COVID-19 Forcing Countries to Reshuffle Data Protection Regulations
The COVID-19 pandemic has forced some countries to consider delaying data protection law implementation.
While it goes without saying that COVID-19 has upended how practically all of us go about our usual lives, it’s also forced governments to revise how and when it implements laws.
This has been the case in several circumstances for data protection regulations, laws that involve a great deal of planning, both on the part of businesses when it comes to meeting compliance, and for those in the government in charge of enforcing them.
The pandemic has forced countries like Brazil and Thailand in particular to reconsider how and when they roll out laws.
Last month, Brazil's Senate agreed to push back both the go-live date and enforcement date of the Lei Geral de Proteção de Dados Pessoais, or LGPD - its new data protection law, to 2021.
Upon reevaluation, the Senate, in a remote voting session last week, decided to reinstate the original time table, agreeing to set the LGPD into motion in August, later this summer, while sanctions for non-compliance will begin being enforced a year later, in August 2021.
A new change in the text this Tuesday, May 19, attempted to rescue the original term of the LGPD. With that, the Data Protection Law shall come into force on August 14, 2020. The sanctions, on the other hand, were for August 2021.
— TheePrivacyLawyer Brazil LGPD (@BrazilLgpd) May 20, 2020
The LGPD, which like many other pieces of data protection legislation of late, draws from the European Union’s General Data Protection Regulation, is slated to replace a slew of statutes already on the books in the country around how personal data is handled.
Even with the LGPD’s date change, businesses there are likely to deal with some confusion when it comes to complying with the law.
Rules around the LGPD aren’t set in stone yet and the outfit designated to enforce it, the National Data Protection Authority, hasn’t been set up yet either. Comprised of a board of directors, a national council, an inspection body, an ombudsman, and its own legal advisory body, the ANPD was a sticking point of the LGPD's creation.
Legislators in Thailand are also wrestling with whether or not to postpone its own data protection act.
For the time being, it seems as if the country is going to pause the roll out of its Personal Data Protection Act (PDPA) until May 2021, meaning all organizations would be exempt from complying until that date. A cabinet there said the delay would give more time to those in both the public and private sectors and help ease financial burdens caused by COVID-19.
The law, passed in 2019, was scheduled to come into effect last week.
According to the Bangkok Post, the PDPA mandates that data controllers and processors who use personal data must receive consent from the data's owners and use it only for expressed purposes. Other requirements of the PDPA - but not expected to be postponed - are the formation of the Office of Personal Data Protection Committee and the appointment of members to a Personal Data Protection Committee.
While many have speculated whether the California Consumer Protection Act, which is scheduled to be enforced on July 1, will be postponed, the state's AG has gone on record that he doesn't intend to delay the enforcement.