Efforts to Delay the LGPD Fail
As noted by our firm earlier this spring, Brazilian authorities have considered delaying the General Personal Data Protection Law’s (“Lei Geral de Proteção de Dados” or “LGPD”) effective date.
Earlier this week, the Brazilian Chamber of Deputies voted on an amendment to an executive order, MP 959/2020, which would have postponed the LGPD’s effective date to January 1, 2021. However, on August 26, 2020, the Brazilian Senate revised MP 959/2020 to remove that delay. The LGPD will therefore immediately become effective upon the Brazilian president’s signature of the amendment.
Administrative Penalties Delayed
While the presidential Decree 10.474/2020, published on August 27, 2020, implemented the data protection regulator (the “Autoridade Nacional de Proteção de Dados” or “ANPD”), a previous measure, Law 14.010/2020 of June 10, 2020, had already delayed the effectiveness of enforcement-related provisions. Therefore, the newly created ANPD has no ability to bring enforcement actions under the LGPD until August 1, 2021, as MP 959/2020 does not alter that delay. However, that delay of administrative penalties does not eliminate LGPD enforcement, as the Brazilian Constitution grants a private right of action to all citizens. As such, any citizen may go to court and claim a violation of their rights, and that includes the privacy rights set forth in the LGPD.
Action Items, Preparing for LGPD Compliance
Companies should take the following actions to prepare for LGPD compliance:
A. Identify a Data Protection Officer (“DPO”) for purposes of the LGPD.
- The DPO must be publicly disclosed, "preferably" on the data controller's website.
- The DPO must be able act as a liaison between controllers, data subjects, and the ANPD.
B. Review processing activities governed by the LGPD.
- Assess processing performed on the basis of consent to determine whether the consent provides specific purposes for the use of personal data. Consents that are not specific are invalid under the LGPD.
- Identify any personal data that can be anonymized without losing value for the purposes for which the personal data is being processed.
C. Prepare compliance documentation.
- The LGPD requires companies to maintain compliance documentation regarding data processing and transfer. Materials designed for the GDPR may have significant utility for LGPD compliance as, under the GDPR, organizations must identify a specific legal basis for any data processing under the LGPD. The LGPD also restricts cross-border transfers and such transfers are subject to specific rules.
- The LGPD has a significant focus on security and incident response, so carefully review internal documentation relating to those topics.
- Consider preparing a short, sharable summary of compliance activities that outlines compliance policy and procedure and links those activities to major LGPD compliance obligations.
D. Review contracts for compliance.
- Identify contracts applying to personal data governed by the LGPD, and evaluate them for compliance. Focus on the details of consent collection and international data transfers. The review should govern contracts with both a company’s vendors and customers.
While we are pleased to have you contact us by telephone, surface mail, electronic mail, or by facsimile transmission, contacting Kilpatrick Townsend & Stockton LLP or any of its attorneys does not create an attorney-client relationship. The formation of an attorney-client relationship requires consideration of multiple factors, including possible conflicts of interest. An attorney-client relationship is formed only when both you and the Firm have agreed to proceed with a defined engagement.
DO NOT CONVEY TO US ANY INFORMATION YOU REGARD AS CONFIDENTIAL UNTIL A FORMAL CLIENT-ATTORNEY RELATIONSHIP HAS BEEN ESTABLISHED.
If you do convey information, you recognize that we may review and disclose the information, and you agree that even if you regard the information as highly confidential and even if it is transmitted in a good faith effort to retain us, such a review does not preclude us from representing another client directly adverse to you, even in a matter where that information could be used against you.