11. November 2020
Since 18 September 2020, the main provisions of the Brazilian Data Protection Law “LGPD” are in effect. At the same time, Brazilian businesses have been facing legal uncertainty because Brazil’s national Data Protection Authority (“ANPD”) is still not fully functional (we reported). The ANPD shall provide businesses with vital guidance, inter alia, by assessing foreign countries’ level of data protection for international data transfers, Art. 34 LGPD.
On 15 October 2020, the President of Brazil appointed the five members for the ANPD Board of Directors. Following the formal approval process of President appointees in Brazil (“Sabatina”), the Infrastructure and Services Commission of Brazil’s Senate approved of the President’s appointees on 19 October 2020.
Finally, on 20 October 2020, the Senate’s plenary approved of the five appointees. This marks another major step in the ANPD becoming fully operational. The serving terms of the Board of Directors will be staggered:
- Serving a six-year term: Waldemar Ortunho, current president of Telebras, a state-owned telecommunications company
- Serving a five-year term: Arthur Pereira Sabbat, currently the Director of the Institutional Security Office (GSI) for the Government’s cybersecurity
- Serving a four-year term: Joacil Basilio Rael, currently advisor at Telebras
- Serving a three-year term: Nairane Farias Rabelo, currently Partner at a law firm specialized in Tax Law and Data Protection Law
- Serving a two-year term: Miriam Wimmer, currently a Director of Telecommunications Services at the Brazilian Ministry of Science, Technology, Innovation and Communications
However, Annex II to the Presidential Decree 10.474 establishing the ANPD sets forth that many more yet vacant positions of the ANPD will have to be filled before it may be fully functional. Until then, Brazilian businesses remain waiting on guidance from the ANPD.
28. August 2020
Earlier this year, in April, the President of Brazil issued Provisional Measure #959/2020, which dealt with emergency measures in face of the pending Coronacrisis. The Provisional Measure (“PM”) did not only set rules for the federal banks’ payments of benefits to workers affected by the reduction in salary and working hours and the temporary suspension of employment due to the pandemic, but also postponed the effective date of Brazil’s first Data Protection Law (“LGPD”) from the 14 August 2020 to the 3 May 2021 (we reported).
In Brazil, PMs serve as temporary law and are valid for a maximum period of 120 days, in which both chambers of the National Congress must approve of the PM in order to become permanent law.
As the 120 days period was coming to an end, the House of Representatives approved of the PM on 25 August 2020, but included an amendment to delay the effective date only to the 31 December 2020. One day later, on 26 August 2020, the Senate approved of the PM, but provided yet another amendment to not include any delay of the LGPD’s effective date at all. The Senate’s amendment rather postulates that violations against the LGPD shall not be santioned by the Data Protection Authority until 1 August 2021. Thus, neither the House of Representative’s postponement to the 31 December 2020 nor the President’s intial postponement to the 3 May 2021 were approved of. This development came to a great surprise because in April, Brazil’s Senate itself introduced Law Bill “PL 1179/2020” which aimed at postponing the effective date of the LGPD to 1 January 2021.
After all, the LGPD will become effective very soon. Upon the rapid developments regarding the LGPD, legal commentators from Brazil still share some confusion to when the law will become valid exactly. They report that the law will become effective either when the President signs it into law or retroactively on 14 August 2020. In any case, many Brazilian businesses are reportedly not ready for the LGPD whilst also facing a very difficult economic environment, as Brazil is suffering from the consequences of the pandemic.
Moreover, Brazilian businesses are also facing legal uncertainty because Brazil’s national Data Protection Authority (“ANPD”) is still not fully functional. Only on 26 August 2020, Brazil’s President passed Decree 10.474 to establish the ANPD. However, the new Data Protection Law gives the ANPD many vital responsibilities that it has not been able to fulfil, because it hadn’t been established yet. These responsibilities include
- Recognising good practices and best-in-class examples of accountable privacy programs,
- Establishing rules, procedures and guidance for organisations as required by the LGPD,
- Clarifying LGPD provisions,
- Providing technical standards to organisations, and
- Enabling international transfers of personal data.
As the recent developments and the status quo of the national Data Protection Authority suggest a rocky road ahead for Brazil’s privacy landscape, the fundamental milestones of making the LGPD effective and establishing the ANPD have been passed now. At the same time, Brazilian businesses can draw hope from the fact that they have time to become compliant until 1 August 2021.