The tug of war around when Brazil’s new data protection law goes into effect continues to volley back and forth. Just when companies were getting comfortable with the go-live date - thought to be pushed back to 2021 by the country's Senate because of COVID-19 - in a stunning about face, the law will go into effect next week.

Late last month the Brazilian Senate voted against a measure that would have delayed the Lei Geral de Proteção de Dados Pessoais, or LGPD, to 2021. Instead, it could go into effect in a matter of days. The Senate revised Executive Order 959/2020 on August 26; it just needs the country's President's sign off, or ratification. President Jair Bolsonaro has 15 business days (after the approval or veto of the rest of the MP 959/20).

Assuming things come to pass, the LGPD, modeled after the European Union’s General Data Protection Regulation (GDPR) will be the first general data protection law on the books in Latin America.

The law has been in the works for more than a decade now; it was first born out of a debate on how to protect Brazilians' data in 2010. Originally set to go into effect in August, it was bumped to January 2021 in light of the COVID-19 pandemic in April, earlier this year.

To attain compliance under the LGPD, companies need to identify a data protection officer or DPO, review any processing activities governed under the LGPD, prepare compliance documentation, and review contracts for compliance.

Like the GDPR, the LGPD also grants residents of Brazil certain rights over how their personal data is collected. Individuals can

• access to personal data
• deletion of personal data processed with the consent of the individual
• correction of incomplete, inaccurate, or out-of-date personal data
• anonymization, blocking, or deletion of unnecessary or excessive data or personal data not processed in compliance with the LGPD
• portability of personal data to another service or product provider
• information about the possibility of denying consent and revoking consent
• access to information about entities with whom the organization has shared the individual’s personal data
• access to information on whether or not the organization holds particular data

Organizations can only gather data if it meets one of the following criteria:

• with an individual’s consent;
• when necessary to fulfill the legitimate interests of the organization or a third party, except when the individual’s fundamental rights and liberties outweigh the organization’s interest;
• based on a contract with the individual;
• to comply with a legal or regulatory obligation;
• public administration and for judicial purposes;
• for studies by research entities;
• for the protection of life or physical safety of the individual or a third party;
• by health professionals or by health entities for health care purposes; or
• to protect an individual’s credit.

While the LGPD may go into effect shortly, it may be a little while until the country's data protection regulator, the newly created Autoridade Nacional de Proteção de Dados or ANPD, brings any enforcement actions. Earlier this summer the National Congress there delayed the enforcement of LGPD penalties and sanctions provisions until August 1, 2021.

Still, the dramatic last-minute decision not to delay the law's rollout should prompt organizations if they're not already to reconsider how they handle and process personal data.