Articles

Brazil's national data privacy legislation comes into force

Written by Matt Davis, CIPM (IAPP) | September 16, 2020

The enactment of the European Union's General Data Protection Regulation (GDPR) ignited a worldwide wave of privacy regulations. California and New York, two economically impactful US states, followed suit soon after the GDPR's implementation. These three pieces of legislation impact commerce and data processing all over the world. 

Brazil recently joined the trend with its General Law for the Protection of Personal Data (Lei Geral de Proteção de Dados Pessoais in Portuguese, or LGPD). After multiple delays and an unclear outlook, the Brazilian Congress recently changed course and made its sweeping data privacy law effective soon. 

If you're an Osano user, there's no need to fear. Osano keeps you compliant with this new regulation and protects you against penalties when you collect, process, and share Brazilian users' data. To help you understand these changes, let's briefly go over the LGPD and its timeline. 

What is LGPD?

With 200 million people, Brazil is considered one of the most internet-connected countries in the world. Like other countries, it recognized a need for a data privacy law and supervisory authority to protect its nationals and their personal data. Just like the GDPR, LGPD is transborder legislation, meaning it applies to all organizations that process data on Brazillian data subjects, even if they aren't incorporated in Brazil. 

The LGPD is inspired by the GDPR, though its scope is slightly different. It defines data processing similarly to GDPR. It also establishes similar data subject rights that grant people authority over how their data is collected, used, and shared, though their scope varies. LGPD establishes fines, but the penalties aren't as substantial as the GDPR. Under LGPD, organizations that fail to abide by the law could face penalties of 2% of their yearly revenue up to 50 million reals (about USD $12 million). (Read our full explainer for details.)

The LGPD's Timeline

The Brazilian Senate signed the LGPD into law on August 14, 2018. On July 8, 2019, Brazilian President Jair Bolsonaro approved the final version of the law. Read the full text here

The LGPD was originally set to take effect in February 2020. Still, legislators extended the deadline another six months until August 2020 to give policymakers and organizations some more time to implement the law's requirements. 

Due to the Covid-19 pandemic, however, both the Brazilian Congress and President Bolsonaro wanted to delay the rollout again. Congressional efforts failed, but Bolsonaro issued Provisional Measure No. 954 (what would be called an executive order in the US) to delay the new law until May 2021 and enforcement until August 2021. 

Under Brazilian law, provisional measures are merely emergency actions that only last for 60 days, though Congress can renew them. If a temporary measure isn't enacted into law by Congress, it expires. In June, Congress passed, and Bolsonaro signed legislation that establishes the enforcement date of August 1, 2021. But they failed to address the overall delay of LGPD's effective date. The House of Representatives approved a postponement until December 2020, but the Brazilian Senate rejected it, thereby setting an immediate enactment date of August 27, 2020. 

The final bill now heads to the president's desk to be sanctioned or vetoed. That should happen by mid-September. It will have a retroactive applicability date of August 14, 2020. Will Bolsonaro sign the bill? We don't know for sure, but all signs indicate that he will.

Hours after the Senate's decision, the Brazilian federal government published Decree No. 10.474/2020, which approves the regulatory entity that was created in the LGPD. This entity - the Brazilian Data Protection Authority (In Portuguese, the Autoridade Nacional de Proteção de Dados, or ANPD) - is endowed with technical and decision-making autonomy. It's tasked with overseeing personal data protection measures, investigating and enforcing the LGPD, developing relevant guidelines, and promoting cooperation actions with data protection authorities in other countries. Essentially, this is the LGPD's supervisory authority. 

The publication of this decree and the creation of ANPD is a strong indication that Bolsonaro will sign the bill and LGPD will be law, effective immediately. Privacy advocates in Brazil view these motives positively. 

Osano Users and the LGPD

As a data privacy platform, our goal is to help you stay compliant with data regulation, no matter where it happens. Security and compliance are critical to your business. Our platform is 100% compliant with Brazil's new data protection legislation and other landmark data privacy laws like GDPR, CCPA, and New York's SHIELD Act. We continuously monitor the data privacy landscape and quickly modify our platform and procedures any time new regulation appears. 

If you aren't an Osano user yet, it's essential to understand that this data privacy trend won't stop. As pressure mounts, more countries will enact similar policies. Avoid the expense and hassle of becoming compliant at the last moment by using Osano. Get started today.