Brazil’s Data Protection Paradox
By Robert Muggah and Pedro Augusto Pereira Francisco
Published on Council on Foreign Relations
After years of procrastination, Brazil has finally adopted comprehensive data protection legislation. In mid-2018, the government approved Law 13.709, known by its Portuguese acronym, LGPD. Public agencies and private companies are scrambling to understand what the law entails and how to respond. They have until August 2020 to figure things out. Before explaining what the new law says, it’s worth recalling how Brazil got here.
The road to data protection
The long road to the creation of a far-reaching data protection law began back in 2010 when the national consumer secretary—a unit in the Ministry of Justice—publicly circulated a draft bill on data protection. The bill was opened up for consultation again in 2015, two years after Edward Snowden disclosed details about U.S. and Five Eyes surveillance efforts around the world, including in Brazil. Unnerved by the vulnerabilities of Brazilian networks and users, the government accelerated the approval of the bill, assembling over two thousand submissions from businesses, non-profits, and universities along the way.