Hogan Lovells 2024 Election Impact and Congressional Outlook Report
On 14 August 2018 Brazil approved its new General Data Privacy Law (Lei Geral de Proteção de Dados Pessoais or “LGPD”) – a comprehensive law that closely mirrors the European Union’s General Data Privacy Regulation (“GDPR”). Although the LGPD significantly expands Brazil’s data protection framework and places the country among one of the few jurisdictions to provide similar data privacy protections as those offered in the European Union, the new law did not create a data protection authority.
This issue was addressed on 28 December 2018 by the outgoing President Michel Temer, who signed a last-minute executive order (Medida Provisória no. 869/18) that made some important changes to the LGPD and most notably created the Brazilian National Data Protection Authority (Autoridade Nacional de Proteção de Dados or “ANPD”).
The ANPD is part of the federal government and linked to the office of the President of Brazil. From a technical and subject matter perspective, the ANPD is an independent entity, capable of freely evaluating and addressing data protection and privacy issues; however, it is linked to the office of the President of Brazil, which may bring into question if the ANPD will be more prone to political pressures than other Brazilian agencies that are not directly tied to the country’s administration.
With regard to the attributions of the ANPD, Section 55(j) of Executive Order no. 869/18 establishes that the ANPD has the authority to, among other things:
Executive Order no. 869/18 also implemented other important changes to the LGPD, notably:
These changes should not impact the LGPD’s conformity with the GDPR or the European Union’s acceptance of the LGPD as a broad and encompassing data protection law.
The executive order entered into effect immediately; however, it must be voted into law by the Brazilian Congress within 120 days in order to continue to be valid and become permanent. In any case, discussions and speculation regarding if and when a national data authority will be created have now been addressed and companies should start making preparations to comply with the LGPD.
Authored by Isabel Carvalho and Rafael Loureiro