Brazilian Data Protection Law Update – Delayed Enforcement, Lack of Administrative Structure, and Market Unreadiness
(*As with all posts, this article is for informational purposes only; Sidley Austin LLP does not have offices in or practice law in Brazil; Felipe Saraiva is a former Sidley associate licensed to practice law in Brazil.)
The enactment of Law n. 13.709/2018 (the Brazilian Data Protection Law, or “LGPD”) in 2018 was followed by great enthusiasm from the general public in Brazil. Indeed, the comprehensive law has been viewed as a necessary measure for the country to join a select but growing group of nations in the systematic protection of individuals’ personal data.
Originally, the LGPD provided for a 12-month grace period for its enforcement; however, this term was subsequently extended to 24 months, as legislators understood the initial time frame wouldn’t give companies enough time to adapt. As previously analyzed in an article by these authors published on January 20, 2020, the LGPD’s provisions require a great deal of compliance effort from all organizations that are subject to the law.
In view of the current crisis caused by the spread of COVID-19, the compliance difficulties companies are facing, and the fact that the actual creation of the National Agency of Data Protection (“ANPD”) called for in the law is still pending, Brazilian legislators are further extending the LGPD’s grace period; these legislators now indicate that enforcement of the law’s general provisions is extended to May 3, 2021, while its legal sanctions would become enforceable as of August 1, 2021.
Compliance Costs and the 2020 Crisis
Undoubtedly, the LGPD’s requirements impose a myriad of compliance measures to be undertaken by companies that process individuals’ personal data. These include, for example: the revision of contracts with clients and suppliers in order to guarantee they address data owners’ specific consent for the processing of their data; the restructuring of internal procedures, such as hiring processes and marketing initiatives; the hiring or repurposing of personnel to conduct compliance activities, such as testing and monitoring, and enforcing the new data processing requirements; and facilitating the mandatory presence of a data protection officer (the encarregado). Data portability, one of the main novelties imposed by the new law, may require a significant investment in people, processes, and technology infrastructure in order to be implemented.
These measures will therefore mean significant additional costs to be incurred by data agents. A 2020 survey, conducted by Serasa Experian, a Brazilian research and credit agency, shows that 85% of companies that would fall under the scope of the LGPD are still not fully in compliance with its requirements – this may be due to a mix of a lack of legal certainty and clarity with respect to the provisions and a general lack of compliance in the private sector.
Currently, Brazil faces a growing economic crisis precipitated by the COVID-19 pandemic. The financial hardships and the necessary austerity measures will induce the government, people, and legal entities to implement a variety of strategies in order to save capital and keep businesses running. Considering these new circumstances, the imposition of new costs in connection to the LGPD may not be welcomed by market actors, even if those costs were foreseeable when the law was initially published.
On the other hand, the current unconventional scenario may trigger the interest in, or need for, unorthodox acts. For instance, to support monitoring of the spread of the novel Coronavirus, executive order n. 954/20, signed by the Brazilian President, Jair Bolsonaro, and published on April 17, 2020, established that communication companies would have to provide the names, phone numbers and addresses in their user databases to the Brazilian Institute of Geography and Statistics Foundation (Instituto Brasileiro de Geografia e Estatística, or “IBGE”), so that the IBGE could perform surveys in order to track the disease. This measure was deemed unconstitutional by the Brazilian Supreme Court; however, it evidences the importance of well-established legal and administrative mechanisms to protect data owners, particularly for the processing of “sensitive personal data” (as defined by the LGPD), such as health data.
Additionally, the new social-distancing work-from-home dynamic, with the consequent increase in the use of conference and video call technology, proportionally increases the exposure of individuals’ personal data. This factor should also be taken into consideration when addressing the compelling need for an enforceable data protection system.
The Data Protection Agency (“ANPD”)
Another consideration relevant to the enforceability of the Law is the readiness of the ANPD. The LGPD provides for the creation of this Agency and grants it regulatory powers to enforce the law and sanction violations; the ANPD also would provide industry with best practices and strategic guidelines, interpret the law, and create rules for companies to follow. Since the LGPD’s enactment, however, it appears that no progress has been made toward the actual structuring of such an agency. The members of the Directive Committee, for instance, must be appointed by the Brazilian President and confirmed by the Senate, but, as of the time of this writing, no names have yet been proposed.
