Privacy rights regulation is expanding beyond the GDPR and CCPA with Brazil’s privacy law referred to as the LGPD (Lei Geral de Proteção de Dados Pessoais) now effective as of September 18, 2020. While penalties for infractions will be applied on August 1, 2021.
On August 25, 2020, the Brazilian House of Representatives approved the Provisional Measure (MP) No. 959/2020, including the text stating the enforcement date for LGPD would be December 31, 2020. However, the next day August 26, 2020, the Brazilian Senate approved the Conversion Bill (PLV) 34/2020, which originated from the Provisional Measure but due to the “question of order” raised by a senator, that Article 4 of the MP would postpone the LGPD, the enforcement date was removed from the legal text by the Brazilian Senate.
On August 27, 2020, a decision was made in the Senate, the Brazilian federal government published the Decree No. 10,474/2020, approving the regulatory structure of the Autoridade Nacional de Proteção de Dados known as the National Data Protection Authority (ANPD). Under the decree, the ANPD will be linked to the office of the President of Brazil and equipped with technical and decision-making autonomy with limited independence.
The ANPD will include a Directing Council that consists of five members directly appointed to the chief of staff of the presidency. The existence of the ANPD is a matter of adequately nominating the members of the Directing Council, which is in the hands of the Senate, and that’s only after a rigorous selection process.
As for this scenario, when the LGPD starts it depends on when Brazil’s President Jair Bolsonaro sanctions the PLV, which could occur anytime within the next 15 days. Brazilian privacy professionals view the LGPD as a positive move, as it reduces the uncertainties and the validity of the LGPD and validates the creation of the DPA (responsible for the inspection and regulation activities of its provisions)
Even though sanctions involving the LGPD have been postponed until August 2021, the consumer protection authorities, civil society groups, and public prosecutors could still initiate legal proceedings against Brazilian and foreign companies based on privacy issues. This new legal practice in Brazil makes for a promising time for the privacy community, private sector, and different professional organizations. Although it has not been an easy road for this new legal practice, neither was the GDPR or CCPA.