In August 2018, Brazil passed a comprehensive data privacy law called the General Data Protection Law (the Lei Geral de Proteção de Dados Pessoais, hereinafter the LGPD). Since the enactment of the LGPD, businesses and organizations doing business in Brazil have been ramping up and preparing for the implementation of the law. At the end of August 2020, the Brazilian government started to tie up some of the LGPD’s loose ends, which led to several important outcomes that are essential to understanding the future of the LGPD. Most notably, (i) the LGPD could become effective as soon as September 16, 2020, and (ii) the Brazilian federal government has approved the structure of the regulatory body that will oversee the LGPD’s enforcement. Thus, businesses and other organizations that are subject to the LGPD should be mindful of the law’s timeline for effectiveness and should prioritize working towards compliance.
The LGPD: A high-level overview
According to Article 1 of the LGPD, the law is guided by the principle of protecting “the fundamental rights of freedom and privacy and the free development of the personality of the natural person.” Like the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), the LGPD has extraterritorial scope. Subject to certain listed exceptions, according to Article 3, the LGPD applies to the processing of “personal data” (as such term is defined by the LGPD) by any natural person or entity, public or private, even if such natural person or entity is based outside of Brazil, provided that (1) the processing takes place in Brazil, (2) the purpose of the processing is to offer or provide goods or services in Brazil, or (3) the personal data being processed was collected in Brazil.
The LGPD also takes a broad view of what data falls within the definition of personal data, similar to the GDPR and CCPA. In Article 5, the LGPD defines personal data as information related to an identified or identifiable natural person. Arguably, because of its broad definition, personal data may include information such as online identifiers. Article 12 of the LGPD states that data may be considered personal when used to create behavioral profiles (which may include online profiles) of a natural person and when such profiles identify that person. The LGPD also provides heightened protection for sensitive personal data, such as information concerning racial origin or genetic or biometric data.
The individual rights of data subjects under the LGPD are similar to the rights of data subjects under the GDPR, including the right to access data, the right to correct incomplete or inaccurate data, the right to delete personal data, and the right to revoke consent. Other requirements under the LGPD include hiring an officer to be in charge of processing, only processing personal data if the processing falls under one of the enumerated legal bases, and reporting data breaches within a reasonable time period.
Recent developments for the LGPD: Effective date becomes more certain and a regulatory body for enforcement
Initially, the effective date of the LGPD was slated for August 16, 2020. However, earlier this year, after taking into consideration the effects of COVID-19, President Jair Bolsonaro issued Provisional Measure No. 959/2020 to postpone the LGPD’s effective date to May 3, 2021. Several months later, on August 25, 2020, the Brazilian House of Representatives approved the Provisional Measure, but amended it to change the effective date to December 31, 2020. Then, on August 26, 2020, the Senate ultimately omitted all of the language related to any such postponement, and the remaining text was woven into Conversion Bill No. 34/2020 (PLV).
The PLV is now reportedly on President Bolsonaro’s desk, waiting for his action. Without a proposed postponement date in the PLV, the LGPD is expected to become effective as soon as the President approves or vetoes the PLV (although there is some debate as to whether the effective date could instead be retroactively applied to the original August 16, 2020 date upon signing). Per Article 66 of the Constitution of the Federative Republic of Brazil, the President has 15 working days to approve or veto the PLV after receipt, which means his approval or veto could come as soon as September 16, 2020. Similarly, if the President takes no action within such period, then the LGPD is anticipated to become effective immediately upon expiry of the deadline. Therefore, the LGPD could become effective any day now or, alternatively, retroactively apply back to the August 16, 2020 date.
Ensuring compliance with the LGPD is now even more important because on August 27, 2020, the Brazilian federal government approved the regulatory framework for the National Authority for Protection of Data (the Autoridade Nacional de Proteção de Dados, hereinafter the ANPD). The ANPD will be responsible for a variety of functions, including enacting regulations to enforce the LGPD, designing the National Plan for Data Protection, notifying data subjects of breaches, and enforcing LGPD penalties, which could amount to millions of dollars in some situations. In conjunction with the LGPD likely becoming effective very soon, the formalization of the ANPD will give the LGPD some regulatory teeth, although enforcement of penalties and other administrative sanctions will be delayed until August 1, 2021, in accordance with Law No. 14.010.
Although the recent developments regarding the LGPD seem sudden and rather chaotic, it is clear that the Brazilian government is beginning to iron out some of the LGPD’s wrinkles. As stated, the law could become effective any day now or may potentially be applied retroactively.
If they have not already done so, organizations that collect the personal data of individuals in Brazil or that process personal data in Brazil should assess their personal data processing activities that are covered by the LGPD and work expeditiously to meet requirements and close any compliance gaps.