In response to what could quickly become a very hard winter with COVID-19, the Brazilian Federal Senate approved, on April 4, 2020, the Bill 1.179/20201 (“Regime Jurídico Emergencial e Transitório das Relações Jurídicas de Direito Privado” or “RJET”). The bill, which implements emergency and transitory rules on various topics, notably postpones the entry into force of the General Personal Data Protection Law2 (“Lei Geral de Proteção de Dados” or “LGPD”). The RJET bill was received by the Brazilian House of Representatives on April 13, 2020 and is expected to be approved relatively quickly, and subsequently submitted to President Jair Bolsonaro for approval. This comes as the President just fired his respected health minister who had predicted that the Brazilian health system would collapse this month, and videos of those who had succumbed to COVID-19 lying in Brazilian hospital hallways are being circulated by news outlets around the world.
The LGPD, which was initially scheduled to be effective in 2019, was postponed once before by Law 13.853/2019,3 which provided that the LGPD would become effective on August 20, 2020. The first postponement was stated to be necessary in order to provide additional time for the Federal Government to implement the National Data Protection Authority (“Autoridade Nacional de Proteção de Dados” or “ANPD”). Under the RJET bill, however, the effectiveness of the LGPD is further postponed to January 1, 2021,4 and specific enforcement-related provisions of the LGPD shall only become effective on August 1, 2021.5
What to expect
The new postponement was criticized by data protection and privacy advocates. The Brazilian Public Prosecutor’s Office (“Ministério Público Federal” or “MPF”) issued a technical note6 opposing the postponement, and proposed that any delays should be limited to LGPD enforcement-related provisions only. Indeed, at this time, the National Data Protection Authority has still not been created. As such, if the House of Representatives were to follow MPF’s recommendation and limit the postponement to enforcement-related provisions, it would allow both the companies to continue their LGPD compliance efforts and the ANPD to finally be established.
In any event, it is important to note that even if the LGPD’s entry into force is fully postponed, data protection has increasingly been the subject of legislative efforts in Brazil. One of these efforts was reflected by the proposition of a Constitutional Amendment in 2019.7 The proposition, which was approved by the Brazilian Federal Senate and is currently at the House of Representatives for approval, defines personal data protection as a fundamental right under the Brazilian Constitution.
Additionally, while the first version of the RJET bill provided for a general 18-month postponement of the entire LGPD framework,8 several Senators proposed revisions, arguing that such a postponement would result in legal uncertainty. These concerns were recognized and reflected in the final text,9 which, as explained above, sets forth different entry into force dates for the general data protection framework and the enforcement-related provisions.
Further, as a signal that data protection is still a high priority matter, the Federal Government published, on April 10, 2020, the first edition of the LGPD Guide of Best Practices.10 The guide, which will be progressively updated as the ANPD is created and begins to issue directives, shall serve as a general LGPD compliance guide for all public entities in Brazil.
While the RJET bill is not yet final, it is still crucial that companies conducting any data processing operations in Brazil continue their efforts in complying with the LGPD.
In order to prepare for the LGPD, we recommend that companies take the following key preliminary actions necessary for compliance:
- Identify and publicly disclose a Data Protection Officer, in the terms set forth in article 41 of the LGPD;
- Identify data that is subject to the LGPD, as “personal data” is broadly defined as any information relating to an identified or identifiable natural person;
- Review processing activities governed under the LGPD, notably with respect to consent, as a blanket authorization regarding the use of personal data is expressly prohibited;
- Prepare compliance documentation regarding data processing and transfers, as organizations must identify a specific legal basis for any data processing and cross border transfers are restricted and subject to specific rules;
- Review contracts for compliance;
- Monitor and update compliance measures as needed, by tracking enforcement activity resulting from administrative sanctions, judicial decisions, or advisory activity of the ANPD.