Insights: Alerts COVID-19 Potentially Postpones the LGPD in Brazil

In response to what could quickly become a very hard winter with COVID-19, the Brazilian Federal Senate approved, on April 4, 2020, the Bill 1.179/2020(“Regime Jurídico Emergencial e Transitório das Relações Jurídicas de Direito Privado” or “RJET”). The bill, which implements emergency and transitory rules on various topics, notably postpones the entry into force of the General Personal Data Protection Law2 (“Lei Geral de Proteção de Dados” or “LGPD”). The RJET bill was received by the Brazilian House of Representatives on April 13, 2020 and is expected to be approved relatively quickly, and subsequently submitted to President Jair Bolsonaro for approval. This comes as the President just fired his respected health minister who had predicted that the Brazilian health system would collapse this month, and videos of those who had succumbed to COVID-19 lying in Brazilian hospital hallways are being circulated by news outlets around the world.

The LGPD, which was initially scheduled to be effective in 2019, was postponed once before by Law 13.853/2019,3 which provided that the LGPD would become effective on August 20, 2020. The first postponement was stated to be necessary in order to provide additional time for the Federal Government to implement the National Data Protection Authority (“Autoridade Nacional de Proteção de Dados” or “ANPD”). Under the RJET bill, however, the effectiveness of the LGPD is further postponed to January 1, 2021,4 and specific enforcement-related provisions of the LGPD shall only become effective on August 1, 2021.5

What to expect

The new postponement was criticized by data protection and privacy advocates. The Brazilian Public Prosecutor’s Office (“Ministério Público Federal” or “MPF”) issued a technical note6 opposing the postponement, and proposed that any delays should be limited to LGPD enforcement-related provisions only. Indeed, at this time, the National Data Protection Authority has still not been created. As such, if the House of Representatives were to follow MPF’s recommendation and limit the postponement to enforcement-related provisions, it would allow both the companies to continue their LGPD compliance efforts and the ANPD to finally be established.

In any event, it is important to note that even if the LGPD’s entry into force is fully postponed, data protection has increasingly been the subject of legislative efforts in Brazil. One of these efforts was reflected by the proposition of a Constitutional Amendment in 2019.7 The proposition, which was approved by the Brazilian Federal Senate and is currently at the House of Representatives for approval, defines personal data protection as a fundamental right under the Brazilian Constitution. 

Additionally, while the first version of the RJET bill provided for a general 18-month postponement of the entire LGPD framework,8 several Senators proposed revisions, arguing that such a postponement would result in legal uncertainty. These concerns were recognized and reflected in the final text,9 which, as explained above, sets forth different entry into force dates for the general data protection framework and the enforcement-related provisions. 

Further, as a signal that data protection is still a high priority matter, the Federal Government published, on April 10, 2020, the first edition of the LGPD Guide of Best Practices.10 The guide, which will be progressively updated as the ANPD is created and begins to issue directives, shall serve as a general LGPD compliance guide for all public entities in Brazil.

Conclusion

While the RJET bill is not yet final, it is still crucial that companies conducting any data processing operations in Brazil continue their efforts in complying with the LGPD. 

In order to prepare for the LGPD, we recommend that companies take the following key preliminary actions necessary for compliance: 

  1. Identify and publicly disclose a Data Protection Officer, in the terms set forth in article 41 of the LGPD;
  2. Identify data that is subject to the LGPD, as “personal data” is broadly defined as any information relating to an identified or identifiable natural person;
  3. Review processing activities governed under the LGPD, notably with respect to consent, as a blanket authorization regarding the use of personal data is expressly prohibited;
  4. Prepare compliance documentation regarding data processing and transfers, as organizations must identify a specific legal basis for any data processing and cross border transfers are restricted and subject to specific rules;
  5. Review contracts for compliance;
  6. Monitor and update compliance measures as needed, by tracking enforcement activity resulting from administrative sanctions, judicial decisions, or advisory activity of the ANPD.

Footnotes

Bill 1.179/2020 of the Brazilian Federal Senate on the Emergency and Transitory Legal Framework for Private Law Legal Relations (“Regime Jurídico Emergencial e Transitório das Relações Jurídicas de Direito Privado” or “RJET”), available at https://www25.senado.leg.br/web/atividade/materias/-/materia/141306.

2 Law 13.709 of August 14, 2018 (“Lei Geral de Proteção de Dados (LGPD)”), available at http://www.planalto.gov.br/ccivil_03/_ato2015-2018/2018/lei/L13709.htm

Law 13.853 of July 8, 2019 on data protection and the creation of the National Data Protection Authority, available at http://www.planalto.gov.br/ccivil_03/_Ato2019-2022/2019/Lei/L13853.htm#art2

Article 25 of the RJET.

Id.

Technical Note, dated April 14, 2020, available at http://www.mpf.mp.br/pgr/noticias-pgr/mpf-e-contra-o-adiamento-do-inicio-de-vigencia-da-lei-geral-de-protecao-de-dados

“Proposta de Emenda à Constituição No. 17 de 2019”, available at https://www25.senado.leg.br/web/atividade/materias/-/materia/135594.

Senator Antônio Anastasia, PL 1.179/2020 dated March 30, 2020, available at https://legis.senado.leg.br/sdleg-getter/documento?dm=8081773&ts=1586898521531&disposition=inline

Senator Simone Tebet, Parecer dated April 3, 2020, available at https://legis.senado.leg.br/sdleg-getter/documento?dm=8088980&ts=1586898525739&disposition=inline

10 “Guia de Boas Práticas – Lei Geral de Proteção de Dados (LGPD)”, available at https://www.gov.br/governodigital/pt-br/governanca-de-dados/guia-de-boas-praticas-lei-geral-de-protecao-de-dados-lgpd

Related People

Latest Thinking

View more Insights
Insights Center
close
Loading...
If you would like to receive related insights and information from Kilpatrick Townsend, please provide your contact details by filling out the form and clicking “Agree.” If you would like to access the PDF only, please click “Download Only.”