Brazilian House of Representatives votes to delay LGPD

Brazil’s lower house has voted to delay the LGPD – the latest move in a series of twists and turns that could see the data protection law postponed until August 2021.

As part of a coronavirus relief package last month, the country’s senate initially voted to delay the LGPD’s entry into force from this August until January 2021, with sanctions being postponed until August 2021.

Brazil president Jair Bolsonaro also issued a provisional measure later in April that would delay both the law’s entry into force and the penalties until May 2021. Some observers said at the time that the conflicting dates created uncertainty for companies trying to plan for LGPD.

That uncertainty was compounded last week when the House of Representatives amended the coronavirus relief legislation to further extend the entry into force deadline from January to May 2021 – while keeping the August 2021 sanction postponement. The bill will now head back to the Senate; meanwhile, neither house has acted on Bolsonaro’s provisional measure.

“The only thing that’s certain is that [the date LGPD goes into effect] is not going to be August of this year,” said Veirano partner Fábio Pereira in Sao Paulo. “The date is 3 May [2021] as of now. [Congress] has until August to analyse [Bolsonaro’s order]. Until then, it’s 3 May.”

From the point of view of privacy advocates, the House’s vote last week took the worst aspects of the coronavirus legislation and Bolsonaro’s order – because it incorporated the former’s sanctions delay and the latter’s delay of the entry into force, Pereira said. “It’s a major setback because it’s postponing everything,” he said.

Observers have warned that the delays will likely lead to other government agencies enforcing data protection issues in the absence of a data protection authority. For instance, the Supreme Court cited the LGPD in its 8 May ruling on a government programme that would have collected the telecommunications data of millions of residents.

“The court is embedding the data protection concepts and culture even though the law is not in force yet,” Mattos Filho partner Thiago Sombra told GDR after the ruling. “It’s very clear that if the government doesn’t create the authority, the government may have a lot of losses and problems in court.”

VMCA partner Marcela Mattiuzzo in São Paulo said the lack of a data protection authority may lead to government bodies imposing their views on the private sector. The data protection authority would presumably allow the private sector to have greater input since it is advised by a body of council members from all sectors of the economy.

“The lack of enforcement of the law leaves space for other authorities to create their own understanding about what data protection is and should be, and to effectively impose their view on the private sector, rather than allowing for the building of a policy alongside the actors directly involved with it, as I believe the LGPD together with the ANPD [data protection authority] could entail,” Mattiuizzo told GDR last week in the wake of the court ruling.