In a major plot twist over the last few days, Brazil’s new General Data Protection Law (Lei Geral de Proteção de Dados Pessoais) – Law No. 13,709/2018 (LGPD) will take effect in two short weeks, after a last-minute decision not to delay its rollout.

The Background: A Very Brief Overview of the LGPD

The LGPD is similar to the EU’s General Data Protection Regulation (GDPR), applying data protection obligations to companies processing personal data regarding Brazilian residents. Among other requirements, the LGPD requires certain legal bases for processing data and provides Brazilian residents with many enumerated rights over their personal data. For a helpful overview of the LGPD’s provisions, including the individual rights, legal bases for processing, and sanctions as enumerated in the legislation, see GT Alert, 6 Months Until Brazil’s LGPD Takes Effect – Are You Ready?

The Plot: A Uniquely Brazilian Process

The timeline of the LGPD’s implementation has been in flux for months. Originally, per the terms of the statutory text, the LGPD was supposed to come into force August 16, 2020. In the wake of the COVID-19 pandemic, however, both the Brazilian Congress and President Jair Bolsonaro moved to delay the rollout of the LGPD. When Congressional efforts faltered, President Bolsonaro himself issued the equivalent of an executive order on April 29, 2020, that delayed the rollout of the LGPD. The president’s provisional measure (PM), No. 954, delayed the LGPD effective date (from August 16, 2020, to May 3, 2021) and enforcement of those LGPD provisions addressing penalties until August 1, 2021.

However, under Brazilian law, PMs are only temporary, emergency actions that can be issued by the executive. They only last for 60 days, though they can be renewed once for the same time period by the National Congress of Brazil. After that, unless the National Congress enacts a PM into law, the PM expires. On June 12, the National Congress passed and President Bolsonaro signed legislation that solidified the delay of the enforcement of the LGPD’s penalties and sanctions provisions until August 1, 2021. The National Congress was slower to act, however, on enacting the overall delay to the effective date of the LGPD (though on June 26, the National Congress extended the PM for another 60 days, giving it until August 27, 2020 to figure out a solution).

The Twist: The LGPD Is Effective Immediately

For the last couple of months, the National Congress has been attempting to land on a date for the LGPD’s effective date. As recently as August 25, Brazil’s Chamber of Deputies (the lower house of the National Congress) approved a postponement until December 31, 2020. The following day, on August 26, however, the Brazilian Senate rejected that proposal, setting an immediate date of enactment of August 27, 2020. The Conversion Bill will now go to the president’s desk. According to Article 62 of the Brazilian Federal Constitution, the LGPD will come into force at the end of a 15-business day period, or as soon as the Conversion Bill is sanctioned or vetoed (or if the president takes no action).

The Sequel: Brazil’s New Data Protection Authority

On August 26, President Bolsonaro approved a regulatory structure and framework of official positions for the Brazilian Data Protection Authority, the ANPD. The ANPD will be tasked with overseeing personal data protection measures, developing relevant guidelines, investigating and enforcing the LGPD, and promoting cooperation actions with data protection authorities from other countries.

Final Thoughts

Though the LGPD’s provisions addressing penalties will not be enforced until August 1, 2021, any Brazilian resident damaged by a violation of law will be able to immediately seek remedies. Consequently, organizations processing Brazilian residents’ personal data will want to make sure they are in compliance with the LGPD and pay close attention to any guidance that the ANPD issues in coming months.

*Greenberg Traurig is not licensed to practice law in Brazil and does not advise on Brazilian law. Specific LGPD questions and Brazilian legal compliance issues will be referred to lawyers licensed to practice law in Brazil.

Gretchen A. Ramos

Gretchen A. Ramos is Co-Chair of the Data, Privacy & Cybersecurity Practice and focuses her practice on privacy, cybersecurity, and information management. A creative problem-solver with a long track record of success in commercial disputes, she never loses sight of the simple fact that she works in a service industry. Clients appreciate not only her legal skills, but also her direct, no-nonsense approach to client service, including her bullet-pointed emails, snapshot executive summaries, and creativity in finding ways to streamline communications for in-house counsel with dozens of other projects—and little time—on their hands.

Gretchen’s clients come from diverse industries, including technology (SaaS), health care and life sciences, consumer products, manufacturing, academic institutions, and non-profits. She provides clients with practical business advice on compliance with state and federal U.S. laws, GDPR, APEC, and other global privacy laws in relation to their external and internal privacy and security procedures, product and app development, and advertising practices. Gretchen also regularly drafts and negotiates contracts concerning data-related vendors, assists clients in assessing privacy risks in corporate transactions, and provides guidance on and conducts privacy and security assessments. She has managed dozens of data breaches, and helps clients prepare for and immediately respond to security incidents and breaches.

Kate Black

Kate Black’s practice focuses on data privacy, information protection, and commercial transactions in consumer technology, digital health, life sciences, and genetics. Kate provides companies with comprehensive, practical strategies for meeting their regulatory obligations while building and maintaining public trust and advancing innovative and emerging models of health care research and delivery. She’s managed every aspect of global privacy programs, including supervising privacy assessments, providing product strategy and counseling, managing complex vendor and partner agreements, and overseeing security policy audits for leading health technology companies. She regularly advises on proposed regulatory and legislative changes that will impact the health technology environment and has been a featured speaker and frequent lecturer on data privacy and cybersecurity, data analytics, digital health, mobile medical applications, and privacy issues related to genetic and health research.

Prior to joining the firm, Kate served as 23andMe’s first Global Privacy Officer in Mountain View, CA and worked in the Office of Policy and Planning in the Office of the National Coordinator for Health IT in the U.S. Department of Health and Human Services in Washington, D.C.

Giovanni Biscardi ‡

Giovanni Biscardi focuses his practice on mergers and acquisitions, and corporate matters, including commercial and financing agreements. He assists U.S. clients in structuring their investments throughout Latin America and has a long track record of handling complex cross-border transactions for Fortune 500 companies and private equity funds. He also assists foreign individuals and entities with their investments in the United States.

Giovanni has deep experience handling legal work related to business transactions in numerous international jurisdictions, including Argentina, Brazil, Canada, Chile, China, France, Italy, and Spain. He has served as a partner at law firms both in the United States and Brazil.

Registered Foreign Legal Consultant in Florida; Admitted to the practice of law in New York and Brazil.

Michael C. Hoosier

Michael C. Hoosier is a data, privacy and cybersecurity attorney at Greenberg Traurig in San Francisco, where he counsels clients on how to comply with local, state, federal, and international privacy laws and regulations. Prior to joining GT, Michael worked as a litigator, with his practice split between white collar investigations and enforcement, and complex commercial litigation. Michael has represented corporate and individual clients in connection with international anti-corruption investigations, internal investigations, and in defensive postures with respect to federal regulators. His litigation experience includes drafting portions of varied motions and briefs, and reviewing complex commercial documents, including tech-related master services agreements and multibillion-dollar trust documents, for breach of contract and related issues.