Prolonged delay in setting up Brazil data-protection authority would muddle companies' compliance with law

The General Law for Data Protection (LGPD), effective since Sept. 18, was a huge step toward a bigger role for Brazil in the global digital economy and for guaranteeing the free flow of personal data between Brazil and other countries. But uncertainties about when a data-protection authority will be up and running have left companies with no guidance on how to interpret the law and ensure they are adopting the proper compliance measures.

The National Authority for Data Protection, or ANPD, will be responsible for enforcing the LGPD and will have a fundamental role in regulating data-privacy matters in different sectors, as well as in providing guidance to companies on compliance. While it's missing in action, other authorities will be left to handle data-privacy demands, which could lead to conflicting decisions over a single set of facts.

The ideal scenario would have been to have the data-protection authority in place before the enforcement started, so that it could centralize and unify interpretation of the law that other entities will need. That's no longer possible.

Before the ANPD is put in place, Brazilian President Jair Bolsonaro must nominate at least the president-director of the new institution, who must also be approved by the Senate. So far, Bolsonaro has only published a decree with the rules that will govern the authority, and he's provided no clarity over when he plans to make the nominations.

Without a functioning ANPD, existing authorities like the National Consumer Secretariat and the Public Prosecution Service in the Federal District and Territories continue to open their own data-privacy cases, showing they will be active in this regard now that the LGPD is effective.

For instance, on Sept. 21, the prosecution service filed a civil action against a computer company whose activity allegedly involves commercialization of personal data from Brazilians.

The following day, the same public prosecutors began an investigation into the application of the LGPD by companies that operate in the data-mining and market-intelligence sectors.

National Consumer Secretary Juliana Domingues yesterday said that with the LGPD effective, her secretariat is intensifying monitoring of illicit activity in the digital environment.

Courts are also in the game. Earlier this week, a student filed an action with a court in Pernambuco state against a passenger-transportation consortium in Recife for alleged data-protection violations. The student argued that a bus agent refused to give him a student discount on a bus ticket because the student refused to register his facial biometrics.

In all these cases, the plaintiffs cited the new data-protection law to support their arguments. Legal practitioners and experts expect the challenges to become more common now that the data-privacy rules are effective.

Such recent movements indicate that, although the ANPD hasn’t yet been implemented and the assessment of data-privacy penalties has been delayed to Aug. 1, 2021, companies won’t be shielded from data-breach liabilities.