

Five years of the Brazilian Data Protection Law
Brazil has seen significant progress in data protection since 2018, though certain questions remain unaddressed
This August marks the fifth anniversary of the Brazilian Data Protection Law (Law No. 13,709/2018 – LGPD). Published in 2018, the LGPD came into effect in 2020, and its sanctions became enforceable in 2021.
In the era prior to the LGPD, Brazil’s Federal Constitution contemplated comprehensive rights to privacy, while various infra-constitutional laws already outlined certain regulations for processing personal data. However, the LGPD introduced more specific rules, and after the law became enforceable, personal data protection attained the status of a fundamental constitutional right in 2022.
With the technological progress in our information-driven society in recent years, the introduction of the LGPD has strengthened the culture of data privacy in Brazil. It has propelled Brazil’s data protection landscape forward, benefiting data processors with more clearly defined obligations and responsibilities, as well as data subjects who can now take advantage of stronger mechanisms and legal support in asserting their rights.
The publication of the LGPD has also led to other significant milestones, a noteworthy highlight being the founding of the Brazilian Data Protection Authority (ANPD), entrusted with the authority to regulate and enforce how the LGPD is applied. Since it came into being, the ANPD has published several guidelines, technical notes and resolutions and has actively engaged in important debates. In July 2023, it imposed its first administrative sanction.
Key achievements
Among the various topics the ANPD has already addressed, the following stand out:
- Resolution on small processing agents’ obligations – published on January 27, 2022, this resolution introduced exemptions and increased flexibility for agents eligible for a special data processing framework (including obligations related to recording data processing activities and appointing a data protection officer);
- Guidelines on Cookies and Personal Data Protection – published on October 18, 2022, this guide provides data processing agents with information on cookies, covering technical matters (such as the definitions and categories of cookies), as well as the LGPD’s applicability to the use of cookies on websites;
- Resolution for applying administrative sanctions – published on February 27, 2023, the resolution defines the criteria and parameters the ANPD must apply in relation to monetary and non-monetary sanctions, as well as criteria for calculating pecuniary sanctions;
- Data protection impact assessment guidance – published on April 6, 2023, this website contains FAQs with information on the subject of data protection impact assessments, when and how the data controllers should prepare them, information that must be included, and the definition of ‘high-risk’ data processing activities – among other aspects that are not addressed in the LGPD;
- Public consultation for a resolution on data security incidents – published on May 2, 2023, the ANPD accepted contributions on a draft resolution concerning how personal data security incidents should be reported to the authority and affected data subjects. The draft resolution seeks to regulate reporting requirements in the event of incidents that could lead to serious harm or risks for data subjects;
- Preliminary analysis and statement regarding processing children’s and adolescents’ data – published on May 22, 2023, the statement established that this data may be processed according to the provisions of Article 7 of the LGPD (or Article 11 in the case of sensitive data), provided that the data subjects’ best interests are respected.
Besides the ANPD’s guidelines, several court decisions regarding the interpretation and application of the LGPD have also been issued. The number of lawsuits related to the LGPD has risen substantially since the law took effect in 2020.
Outstanding issues
However, there are still a number of issues that need to be addressed, especially by the ANPD. Some of these topics are provided for in the ANPD’s regulatory agenda and include:
- International data transfers: on May 18, 2022, the ANPD opened a call for public contributions as part of a move to develop regulations on international personal data transfers. According to the LGPD, the ANPD is responsible for regulating international data transfers, such as defining standard contractual clauses, as well as checking transfer-specific contractual clauses, global corporate standards or seals, certificates and codes of conduct.
- Artificial intelligence (AI): Brazil’s legal framework is yet to specifically regulate this topic. However, the ANPD has analyzed Bill No. 2,338/2023 (which would create a specific framework for AI) and has highlighted points of convergence and contention between the bill and the LGPD.
- Data subjects’ rights: the ANPD needs to regulate these rights in detail, in line with relevant provisions contained in the LGPD.
- Sensitive personal data: the ANPD needs to regulate how such data is processed, especially biometric data, which is widely processed in situations involving fraud prevention and facial recognition.
- Security, technical and administrative measures: the regulation of this topic is being considered for inclusion in the ANPD’s agenda, as well as the establishment of minimum technical security standards. This is because data processors must adopt such measures to avoid security incidents and demonstrate their adoption of good practices and compliance with data security principles.
The LGPD’s fifth anniversary is an opportune moment for reflecting on the considerable accomplishments that have been realized so far. Nonetheless, certain aspects of the law require further exploration in the years to come in order to ensure greater legal certainty for data-driven enterprises and data subjects alike. Undoubtedly, we will continue to see significant developments in data protection in Brazil over the next five years.
For further information about the ANPD’s activities and other aspects of data protection, please contact Mattos Filho’s Data Protection & Cybersecurity practice area.