Brazil General Data Protection Law
Comply with Brazil's LGPD
The General Personal Data Protection Law (LGPD) entered into force on September 18, 2020, although its enforcement provisions entered into effect on August 1, 2021. The LGPD is a comprehensive data protection law that covers the activities of data controllers and processors and creates novel requirements on the processing of information of data subjects. It includes provisions on a variety of issues such as data protection officer appointments, Data Protection Impact Assessments, data transfers, and data breaches. It is enforced by the Brazilian Data Protection Authority (ANPD), which provides guidance and clarity on the provisions of the LGPD. The LGPD has many similarities to the EU's General Data Protection Regulation (GDPR), granting certain data privacy rights to data subjects in Brazil and requiring organizations that process personal data to meet specific data protection obligations.
OneTrust's LGPD solutions are backed by AI, robotic automation, and regulatory research, ensuring quick time to value, efficiency, and unparalleled guidance as you build, adapt, and mature your LGPD program. Find out more about OneTrust's full suite of solutions here.
Visit our Brazil Jurisdiction Dashboard for further information on Brazil's Data Protection Landscape.
LGPD v. GDPR Benchmark
OneTrust DataGuidance and Baptista Luz Advogados have produced a free LGPD v. GDPR Report, which you can download here, and which assists organizations in understanding and comparing key provisions of the LGPD to the GDPR. In the tab above, you can also leverage this information through our LGPD v. GDPR Comparison.
On April 26, 2024, the Brazilian data protection authority (ANPD) published Resolution CD/ANPD No. 15 of April 24, 2024 (the Resolution), approving the Data Breach Notification Regulation (the Regulation).
On April 25, 2024, the Brazilian data protection authority (ANPD) announced the redesign of its complaint-handling process, together with the Ministry of Management, aimed at achieving greater efficiency.
On April 10, 2024, bill 1126/2024 to amend Law No. 13.709 of 2018, increase the administrative fines calculated on the revenue of a private legal entity, group, or conglomerate in Brazil, and other provisions was sent to the Commission on Communication and Digital Law. This follows the bill's introduction to the Senate on April 8, 2024.
On April 24, 2024, the Senate announced that the Temporary Commission on Artificial Intelligence in Brazil (CTIA) presented its preliminary report on the regulation of artificial intelligence (AI), containing proposals for an AI bill. The preliminary report aimed at being aligned with existing regulations in the EU and the US.
On April 11, 2024, the Brazilian data protection authority (ANPD) published its Resolution CD/ANPD No 12 of 9 April 2024, instituting the ANPD's integrity program.
In particular, the ANPD highlighted that the objectives of the integrity program are:
On April 17, 2024, the Brazilian data protection authority (ANPD) requested public comments on draft guidance on the processing of high-risk personal data. In particular, the ANPD highlighted that the guidance aims to clarify the concept of high-risk processing of personal data.
On April 11, 2024, the Brazilian data protection authority (ANPD) published its methodology for process governance, which details the steps to ensure coordinated and consistent process governance across the ANPD's internal units aiming to accomplish the ANPD's strategy objectives.
On April 9, 2024, the National Council for the Rights of Children and Adolescents (CONANDA) published Resolution No. 245 of 5 April 2024, providing for the protection of children's and adolescent's rights in the digital environment.
On March 21, 2024, the European Commission announced that the EU and the Government of Brazil held their 12th Digital Dialogue.
On March 13, 2024, bill No. 303/2024 amending the IP Law to provide for the ownership of inventions generated autonomously by artificial intelligence (AI) systems was sent to the Science, Technology and Innovation Commission, after having been introduced to Parliament on February 20, 2024.
On March 7, 2024, bill No. 615/2024 to ensure the Brazilian data protection authority's (ANPD) autonomy was referred to the Commission on Communication and Digital Law. The bill was introduced to the Parliament on March 6, 2024, and aims to strengthen ANPD's autonomy by giving it the same prerogatives as similar national regulators.
On February 20, 2024, Bill No. 262/2024 amending the Penal Code to provide grounds for increasing penalties for copyright infringement when artificial intelligence (AI) is used, and to create the crime of scientific or academic falsehood was referred to the Senate Commission on Science, Technology, Innovation, and Computing.
