As up-to-date readers of Taft’s Privacy & Data Security Insights blog know, the legal landscape continues to quickly evolve due to the economic, legal and privacy impacts of COVID-19. Moreover, we have seen significant flexibility from government agencies on various laws and regulations as a result of COVID-19.
Brazil’s encroaching data privacy law is the latest to suffer a delay as a result of the economic uncertainty caused by COVID-19. Brazil’s General Data Protection Law (aka, the Lei Geral de Proteção de Dados and referred to as the “LGPD” in the Portuguese acronym) appeared ready to go into effect in August 2020. However, Brazil has recently and rapidly become a hot spot for COVID-19. On April 3, 2020, as a result of the healthcare crisis caused by COVID-19, the Brazilian Senate approved Bill No. 1179/2020. This emergency measure postpones the effective date for the LGPD to January 2021, with sanctions and penalties enforceable only after August 2021. The Brazilian Senate validated its emergency measure by asserting that businesses should not be burdened by having to dedicate resources for privacy compliance as they navigate the crisis caused by COVID-19. Bill No. 1179/2020 is now awaiting approval by the Brazilian House of Representatives.
On April 29, Brazilian President Bolsonaro issued Provisional Measure No. 959/2020, which delays the application date of the LGPD to May 3, 2021. Brazilian provisional measures have the same effect as law, though they must still be approved by the Brazilian Congress. Essentially, there are now two measures that may delay the effective date of the LGPD until at least next year: 1) the Brazilian House of Representatives must vote on and approve Bill No. 1179/2020 for an effective date of January 2021 for the LGPD; or 2) the Brazilian Congress must approve Provisional Measure No. 959/2020 for an effective date of May 2021 for the LGPD.
Given the impact of COVID-19 and the fact that a Brazilian national data protection authority is not operational yet, it is highly likely that at least one of the two proposed extensions will pass. There is certainly merit to postponing the application and enforcement of the LGPD. Companies already have dwindling resources while dealing with current economic hardships and instability. Not requiring companies to dedicate resources to comply with privacy regulations—such as developing an enterprise-wide strategy for the handling of personal data—will come as a relief to many businesses.
However, there is concern that a lack of data protection and regulation during the COVID-19 pandemic may erode individual rights, particularly when health information is being readily transmitted through coronavirus testing and contact tracing. The Brazilian Public Prosecutor’s Office opposed the postponement of the LGPD, stating that constitutional and legal principles are especially essential during times of crisis. It also stressed that the LGPD would actually help develop actions and collaborations with foreign entities to battle the global pandemic, through sharing health information with international agencies. There is also growing concern that continual postponement of the LGPD sends a message to the international community that Brazil is having difficulty implementing privacy laws, and serves as a barrier to the circulation of international data, goods and services. International distrust would exacerbate economic loss already caused by COVID-19.
While the current focus is rightfully on the numerous hardships posed by COVID-19, it is still important to analyze how the impact of deferring privacy regulations may affect individual rights. Even if the LGPD is delayed, global organizations processing personal data from or in Brazil should keep apprised of the LGPD’s developments. As an additional reminder, the California Consumer Privacy Act (CCPA) has not been postponed despite COVID-19 and will be enforced in July 2020.