Congress overturns vetoes to the Brazilian GDPR
With the vetoes overthrow, harsher penalties were reinserted in the law, such as the prohibition of personal data processing activities.
Last Tuesday (24), the National Congress decided on points of great impact for data protection in Brazil. The Legislative overturned six of the thirteen items vetoed by President Jair Bolsonaro in the Brazilian Data Protection Law (LGPD), reinserting severe penalties for privacy breaches in the final text of Law n. 13,709/2019.
According to the legal provisions, the recurrence of the same concrete personal data breach may be punishable - depending on the seriousness of the breach - with:
(i) suspension from operating the database relating to the infringement for up to six months, extendable for an equal period, until the data handling activity is set right;
(ii) suspension from the personal data processing activity relating to the infringement for up to six months, extendable for an equal period;
(iii) partial or total prohibition of data processing activities.
In addition, except from fines, other penalties - including the suspension of database or processing activities - are applicable to public entities and agencies.
The vetoes overthrow has been seen as positive by civil society organizations responsible for promoting consumer rights. For businesses and the public authorities, however, the task of adapting to LGPD has become more complex, given the rigorous manner by which the law deals with personal data breaches.
After the vetoes overturn, the legal provisions were sent to the President for publication within 48 hours. In his omission, the Senate’s President or Vice President have the same time table to publish the changes in the law.
The Congress’ work, however, is not over. The veto on human review of automated algorithmic decision is yet to be assessed. The matter had been included in the agenda for deliberation on September 25, but it did not occur. In that way, voting is expected to take place soon.