The General Personal Data Protection Law (LGPD) completes seven years in Brazil in a context where data protection already impacts various sectors of the economy, transforming the way personal data is handled. At the same time, the milestone has established a new era of governance, security, and transparency in the treatment of personal information.
“More than a normative instrument, the LGPD has consolidated a new level of privacy protection in Brazil, directly influencing corporate strategies and society’s awareness of the use of personal data,” says Carla do Couto Hellu Battilana, partner in the area of Cybersecurity & Data Privacy at TozziniFreire Advogados.
Since the LGPD was published, we have seen several changes in how the issue of data protection is viewed in Brazil. Among the most significant milestones in these last 7 years is Constitutional Amendment No. 115/2022, which recognized the protection of personal data as a fundamental right, alongside guarantees such as freedom of expression and human dignity. “This recognition brought more legal certainty for citizens and companies, as well as safeguarding legislation against setbacks,” explains Battilana.
Another advancement was the maturation in the application of legitimate interest as a legal basis for data processing, which now includes additional clarifications in the Guide published by the National Data Protection Authority (ANPD). “By establishing clearer parameters, the ANPD has contributed to balancing the needs of companies with the preservation of the rights of data subjects,” said Battilana.
Regulation of international data transfers marked another important step. Resolution CD/ANPD No. 19/2024 established specific rules for standard contractual clauses and technical security measures. “Today, companies have a series of rules to ensure that data remains protected, regardless of the destination country,” emphasizes Battilana.
According to Battilana, ANPD’s oversight and enforcement of sanctions have become more frequent and structured, especially after Resolution CD/ANPD No. 4/2023, which defined criteria for penalty assessment. “The more active presence of the authority is raising organizations’ maturity and the effectiveness of the law.”
The publication of Statement CD/ANPD No. 1/2023 relaxed the requirement for consent as a legal basis for processing data of children and adolescents, as long as the principle of the best interest of the minor is respected. “The change does not reduce protection but offers legitimate alternatives for cases where consent is not the most appropriate path,” says Battilana.
In the field of technology, ANPD has gained prominence in discussions on artificial intelligence, by launching a regulatory sandbox and actively participating in the debates of Bill No. 2,338/2023, which could make it the national coordinator for AI governance. “The intersection between AI and data protection is inevitable and requires special attention to ensure that innovation walks hand in hand with security and privacy,” Battilana evaluates.
With advances in data protection, awareness of cybersecurity risks and the importance of incident reporting is increasing in the country, a fundamental measure to mitigate damages. Resolution CD/ANPD No. 1/2024 also helped by establishing clear protocols for companies to communicate occurrences to the authority and data subjects.
“Looking to the future of LGPD means keeping up with trends such as the advancement of artificial intelligence, the integration of international data protection standards, and the sophistication of cyber threats. A constantly evolving scenario that requires updating and commitment from all involved parties”, emphasizes Battilana.
