Brazil’s Data protection Law will transform risk landscape

Electronic Data Theft

In 2018, the Brazilian Data protection law (Lei Geral de Proteção de Dados – LGPD) passed by the legislature and, in August 2018, the former Brazilian President – Michel Temer – assented to this law.

The articles concerning the creation of a National Data Protection Authority (Autoridade Nacional de Proteção de Dados – ANPD) and the National Council for Privacy and Data Protection came into force on 28 December 2018, but all other articles of the LGPD are going to come into force on 20 August 2020.

This new legislation is extremely important to Brazil as it creates legal certainty, establishing rules that all type and size of companies should adhere to, and face sanctions in case of breach. There are important terms defined by LGPD, as personal data, sensitive personal data, controller, and so on. Moreover, having a National Authority for Data Protection allows Brazil to be considered adequate for cross-jurisdiction commercial agreements, and it is an important step towards the possibility of including Brazil in the OECD.

Although the articles concerning the creation of the ANPD came into force in December 2018, another law was approved by the current President of Brazil, which modified the original project of the LGPD.

Originally, the intention of the legislative project was the creation of an autonomous agency responding directly to a Ministry. However, the law 13852/2019, that amended the LGPD, ruled that the ANPD should be part of the direct public administration, reporting direct to the Brazilian Executive/President. The possibility of converting the ANPD into an Autarchy is still stated under the LGPD, and according to art 55-A, paragraph 2, if the intention is to do so, such conversion should be taken place within 2 years from the moment that the formal regime of the ANPD came into force.

ANPD appointments

Following the amendments inserted into the LGPD, the President of Brazil must appoint the five members of the Board of the ANPD, and such appointments must be approved by the Brazilian Senate. Since LGPD will enter into force on 20 August 2020, it is expected that such appointments and approvals will happen prior to this date.

The creation and establishment of the Authority is a vital element of the new system under the LGPD, since various of its articles depend upon secondary regulation that should be issued by ANPD. One of the examples are articles 48 and 49, as follows:

“Art 48. The controller must communicate the National Authority and the owner of the data the occurrence of a security incident that could cause risk or relevant damage to the owner of the data.

1st Paragraph – The communication must be made within a reasonable deadline, as defined by the National Authority (…)

2nd Paragraph – The National Authority must consider the seriousness of the incident and can, if necessary, oblige the controller to adopt specific measures (…)

Art 49. The systems used to storage/deal with the personal data must be developed taking into consideration the security requirements, the good practice standards and the general principles stated in this Law and additional regulatory norms”

Regarding the administrative proceedings that should be conducted by the ANPD, art 52, 1st paragraph, states that the administrative proceedings should allow the implicated companies/individuals to submit their defences and arguments prior to the imposition of any sanctions. The procedural rules of such administrative proceedings still need to be properly regulated by ANPD.

Another point that is still grey is how the ANPD will work together with other Authorities, including the Consumer Watchdog. The application of the sanctions stated under the LGPD is a monopoly of the ANPD and, in dealing with personal data and potential breaches of the LGPD, the legitimacy to deal with the issue lays on the ANPD.

The Brazilian Consumer Code codified minimum guarantees for the consumers, and article 43 establishes consumer’s rights in accessing his/her personal data stored by a company. However, it is important to consider that such code dates back to 1990, and therefore relevant provisions and definitions are not considered under this code, although the principles are general enough to be adapted to the modern B2C relationship.

Anyhow, it is important to take into consideration that the Consumer Code regulates the B2C relationship and the powers to impose sanctions are not as effective as the sanctions detailed under the LGPD.

The idea is that LGPD will complement the Consumer Code, but the respective Authorities must exercise their powers according to the limits established by the law. Furthermore, in  Regulated Activities, such as Oil & Gas, the regulations applicable to the specific industry should be considered. Thus, it is expected that ANPD officers will be able to deal with complex matters affecting many different types of regulations and regulators with whom cooperation will be key.

