The Brazilian General Data Protection Law (Law No. 13,709/2018 or the LGPD) is the key legislation that regulates the processing of personal data in Brazil. It guarantees a series of rights to data subjects, as well as imposing important obligations on processing agents.
A lot has happened since the LGPD was signed into law on 14 August 2018, not only in terms of discussions regarding the LGPD’s effective date and the creation of the Brazilian National Data Protection Authority (the ANPD), but also the COVID-19 pandemic. This has greatly impacted the ability of processing agents, both private and public, to adopt all the legal, technical, and administrative measures required to ensure compliance with the LGPD.
The LGPD entered into force on 18 September 2020, and enforcement provisions became effective on 1 August 2021, under Law No. 14,010/2020. So, how effective has the LGPD been during its first year and what should we expect in the coming months?
The original text of the LGPD provided that companies would have 24 months to become compliant with the law. However, following the pandemic, the Brazilian Chamber of Deputies decided to delay empowering the ANPD to impose administrative sanctions until 1 August 2021. The President also amended Provisional Measure No. 959/2020, postponing the effectiveness of the other articles of the LGPD to 3 May 2021, following their complex entry into force on 18 September 2020.
The creation of the ANPD was finally enshrined into Law No. 13,853/2019 in July 2019. This is important because that law alters key provisions of the LGPD – in particular, the right of the data subject to request the review of decisions made solely by automated means (as per article 20 of the LGPD). It also resulted in the ANPD being left without any independent budget, as an entity that is part of the Federal Public Administration.
Law No. 13,853/2019 did, however, determine that the legal nature of the ANPD is transitional and may be transformed by the Executive Branch into an indirect Federal Public Administration entity within two years from the date of entry into force of the ANPD’s regulatory framework. The possibility of changing the status of the ANPD is beneficial to companies that transfer data to the European Union. It potentially makes an EU adequacy decision in favour of Brazil more likely given that one of the requirements is for the importing country to have an independent regulator.
In October 2019, the first members of the National Council for Personal Data and Privacy Protection were nominated. On 28 January 2021, Ordinance 11/2021 was published, establishing the ANPD’s regulatory agenda for 2021/2022 and listing the 10 priority topics to be regulated within the period.
The ANPD has already published various guidelines and technical documents on its official website. These cover a range of issues including data protection and data breaches and guidance on the definition of the roles of the processing agents and of data protection officers. It has also published:
Beyond that, even though it's not included under the scope of the regulatory agenda, the ANPD has also launched a public consultation on the Oversight Regulation, which provides for the enforcement and application of administrative sanctions by the ANPD.
Before the end of the year, the ANPD also intends to set out the rules concerning how and when administrative sanctions will be imposed and calculated, and look at data protection impact assessments and risk mitigation measures where a DPIA reveals a risk to the rights of individuals.
In 2022, the ANPD will:
In March 2021, the ANPD and the National Consumer Secretariat (Senacon) signed a technical cooperation agreement (TCA), with the objective of streamlining investigations into security incidents.
Under the TCA, Senacon will start sharing information about consumer complaints relating to data protection with the ANPD, but it will be up to the ANPD to set the necessary interpretations regarding the application of the LGPD on a case-by-case basis and provide Senacon with access to data and information necessary to contribute to the improvement of Senacon's activities.
The execution of the TCA is a very important step in improving the culture of privacy and data protection in Brazil, presenting a fundamental tool for the effective action of the ANPD to monitor compliance with the LGPD. The TCA is already in force and will last 24 months, a period that can be extended by the ANPD and Senacon.
The TCA does not exempt processing agents from complying with the provisions of the Brazilian Consumer Defence Code (CDC) and all other rules of the National Consumer Protection System, in addition to the LGPD and other applicable data protection laws.
Another TCA was signed on 2 June 2021, with the Administrative Council for Economic Defence (CADE), aimed at fighting activities harmful to the economic order and promoting and disseminating the culture of free competition in services involving the protection of personal data. To that end, CADE and the ANPD will share information, and will participate in joint educational activities on procedures and practices to promote competition in personal data protection services.
It is also noteworthy that the ANPD signed a Memorandum of Understanding with the Spanish Data Protection Agency on 5 October 2021. This establishes the bases for institutional collaboration between the two Authorities to exchange knowledge and share best practice.
Recent research carried out in Brazil by consulting and risk management companies suggests most Brazilian private entities are not ready for the LGPD. Because of this, the ANPD seems aware of the need to invest time and effort in raising awareness rather than rigidly enforcing the law.
This does not mean that businesses do not have to engage with the LGPD. As mentioned, the LGPD is already in force and is widely applicable. Beyond that, other authorities in Brazil, such as the Public Attorney's Office and the Consumer Protection Office, have been applying the LGPD, following the landmark decision of the Federal Supreme Court which recognised data protection as a fundamental right of individuals.
Data protection and information security have never been more important than they are today. There has been a substantial increase in the number of cyberattacks, security incidents and data breaches, due to the greater volume of online information and digitalised documents, and increased exposure of online personal data during the pandemic. Ensuring compliance with data protection legislation is therefore one of the most important market assets a company can have.