On August 14, 2024, Brazil celebrates the 6th anniversary of the General Data Protection Law (LGPD). The legislation marked progress in protecting privacy and personal data in the country. Approved on August 14, 2018, the LGPD came into force in September 2020, with sanctions applicable from August 2021.
The LGPD defines personal data as any information that can identify or make identifiable a natural or legal person, such as name, CPF, RG, email, and other data. The main purpose of the LGPD is to ensure that these data are used safely and transparently, preventing misuse and guaranteeing the protection and legal security of citizens.
In May 2021, two years after the enactment of the LGPD, the Supreme Federal Court (STF) recognized the protection of personal data as a fundamental right. This recognition was included in the Federal Constitution in February 2022, through Constitutional Amendment No. 115/22. With the Federal Constitution of 1988, the rights to intimacy, privacy, and communication confidentiality had already been enshrined, but personal data protection only became part of the constitutional text more recently. Laws such as the Marco Civil da Internet and the Lei de Acesso à Informação were important predecessors that contributed to the formulation of the LGPD.
After the enactment of the law, companies had to adjust to the new legislation by adopting specific practices. This involved the creation of privacy policies and procedures, employee training, and the implementation of information security technologies. The LGPD establishes fines and sanctions for non-compliance, which, in theory, encouraged companies to comply with the law.
However, the LGPD is not yet fully implemented in some parts of the country. A survey conducted by the LGPD Brasil portal showed that, despite the requirement, only 16% of companies in the country are in compliance with the law. This reveals that, although there is already some awareness of the law, it is still quite concentrated in large urban centers, and it is necessary to bring this knowledge to other regions of the country.
The lawyer and digital law specialist at FGV, Lucas Maldonado D. Latini, points out that one of the biggest challenges for compliance with the LGPD is the lack of knowledge about the law and how it affects company operations. Many organizations still do not know that the legislation applies to their field of activity. The lawyer notes that the legislation covers companies from various sectors, such as finance, education, retail, etc. Everyone must comply or face sanctions.
For him, the provisions on data protection were scattered across various laws, making the interpretation and application of these rights difficult. "The unification promoted by the LGPD brought clarity and cohesion to the Brazilian regulatory framework. Additionally, the National Data Protection Authority (ANPD) was created to ensure oversight and compliance with the law," he comments. Today, the ANPD is responsible for issuing resolutions and guidelines that help data processing agents understand and comply with their obligations.
What to expect from an increasingly technological future?
Although the regulatory framework has advanced significantly since its implementation, there are several issues that still need to be addressed by the National Data Protection Authority (ANPD) to ensure that enforcement continues to be effective.
One of the key topics is the regulation of international data transfers. In 2022, the ANPD launched a public consultation to create guidelines on how personal data can be sent outside Brazil. The LGPD requires that these transfers be made in a way that ensures adequate protection of data in other countries. For this, the ANPD needs to establish clear rules, including on which countries it considers to have protection levels compatible with Brazilian legislation.
Another point is the regulation of Artificial Intelligence (AI). So far, Brazilian legislation does not specifically address the use of AI concerning data protection. The ANPD is participating in the discussions of Bill No. 2,338/2023, which aims to establish a legal framework for AI and is being evaluated by the Federal Senate.
The lawyer emphasizes that one of the most important points is that companies establish the security, technical, and administrative measures necessary for the protection of personal data. These guidelines may include minimum security standards, the use of encryption, firewalls, and access policies. The implementation of each of them is a way to prevent security incidents, such as data leaks, and to ensure that information is protected against unauthorized access.