Data protection cases

Whilst many of the relevant articles of the LGPD depend on further regulation, relevant cases concerning data protection are hitting the doors of companies stablished in Brazil and with cross-border exposure. Such cases are normally connected with hackers and niche publications that publicise how vulnerable the servers are and how exposed the personal data stored by these companies can be. The fact that the LGPD is not yet in force provides  temporary protection to such companies, as they cannot be implicated in any administrative proceeding nor be sanctioned until the law comes into effect, but it shows how educative the new legislation will be as there is clearly a need for better data protection, and adaptation by Brazilian companies to a more demanding environment.

It is clear that further regulation is necessary in order to instil the principles of certainty and responsibility that the LGPD intends to bring, but the impression is that the process to have the ANPD duly set up and running by 20 August 2020 is not a priority for the Brazilian Government as there is no clear plan being executed, and considering the layers of bureaucracy that proper implementation of the law will take, it is likely that additional time will be required for a proper set up.

Authors: Alex Guillamont, Head of Latin America and Caribbean at Kennedys and Isadora Talamo, Associate (Foreign qualified lawyer Brazil) at Kennedys.

This article was first published by Insurance Day on 4 March 2020.

Posted in (re) Insurance articles Brazil, (re) Insurance articles Latin America, Data protection, Other | Tagged , , , , | Leave a comment

2020 Miami Latin American Claims (Re)Insurance Forum – Registration is open, come and join us!


Kennedys and QLDG are pleased to announce the 6th edition of the annual Miami Latin American Claims (Re)Insurance Forum, the event of choice for the insurance industry in the region.

For the first time, in addition to the popular involvement of International and local CEOs, executives working in the region will discuss Innovation that makes their operation more efficient. A significant few risk managers will also join the event.

The Forum will be held at the Four Seasons Miami, in the heart of Brickell, downtown Miami’s financial and cultural center, from June 16 (Welcome Cocktail) to June 19 2020.

The Forum will bring together key international and Latin American industry experts who will be analyzing top issues and developments in Latin America and the Caribbean. Topics and case studies are carefully chosen based on current affairs and the feedback received by professionals from the (re)insurance industry.

You can find the program HERE including speakers from over 30 carriers and international reinsurance brokers.

Thank you to our sponsors Advanta, Crawford, Envista Forensics, IRB Brasil Re, McLarens, Rimac, R&G Espinosa and Sedgwick for their support.

This is an exclusive event and attendance is by invitation only, as places are limited.

Registration is now open.

To register, please click HERE and use the code FORUM2020 (case sensitive)

Simultaneous translation in Spanish and English available.

For information, please contact:
Juan E. Lopez-Santini:
Alex Guillamont:
Hilda Welcker:

Posted in Conferences, Events, insurance, Insurance Event, insurance seminar, networking, Other | Tagged , , , , , , , , | Leave a comment

Important precedent for the (re)insurance market in Colombia

Waving Colombian Flag National Capitol in Bogota, Clolombia

Just a week after the second of our articles relating to fiscal liability proceedings in Colombia, the Comptroller General or Contraloría (CGR) have agreed with our direct revocation request in the Institute for Urban Development (IDU) matter.

The strategy of providing full coverage considerations with the revocation request worked. The CGR let itself be educated on insurance issues and, for the first time, agreed that fiscal proceedings and insurance contracts may be interrelated, but should be approached differently. The CGR admitted that their previous analysis was incomplete, and concluded correctly that the policy in effect when the investigation commenced in 2014 is the only one that should respond in observance of “claims made” underwriting principles.

The CGR expressly recognized that their decisions now being revoked were unduly detrimental to the insurers previously condemned and has ordered the full return of funds.

The CGR decision is final as no appeal is allowed. It remains to be seen whether the CGR will apply the reasoning behind the revocation in similar investigations, whether they involve civil servant or more standard D&O wordings.

Authors: Monica Tocarruncho, Partner in Kennedys Colombia and Alex Guillamont, Head of Latin America and Caribbean at Kennedys.

Posted in (re)insurance article Colombia, insurance, Other | Tagged , , , , , | Leave a comment