Brazil’s General Data Protection Law (LGPD) completes seven years in a context where data protection already impacts various aspects of economic sectors, transforming how personal data is handled. At the same time, the framework established a new era of governance, security, and transparency in the processing of personal information.
“More than a regulatory instrument, the LGPD has consolidated a new level of privacy protection in Brazil, directly influencing corporate strategies and society’s awareness about the use of personal data,” says Carla do Couto Hellu Battilana, a partner in the Cybersecurity & Data Privacy practice at TozziniFreire Advogados.
Since the LGPD was enacted, there have been significant changes in how data protection is perceived in Brazil. Among the most notable milestones in these past seven years is Constitutional Amendment No. 115/2022, which recognized the protection of personal data as a fundamental right, alongside guarantees such as freedom of expression and human dignity. ‘This recognition has provided greater legal certainty for citizens and businesses, while also shielding the legislation against setbacks,’ explains Battilana.
Another advancement was the refinement in applying legitimate interest as a legal basis for data processing, which gained additional clarification in the Guide published by the National Data Protection Authority (ANPD). ‘By establishing clearer parameters, the ANPD has helped balance business needs with the preservation of data subjects’ rights,’ said Battilana.
The regulation of international data transfers marked another important step. Resolution CD/ANPD No. 19/2024 established specific rules for standard contractual clauses and technical security measures. ‘Today, companies have a set of rules to ensure data remains protected, regardless of the destination country,’ emphasizes Battilana.
According to Battilana, ANPD’s enforcement and sanctions have become more frequent and structured, especially after Resolution CD/ANPD No. 4/2023, which defined criteria for penalty dosimetry. ‘The authority’s more active presence is raising the maturity of organizations and the effectiveness of the law.’
The publication of CD/ANPD Statement No. 1/2023 relaxed the requirement for consent as a legal basis for processing children’s and adolescents’ data, provided the principle of the best interest of the minor is respected. ‘This change does not reduce protection but offers legitimate alternatives for cases where consent may not be the most appropriate path,’ says Battilana.
In technology, the ANPD has taken a leading role in discussions on artificial intelligence, launching a sandbox regulatory framework and actively participating in debates on Bill No. 2,338/2023, which could make it the national coordinator for AI governance. ‘The intersection between AI and data protection is inevitable and requires heightened attention to ensure innovation walks hand in hand with security and privacy,’ assesses Battilana.
With advancements in data protection, awareness of cyber risks and the importance of incident reporting—a crucial measure to mitigate damage—has grown in the country. CD/ANPD Resolution No. 1/2024 also helped by establishing clear protocols for companies to report incidents to the authority and data subjects.
‘Looking at the future of the LGPD means following trends such as advancements in artificial intelligence, integration with international data protection standards, and the growing sophistication of cyber threats. A constantly evolving scenario that demands updates and commitment from all stakeholders involved,’ emphasizes Battilana.
