Brazil issues MP 959 to delay LGPD effective date

Overview

On 29 April 2020, Brazil issued Provisional Measure 959/2020 proposing to delay the Lei Geral de Proteção de Dados (LGPD) effective date from August 2020 to May 3, 2021. The measure responded to COVID-19 disruptions preventing organizations from completing compliance programs, though its provisional nature created uncertainty requiring scenario planning for multiple setup timelines.

Legislative Context

Understanding Brazil's legislative process is essential for compliance planning:

• Provisional Measures: MPs have immediate force of law but require Congressional approval within 120 days or they expire.
• Amendment risk: Congress may modify, extend, shorten, or reject the proposed delay during deliberation.
• Previous delays: LGPD had already experienced setup delays, creating compliance fatigue and uncertainty.
• Enforcement authority: The Autoridade Nacional de Proteção de Dados (ANPD) establishment also faced delays, complicating guidance development.

Organizations could not assume the May 2021 date would hold and needed contingency plans for earlier setup.

LGPD Compliance Scope

Organizations subject to LGPD face full requirements:

• Territorial scope: LGPD applies to processing of Brazilian residents' personal data regardless of where the processing organization is located.
• Legal bases: Processing requires documented legal basis including consent, legitimate interest, contract performance, or legal obligation.
• Data subject rights: Rights to access, correction, deletion, portability, and information about processing activities.
• Data Protection Officer: Mandatory DPO appointment with public contact information.
• Breach notification: Notification requirements to ANPD and affected individuals for security incidents.
• Cross-border transfers: Restrictions on international data transfers requiring adequacy decisions, SCCs, or other mechanisms.

COVID-19 Compliance Disruptions

The pandemic disrupted LGPD compliance programs in multiple ways:

• Resource constraints: Organizations diverted compliance resources to pandemic response and business continuity.
• Remote work challenges: Data mapping and process documentation proved difficult with distributed workforces.
• Vendor coordination: Contract negotiations with processors and service providers stalled.
• Budget pressures: Economic uncertainty led to privacy program budget reductions or freezes.
• Regulatory uncertainty: ANPD establishment delays meant lack of official guidance on compliance interpretation.

Compliance Program Recommendations

If you are affected, continue LGPD preparation despite timeline uncertainty:

• Data inventory: Complete data mapping identifying personal data flows, processing purposes, and legal bases.
• Privacy notices: Draft and review privacy notices meeting LGPD transparency requirements.
• Consent mechanisms: Implement consent collection and management for processing activities requiring consent.
• Data subject request processes: Establish procedures for responding to access, deletion, and portability requests.
• Vendor contracts: Negotiate data processing agreements with service providers and processors.
• Breach response: Develop incident response procedures addressing LGPD notification requirements.

Multi-Jurisdiction Coordination

Organizations with global privacy programs should coordinate LGPD with other frameworks:

• GDPR alignment: Many LGPD requirements parallel GDPR, enabling used compliance investments.
• CCPA considerations: U.S. organizations facing both CCPA and LGPD should identify common requirements and Brazil-specific gaps.
• Regional harmonization: Latin American privacy laws now converge, supporting regional compliance approaches.
• Global policy frameworks: Enterprise privacy policies can address multiple jurisdictions with jurisdiction-specific addenda.

Scenario Planning

If you are affected, prepare for multiple setup scenarios:

• Scenario A: MP 959 approved—May 2021 effective date with full compliance required by then.
• Scenario B: MP expires or rejected—August 2020 effective date requiring accelerated completion.
• Scenario C: Modified delay—Congressional amendments producing different effective date.
• Scenario D: Phased setup—Different requirements becoming effective at different times.

Compliance roadmaps should identify critical path activities and resources required for each scenario.

Monitoring and Updates

Privacy teams should actively monitor legislative developments through local counsel, trade associations, and regulatory announcements to adjust planning as the setup timeline clarifies.

You may also find useful

Hand-picked articles on adjacent topics.

Compliance · Credibility 71/100 · July 1, 2020

California begins enforcing the CCPA

The California Attorney General started enforcing the California Consumer Privacy Act on 1 July 2020, compelling businesses to honor consumer rights requests and update data-handling disclosures.

Compliance · Credibility 71/100 · August 14, 2020

California CCPA regulations approved and effective immediately

California’s Office of Administrative Law approved the CCPA regulations on 14 August 2020, making the rules effective the same day and clarifying notices, opt-outs, and recordkeeping obligations.

Compliance · Credibility 71/100 · February 14, 2023

CPPA files final CPRA regulations with California OAL

California's CPPA filed final CPRA regulations in February 2023, adding implementation detail to the statute. Risk assessments, automated decision-making disclosures, and updated privacy notice requirements. The…

Compliance · Credibility 92/100 · January 14, 2026

Three New State Privacy Laws Take Effect: Indiana, Kentucky, and Rhode Island

Three new comprehensive state privacy laws became effective January 1, 2026: Indiana Consumer Data Protection Act (ICDPA), Kentucky Consumer Data Protection Act (KCDPA), and Rhode Island Data Transparency and Privacy…

Compliance · Credibility 89/100 · April 30, 2020

UAE economic substance regime tightens reporting controls

Cabinet Resolution No. 57 of 2020 and Ministerial Decision No. 100 for 2020 overhauled the United Arab Emirates Economic Substance Regulations (ESR), expanding relevant activities, clarifying exempted licensees, and…

Continue in the Compliance pillar

Return to the hub for curated research and deep-dive guides.

Visit pillar hub

Latest guides

• Third-Party Risk Oversight Playbook

  Operationalize OCC, Federal Reserve, EBA, and MAS outsourcing expectations with lifecycle controls, continuous monitoring, and board reporting.

• Compliance Operations Control Room

  Implement cross-border compliance operations that satisfy Sarbanes-Oxley, DOJ guidance, EU DORA, and MAS TRM requirements with verifiable evidence flows.

• ESG Assurance Operating Guide

  Deploy credible ESG assurance across CSRD, SEC climate disclosure, and ISSA 5000 requirements with regulator-aligned controls, data governance, and audit-ready evidence.

Coverage intelligence

Published

April 29, 2020

Coverage pillar

Compliance

Source credibility

73/100 — medium confidence

Topics

LGPD · Privacy compliance · Brazil · Regulatory timelines

Sources cited

3 sources (in.gov.br, cvedetails.com, iso.org)

Reading time

5 min

Documentation

1. Medida Provisória nº 959, de 29 de abril de 2020 — Presidência da República do Brasil
2. CVE Details - Vulnerability Database — CVE Details
3. ISO 37301:2021 — Compliance Management Systems — International Organization for Standardization