Brazilian Congress under pressure to approve delay in data-protection law, privacy official says

Companies are pressuring Brazilian lawmakers to delay implementation of the nation's data-protection law from Aug. 16 until next May, arguing that an authority to enforce the law is needed first, said Fabrício da Mota Alves, a senate representative appointed to the Brazilian national council of data protection.

“Companies came together very strongly to ask for the law delay. It is absurd that a law is implemented before the authority,” Alves told MLex in an interview. “Companies’ mobilization has been really impressive. There’s been unanimity on the subject.”

Brazilian President Jair Bolsonaro in April published a provisional measure immediately delaying implementation of the General Law for Data Protection, or LGPD, from Aug. 16, 2020, to May 3, 2021. The provisional measure, however, must be voted on by Congress within 120 days of its publication in the country's Official Journal to become permanent. That deadline will expire Aug. 28.

If Congress fails to vote by then, the provisional measure is canceled.

Alves believes the provisional measure will be approved by Congress. “I think this [provisional measure] will be approved because there’s been great pressure for this to happen,” he said.

Last week, Chamber of Deputies’ president, Rodrigo Maia, publicly said his chamber “will vote” on the provisional measure and stressed that the continued delay of the formation of the National Authority for Data Protection, or ANPD, is generating legal uncertainty for those willing to make investments in the country.

Bolsonaro has been delaying publishing a presidential decree passed by Congress that is essential to establishing the protection authority and starting discussions on regulation before the law goes into force.

Alves said “the government needs to understand that the authority is necessary. It is not about creating further expenses, it is about the need to have an authority to enforce a law,” the data protection councilor said.

Delay in fines

It isn't just the law's implementation that's been delayed, but also the assessment of data-privacy fines, now set for Aug. 1, 2021. As things stand, the law could come into force months before companies can actually be sanctioned for violating it.

Alves said the delay in the fine assessment — signed into law by Bolsonaro in June — will generate two “very” negative effects on the market and society.

“The first is a signal that society will remain vulnerable, even if the law comes into force. In other words, the citizen will have the right guaranteed by the law, but whoever violates it will be free from punishment because the ANPD will have it hands tied” until August 2021, he said.

The second effect, Alves said, is a delay to build regulations for data-privacy fines. “With the penalty delay, Article 53 of the law, which establishes the duty of the ANPD to modify fines through public consultations, has also been delayed.”

He called the delay an “innocuous solution” considering that the new authority won’t be implemented anytime soon and, therefore, it is unlikely that it would have imposed any fines by Aug. 1, 2021.