A sweeping data protection law passed in 2018 by Brazil's National Congress and amended in 2019, but whose effective date had been delayed, has now come into effect. On September 18, 2020, President Jair Bolsonaro signed enacting legislation bringing the General Data Protection Law (LGPD) into full force and effect as of that day. The penalty provisions of the LGPD will not take effect until August 1, 2021.
The LGPD contains broad protections and regulations governing the collection and sharing of personal data and the processing of personal data, which is defined broadly to include any information relating to an identified or identifiable subject. It establishes various rights concerning personal data, including the right to:
- Confirmation of the existence of data processing
- Access to personal data held by a data controller (person or entity making determinations about the processing of personal data)
- Correct incomplete, inaccurate, or obsolete data
- Block or eliminate unnecessary or excessive data
- Eliminate personal data altogether under certain circumstances
- Know about public or private entities with whom a data controller has shared data
The law shares broad similarities with the European Union's General Data Protection Regulation (GDPR)
and the California Consumer Privacy Act
, but the specifics of each law differ and require particularized compliance. Enforcement of the LGPD will be carried out by a newly created National Data Protection Authority (ANPD).
Edward Kowalski, Esq., is Manager, Payroll Information Resources, for the American Payroll Association