(Brazil) Brazil's new data protection law, originally due to be enforced this year, is to have its enforcement provisions deferred until 2021. Latin Lawyer reports as follows:
Brazil’s federal senate has passed an emergency coronavirus bill that includes a provision to delay the country’s data protection law until January 2021.
The data protection law, known as the LGPD (Lei Geral de Proteção de Dados), was initially set to come into force in August 2020. Some companies were already pushing for an extension of the grace period due to the country not having a data protection authority in place; and support to delay the law mounted after covid-19 became a global pandemic.
“With the covid-19 pandemic and the country’s current economic situation, the Senate understood that several companies would not be able to adopt the necessary measures for the fulfillment of the obligations imposed by the LGPD – since the adequacy to the LGPD also involves the need to hire other companies responsible for the processing of personal data,” said Veirano partner Fábio Luiz Barboza Pereira.
Along with extending the date the LGPD comes into force from August to next January, the bill also stipulates that fines and other sanctions won’t be applied until 1 August 2021.
“This means that, as of 1 January, lawsuits and complaints related to violations based on the LGPD may be proposed,” Pereira said. “However, the fines and sanctions provided for in the law can only be applied by the National Data Protection Authority in August 2021.”
The bill still needs to be approved by Brazil’s house of representatives.
(Privacy press clipping sourced via Latin Lawyer)
The LGPA, Brazil’s major data privacy law, was originally due to enter into force on 15 February 2020, but was apparently pushed back to August 2020. It is a major reform to the law of Brazil and includes provisions for substantive fines where a contravention occurs. Fines “may vary from 2 percent of the company’s, group’s or conglomerate’s turnover in Brazil in its last fiscal year, limited in total to R 50,000,000.00 (fiy million reais) per infraction. There is also the possibility of a daily fine to compel the entity to cease violations”. (IAPP)
Under the proposal, the LGPD would enter into force in January 2021. At that time, prosecutors could look into breaches and violations, but they could not bring formal enforcement action until 1 August 2021 (the new LGPD effective date for enforcement and penalties). This would give companies some more time to prepare and implement their LGPD-specific compliance programs. The reason for this deferral is reportedly the COVID-19 crisis. Apparently only 16% of companies are ready for the LGPD, according to the Global Data Review.
This move is in contrast to the approach in California, where the Attorney General has indicated that the enforcement date of the CPPA would not be deferred on account of COVID-19 or for any other reason.