Quando, Quando, Quando? Brazil’s LGPD Privacy Law May Become Effective August 26, 2020 (or Sooner)

Already pushed back once, the Brazilian General Data Protection Law, Lei Geral de Proteção de Dados Pessoais (LGPD), was scheduled to go into effect on August 16, 2020. Yet, there have been separate government actions in Brazil that may push both the effective date and the date after which enforcements under the LGPD can begin:

Effective Date Currently August 26, 2020 (Yet, Possibly as Early as August 16, 2020, or Delayed to May 3, 2021). There is a lot of confusion, but simply there are three scenarios that will determine the LGPD effective date:

1. Original Date – August 16, 2020. The LGPD was to become effective August 16, 2020.
2. Proposed Extension Date – May 3, 2021. Brazil’s president enacted a temporary executive order, Executive Order No. 959 (MP 959), pushing the effective date of LGPD to May 3, 2021. However, the order becomes definitive law only if the National Congress converts it into law by August 26, 2020.
3. What You Need to Know – Possible Effective Date – August 26, 2020 (or Earlier, up to August 16, 2020). If the Executive Order is not converted into law, amended or extended on or before August 26, 2020, the order lapses, and the LGPD immediately becomes effective on August 26, 2020, or possibly earlier—between August 16, 2020 (the original effective date) and August 25, 2020—if Brazil’s Congress rejects the Executive Order.

Enforcements Delayed to August 1, 2021. Taking a page out of the California Legislature that separated the effective and enforcement dates of CCPA, in June 2020, the Brazilian Congress issued Law No. 14.010/2020 that postponed the effectiveness of the administrative penalties and enforcements under the LGPD (Articles 52 to 54) until August 1, 2021.

Actions to Take Now

Companies that (i) collect or process personal data in Brazil or from individuals located in Brazil or (ii) offer or provide goods or services in Brazil, are subject to the LGPD and have been taking the following actions to prepare for compliance:

• Immediate Measures – Appoint a Data Protection Officer (DPO), Update Privacy Policy and Contracts Before August 26, 2020. While the effective date of the LGPD is being determined, most companies are quickly (i) updating their privacy policy to address LGPD’s additional disclosure requirements, (ii) appointing a global DPO (or at least one for Brazil) and (iii) amending their data processing addendums/contracts partners, vendors and other service providers to ensure they include LGPD compliance, when effective.
• On a Risk-Basis – Update Privacy Program for LGPD. The LGPD borrows heavily from the CCPA and the GDPR for its requirements (e.g., enhanced privacy policy disclosure, data subject rights, incident response, DPO, data mapping and appointment of legal bases and other provisions). As a result, companies that will be subject to the LGPD that maintain global privacy and data protection programs designed for compliance with the CCPA and GDPR (among other global laws) should modify their existing policies, procedures, training and supporting IT to accommodate the requirements of the LGPD (see here for a translation of the law).

For additional information (or to be connected with Brazilian counsel), please contact Tyler Newby or any member of our global Privacy and Cybersecurity Practice.