Efforts to Delay the LGPD Fail
As noted by our firm earlier this spring, Brazilian authorities have considered delaying the General Personal Data Protection Law’s (“Lei Geral de Proteção de Dados” or “LGPD”) effective date.
Earlier this week, the Brazilian Chamber of Deputies voted on an amendment to an executive order, MP 959/2020, which would have postponed the LGPD’s effective date to January 1, 2021. However, on August 26, 2020, the Brazilian Senate revised MP 959/2020 to remove that delay. The LGPD will therefore immediately become effective upon the Brazilian president’s signature of the amendment.
Administrative Penalties Delayed
While the presidential Decree 10.474/2020, published on August 27, 2020, implemented the data protection regulator (the “Autoridade Nacional de Proteção de Dados” or “ANPD”), a previous measure, Law 14.010/2020 of June 10, 2020, had already delayed the effectiveness of enforcement-related provisions. Therefore, the newly created ANPD has no ability to bring enforcement actions under the LGPD until August 1, 2021, as MP 959/2020 does not alter that delay. However, that delay of administrative penalties does not eliminate LGPD enforcement, as the Brazilian Constitution grants a private right of action to all citizens. As such, any citizen may go to court and claim a violation of their rights, and that includes the privacy rights set forth in the LGPD.
Action Items, Preparing for LGPD Compliance
Companies should take the following actions to prepare for LGPD compliance:
A. Identify a Data Protection Officer (“DPO”) for purposes of the LGPD.
- The DPO must be publicly disclosed, "preferably" on the data controller's website.
- The DPO must be able to act as a liaison between controllers, data subjects, and the ANPD.
B. Review processing activities governed by the LGPD.
- Assess processing performed on the basis of consent to determine whether the consent provides specific purposes for the use of personal data. Consents that are not specific are invalid under the LGPD.
- Identify any personal data that can be anonymized without losing value for the purposes for which the personal data is being processed.
C. Prepare compliance documentation.
- The LGPD requires companies to maintain compliance documentation regarding data processing and transfer. Materials designed for the GDPR may have significant utility for LGPD compliance because, as under the GDPR, organizations must identify a specific legal basis for any data processing under the LGPD. The LGPD also restricts cross-border transfers, and such transfers are subject to specific rules.
- The LGPD has a significant focus on security and incident response, so carefully review internal documentation relating to those topics.
- Consider preparing a short, sharable summary of compliance activities that outlines compliance policy and procedure and links those activities to major LGPD compliance obligations.
D. Review contracts for compliance.
- Identify contracts applying to personal data governed by the LGPD, and evaluate them for compliance. Focus on the details of consent collection and international data transfers. The review should cover contracts with both a company’s vendors and customers.