This post is also available in: Español

On December 28, 2018, Brazil’s then president, Michael Temer, signed an executive order (Provisional Measure 869/18) creating the Brazilian National Data Protection Authority (“BNDPA”). The measure complemented the Brazilian Data Protection Act (“LGPD”),  approved on August 14, 2018, which took inspiration from the General Data Protection Regulation (“GDPR”), and will make Brazil one of the Latin American countries with greatest protection for personal data when it comes into force in 2020.

The LGPD shares a number of characteristics with the GDPR, such as its extensive scope of application and several lawful grounds on which to process data.

However, in practice, it faces a sizable obstacle. The draft bill presented to Temer after approval in both chambers of the Brazilian congress was vetoed on three key aspects before being signed: (i) establishing an independent data protection authority, (ii) sanctions for breaching the LGPD, and (iii) transparency requirements for public sector agents handling personal data.

The content of these vetoes has received criticism from some sectors of Brazilian society, e.g., the Brazilian Coalition for Digital Rights, as they not only placed obstacles for holding infringing parties accountable for their actions, but also left several legal loopholes wide open that would make the effective application of the LGPD dependent on the result of the general elections. Despite these concerns, Temer’s government finally created the ANPD, as a last-minute measure.

Regarding the ANPD’s powers, section 55(j) of Executive Order 869/18 establishes that the ANPD can do the following:

  • Issue rules and regulations regarding data protection and privacy.
  • Interpret (within the administrative sphere) the LGPD exclusively, including in those cases where the law is silent.
  • Request information on data processing procedures from data processors and controllers.
  • Oversee and exclusively impose administrative sanctions for breaches of the LGPD.
  • Promote data protection and privacy in Brazilian society.
  • Carry out studies relating to national and international data protection and privacy practices and establish relationships with authorities from other countries to increase international cooperation.

Another relevant aspect introduced by Executive Order 869/18 is the delayed date on which it will come into force, set for six months after the date established in the initially approved bill: August 2020 compared to February of the same year. The Brazilian congress will now have 120 days from when the executive order comes into force to ratify it and make it permanent. After dispelling doubts about whether the Brazilian government would create the ANPD, the Brazilian people can now start to prepare for when the LGPD comes into force.

This post is also available in: Español



17 artículos