In a surprise move, the Brazilian Senate on Wednesday rolled back a planned Presidential postponement of Brazil’s new data protection law, originally scheduled to become effective on August 14 2020, but which had been delayed until May 2021, law firm Hunton Andrews Kurth reports in The National Law Review.
Passed in 2018, Brazil’s new data protection law – Lei Geral de Proteção de Dados Pessoais, or “LGPD” – had been delayed by President Bolsonaro by a Provisional Measure, but the Measure had to be approved by August 27 by both houses of Congress. A proposal had been made to change the date once more, to December 31 2020, but instead, the Senate overruled any delays at all.
The latest change, however, must be signed off by the President. When this is done, the law will have a retroactive applicability date of August 14, according to The National Law Review article, although its sanctions provisions will not be implemented until August 2021.
On Thursday, according to Bloomberg Law, Brazil created a National Data Protection Authority, charged with enforcing the new law.
The LGPD brings over 40 different statutes governing personal data in Brazil under one legal mechanism. Like GDPR, it has extraterritorial scope, applying to any organisation processing personal data relating to people in Brazil irrespective of where that entity is based. It sets out nine rights of data subjects, including the right to confirm the existence of the data; access the data; to correct the data; to anonymise, block or delete unnecessary, excessive or non-compliant data; to request the portability of the data to another service or product provider; to delete personal data processed with the consent of the data subject; to information about entities with which the controller has shared data; to information about the possibility of denying consent; and the right to revoke consent.