carregando...

Article

31 de January de 2025

2024 Retrospective – Privacy and Data Protection: January 28 – International Data Protection Day

Introduction

The International Data Protection Day is celebrated on January 28. On this date, in 1981, Convention 108 of the Council of Europe was signed and later recognized as the first international legally binding treaty on the protection of personal data.

In Brazil, the General Data Protection Law (“LGPD”) establishes the primary legal framework on this topic. The National Data Protection Authority (“ANPD”) continues to play a central role in regulating and monitoring compliance with the LGPD, in accordance with the powers granted to such authority by law.

The year of 2024 was significant for personal data protection in Brazil. New regulations, decisions, guidelines, and initiatives by the ANPD strengthened and fostered debate on the privacy and data protection scenario. Below you will find a retrospective of ANPD’s main actions in 2024.

 

2024 Retrospective

 

  • Regulations:
  • Regulation on Security Incident Reports – April/2024
  • Regulation on the Role of the Data Protection Officer (DPO) – July/2024
  • Regulation on International Data Transfers and publication of standard contractual clauses – August/2024
  • Regulatory Agenda for the 2025-2026 biennium – December/2024

 

  • Public Consultations:
  • Consultation on the Preliminary Study on Anonymization and Pseudonymization for the Protection of Data – January/2024
  • Consultation on Data Subjects’ Rights – February/2024
  • Consultation on the Preliminary Study on High-Risk Processing of Personal Data – April/2024
  • Consultation on Processing of Children and Teenagers Data – June/2024
  • Consultation on Artificial Intelligence and Review of Automated Decisions – November/2024

 

  • Guidelines and Publications:
  • Radar Tecnológico[1] on Smart Cities – January/2024
  • Glossary on Personal Data Protection and Privacy – January/2024
  • Guidelines on the Legal Basis of Legitimate Interest – February/2024
  • Radar Tecnológico on Biometric Data and Facial Recognition – June/2024
  • Radar Tecnológico on Generative Artificial Intelligence – November/2024
  • Guidelines on the Role of the Data Protection Officer – December/2024

 

  • Administrative Sanctions Applied by the ANPD:
  • National Social Security Institute (INSS) – January/2024
  • Secretariat of Education of the Federal District (SEEDF) – January/2024
  • Department of Social Assistance, Hunger Prevention, and Drug Policies (SAS) – April/2024
  • Ministry of Health – August/2024
  • Ministry of Health – October/2024

 

  • Other Initiatives and Actions of the ANPD:
  • Contributions to the substitute text of Bill of Law No. 2338/23 regarding the regulation of Artificial Intelligence in Brazil – May/2024
  • Precautionary suspension of personal data processing for training Meta’s generative Artificial Intelligence – July/2024
    • Suspension of the measure in August 2024, in light of documents presented and commitments made by Meta
  • Order for the regularization and opening of sanctioning proceeding against TikTok, due to the potential infringing processing of children and teenagers data – November/2024
  • Opening of inspection proceedings against 20 companies due to the lack of a Data Protection Officer and of appropriate communication channels – December/2024
  • Suspension of generative Artificial Intelligence training with personal data of individuals under 18 years old by X. Corp (formerly “Twitter”), among other measures – December/2024
  • Technical Cooperation Agreement with the National Supplementary Health Agency (ANS) to enhance data protection in the healthcare sector – December/2024

 

ANPD’s numbers over the years[2]

From 2021 to 2024, the ANPD:

  • Applied 20 administrative sanctions to 7 data processing agents (one private company and six public entities), including:
    • 17 warnings, out of which 8 required corrective measures
    • 2 fines
    • 1 public disclosure of the violation with corrective measures
  • Main Topics:
  • Communication of a security incident that is incomplete, untimely or not individualized to all affected data subjects
  • Insufficiency or absence of systemic security measures
  • Failure to provide evidence of the appointment of a Data Protection Officer (DPO)
  • Lack of records of personal data processing activities
  • Failure to submit documents requested by the ANPD or to comply with its requests
  • ANPD received 1,146 security incident reports, as detailed below:
    • 186 in 2021
    • 275 in 2022
    • 352 in 2023
    • 333 in 2024

 

Currently ANPD has 26 ongoing administrative proceedings (publicly available), as detailed below:

    • 1 monitoring proceeding
    • 18 inspection proceedings
    • 4 preparatory proceedings
    • 3 sanctioning proceedings

 

For more information, please refer to the following links (in Portuguese):

Centrais de Conteúdo — Autoridade Nacional de Proteção de Dados

Atividades Fiscalizatórias — Autoridade Nacional de Proteção de Dados

 

Highlights and outlook for 2025

The year of 2025 began with Artificial Intelligence as a key topic. On January 25, the ANPD ordered Tools for Humanity to suspend offering any type of financial compensation for the collection of biometric data (iris) from data subjects in Brazil. According to the company, this collection was intended to promote greater digital security in the context of expanding Artificial Intelligence, ensuring proof that the data subject is a unique human being.

According to the authority’s regulatory agenda for 2025-2026 and the map of priority topics for 2024-2025, the main actions expected from the ANPD for 2025 include addressing data subjects’ rights, Data Protection Impact Reports, facial recognition, data scraping and data aggregators, Artificial Intelligence and review of automated decisions, among other topics.

We will continue to monitor and share the main developments throughout 2025.

 

This newsletter is for information purposes only and should not be relied upon for legal advice on any of the topics covered herein. For further information, please contact the heads of the Privacy and Data Protection team, Adriano Chaves and Marcia Issler Mandelbaum.

CGM Advogados. All rights reserved.

 

[1] Series of publications on emerging technologies

[2] Information updated as of January 28, 2025

Related content

See more News and Insights
Skip to content