Final Report issued by the Joint Committee under Provisional Act 869/2018

Based on the opinions and positions expressed in the four (4) public hearings regarding Provisional Act (MP) nº 869/18, the Rapporteur of the Joint Committee for the appraisal of this legal document prepared a legislative report (Draft Law on Conversion – PLV), presenting his conclusions on the matter. Its terms will be considered by the House and Senate, in a future vote for approval or refusal of the report. The PLV, presented on April 25, 2019, addressed the most relevant and controversial points of MP 869/18, as will be seen below.
The national data protection authority

Initially, regarding the first major topic (ANDP – National Data Protection Authority), the report dealt with the question of maintaining the ANPD in Direct Administration. Although it was desirable to consider the authority as an autarchy, an agency with independence in all aspects, the position of the rapporteur was that, under the risk of a new presidential veto and a legal vacuum of a supervisory authority and regulator of data processing in Brazil, the most prudent measure for the moment would be maintaining the agency in the administrative structure, as established in MP 869/18.

Nevertheless, he pointed out the need to take steps to strengthen the independent, technical and administrative performance of the ANPD to the maximum, such as the need for a level 5 in the commission position (DAS); the possibility of preventive removal of the Counselors by the President of the Republic if so recommended by the Special Commission established to determine the administrative disciplinary process and the provision that the internal rules of the agency should be approved by its highest collegiate agency. In addition, two innovations were included: i) a discussion process, by the Federal Senate, of the members of the Board of Directors, in order to give greater legitimacy to the directors of the ANPD; and ii) an express indication that the legal nature of the ANPD should be transformed into a local authority within a specific period of two (2) years from the approval of its regulatory structure, as well as in time to be included in the Budget Laws. These points reflect the issues debated in the discussions held during the Public Hearings, which demonstrates the commitment of the legislative process with the contribution of the participants (academia, public and private initiative and civil society).

The second point discussed, still regarding the ANPD, was the question of the attributions of authority. The rapporteur was in favor of restoring the authority’s powers, as foreseen in the Law originally approved by the National Congress in August 2018. Some of them are the need to watch over commercial and industrial secrets, development of Protection of Personal Data and Privacy guidelines and provision of forms of advertising of personal data processing operations, for example.

In addition, it is intended to incorporate the attributions added by the MP, which are: deliberation, in a definitive way, in the administrative sphere; request for information at any time; communication to the authorities of criminal offenses and non-compliance of the LGPD by the Administration; promotion of studies and articulation of the ANPD with other public regulators.

The report also incorporated the possibility of the signing of the Term of Adjustment of Conduct (TAC) and of publicizing the institution’s reports. Finally, regarding the configuration of a crime of responsibility for the lack of care of preservation of business secrecy and secrecy of information in the exercise of the powers of the ANPD, the rapporteur believes that such a provision could weaken the enforcement action and, therefore, suggests that protection of secrets be conferred by being made explicit that, even in audit procedures, the ANPD must observe the secrets in question.

Regarding ANPD’s revenue, the rapporteur expressed his opinion on the rejection of MP 869/18 and restoration of the original law, thus considering that the authority should have revenue from the proceeds of the execution of its active debt, appropriations entered into the general budget, of the special credits, additional credits, transfers and on-lendings granted to it; donations, bequests, grants and other resources allocated to it; of the amounts determined in the sale or lease of movable and immovable assets belonging to it; among other legal hypotheses. In addition, pursuant to the Law of the Administrative Council for Economic Defense (CADE), the proceeds from the collection of fines applied by the ANPD, whether or not registered as an active debt, should be allocated to the Fund for the Defense of Diffuse Rights, to avoid the possibility of loss of efficiency of authority and conflicts of interests in its actions (related to the “fines industry”).

With regard to the application of sanctions, the rapporteur’s understanding is for restoration of sanctions provided for in the original law, originating from the National Congress, in order to establish a full scale of penalties, similar to the scale of internet applications, as foreseen in the Internet Civil Rights and the Consumer Protection Code. However, taking into account that the total suspension of databases and exercise of the activity could cause considerable damage to the users of the services provided, in order to guarantee the stability of the consumer legislation, the rapporteur suggested replacing the suspensions with the sanction of “administrative intervention” in order to bring the controller back to legal compliance, without prejudice to the holders with interruption of the service. In addition, the powers of the ANPD in the application of sanctions, regarding the protection of personal data, should prevail over those of the correlates of other entities.

