Part of a ZDNet Special Feature: Coronavirus: Business and technology in a pandemic

Coronavirus crisis threatens data protection regulations in Brazil

Lobbying to postpone the implementation of the new rules gains momentum with the pandemic

The COVID-19 crisis will likely result in the postponement of the go-live date for Brazil's general data protection regulations. According to industry observers, the pandemic is seen as a fair justification to delay the go-live date for the regulations, which are due to be enforced in August 2020.

A bill authored by congressman Carlos Bezerra, presented in November 2019, had already proposed pushing the go-live date for the rules to August 15, 2022. In his proposal to delay the introduction of Brazil's GDPR, Bezerra used the slowness in setting up the National Data Protection Authority (ANPD, in the Portuguese acronym), which will be responsible for editing the data protection and privacy regulations, as a key part of the argument.

Bezerra argues that the time extension would allow the ANPD's governing body to be chosen, as well as a national campaign to be set up, which would inform the population and businesses about the importance of the new rules.

According to Brazilian privacy lawyer and member of the education advisory board at the International Association of Privacy Professionals (IAPP), Dirceu Santa Rosa, maintaining the August go-live date for the law could be a possibility, with some obligations, such as the formation of the data protection authority, being fulfilled further down the line. However, this would create additional problems:

"If the law is introduced without the ANPD, that role would be played by the prosecutor's office at a state and federal level, as well as consumer rights bodies, which would weaken the original function of the data protection authority", he points out.

The lack of a data protection authority will likely be felt in Brazil when it comes to coronavirus testing, according to Santa Rosa. In relation to rapid tests that notify the patient as well as authorities in the case of positive results, he argues there will be a fine line to tread between individual rights and the need for surveillance:

"A data protection authority could provide some direction as to what is acceptable in terms of privacy in a scenario of mass testing, and what needs to be done in the interests of society", the lawyer argues.

According to Santa Rosa, large companies appear to be still working on their data protection projects, but smaller companies and the public sector are dealing with much more urgent priorities.

"Just as anywhere in the world, businesses are just trying to survive", the lawyer notes, adding that introducing a legal framework in a scenario of crisis would not be advisable as the focus of the economy would be on post-pandemic reconstruction.

Brazilians are neither happy with the way in which companies handle their personal data nor trust them, according to a study carried out by IBM in December 2019. According to the research, 5 in 10 Brazilian consumers know that their information is always or often shared with other organizations they are unaware of.

Some 81 percent of Brazilians admitted to having lost control in terms of how their data is being used by companies, according to the research. In addition, the report found that 6 in 10 Brazilians know someone who has been a victim of a data leak or have been through such a situation themselves.

No official decisions have been made yet in relation to delaying the go-live date of the personal data protection law in Brazil. However, in addition to the coronavirus crisis, the country is experiencing a number of problems including massive unemployment and social unrest. With so many factors at play, anything could happen:

"We might well be on the verge of social collapse", Santa Rosa says. "In such a scenario, it is hard to tell whether there will be anyone available to deal with these [data protection] issues within the government."