On April 3, the Brazilian Senate approved a Bill of Law (PL 1179/2020) with several emergency measures to deal with the COVID-19 pandemic in Brazil. The bill includes a specific rule that postpones the entry into force of the Brazilian General Data Protection Law, the LGPD.
The bill, led by Sen. Antonio Anastasia and advocated by Brazilian Supreme Court President Dias Toffoli, was rapidly approved by the Brazilian Senate on a remote session and will be presented in the next week for another round of approvals by the Brazilian House of Representatives. Subsequently, the final bill will be presented to the sanction of President Jair Bolsonaro. Due to the urgency that involves the entire bill, it is expected its text will be promptly approved with minor or no changes in these subsequent instances.
Based on such legislation, the LGPD will become effective only in January 2021, and the rules regarding administrative sanctions and penalties are scheduled to be enforceable only after August 2021.
To validate the need for such postponement, the Senate understood that, in the context of a global health crisis and strong economic uncertainty, most Brazilian companies will suffer a direct impact on their activities and projects as a whole. This would create difficulties for such businesses to maintain their LGPD adequacy projects operational in a timely manner.
Also, the Brazilian data protection authority proposed by the law has not yet been created. Its full implementation in just a few months would be almost impossible during this COVID19 crisis.
Several industry associations, civil entities and privacy specialists disagree with the postponement approved by the Brazilian Senate. They have been lobbying Congress to keep the LGPD's starting date for August 2020, arguing that Brazilian data subjects have an urgent need for privacy protection, particularly with the imminent use of monitoring and surveillance technologies by authorities and private entities during the epidemic.
There are also significant concerns in the privacy community that, after the pandemic is over, the Brazilian government might not only keep such surveillance technologies active, but also share personal health data within the government and between companies and research agencies. With the delay to 2021, personal data legitimately transferred based on health security issues could be subsequently used or treated with limited transparency.
Having the Brazilian LGPD in force now would have been very helpful with the processing of personal data in the context of the COVID-19 pandemic. Its prompt implementation would also bring better levels of privacy to Brazilian data subjects, as well as transparency on the use of technologies against the epidemic that involve the collection and treatment of personal data.
On the other hand, concerns from both the public and private sectors about being able to focus and invest in their compliance with the LGPD during this difficult period were a key element to this bill and the delay that shall be approved in the next few days.
While the postponement of the LGPD generates a certain level of juridical insecurity to businesses dealing with privacy matters in Brazil, at this moment, the most important objective should be a political commitment to build and create Brazil’s DPA for immediate deployment, regardless of possible budgetary restrictions, well before LGPD's starting date. An effective DPA will be able to build a legal privacy landscape suitable with Brazilian laws that can coexist adequately with public health and safety issues. This should be the main goal of all the parties involved in this debate.
Brazil is eagerly waiting for the LGPD to lead not only a transformation in the local data protection scenario, but also a cultural change toward privacy protection, embedding it in our laws and the culture of Brazilians. Let’s hope we get there in time, with no further delays, and in a world already free of the COVID-19 pandemic.
Photo by sergio souza on Unsplash