On February 21, 2024, Bill No. 210/2024 introducing principles for the use of artificial intelligence was referred to the Senate Internal Temporary Commission on Artificial Intelligence in Brazil.
On February 21, 2024, Bill No. 145/2024 amending the Consumer Protection Code to regulate the use of artificial intelligence tools for advertising purposes and prevent misleading advertising was referred to the Senate Internal Temporary Commission on Artificial Intelligence in Brazil.
On February 21, 2024, Bill No. 266/2024 on the use of artificial intelligence systems to aid the activities of doctors, lawyers, and judges was referred to the Senate Internal Temporary Commission on Artificial Intelligence in Brazil.
On February 2, 2024, the Brazilian data protection authority (ANPD) released a guide on legitimate interests, aiming to clarify the use of legitimate interests as a legal basis for processing personal data under the General Personal Data Protection Law (LGPD).
In this Insight article, Ana Costa, from FTR Advogados, explores the impact of Resolution CD/ANPD No. 04, of February 24, 2023 (Resolution No. 04) on sanctions, dosimetry, and its broader implications for data privacy compliance under the Brazilian General Personal Data Protection Law (LGPD).
The Brazilian Federal Senate established a commission of legal experts ('the AI Commission') who were commissioned with the task of drafting an Artificial Intelligence Legal Framework ('AI Legal Framework').
Over two years on from the Law No. 13.709 of 14 August 2018, General Personal Data Protection Law (as amended by Law No. 13.853 of 8 July 2019) ('LGPD') entering into force, the regulatory framework for the enforcement of its provisions continues to take shape.
Both Brazil and Chile have existing data protection frameworks which have, in part, been influenced by the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR').
In this report, OneTrust DataGuidance and Baptista Luz Advogados provide a means of analyzing and comparing data protection requirements and recommendations under the General Data Protection Regulation (GDPR) and the Law No. 13.709 of 14 August 2018, General Personal Data Protection Law (LGPD).
Brazil is currently in the process of fleshing out its approach to regulating cookies, with more extensive guidance on the way. Celina Bottino, Vinicius Padrão, and Flávia Parra Cano, from Rennó, Penteado, Sampaio Advogados, discuss current developments in this area and the relevance of approaches taken in the EU on this matter.
The Brazilian data protection authority ('ANPD') was established by the Article 55-A of Law No. 13.709 of 14 August 2018, General Personal Data Protection Law (as amended by Law No. 13.853 of 8 July 2019) ('LGPD').
The Brazilian data protection authority ('ANPD') has been active in the past months, with the publication of various guidance documents pertaining to Law No. 13.709 of 14 August 2018, General Personal Data Protection Law (as amended by Law No. 13.853 of 8 July 2019) ('LGPD') and aimed at facilitating compliance.
The entry into force of the Law No. 13.709 of 14 August 2018, General Personal Data Protection Law (as amended by Law No.
Following public consultation on the matter, the Brazilian data protection authority1 ('ANPD') approved, on 29 October 2021, Regulation CD/ANPD No. 1 ('the Regulation'), regarding the monitoring and enforcement of administrative sanctions by the ANPD. The Regulation entered into effect on the same day it was enacted.
OneTrust DataGuidance and Baptista Luz Advogados provide a means of analyzing and comparing data protection requirements and recommendations under the General Data Protection Regulation (GDPR) and the General Personal Data Protection Law (LGPD). The report, which was last updated in September 2022, examines and compares the scope, main definitions, legal bases, data controller and processor obligations, data subject rights, and enforcement capacities of the LGPD with the GDPR.
You can access the latest version of the report here.
Key highlights
The LGPD and the GDPR share some similarities, particularly in regard to their personal and material scope. Both laws:
- apply to the processing of natural persons' data as carried out by controllers and processors;
- provide special protection for the processing of sensitive personal data as well as for the processing of children's data;
- the rights individuals are entitled to, as well as the obligations controllers and processors are subject to; and
- apply to organizations that have a presence in the EU and Brazil respectively as well as to organizations that are not physically located, but which offer goods and services in the jurisdictions, or process personal data in these regions.
However, despite their similarities, the LGPD and the GDPR also differ sometimes in their approach, such as:
- the applicable legal basis when sensitive data is processed;
- the time period in which a data subject access request must be responded to, the information which must be included in the response, and limitations to the right; and
- the grounds and scope of the right to data portability.