Bill Aims to Amend LGPD Provisions on Security Incident Publicization
On April 13, 2023, Bill 1876/2023 was presented by its sponsor, Congressman Marcos Tavares (PDT/RJ), aiming to amend the Brazilian General Data Protection Law (the “LGPD”) by adding the following language:
"Art. 54-A. The data controllers must disclose, in mass media outlets and on their pages and profiles, any security incident that may pose a relevant risk or damage to the data subjects, and must report the incident to the National Data Protection Authority (ANPD)."
The objective of the proposed amendment is to require the widespread publication, in mass media, of any personal data security incident that may pose a risk or damage, regardless of the actual impact on the data subjects, the number of affected individuals, or whether public disclosure is actually the best measure to safeguard the data subjects' rights.
Article 52, IV of the LGPD already provides for one possible sanction to be applied by the ANPD: the publicizing of the violation after its occurrence has been investigated and confirmed. In other words, the disclosure of the incident in mass media is already provided for in LGPD and only occurs after due process of law, ensuring the controller's right to a hearing, as not only would such publication generate a burden for the data processing agent, but it would also significantly harm the agent’s reputation, which tends to translate into loss of clients, businesses, and revenue.
The proposed article raises another controversial point: it not only disregards the due process of law already established by the LGPD but also indicates that the mere possibility of a risk or harm to the data subjects would already trigger the obligation to publish the incident, before the matter has been properly investigated and confirmed.
The bill does not take into account the data processing carried out by liberal professionals and small-scale data processing agents, nor does it address the volume of data affected by the incident. In this regard, requiring every controller to disclose an incident in a large-circulation media outlet is incompatible with current law.
Finally, Article 2 of Bill 1876/2023 delegates the competence and responsibility of establishing the necessary complementary rules for the execution of the law to the Federal Executive Power, instead of to the ANPD. This approach opens up room for possible regulatory conflicts between the ANPD and any decrees issued by the executive branch.
We are monitoring the legislative progress of the matter and will keep our clients updated on it.