Brazil’s long-anticipated data protection law, Lei Geral De Proteção de Dados Pessoais (“General Law for Data Protection” or “LGPD”), now appears positioned to take effect in a matter of days. Ever since the law was originally passed in August 2018, implementation and enforcement timelines have been in flux. In a rather sudden turn of events last week, however, dramatic back-to-back votes by each house of Brazil’s National Congress now put the substantive provisions of the LGPD on track to take effect in a few days’ time, upon approval by Brazil’s president. The LGPD’s administrative fines and sanctions provisions remain scheduled to take effect next year in August 2021.
Now that LGPD implementation has taken more shape, here is a high-level overview of how the LGPD got to this point, where plans for LGPD enforcement currently stand, and what companies should think about as they gear up to comply.
How did the LGPD get to this point?
Ever since the LGPD first passed in August 2018, its implementation has faced a long, winding road. This spring during the COVID-19 crisis, Brazil’s president, Jair Bolsonaro, proposed legislation delaying the law’s implementation date, which garnered support from industry stakeholders, including Brazil’s International Chamber of Commerce. Some Brazilian legislators, however, resisted postponement. Here is a quick timeline of some of the key legislative developments in recent months:
- August 2018: Brazil passes the LGPD. The law is set to take effect on August 14, 2020.
- April 29, 2020: President Bolsonaro issues Provisional Measure 959, which proposes to delay the LGPD’s substantive provisions from taking effect until May 3, 2021. This provisional measure requires approval from Brazil’s Congress by August 27, 2020, in order to have permanent effect. If Congress rejects the provisional measure or does not act by August 27 and instead allows it to expire, the implementation of the substantive provisions reverts back to the original date of August 14, 2020.
- June 10, 2020: President Bolsonaro signs Law 14.010, which delays the administrative sanctions provisions of the LGPD from taking effect until August 1, 2021.
- August 25-26, 2020: Brazil’s Congress votes on Provisional Measure 959. On August 25, the lower house, the Chamber of Deputies, votes and approves the provisional measure, with a provision delaying the LGPD until December 31, 2020. The next day, however, the upper house, the Federal Senate, approves the provisional measure but eliminates that provision, reverting the LGPD’s effective date back to its original date of August 14, 2020. The LGPD will therefore take effect upon sanction by President Bolsonaro, which will occur within 15 days (though there is lingering debate about whether the law will apply retroactively to its original effective date of August 14).
- August 27, 2020: President Bolsonaro publishes a decree establishing the National Data Protection Authority (“ANPD”), the Brazilian supervisory authority charged with enforcing the LGPD.
What does this mean for LGPD enforcement?
Currently, enforcement is not set to begin until August 1, 2021, when the administrative sanctions provisions of the LGPD go into effect. For companies that violate the LGPD, the LGPD provides for administrative sanctions that may include fines of up to 2% of the company’s revenues in Brazil for the prior financial year, up to a maximum of R 50,000,000.00 (approx. $9M USD) per infraction.
Given that the ANPD was only just established last week, many questions remain regarding how the ANPD will operate in practice. The ANPD will be linked to the Presidential Office, and therefore will not be fully independent. The ANPD’s five-member Board of Directors, however, has yet to be appointed. Due to funding limitations related to the ongoing COVID-19 crisis, it is possible that Brazil’s government will simply re-assign leaders (who may or may not have privacy experience) from other government bodies to serve on the ANPD. Brazil’s antitrust authority, Administrative Council for Economic Defense (“CADE”), furthermore, has thrown itself into the ring as a potential DPA. CADE recently leaked documents marketing itself as a natural fit to serve as Brazil’s DPA, given its experience in enforcement and the resources it already has available. Unlike the ANPD, CADE is an independent agency. We will continue to monitor how ANPD formulation takes shape over the coming weeks and months.
Even though the ANPD will not impose administrative penalties under the LGPD until August 2021, companies subject to the law are not free from liability in the interim. Brazilian consumer protection authorities and public prosecutors may still bring claims against companies for alleged LGPD violations. LGPD compliance, therefore, should be prioritized sooner rather than later.
Who does the LGPD apply to and what obligations does it impose?
