Brazil's data protection authority, the Autoridade Nacional de Proteção de Dados, published a Q&A outlining proper procedures for data protection impact assessments. The 15-question document covers basic inquiries the covered entities have regarding process, preparation and requirements for performing DPIAs. The regulator indicated the list is a work in progress considering "additional obligations and parameters may be established by the ANPD in the future."Full Story ... Read More

Brazil's data protection authority, the Autoridade Nacional de Proteção de Dados, updated and released its list of ongoing probes into potential General Law for the Protection of Personal Data violations. The list publicizes company names, their industries, descriptions of alleged misconduct and statuses of cases in the sanctioning process. The ANPD will add further details on final decisions as cases conclude.Full Story... Read More

The General Inspection Coordination of Brazil's data protection authority, the Autoridade Nacional de Proteção de Dados, published a form for security incident reporting by personal data controllers. The new document, required as of Jan. 1, includes expanded structured responses and guidelines on the incident reporting process. The ANPD said an "expected benefit is the improvement in the quality of responses to allow the structuring of a reliable database on security incidents."Full Story... Read More

A provisional measure will give Brazil's data protection authority, the Autoridade Nacional de Proteção de Dados, independent authority from the Brazilian government, ZDNet reports. While it still requires approval from Brazil's National Congress, the measure gives the ANPD full control of its administrative and budgetary processes. Concerns were raised regarding the regulator's ties to Brazil's president when the ANPD was established. The ANPD said it is "more capable of prioritizing actions an... Read More

A resolution outlining internal regulations and processes for Brazil's National Council for the Protection of Personal Data and Privacy was filed in the Official Gazette. The CNPD will be responsible for the oversight of Brazil's data protection authority, the Autoridade Nacional de Proteção de Dados, which will include proposing strategic guidelines for the ANPD's work, suggesting actions to the regulator and performing annual evaluations. The council will also facilitate studies, debates and p... Read More

Brazil's data protection authority, the Autoridade Nacional de Proteção de Dados, released an updated version of its guidance on definitions of data processing agents and data protection officers. The guidance includes revisions on concepts for controllers, joint controllers, processors, subprocessors and DPOs, as well as practical examples of each role. The ANPD said the updates work to clear up "issues that have generated the most doubts" among those covered by the law.Full Story... Read More

The ombudsman of Brazil’s data protection authority, the Autoridade Nacional de Proteção de Dados, presented its first annual management report for 2021. Among other things, the ombudsman is responsible for questions related to the ANPD’s implementation of the Brazilian General Data Protection Law. “Efforts have been made to make citizens’ demands materialize in products and information useful to all stakeholders and affected personal data protection legislation,” the report said, adding the omb... Read More

Brazil's data protection authority, the Autoridade Nacional de Proteção de Dados, published an information security guide for small-scale data processors. The guidance features suggested administrative and technical measures under the General Data Protection Law, and it is accompanied by a checklist outlining how the measures should be adopted. "Inducing and directing the protection of personal data is an important mission of ANPD and making progress in providing tools and document templates can... Read More

Brazil's data protection authority, the Autoridade Nacional de Proteção de Dados, along with the National Consumer Secretariat of the Ministry of Justice and Public Security, published a guide to help consumers understand how to secure their data and effectuate data protection rights under the General Data Protection Law. Consumers are given details on what data is necessary or allowed for certain processing activities and what they can do if there is an LGPD violation. Meanwhile, the ANPD has b... Read More

Brazil’s data protection authority, the Autoridade Nacional de Proteção de Dados, held hearings July 15 and 16 where the public had the opportunity to offer 5-minute comments, via an online platform, on the draft regulation governing the ANPD’s investigation powers and the application of penalties set forth in the General Data Protection Law. The draft was based on the “responsive regulation” model. This model comes from Professor John Braithwaite’s works and has been widely adopted by Brazilia... Read More

