In a surprising turn of events, Brazil’s Lei Geral de Proteção de Dados (LGPD), Latin America’s first major data protection law, went into effect this month after the Senate struck down proposals to use the COVID-19 pandemic as grounds for pushing its introduction back to May 2021.
The LGPD, passed on 14 August 2018, was a law ten years in the making. It aims to replace and supplement the more than 40 legal norms that governed the protection of privacy and personal data at the federal level in Brazil, and to align the country’s legislation with the new international standard set by the EU’s General Data Protection Regulation (GDPR). Its implementation schedule, however, has been riddled with delays and uncertainty.
The new legislation was initially supposed to come into effect 18 months after it was approved, a deadline that was extended by six months through a presidential executive order, bringing the implementation date to 15 August 2020. In April 2020, however, the government sought to postpone the introduction of the new rules to May 2021, having concluded that organizations would struggle to adapt in time because of the COVID-19 pandemic. One month later, the Senate overturned that decision.
The Lower House of Congress then made a second attempt to postpone implementation, this time to 31 December 2020, but the Senate passed an amendment that excluded the proposed delay, effectively sticking to the original date of August 2020. President Jair Bolsonaro sanctioned the amendment on 18 September 2020 and the LGPD entered into force immediately.
The LGPD has a very broad reach. It applies to all individuals and legal entities, public and private, whose personal data processing activities take place in Brazil, relate to individuals located in Brazil, aim to supply goods or services in the country, or involve personal data collected in Brazil. Its reach is extraterritorial: wherever a data controller or processor is located, and whether or not it has offices in the country, it is subject to the LGPD if it processes the data of individuals located in Brazil.
Data processing carried out by individuals for strictly personal purposes, processing for exclusively journalistic, artistic, literary, or academic purposes, and processing for national security, national defense, public safety, or criminal investigation or punishment activities are exempt from the LGPD.
Obligations under the LGPD
All organizations subject to the LGPD are expected to appoint a Data Protection Officer (DPO) who acts as a liaison to Brazil’s data protection authority, the Autoridade Nacional de Proteção de Dados (ANPD), handles complaints, and provides guidance on compliance and best practices. Organizations must adopt technical and administrative measures to protect personal data from unauthorized access and from accidental or unlawful destruction, loss, alteration, communication, or dissemination. They must also conduct Data Protection Impact Assessments (DPIAs) and develop an incident response and remediation plan.
The LGPD also makes data breach notification mandatory. Companies are obliged to notify the ANPD of a security incident that may cause risk or relevant damage to data subjects and, if ordered by the ANPD, they must also inform the affected data subjects and the media about the incident.
Data subjects gained a number of new rights under the LGPD, including the right to request that their data be corrected, deleted, or provided to them in an easily readable format that can be transferred to a different company. They must also be informed of the purpose for which data is being collected. Companies must implement internal procedures to handle incoming requests from data subjects. They must also delete data once it is no longer needed for the purpose for which it was collected, unless the LGPD allows retention on another basis, such as compliance with a legal obligation.
LGPD Fines and Civil Actions
The Brazilian data protection authority, the ANPD, which will be responsible for enforcing the LGPD and its administrative sanctions, finally had its structure established by presidential decree on 27 August 2020, allowing for its formation. Through the ANPD, companies can be fined up to 2% of their revenue in Brazil in the previous financial year, capped at 50,000,000 Brazilian reais (approximately $8,900,000 at the time of writing) per infraction. However, the administrative sanctions the ANPD will apply are not expected to be enforceable until 1 August 2021.
That being said, companies should not relax their compliance efforts because of this delay. Under the Brazilian Constitution, all citizens have a private right of action, and the Ministério Público, the country’s public prosecutors’ office, has a public right of action. The Brazilian Consumer Protection Code also allows class action lawsuits in defense of consumers’ rights and interests.
And while private citizens may take some time to familiarize themselves with their new rights, Brazil’s public prosecutors have already started exercising theirs. A mere three days after the LGPD came into force, on 21 September 2020, the Ministério Público do Distrito Federal e dos Territórios (MPDFT) filed the first public civil action based on the LGPD, against a digital services company based in the state of Minas Gerais that is accused of selling the personal information of 500,000 individuals in the city of São Paulo for marketing purposes. It is worth noting that the MPDFT has a unit specializing in data privacy and artificial intelligence, dedicated exclusively to protecting the personal data and privacy of Brazilian citizens. This first public civil action is therefore unlikely to be the last the MPDFT files now that the LGPD is in effect.
The LGPD is Latin America’s first foray into post-GDPR data protection legislation. It is likely to be a pioneer in the region, and its success is expected to usher in similar laws in neighboring countries. Although it faced several hurdles on its way to implementation, the LGPD is now in full effect and public authorities have shown they are not shy about using its powers. Companies must therefore be mindful of potential private and public civil actions and ensure they reach LGPD compliance as soon as possible.