Brazil: Privacy

This is an Insight article, written by a selected partner as part of GDR's co-published content.

Data protection regulation in the Brazilian jurisdiction

Beyond its economic status as a ‘valuable asset’, an individual’s personal data is also the object of an individual right, and is thus subject to specific protection, similar to the traditional right to privacy. As a result, the question being posed by regulators internationally is: ‘How should the right to data protection be structured in jurisdictions around the world?’ In Brazil, this debate takes shape around the General Data Protection Law (Law No. 13,709/2018 (LGPD)), enacted in 2018 as the country’s first general normative framework for personal data protection, which seeks to promote economic development while giving data subjects control over the use of their personal data.

Prior to the LGPD, several sectorial norms already addressed different aspects of individuals’ privacy and data protection in Brazil, safeguarding issues such as intimacy, private life, honour, image and secrecy of correspondence, bank operations and communications. In this regard, following the Brazilian Federal Constitution, which laid the groundwork for the normative data protection scenario, the following legislation is relevant:

  • the Brazilian Internet Act, governing the use of the internet in Brazil;
  • the Consumer Protection Code; and
  • the Positive Registration Law, regulating the structuring and consultation of databases with information about credit history.

Against this background of scattered sectorial norms, and inspired by international standards (especially the EU’s General Data Protection Regulation (GDPR)), the LGPD was published to reduce legal uncertainty. The LGPD has a broader scope than its predecessors, as it regulates the processing of personal data (such as collection, production and classification) in both the public and the private sector in Brazil.

As a result, even though the LGPD is a Brazilian norm, it can reach data processing activities that take place outside Brazil. A data processing agent must comply with the LGPD whenever its data processing activities:

  • are carried out in the national territory;
  • are pursued with means to offer or provide goods or services to individuals located in the national territory; or
  • take place with personal data that has been collected in the national territory.

The LGPD is not applicable, however, when the processing of personal data is made: 

  • by a natural person for exclusively private and non-economic purposes;
  • exclusively for journalistic, artistic and academic purposes;
  • by public authorities, and intended to be used for the promotion of public security, national defence, state security or activities of investigation and prosecution of criminal offences; or
  • on data that originates outside the national territory and is not the object of communication, shared use with Brazilian processing agents or international transfer from Brazil to a country other than the country of origin (provided the country of origin affords a level of personal data protection adequate to that established in the LGPD).

Regardless of such specific scenarios, it is clear that the LGPD has the potential to impact foreign and local business with its series of safeguards. The relevance of this matter is reflected at a national level, for instance, by Constitutional Amendment No. 115, which altered the fundamental rights set forth in the Brazilian Federal Constitution to include the ‘right to the protection of personal data’. This reflects an additional step towards the strengthening of data protection culture in Brazil, which also opens new litigation frontiers in this area since data protection issues may now be directly discussed in the Brazilian Supreme Federal Court.

In fact, compliance with data protection regulation has been a relevant factor in the market when it comes to the establishment of commercial relationships. Not only is there a gradually growing concern from data subjects about how their personal data will be processed by companies, but also from other business partners who tend to demand contractual data protection clauses or even LGPD compliance audits prior to entering into commercial agreements. Arising from these concerns, Brazil’s current data protection litigation framework also promotes companies’ conformity to the data protection regulation insofar as data protection is gradually becoming subject to analysis by the courts (discussed in detail below).

Aside from the Brazilian courts, administrative regulatory bodies such as the National Data Protection Authority (ANPD) have the means to ensure enforcement of the data protection regulation. Just like data protection authorities (DPAs) from other jurisdictions, the ANPD has a central role in structuring Brazilian data protection culture, as it is responsible not only for imposing administrative sanctions for breaching the LGPD, but also for regulating normative parameters and guidelines. In line with this, the ANPD’s Strategic Plan sets forth that the National Authority envisions its objective as ‘ensuring the protection of personal data’ (its mission); seeking ‘to become an example to be pursued, in the national and international levels in the Personal Data Protection scenario’ (its vision); and acting, to do so, with ‘ethics, transparency, integrity, impartiality, efficiency and accountability’ (its values).