The sudden implementation of Brazil's General Data Protection Law proved dizzying for the local and global privacy communities alike. While there continues to be a learning curve and much to sort out under the law, privacy professionals are, in fact, pleased with the progress taking place in Brazil. The steps forward continued Oct. 20, 2020, as Brazil's Senate confirmed President Jair Bolsonaro's five nominations to the board of directors for Brazil's data protection authority, the Autoridade N... Read More

A Brazilian data protection authority was expected to be formed at the time the Brazilian General Data Protection Act passed in August 2018. Such authority, mentioned more than 50 times in the LGPD, would be responsible for overseeing the enforcement of privacy and data protection laws in Brazil. While the LGPD was originally approved by Congress in August 2018, providing for the creation of the Brazilian DPA, the president vetoed its creation at that time due to a flaw in the legislative proce... Read More

Dec. 28, 2018, Executive Order n° 869, of December 27th 2018, was published in the Diário Oficial da União. It promotes several alterations to Federal Law n° 13.709, of Aug. 14, 2018, known as the Brazilian General Data Protection Regulation. One of the most important alterations is the creation of the Brazilian National Data Protection Authority. It is important to mention that MP n° 869/18 also alters the vacatio legis period for the LGPD to 24 months, changing the enforcement date from Februa... Read More

As the curtains close on his mandate, Brazil’s President Michel Temer enacted a provisional measure — similar to an executive order in the U.S. — that was published in the Official Gazette Dec. 28, 2018, creating the Brazilian Data Protection Authority (Autoridade Nacional de Proteção de Dados or ANPD) and altering several provisions of the Brazilian General Data Protection Law (Lei Geral de Proteção de Dados or LGPD). The act was highly anticipated by the market for a very clear reason: Withou... Read More

Brazil's data protection authority, the Autoridade Nacional de Proteção de Dados, published a Q&A outlining proper procedures for data protection impact assessments. The 15-question document covers basic inquiries the covered entities have regarding process, preparation and requirements for performing DPIAs. The regulator indicated the list is a work in progress considering "additional obligations and parameters may be established by the ANPD in the future."Full Story ... Read More

Brazil's data protection authority, the Autoridade Nacional de Proteção de Dados, updated and released its list of ongoing probes into potential General Law for the Protection of Personal Data violations. The list publicizes company names, their industries, descriptions of alleged misconduct and statuses of cases in the sanctioning process. The ANPD will add further details on final decisions as cases conclude.Full Story... Read More

Brazil's data protection authority, the Autoridade Nacional de Proteção de Dados, released an updated version of its guidance on definitions of data processing agents and data protection officers. The guidance includes revisions on concepts for controllers, joint controllers, processors, subprocessors and DPOs, as well as practical examples of each role. The ANPD said the updates work to clear up "issues that have generated the most doubts" among those covered by the law.Full Story... Read More

According to the Senate News Agency, Brazil’s Senate appointed a commission of jurists to draft a proposal to regulate AI. The commission will focus on the economic and social impacts of AI in areas including sustainable development, public security, agriculture, industry, digital services, health care and IT, and must report back to the Senate in 120 days. During the drafting process, the commission plans to study other AI regulations, such as those in the European Union. Full Story... Read More

Brazilian Congress passed an amendment to Article 5 of the constitution that gives citizens the fundamental right to personal data protection, ZDNet reports. The amendment is an unchangeable clause, which means protections for citizens can only be expanded. Supporters said the amendment elevated the General Data Protection Law into the constitution and would improve the investment climate for the technology and communications sectors. However, critics said proposals approved by the Lower House o... Read More

Brazil's government launched a data protection guide to promote awareness with the general public, ZDNet reports. Created in cooperation with the national data protection authority, the report details the rights of data users, including the right to opt out, how to protect personal information and what steps to take if they have been involved in a data breach. The report also outlines steps organizations "should act in relation to personal data." Editor's note: The IAPP launched a Brazil topic p... Read More