The LGPD has far-reaching implications for the global privacy landscape, but the good news is that it appears heavily influenced by the GDPR. As with the GDPR, the LGPD applies broadly to the processing of personal data—both online and offline. Here are some key LGPD concepts to keep in mind as companies begin to evaluate their compliance posture:
- The LGPD Applies Extraterritorially: The LGPD applies to any processing operation carried out by any entity—whether public or private, and regardless of size, revenue, or headquarter location—if:
- The processing is carried out in Brazil;
- The purpose of the processing activity is to offer or provide goods or services in Brazil or process data of individuals located in Brazil; or
- The personal data being processed was collected in Brazil.
- The LGPD Requires a Legal Basis for Processing Personal Data: A company may only process personal data if it meets one of ten enumerated legal bases. The ten legal bases include, most notably: consent of the data subject; necessity for execution of a contract; necessity for fulfilling the legitimate interests of the controller or a third party; and protection of credit.
- The LGPD Grants Rights to Data Subjects: The LGPD seeks to protect the personal data of data subjects and does not expressly provide a citizenship or residency requirement in order for a person to qualify as a data subject. Under the LGPD, data subjects have the right to obtain the following from a controller with respect to their personal data:
- Confirmation of the existence of processing;
- Access to the data;
- Correction of incomplete, inaccurate or out-of-date data;
- Anonymization, blocking or deletion of unnecessary or excessive data or data processed in noncompliance with the LGPD;
- Portability of the data to another service or product provider;
- Deletion of personal data processed with the consent of the data subject;
- Information about public and provide entities with which the controller has shared data;
- Information about the possibility of denying consent and the consequences of such denial;
- Revocation of consent; and
- Facilitated access to information concerning the processing of his or her data, such as information about the specific purposes of the processing, the type and duration of processing, the identification of the controller and its contact information, information regarding the shared use of data by the controller and the purpose, responsibilities of the agents that will carry out the processing, and the data subject’s rights under the LGPD.
- The LGPD imposes heightened obligations on sensitive personal data and children’s personal data: As with the GDPR, the LGPD requires that companies adhere to stricter standards when processing certain types of personal data.
- Sensitive personal data is defined under the LGPD as personal data concerning racial or ethnic origin, religious belief, political opinion, trade union or religious, philosophical or political organization membership, data concerning health or sex life, genetic or biometric data, when related to a natural person. Sensitive personal data may only be processed with the data subject’s consent, or if other limited conditions are met.
- Children’s personal data: the LGPD generally requires consent by a parent or legal representative in order to process personal data of children and teenagers (subject to limited exception). A controller may not condition the participation of children in games, internet applications, or other activities on providing personal information beyond what is strictly necessary for the activity.
- The LGPD imposes security obligations on both controllers and processors: Controllers and processors must adopt security, technical, and administrative measures able to protect personal data from unauthorized access and accidental or unlawful situations of destruction, loss, alteration, communication or any type of improper or unlawful processing. When developing security good practices, the LGPD provides that a company shall take into consideration the company’s structure, scale, volume of operations, sensitivity of the processed data, and the likelihood and severity of damage to data subjects.
- The LGPD requires controllers to report security incidents to data subjects and to the ANPD: A company must report a security incident to the ANPD within “a reasonable time period.” We anticipate that interpretive guidance will elaborate on what constitutes “a reasonable time period” under the LGPD.
Key LGPD Takeaways
- LGPD Compliance Remains a Moving Target: With the August 1, 2021, enforcement date a year away and the ANPD only just established days ago, enforcement remains somewhat uncertain at this stage. Over the next year leading up to enforcement, we anticipate additional interpretive guidance that will shed some light on open questions in the LGPD as well as plans for ANPD enforcement.
- LGPD Signals a Growing Trend of National Data Protection Laws: Following the GDPR and CCPA, the LGPD signals a growing trend in new, updated national data protection laws. New Zealand’s Privacy Act 2020 comes into effect on December 1, 2020, Japan recently voted to amend its Act on the Protection of Personal Information, and Nigeria recently published a draft data protection bill—this is just to name a few. Our Orrick team’s global privacy compliance program can help companies navigate and capitalize on this growing patchwork of global privacy laws.
Our Orrick team will continue to monitor LGPD developments in Brazil, as well as privacy law developments around the world.