Lastly, the final point related to the ANPD dealt with in the report was the National Council for the Protection of Personal Data and Privacy, in which the rapporteur stated that the amendment proposed by MP 869/18 – that is, of fixed term withdrawal, defined in 2 (two) years for the members appointed by the Administration – would create instability in the exercise of the duties, weakening the mandates and the importance of the counseling agency. Therefore, a resizing of the Council was proposed, so that it could have proportional representation of the three sectors of society: business, productive and labor. In this sense, it was recommended: i) balance of the participation of the business sector with the labor market; (ii) extension of civil society representatives to include those related to data protection; and iii) withdrawal of one of the members of the Union, in order to maintain proportionality in relation to the other sectors involved.

Data handling by the public administration
Regarding the second major topic, that is, management of data by the Administration, the subtopics chosen for discussion were: i) the sharing of data by the Administration; ii) protection of applicants for information requests related to the Law on Access to Information (LAI); and (iii) educational data (INEP).

Regarding the sharing of data by the Administration, the rapporteur was against the flexibility related to the existence of a Clerk, as this would only guarantee the opening of a channel of communication between the parties, not being sufficient for the protection of data treatment by the Administration. However, he believed the permission to transfer information exclusively to combat fraud and irregularities was positive, suggesting changes on this point. Regarding the suppression of the need for communication to the National Authority in the case of transfers of data to private entities, the rapporteur suggested changing the wording of the device to include such communication in order to avoid weakening the audit power. Finally, the report was manifested by the need to make the possibility of transferring data more flexible since there is a legal provision or transfer be supported by contracts, agreements or similar instruments, based on specific cases of the Administration (such as the possibility of collecting taxes, for example).

As far as the protection of applicants from requests for information concerning LAI is concerned, due to the veto of protection of personal data of request authors for access to information under MP 869/18, the rapporteur took the position of the need to restore the old provision, since the identification of applicants for information could bring insecurity to citizens, since they would be subject to intimidation, retaliation or constraints. The absence of identification would protect transparency and full exercise of citizenship. Finally, regarding educational data, the report agreed with the deletion of a provision that includes the Anísio Teixeira National Institute of Studies and Educational Research (Inep) in the joint regulation of access to personal data related to education in its custody, since, having in view the general and “non-sensitive” nature of educational data, there was no need for special protection for this database.

Security, defense and investigation

The third major topic under discussion was security, defense and investigation. The main discussion regarding this issue was processing of data by private entities.
The rapporteur therefore considered that treatment of all security and defense databases by a private company or entity delegated by that company could weaken protective measures against possible arbitrary or security incidents. In addition, in the case of national defense, it is necessary to consider the use of foreign technologies by manufacturers and application providers and databases, which could generate the possibility of international access to the information processed. The rapporteur was therefore in favor of the need for public companies (like Serpro, for example) to process this information, and also agreed with the possibility opened by MP 869/18 to transfer data to public companies. In order to minimize possible access and misuse, an amendment was offered, providing the guarantee that the private company must have capital integrally constituted by the Public Authority to receive data.

Regarding the possibility for the ANPD to comment on the treatment carried out by public security and related entities, the rapporteur believes that the provision is positive, since the authority could contribute with these agencies, mainly at the municipal and state level, to disseminate best practices. In addition, because of the suggestion to raise data protection as a “matter of national interest”, it is proposed to amend the LGPD Statement to expressly state that it is a “General Data Protection Law”; the inclusion of a provision that all federated entities must comply with the general rules contained in the LGPD and that the competence of the ANPD covers the entire country.

The issues affected in public and private areas

The fourth major topic addressed the issues common to the public and private spheres, as outlined below.

I. Automated treatment

In this perspective, the first subtopic debated was automated treatment. The rapporteur decided to retain the provision of MP 869/18 which allows the holder to request a review of decisions taken solely on the basis of automated processing of personal data affecting his interests. In the meantime, he added a device, in order to state that the review must be carried out by an individual only in the cases and as foreseen in future regulations of the ANPD. With this conclusion, it was intended to avoid the negative effects that the practice of abusive or incorrect attitudes by technologies could generate, guaranteeing both the exercise of human rights and citizenship of the consumer and the promotion of innovation, in order to facilitate commercial integration and generation of opportunities and investments at the national and global levels.

II. The Clerk

The second sub-topic dealt with the clerk, in which the rapporteur concluded by allowing him to be a legal person. This decision was made taking into account, for example, large organizations, in which a single individual would not be able to handle large volumes of demands, as small companies could outsource their service in case of lack of technical knowledge. Furthermore, the rapporteur expressed the unnecessary need for the controller to be a clerk (since the service to holders would be dispensable) and to have, in law, internal organization of the entities and the hierarchical position of the clerk in the internal structure.

III. Duty of information to the holder

The third sub-topic focused on the information to the holder, which resulted in the decision through notification release to the data holder on the use of his information in case of incidence on a legal basis of legal compliance or execution of public policies, in order to reduce bureaucracy of this process.

