In a surprising turn of events, the Brazilian Senate has revised executive order MP 959/2020 to remove the delayed effective date of Brazil’s General Personal Data Protection Law (“Lei Geral de Proteção de Dados” or “LGPD”). As we previously discussed in Taft’s Privacy & Data Security Insights blog, Brazil had originally delayed the implementation of LGPD to have an effective date of January 2021. However, during a remote session on August 26, 2020, the Brazilian Senate rejected the proposed delay by the Brazilian Chamber of Deputies (the lower house of Brazil’s National Congress) and set an enactment date of August 27, 2020. Upon the Brazilian president’s signature of MP 959/2020, LGPD will become effective immediately.
It should be noted that administrative sanctions and penalties for LGPD violations will continue to be delayed until August 2021. As a reminder, under LGPD, the newly created Brazilian National Data Protection Authority (“ANPD”) would oversee personal data protection measures, allowing data subjects to submit claims or complaints directly to the ANPD. Although the ANPD would not be able to bring enforcement actions until August 2021, LGPD—once sanctioned by the President—allows citizens and data subjects to immediately claim violations of their privacy rights through legal action in Brazil’s court system.
The immediate enactment of LGPD is unusual given the fact that it was delayed from its original August 16, 2020 effective date by the Brazilian Congress and President due to the global impact of the COVID-19 pandemic. Despite the ongoing pandemic, Brazil’s leadership appears ready to now move forward with LGPD’s data protection measures. Unfortunately, this means that entities processing relevant personal data will need to ensure they comply with LGPD and follow the ANPD’s guidelines in the ensuing months—while they deal with the impact COVID-19 is having on their businesses.