The General Personal Data Protection Law (LGPD) completes seven years in Brazil in a context where data protection already impacts various aspects of economic sectors, transforming how personal data is handled. At the same time, the framework established a new era of governance, security, and transparency in the processing of personal information.
“More than a regulatory instrument, the LGPD consolidated a new standard of privacy protection in Brazil, directly influencing corporate strategies and society’s awareness about the use of personal data,” says Carla do Couto Hellu Battilana, partner in the Cybersecurity & Data Privacy practice at TozziniFreire Advogados.
Since the LGPD was enacted, there have been numerous changes in how data protection is viewed in Brazil. Among the most significant milestones in these last 7 years is Constitutional Amendment No. 115/2022, which recognized personal data protection as a fundamental right, alongside guarantees such as freedom of expression and human dignity. “This recognition brought greater legal certainty for citizens and businesses, while also shielding the legislation against setbacks,” explains Battilana.
Another advancement was the maturation in applying legitimate interest as a legal basis for data processing, which gained additional clarifications in the Guide published by the National Data Protection Authority (ANPD). “By establishing clearer parameters, the ANPD helped balance companies’ needs with the preservation of data subjects’ rights,” said Battilana.
The regulation of international data transfers marked another important step. Resolution CD/ANPD No. 19/2024 established specific rules for standard contractual clauses and technical security measures. “Today, companies have a set of rules to ensure data remains protected, regardless of the destination country,” emphasizes Battilana.
According to Battilana, ANPD’s oversight and enforcement of sanctions have become more frequent and structured, especially after Resolution CD/ANPD No. 4/2023, which defined criteria for penalty dosimetry. “The authority’s more active presence is raising organizations’ maturity and the law’s effectiveness.”
The publication of Statement CD/ANPD No. 1/2023 relaxed the requirement for consent as a legal basis for processing children and adolescents’ data, provided the principle of the child’s best interest is respected. “The change does not reduce protection but offers legitimate alternatives for cases where consent is not the most suitable path,” says Battilana.
In the field of technology, the ANPD has gained prominence in discussions about artificial intelligence, launching a sandbox regulatory framework and actively participating in debates around Bill No. 2,338/2023, which could make it the national coordinator for AI governance. “The intersection between AI and data protection is inevitable and requires heightened attention to ensure innovation walks hand in hand with security and privacy,” assesses Battilana.
With advances in data protection, awareness about cyber risks and the importance of incident reporting—a key measure to mitigate damages—has grown in the country. Resolution CD/ANPD No. 1/2024 also helped by establishing clear protocols for companies to report incidents to the authority and data subjects.
“Looking at the future of the LGPD means tracking trends such as the advancement of artificial intelligence, the integration of international data protection standards, and the sophistication of cyber threats. A constantly evolving scenario that requires updating and commitment from all involved stakeholders,” emphasizes Battilana.
