LGPD to take immediate effect after review by Brazil's President

After a long period of uncertainty about the effective date of Brazil’s General Data Protection law (LGPD), Brazil’s Congress on Wednesday dramatically approved a last-minute amendment to a measure that would accelerate the effective date of the LGPD. The amendment is now on the President's desk for approval or potential veto. If the President expressly approves the amendment, or does not veto the bill by September 16, it will become law and the LGPD will take effect immediately at that point. 

As we have reported, Brazil's Congress and President have traded proposals over the past few months to delay the effective date of the LGPD in order to mitigate the impact of the COVID-19 pandemic on companies (see our previous stories here, here, and here). Most recently, the Chamber of Deputies voted to approve a provisional measure that aimed to delay the effective date of the LGPD to December 31, 2020. That measure was sent to the Senate, which issued a last-minute amendment that would give the main provisions of the LGPD immediate effect (subject to Presidential approval of the measure).

With the LGPD’s main provisions entering into force, private lawsuits and public prosecutor actions based on the LGPD will be possible. This means that prosecutors and individuals are able to bring lawsuits against companies under Brazil’s Consumer Rights Law, Internet Law, or Civil Code in case of any LGPD violations.

In the meanwhile, administrative sanctions under the LGPD are still subject to Law No. 14,010/20, which postponed the availability of those sanctions until August 1, 2021. A significant development on LGPD enforcement is that Brazil’s President published, on August 26, Decree No. 10,464, which would establish Brazil’s National Data Protection Authority (ANPD), the administrative agency tasked with enforcing administrative sanctions and issuing regulations under the LGPD. The Decree will enter into force, establishing the ANPD, once the ANPD’s executive director is appointed.

With the main provisions of the LGPD taking effect and the possibility of private lawsuits and public prosecutor actions, companies should consider their compliance with the LGPD, including by:

  • Reviewing and updating privacy notices and consent forms;
  • Identifying and updating any agreements that involve the transfer of Brazilian personal data, including cross-border transfers out of Brazil;
  • Carrying out impact reports for "high risk" data uses;
  • Implementing reasonable security measures; and
  • Updating policies and procedures, including breach notification, to meet LGPD standards.

 

Hogan Lovells Partners Isabel Carvalho and Bret Cohen recently presented “Brazil’s new privacy law: what you need to know.” To access the webinar recording, click here.

This post was updated on August 27 with additional information about the possibility of a presidential veto and Decree No. 10,464.

 

 

Authored by: Isabel Carvalho, Bret Cohen, Daniel Crespo, Paula Pagani, and Julian Flamant.

Contacts
Isabel da Costa Carvalho
Partner
São Paulo
Bret Cohen
Partner
Washington, D.C.
Julian Flamant
Associate
Washington, D.C.
Filippo Raso
Associate
Washington, D.C.

 

This website is operated by Hogan Lovells Solutions Limited, whose registered office is at 21 Holborn Viaduct, London, United Kingdom, EC1A 2DY. Hogan Lovells Solutions Limited is a wholly-owned subsidiary of Hogan Lovells International LLP but is not itself a law firm. For further details of Hogan Lovells Solutions Limited and the international legal practice that comprises Hogan Lovells International LLP, Hogan Lovells US LLP and their affiliated businesses ("Hogan Lovells"), please see our Legal Notices page. © 2021 Hogan Lovells.

Attorney advertising. Prior results do not guarantee a similar outcome.