As a result, with the ANPD’s technical, administrative, and financial independence, the macro-strategic objectives that it aims to achieve in the coming years include:

  • the promotion and strengthening of personal data protection culture, which involves strategic activities to prevent and detect any infringements to the LGPD, and the development of campaigns to promote the training and guiding of data processing agents and society in general (thus enabling a more active dialogue with private and governmental institutions);
  • the establishment of an effective regulatory environment for personal data protection, including the definition of the ANPD’s priorities in the face of its Regulatory Agenda, the approval of specific regulation topics to be discussed later and the establishment of procedures and mechanisms to promptly address identified data breaches and received complaints; and
  • the improvement of the conditions for compliance with data protection normative provisions, which brings together, in turn, actions aimed at ensuring an adequate and sufficient structure, as well as physical and budgetary conditions for the proper functioning of the ANPD.

Even though the ANPD’s regulatory agenda has already been set in motion, the Authority has yet to regulate the standards to be followed when issuing administrative sanctions. As a result, while the ANPD has not taken an active approach to enforcement of the LGPD as of 2022, other sectors have remained active in the defence of privacy rights.

Brazilian general data protection and the LGPD

Personal data processing framework

When diving deeper into the LGPD’s regulatory framework, a preliminary question arises: What is at stake when it comes to the ‘processing of personal data’? The starting point is that, whenever a data processing agent (either a controller or a processor) collects personal data, it is collecting any information related to an identified or identifiable natural person (who is, in turn, the ‘data subject’).

The LGPD has a list of ‘sensitive personal data’ that consists of a specific category of personal information that requires a greater degree of legal protection in the face of the discriminatory potential that may arise from its processing. In this regard, similar to a ‘special category of data’ in the GDPR, the sensitive personal data category includes personal data on:

  • racial or ethnic origin;
  • religious belief;
  • political opinion;
  • membership of a trade union or of a religious, philosophical or political organisation;
  • data relating to health or sex life; and
  • genetic or biometric data, whenever related to a natural person.

As a result, while personal data is that which can identify or lead to the identification of someone, sensitive data, in addition to identifying an individual, is capable of promoting discrimination of a specific data subject.

Pursuant to such definitions, the data protection regulation imposes a series of safeguards on the processing of personal data. For instance, the LGPD provides a list of situations in which data processing is valid and lawful. These legal conditions, better known as ‘legal bases’, cover the different scenarios that legitimise data processing activities. Processing agents must therefore perform a preliminary assessment to identify the most appropriate legal basis for each of their activities, weighing aspects such as how robust that basis is against future challenge and which additional measures it requires (consent, for instance, can be revoked by the data subject at any time, whereas other bases carry their own documentation duties).

In connection with the data protection assumptions set above, the LGPD sets a series of general principles that should guide the processing of personal data, regardless of the scope of agents’ activities. These principles act as guidelines to ensure that:

  • the processing of personal data is within the limits that are conveyed to the data subjects;
  • the data subjects can enquire about the processing activities that take place regarding access to their data and information clearly and without difficulty; and
  • the data processing agents will adopt concrete and preventive measures to guarantee the security of personal data.

With regard to the limits of data processing (pursuant to the principles of ‘purpose’, ‘suitability’, ‘necessity’ and ‘non-discrimination’), such activities must take place only for legitimate, specific and explicit purposes of which the data subject is informed (without subsequent processing that is incompatible with these purposes). To achieve this, data processing agents should limit the collection of data to the minimum amount necessary to achieve their purposes, using data that is relevant, proportional and non-excessive in connection with the purposes of the data processing. Thus, whenever personal data are no longer needed for the purpose or means previously conveyed to the data subjects, the data processing agents should delete them (or anonymise them) to avoid unnecessary storage of information.

