On August 14, 2024, Brazil celebrates the 6° anniversary of the General Law on the Protection of Personal Data (LGPD). The legislation marked the advancement in the protection of privacy and personal data in the country. Approved on August 14, 2018, the LGPD came into force in September 2020, with sanctions applicable from August 2021.
The LGPD defines personal data as any information that can identify or make identifiable a natural or legal person, such as name, CPF, RG, email and other data. The main purpose of the LGPD is to ensure that this data is used in a safe and transparent way, avoiding misuse and ensuring the protection and legal security of citizens.
In May 2021, two years after the sanction of the LGPD, the Federal Supreme Court (STF) recognized the protection of personal data as a fundamental right. This recognition was included in the Federal Constitution in February 2022, through Constitutional Amendment No 115/22. With the Federal Constitution of 1988, the rights to privacy and confidentiality of communications had already been positivized, but protection of personal data only became part of the constitutional text more recently. Laws such as the Civil Internet Framework and the Access to Information Law were important precursors that contributed to the formulation of the LGPD.
After the enactment of the law, companies had to adjust to the new legislation, adopting specific practices. This involved the creation of privacy policies and procedures, training of employees and the implementation of information security technologies. The LGPD establishes fines and sanctions for noncompliance, which -theoretically - encouraged companies to comply with the law.
However, the LGPD is not yet fully complied with in some parts of the country. A survey conducted by the LGPD Brazil portal showed that even with the requirement, only 16% of the country's companies comply with the law.This reveals that, although it already has a certain awareness of the law, it is still quite concentrated in large urban centers, and it is necessary to bring this knowledge to other regions of the country.
The lawyer and specialist in digital law by FGV, Lucas Maldonado D. Latini, points out that one of the biggest difficulties for the adaptation to the LGPD is the lack of knowledge about the law and how it affects the operations of companies. Many organizations still do not know that the legislation applies to their field of activity. The lawyer notes that the legislation covers companies from various sectors, such as finance, education, retail etc.
For him, the provisions on data protection were dispersed in several laws, making it difficult to interpret and apply these rights.“A unification promoted by the LGPD brought clarity and cohesion to the Brazilian regulatory framework.In addition, we had the creation of the National Data Protection Authority (ANPD) to ensure the supervision and compliance with the” law, comments. Today, ANPD is responsible for issuing resolutions and guidelines that help data processing agents understand and comply with obligations.
What can we expect for an increasingly technological future?
While the regulatory framework has advanced significantly since its implementation, there are several issues that still need to be addressed by the National Data Protection Authority (ANPD) to ensure that the application continues to be effective.
One of the topics in focus is the regulation of international data transfers. In 2022, the ANPD launched a public consultation to create guidelines on how personal data can be sent outside Brazil. The LGPD requires that these transfers be made in order to ensure adequate protection of data in other countries.For this, the ANPD needs to establish clear rules, including on countries where it considers to have levels of protection compatible with Brazilian law.
Another point is the regulation of Artificial Intelligence (AI). To date, Brazilian legislation does not specifically address the use of AI in relation to data protection. ANPD is participating in the discussions of Bill 2,338/2023, which aims to establish a legal framework for AI and is being evaluated by the Federal Senate.
The lawyer points out that one of the most important points is that companies establish security measures, technical and administrative, necessary for the protection of personal data. These guidelines may include minimum security standards, use of encryption, firewalls and access policies, the implementation of each of them is a way to prevent security incidents, such as data leaks, and ensure that information is protected from unauthorized access.
