Privacy & Information Security Law Blog

On April 29, 2020, the Brazilian President issued Provisional Measure #959/2020, which provisionally delays the applicability date of the Brazilian data protection law (Lei Geral de Proteção de Dados Pessoais – “LGPD”) to May 3, 2021.

Under the Brazilian legislative process, Provisional Measures are temporary urgent measures issued by the Executive Power. They have the same effects as a law and are valid for 60 days, a period that can be extended for an additional 60 days. For these measures to become permanent, they have to be approved by the Brazilian Congress within this timeframe – otherwise, the measures are invalidated.

However, due to COVID-19, on March 20, 2020, the Brazilian Congress has approved a simplified and expedited process for approval of provisional measures, which now has to happen within 16 days. According to this new process, the Congress may approve provisional measures within 16 days, and the President of the Congress may decide to extend this timeframe. This is, however, a permission for an expedited approval process – in case the Congress is unable to follow it, the constitutional timeframe of 120 days still applies.

This means that by May 15, 2020, the Brazilian Congress may approve Provisional Measure #959/2020 in order for the new LGPD effective date of May 3, 2021 to be affirmed. If the Brazilian Congress does not approve the measure by then, the President of the Congress may extend the approval timeframe. In any case, the Congress has until August 27, 2020, to approve Provisional Measure #959/2020, according to the constitutional timeframe of 120 days. If it does not approve it, the LGPD will still be applicable from August 2020.

There are additional factors that add to the complexity of the LGPD applicability date. First, it is arguable that Provisional Measure #959/2020 does not fulfil the urgency standard required by the Brazilian Constitution and, therefore, could be declared invalid by the Brazilian Supreme Court. Notably, the Supreme Court recently invalidated a separate provisional measure related to data protection, which would have required that Brazilian telecommunication companies share non-anonymized personal data with the Brazilian public statistical agency linked to the Ministry of the Economy.

Second, the Brazilian House of Representatives has yet to vote on Bill #1179/2020, which was recently approved by the Senate and also aims to delay the LGPD’s effective date. This bill sets forth different timeframes for the LGPD’s sanctions provisions (which would be applicable as of August 2021), and the remaining provisions (which would be applicable as of January 2021). On April 29, 2020, the same day that the President issued Provisional Measure #959/2020, the House of Representatives determined that Bill #1179/2020 is urgent and must be voted on, with priority over other bills. However, even if the House of Representatives approves this bill, it is unknown whether the President would sanction or veto it, especially in light of the fact that he now has issued a Provisional Measure with different LGPD applicability dates.

The Brazilian data protection realm is currently experiencing a great degree of legal uncertainty. With Brazil ranked as one of the top countries with reported COVID-19 cases, concerns regarding the use of personal data for purposes of tracking the virus have also arisen and stirred up local data protection debates. Many privacy experts and other stakeholders, including the Public Prosecutor’s Office, oppose a delay of the LGPD, which they view as facilitating and enforcing responsible uses of personal data in the context of COVID-19 by the government as well as public and private organizations.

Regardless of the success (or failure) of Provisional Measure #959/2020 and Bill #1179/2020 in delaying the LGPD’s applicability, the LGPD provisions concerning the establishment of the new Brazilian data protection authority (“ANPD”) have been applicable since December 28, 2020. The Brazilian government must therefore establish the ANPD immediately. The Centre for Information Policy Leadership (“CIPL”) recently published a paper arguing that the ANPD should become operational as quickly as possible and prioritize its activities in the most effective manner to help Brazilian businesses and government agencies come into compliance with the LGPD.

CIPL is keeping track of Brazilian privacy and data protection developments as part of its project on “Effective Implementation & Regulation under New Brazilian Data Protection Law (LGPD),” which is coordinated alongside the Centro de Estudos de Direito, Internet e Sociedade of Instituto Brasiliense de Direito Público. For any questions concerning these developments and the project, please contact Giovanna Carloni at gcarloni@huntonak.com.