Publications
- Category: Digital Law
On April 26, the Board of Directors of the National Data Protection Authority (ANPD) published Resolution CD/ANPD 15/24, which approves the Data Breach Reporting Regulation. The rule, already in force, complements article 48 of the Brazilian General Data Protection Act (LGPD), which provides for the obligation of the data controller to report cases of risk or relevant harm to the ANPD and the data subjects.
The regulation brings important novelties, such as the possibility of the controller having to give wide disclosure of the data breach, in addition to definitions on authentication data in systems, financial data and security incident. It also establishes the Incident Handling Report as the new document to be provided by the controller.
The ANPD advances in defining what is considered a relevant risk or harm. The criterion is fundamental to characterize the obligation to communicate to the ANPD and to the data subjects.
According to the ANPD, the data breach may entail a relevant risk or damage if there is the possibility of significantly affecting interests and fundamental rights and, at the same time, involving sensitive personal data, data of children, adolescents or the elderly, financial data, authentication data in systems, data protected by legal, judicial or professional secrecy or data on a large scale.
The regulation also defines large-scale data incidents as those that cover a large number of data subjects, also considering the volume of data involved, duration, frequency and geographical extent of the data subjects.
In order to meet all the requirements established by the new regulation, it is important, therefore, that companies have accurate and detailed risk assessments of incidents, capable of providing a holistic and secure view of the business.
In this way, they will be able to identify more assertively the situations that should or should not be communicated. The preparation of a Data Protection Impact Assessment, including a consistent Data Breach Impact Assessment, is essential. The report may even be required by the ANPD.
Secrecy is not the rule
Confidentiality about the occurrence of a data breach is not the rule. It will be up to the controller to request, in a reasoned manner, confidentiality from the ANPD. In addition, the authority will be able to give wide publicity to the data breach, including communication in the media and on the internet. It is possible, for example, that the data controller will be required to include the information that the incident occurred on its social media.
Deadlines, form, and content of the communication
The ANPD has set a deadline of three working days for the communication to be made to the authority and the data subjects. For additional communications, the deadline is 20 working days. In the case of small agents, these deadlines are doubled. The three days start from the moment the data controller became aware that the incident compromised personal data.
The new regulation reinforces the need for companies to be prepared to provide all the necessary information to the ANPD and data subjects in the short term. To do this, it is important that they have a documented and structured plan.
For the ANPD, the data controller must be able to provide a list of 12 points, such as a description of the nature and category of the personal data affected; the number of affected beneficiaries (including children, adolescents and the elderly); the technical and security measures used before and after the incident; the risks involved; reasons for any delay; and the identification of operators, if applicable.
For data subjects, there will be at least seven points: a description of the nature and category of personal data affected; the technical and security measures used for the protection of the data, observing commercial and industrial secrets; the risks related to the data breach with identification of possible impacts to data subjects; the reasons for the delay, in the event that the communication has not been made within the period established in the caput of article 6 of the resolution; the measures that have been or will be adopted to reverse or mitigate the effects of the incident, where applicable; the date on which the data breach became known; and the contact for information – and, where applicable, the contact details of the person in charge.
In addition to content, companies should be prepared to use simple and easy-to-understand language. At this point, Legal Design and Visual Law techniques can be great allies.
If it is possible to identify the affected data subjects, the communication must be direct and individualized. The means normally used by the controller to contact the data subjects, such as telephone, e-mail and electronic messages, must be considered.
In addition to notifying the data subjects, the data controller will need, within three days (from the end of the first communication period), to submit to the ANPD a statement that it has complied with the communication determination and evidence of how this was done.
Data breach record and submission of documents
The ANPD expressly determines that the data controller must keep a record of all security incidents involving personal data for at least five years, regardless of whether they have been reported or not.
Thus, in addition to being prepared to act diligently, assertively, and quickly, companies will need to be ready to document the entire data breach and its stages of identification, response, remediation, and communication.
The record must contain at least:
- a description of the nature and category of the personal data affected;
- the technical and security measures used for the protection of the data, observing commercial and industrial secrets;
- the risks related to the incident with identification of possible impacts to data subjects;
- the reasons for the delay, in the event that the communication has not been made within the period established in the caput of article 6 of the resolution;
- the measures that have been or will be adopted to reverse or mitigate the effects of the incident, where applicable;
- the date on which the security incident became known; and
- the contact for information – and, where applicable, the contact details of the person in charge.
At any time, the ANPD may require the data controller to submit a record of the affected data processing operations, the Data Protection Impact Assessment and the Incident Handling Report, which contain copies and relevant information to describe the incident and the measures taken.
