On October 2, Congress completed its analysis of Bolsonaro’s vetoes of the Data Protection Law, creating the National Data Protection Authority (ANPD). In a Congress joint session, legislators rejected six of the 13 vetoes included in the version of the law enacted by the Executive in July this year. The provisions reinstated by the Legislative include the extension of the list of administrative sanctions that could be applied to data processing agents for non-compliance.
The measures vetoed by the president which were reinstated include the extension of administrative sanctions applied against infringements by data processing agents. These sanctions include the partial suspension of database operations for a maximum period of six months; suspension of personal data processing activities for the same period, and partial or total prohibition of data processing activities.
These new sanctions may only be applied after an alternative sanction has first been imposed, such as fines, or the blocking and deletion of the personal data in question. The regulation also sets up the National Personal Data Authority (ANDP), the state body responsible for guaranteeing the application of the General Law on the Protection of Personal Data, which will enter into force in 2020.