Data Privacy & Protection Day: 2025 developments in Brazil and prospects for 2026
Mattos Filho's Data Protection & Cybersecurity practice provides an overview of the Brazilian Data Protection Agency's main actions in 2025 and issues it is expected to address in 2026
Each year across the globe, January 28 marks Data Privacy and Protection Day. In Brazil, the Brazilian Data Protection Agency (ANPD) is responsible for safeguarding personal data rights and monitoring compliance with the General Data Protection Law (LGPD).
Since the ANPD’s first governing body was appointed in 2020 via Decree No. 10,474, the agency has issued resolutions, guides, and interpretations to guide data processing agents on how the LGPD’s rules should be applied in practice.
In 2025, the ANPD addressed various data protection-related issues and provided insights into the agency’s expected actions in the year to come. In commemorating Data Privacy and Protection Day, Mattos Filho’s Data Protection & Cybersecurity practice has compiled a summary of the ANPD’s key activities in 2025 and expected actions in 2026 with direct impacts on those involved in personal data processing.
ANPD Oversight
In 2025:
- Enforcement of Data Protection Officer rules
As was disclosed in 2024 and 2025, while priority topics were being proposed for the ANPD to address for 2026-2027, the agency’s oversight efforts targeted public authorities, the financial sector, and digital platforms. It also focused on enforcing data controllers’ obligations to appoint a data protection officer (DPO) in charge of processing activities, as provided for in existing regulations.
For 2026:
- Enforcement Dashboard launch
In November 2025, the ANPD launched its Enforcement Dashboard, an interactive tool with aggregated data on oversight actions, preparatory procedures, and administrative proceedings that the agency has conducted to penalize non-compliance.
The dashboard indicates, for example, whether the procedures involve analyzing or processing the data of minors or sensitive data, as well as the estimated range of people affected and the type of activities the data controller conducts.
This is the latest in a line of other initiatives the ANPD has already implemented to increase transparency around its activities, such as dashboards on security incident reports it has received, which present aggregated data from 2025 and previous years.
International Data Transfers
In 2025:
- Deadline for adapting to standard contractual clauses
The deadline for adapting to the standard contractual clauses provided for in CD/ANPD Resolution No. 19/2024 (International Data Transfer Regulation) passed in August 2025. In practice, controllers that use standard contractual clauses as an international transfer mechanism must ensure that such clauses are incorporated in accordance with the model provided for in the International Data Transfer Regulation.
Given that the deadline has already passed, this adaptation may be required as part of any proceedings before the ANPD.
In 2026:
- European Union-Brazil adequacy decision
On January 26, 2026, the ANPD and the European Commission agreed that Brazil’s LGPD and the European Union’s General Data Protection Regulation (GDPR) provide equivalent levels of protection, facilitating international data flows between the two jurisdictions.
As part of this development, the ANPD has published Resolution No. 32/2026 to formally recognize that the European Union provides an adequate level of personal data protection (in relation to the LGPD) for international transfers.
In light of this recognition, companies in Brazil and the European Union no longer need to adopt specific instruments to share data with each other.
The decision also comes in the wake of the recently approved free trade agreement between the EU and Mercosur.
The ANPD’s New Responsibilities
In 2025:
- ANPD converted from an authority into an agency
In September 2025, Provisional Measure No. 1,317/2025 was published to officially transform the ANPD into a regulatory agency. As a result, the ANPD was included on the list of regulatory agencies provided for in Law No. 13,848/2019, meaning it now has functional, technical, decision-making, administrative, and financial autonomy, and is consolidated as a data protection regulator in Brazil. Furthermore, the agency is linked to the Ministry of Justice and Public Security.
In practice, this new configuration ensures greater independence and provides the agency with adequate tools to regulate, supervise, and penalize non-compliance more effectively.
Although the provisional measure took immediate effect upon publication, it still requires formal congressional approval to be converted into a permanent law.