The company's documented and assertive response in the event of incidents becomes even more fundamental. The controller must be prepared not only to carry out communications with the required content and form, but also be ready to account for its activities in relation to the event. It's important to show your preparation before, during, and after.
Own administrative process
Data breach reports now require their own administrative process (Security Incident Reporting Process), through which the ANPD will inspect the case and the measures adopted by the company.
In the event of non-compliance with the provisions of the new regulation, the controller may respond to administrative sanctioning proceedings.
The new regulation is in line with the way in which Machado Meyer's Digital and Personal Data Protection practice deals with situations of this nature. A holistic and strategic approach, connected with the firm's crisis management expertise and the technical work of the other practices. We remain available to answer any questions on the subject.
- Category: Real estate
On April 10, the São Paulo City Council rejected 17 of the 58 vetoes made by mayor Ricardo Nunes in the partial revision of the Land Parceling, Use and Occupation Law. The text is better known as the Zoning Law (Law 16.402/16), instituted through Law 18.081/24 on January 19, 2024.
The revision carried out by mayor Ricardo Nunes aimed to reconcile the objectives of the Zoning Law jointly with the mid-term review of the Strategic Master Plan of São Paulo (Law 17.975/23). However, the São Paulo City Council, in an ordinary session on April 10, discussed and voted to overturn 17 vetoes. The decision was promulgated by the president of the Chamber, Milton Leite, at the request of the mayor, on April 17.
The justifications presented by the City Council for the partial overturning of the vetoes focused on encouraging sustainability and the production of social housing in the city. Measures to support the so-called "smart" cities to foster sustainable practices in buildings through incentives for environmentally responsible technological and constructive innovations are highlighted.
The most relevant changes are presented in the updated version of our e-book: Revision of the Master Plan and Zoning Law.
- Category: Real estate
The Legal Framework for Secured Transactions (Law 14.711/23) represents a turning point for the Brazilian financial and real estate sector. Promoting legal certainty and efficiency in the use of guarantees, the legislation promises to dynamize the credit supply, reduce costs, and stimulate investments.
In this new ebook, we explore the real estate aspects of the legislation, unfolding its practical and strategic implications for industry professionals, investors, and those interested in the credit market.
The publication addresses the innovations introduced, such as the flexibilization and modernization of the secured fiduciary sale. We also detail some novelties, such as the subsequent secured fiduciary sale and the extension of the secured fiduciary sale.
In addition to other topics, the ebook also covers changes in foreclosure procedures and auctions, as well as the revitalization of the mortgage, which, although less utilized, gains new momentum with the possibility of extrajudicial foreclosure.
- Category: Life sciences and healthcare
On April 23, 2024, the Federal Senate approved the final consolidated text of Bill No. 6,007/23, which aims to establish a legal framework for research with human beings in Brazil, and establishes the National System of Ethics in Clinical Research with Human Beings.
After 7 years under discussion in the National Congress, the text initiated in the Federal Senate was revised by the Brazilian House of Representatives at the end of 2023, having been approved in this House in the form of a substitute (Bill No. 7.082/17).
Check below the main aspects involving the current regulation of clinical research in Brazil and the final text approved on an urgent basis.
Background
In practical terms, Brazil already has a structured clinical research system that includes the National Health Council (CNS), the National Research Ethics Commission (Conep), and Institutional Review Boards – IRBs (Comitês de Ética em Pesquisa – CEPs) established in hospitals, research centers, and academic institutions.
Bill No. 6.007/23, however, intends to provide a legal foundation for applicable regulations and oversight of public and private institutions conducting research with human beings in Brazil.
According to the approved text, research with human beings includes the handling of their data, information or biological material, directly or indirectly. It can be divided into three categories:
- Scientific, technological or innovation research – Study that interacts with human beings (individually or collectively), in a direct way, without the objective of registering the product under research.
- Clinical research – A set of scientific procedures developed in a systematic manner with the aim of:
  - evaluating the action, safety and efficacy of drugs, products, techniques, procedures, medical devices or health care for preventive, diagnostic, or therapeutic purposes;
  - verifying the distribution of risk factors, diseases or conditions in the population;
  - assessing the effects of factors or states on health.
- Clinical Trial – Its purpose is to discover or confirm the clinical, pharmacological, or any other pharmacodynamic effects of the investigational drug, to identify any reaction to the product, or to study its absorption, distribution, metabolism, and excretion, to analyze and verify the action, safety, and efficacy of the investigational
In these cases, research protocols will be subject to a prior ethical analysis, which from now on will be carried out in a single instance by Institutional Review Boards, putting an end to the double review carried out by Conep, which today still occurs in specific cases.
In addition, the text established a maximum period of 30 days for deliberation by the IRBs, except when it comes to research of strategic interest to the SUS, whose deadline for issuing an opinion will be 15 days.