When analysing transparency obligations (taking into account the principles of ‘free access’, ‘transparency’ and ‘quality of data’), data subjects should have easy access to all relevant information about the processing of their data, and data processing agents should present clear, appropriate and complete information on, among other things:

  • the specific purpose of the operation;
  • how and for how long the data will be processed;
  • the processing agents involved; and
  • who they will share the data with.

All of these measures are deeply connected with the LGPD’s main goals of granting the data subjects the power to control their personal data; after all, such power can only be made possible with prior access to information about the processing activities in place.

Finally, regarding the security of personal data (in connection with the principles of ‘security’, ‘prevention’ and ‘accountability’), data processing agents must adopt technical and administrative measures to protect personal data from unauthorised access and from accidental or unlawful destruction, loss, alteration, communication or dissemination. In addition, agents must be able to demonstrate that they have adopted effective measures to ensure compliance with the personal data protection rules.

Data subjects’ rights

Pursuant to the LGPD’s primary goal of ensuring data subjects’ control over their personal information, the legislation also sets out specific rights that are inherent to an individual’s status of being a ‘data subject’. In this regard, at any time and with a free and facilitated procedure, data subjects may request from controllers that their rights be fulfilled, including:

  • the right to confirm the existence of processing, that is, to confirm whether personal information about the data subject is being processed by the controller;
  • the right to access, which includes the request that the controller disclose, in a clear, adequate and conspicuous way, information regarding the personal data being processed (such as what personal information is being used, for what purposes, for how long it will be stored and with whom it is shared);
  • the right to correction, that is, to request that the controller correct any incorrect, incomplete or out-of-date information it has about the data subject;
  • the right to anonymisation, that is, to request that the controller depersonalise the data subject’s personal data (so there is no possibility of direct or indirect association);
  • the right to block, that is, to request that the controller no longer process the data subject’s personal data;
  • the right to delete, that is, to request that the controller delete any personal information about the data subject that it had previously collected (insofar as the personal data in question was collected with the data subject’s consent or if such information is considered unnecessary, excessive or was processed in non-compliance with the LGPD’s provisions);
  • the right to portability, that is, to request that the controller provide the data subject with their personal data in a structured, commonly used and machine-readable format in order to transmit that data to another controller;
  • the right to information, that is, to request that the controller provide details of any public and private entities with which the personal data has been shared, as well as inform about the possibility of denying consent and the consequences of such denial;
  • the right to opt-out, that is, to request that, from the moment of revocation of consent onwards, the data controller no longer process any data that the data subject had once consented to; and
  • the right to review decisions based on automated processing, that is, to request that the data controller provide clear and adequate information regarding the criteria and procedures used to reach a decision taken solely on the basis of automated processing of the data subject’s personal data that affects his or her interests.

The data protection officer

Another figure created by the LGPD to promote the local development of a data protection culture and to assist data processing agents in compliance with the LGPD is the data protection officer (DPO). The DPO acts as a communication channel between the data controller, its data subjects and the ANPD. In this regard, the DPO is responsible for providing necessary clarifications, receiving complaints and receiving other requests from data subjects (as well as official notices from the ANPD).

Beyond acting as this external point of contact, a DPO is closely involved in a data processing agent’s daily activities, as he or she leads the development of a data protection culture in its operations (the ‘privacy by design’ culture). Whatever strategies are chosen to achieve these goals, the DPO faces a series of recurring challenges when:

  • structuring records of data processing activities;
  • addressing data subjects’ requests;
  • implementing the necessary administrative measures to address data breaches; and
  • promoting the standardisation and consolidation of internal procedures, and the development of data protection awareness and training sessions.

