Brazil’s Data Protection Law

by Luiza Parolin

On September 18th, Brazilian President Jair Bolsonaro signed into force the Brazilian General Data Protection Regulation (LGPD), putting a sudden end to an almost ten-year process.  This was the last of a series of unexpected turns that propelled the bill, after the Brazilian Senate rejected a proposal last month to delay the law’s start date once more, and caused the regulation to come into effect months earlier than expected.

Brazil’s LGPD—notably inspired by the European Union’s General Data Protection Regulation (GDPR)—seeks to regulate the processing of personal data, focusing on protecting the fundamental rights of freedom and privacy, and the free development of the personality of the natural person. The law applies to any processing of data—regardless of who is processing it—in three situations:
  1. the processing is carried out in Brazil;
  2. the purpose of the processing is to offer goods or services, or to process personal data of subjects located in Brazil; or
  3. the personal data being processed was collected in Brazil.
The LGPD’s timeline
After traveling a long, “bumpy road,” filled with uncertainties, the sudden approval of the bill came as a surprise to impacted companies, and even privacy and data protection professionals. After eight years of legislative debate and two years of postponements, they face a new legal framework for data protection that is not yet clearly operationalized.
After eight years of debate in Congress, on August 14, 2018, the LGPD was enacted. Initially, the regulation was expected to enter into force in February 2020. Mere months later, however, in November, then President Michel Temer issued Provisional Measure 869 (MP 869/2018),—adopted as law in July 2019—heavily amending the bill, setting the need to create a National Data Protection Authority (ANPD), and effectively postponing the law’s entry into force to August 2020. The ANPD is tasked with developing guidelines to many of the LGPD provisions, supervise and monitor public and private sector compliance, and promoting cooperation with data protection authorities from other countries.

While one could imagine that this would allow for enough time to establish the ANPD, that was not the case. In April 2020, President Jair Bolsonaro issued Provisional Measure 959 (MP 959/2020), which delayed the LGPD’s effective date once again, this time to May 3, 2021. The administrative sanctions provided by the LGPD were postponed to August 2021 by Law 14.010/2020 in June.

On August 25, 2020, the Chamber of Deputies made modifications to the MP 959/2020, proposing now to alter the LGPD’s effective start date to December 31, 2020. However, the next day the Senate rejected the Chamber of Deputies’ proposal, giving almost immediate effect to the main provisions of the LGPD, subject to the President’s approval. Going back to its earlier text, the law would come into effect 24 months after its publication: August 2020. In parallel, the President issued Decree No. 10.474/20, published on August 27, 2020, approved the regulatory structure and the framework of the positions and functions the ANPD.

Finally, on September 17, 2020, President Jair Bolsonaro approved the Senate’s decision. Because the law could not have retroactive effect, on September 18 the LGPD officially entered into force. Even though the LGPD is now in effect, it should be noted that the administrative sanctions, postponed in June 2020, will remain inapplicable until August 2021. This, however, will not preclude, the enforcement of other provisions of the regulation, including the private right of action by the data subjects.
The LGPD’s long, complicated journey made some experts rely on pop culture analogies to express their frustration. Brazilian Professor and affiliated fellow at Yale Law School’s Information Society Project, Carlos Affonso Souza tweeted that the LGPD resembled the time-travel show on Netflix, Dark: although it was already in force, not today, but it will be tomorrow. George Washington University Law School professor and author Daniel Solove, who focuses on privacy, on the other hand, explained the LGPD trajectory with reference to J.R.R. Tolkien, noting that “we’ve journeyed to there  . . . and there . . . and there, and back again . . . .”
Even though it seemed that the concerns regarding the LGPD were finally over, there are still unresolved questions. The main concern is that the Brazilian framework for data protection came into force without a properly established ANPD in place. While Decree No. 10.474 was adopted, it only establishes the ANPD’s regulatory structure and framework regarding its positions and functions. The members of the board of directors still need to be appointed by the President and approved by the Senate, a very time-consuming endeavor. The LGPD is therefore ineffectual, since many of its provisions need to be regulated by the ANPD.

Without the ANPD established prior to the LGPD’s effective date, many privacy and data protections experts argue that Brazil will face an overflow of judicial demands and an increase in legal uncertainty, since there will not be a data protection authority to set the guidelines and uniformity for the data protection provisions.

Nonetheless, despite the many uncertainties surrounding the LGPD and its future, Brazil has taken the first steps to bring a culture of data protection to the country and its citizens. In May, the Brazilian Supreme Court held in a landmark ruling that data protection was an autonomous fundamental right. And now, the law that protects people’s personal data has finally entered into force.

Luiza Parolin is a research intern with the Technology Policy Program at the Center for Strategic and International Studies in Washington, DC.

The Technology Policy Blog is produced by the Technology Policy Program at the Center for Strategic and International Studies (CSIS), a private, tax-exempt institution focusing on international public policy issues. Its research is nonpartisan and nonproprietary. CSIS does not take specific policy positions. Accordingly, all views, positions, and conclusions expressed in this publication should be understood to be solely those of the author(s).