How the law has changed since 2010

Observatory’s Memory: Episode 5/5

From the first Draft presented by the Ministry of Justice in 2010 to the final legislative process in 2019, the content of the General Data Protection Law went through countless transformations and improvements, and also left some opportunities for modernization along the way.


The original text written by the Ministry of Justice in 2010 was very incipient. The main legal basis for the processing of data was consent, and there were articles that would soon become meaningless and be set aside.


Over the two Public Consultations, held between 2010 and 2011 and then in 2015, the text grew larger with several contributions from the private sector, civil society and academia. The number of legal bases for the processing of data, for instance, reached ten; in the first version, in addition to consent, there were three other options.


Bill 330 originally followed the content of the Draft made by the Ministry of Justice. However, from the moment the Draft was sent to Congress, the Executive’s preference for Bill 330 under Temer’s government caused the two projects to diverge in certain aspects, such as the regulation of the processing of data by the State.


As the multistakeholder discussions intensified at the meetings proposed by Representative Orlando Silva, both the private sector and civil society needed to give up some aspects of the Law that were considered essential by both sides.


The creation of a National Data Protection Authority entered the text at the last minute, already with the perspective that it could be vetoed. The Draft sent to Congress (Bill 5276/2016) mentioned a “competent authority”, responsible for applying the LGPD, but did not specify how that body would be organized.


One of the most discussed legal bases for the processing of data is that of legitimate interest, debated since the 2nd Public Consultation. The final drafting of this excerpt was made at the last minute, when the Bill was about to be voted on, to ensure certain safeguards for the public.


A positive outcome of the final version of the text is the strong encouragement of compliance policies inside companies, so that privacy and data protection become fundamental pillars of their business.


On the other hand, the LGPD maintained characteristics that are questionable, such as several exceptions for the financial sector. Likewise, the Law did not adopt modern practices of data regulation such as mandatory data protection impact assessments, which are optional under the LGPD.


The most divisive aspect of the final regulation is the review of automated decisions by a natural person. Vetoed by Temer and re-included by Orlando Silva in his report on the Provisional Measure that created the Authority, this article was vetoed once again by Bolsonaro.


From the private sector’s perspective, the measure was impracticable, and can be discussed again in the future. From the perspective of civil society and academia, without it the LGPD abandons one of the fundamental matters of today’s data protection debate, and it also contributes to Brazil not being able to enter the Organisation for Economic Co-operation and Development (OECD).