As previously reported, Brazilian lawmakers have been debating a delay to the LGPD, which was scheduled to come into effect August 15, 2020, in response to COVID-19. The Brazilian Senate first passed Bill 1,179/2020, and Brazil’s President later enacted Provisional Measure 959. On May 19, 2020, the Brazilian Congress sent to the President’s desk an amended Bill 1,179/2020 that would maintain the LGPD’s August 15, 2020 effective date but would delay administrative sanctions until August 1, 2021. However, if approved, the Final Bill would still allow the LGPD’s requirements to be enforced through other means.
On April 29, the Brazilian Federal Government issued an executive order, Provisional Measure, which would postpone the implementation of the LGPD until May 3, 2021 if approved by Brazil’s legislature in the next couple of weeks.
In light of the pandemic crisis caused by COVID-19, Brazilian officials have sought to enact emergency measures to minimize its impact on regular business practices. One of the latest efforts is Bill 1,179/2020, which would, among other things, delay implementation of Brazil’s General Data Protection Law, or LGPD, until January 1, 2021 so as not to burden companies in the face of the enormous technical and economic difficulties arising from the pandemic.
Although Brazil’s new General Data Privacy Law (LGPD) significantly expands Brazil’s data protection framework and places the country among the few jurisdictions to provide data privacy protections similar to those offered in the European Union, the new law did not create a data protection authority. On 28 December 2018, outgoing President Michel Temer signed Medida Provisória no. 869/18, a last-minute executive order that made important changes to the LGPD and most notably created the Brazilian National Data Protection Authority (ANPD).
The Brazilian General Data Protection Law (“Lei Geral de Proteção de Dados” or “LGPD”), passed by Congress on 14 August 2018, will come into effect on 15 February 2020. The new data protection law significantly improves Brazil’s existing legal framework by regulating the use of personal data by the public and private sectors. Very similar to the General Data Protection Regulation (“GDPR”) implemented in the European Union, the LGPD imposes strict regulations on the collection, use, processing, and storage of electronic and physical personal data. In conjunction with the passing of the LGPD, the National Data Protection Authority will be created in order to adequately implement the new legislation.
Hogan Lovells today published Pan-American Governmental Access to Data in the Cloud, the fifth installment in a series of White Papers examining government access to data held by Cloud service providers. Examining the right of governments in the United States and Latin America to access data in the Cloud, the White Paper concludes that the physical location of Cloud servers does not significantly affect government access to data stored on those servers, and that it is fundamentally incorrect to assume that the United States government’s access to data in the Cloud is greater than that in the Latin American countries examined.
The Brazilian legislature is considering two privacy laws that have been in limbo but have found new life following revelations about US government spying. The Marco Civil da Internet would establish an “Internet Bill of Rights” with data protection requirements and obligations to preserve net neutrality. The Data Protection Bill would establish an EU-style framework for the processing of personal data. If the Brazilian legislature fails to pass the bills promptly or does not include the data localization measures discussed below in the final legislation, Brazil’s president may choose, to the extent permitted by Brazil’s constitution, to implement many of the privacy provisions contained in the proposed laws by executive decree.