Brazil's General Data Protection Regulations (LGPD, in the Portuguese acronym) were sanctioned by President Jair Bolsonaro on Friday (18), after nearly a month of uncertainty over the actual go-live date of the rules.
The latest development brings a change in relation to the implementation date of May 2021 proposed by the Brazilian Congress and means the regulations are already valid, with sanctions for non-compliance applicable from August 2021.
Among other things, the LGPD prohibits illicit or abusive processing of personal data from a specific person or a group to support business decisions (consumer data for the sale of goods or services, for example), public policies or the performance of a government agency. Sanctions for non-compliance range from warnings to daily fines of up to 50 million reais (USD 9.2 million), in addition to a partial or total suspension of activities related to data processing.
Although the data protection rules have gone live in Brazil, the presidential sanction did not include any mention of the formation of the National Data Protection Authority (ANPD, in the Portuguese acronym), which will be tasked with enforcing the rules and is set to include members from industry, academia and national Internet governance bodies.
While the introduction of the GDPR-equivalent is seen by some as an opportunity to finally appoint the members of the ANPD, others point to the legal uncertainty relating to introducing regulations without an authority to enforce them.
The creation of the agency had been initially vetoed by then-president Michel Temer at the time the country's data protection regulations were signed in August 2018. The autonomy model of the body was one of the main reasons behind the veto - however, the body is considered crucial for the implementation of the new rules so the