[co-authors: Daniel Crespo, Paula Pagani]
After a long period of uncertainty about the effective date of Brazil’s General Data Protection law (LGPD), Brazil’s Congress on Wednesday dramatically approved a last-minute amendment to legislation that accelerated the effective date of the LGPD to immediately take effect, as of August 27.
As we have reported here, Brazil's Congress and President have traded proposals over the past few months to delay the effective date of the LGPD in order to mitigate the impact of the COVID-19 pandemic on companies. Most recently, the Chamber of Deputies voted to approve a provisional measure that aimed to delay the effective date of the LGPD to December 31, 2020. That measure was sent to the Senate, which issued a last-minute amendment that set the effective date of the main provisions of the LGPD to August 27, 2020.
With the LGPD’s main provisions entering into force, private lawsuits and public prosecutor actions based on the LGPD are now possible as of August 27, 2020. This means that prosecutors and individuals are able to bring lawsuits against companies under Brazil’s Consumer Rights Law, Internet Law, or Civil Code in case of any LGPD violations.
In the meanwhile, administrative sanctions under the LGPD are still subject to Law No. 14,010/20, which postponed the availability of those sanctions until August 1, 2021. That said Brazil still awaits for the regulation constituting the National Data Protection Authority (ANPD), the administrative agency tasked with enforcing administrative sanctions and issuing regulations under the LGPD.
With the main provisions of the LGPD taking effect and the possibility of private lawsuits and public prosecutor actions, companies should consider their compliance with the LGPD, including by:
- Reviewing and updating privacy notices and consent forms;
- Identifying and updating any agreements that involve the transfer of Brazilian personal data, including cross-border transfers out of Brazil;
- Carrying out impact reports for "high risk" data uses;
- Implementing reasonable security measures; and
- Updating policies and procedures, including breach notification, to meet LGPD standards.
This post was updated on August 27 with additional information about the possibility of a presidential veto and Decree No. 10,464.