IV. Law enforcement in cases of illegal treatment

Furthermore, the fourth subtopic, related to law enforcement, concluded that it is necessary to apply it even in cases of illegal data processing and to guarantee the right to opposition by the holder in these cases.

V. Consent

The fifth subtopic, referring to the public and private spheres, was consent. In this sense, the rapporteur emphasized the need to consider changes in this matter with their impacts and real need to clarify the devices, so as not to negatively impact society. In this way, he stated that the waiver of new consent in cases of change of controlling shareholder control should be subject to infra-legal regulation by the ANPD; that the extension of treatment with regard to the processing of sensitive data would not be prudent when made manifestly public by the holder; and that it would not be necessary to change to include the legal guardian as a source of consent in cases of compliance with a legal obligation, since, as soon as it is recognized by a valid legal document, it is naturally able to replace the holder. Regarding the use of data for public purpose and those made manifestly publicly for new purposes, without consent, provided the rights of the holder are observed, the rapporteur expressed the opinion of the inclusion of a device that allows the subsequent treatment without new consent, provided that legitimate purposes are observed and specific to the new treatment and preservation of the rights of the holder, as well as the fundamentals and principles of the LGPD.

VI. Sensitive data

The sixth subtopic raised the question of the definition of “sensitive data” from an expansive analysis, considering that such data would be those linked to an “identified or identifiable” person. However, the rapporteur was of the opinion that this proposal should be rejected in view of the insecurity and uncertainty that such a measure would cause, since, from cross-referencing of databases, the correlation between a data and its owner remains basically evident.

VII. Legitimate interest

The seventh sub-topic dealt with legitimate interest, in which the rapporteur rejected the suggestions of permitting treatment justified from this legal basis, data not strictly necessary for this purpose; and to revoke the possibility of treatment through legitimate interest, in order to balance protection of the holder and freedom for free initiative.
Other subtopics dealt with were portability and good practices. As for the first, in addition to emphasizing that data portability is an exercise of the holder’s right (it does not concern the data generated or complemented by controller treatments) and that it is up to the controller to only comply with the Law and prove its service – being protected, in this case, in the event of any irregularities committed by third parties – the rapporteur understands the need for immediate information to treatment agents when changes in the personal data of holders, except in cases of proven impossibility or disproportionate effort, when the controller cannot be held responsible. As regards good practices, these should be encouraged by the national authority, and not imposition on the sector, and provisions for the application of sanctions being sufficient to ensure their promotion.

Treatment of health and academic data

The fifth major topic discussed was the treatment of health and academic data. Regarding health data, the rapporteur concluded that in the cases related to the provision of health services, including ancillary services for diagnosis and therapy, it would be possible to communicate health-sensitive data provided for the benefit of the holders, as well as for financial and administrative transactions resulting from the use and provision of contracted services. In this way, registrations in pharmacies or laboratories for obtaining data that result in discounts or other non-contracted purposes will be prohibited.
Also, the hypotheses of services and professionals that are intended to be reached in the treatment of health data were restricted and clarified. In this sense, the treatment of personal data and sensitive personal data could be carried out, exclusively, for the protection of health – ensuring that it is for the benefit of the holder – in a procedure performed by health professionals, health services or health authority. Regarding the concerns relative to the possibility of denial of access or unjustified increase of the supplementary health services by the crossing of information, the report understood that such hypothesis, since it is already prohibited by Normative Summative nº 27 of June 10, 2015, of the National Agency of Supplementary Health, would prevent unfair treatment of users with regard to access to health.
In addition, with regard to academic data, the rapporteur defended the return of the original legal text, so as to exclude the treatment of these data from the scope of the LGPD provided that the rules of consent of general personal data and sensitive personal data were followed. In this way, anonymization, confidentiality and opposition of treatment to the participants of diverse research would be guaranteed, without subjecting the researchers to the other legal provisions. Furthermore, journalistic, academic and artistic data must be kept as general (non-sensitive) personal data and private research entities that do not exercise legal mandates and profit objectives must obtain consent to perform data processing, not being considered “research agencies” for the flexibility of obtaining consent.