Regardless of the provisions already in place, there is still uncertainty in the LGPD regarding the full extent of the DPO’s role. Therefore, pursuing Phase II of its Regulatory Agenda, the ANPD is currently regulating this matter. In April 2022, the Authority began collecting suggestions from the public regarding the extent of a DPO’s attributions and liabilities, the requirements to act as a DPO and the possibility of waiving a controller’s obligation to appoint a DPO, among other aspects. It is expected that the ANPD will consolidate these matters in an official regulation in the coming months. In the meantime, the National Authority has already addressed the possibility of waiving the requirement to appoint a DPO in other instruments, such as its Regulation on Small Data Processing Agents (addressed below).

Violations of the data protection regulation

Should a data processing agent fail to adopt the measures expected and necessary to prevent a data breach arising from its processing activities, additional procedures must be in place. A data breach is understood to be any unauthorised access to, or accidental or unlawful destruction, loss, modification or communication of, personal data, or any other form of inappropriate or unlawful processing of it.

When facing a data breach, the LGPD establishes that there are specific situations in which the data controller needs to notify both the affected data subjects and the ANPD about the incident’s occurrence. Broadly, the LGPD provides that notifications should be made whenever the data breach creates a risk or relevant damage to the data subjects.

Because the LGPD does not define what amounts to ‘relevant risk or damage to the data subjects’, the ANPD has set out preliminary criteria for this evaluation in its Data Breach Notification Guidelines, pending formal regulation of the matter. Even though the ANPD has not yet regulated the detailed procedures that data processing agents should follow when facing a data breach, the Guidelines serve as a best-practice standard that agents can use when deciding whether and how to notify.

According to the ANPD’s Guidelines, the probability of a breach resulting in risk or damage to the data subjects will be greater when it involves sensitive personal data and data from legally vulnerable individuals (eg, children and adolescents). In addition, the Guidelines set forth that a data breach shall be considered relevant whenever it has the potential to inflict material or moral damage on the data subjects, for example:

  • leads to discrimination;
  • violates their image rights;
  • impacts their reputation; or
  • results in financial fraud or identity theft.

As a result, whenever the breach involves risk or damage to the affected data subjects, it should be notified to both the ANPD and the individuals. Depending on the impact of the violation under analysis, the ANPD may also impose sanctions such as a warning, public disclosure of the infraction and fines of up to 2 per cent of the entity’s revenue in Brazil in its last fiscal year, capped at 50 million reais per infraction. Given that the LGPD’s sanction provisions entered into force in August 2021, the ANPD now has the power to sanction data processing agents where necessary. To do so, however, the ANPD must first regulate the specific criteria and procedures it will adopt when applying the sanctions set forth in the LGPD, which it has not yet done.

ANPD’s regulatory activity

Throughout 2021 and 2022, the ANPD has advanced in its Regulatory Agenda, publishing general guidelines involving recommendations on data breach notifications and the collection of cookie data online, for instance. In parallel, the Authority has also collected contributions from the public towards various matters that will be regulated in the future, such as the processing of personal data by small data processing agents, the role of the DPO and the international transfer of personal data.

In addition, the National Authority has published its first formal regulations, specifically:

  • Resolution CD/ANPD No. 01/2021 on the Supervisory and Administrative Sanctioning Processes; and
  • Resolution CD/ANPD No. 02/2022 on the LGPD Applicability for Small Data Processing Agents.

Concerning Resolution No. 01/2021, the ANPD established the phases of its supervisory process (with monitoring cycles based on the Authority’s ‘Map of Priority Themes’) and the procedural rules and definitions for its administrative sanctioning process. The Resolution also provides guidance on how processing agents that have faced data breaches can return to full conformity with the LGPD. The criteria and methodology for evaluating and applying the sanctions set forth in the LGPD were left for a further regulation (to be drafted by the end of 2022).

As for the ANPD’s Resolution No. 02/2022, it was drafted to ease some of the general obligations imposed on data processing agents in the case of ‘small data processing agents’, while keeping them within the LGPD’s scope. The Resolution specifically establishes that this category includes, among others, ‘micro-companies, small-sized companies, and startups’.

