There are currently four bills in the National Congress dealing with the extension of the deadline for the General Law of Data Protection - LGPD to come into force. In general terms, three of these bills provide for an increase in the deadline for the LGPD to take effect on public and private entities, while the fourth bill only aims to suspend the application of sanctions by the National Data Protection Authority - ANPD.
Bill No. 5762/2019, authored by Congressman Carlos Bezerra (MDB/MT) is the oldest and best known of them, as it has been in the House of Representatives since mid-2019. If approved, it would extend the entry into force of the LGPD to August 15, 2022 under the argument of the slowness for the establishment of the ANPD, as well as the prediction that a low number of companies will be prepared to comply with the law on the original date of entry into force. More recently, Bill No. 1027/2020, by Senator Otto Alencar (PSD/BA), was submitted to the Federal Senate at the end of March this year, proposing the date of February 16, 2022 for the law to come into force, under similar arguments.
On the other hand, the bill no. 1164/2020, presented to the Federal Senate by Senator Álvaro Dias (PODEMOS/PR), days ago, seeks to suspend only the application of ANPD sanctions until the deadline of August 16, 2021, under the argument that the current pandemic caused by the new coronavirus makes it difficult for those who must comply with the LGPD to adapt. This is a palliative measure with limited effects, since companies would still be subject to civil liability for non-compliance with the legislation.
The fourth and last project refers to Bill no. 1179/2020, of Senator Antonio Anastasia (PSD/MG), which aims to broadly regulate civil relations during the pandemic combat period. Along with several emergency amendments, it extends the entry into force of the LGPD until February 16, 2022 due to the technical and economic difficulties expected in the coming months. This bill should be voted on by both houses of Congress later this month and has already received several amendments, including to shorten the extension period and even to remove it from the bill.
We understand that, while additional time for compliance may benefit some companies with ongoing projects in this period, the postponement is not entirely welcome. The current state of calamity has shown several situations in which citizens' privacy has been threatened and initiatives regarding the use of their data are surrounded by uncertainty, which shows the importance of having a general law on privacy and data protection in place as soon as possible. In addition, with the absence of a data protection authority to centralize the decisions and enforcement of privacy and data protection rules (ANPD), other government agencies, such as the Procons and the Public Prosecutor's Office, have taken the lead in the situation and have been acting in an increasingly comprehensive manner to protect the privacy and data protection of consumers and company employees, but without a unified interpretation of the obligations and limits of liability under existing laws.
The new way of looking at personal data brought by the LGPD is here to stay and has become a global standard. The eventual postponement of the LGPD's effectiveness should not be seen as carte blanche to set aside the governance of personal data in companies, but as additional time to improve this governance system. The proper handling of personal data is increasingly becoming an imperative for companies to do business and market their products and services in our society, with research already showing that investment in privacy correlates directly with value creation for companies, reflecting in losses with security events, fewer delays in the delivery of products and services and greater financial return.
São Paulo, April 2, 2020.
Dr. Karin Klempp Franco
Luiz Fernando Plastino Andrade (CIPP/E)
Mahyra Milani
