*This article was adapted from “Global Overview,” appearing in The Privacy, Data Protection and Cybersecurity Law Review (7th Ed. 2020)(Editor Alan Charles Raul), published by Law Business Research Ltd., and first published by the International Association of Privacy Professionals Privacy Perspectives series on September 28, 2020.
Privacy, like everything else in 2020, was dominated by the COVID-19 pandemic. Employers and governments have been required to consider privacy in adjusting workplace practices to account for who has a fever and other symptoms, who has traveled where, who has come into contact with whom, and what community members have tested positive or been exposed.
As a result of all this need for tracking and tracing, governments and citizens alike have recognized the inevitable trade-offs between exclusive focus on privacy versus exclusive focus on public health and safety.
(*As with all posts, this article is for informational purposes only; Sidley Austin LLP does not have offices in or practice law in Brazil; Felipe Saraiva is a former Sidley associate licensed to practice law in Brazil.)
The enactment of Law n. 13.709/2018 (the Brazilian Data Protection Law, or “LGPD”) in 2018 was followed by great enthusiasm from the general public in Brazil. Indeed, the comprehensive law has been viewed as a necessary measure for the country to join a select but growing group of nations in the systematic protection of individuals’ personal data.
Originally, the LGPD provided for a 12-month grace period for its enforcement; however, this term was subsequently extended to 24 months, as legislators understood the initial time frame wouldn’t give companies enough time to adapt. As previously analyzed in an article by these authors published on January 20, 2020, the LGPD’s provisions require a great deal of compliance effort from all organizations that are subject to the law.
In view of the current crisis caused by the spread of COVID-19, the compliance difficulties companies are facing, and the fact that the actual creation of the National Agency of Data Protection (“ANPD”) called for in the law is still pending, Brazilian legislators are further extending the LGPD’s grace period; these legislators now indicate that enforcement of the law’s general provisions are extended to May 3, 2021, while its legal sanctions would become enforceable as of August 1, 2021.
*This article first appeared in Law360 on January 14, 2020.
After two years in the Brazilian Congress, the General Law of Data Protection was signed on Aug. 18, 2018, by then Brazilian President, Michel Temer, who also signed an executive order (Medida Provisória n. 869, from Dec. 27, 2018).