Data Protection Is the New Law in Brazil

It’s official! Brazil has taken a giant step forward in the world of data protection. Following the footsteps of the European Union’s GDPR, Brazil has enacted its own law to protect the personal information of Brazilians.

Known as the LGPD (Lei Geral de Proteção de Dados Pessoais), Law No 13.709 has been in the making since 2018 when it was first announced. And over the past two years, Congress and President Bolsonaro have gone back and forth about when the law would actually go into effect. But it seems those discussions have finally come to an end.

On September 17, President Bolsonaro signed the bill into law, although its effective date is retroactive to August 14, 2020. Yet enforcement has been postponed until August 1, 2021. This will give companies time to implement the new requirements while the government develops the regulatory body known as the Brazilian Data Protection Authority.

How does this impact you? Well, just like the GDPR, the LGPD applies to anyone with data regarding Brazilian residents. This means that even US companies with no ties to Brazil, other than maybe a Brazilian customer, would need to comply with the law.

And again, like it’s European sister, the LGPD imposes stiff penalties on those who don’t comply. This includes fines that can reach up to 2% of a company’s revenue with limits of R$50 million for each violation.

This begs the question: after so many countries have passed data protection laws, will the US be next?