6 years of the Brazilian General Data Protection Law
LGPD – Regulatory Landscape
Since August 14, 2023, relevant materials related to privacy and personal data protection in Brazil have been published, and again the National Data Protection Authority (ANPD) has effectively and assertively acted to strengthen privacy in Brazil. We highlight below the key regulatory events during the period:
- August 14, 2023 – opening of Public Consultation regarding the draft Regulation on International Data Transfers and the template of Standard Contractual Clauses – check out here our post on the matter
- February 2, 2024 – publication of Guidelines on the Legal Basis of the Legitimate Interest, providing the main definitions and interpretation parameters for the lawful basis of legitimate interest, as well as hypothetical situations where there may or may not be a legitimate interest, helping processing agents to understand and apply this lawful basis more appropriately – check out ANPD’s publication on the matter in Portuguese here
- April 17, 2024 – opening of Public Consultation on the draft Guidance on the processing of high-risk personal data – check out here our post on the matter
- April 26, 2024 – publication of Resolution No. 15/2024 approving the Regulation on the Reporting of Security Incidents – check out here our post on the matter
- May 23, 2024 – publication of Glossary of Personal Data Protection and Privacy, which aims to systematize the main concepts of terms and expressions widely used in data protection legislation and other documents issued by the ANPD, helping data subjects to understand them – check out ANPD’s publication on the matter in Portuguese here
- June 24, 2024 – publication of the second volume of the Technological Radar series, on Biometrics and Facial Recognition, presenting the study of various cases of use of biometrics, particularly facial recognition in Brazil – check out ANPD’s publication on the matter in Portuguese here
- July 17, 2024 – publication of Resolution No. 18/2024 approving the Regulation on the Data Protection Officer (DPO) – check out here our post on the matter
Administrative Sanctions
Since August 14, 2023, the ANPD has been more active than in previous years in conducting proceedings and applying sanctions. Here are some figures since the last anniversary of the LGPD:
- 6 new data processing agents sanctioned
- A total of 17 sanctions applied in the period
- Most common violation (6): non-compliance with obligations related to the communication of security incidents involving personal data
Ongoing Investigations
- 1 Administrative Sanctioning Process lacking a public decision from ANPD
- 5 Monitoring Processes
- 16 Inspection Processes
Perspectives for the future of data protection in Brazil
Brazil continues to advance in its level of data protection maturity, with prospects for new regulations, guidelines, and the ongoing action of the ANPD in monitoring and overseeing activities involving personal data in Brazil. Among the key actions expected in the coming years, we highlight the following:
- Definitive regulation on International Data Transfers and template of Standard Contractual Clauses (expected to be released this month)
- Publication of Guidelines regarding the DPO (expected to be released in September 2024)
- Regulation on data subjects’ rights and monitoring of the fulfillment of data subjects’ requests, focusing on public authorities, digital platforms, financial and telecommunications sectors
- Regulation on the Data Protection Impact Assessment (DPIA)
- Monitoring of the processing of personal data of children and teenagers by digital platforms
Additionally, the introduction and regulation of new technologies, such as artificial intelligence (AI), are expected to impact data protection and the application of the LGPD.
AI is increasingly integrated into various sectors of society, making it essential to establish clear standards to ensure the ethical and secure use of personal data processed through this type of technology.
In this context, Bill of Law (Projeto de Lei) No. 2338/2023, the proposed legislation on the matter, is currently under review in the National Congress, and the ANPD has issued Technical Report (Nota Técnica) No. 16/2023 with the authority’s comments thereon (available in Portuguese here). Based on the discussions about this Bill of Law, the expectation is that the ANPD will also take a leading role in the AI area as the coordinating body for the National System of Regulation and Governance of Artificial Intelligence (SIA).
This bulletin is for information purposes only and should not be relied upon to obtain legal advice on any of the topics dealt with here. For additional information, please contact the leaders of the Privacy and Data Protection team.
CGM Advogados.
All rights reserved.