22 Dec Decree that regulates data sharing between public agencies changes the rules for data sharing by public administration and composition of data governance committee
By Fabio Alonso Vieira and Jhonata Candido
On November 25, 2022, President Jair Bolsonaro published a Decree No. 11.266/2022, which changed Decree No. 10.046/2019, which deals the governance of data sharing under the federal public administration and establishes the Citizen’s Base Register and the Center Data Governance Committee.
The decree was published due to the determination of the Supreme Court, through judgement of ADI No. 6.649 and ADPF No. 695, through which it was decided that Article 22 of decree 10.046/2019, on the composition of the Central Committee for Data Governance is unconstitutional and that the sharing of data between public agencies, is possible, since that the following requirements are met:
(i) follow legitimate, specific, and explicit purposes;
(ii) be compatible with the purposes reported;
(iii) comply with the requirements of the General Data Protection Law for the public sector;
(iv) be done through publicity and transparency of information, and the Central Data Governance Committee should provide for strict mechanisms for access control to the Citizen’s Base Register, justify the entry of new personal data and institute security measures for eventual accountability in case of abuse;
(v) to observe, for the sharing of personal information in intelligence activities, the provisions of specific legislation and the parameters set by ADI 6.529;
(vi) hold the State civilly responsible for the processing of personal data promoted by public agencies that do not observe legal and constitutional parameters; and
(vii) hold the State civilly responsible for an act of administrative misconduct in case of a willy transgression of the duty of publicity established in Article 23 of LGPD.
Therefore, the new decree created guidelines on data sharing by public administration bodies and entities at the federal level, emphasizing the importance of complying fulfilling and observing the rights to preserve the intimacy and privacy of the natural persons, as well as data protection.
In addition, the new decree also disciplines data sharing between public administration bodies, foreseeing the need to observe the LGPD, the Digital Government Law, the Access to information Law and the National Data Protection Authority, along with the correlated rules.
Another important novelty brought in the decree is the responsibility of the public administration for any damages suffered by individuals, at any level of categorization for data sharing, thus being subject to the legal and constitutional parameters of State civil liability and possibly the LGPD.
The new decree also prohibits the use of the Citizen’s Base Register and its cross-referencing with other databases for the processing of the data that aims at mapping or exploiting individual or collective behaviors of citizens without the prior and express consent of the Citizen.
Regarding the composition of the Data Governance Committee, the decree includes in its body two experts in the protection personal data, representatives of the National Council of Justice, the House of Representatives and the Federal Senate and civil society, all with right to vote.
In general, the President Jair Bolsonaro only complied with the terms of the Supreme Court decision, adapting data sharing rules in federal agencies.
The new published Decree can be accessed, in full, here.
This article is intended exclusively to provide information and does not contain any opinion, recommendation or legal advice from KV Advogados in relation to the matters herein addressed. Copyrights are reserved to Kestener & Vieira Advogados.
No Comments