Brazil’s government has decided to postpone the effective date of its new comprehensive data protection law. On June 12, 2020, the Brazilian government published Law No. 14,010/20, which postpones the effective date of articles 52, 53, and 54 of the Brazilian General Data Protection Law (LGPD) to August 1, 2021. Those articles establish administrative sanctions that may be applied by the Brazilian Data Protection Authority (ANPD) for LGPD violations.
Background and Effect of Brazilian General Data Protection Law (LGPD)
For background, Brazil issued the final version of LGPD on July 8, 2019, amending the previous Law of August 2018, and regulating the processing of personal data in Brazil in a similar way to the European General Data Protection Regulation. The key elements of LGPD include:
- the creation of the National Data Protection Authority
- declaration of national interest
- requirement of a data protection officer
- circumstances of shared use and communication of health data
- provision for direct conciliation
- veto of penalties prohibiting database operation and data processing
Creation of the National Data Protection Authority
The LGPD established the National Data Protection Authority (ANPD) as the Federal body responsible for regulating, supervising, and applying sanctions for violations of data protection. The principal duties of the ANPD include:
- ensuring the protection of personal data under the LGPD
- setting guidelines for the National Policy of Personal Data Protection and Privacy
- supervising and applying sanctions in case of data breaches
- performing or determining the manner of audits within its scope on the processing of personal data by processing agents
Data Protection Officer
LGPD requires data controllers and processors to appoint a Data Protection Officer (DPO). The DPO acts as a communication channel between these entities and the ANPD. In its final version, LGPD does not require the DPO to be a natural person and allows this role to be fulfilled by third-party entities.
Sensitive Health Data
The LGPD expands the circumstances under which health-related data may be subject to shared use or may be communicated:
- data portability when requested by the data subject
- when used in connection with the provision of health, pharmaceutical or healthcare assistance services, including diagnosis and therapy services as well as financial or administrative transactions arising from these.
The topic of penalties under LGPD is vague and uncertain. Previous versions of LGPD included penalties that suspended database operation for up to six months, as well as penalties that partially or totally prohibited data processing activities. In the final version, however, LGPD does not set out specific penalties in the event of a data breach, and instead grants authority to the ANPD to set out appropriate sanctions.
The LGPD comes into force in stages, with the provisions creating the ANPD already in effect. Today, the effective date of the LGPD is divided as follows:
| Effective date | Provisions |
|---|---|
| December 28, 2018 | Creation of the ANPD and the Brazilian Council for the Protection of Personal Data and Privacy |
| May 3, 2021 | Substantial part of the LGPD goes into effect (everything not covered by the effective dates above and below). |
| August 1, 2021 | Administrative sanctions by the ANPD become effective. |
Even though the effective date of sanctions has been defined, there is still uncertainty related to the effective date of the substantial part of the LGPD. Provisional Measure (PM) No. 959/20, which postponed the effective date of the LGPD to May 3, 2021 (except for articles related to the creation of the ANPD and the Brazilian Council for the Protection of Personal Data and Privacy), still needs to be reviewed by the Brazilian Congress, which should occur by August 26, 2020.
| Outcome of Congress's review of PM No. 959/20 | Result |
|---|---|
| Approved | Effective date: May 3, 2021 |
| Rejected | Effective date: August 16, 2020 |
| Amended | LGPD enters into effect on the new date established by Congress and sanctioned by the President |
What does the new development mean for companies?
The amendments to the LGPD introduce a level of uncertainty regarding penalties for violations. As the newly created ANPD has been granted the power to set out penalties and impose sanctions, as necessary and appropriate, instead of statutorily defined penalties, the penalties for violations will remain unclear until further regulations and guidance are released.
What should companies do in the meantime?
Appoint a DPO before the LGPD comes into force. This may be a natural person or a third-party entity (e.g., law firm), and will act as an intermediary between data controllers and the ANPD. Companies should also be aware that the ANPD has the authority to set out sanctions and penalties for a personal data breach, and may issue regulations to this effect before the LGPD comes into force. As it now stands, data protection in Brazil remains a topic of regulatory interest and concern. We are following these developments closely and will provide updates in due course.