Brazil General Data Protection Law
Comply with Brazil's LGPD
The General Personal Data Protection Law (LGPD) entered into force on September 18, 2020, although its enforcement provisions entered into effect on August 1, 2021. The LGPD is a comprehensive data protection law that covers the activities of data controllers and processors and creates novel requirements on the processing of information of data subjects. It includes provisions on a variety of issues such as data protection officer appointments, Data Protection Impact Assessments, data transfers, and data breaches. It is enforced by the Brazilian Data Protection Authority (ANPD), which provides guidance and clarity on the provisions of the LGPD. The LGPD has many similarities to the EU's General Data Protection Regulation (GDPR), granting certain data privacy rights to data subjects in Brazil and requiring organizations that process personal data to meet specific data protection obligations.
OneTrust's LGPD solutions are backed by AI, robotic automation, and regulatory research, ensuring quick time to value, efficiency, and unparalleled guidance as you build, adapt, and mature your LGPD program.
LGPD v. GDPR Benchmark
OneTrust DataGuidance and Baptista Luz Advogados have produced a free LGPD v. GDPR Report, which assists organizations in understanding and comparing key provisions of the LGPD to the GDPR.
On September 30, 2024, the Brazilian data protection authority (ANPD) published CNPD Resolution No. 2, of September 26, 2024, establishing the Internal Regulations of the National Council for Data Protection and Privacy (CNPD).
The Regulations also provide that the CNPD will meet on an ordinary basis at least three times a year.
On September 24, 2024, the Brazilian data protection authority (ANPD) launched a page on its website dedicated to international data transfers, aimed at ensuring transparency and facilitating organizations' and citizens' understanding of data transfer mechanisms.
On September 13, 2024, the Brazilian data protection authority (ANPD) published a report on its side-event 'Navigating Data Protection in the G20 Digital Economy Agenda,' which took place on June 12, 2024, during the 3rd G20 Digital Economy Working Group (DEWG) meeting.
On September 10, 2024, the National Council of Prosecution Services (CNMP) announced that, together with the ANPD, the CNMP decided to initiate the preparation of a draft term of collaboration.
On September 9, 2024, the Brazilian data protection authority (ANPD) published its audit report on the ANPD's regulatory agenda 2023-2024.
On August 30, 2024, the Brazilian data protection authority (ANPD) announced that it had published its Decision No. 33/2024/PR/ANPD, in which it decided to suspend the ban on Meta Platforms Inc. using personal data to train its artificial intelligen
On August 23, 2024, the Brazilian data protection authority (ANPD) published Resolution CD/ANPD No. 19 of August 23, 2024, containing the Data Transfer Regulation and Standard Contractual Clauses (SCCs).
On August 14, 2024, the Institute for Consumers' Protection (IDEC) announced that the Federal Court, on August 14, 2024, issued a preliminary injunction against WhatsApp LLC Inc.
On August 7, 2024, the Ministry of Science, Technology and Innovations published a proposal for the Brazilian Artificial Intelligence Plan 2024-2028 (PBIA) during the 5th National Science Conference. The plan provides for a total of BRL 23 billion (approx.
On July 16, 2024, the Federal Prosecution Service (MPF) announced that, together with the Institute for Consumers' Protection (IDEC), it initiated a civil action against the Brazilian data protection authority (ANPD) and WhatsApp LLC Inc., for insufficient supervision and violations of the General Personal Data Protection Law (LGPD), respectivel
On July 17, 2024, the Brazilian data protection authority (ANPD) published Resolution CD/ANPD No. 18 of July 16, 2024, on the responsibilities of data protection officers (DPOs), following public consultation.
On July 16, 2024, the Brazilian data protection authority (ANPD) announced that it extended the deadline for public comments on the draft regulation on processing minors' data until August 16, 2024.
On July 4, 2024, the National Telecommunications Agency (Anatel) announced the approval of amendments to Resolution No.
On July 10, 2024, the Brazilian data protection authority (ANPD) announced that, after receiving a request for reconsideration from Meta Platforms Inc., it had confirmed its decision to precautionarily suspend Meta's processing of users' personal data to train Meta's
On July 4, 2024, the Temporary Commission for Artificial Intelligence in Brazil (the Commission) published its updated report analyzing amendments to Bill No.
On July 2, 2024, the Brazilian data protection authority (ANPD) announced that it had published Decision No. 20/2024/PR/ANPD in which it decided to temporarily ban Meta Platforms Inc. from processing personal data to train Meta's artificial intelligence (AI), following an ex officio investigation.
In this Insight article, Ana Costa, from FTR Advogados, explores the impact of Resolution CD/ANPD No. 04, of February 24, 2023 (Resolution No. 04) on sanctions, dosimetry, and its broader implications for data privacy compliance under the Brazilian General Personal Data Protection Law (LGPD).
The Brazilian Federal Senate established a commission of legal experts ('the AI Commission') tasked with drafting an Artificial Intelligence Legal Framework ('AI Legal Framework').
Both Brazil and Chile have existing data protection frameworks which have, in part, been influenced by the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR').
Brazil is currently in the process of fleshing out its approach to regulating cookies, with more extensive guidance on the way. Celina Bottino, Vinicius Padrão, and Flávia Parra Cano, from Rennó, Penteado, Sampaio Advogados, discuss current developments in this area and the relevance of approaches taken in the EU on this matter.
The Brazilian data protection authority ('ANPD') was established by Article 55-A of Law No. 13.709 of 14 August 2018, General Personal Data Protection Law (as amended by Law No. 13.853 of 8 July 2019) ('LGPD').
The Brazilian data protection authority ('ANPD') has been active in the past months, with the publication of various guidance documents pertaining to Law No. 13.709 of 14 August 2018, General Personal Data Protection Law (as amended by Law No. 13.853 of 8 July 2019) ('LGPD') and aimed at facilitating compliance.
The entry into force of Law No. 13.709 of 14 August 2018, General Personal Data Protection Law (as amended by Law No.
Following public consultation on the matter, the Brazilian data protection authority ('ANPD') approved, on 29 October 2021, Regulation CD/ANPD No. 1 ('the Regulation'), regarding the monitoring and enforcement of administrative sanctions by the ANPD. The Regulation entered into effect on the same day it was enacted.
The advent of a comprehensive data protection law such as the incoming Law No. 13.709 of 14 August, General Personal Data Protection Law (as amended by Law No. 13.853 of 8 July 2019) ('LGPD') in Brazil requires organisations to react in order to meet its demands.
OneTrust DataGuidance and Baptista Luz Advogados provide a means of analyzing and comparing data protection requirements and recommendations under the General Data Protection Regulation (GDPR) and the General Personal Data Protection Law (LGPD). The report, which was last updated in September 2022, examines and compares the scope, main definitions, legal bases, data controller and processor obligations, data subject rights, and enforcement capacities of the LGPD with the GDPR.
Key highlights
The LGPD and the GDPR share some similarities, particularly in regard to their personal and material scope. Both laws:
- apply to the processing of natural persons' data as carried out by controllers and processors;
- provide special protection for the processing of sensitive personal data as well as for the processing of children's data;
- set out the rights individuals are entitled to, as well as the obligations controllers and processors are subject to; and
- apply to organizations that have a presence in the EU and Brazil respectively as well as to organizations that are not physically located there, but which offer goods and services in the jurisdictions, or process personal data in these regions.
However, despite their similarities, the LGPD and the GDPR differ in their approach in some areas, such as:
- the applicable legal basis when sensitive data is processed;
- the time period in which a data subject access request must be responded to, the information which must be included in the response, and limitations to the right; and
- the grounds and scope of the right to data portability.