On April 29, 2020, the Brazilian President issued Provisional Measure #959/2020, which provisionally delays the applicability date of the Brazilian data protection law (Lei Geral de Proteção de Dados Pessoais – “LGPD”) to May 3, 2021.
Under the Brazilian legislative process, Provisional Measures are temporary urgent measures issued by the Executive Power. They have the same effects as a law and are valid for 60 days, a period that can be extended for an additional 60 days. For these measures to become permanent, they have to be approved by the Brazilian Congress within this timeframe – otherwise, the measures are invalidated.
However, due to COVID-19, on March 20, 2020, the Brazilian Congress has approved a simplified and expedited process for approval of provisional measures, which now has to happen within 16 days. According to this new process, the Congress may approve provisional measures within 16 days, and the President of the Congress may decide to extend this timeframe. This is, however, a permission for an expedited approval process – in case the Congress is unable to follow it, the constitutional timeframe of 120 days still applies.
This means that by May 15, 2020, the Brazilian Congress may approve Provisional Measure #959/2020 in order for the new LGPD effective date of May 3, 2021 to be affirmed. If the Brazilian Congress does not approve the measure by then, the President of the Congress may extend the approval timeframe. In any case, the Congress has until August 27, 2020, to approve Provisional Measure #959/2020, according to the constitutional timeframe of 120 days. If it does not approve it, the LGPD will still be applicable from August 2020.
There are additional factors that add to the complexity of the LGPD applicability date. First, it is arguable that Provisional Measure #959/2020 does not fulfil the urgency standard required by the Brazilian Constitution and, therefore, could be declared invalid by the Brazilian Supreme Court. Notably, the Supreme Court recently invalidated a separate provisional measure related to data protection, which would have required that Brazilian telecommunication companies share non-anonymized personal data with the Brazilian public statistical agency linked to the Ministry of the Economy.
Second, the Brazilian House of Representatives has yet to vote on Bill #1179/2020, which was recently approved by the Senate and also aims to delay the LGPD’s effective date. This bill sets forth different timeframes for the LGPD’s sanctions provisions (which would be applicable as of August 2021), and the remaining provisions (which would be applicable as of January 2021). On April 29, 2020, the same day that the President issued Provisional Measure #959/2020, the House of Representatives determined that Bill #1179/2020 is urgent and must be voted on, with priority over other bills. However, even if the House of Representatives approves this bill, it is unknown whether the President would sanction or veto it, especially in light of the fact that he now has issued a Provisional Measure with different LGPD applicability dates.
The Brazilian data protection realm is currently experiencing a great degree of legal uncertainty. With Brazil ranked as one of the top countries with reported COVID-19 cases, concerns regarding the use of personal data for purposes of tracking the virus have also arisen and stirred up local data protection debates. Many privacy experts and other stakeholders, including the Public Prosecutor’s Office, oppose a delay of the LGPD, which they view as facilitating and enforcing responsible uses of personal data in the context of COVID-19 by the government as well as public and private organizations.
Regardless of the success (or failure) of Provisional Measure #959/2020 and Bill #1179/2020 in delaying the LGPD’s applicability, the LGPD provisions concerning the establishment of the new Brazilian data protection authority (“ANPD”) have been applicable since December 28, 2020. The Brazilian government must therefore establish the ANPD immediately. The Centre for Information Policy Leadership (“CIPL”) recently published a paper arguing that the ANPD should become operational as quickly as possible and prioritize its activities in the most effective manner to help Brazilian businesses and government agencies come into compliance with the LGPD.
CIPL is keeping track of Brazilian privacy and data protection developments as part of its project on “Effective Implementation & Regulation under New Brazilian Data Protection Law (LGPD),” which is coordinated alongside the Centro de Estudos de Direito, Internet e Sociedade of Instituto Brasiliense de Direito Público. For any questions concerning these developments and the project, please contact Giovanna Carloni at gcarloni@huntonak.com.
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- Iowa
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott H. Kimpel
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code