Tag: Brazil

Enforcement of Brazil’s new Data Protection Law postponed due to COVID-19

8. May 2020

The Coronavirus is affecting South America, like the rest of the world, and it is spreading rapidly in its largest country: Brazil. Brazil’s Government and Legislators try to handle both the public health crisis and the economic crisis that the country is facing. Now both branches have adopted emergency measures to alleviate the effects of the virus, even impacting the enforcement of the country’s new national Data Protection Law (“Lei Geral de Proteção de Dados Pessoais” or “LGPD”).

The National Congress of Brazil only passed the LGPD in August 2018. It was originally scheduled to come into effect on 15 August 2020 (we reported). As the effects of the Coronavirus began to impact Brazilian businesses, many companies called for the postponement of the LGPD’s effective date due to the difficult economic environment and due to the fact that Brazil’s national Data Protection Authority (“ANPD”) is still not fully functional.

On 3 April 2020, the Senate of Brazil unanimously approved of the Law Bill “PL 1179/2020” which includes a provision to delay the effective date of the LGPD until 1 January 2021. Furthermore, the Bill sets forth that non-compliance with the LGPD shall not be sanctioned by the Data Protection Authorities until 1 August 2021.

The second chamber of Brazil’s National Congress, the House of Representatives, debated “PL 1179/2020” all throughout April 2020 and considered the implications of the LGPD’s postponement for the privacy rights of individuals, especially with many emergency measures on the way that were increasingly restrictive on privacy rights. A vote on “PL 1179/2020” by the House of Representatives was still pending by the end of the month.

On 29 April 2020, the President of Brazil took matters into his own hands when he issued Provisional Measure #959/2020. The measure postponed the effective date of the LGPD to 3 May 2021, without segmenting the postponement into two stages like the Senate’s Law Bill “PL 1179/2020” stipulated.

Provisional Measures issued by the President of Brazil serve as temporary law and are valid for a period of 60 days which the President may extend for another 60 days. During this time period, both chambers of the National Congress must approve of the Provisional Measure in order to become permanent law. If Congress disapproves, the measure will be invalidated.

Amidst the Coronacrisis, the National Congress passed legislation to enable an expedited process for approval of Provisional Measures on 20 March 2020. It shortens a Provisional Measure’s period of validity to 16 days. Given the issuing date of the President’s Provisional Measure #959/2020, the National Congress now must approve of it until 15 May 2020.

LGPD – Brazil’s upcoming Data Protection Law

28. November 2019

The National Congress of Brazil passed in August 2018 a new General Data Protection Law (“Lei Geral de Proteção de Dados” or “LGPD”). This law is slated to come into effect in August 2020. Prior to the LGPD, data protection in Brazil was primarily enforced via a various collection of legal frameworks, including the country’s Civil Rights Framework for the Internet (Internet Act) and Consumer Protection Code.

The new legislation creates a completely new general framework for the use of personal data processed on individuals in Brazil, regardless of where the data processor is located. Brazil also established its own Data Protection Authority, in order to enforce the guidance. Although the Data Protection Authority will initially be tied to the Presidency of the Federative Republic of Brazil, the DPA will become autonomous in the long term, in about two years.

Like the GDPR, the new framework has an extraterritorial application, which means that the law will apply to any individual or organization, private or public that processes or collects personal data in Brazil, regardless of where the Processor is based. The LGPD does not apply to data processing for strictly personal, academic, artistic and journalistic purposes.

Although the LGPD is largely influenced by the GDPR, both frameworks also differ from each other a lot. For instance, both frameworks define personal data differently. The LGPD’s definition is broad and covers any information relating to an identified or identifiable natural person. Furthermore, the LGPD does not permit cross-border transfers based on the controller’s legitimate interest. In the GDPR, the deadline for data breach notification is 72 hours; in the LGPD, the deadline is loosely defined, to name just a few.

Category: General · Personal Data
Tags: ,

Brazil changes new Data Protection Law and creates a Data Protection Authority

15. January 2019

On August 14, 2018, Brazil’s former president Michel Termer signed the new General Data Privacy Law (Lei Geral de Proteção de Dados Pessoais or “LGPD”) (we reported). Although the law enlarges the country’s data protection framework, the final text did not contain the creation of a data protection authority.

On December 28, 2018, Temer signed a last-minute executive order (Medida Provisória no. 869/18), which made important changes to the LGPD including the implementation of the Brazilian National Data Protection Authority (Autoridade Nacional de Proteção de Dados or “ANPD”).

Despite the ANPD being an independent entity and being capable of freely handling and evaluating data protection and privacy issues, the authority still is part of the federal government and linked to the office of the President of Brazil.

According to the Executive Order no. 869/18 the ANPD has, among other things, the authority to:

  • Release rules and regulations regarding privacy and data protection;
  • Exclusively be responsible for monitoring and applying fines to non-compliant organizations;
  • Within the administrative field, exclusively interpret the LGPD, including cases in which the law remain silent; and
  • Promote privacy and data protection within the Brazilian society.

The new agency would consist of 28 members, five of them to be chosen by the president to constitute the board of directors and 23 members including public, private and third sector representatives to constitute an advisory board.

The order also establishes other important changes to the LGPD. For example that:

  • The LGPD will come into force in August 2020, six months after the originally scheduled date. Until then the ANPD will have an advisory and collaborative function.
  • The Data Protection Officer does not need to be an individual person. The tasks could be performed by an internal committee or department or could be outsourced to third parties such as specialized companies and law firms.

The executive order came into force immediately but must be voted into law by the Brazilian Congress to remain valid and become permanent.