Delay Denied: Brazil Senate Sets Immediate Effective Date for the LGPD

Efforts to Delay the LGPD Fail

As noted by our firm earlier this spring, Brazilian authorities have considered delaying the General Personal Data Protection Law’s (“Lei Geral de Proteção de Dados” or “LGPD”) effective date.

Earlier this week, the Brazilian Chamber of Deputies voted on an amendment to an executive order, MP 959/2020, which would have postponed the LGPD’s effective date to January 1, 2021. However, on August 26, 2020, the Brazilian Senate revised MP 959/2020 to remove that delay. The LGPD will therefore immediately become effective upon the Brazilian president’s signature of the amendment.

Administrative Penalties Delayed

While the presidential Decree 10.474/2020, published on August 27, 2020, implemented the data protection regulator (the “Autoridade Nacional de Proteção de Dados” or “ANPD”), a previous measure, Law 14.010/2020 of June 10, 2020, had already delayed the effectiveness of enforcement-related provisions. Therefore, the newly created ANPD has no ability to bring enforcement actions under the LGPD until August 1, 2021, as MP 959/2020 does not alter that delay. However, that delay of administrative penalties does not eliminate LGPD enforcement, as the Brazilian Constitution grants a private right of action to all citizens. As such, any citizen may go to court and claim a violation of their rights, and that includes the privacy rights set forth in the LGPD.

Action Items, Preparing for LGPD Compliance

Companies should take the following actions to prepare for LGPD compliance:

A. Identify a Data Protection Officer (“DPO”) for purposes of the LGPD.

  • The DPO must be publicly disclosed, "preferably" on the data controller's website.
  • The DPO must be able act as a liaison between controllers, data subjects, and the ANPD.

B. Review processing activities governed by the LGPD.

  • Assess processing performed on the basis of consent to determine whether the consent provides specific purposes for the use of personal data. Consents that are not specific are invalid under the LGPD.
  • Identify any personal data that can be anonymized without losing value for the purposes for which the personal data is being processed.

C. Prepare compliance documentation.

  • The LGPD requires companies to maintain compliance documentation regarding data processing and transfer. Materials designed for the GDPR may have significant utility for LGPD compliance as, under the GDPR, organizations must identify a specific legal basis for any data processing under the LGPD. The LGPD also restricts cross-border transfers and such transfers are subject to specific rules.
  • The LGPD has a significant focus on security and incident response, so carefully review internal documentation relating to those topics.
  • Consider preparing a short, sharable summary of compliance activities that outlines compliance policy and procedure and links those activities to major LGPD compliance obligations.

D. Review contracts for compliance.

  • Identify contracts applying to personal data governed by the LGPD, and evaluate them for compliance. Focus on the details of consent collection and international data transfers. The review should govern contracts with both a company’s vendors and customers.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Kilpatrick Townsend & Stockton LLP | Attorney Advertising

Written by:

Kilpatrick Townsend & Stockton LLP
Contact
more
less

Kilpatrick Townsend & Stockton LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.