Main changes in the final text of Bill No. 6.007/23
The Federal Senate promoted about 60 amendments to the substitute text proposed by the House of Representatives, most of them of an editorial nature.
The main modification concerns the financial responsibility of the research sponsors in Brazil.
The version approved by the House of Representatives provided that, in the case of research sponsored by governments, national or international government agencies, or non-profit institutions, the collaborating Brazilian institution could assume and exempt the responsibilities of one or more sponsors from the obligation to indemnify and provide health care for any damages caused. However, said provision was fully removed by the Senate.
Other highlights are:
- Exclusion of the possibility of having Independent Institutional Review Boards;
- Reestablishment of the National System of Ethics in Clinical Research with Human Beings (SNEPCSH), composed of a national ethics body (current CONEP) and a local ethics analysis body (IRBs);
- The National Research Ethics Commission (current CONEP) will now integrate the Ministry of Health, having the competence to regulate, supervise, and carry out the ethical control of research;
- The research with pregnant women will be mandatorily preceded by similar research with women outside the gestational period, except when the pregnancy or the unborn child is the fundamental object of the research;
- Studies with biological materials of human origin should avoid discrimination and stigmatization of individuals, families, or groups, regardless of the benefits obtained from the research;
- Exclusion of the possibility of having an IRB to waive the requirement of prior individual informed consent for future use of biological data and materials in case of new research of relevant social value or deemed unfeasible without waiver;
- Clinical trials may be initiated within 90 days from the submission of the request for approval to Anvisa, regardless of the Agency's manifestation, provided that the ethical protocol has been approved;
- Elimination of the "researcher/investigator-sponsor" player, under the justification that such a figure could lead, in practice, to the exemption of responsibilities on the part of the sponsor.
Criteria for Post-Study Provision
Post-study access to the investigational drug may be interrupted in the following situations:
- decision of the research participant or legal representative;
- cure of the disease or introduction of a satisfactory therapeutic alternative;
- absence of benefit from the continued use of the investigational drug to the research participant, considering the risk-benefit ratio outside the context of the clinical trial or the emergence of new evidence of risks related to the safety profile of the investigational drug;
- an adverse reaction that makes it impossible to continue the investigational drug;
- impossibility of obtaining or manufacturing the investigational drug for technical or safety reasons - provided that the sponsor provides an equivalent or superior therapeutic alternative existing on the market;
- after 5 years from the commercial availability of the investigational drug in Brazil; or
- availability of the product in the SUS.
The text will be analyzed by the President of the Republic, who may sanction it with or without veto. Subsequently, complementary regulations on operational topics are expected to be published, such as:
- availability of information about the research on a publicly accessible website;
- definition of standard operating procedures and best practices;
- rules for biobanks and biorepositories;
- mandatory clauses for clinical research contracts;
- definition of special groups;
- procedures for suspension or termination of IRBs;
- monitoring rules for research;
- definition of information and procedures for ethical analysis by the IRBs;
- creation of a national registry of volunteers in bioequivalence studies;
- requirements for the design and implementation of a post-study supply program or continuation of the experimental treatment;
- specificities of research in the humanities and social sciences.
The Life Sciences & Health practice can provide more information on the topic.
- Category: Life sciences and healthcare
On April 8, 2024, the Brazilian National Health Surveillance Agency (Anvisa) published Normative Ruling 290/24, which establishes an abbreviated analysis process for high-risk medical devices (classes III and IV), effective as of June 3. The measure allows the process to be expedited at the request of the companies, as long as the devices have already been recognized by an equivalent foreign regulatory authority (AREE).
AREEs are foreign regulatory entities that have practices aligned with Anvisa’s and are recognized as trusted bodies. Recognition by an AREE ensures that the products authorized for commercialization have been properly evaluated and meet standards of quality, safety, and efficacy similar to Brazil's.
Anvisa RDC 741/22 establishes general criteria for acceptance of analyses conducted by AREE in the sanitary surveillance at Anvisa, through an optimized analysis procedure. The resolution provides that specific rules will establish criteria and procedures to define AREEs concerning a given health surveillance process or product category.
Recognized AREEs for Medical Devices Marketing Authorization
For the adoption of the optimized procedure for analyzing medical device’s marketing authorization previously recognized by AREEs, the following entities and respective proof of registration or authorization must be considered, per Normative Ruling 220/24:
- Australia: Australia Therapeutic Goods Administration (TGA) – Australian Register of Therapeutic Goods (ARTG);
- Canada: Health Canada (HC) – Medical Device Licence;
- United States: US Food and Drug Administration (US FDA) – 510(k) Clearance, Premarket Approval (PMA) or 513(f)(2) "De Novo"; and
- Japan: Japan Ministry of Health, Labour and Welfare (MHLW) – Pre-market approval (Shonin).
