As we have reported, Brazil's Congress and President have traded proposals over the past few months to delay the effective date of the LGPD in order to mitigate the impact of the COVID-19 pandemic on companies (see our previous stories here, here, and here). Most recently, the Chamber of Deputies voted to approve a provisional measure that aimed to delay the effective date of the LGPD to December 31, 2020. That measure was sent to the Senate, which issued a last-minute amendment that would give the main provisions of the LGPD immediate effect (subject to Presidential approval of the measure).
With the LGPD’s main provisions entering into force, private lawsuits and public prosecutor actions based on the LGPD will be possible. This means that prosecutors and individuals are able to bring lawsuits against companies under Brazil’s Consumer Rights Law, Internet Law, or Civil Code in case of any LGPD violations.
In the meanwhile, administrative sanctions under the LGPD are still subject to Law No. 14,010/20, which postponed the availability of those sanctions until August 1, 2021. A significant development on LGPD enforcement is that Brazil’s President published, on August 26, Decree No. 10,464, which would establish Brazil’s National Data Protection Authority (ANPD), the administrative agency tasked with enforcing administrative sanctions and issuing regulations under the LGPD. The Decree will enter into force, establishing the ANPD, once the ANPD’s executive director is appointed.
With the main provisions of the LGPD taking effect and the possibility of private lawsuits and public prosecutor actions, companies should consider their compliance with the LGPD, including by:
- Reviewing and updating privacy notices and consent forms;
- Identifying and updating any agreements that involve the transfer of Brazilian personal data, including cross-border transfers out of Brazil;
- Carrying out impact reports for "high risk" data uses;
- Implementing reasonable security measures; and
- Updating policies and procedures, including breach notification, to meet LGPD standards.
Hogan Lovells Partners Isabel Carvalho and Bret Cohen recently presented “Brazil’s new privacy law: what you need to know.” To access the webinar recording, click here.
This post was updated on August 27 with additional information about the possibility of a presidential veto and Decree No. 10,464.
Authored by: Isabel Carvalho, Bret Cohen, Daniel Crespo, Paula Pagani, and Julian Flamant.
