Brazil

Summary

Law: Law No. 13.709 of 14 August 2018, General Personal Data Protection Law (as amended by Law No. 13.853 of 8 July 2019) ('LGPD')

Regulator: The structure of the Brazilian data protection authority ('ANPD') was created by Presidential Decree No. 10,474 of 26 August 2020 (only available in Portuguese) ('the Decree'). The Decree will come into force on the date of publication of the appointment of the ANPD's executive director in the Federal Official Gazette.

Summary: The LGPD was passed in 2018 and entered into effect on 18 September 2020, although its enforcement provisions will not come into effect until 1 August 2021. The LGPD is a comprehensive data protection law which covers the activities of data controllers and processors and creates novel requirements on the processing of information of data subjects. It includes provisions on a variety of issues such as data protection officer appointments, Data Protection Impact Assessments, data transfers, and data breaches. It will be enforced by the ANPD which, when established, is expected to provide important guidance and clarity on the provisions of the LGPD. In addition, Law No. 12.965 of 23 April 2014 (only available in Portuguese) ('Marco Civil da Internet') has been in force since June 2014 and establishes principles, guarantees, rights and duties relating to the use of the internet in Brazil. So far, and before the establishment of the ANPD, the Public Ministry of Federal Districts and Territories has taken various enforcement actions in relation to privacy based on the provisions of Marco Civil da Internet.

Insights

Over two years on from Law No. 13.709 of 14 August 2018, General Personal Data Protection Law (as amended by Law No. 13.853 of 8 July 2019) ('LGPD') entering into force, the regulatory framework for the enforcement of its provisions continues to take shape. Celina Bottino, Vinicius Padrão, and Celina Carvalho, from Rennó, Penteado, Sampaio Advogados, discuss recent developments in this area.

Both Brazil and Chile have existing data protection frameworks which have, in part, been influenced by the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). Samara Schuch and Debora Batista Araújo, from Schuch & Araújo Specialized Law Firm, provide a comparison between the frameworks in both Brazil and Chile, and discuss the challenges and successes of both.

Environmental, social, and governance ('ESG') has become an area that organisations are increasingly expected to pay close attention to in their business practices. In part two of this series, Bernardo Araujo, Daniella Ferrari, Eduarda Ribeiro, and Marcus Fontes, from FTR Advogados, discuss the 'G' component of ESG in the Brazilian context and how the regulatory framework on this has been expanding.

Environmental, social, and governance ('ESG') has become an area that organisations are increasingly expected to pay close attention to in their business practices. In part two of this series, Bernardo Araujo, Daniella Ferrari, Eduarda Ribeiro, and Marcus Fontes, from FTR Advogados, discuss the 'S' component of ESG in the Brazilian context and how the regulatory framework on this has been expanding.

Brazil is currently in the process of fleshing out its approach to regulating cookies, with more extensive guidance on the way. Celina Bottino, Vinicius Padrão, and Flávia Parra Cano, from Rennó, Penteado, Sampaio Advogados, discuss current developments in this area and the relevance of approaches taken in the EU on this matter.

Environmental, social, and governance ('ESG') has become an area that organisations are increasingly expected to pay close attention to in their business practices. In part one of this series, Bernardo Araujo, Daniella Ferrari, Eduarda Ribeiro, and Marcus Fontes, from FTR Advogados, discuss the 'E' component of ESG in the Brazilian context and how the regulatory framework on this has been expanding.

Almost one year after the publication of the Brazilian data protection authority's ('ANPD') first guidelines ('the Guidelines'), which address the definitions of processing agents and general requirements for data protection officers ('DPOs'), the regulator has issued an updated version with a few modifications, mostly aimed at clarifying the role of the latter. Marcus Fontes, Bernardo José Oliveira Araujo, Daniella Fernandes Ferrari, Beatriz Gomes Sampaio, and Ana Paula Ferreira de Santana, from Fontes Tarso Ribeiro Advogados, discuss the updated version of the Guidelines and further expected developments regarding DPOs in Brazil.

The Brazilian data protection authority ('ANPD') was established by Article 55-A of Law No. 13.709 of 14 August 2018, General Personal Data Protection Law (as amended by Law No. 13.853 of 8 July 2019) ('LGPD'). This brought Brazil in line with other countries around the world with specific legislation for data protection, as well as a supervisory authority dedicated exclusively to subjects such as data protection, privacy, cybersecurity, and related matters.

This article addresses the first operational year of the ANPD in 2021, and analyses some of its main achievements.

The Brazilian data protection authority ('ANPD') has been active in the past months, with the publication of various guidance documents pertaining to Law No. 13.709 of 14 August 2018, General Personal Data Protection Law (as amended by Law No. 13.853 of 8 July 2019) ('LGPD') and aimed at facilitating compliance. One such action was the ANPD's approval, on 28 January 2022, of Resolution CD/ANPD No. 2 of 27 January 2022 for a Regulation on the application of the LGPD to small processing agents ('the Resolution'), which entered into force on the date of its publication in the Official Gazette, 28 January 2022. This Insight article analyses the key aspects of the Resolution and what small processing agents must consider in ensuring that they comply with the requirements under the LGPD.

The entry into force of Law No. 13.709 of 14 August 2018, General Personal Data Protection Law (as amended by Law No. 13.853 of 8 July 2019) ('LGPD') in Brazil creates a new legal regime for children's personal data, with some sectors being particularly impacted. Patricia Peck Pinheiro, Marcelo Crespo, Camila Bruna do Nascimento, and Helen Batista Battaglini, from Peck Advogados, discuss this area and its nuances.

Following public consultation on the matter, the Brazilian data protection authority ('ANPD') approved, on 29 October 2021, Regulation CD/ANPD No. 1 ('the Regulation'), regarding the monitoring and enforcement of administrative sanctions by the ANPD. The Regulation entered into effect on the same day it was enacted. Despite the sanctioning prerogatives of the ANPD entering into force on 1 August 2021, the Regulation is necessary for allowing the ANPD to carry out this function. Alan Campos Elias Thomaz and Thaissa Lencastre Pinto, Founding Partner and Attorney respectively at Campos Thomaz Advogados, discuss the Regulation and its provisions.