Requirements for Optimized Procedure Adoption
The optimized review procedure will be applied for medical device petitions authorized by at least one AREE from the list above.
In addition, the products intended for the Brazilian market must have the same production characteristics, indications, and intended use approved by the recognized regulatory authority, which must be demonstrated by documentation.
To apply for medical device marketing authorization via an optimized procedure, the application request must be based on the documents listed in Anvisa RDC 751/22 and Anvisa RDC 36/15, and the supplementary documentation established by the new rule:
- Statement of Eligibility Assessment by the Optimized Analysis Procedure, which must contain company data, AREE’s reference, and product information – such as name and indication of use;
- document proving the marketing authorization issued by the AREE; and
- medical device instructions of use in force in the jurisdiction of the AREE.
According to the new Normative Ruling, the adoption of the optimized analysis procedure does not entail a change in the chronological order of the petitions and does not condition Anvisa's approval.
The Life Sciences & Health practice can provide more information on the topic.
- Category: Life sciences and healthcare
On April 15, 2024, the Secretariat of Science, Technology and Innovation and the Department of Industrial-Economic Health Complex (CEIS) presented clarifications on the measures taken by the Ministry of Health (MoH) to comply with the determinations of the Federal Audit Court (TCU) made in October 2022. These measures were adopted after the suspension of Productive Development Partnerships (PDPs), as decided by the TCU, in response to the release of the new strategy for the CEIS by the government (check out our previous analysis on the topic here).
The PDP is a type of governmental partnership that aims to establish cooperation between public and private laboratories for the development, training and transfer of technologies considered strategic for the Unified Health System (SUS).
Since 2017, the TCU's Specialized Health Audit Unit (AudSaúde) has been supervising the issue, and had already issued recommendations to the MoH to improve the regulatory framework applicable to partnerships (TCU Ruling 730/17).
At the end of 2022, the TCU Ruling 2.015/23 (case TC 034.653/2018-0) established, among other topics, that it would be up to the MoH to instruct public laboratories on the need to conduct a selection or pre-qualification process of the private partner, or to adequately justify when its realization is not feasible.
In addition, a reformulation of the Technical Committee (CTA) and the Deliberative Committee (CD) regiments was determined, establishing:
- objective parameters for the analysis of projects and the assignment of grades to proposals;
- criteria for the division of responsibilities of public laboratories – when more than one PDP project proposal is approved for the same product; and
- the need for the CTA to re-examine proposals for the same drug and tie-breaking criteria and to readjust market percentages.
Main points presented by the MoH to the TCU
The MoH argued that certain TCU determinations were based on a normative act that has already been revoked – Decree No. 9,245/2017, which instituted the National Policy for Technological Innovation in Health and was replaced by Decree No. 11,715/2023, the current National Strategy for CEIS’ Development.
In this sense, the MoH requested that the deadlines for compliance with certain actions should start from the publication of the PDP program’s future ordinance (the results of Public Consultation 54/23 are still in the analysis phase).
In addition, the MoH also reported that:
- the topic was put into public consultation to broaden the discussion, support decisions, promote dialogue, and legitimize transparency and social participation to obtain information, opinions, and criticisms about the PDP Program;
- the update of the internal regulations of the CTA and the CD will be made after the publication of the PDP’s new ordinance;
- the merit points that were the subject of the TCU's determinations were addressed in the ordinance’s draft subjected to public consultation; and
- all public institutions were informed, by letter via e-mail, of the need to conduct a selection or pre-qualification process of the private partner, or adequate justification in case of unfeasibility.
Case TC 034.653/2018-0 had been included in the plenary agenda of April 17, 2024, but was then removed without justification.
Public Consultation 54/23 Status
The MoH received 1,489 contributions to Public Consultation 54/23. Currently, they are being consolidated by CEIS’ Department, and, once consolidated, an administrative proceeding will be initiated to regulate the proposition and processing of the normative act.
This process will be forwarded to the Federal Attorney General's Office, which, through the MoH’s Legal Counsel (Conjur/MoH), will analyze the feasibility of the new rule and issue an opinion for the edition of the final version of PDPs ordinance, as established in the manual for the preparation, proposal, processing and consolidation of normative acts of the MoH (Ordinance 2,500/17).
At the same time, the process must be forwarded for analysis by the Executive Secretariat and the MoH office for signature and subsequent publication in the Official Union Gazette.
Public Consultation 53/23, which presented a draft regulation for the Local Innovation Development Program (PDIL) within the scope of the CEIS, should also follow the same procedure.
The Life Sciences & Health practice can provide more information on the topic.