Since enacted in August 2018, the entry into force of the Brazilian Data Protection Law (No. 13,709 – “LGPD”) has been subject to several changes. First it was supposed to be effective as of February 2020; then August 2020; and more recently 3 May 2021 (Provisional Measure No. 959/2020 dated 29 April 2020). The future of the LGPD remains uncertain, since this Provisional Measure needs to be rejected, approved or changed by the National Congress, or else it will expire on 27 August 2020.
Moreover, the Provisional Measure No. 959/2020 does not apply to LGPD’s sanction provisions (articles 52, 53 and 54) and to the provisions which create and regulate the data protection authority (55-A to 55-L, 58-A and 58-B). The latter have been in full force since 28 December 2018, though the authority has not yet been set up. As to the sanction provisions, they shall now enter into force on 1 August 2021, pursuant to the newly enacted Law No. 14,010 dated 10 June 2020.
Economy Stakeholders’ Request With The House of Representatives
Also on 10 June 2020, several Brazilian trade and industrial associations (agriculture and livestock; trade in goods, services and tourism; industry; financial institutions; health; general insurance; transportation; and the online billing system) sent a letter to the President of the Brazilian House of Representatives asking for the approval of Provisional Measure No. 959/2020, so that the majority of the LGPD provisions enter into force no sooner than 3 May 2021. These trade and industrial associations, which represent a good portion of the Brazilian economy, base that position on the fact that the data protection authority has yet to be formed and say that the authority being operational would be essential for companies’ ability to comply with the LGPD. They also note that Brazilian companies need to focus now on recovering from the significant effects of the COVID-19 pandemic on their operations.
Take away
In a nutshell, if the current legal framework is confirmed by the National Congress, the majority provisions of the LGPD will become effective on 3 May 2021 and the sanctions provisions on 1 August 2021.
Between May and August 2021, even if no administrative sanctions can be imposed, the obligations arising from the LGPD to controllers and processors will be enforceable by data subjects, public consumer protection authorities, national regulation agencies and authorities such as the Central Bank, the Health Surveillance Agency, the Telecoms Agency, the Film Agency, etc., public prosecutors, as well as private consumer associations (this is a peculiarity of the LGPD, Article 18 para. 8).
In this sense, even if the administrative sanctions are not to take effect until August 2021, companies should plan to be in compliance with all LGPD provisions by no later than 3 May 2021.
This article was originally published on AllAboutIP – Mayer Brown’s blog on relevant developments in the fields of intellectual property and unfair competition law.