Brazil’s long-anticipated data protection law, Lei Geral De Proteção de Dados Pessoais (“General Law for Data Protection” or “LGPD”), now appears positioned to take effect in a matter of days. Ever since the law was originally passed in August 2018, implementation and enforcement timelines have been in flux. In a rather sudden turn of events last week, however, dramatic back-to-back votes by each house of Brazil’s National Congress now put the substantive provisions of the LGPD on track to take effect in a few days’ time, upon approval by Brazil’s president. The LGPD’s administrative fines and sanctions provisions remain scheduled to take effect next year in August 2021.
Now that LGPD implementation has taken more shape, here is a high-level overview of how the LGPD got to this point, where plans for LGPD enforcement currently stand, and what companies should think about as they gear up to comply.
How did the LGPD get to this point?
Ever since the LGPD first passed in August 2018, its implementation has faced a long, winding road. This spring during the COVID-19 crisis, Brazil’s president, Jair Bolsonaro, proposed legislation delaying the law’s implementation date, which garnered support from industry stakeholders, including Brazil’s International Chamber of Commerce. Some Brazilian legislators, however, resisted postponement. Here is a quick timeline of some of the key legislative developments in recent months:
What does this mean for LGPD enforcement?
Currently, enforcement is not set to begin until August 1, 2021, when the administrative sanctions provisions of the LGPD go into effect. For companies that violate the LGPD, the LGPD provides for administrative sanctions that may include fines of up to 2% of the company’s revenues in Brazil for the prior financial year, up to a maximum of R$50,000,000.00 (approx. $9M USD) per infraction.
Given that the ANPD was only just established last week, many questions remain regarding how the ANPD will operate in practice. The ANPD will be linked to the Presidential Office, and therefore will not be fully independent. The ANPD’s five-member Board of Directors, however, has yet to be appointed. Due to funding limitations related to the ongoing COVID-19 crisis, it is possible that Brazil’s government will simply re-assign leaders (who may or may not have privacy experience) from other government bodies to serve on the ANPD. Brazil’s antitrust authority, Administrative Council for Economic Defense (“CADE”), furthermore, has thrown itself into the ring as a potential DPA. CADE recently leaked documents marketing itself as a natural fit to serve as Brazil’s DPA, given its experience in enforcement and the resources it already has available. Unlike the ANPD, CADE is an independent agency. We will continue to monitor how ANPD formulation takes shape over the coming weeks and months.
Even though the ANPD will not impose administrative penalties under the LGPD until August 2021, companies subject to the law are not free from liability in the interim. Brazilian consumer protection authorities and public prosecutors may still bring claims against companies for alleged LGPD violations. LGPD compliance, therefore, should be prioritized sooner rather than later.
Who does the LGPD apply to and what obligations does it impose?
The LGPD has far-reaching implications for the global privacy landscape, but the good news is that it appears heavily influenced by the GDPR. As with the GDPR, the LGPD applies broadly to the processing of personal data—both online and offline. Here are some key LGPD concepts to keep in mind as companies begin to evaluate their compliance posture:
Key LGPD Takeaways
Our Orrick team will continue to monitor LGPD developments in Brazil, as well as privacy law developments around the world.