LGPD completes seven years and transforms the personal data processing landscape in Brazil

Brazil's General Personal Data Protection Law (LGPD) completes seven years in a context where data protection already significantly impacts various aspects of economic sectors, transforming how personal data is processed. Simultaneously, the framework established a new era of governance, security, and transparency in the processing of personal information. 

"More than a regulatory instrument, the LGPD has consolidated a new standard of privacy protection in Brazil, directly influencing corporate strategies and society's awareness regarding the use of personal data," states Carla do Couto Hellu Battilana, partner in the Cybersecurity & Data Privacy practice at TozziniFreire Advogados.  

Since the LGPD was enacted, there have been numerous changes in how data protection is perceived in Brazil. Among the most significant milestones over these past 7 years is Constitutional Amendment No. 115/2022, which recognized personal data protection as a fundamental right, alongside guarantees such as freedom of expression and human dignity. "This recognition has brought greater legal certainty for citizens and companies, while also shielding the legislation from setbacks," explains Battilana. 

Another advancement was the maturation in the application of legitimate interest as a legal basis for data processing, which received additional clarifications in the Guide published by the National Data Protection Authority (ANPD). "By establishing clearer parameters, the ANPD has helped balance companies' needs with the preservation of data subjects' rights," said Battilana. 

The regulation of international data transfers marked another important step. Resolution CD/ANPD No. 19/2024 established specific rules for standard contractual clauses and technical security measures. "Today, companies have a set of rules to ensure that data remains protected, regardless of the destination country," emphasizes Battilana. 

According to Battilana, the ANPD's monitoring and enforcement of sanctions have become more frequent and structured, especially after Resolution CD/ANPD No. 4/2023, which defined criteria for penalty dosimetry. "The authority's more active presence is raising the maturity of organizations and the effectiveness of the law." 

The publication of Statement CD/ANPD No. 1/2023 relaxed the requirement for consent as a legal basis for processing children's and adolescents' data, provided that the principle of the child's best interest is respected. "The change does not reduce protection but offers legitimate alternatives for cases where consent may not be the most appropriate path," says Battilana.  

In the technology field, the ANPD has taken a leading role in discussions on artificial intelligence by launching a regulatory sandbox and actively participating in debates on Bill No. 2,338/2023, which could make it the national coordinator for AI governance. "The intersection between AI and data protection is inevitable and requires doubled attention to ensure innovation walks hand in hand with security and privacy," assesses Battilana. 

With advancements in data protection, awareness of cyber risks and the importance of incident reporting is increasing in the country, a key measure to mitigate damages. Resolution CD/ANPD No. 1/2024 also helped by establishing clear protocols for companies to report incidents to the authority and data subjects.  

"Looking at the future of the LGPD means keeping up with trends such as the advancement of artificial intelligence, the integration of international data protection standards, and the sophistication of cyber threats. An ever-evolving scenario that requires updating and commitment from all involved actors," emphasizes Battilana.