Converted into law the Provisional Measure no. 869/19, that (re)created the National Data Protection Authority

August / 2019

The Provisional Measure no. 869/18, which amended several provisions of Law no. 13.709/18 – the General Data Protection Regulation (GDPR) – was converted into law. Among the main changes brought by Law no. 13.853/19, its main one was the (re)creation of the National Data Protection Authority (NDPA), contained in its Article 55-A from Article 55-L, an Executive Branch’s body to oversee and enforce the GDPR.

The NDPA, originally foreseen in the GDPR, had been vetoed by former President Michel Temer on the grounds that its creation would not compete to the Legislative Branch. The Provisional Measure, which is the attribution of the President of the Republic, would then supply this defect in the Law’s initiative.

This body was created as a transitional member of the direct federal public administration, being part of the Presidency of the Republic. It will be up to the Federal Executive Branch, within two (2) years of the entry into force of the NDPA regimental structure, to define its legal nature (Article 55-A, § 2), which may be transformed into an indirect federal public administration entity, submitted to an independent governmental regime and linked to the Presidency of the Republic (Article 55-A, § 1).

There are several functions and competences given to the NDPA by the Law – its Article 55-J, which disciplines them, has twenty-four items. Among its main attributions, the following stand out: i. ensure the protection of personal data, as well as the observance of trade and industrial secrets; ii. develop guidelines for the National Policy on Personal Data Protection and Privacy; iii. supervise and enforce sanctions in the event of data processing not in accordance with the law; iv. promote society's awareness of the protection of personal data, as well as studies of national and international practices in the implementation of protection policies; v. prepare management reports on its activities, detailing its income and expenses and reporting to the society; vi. perform audits on the processing of personal data by processing agents, including the Government; vii. enter into commitments with data-processing agents to eliminate irregularities, legal uncertainty or contentious situations; viii. deliberate at administrative level on the interpretation of GDPR, competencies and omission; and ix. in the exercise of its supervisory activity, report any criminal offenses that comes to its awareness and report to the internal control agencies about the Public Administration's non-compliance with the law.

The Law also assigns functions to the National Council for the Protection of Personal Data and Privacy – one of the members of the NDPA –, such as the proposition of guidelines for the elaboration of National Policy on Personal Data Protection and Privacy; and the NDPA’s performance, the preparation of annual evaluation reports on the NDPA’s activities, suggestion of actions to be taken, the preparation of studies and discussions on personal data and the spread of information about the protection of personal data to the society.

Law no. 13.853/19 was sanctioned on July 8, 2019, with partial vetoes in several provisions, although only 1 (one) of them referring to the ANPD (Article 55-L, V, which allowed the collection of funds through the collection of fees for services rendered). Finally, it delimited that the amendments related to the National Data Protection Authority would be in force since December 28, 2018 – date of the edition of Provisional Measure no. 869/18. It remains to be seen, thus, the effective implementation of the new body.