On August 14, 2024, Brazil celebrates the 6th anniversary of the General Data Protection Law (LGPD). The legislation marked an advancement in the protection of privacy and personal data in the country. Approved on August 14, 2018, LGPD came into effect in September 2020, with applicable sanctions starting in August 2021.
LGPD defines personal data as any information that can identify or make identifiable a physical or legal person, such as name, CPF, RG, email, and other data. The main purpose of LGPD is to ensure that this data is used safely and transparently, avoiding misuse and ensuring the legal protection and security of citizens.
In May 2021, two years after the enactment of LGPD, the Brazilian Supreme Federal Court (STF) recognized the protection of personal data as a fundamental right. This recognition was included in the Federal Constitution in February 2022 through Constitutional Amendment No. 115/22. With the Federal Constitution of 1988, rights to privacy, intimacy, and secrecy of communications had already been established, but the protection of personal data only recently became part of the constitutional text. Laws such as the Brazilian Civil Rights Framework for the Internet and the Access to Information Law were important predecessors that contributed to the formulation of LGPD.
After the promulgation of the law, companies had to adjust to the new legislation by adopting specific practices. This involved creating privacy policies and procedures, training employees, and implementing information security technologies. LGPD establishes fines and penalties for non-compliance, theoretically encouraging companies to comply with the law.
However, the LGPD is still not fully complied with in some parts of the country. A survey conducted by the LGPD Brasil portal showed that, even with the mandatory requirements, only 16% of the country’s companies are in compliance with the law. This reveals that, although there is already some awareness of the law, it is still quite concentrated in large urban centers, and it is necessary to spread this knowledge to other regions of the country.
Lucas Maldonado D. Latini, a lawyer with a specialization in digital law from FGV, points out that one of the biggest challenges for LGPD compliance is the lack of knowledge about the law and how it affects companies' operations. Many organizations still do not know that the legislation applies to their area of activity. The lawyer notes that the legislation covers companies from various sectors, such as finance, education, and retail. All of them need to adapt or face sanctions.
In his view, provisions on data protection were previously scattered across various laws, making it difficult to interpret and apply these rights. 'The unification promoted by LGPD brought clarity and coherence to the Brazilian regulatory framework. In addition, we had the creation of the National Data Protection Authority (ANPD) to ensure the monitoring and compliance with the law,' he comments. Today, ANPD is responsible for issuing resolutions and guidance documents that help data processing agents understand and comply with their obligations.
What to expect for an increasingly technological future?
Although the regulatory framework has advanced significantly since its implementation, there are several issues that still need to be addressed by the National Data Protection Authority (ANPD) to ensure that the application continues to be effective.
One of the focus topics is the regulation of international data transfers. In 2022, the ANPD launched a public consultation to create guidelines on how personal data can be sent out of Brazil. The LGPD requires that these transfers be carried out in a way that ensures adequate protection of the data in other countries. For this, the ANPD needs to establish clear rules, including countries it considers to have protection levels compatible with Brazilian legislation.
Another point is the regulation of Artificial Intelligence (AI). So far, Brazilian legislation does not specifically address the use of AI concerning data protection. The ANPD is participating in discussions on Bill No. 2,338/2023, which aims to establish a legal framework for AI and is being evaluated by the Federal Senate.
The lawyer points out that one of the most important aspects is for companies to establish security measures, technical and administrative, necessary for the protection of personal data. These guidelines may include minimum security standards, the use of encryption, firewalls, and access policies. The implementation of each of them is a way to prevent security incidents, such as data leaks, and ensure that information is protected against unauthorized access.