Insights: Alerts LGPD In Effect: First Civil Action Filed in Brazil
After a tumultuous legislative history, as noted in our previous alerts, the Brazilian Senate finally passed into law a revised proposal to remove any delays of the LGPD’s effectiveness. On September 18, 2020,1 the Brazilian president promulgated Law 14.058/2020 and Brazil’s comprehensive data protection law, the General Personal Data Protection Law (“Lei Geral de Proteção de Dados” or “LGPD”), entered into force immediately.
While the data protection regulator (“Autoridade Nacional de Proteção de Dados” or “ANPD”) was implemented by a presidential Decree on August 27, 2020,2 enforcement-related provisions are only set to become effective on August 1, 2021, as provided by Law 14.010/2020.3
However, such delay does not eliminate LGPD enforcement, as the Brazilian Constitution grants a private right of action to all citizens and a public right of action to its “Ministério Público” or “MP” (Brazil Public Prosecutors’ Office). Specifically, the Ministério Público, which is composed by several offices at both the Federal and State levels, has several functions, including the role of instituting “civil investigations and public civil actions to protect the public and social patrimony, the environment and other diffuse and collective interests.”4 Further, the Brazilian Consumer Protection Code (the “CDC”) also provides that the “defense of consumers’ rights and interests may be exercised collectively.”5
First LGPD Lawsuit Filed
On September 21, 2020, merely three days after the LGPD’s entry into force, the Ministério Público do Distrito Federal e dos Territórios (“MPDFT”), based in Brasília, filed its first public civil action based on the LGPD.6 Specifically, the lawsuit was filed against a digital services company based in the state of Minas Gerais. According to the complaint, the targeted company holds data of 500,000 individuals of the city of São Paulo (including their name, email address, phone number and home address), which the company sells to other entities for marketing purposes. The complaint also states that potential buyers of data are able to purchase segmented personal data, such as data from medical doctors, accountants, hairdressers, engineers, etc., from specific states of Brazil.
It is important to highlight that the MPDFT has a dedicated unit specialized in data privacy and artificial intelligence (“Unidade Especial de Proteção de Dados e Inteligência Artificial” or “ESPEC”). The ESPEC is the first Brazilian initiative dedicated exclusively to the protection of the personal data and privacy of Brazilian citizens.
While administrative penalties are not going to occur before August 2021, it is imperative that companies with Brazilian operations take the necessary steps to adequately protect data and ensure LGPD compliance. Indeed, the MPDFT’s action is likely to serve as an encouragement for other MPs in Brazil to take the initiative in protecting data privacy rights.
While we are pleased to have you contact us by telephone, surface mail, electronic mail, or by facsimile transmission, contacting Kilpatrick Townsend & Stockton LLP or any of its attorneys does not create an attorney-client relationship. The formation of an attorney-client relationship requires consideration of multiple factors, including possible conflicts of interest. An attorney-client relationship is formed only when both you and the Firm have agreed to proceed with a defined engagement.
DO NOT CONVEY TO US ANY INFORMATION YOU REGARD AS CONFIDENTIAL UNTIL A FORMAL CLIENT-ATTORNEY RELATIONSHIP HAS BEEN ESTABLISHED.
If you do convey information, you recognize that we may review and disclose the information, and you agree that even if you regard the information as highly confidential and even if it is transmitted in a good faith effort to retain us, such a review does not preclude us from representing another client directly adverse to you, even in a matter where that information could be used against you.