Congress has just approved Executive Order #869/2018, which now awaits presidential sanction
On May 29, 2019 Brazilian Congress passed Executive Order #869/2018, which establishes changes in the Brazilian General Data Protection Act and, primarily, provides for the creation of the National Authority for Data Protection (“NADP”). With the new rules, the Act will come into force in August 2020.
The NADP was designed as a body of the federal administration, linked to the Presidency. Despite that, the final wording attempts to grant the NADP with technical and decision-making autonomy and provides that the Authority’s design will be revaluated in a two-year period, when the structure may be changed into an independent regulatory agency model.
The new provisions grant NADP with a key role into enforcing Brazilian General Data Protection Act. Some of the Authority’s responsibilities are:
The new rules also created two NADP’s internal bodies: the Board of Directors and the National Council of Privacy and Data Protection. The Board will be composed by 5 members, Brazilian citizens, for a term varying from 2 to 6 years for the first members, appointed by the President and approved by the Senate. The Board is the top-level governing body, and its attributions include the drafting of the NADP’s bylaws and the appointment of mid ranking officials.
As for the Council, it will be composed by 23 members, appointed by several governmental authorities, such as the Congress, National Council of Justice and Public Attorney’s Office, and private entities, such as the Management Committee of Brazilian Internet and corporations in the field of data treatment. The Council’s attributions are, among others, proposing guidelines to be carried out by the NADP, preparing annual assessments, promoting studies about practices in personal data and privacy protection and disseminating into the society the knowledge about data protection and security measures.
Other relevant changes provided by the Executive Order #869/2018 include:
The new provisions represent a major step for providing legal certainty for users and companies, establishing a culture and a regulatory benchmark for data protection in Brazil. Now, it is important to keep track of the first steps to be taken by the Authority for the enforcement of the law. Meanwhile, the clock is ticking, and companies have until August 2020 to comply with the regulation.
In the past few years, our team has worked on some of the leading cases regarding data privacy and information security in Brazil, with successful results. For more information regarding the matter or to receive an English version of the Law, email us at email@example.com.