For 2026:
- ECA Digital
The Digital Statute for Children and Adolescents (ECA Digital – Law No. 15,211/2025) is set to take effect in Brazil in March 2026, creating rules to protect minors when using online applications, electronic games, social networks, and computer programs.
The ECA Digital gives the ANPD powers to act as Brazil’s independent administrative authority in regard to protecting the digital rights of minors.
Given this development, the ANPD is expected to take even stronger action on the issue of minors’ rights in the digital space. The agency has already established an internal working group to analyze the ECA Digital’s provisions and plan how to implement the agency’s new powers in practice.
Biometric Data Processing
In 2025:
- Public consultation on biometric data
In June 2025, the ANPD published a notice calling for proposals for standardizing how biometric data (considered a type of sensitive data) is processed in Brazil.
The notice contained 18 questions covering definitions and principles, legal hypotheses, facial recognition and other emerging technologies, security, good practices, governance, and the rights of data subjects and vulnerable groups.
After receiving a total of 88 contributions, the ANPD released the results in December 2025. A Technical Note was also published to outline the points of convergence and divergence among the contributions.
For 2026:
The ANPD’s 2025-2026 Regulatory Agenda lists this topic among the first phase of issues to be prioritized. According to the agenda, after it analyzes the contributions, the agency is expected to publish a document to establish parameters for processing biometric data in a balanced manner and in compliance with Brazil’s personal data protection legislation.
- Regulatory agenda
In light of the new powers given to the ANPD by the ECA Digital, the agency included three new topics on its 2025-2026 Regulatory Agenda for regulation:
- Age verification mechanisms;
- The scope and general obligations of the ECA Digital for IT product or service suppliers; and
- ECA Digital-related oversight and penalties: reviewing regulations covering oversight processes and the administrative sanctioning proceedings, as well as regulations covering the calculation and application of administrative penalties.
In addition, the regulatory agenda was updated to include changes to the agency’s rules on oversight, penalties, and processes for developing regulations. The revision of regulations on oversight and penalties may include clarifying how amicus curiae and interested third parties may participate in proceedings, as well as procedural phases and deadlines. The agenda also now includes an item concerning the review of the ANPD process for developing regulations, aiming to align its practices with the provisions of Brazil’s Agencies Law (Law No. 13,848/2019).
Finally, the agenda includes initiatives related to data subjects’ rights, impact reports on personal data protection, government data sharing, and biometric data, among others.
ANPD Priority Topic Map
Based on the analysis of information obtained from requests, incident communications, inspection activities, and other inputs collected by the General Coordination of Inspection over the past two years, the ANPD published a Priority Topic Map for its oversight activities during 2026 and 2027. The planned activities encompass the following:
Data subjects’ rights
- 25 inspections regarding data subjects’ rights across various topics;
- 10 inspections regarding the processing of biometric, health, or financial data;
- Five inspections regarding secondary uses of personal data for targeted commercial advertising, especially through profiling techniques.
Protecting minors in the digital space as per the terms of the LGPD and ECA Digital
- Monitoring the compliance of suppliers of IT products or services targeted at minors (or likely to be accessed by them) with the legal requirements of ECA Digital;
- 15 inspections to confirm that such suppliers have implemented (by design and by default) the most protective privacy and data protection controls, including parental supervision tools;
- 15 inspections to confirm that such suppliers have adopted measures to prevent minors from accessing content deemed inappropriate or prohibited by law, including age verification mechanisms.
Personal data processed by the Brazilian government
- 20 inspections covering personal data processing carried out by public authorities;
- Monitoring compliance with rules on the shared use of personal data by public authorities.
Processing personal data in the context of AI and emerging technologies
- 20 inspections regarding the processing of personal data (including the data of minors) in the context of artificial intelligence systems and other emerging technologies.
For more information on these topics, please contact Mattos Filho’s Data Protection & Cybersecurity practice.