Brazil
Summary
Law: Law No. 13.709 of 14 August 2018, General Personal Data Protection Law (as amended by Law No. 13.853 of 8 July 2019) ('LGPD')
Regulator: The structure of the Brazilian data protection authority ('ANPD') was created by Presidential Decree No. 10,474 of 26 August 2020 (only available in Portuguese here) ('the Decree'). The Decree will come into force on the date of publication of the appointment of the ANPD's executive director in the Federal Official Gazette.
Summary: The LGPD was passed in 2018 and entered into effect on 18 September 2020, although its enforcement provisions will not come into effect until 1 August 2021. The LGPD is a comprehensive data protection law which covers the activities of data controllers and processors and creates novel requirements on the processing of information of data subjects. It includes provisions on a variety of issues such as data protection officer appointments, Data Protection Impact Assessments, data transfers, and data breaches. It will be enforced by the ANPD which, when established, is expected to provide important guidance and clarity on the provisions of the LGPD. In addition, Law No. 12.965 of 23 April 2014 (only available in Portuguese here) ('Marco Civil da Internet') has been in force since June 2014 and establishes principles, guarantees, rights and duties relating to the use of the internet in Brazil. So far, and before the establishment of the ANPD, the Public Ministry of Federal Districts and Territories has taken various enforcement actions in relation to privacy based on the provisions of Marco Civil da Internet.