This is how I greeted, on the 10th of July, the approval, by the Brazilian Senate of our FIRST General Data Protection Law (LGPD). After almost a decade of anticipation, I felt entitled to yield to a poetical mood:
“The GDPR made a lot of noise. Indeed! To the point of boosting the approval of our LGPD. Shy, by the same measure as it was uncertain, it remained prudently veiled. Even so, the gracious alias of 'Brazilian GDPR' seemed as a sound foreteller of both its virtues and its fortune. The fact is that our LGPD, pending presidential sanction, is born a protagonist. The matter is no longer restricted to a 'normative powerhouse' coming from the old continent. The question now is how Brazil, its businesses, its government, and its citizens, will deal with the nascent and materialized duty to respect privacy; with the fact that rights and duties that used to be mere abstractions, join themselves in concreteness. Welcome, LGPD. Intuition has finally met its instruction manual.”
I share this tribute first to give those with data protection laws in their own countries a bit of a sense of how the satisfaction of a long yearning for a data protection law feels and, second, to encourage those fighting for their own law to keep pushing. Brazil is a very complicated beast (as all big countries are) and if it was done here, it can be done anywhere. Also, this is a praise for those in Brazil who worked so hard and for so long to make it happen (they know who they are).
The accolade is also a guide: It starts with the fact — or trivia — that the LGPD, the first major national law approved following the implementation phase of the GDPR, was respectfully dubbed “Brazilian GDPR.” The embracing of the European acronym in lieu of mention of the LGPD in its own right constitutes formidable ratification of the influence that the GDPR exerts globally.
It is an influence that resonates both in name and in substance, as there is little dispute that our law is very much inspired by the GDPR. In fact, a spirited simplification would be to say that the LGPD bears almost all the goodies, with a little less sophistication. Significantly, a certain lack of sophistication is neither a fault, nor an overlook. It was deliberate and results from a shrewd sense by Brazilian data privacy experts that Brazil, welcoming only its first law, might be unfit for the full package.
As a result, our version of the GDPR is mostly lean and occasionally vague. But akin to our cherished Bossa Nova, it is not the number of notes that define a work of art, especially one destined to make almost everybody happy. The approval of the LGPD is practically a consensus in Brazil. Up to now, only the financial sector has shown open, albeit limited resistance to the LGPD.
Resemblance does not mean, obviously, that we do not count with our own intricacies. It would not be local law if that were the case. For instance, the fact that we provide 10 legal bases to process calls one’s attention at first. But then, at closer look, four of those would seem to fall under the legitimate interests umbrella (look for a Brazilian addition to the "GDPR Match-Up" series shortly).
What about the “but not quite yet” part in the title? A former partner, a prudent man by inclination, enjoyed educating foreign clients with this saying: “Brazil is not for beginners.” It was a grace he offered to those avid to do business in Brazil. His grace is applicable to the sanction of the LGPD by the President.
As a rule, the President has 15 days as of approval of the LGPD to sanction it. Articles can be vetoed. If after 15 days no action is taken, it will come into force. So where lies the problem? The President is inclined to veto the articles which create the data protection authority that would enforce the law.
This matter goes back a few years, when President Dilma released the LGPD Bill without contemplating a DPA. At the time, government did not believe it was essential. But as the bill gained a life of its own, and amendments creating the DPA were accepted, a constitutional issue arose. Congress cannot create public agencies affecting government budget. Thus, the motivation to veto. Ideally, veto would be followed by a presidential act to make things right. But then, serendipity, seemingly entangled with the LGPD, came into play once again.
The LGPD has been approved in the 180 day period that precedes Brazil’s next general elections. During this period, to comply with our fiscal responsibility law, government cannot create more expenses. This makes the presidential act solution inadequate. In principle, a DPA cannot be legally created at this point.
Well, that's partially true. A maze of solutions is being explored. Intense negotiations are taking place. There is political will. My educated guess? The implementation of the DPA will be left to whomever takes seat in January.
Brazil is not for beginners, but somehow we make things happen when they are important. The LGPD is important, as is a DPA to follow.
If you want to comment on this post, you need to login.