The ANPD indicates that small data processing agents remain bound by the requirements of the data protection regulation to (1) ensure the necessary transparency towards data subjects and (2) ground their data processing activities on a legal basis. However, if a small data processing agent’s activities involve a smaller volume of personal data and pose low risks to data subjects (pursuant to the standards set forth in the Regulation), its compliance burden may be eased by adapting some of the obligations set forth in the LGPD.

For instance, the Regulation establishes that such data processing agents may have:

  • twice the amount of time to respond to data subjects’ requests and to notify the occurrence of data breaches;
  • a simplified format for their records of data processing activities (though this format is still unclear) and for their information security policies; and
  • no requirement to appoint a DPO.

The above makes clear the ANPD’s relevance in the expansion of a data protection regulatory framework in Brazil, gradually working towards a scenario of clearer applicability of the LGPD to data subjects and data processing agents. As for its next steps, the National Authority will soon address further pending matters such as on the international transfer of personal data and on the scope and implementation of data protection impact assessments.

Data protection and public health during the covid-19 pandemic

In the midst of the global coronavirus pandemic, a new set of concerns arose in the operation of numerous public and private entities. Preventive measures such as the mapping of employees who had tested positive became a recurrent practice in the face of the highly contagious nature of the virus. Such analysis could not be made, however, without processing data on individuals’ health conditions, which falls under the ‘sensitive personal data’ category (including information concerning health or sex life and genetic or biometric data, when related to a natural person).

In spite of the higher level of protection that controllers must uphold for such data (due to the discriminatory potential of its processing), those preventive operations could be carried out as long as they were grounded in a legal basis provided by the LGPD. Still, given the nature of this type of data, it should not be used for any purpose other than implementing preventive measures against covid-19, and should be disposed of once the situation has been resolved.

Regarding the particular measures to be taken with the collected data, it is important that no illicit or abusive discriminatory methods guide those operations. Subject to that, a controller’s use of its employees’ or visitors’ health data to maintain a safe environment is consistent with the Brazilian normative framework, in particular the provisions of Law No. 13,979/2020. That law was enacted in response to recommendations of the World Health Organization and establishes the measures for dealing with the public health emergency arising from the covid-19 outbreak.

Data protection litigation

The LGPD has been in effect for over a year, and there is already extensive litigation around privacy and data protection in Brazil. Turning to the judiciary as a first option for dispute resolution is a cultural trait and a recurring norm among Brazilians. According to statistics released in 2021 by the National Council of Justice, Brazil ended 2020 with 75.4 million cases pending judgment. This scenario is reinforced by the Brazilian justice system itself, which gives citizens broad access, especially to small claims courts, which are available even at airports. There, plaintiffs pay no court costs or legal fees for individual claims of up to 40 Brazilian minimum wages (about US$9,600).

In Brazil, there is a culture of collective litigation, led by the federal and state Public Prosecutor and civil associations for consumer protection. In the context of privacy and data protection, civil associations for the defence of data subjects and the right to privacy, formed solely for this purpose, are beginning to appear in the Brazilian litigation scenario with some relevance.

In only the first year, there were more than 1,000 decisions concerning data protection and mentioning the LGPD rendered by the Brazilian courts. Almost 50 per cent of them came from the state courts of appeals, 40 per cent from the labour courts and the other 10 per cent from the federal, electoral and superior courts. Additionally, there was a massive increase in LGPD-related decisions from São Paulo’s Appellate Court, from June 2021 to May 2022. There were approximately 525 per cent more decisions taken, which suggests a rapidly growing caseload as more Brazilians become aware of the law.

From a quantitative and qualitative analysis of the judiciary’s activity after a year or so of the LGPD being in force, five major trends can be identified as driving these cases and their growing numbers, with litigation arising from:

  • security incidents, data breaches and cyberattacks;
  • loyalty programmes and data collection under these programmes;
  • the real estate sector;
  • social media and games; and
  • highly sensitive and very complex collective actions involving the personal data of children and teenagers.