Matters corresponding to proposed amendments

Finally, a number of other matters were presented, relating to the amendments submitted to the Joint Committee of MP 869/18 for consideration. Regarding the validity of the law, despite the considerations brought by the report, the calculation still seems uncertain.
Regarding differential treatment for seniors, the rapporteur proposed a new assignment to the ANPD, in order to institute, in its regulation, the form of implementation of this treatment by the controllers.
With regard to small and micro-enterprises, these will require differentiated treatment and simplification of obligations, not excepting, however, the application of sanctions as a punitive measure of inadequate conduct by treatment agents.
As for the right to petition, it was decided to guarantee the “double way of questioning”, that is, the possibility given to the holder to petition directly with the controllers, the ANPD and before the consumer protection defense agencies. At this point, the rapporteur rejected the possibility of legal uncertainty due to the multiplicity of actions and interpretations by the various entities, justifying that it will be up to the ANPD to settle issues and publish standardized regulations. Also, it was pointed out that it is important that the holder can petition the ANPD only after the complaint with the data controller, in order to “unburden” the institution and avoid excesses in the right to petition, while ensuring the constitutional right of access to justice to guarantee rights.
The report also commented on the possible legal conflict between MP 869/18 and MP 870/19, edited by the Bolsonaro government, which establishes the basic organization of the agencies of the Presidency of the Republic and the Ministries and repeals Law nº 13.502/17 which, in turn, is amended by MP 869/18 by considering the ANPD as an agency of the Federal Public Administration. In the opinion of the rapporteur, since Law nº 13.502/17 is still in force, it was considered convenient to keep the ANPD as a member of the Presidency of the Republic, as a way of granting legal support to its creation, even in case of non-conversion of MP 870/19. Also, in case of conversion of both Provisional Acts, there will be express revocation of Law nº 13.502/17 and creation of the ANPD as part of the Presidency of the Republic.

The complementary report

It should be noted that, on May 7, 2019, the rapporteur presented an addition to the presented report, modifying some items dealt with in the first version of the PLV presented and adding new and relevant inclusions. These conclusions will still be discussed and may be reviewed by the Joint Committee and subsequent votes.
Initially, the addition reconsidered the imposition on the legal nature of the ANPD, granting a more “gentle” legal wording by providing that there would be a possibility of reassessing the temporary legal nature of the authority by the Executive Branch, including its possible transformation into an autonomous authority. However, it maintained that the reassessment should take place within two (2) years from the date of entry into force of the ANPD’s regimental structure, conferring certain legal certainty to the expectation of reconsideration of the authority structure.
Also, regarding sanctions, the administrative intervention penalty was replaced by the sanction of suspension of the exercise of personal data processing activity, for a maximum period of 6 (six) months and extendable for the same period; and the imposition of partial, total suspension sanctions and prohibition of data processing (serious sanctions), that can only be imposed after the imposition of penalties of simple fines, daily fines, disclosure of the infraction, blocking and elimination of personal data, in order to confer greater proportionality between the infraction and its sanction. The addition of the rapporteur’s vote has also modified some provisions, such as the provision that review of automated treatment by an individual, in cases provided by the ANPD, must take into account the nature, size of the entity and the volume of operations under treatment. Other relevant changes were the exclusion of express mention of the articulation of the ANPD with the National Consumer Secretariat (Senacon), an agency of the Ministry of Justice, in order to match the reference to public agencies that have sanctioning power relative to data protection; and flexible mandate permission and delegation of Executive Branch members to the National Council for Personal Data Protection and Privacy.

In addition, new devices were inserted, such as: i) the specification of Union Confederations representing the economic categories of the productive sector as representatives of the National Council for the Protection of Personal Data and Privacy; ii) the express provision of pharmaceutical assistance in the exceptions that allow the sharing of sensitive health data with the objective of obtaining economic advantage, in order to allow the achievement of public policies; iii) the need to create specific regulations for cases of information to the ANPD when sharing data with private entities, to avoid excessive notifications; iv) the possibility that more than one agency regulates a particular agent in the case of controllers submitted to other entities with sanctioning powers, in order to mitigate the possibility of applying severe sanctions to controllers and, consequently, the difficulty of executing public policies; v) the inclusion of competence to the ANPD for the implementation of simplified mechanisms, including by electronic means, for registering complaints about the treatment of personal data not in accordance with the LGPD; and vi) extension of the constitutional simplifications of procedures, guidelines and deadlines for micro and small enterprises to incremental or disruptive entrepreneurial initiatives that self-declare as startups or innovation companies.

Finally, it should be pointed out that the rapporteur decided to incorporate, during the presentation of the supplementary report, an additional provision, suggested by Member of Parliament, Celso Russomano, which gave rise to much discussion. This provision intends that individual leaks or unauthorized access may, only in individual cases, be the subject of conciliation between the controller and the personal data holder and, if there is no agreement, that the controller be subjected to the legal penalties provided. The amendment aims at avoiding harsh accountability of controllers for security incidents caused by external attacks by hackers, enabling the holder of the leaked data to negotiate an indemnity directly with the data bank.

The Telecommunications, Media and Technology (TMT) team of Azevedo Sette Advogados will continue to follow the developments on the subject.

Azevedo Sette Advogados