The authority will oversee compliance with the General Data Protection Law, which will come into force in August 2020.

The Senate avoided a delay to May 2021: Among the interim measures in response to COVID-19, the Brazilian Parliament had delayed the entry into force of parts of the country’s General Data Protection Law (LGPD) from August 2020 to May 2021 and August 2021. On 26 August 2020, the Brazilian Senate overturned the vote of the Lower House, thereby paving the way for the immediate entry into force of the law.

The role of the authority: As a result of the vote, the National Authority for Data Protection (ANPD) is created, through a separate decree of the Federal Government. The ANPD will be a body with ‘technical and decision-making autonomy’, whose board members will have a mandate of four years and cannot be removed, unless they resign or are required to do so through a disciplinary administrative proceeding. Among its tasks, the ANPD will develop guidelines for national policies on privacy and data protection, and promote knowledge of privacy rules amid the population. The ANPD will also have to set rules and guidelines for small businesses to adhere to the LGPD, which will be subject to prior public consultation.

No penalties for another year: Part of the LGPD will still come into force in August 2021, such as the section of the law that refers to the penalties. This will give businesses sufficient time to adapt to the new law. The maximum fines under the LGPD can amount to 2% of a company’s annual turnover in Brazil, up to BRL50m (USD8.9m).