The Impact of Postponing Brazil's Data Protection Law

In April, the Brazilian Senate passed a bill that postpones the deadline for companies and organizations to comply with the Brazilian General Data Protection Law (LGPD) to January 2021, while punishments for non-compliance would only be enforced from August 2021 onward. The bill is still to be voted on by the House of Representatives and signed into law by President Jair Bolsonaro, but it is already raising concerns about data protection in Brazil.

Initially, the LGPD was expected to come into force in August 2020, some 18 months after its formal approval, to give companies time to adjust to the new regulations. However, Senator Antonio Anastasia, the author of the new bill, argued in favor of postponing the LGPD until February 2022 so as “not to overwhelm companies due to the enormous technological and economic hardships that came after the pandemic.” After the proposal caused some backlash, the bill’s rapporteur Senator Simone Tebet, proposed the new deadline, reports newspaper Estadão.

In a statement to the press, the Brazilian Association of IT Companies (Assesspro), has celebrated the decision, considering that “Senator Tebet’s solution for the issue was positive and backs the importance of the LGPD.”

Meanwhile, with the bill pending before the lower house, President Bolsonaro has signed a provisional measure that would postpone the LGPD’s entry into force until May 2021, as part of a larger coronavirus response package, although such decrees expire automatically after 120 days if Congress does not vote to approve.

The LGPD, inspired by the European General Data Protection Regulation (GDPR), is considered by Brazilian digital activists as an advance in data protection in Brazil. It establishes that Brazilian citizens own their data and companies and the government are responsible for handling it and keeping it safe. Non-compliance or breaches may lead to fines of up to 2 percent of a company’s revenue in Brazil, limited to BRL 50 million, plus daily fines.

As explained in the Brazilian Report’s Explaining Brazil podcast, small companies are the most vulnerable to being in noncompliance, as they lack the resources and experience to deal with the regulations, while international companies are already used to this kind of law abroad.

This concern had been raised by lawmakers and businesspeople even before the outbreak of Covid-19. As lawyer Fernando Santiago writes, “even though companies and the public sector should have been well prepared for the LGPD five months before it came into force, those who support postponing it found a mighty ally. There is no denying that this crisis will impact the economy and the regular working of national and international companies.”

In his view, postponing only the punishment could be a good way to find common ground between creating a data protection culture and the fears of companies, which he considers a fair concern as regulation from the National Data Protection Authority, which is charged with overseeing the protection of personal data and interpreting and enforcing the LGPD, is yet to be implemented.

The Risks of Postponing Data Protection Controls

For digital activists, postponing the LGPD brings about serious concerns in terms of data protection in Brazil, especially considering that several monitoring technologies are being used amid the pandemic in an attempt to contain the virus.

“If we consider the context of the pandemic and the growth of initiatives that aim to use personal data, this law becomes much more urgent to regulate eventual abuses in this data treatment,” said Bruna dos Santos, advocacy and policy analyst at NGO Coding Rights, to The Brazilian Report.

As we explained  in an April 2 story, Brazilian public authorities are already using monitoring technologies to curb public gatherings in cities such as Recife and São Paulo. While companies guarantee privacy will be respected, history shows that this pledge is more connected to how developed democracy is in a country, as similar tools have been used for political persecution in dictatorships.  

In Ms. dos Santos' view, Congress had already shown understanding of companies’ needs by providing such a large period for adaptation. Moreover, the fact that sanctions will only be applied in August 2021 leaves people even more unprotected, she says, “as it prioritizes the ability of companies to adapt instead of [prioritizing] protection for individuals.”