For privacy pros watching Brazil's pending privacy law, Thursday morning has been a doozy — a pour-yourself-that-second-cup-of-coffee-and-keep-the-water-on kind of a doozy. That's because Wednesday night, in an unprecedented move, the Brazilian Senate approved an amendment allowing the General Data Protection Law to go into effect immediately.
The decision reverses a vote Tuesday from the Chamber of Deputies to delay the implementation of the LGPD to Dec. 31, 2020.
"The whole scenario is quite unprecedented and definitely against legal certainty," GCA Advogados Partner Ana Carolina Cagnoni, CIPP/E, CIPP/US, said, noting, however, that the decision on when the Brazilian law would come into effect has been long and drawn out, for sure. "It is an unprecedented law in an unprecedented year."
She said the very subject matter of data protection was unfamiliar to most Congress members and government until today.
"On top of all, we are living a pandemic moment that affects the common routine of the authorities," she said. "Results are that adequate debate was not conducted among these actors and disagreement between House, Senate and government took an arguably final step yesterday."
Leonardi Advogados Partner Marcel Leonardi, CIPP/E, CIPP/US, said the general sentiment following the Senate's action is one of shock and surprise.
"It is, to put it mildly, quite unusual, even though everyone knew it was a possibility all along," he said. "This is a clear example that the Executive branch is having some trouble with Congress at this time."
A little background, lest you're just catching up: The LGPD was supposed to come into force Aug. 16 but was postponed to May 2021, until this week's vote by the House of Representatives approving the alternate text postponing to Dec. 31 instead. But in Wednesday's vote, "contrary to all expectations," Leonardi said, the Senate rejected this proposal and excluded the specific article of the Executive Order that postponed the LGPD to May 2021. To be clear, administrative sanctions for violations of the LGPD will not go into effect until Aug. 1, 2021. Brazilian President Jair Bolsonaro signed a presidential decree approving the formation of a national data protection authority in the country.
"As you may notice, a lot happened very fast, and there is still some confusion," IAPP Brazil Country Leader Dirceu Santa Rosa said, noting a very active IAPP Privacy List this morning. "Anyone who tells you they fully understand the matter is either going through an interpretation or is just guessing."
Cagnoni describes the vibe in Brazil as not necessarily panic but sadness and uncertainty.
"It is a fact that the vast majority of companies are not prepared and not in compliance with the law," she said. "It is also a fact that the law cannot be fully complied with today as no specific regulations have been issued because the national authority is not in place."
She explained that though the decree was signed to create a national data protection authority, "the bottom line is that until a director is nominated, we do not have an authority. And it will, for obvious reasons, take some time between nomination and the issuance of important regulation. So items such as international transfers, obligation to nominate (data protection officers), deadlines for answering data subject requests, to mention a few, are all items open to further definition."
She added, "The fact that sanctions are not in force helps to some extent, but we must not forget that the Brazilian constitution provides everyone with the right of action that means that data subjects and representative associations can seek law enforcement directly from the courts."
So, if I'm a privacy pro impacted by this news in some way, what to do?
Leonardi explains that the LGPD is not technically effective just yet.
"It will come into force as soon as the Brazilian Presidency sanctions or vetoes the remaining provisions of the Executive Order (unrelated to the LGPD), which will take place up to 15 days from now," he said. "Nevertheless, although compliance with LGPD obligations is only mandatory when the law actually becomes effective, it is a matter of days until this occurs."
With that in mind, he said, companies must "quickly redefine strategies and prioritize services aimed at operational aspects of the LGPD, particularly data subject requests, updating privacy policies and drafting/reviewing other external-facing documents, to minimize, to the extent possible, the impacts of the imminent entry into force of the law."
Santa Rosa's interpretation echoes Leonardi's. He notes that some interpret the news to mean that the LGPD's enforceability would now backdate to Aug. 16, but given that no DPA has been established yet, questions remain.
"For the local privacy practitioner, this means the actual 'birth' of our data protection legal environment. These are exciting times to work with privacy in Brazil, if you consider how many opportunities may be around," he said. "For the foreign practitioner, this means that they should keep going with their implementation schedules and programs. As the government released the DPA Decree, the 'keep working' approach is the best one available."