On Thursday (14), the General Data Protection Law (LGPD) completes seven years since it was sanctioned. Approved in 2018, the legislation represents a watershed in the consolidation of fundamental rights in the Brazilian digital environment, ensuring privacy, freedom, and protection of citizens’ personal data.
Since it came into force, the LGPD has regulated the processing of personal data, including sensitive information, such as racial origin, ideological beliefs, and biometric data, determining how these data should be collected, stored, and used by companies, public bodies, and organizations.
According to the LGPD Panel Report in the Courts, prepared by the Center for Law, Internet, and Society (Cedis-IDP) in partnership with Jusbrasil and with the support of the United Nations Development Programme (UNDP) Brazil, there has been a significant increase in the number of judicial decisions mentioning the LGPD. Between October 2023 and October 2024, 15,921 decisions mentioning the legislation were identified, representing a 112% growth compared to the same period the previous year, when 7,503 decisions were recorded.
The effective application of the sanctions provided for in the law began in August 2021, after a transition period that started in 2020. Since then, the National Data Protection Authority (ANPD), responsible for overseeing compliance with the regulation, has acted strategically. The agency has already published technical guides, conducted public consultations, analyzed security incidents, and imposed penalties, including significant fines.
With the rapid advancement of technology and artificial intelligence, challenges for data protection have become even more complex. Issues such as consent for the use of information in algorithm training, explainability of automated decisions, and application of minimization and information security principles have become central to ongoing compliance with LGPD.
The concept of privacy by design, gains prominence in this scenario, requiring organizations to adopt preventive measures for data protection from the outset of product and service development.
For lawyer and professor of Law at Centro Universitário Itaperuna, Dr. Rayla Santos, the date reinforces the need to consolidate a solid culture of privacy respect. “With each LGPD anniversary, we are reminded that it is not just a legal norm, but the continuous construction of a culture of privacy respect,” she says. According to her, the law emerges as a response to social and technological transformations that impact how data is treated and shared. “LGPD was inspired by international legislations, such as the EU’s GDPR, but adapted to the Brazilian reality, representing a significant advancement in the protection of individual rights.”
With the advancement of artificial intelligence, Dr. Rayla Santos evaluates that the application of LGPD principles such as informed consent, data minimization, and algorithmic transparency is becoming increasingly urgent. She emphasizes that companies and developers must adopt ethical practices in data usage to train automated systems, ensuring clarity about the handling of personal information. The specialist also highlights the need for robust data governance, emphasizing that the legislation requires security measures and good practices from the conception of technologies, in accordance with the principles of privacy by design and privacy by default.
Another point emphasized by the Afya Itaperuna specialist is the role of educational and research institutions in preparing professionals for the challenges of digital privacy. “It is not enough to mechanically apply the LGPD. It is necessary to understand its principles and spirit. Education on data protection must expand beyond Law, reaching areas such as information technology, engineering, and social sciences,” she argues.
In the coming years, some trends become relevant: the institutional strengthening of the ANPD, specific regulation on artificial intelligence in dialogue with LGPD, the dissemination of data protection culture in academic and corporate environments, and the training of experts qualified to deal with the new scenarios of the information society.
