Surprise! Brazil’s New Data Privacy Law to Take Effect Sooner than Expected

Brazil’s new data privacy law, the LGPD (Lei Geral de Proteção de Dados Pessoais), will become effective not later than September 16, 2020. The LGPD, which was passed on August 14, 2018, has an extraterritorial, multi-sectoral scope and governs the online and offline collection, use, and processing of (1) personal data in Brazil, and (2) personal data about Brazilians.

The Brazilian president, Jair Bolsonaro, enacted a temporary provisional measure to delay the LGPD’s effective date until May 3, 2021. However, this provisional measure would become permanent only with the approval of both chambers of the Brazilian National Congress prior to the measure's expiration on August 26, 2020. Although the Brazilian Chamber of Deputies approved a delayed effective date, the Brazilian Senate rejected any such delay. As a result, the provisional measure expired and the LGPD will become effective as soon as it's approved by President Bolsonaro, which can occur at the latest on September 16, 2020.

Once the LGPD is effective, private lawsuits will be permitted against companies that allegedly violate the LGPD. However, administrative sanctions resulting from violations of the LGPD still will not be permitted until August 1, 2021. Such sanctions would be imposed by the governmental authority charged with overseeing the LGPD, namely the ANPD (National Data Protection Agency). Sanctions can range from warnings to daily fines of up to two percent of a business’s revenues in Brazil for the prior financial year excluding taxes, up to a total of 50 million reais (almost $9.5 million USD) per infraction.

The acceleration of the LGPD’s effective date for private lawsuits emphasizes the need for businesses to expedite their plans to comply with the LGPD, which will apply to any “processing operation” carried out by a natural person or a public or private legal entity “irrespective of the means, the country in which its headquarters is located, or the country where the data are located,” provided that at least one of the following criteria applies: (1) the processing operation is carried out in Brazil; (2) the purpose of the processing activity is to offer or provide goods or services or the processing of data of individuals located in Brazil; or (3) the personal data being processed were collected in Brazil.

Under the LGPD, "processing" is defined as any operation carried out with personal data, and "personal data" is defined as information regarding an identified or identifiable natural person. Sensitive personal data, such as racial, ethnic, political, or religious information, receives stricter protections. As with the California Consumer Privacy Act and the EU’s General Data Protection Regulation, individuals have certain rights to their personal data under the LGPD (e.g., the right to know, the right to access, the right to deletion), and businesses have certain responsibilities, such as using only personal data they have collected for disclosed purposes and implementing safeguards to protect the security of personal data.

The acceleration of the LGPD’s effective date caught many data privacy experts by surprise. Preparing for compliance with the LGPD should now be high priority for affected businesses. If you need assistance complying with the LGPD or with other cybersecurity or data privacy laws, please contact one of our Cybersecurity & Data Privacy attorneys.

Firm Highlights
Client Alert

Temporary COBRA Changes Under the American Rescue Plan Act

More
Client Alert

Virginia Passes Sweeping Data Privacy Legislation Similar to CCPA and GDPR

More
News

Jerina D. Phillips Offers COVID-19 Vaccination Advice for Employers in St. Louis Magazine Article

More
Diversity & Inclusion

Two Lewis Rice Members Selected for Leadership Council on Legal Diversity Programs

More
Diversity & Inclusion

Law Firm ILN-telligence Podcast Hosts Ronald A. Norwood to Discuss Mentorship, Diversity & Inclusion in the Legal Industry, and the Importance of Equity for All

More
News

Jeremy P. Brummond’s Article on Waivers of Consequential Damages is Published in Construction Executive

More
Client Alert

Federal Appellate Court Determines a Website Is Not a “Place of Public Accommodation” Under the ADA

More
News

Kansas City Office of Lewis Rice Names New Member

More
Client Alert

Public Access to Electronic Court Records in Missouri

More
Client Alert

Have You Done Your Annual CCPA Housekeeping?

More
Client Alert

Model COBRA Notices Under the American Rescue Plan Act

More
Client Alert

New York State Regulator Discourages Ransomware Payments and Publishes New Cyber Insurance Risk Framework

More
News

Meghan S. Largent and Lindsay S. C. Brinton Negotiate $700,000 Award to Cobb County, Georgia Landowners in Rails-to-Trails Case

More
News

Brian P. Pezza Gives Advice on Vaccination Acceptance in the Workforce in Society for Human Resource Management Article

More
Diversity & Inclusion

Fatima G. Khan Elected President of South Asian Bar Association of Metropolitan St. Louis

More
Diversity & Inclusion

Lewis Rice Member Ronald A. Norwood Serves on Missouri Bar’s Special Committee on Lawyers of Color to Establish Diversity, Inclusion Programs

More
Client Alert

Supreme Court Hands Down Unanimous Decision Limiting FTC’s Ability to Seek Monetary Relief

More
Client Alert

CROWN Act Legislation on the Verge of Passage in St. Louis City & County

More
Client Alert

COVID-19 Rescue Plan Act Expands Paid Leave Availability but Does Not Revive Employer Mandates

More
News

Lindsay S. C. Brinton and Meghan S. Largent Negotiate $1.4 Million Settlement for Landowners along Legacy Trail

More