- Blog Post
- Blog posts represent the views of CFR fellows and staff and not those of CFR, which takes no institutional positions.
Robert Muggah is co-founder of the Igarapé Institute—a think and do tank working on data-driven safety and justice. His latest book, with Ian Goldin, will be released by Penguin Random House in 2020.
Pedro Augusto Pereira Francisco is a senior researcher at Igarape Institute.
After years of procrastination, Brazil has finally adopted comprehensive data protection legislation. In mid-2018, the government approved Law 13.709, known by its Portuguese acronym, LGPD. Public agencies and private companies are scrambling to understand what the law entails and how to respond. They have until August 2020 to figure things out. Before explaining what the new law says, it's worth recalling how Brazil got here.
The road to data protection
The long road to the creation of a far-reaching data protection law began back in 2010 when the national consumer secretary—a unit in the Ministry of Justice—publicly circulated a draft bill on data protection. The bill was opened up for consultation again in 2015, two years after Edward Snowden disclosed details about U.S. and Five Eyes surveillance efforts around the world, including in Brazil. Unnerved by the vulnerabilities of Brazilian networks and users, the government acccelerated the approval of the bill, assembling over two thousand submissions from businesses, non-profits, and universities along the way.
Confident that the bill was ready, President Dilma Rousseff sent it to Congress in 2016, where it became Bill 5276/2016. Despite President Rousseff’s urgency to get data protection legislation passed, Congress stalled because another data protection law, Bill 330/2013, which was heavily supported by the private sector because it granted companies more discretion in handling personal data, was being simultaneously reviewed by the Brazilian Senate.
In 2018, the Cambridge Analytica revelations kicked Brazil's lawmakers into action. What especially bothered Brazilians was the news that Cambridge Analytica's Brazilian partners—A Ponte Estratégia, a Sao Paulo-based consulting group —had quietly collected data on over 443,000 citizens in 2017. With public outrage mounting, President Michel Temer approved PLC 53/2018, also known as Law 13.709, which formally introduced the LGPD in August 2018. This law was closer to the original Bill 5276/2016.
One step forward
So what does PLC 53/2018 do? Brazil's LGPD is modeled on the European Unions's General Data Protection Regulation (GDPR). This means that Brazil has adopted a "user-centric" approach to data protection, giving individual citizens considerable agency to control their own data. Specifically, Article 18 of the LGPD notes that individuals can exercise the right to be informed about the use of their data by government and corporate entities, rectify and remove their personal information from datasets, and oppose efforts to collect or manipulate their data. It even requires that organizations explain their use of automated decision-making processes that collect and use personal data.
Like the GDPR, Brazil's LGPD has extraterritorial dimensions, meaning that global firms offering services in Brazil are required to comply with the law for services outside of Brazil. In addition, there are situations where data can be collected without the subject's consent, which are framed as instances where there are “legitimate interests,” an idea imported from GDPR.
One step backward
Despite passing the LGPD, Brazil’s government lacks a national data protection authority to enforce the law’s basic provisions because President Temer vetoed the creation of the ANPD, a federal agency to safeguard and enforce data protection rules. President Temer argued that the creation of a new national agency was the prerogative of the executive branch, and not Congress. However, before leaving office, President Temer introduced a partial solution to this problem in the form of provisional measure 869/2018 (converted to Law 13.853 in 2019), which created rules to establish the ANPD. The law provides an interim agency with a temporary two-year mandate, after which the federal government can decide whether or not to upgrade it to a permanent body. Since assuming office in 2019, however, President Jair Bolsonaro has already restricted the ability of the new agency to impose penalties on entities that violate the LGPD.
There is still no sign of any federal ordinance to formally establish the ANPD. In the absence of a permanent government organization to implement the law, many private companies, public agencies, and civic groups lack sufficient guidance to properly comply with the LGPD, while most Brazilians have no idea how the country's data protection rules will be interpreted or enforced.
Some members of Brazil’s Congress are discussing a new bill to postpone the LGPD to August 2022. Others privately wonder if the bill should be voided altogether. This is a far cry from a year ago when Brazil was positioned to lead the way on data protection. The truth is that Brazil is way behind schedule. It is critical that the country's politicians not stall, but instead accelerate the implementation of the ANPD. At a minimum, the executive branch must propose candidates for positions in the interim agency so that Congress can approve them before the August 2020 deadline.