CIPL/IDP Joint Project on Brazilian Data Protection Implementation and Effective Regulation
In August 2018, Brazil approved its first comprehensive data protection law (“Lei Geral de Proteção de Dados Pessoais” or “LGPD”). In December 2018, the former President of Brazil issued Provisional Measure No. 869/2018, which makes some amendments to the LGPD and, importantly, creates Brazil’s national data protection authority (the “ANDP”). The Brazilian Congress has until the beginning of June 2019 to confirm the provisional measure in its entirety or to reject or amend it. If accepted, the LGPD will enter into force in August 2020. Under the law, the current effective date is February 2020.
This leaves many organisations with a window of approximately 9 to 15 months to assess the impact of the LGPD on their data processing activities and operations, devise and execute implementation strategies, and make relevant changes to their business processes, compliance infrastructures and IT systems to reflect the new requirements. For many organisations, some of this work will have been completed in the context of preparations for the GDPR. For many others, including local and Latin America-wide companies, this will be a new compliance journey and an opportunity to transform their approach to data protection and data management in line with the modern digital economy.
In addition to internal preparations, organisations will now need to constructively engage and work with, for the first time, a new central data protection authority which will have its own unique leadership style and approach to ensuring the protection and privacy of Brazilians throughout the country. For the ANDP, 2020 symbolises the first cycle of regulatory data protection leadership and enforcement power, and this will be as much of a learning experience for the regulator as it will be for organisations. Ensuring the effectiveness of the ANDP and constructive engagement and bridge building with organisations will be critical to the success of the new data protection framework.
Many of the key changes introduced by the LGPD appear to be modeled on the GDPR requirements, including rules around the LGPD’s extraterritorial scope; the introduction of different legal bases for processing, including legitimate interest; expanded individual rights; requirements to appoint a DPO; rules around risk, including performance of a DPIA and breach notification; and rules surrounding data transfers. At the same time, there are several differences and unique aspects to the LGPD. For example, the LGPD introduces legal bases not explicitly present in the GDPR, such as processing for the protection of credit. Also, there may be variations between the concept of “legitimate interest” under the LGPD and the GDPR, which could be further explored. Data portability was a completely new right for individuals in Europe but has existed in Brazil since 2007 in the context of porting data related to a telephone number under Brazil’s General Portability Regulation of Anatel. Organisations cannot rest on their GDPR efforts alone for compliance with the LGPD. It is a unique compliance operation and, while there will be opportunities to leverage existing organisational and technical compliance measures, organisations will need to bridge the gaps through strategic, well-informed and timely planning and implementation of the requirements.
The Centre for Information Policy Leadership (CIPL) launches this special project on Brazilian Data Protection Implementation and Effective Regulation, in collaboration with the Instituto Brasiliense de Direito Publico (“IDP”), to bring together key stakeholders and experts from industry, government and academia to engage in a constructive and expert dialogue on the LGPD, its interpretation, implementation and effective application. Through a series of 3 major workshops, several webinars and white papers, CIPL and IDP will facilitate consistent and forward-thinking interpretations of the new obligations, suggest best practices for implementing the requirements and build bridges between the different stakeholders in order to ensure the success of the new regulation for Brazil, for the global data landscape and for the modern digital economy.
The objectives of the project are four-fold:
Proposed Project Topics
A project-specific Steering Committee will be set up to finalise the proposed topics. Details on how to join this Committee will be provided in due course.
The areas of focus for this project include:
A. Implementation of the LGPD
C. Individual Rights
D. International Data Transfers
E. The Role of the ANDP