Brazilian data protection law takes next steps

Brazilian data protection law takes next steps

On May 29, 2019, the Brazilian Federal Senate approved Provisional Measure No. 869/2018 (Medidia Provisória No. 869/2018, MP), which amends the General Data Protection Act (Lei Geral de Proteção de Dados No. 13,709/2018, LGPD).

The measure creates a National Data Protection Authority (Autoridade Nacional de Proteção de Dados, ANPD) as part of the LGPD. The ANPD will be a federal public administration body; however, under the amendments, it may become an independent body (albeit one with revenue stipulated by the LGPD) within two years of the LGPD being enacted.

The approved text also includes three new sanctions in the case of a company breaching the regulations:

partial suspension of the operation of the database in which the violation has occurred;
suspension of the processing of the personal data involved in the breach; and
partial or total prohibition of the exercise of activities related to data processing.
Breaches of the LGPD will result in fines of up to 2 percent of the sales revenue of the company or group in Brazil, and up to BRL50 million per violation. Companies’ data protection officers must have legal and regulatory knowledge, and be able to provide specialised data protection services.

The LGPD has been greatly influenced by the EU’s General Data Protection Regulation (GDPR), and will affect all companies dealing with Brazilian citizens, including foreign companies with branches in Brazil.

Having been approved by congress and the senate, the measure has been converted into Draft Law No. 7/2019, and now awaits presidential sanction to be enacted into law. The LGPD will come into force on August 16, 2020.