LAW No. 14.289/2022: HEALTH DATA PROTECTION

11 Jan LAW No. 14.289/2022: HEALTH DATA PROTECTION

Earlier this year, Law No. 14.289/2022 was enacted to ensure the right to privacy, intimacy, and data protection through the preservation of confidentiality regarding the status of individuals with HIV, chronic hepatitis, leprosy, and tuberculosis.

By determining the prohibition of disclosure of data and information that allow the identification of people living with infection by the human immunodeficiency virus (“HIV”) and chronic hepatitis (“HBV and HCV’) and people with leprosy and tuberculosis, the new law dialogues with the Brazilian General Data Protection Law (“LGPD“), which also brings, in its wording, specific determinations about sensitive personal data.

Although it does not provide a definition for health data like the General Data Protection Regulation (“GDPR“), the LGPD states that health data is sensitive personal data and, therefore, by its nature is subject to stricter protection criteria.

Article 11 of the LGPD states that sensitive personal data may only be processed in the following cases:

(a) whenever the data subjects or their legal representative specifically and emphatically consent to such processing, for specific purposes;

(b) without the supply of the data subjects’ consent, whenever they are essential for:

• compliance with a statutory or regulatory obligation by the controller;

• shared processing of data required for the enforcement, by the public administration, of public policies set forth in the laws or regulations;

• the conduction of studies by research bodies,

• regular exercise of rights, including in agreements and in lawsuits, administrative or arbitration proceedings;

• protection of the life or of the physical safety of the data subjects or of third parties;

• health protection, exclusively, in a procedure performed by health professionals, health services or health authority; or

• guarantee of the prevention of fraud and of the security of the data subjects, in the processes of identification and certification of record in electronic systems, except in the event of prevalence of fundamental rights and liberties of the data subjects that require protection of the personal data.

Following the premises established in the LGPD, Law No. 14.298/2022 determines, for example, that professional secrecy about the condition of a person living with one of these diseases can only be broken in cases determined by law, for just cause, or by express authorization of the affected person or, in the case of children, of their legal guardian, by signing an informed consent form, in accordance with the provisions of article 11 of the LGPD.

Another provision that dialogues with the LGPD is article 2 of Law No. 14,289/2022, which prohibits the disclosure by public or private agents of information that allows the identification of the condition of a person living with any of the diseases mentioned in the scope of:

• health services;

• educational instituions;

• workplaces;

• public administration;

• national security;

• judicial proceedings; and,

• written and audiovisual media.

Accordingly with the LGPD, non‑compliance by public or private agents with the provisions of Law No. 14.298/2022 subjects them to the sanctions provided for in article 52 of the LGPD (i.e. warning, fine, publication of the violation, blocking of personal data, partial suspension of the operation of the database, suspension of the exercise of the activity of processing personal data or partial or total prohibition of the exercise of activities related to data processing), as well as other applicable administrative sanctions, and obliges them to indemnify the victim for material and moral damages, pursuant to article 927 of the Civil Code.

In a complementary manner, Law No. 14.298/2022 establishes that in situations where information about the condition of a person living with HIV infection, chronic hepatitis, leprosy, and tuberculosis is disclosed by agents who, by virtue of their profession or position, are obliged to preserve confidentiality, and this disclosure is characterized as intentional and with the intent to cause harm or offense, the penalties will be doubled.

Despite the numerous challenges regarding data protection in Brazil, the dialogue between LGPD and Law No. 14.298/2022 is another step towards strengthening data protection in the country and reinforces the constitutional principles of personal data protection and privacy.

Law No. 14,289/2022 can be fully accessed here.

This article is intended exclusively to provide information and does not contain any opinion, recommendation or legal advice from KVLaw concerning the matters herein addressed. Copyrights are reserved to Kestener & Vieira Advogados.