LGPD in effect: legal news and remaining challenges

On September 18, 2020, the Brazillian General Data Protection Act (LGPD) came into effect. This event marked the end of a long period of uncertainty that lasted from the moment the law was sanctioned in August 2018. 

With the LGPD in place, one can observe the emergence of numerous repercussions in Brazilian law. However, there are still several open questions for the personal data protection scenario in Brazil. This post seeks to address some of these repercussions and pending issues arising from the current state of the LGPD. Check it out below!

The journey of the LGPD to date

The LGPD was approved in a hurry due to strong international pressure. This is because, in the first half of 2018, several legislations on the protection of personal data were approved worldwide – notably the CLOUD Act in the USA and the GDPR in the European Union. These foreign regulations, among several other provisions, impose on third countries the need for greater safeguards to personal data to facilitate the international transfer of that information.

At the time of the approval of the LGPD, a period of 2 years was initially determined until it effectively came into effect. This interval was instituted so that companies and other organizations that needed to adapt to the new legal scenario had enough time to do so.

What actually happened, however, was much more complex than initially anticipated. Various legislative movements emerged since the publication of the law, seeking to postpone its effective date.

There were many kinds of arguments used for the postponement attempts: from the supposed lack of time to adjust the entities to which the law would apply to the allegation of ineffective regulation, considering that the National Data Protection Authority (ANPD) – the regulatory body foreseen in the LGPD – had not even been officially created by a regulatory decree. The current pandemic of COVID-19 was also mentioned as a motivating factor for the need for postponement, considering that the entities to which the law applies would be focusing efforts on the contingency of the coronavirus.

Some of the most relevant attempts to postpone the law took place in 2020. One can mention, for example, Bill no. 10.010 / 2020, which, among several provisions regarding the COVID-19 pandemic, postponed until August 2021 the articles of the LGPD that provide for the administrative sanctions applicable by the ANPD. At the time of writing, this postponement was still in effect: it can be said that the LGPD is only “partially” valid.

In addition, the most recent focus of discussions on a possible legal postponement was Provisional Measure (MP) No. 959/2020. Also, among other predictions related to different topics, the MP postponed the remaining articles of the LGPD to May 2021.

MP 959 was subjected to intense debates in the Legislative, initially envisaging the postponement of the LGPD to December 2020 – instead of May 2021. These attempts, however, were blocked by the Senate, which determined that the law should come into effect in the originally foreseen date. 

Thus, in September 2020, the LGPD came into effect, with the exception of administrative sanctions that were postponed to August 2021 by PL 14,010. The law, therefore, is finally having full legal effects, which result in profound changes to the scenario of personal data protection in Brazil.

The validity of the law and the immediate consequences

The LGPD, since the moment of its entry into effect, has brought several concrete repercussions to the Brazilian data protection scenario.

Firstly, the law in effect means that the organizations that are subject to it can already be charged by consumers and partners for their personal data processing activities. This translated, in practice, into a flood of complaints on platforms such as “Reclame Aqui”: on the same day that the LGPD came into effect, dozens of consumers were already notifying companies by these means, demanding information and transparency in the activities involving their data .

In addition, the immediate repercussions of the LGPD in effect were not limited to the holders’ extrajudicial notifications. In fact, since the law’s validity date, there has been the spread of several judicialized cases involving the personal data of holders and usingas an argumentative basis our “newborn” data protection law.

The Public Ministry of the Federal District and Territories, for example, has already filed a Public Civil Action against a company whose activities are limited to the sale of personal data for marketing purposes. In another case, pending before the TJ-SP,was stipulated a R$10,000 (ten thousand Brazillian reais) fine to a company that shared the personal data of a client, and its value could be increased if the company does not cease undue sharing. This decision was based on the principles enunciated by both the Consumer Protection Code and the LGPD.

However, although events to date have already shown positive signs regarding the application of the General Law on the Protection of Personal Data, there are still concerns regarding this standard, and problems pending resolution.

Remaining challenges for the LGPD

The first challenge has been previously mentioned: it is the fact that the law is not yet in effect in its entirety due to the postponement of administrative sanctions foreseen in August 2021. No one can assure, for example, that there won’t be attempts to postpone these final provisions for even longer, resulting in losses to legal security involving personal data in Brazil.

More importantly, we still have an issue of utmost urgency for the Brazilian data protection scenario: our National Data Protection Authority (ANPD).

The creation of the ANPD is a requirement in several LGPD statements. It is not only the entity that has powers to carry out a large part of the inspections and apply the administrative sanctions provided for in the law, but also the body responsible for regulating more specifically the data protection regime in Brazil through official pronouncements.

However, the structuring of our data protection authority has been happening in a way that’s similar to that of the LGPD itself: uncertain and inconstan. For example, since the publication of the law in 2018, we have seen endless discussions about the Authority’s legal nature: should it be linked to direct or indirect public administration?

In addition, it has only recently been possible to observe the publication of a regulatory decree for the ANPD. This translates into the fact that the LGPD is already in effect, but in practice there is no provision for the effective start of the activities of an entity essential for the proper functioning of the Brazilian data protection framework. There are also numerous criticisms directed at the content of this decree, relating to issues such as the autonomy of the ANPD, civil representation in that entity, among others.

Halfway there, but there is still a long way to go

It can be seen, therefore, that there is still a lot to do until Brazil has a properly consolidated personal data protection ecosystem, guaranteeing legal security for data subjects. Although the LGPD finally came into effect, after months of intense uncertainty permeating the story, there are still several challenges pending until the work is in fact “finished”.

In this sense, it is also important to keep in mind that the LGPD represented an important step for Brazil to overcome a decades-long delay in legal safeguards for the rights of personal data holders and the privacy of others. It is natural, therefore, that there is much to be done so that the country has a legal framework for data protection that is really mature.

This is not to say that the events of the past few months have not been of extreme importance for this process as a whole. Data protection has undergone profound changes in Brazil in the recent past, and these events – although they have not exhausted the pending issues regarding the LGPD and data protection as a whole – represented an essential step forward to enable us to continue to see progress in this area.

Are you interested in topics related to LGPD, privacy and protection of personal data? Check out more IRIS content on the topic by clicking here!

The views and opinions expressed in this blogpost are those of the author. 
Illustration by Freepik Stories.