The importance of having a functioning body to define and clarify the open concepts included by the legislator cannot be overstated. In view of the current legal enforcement posture, there is a fundamental need to have the ANPD and its guidance in place; such steps could provide market actors with a uniform interpretation of the law and relevant compliance standards, and avoid possible misinterpretation and compliance abuses.
However, the current political and economic environments do not indicate there will be any short-term developments in this area, increasing the risk of growing uncertainty for entities and individuals subject to the law. Arguably, discussions related to the extension of the law’s grace period would probably be unnecessary if Brazil had the ANPD in place and carrying out its work.
New Grace Period
While, as noted above, the COVID crisis presents considerations on both sides of the question of whether to extend the LGPD’s enforceability date, Brazilian political actors have decided that providing business with more time is appropriate.
To that end, on April 29, 2020, the Brazilian President signed executive order n. 959/2020 (“MP 959”), postponing the enforcement of the LGPD’s general provisions, previously scheduled for August 15, 2020, to May 3, 2021. While the order was immediately enforceable, it must be voted on by Congress within 60 days, or it automatically loses its validity.
Nonetheless, on May 19, 2020, Congress approved bill n. 1179/2020, which was approved by the Brazilian President on June 10 and transformed into Law n. 14010/2020 (“Law 14010”), published on June 12, 2020. After a period of uncertainty while bill n. 1179 was still being discussed, Law 14010 finally gave Brazilian society a first clear milestone regarding the LGPD’s enforcement date for sanctions. This law provides for an extension of the LGPD’s grace period until August 1, 2021, but only with respect to its articles 52 and 54, which relate to the applicable sanctions to be imposed in case of any violation. These sanctions may vary, according to the law, but may include: a warning; a fine of up to 2% of the company’s income; a daily fine; general publication of the underlying infraction; freezing of the personal data to which the violation refers; and/or complete deletion of such data. Such postponement under the new law provides greater certainty to industry concerning the law’s applicability.
Moreover, if the aforementioned MP 959 is confirmed by the Congress, the other provisions in LGPD will be enforceable on May 3, 2021, or nearly three months before the sanctions enforceability date of August 1, 2021.
This enforcement and sanctions timing mismatch does not mean that potential violations would go unnoticed – in theory. The Brazilian legislation provides the means for reparation for damages caused by a legal breach, in addition to the possible application, in certain cases, of previous legislation, such as the Brazilian Internet Law (Federal Law n. 12.965/2014; an unofficial English translation is available here) and the Brazilian Consumer Protection Code (Federal Law n. 8.078/1990; an unofficial English translation is available here).
In this sense, the delay in further guidance and enforcement by a recognized and robust authority following the LGPD’s enactment could, instead of protecting the marketplace, cause a fragmented application of the law.
The lack of establishment of the ANPD and the concurrent critical world COVID-19 situation have contributed to the necessity of, once again, delaying the enforceability of the LGPD – which now will be split into two sets of dates: (i) general provisions being enforceable possibly as of May 2021, and (ii) legal sanctions being enforceable possibly as of August 2021. The lag in the process to build a comprehensive legal framework and enforcement structure with respect to privacy and data protection in Brazil has been generating an atmosphere of increasing uncertainty – the opposite of the intention of the LGPD. In the meantime, international data transfers and other personal data processing activities may face scrutiny. Whilst some international data transfer mechanisms (e.g., standard contractual clauses) are already available to help address data protection issues and data sharing between the countries in the European Economic Area and Brazil, others are currently out of reach for South America’s largest economy – such as the potential for transfers on the basis of an adequacy decision by the European Commission under Chapter 5 of the GDPR, which is likely not possible until a functioning ANPD and certain other protections are in place.
In the meantime, the delay in enforceability will provide companies additional time to implement the compliance measures that will eventually become necessary. Forward-leaning organizations will want to consider and implement relevant measures during this heterodox period, including a comprehensive information security program to safeguard information technology assets, protect intranet and internet access points, reinforce confidentiality controls, and help prevent and/or mitigate data breaches.