Support Centre

Brazil

Summary

Law: Law No. 13.709 of 14 August 2018, General Personal Data Protection Law (as amended by Law No. 13.853 of 8 July 2019) ('LGPD')

Regulator: The structure of the Brazilian data protection authority ('ANPD') was created by Presidential Decree No. 10,474 of 26 August 2020 (only available in Portuguese here) ('the Decree'). The Decree will come into force on the date of publication of the appointment of the ANPD's executive director in the Federal Official Gazette.

Summary: The LGPD was passed in 2018 and entered into effect on 18 September 2020, although its enforcement provisions will not come into effect until 1 August 2021. The LGPD is a comprehensive data protection law which covers the activities of data controllers and processors and creates novel requirements on the processing of information of data subjects. It includes provisions on a variety of issues such as data protection officer appointments, Data Protection Impact Assessments, data transfers, and data breaches. It will be enforced by the ANPD which, when established, is expected to provide important guidance and clarity on the provisions of the LGPD. In addition, Law No. 12.965 of 23 April 2014 (only available in Portuguese here) ('Marco Civil da Internet') has been in force since June 2014 and establishes principles, guarantees, rights and duties relating to the use of the internet in Brazil. So far, and before the establishment of the ANPD, the Public Ministry of Federal Districts and Territories has taken various enforcement actions in relation to privacy based on the provisions of Marco Civil da Internet.

Insights

In this Insight article, Ana Costa, from FTR Advogados, explores the impact of Resolution CD/ANPD No. 04, of February 24, 2023 (Resolution No. 04) on sanctions, dosimetry, and its broader implications for data privacy compliance under the Brazilian General Personal Data Protection Law (LGPD).

The Brazilian Federal Senate established a commission of legal experts ('the AI Commission') who were commissioned with the task of drafting an Artificial Intelligence Legal Framework ('AI Legal Framework').

In this Insight article, Fabio Ferreira Kujawski and Ingrid Soares, from Mattos Filho Advogados, summarise the main findings of the AI Commission that shall guide the discussions in the Brazilian Congress about an upcoming federal statute for AI systems, whilst also analysing existing laws and regulations that currently impact the use and development of AI systems in Brazil.

Both Brazil and Chile have existing data protection frameworks which have, in part, been influenced by the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). Samara Schuch and Debora Batista Araújo, from Schuch & Araújo Specialized Law Firm, provide a comparison between the frameworks in both Brazil and Chile, and discuss the challenges and successes of both.

In this report, OneTrust DataGuidance and Baptista Luz Advogados provide a means of analyzing and comparing data protection requirements and recommendations under the General Data Protection Regulation (GDPR) and the Law No. 13.709 of 14 August 2018, General Personal Data Protection Law (LGPD). 

The report, which was last updated in September 2022, examines and compares the scope, main definitions, legal bases, data controller and processor obligations, data subject rights, and enforcement capacities of the LGPD with the  GDPR. 

You can access the latest version of the report here.

Brazil is currently in the process of fleshing out its approach to regulating cookies, with more extensive guidance on the way. Celina Bottino, Vinicius Padrão, and Flávia Parra Cano, from Rennó, Penteado, Sampaio Advogados, discuss current developments in this area and the relevance of approaches taken in the EU on this matter.

The Brazilian data protection authority ('ANPD') was established by the Article 55-A of Law No. 13.709 of 14 August 2018, General Personal Data Protection Law (as amended by Law No. 13.853 of 8 July 2019) ('LGPD'). This brought Brazil in line with other countries around the world with specific legislation for data protection, as well as a supervisory authority dedicated exclusively to subjects such as data protection, privacy, cybersecurity, and related matters.

This article addresses the first operational year of the ANPD in 2021, and analyses some of its main achievements.

The Brazilian data protection authority ('ANPD') has been active in the past months, with the publication of various guidance documents pertaining to Law No. 13.709 of 14 August 2018, General Personal Data Protection Law (as amended by Law No. 13.853 of 8 July 2019) ('LGPD') and aimed at facilitating compliance. One such action was the ANPD's approval, on 28 January 2022, of Resolution CD/ANPD No. 2 of 27 January 2022 for a Regulation on the application of the LGPD to small processing agents1 ('the Resolution'), which entered into force on the date of its publication in the Official Gazette, 28 January 2022. This Insight article analyses the key aspects of the Resolution and what small processing agents must consider in ensuring that they comply with the requirements under the LGPD.

The entry into force of the Law No. 13.709 of 14 August 2018, General Personal Data Protection Law (as amended by Law No. 13.853 of 8 July 2019) ('LGPD') in Brazil creates a new legal regime for children's personal data, with some sectors being particularly impacted. Patricia Peck Pinheiro, Marcelo Crespo, Camila Bruna do Nascimento, and Helen Batista Battaglini, from Peck Advogados, discuss this area and its nuances.

Following public consultation on the matter, the Brazilian data protection authority1 ('ANPD') approved, on 29 October 2021, Regulation CD/ANPD No. 1 ('the Regulation'), regarding the monitoring and enforcement of administrative sanctions by the ANPD. The Regulation entered into effect on the same day it was enacted. Despite the sanctioning prerogatives of the ANPD entering into force on 1 August 2021, the Regulation is necessary for allowing the ANPD to act out this function. Alan Campos Elias Thomaz and Thaissa Lencastre Pinto, Founding Partner and Attorney respectively at Campos Thomaz Advogados, discuss the Regulation and its provisions.

The advent of a comprehensive data protection law such as the incoming Law No. 13.709 of 14 August, General Personal Data Protection Law (as amended by Law No. 13.853 of 8 July 2019) ('LGPD') in Brazil requires organisations to react in order to meet its demands. Alan Campos Eliaz Thomas, Partner at AT | Advogados, breaks down some practical steps that can be taken to map data flows through an organisation and subsequently identify any legal gaps in how such data is handled in order to satisfy the provisions of the LGPD.