Data breach and cybersecurity

In Brazil, data breaches are generating a high volume of litigation, including individual claims, collective actions and investigations initiated by consumer regulatory authorities.

Individual claims generally seek indemnification for non-material damages. The central question is whether a data incident actually caused concrete harm or whether the alleged harm is merely speculative. Brazilian law requires a plaintiff to show an actual causal link between the harm suffered and the breach, rather than assuming harm as an automatic result of the breach. The tide seems to be turning towards defendants, and there are many well-reasoned decisions rejecting this type of indemnification claim for lack of evidence.

In addition, there is a clear tendency among state courts to hold that civil liability under the LGPD is not strict. Therefore, neither damage nor fault is presumed in cases of cyberattacks and data breaches.

Regarding collective actions, more than 20 major data breach public-interest civil actions have been filed over the past 18 months. There is no relevant decision yet, except in one case involving a major e-commerce platform in Brazil. A class action was filed by a consumers’ association at the Rio de Janeiro District Court following an incident and a preventive outage of services. The court ruled in the company’s favour, finding no illegality because the company had implemented compliance programmes in accordance with the LGPD and its efforts to mitigate risks were adequate.

The DPA is also receiving data breach notifications, but has not yet taken further action on them. Consumer regulators, especially the federal consumer agency and the consumer protection agency of the state of São Paulo, are also paying attention to data incidents. Such agencies are entitled under the law to impose penalties. The most common penalty is a fine, which can reach up to 10 million reais. Other penalties can also be imposed, such as restrictions on commercial practices or activities.

Loyalty programmes and data collection

Brands and retailers have been using many marketing tactics, but the public prosecutors in the consumer sphere are concerned about how the data are collected and about profiling of consumers and geopricing practices.

There are three relevant cases in Brazil. All of them examine data collection practices and whether consumer information and benefits are sufficient. In each of these three cases, the public prosecutors understood that the data collection did not comply with LGPD and consumer law, and the companies were fined and obliged to change the mechanics of their loyalty programmes.

One piece of advice in terms of loyalty programmes is to make sure that consumers receive very clear and transparent information about data collection.

Real estate

The first Brazilian leading case on the LGPD concerned the real estate sector and allegedly irregular data sharing. Many similar consumer claims were filed against developers on the basis that, after buying an apartment or visiting a building that was for sale, the consumers were deluged with texts and calls advertising home products, such as furniture, and even architects’ and designers’ services.

According to the consumers, they had not given their personal data to the companies and professionals who were contacting them, but only to the developers for registration purposes. Seeking indemnification, they alleged that they had given the developers no consent to share their data and that the multiple texts and calls were very disturbing.

The first decision in this regard ruled in favour of the consumer, ordering the developer to pay 10,000 reais for irregular data sharing. Similar cases subsequently reached a different result: courts held that property purchases are complex and may involve several parties, such as brokers and real estate agents in addition to developers, so that evidence of who actually shared the data is required before an indemnification can be awarded. Furthermore, it was held that the mere fact of data sharing does not necessarily imply damages.

Social media and games

Although there is no evidence of user data misuse, we note three types of claims in this regard.

The first is the reactivation of banned accounts and the disclosure of the criteria used for the ban. Users allege that their accounts were banned by an automated decision, which is why they claim a review under Article 20 of the LGPD. These cases are interesting because, despite the plaintiff’s argument about automated decision-making, such bans usually have nothing to do with it, but with a violation of the platform’s terms of use, which contractually authorise removal of the user’s account.

The second one is indemnification for users who lost control of their account after it was taken over by a hacker, alleging that there was a data breach incident. In this sense, it is important to point out that (1) even if it is understood that there was a data breach, indemnification depends on the situation, which means that damages must be evidenced; and (2) if there is no major data breach, judicial decisions recognise that social media cannot be held liable, as the user is the one responsible for their passwords.

The third type of claim is related to the disclosure or removal of personal data, based on Rule 18 of the LGPD.

Finally, within the games sector, litigation concerns:

  • the treatment of children's and teenagers' data, mentioned above;
  • the banning of accounts and request to disclose the criteria for the hypothetically automated decision; and
  • whether virtual images and nicknames can be considered personal data.

There is no decision yet, but from the claims already issued, there is an argument that virtual images and nicknames are personal data, as the LGPD defines personal data not only as information regarding an identified natural person but also regarding an identifiable natural person. There was a recent decision in this regard: a game player who had his nickname published on an online ‘banished’ list filed a lawsuit for damages to his reputation. Although the court did not expressly mention that a nickname is personal data, it was decided that it reflects an identifiable natural person, which is why the user could claim for damages.

Children

In addition to these major issues, there are litigation discussions involving the treatment of children's and teenagers' data, which, according to the LGPD, must be given special treatment focused on the best interest of children and teenagers.

Administrative and judicial procedures were initiated in cases related to facial recognition cameras installed in public places, such as on subways, and to online apps, including where it is noticed that people under 18 years of age use certain online platforms. In general, the authorities requested information about the need for the data collection and explanations of whether such collection is in the best interests of the minor.

Even though there are no definitive decisions on this matter, Brazilian authorities are already concerned about children and teenagers’ data protection, especially when it comes to the collection of biometric data, such as images, and when it refers to data that allow direct communications with young people.

Next steps in data protection regulation

Finally, it should be noted that Brazilian data protection regulation is still under construction. The LGPD acts as a general law that addresses Brazilian demands for a normative framework capable of providing more legal certainty around the sparse data protection regulation in the country. In any case, further details still need to be regulated before the LGPD becomes fully operational, which would mitigate the questions that arise from the implementation of its provisions in the market's daily activities.

Pursuant to such assumptions, the ANPD has stepped up in this discussion – it is collecting contributions from civil society towards the future regulation of unclear issues set forth in the LGPD. Such contributions address, for instance, the metrics to be adopted when assessing risks related to data breaches, as well as the design of specific regulation applicable to the international transfer of personal data.

To better establish the schedule of its future activities, the ANPD published its Regulatory Agenda for the 2021–2022 biennium. The Agenda organised several LGPD topics that are pending regulation by the ANPD in three phases:

  • Phase I includes initiatives that were set in motion by the end of 2021;
  • Phase II includes initiatives that were set in motion by July 2022; and
  • Phase III includes activities expected to be implemented by the end of 2022.

Considering the number of relevant topics to be addressed, every six months the ANPD’s General Coordination of Standardisation will prepare a report on the status of each one. With this in mind, taking into account the latest updates issued by ANPD in July 2022 on the progress of its agenda, the following topics have already been published:

  • ANPD’s Internal Regulation and Strategic Planning;
  • Resolution on Small Data Processing Agents; and
  • Resolution on the Supervisory and Administrative Sanctioning Processes.

As for the National Authority’s next steps, even though all its expected projects have been set in motion, in the upcoming months it will establish a Best Practices Guideline on the legal bases set forth in the LGPD for the processing of personal data, as well as further regulate the specificities of the:

  • criteria for the enforcement of administrative sanctions;
  • requirements for data breach notifications;
  • scope and implementation of the Data Protection Impact Assessment;
  • DPO activities;
  • international transfer of personal data; and
  • implementation of data subjects’ rights.

The LGPD will be further defined in the coming years, both by the ANPD and by the courts that will interpret this norm in future cases. In any case, even once current questions and uncertainties have been addressed, new challenges and opportunities will inevitably emerge, driving constant updates to Brazil's data protection regulation to ensure that its goals and safeguards are pursued in the national jurisdiction.