Over the past years, many studies have shown when the inclusion cycle begins in employment relations, and it is more likely significant changes are made toward the recognition of rights and safeguards that break the chains of exclusion in our society. Unfortunately, it is also known that social equality is far from being a reality. The study "LGBT+ in the pandemic" found six out of 10 LGBTQ+ people in Brazil experienced a loss or decrease in income due to the COVID-19 pandemic. Also, according t... Read More

Society's "datafication" also affects children, who are especially vulnerable to the exposure of their personal information. In its children's data and privacy online report, the London School of Economics divides children's privacy into three segments: interpersonal (the creation of children's digital footprints), institutional (how the government and related agencies handle children's data) and commercial (how children's data is used by businesses and for marketing purposes). With the prolifer... Read More

It has become increasingly common to discuss what "normal" bodies are and how "normal" gender and sexuality play a role in our society. When "normal" means cisgender and heterosexual, the LGBTQIA+ (lesbian, gay, bisexual, transgender, queer, intersex, asexual and other) community is easily forgotten about. This marginalization is a way to favor those who conform and, consequently, punish those who do not. LGBTQIA+ identities are often rejected through discrimination, inferiorization and criminal... Read More

Privacy professionals are still working to make sense of what enforcement of Brazil's General Data Protection Law will look like when the law's grace period ends Aug. 1, 2021. Brazil's data protection authority, the Autoridade Nacional de Proteção de Dados, pulled back the curtain on its enforcement focuses with the recent release of its regulatory agenda and 2021–23 strategic plan. ANPD Director Miriam Wimmer, CIPP/E, appointed to one of five seats on the regulator's board of directors in Octo... Read More

Recently, Brazil's Digital Government Secretariat issued guidelines to instruct the interpretation of the General Data Protection Law (Law No. 13.709/2018,) by public entities. Although the guidelines are addressed to the public sector, they include instructions for private companies when applicable. Each guideline is based on compliance benchmarks that comprise privacy and governance, data mapping, terms of use and privacy notices, risk analysis, adequacy of information and technology contract... Read More

Organizations are responsible for compliance with Brazil's General Data Protection Law and, therefore, must adopt effective measures capable of proving compliance with the rule. One of the determinations provided for in the LGPD is that the controller designates the data protection officer, who will act as a communication link between the controller, the data subjects (individuals) and the Autoridade Nacional de Proteção de Dados. The DPO will be the person responsible for the dissemination of ... Read More

Brazil’s General Data Protection Law is now in effect. Much like the EU General Data Protection Regulation, the LGPD has extraterritorial applicability, meaning any organization processing personal data in Brazil must comply with the law irrespective of the company’s location. One of the LGPD’s requirements for such companies under Article 41 is that they must appoint a data protection officer to be “in charge of processing personal data.” Given the prevalence of data processing in today’s digit... Read More

Brazil is at a historic moment regarding its General Data Protection Law. The LGPD is taking effect Sept. 18, 2020, after facing an uncertain and confusing scenario, since all indications were that the law’s effective date would be postponed to 2021. Instead, the LGPD is entering into force now, although the penalties for infractions will only start being applied Aug. 1, 2021. In practice, many doubts have arisen about the consequences involving its taking effect now but with the application of... Read More

Following a year of uncertainty regarding the date of implementation, Brazil’s General Data Protection Law has officially come into effect. Although Brazil is no stranger to sectoral privacy laws and already had more than 40 laws and norms at the federal level, the LGPD is the country’s first law to provide a comprehensive framework regulating the use and processing of all personal data. Greatly influenced by the EU General Data Protection Regulation, the LGPD will be familiar to those who have... Read More

In less than 48 hours, privacy professionals in Brazil and around the world have seen significant developments and unique challenges regarding the country's data protection legal landscape and, in particular, Brazil’s General Data Protection Law. On Aug. 25, 2020, the Brazilian House of Representatives approved Provisional Measure (MP) No. 959/2020, which included text stating the LGPD would enter into force Dec. 31, 2020. This outcome was celebrated by several local players, particularly in th... Read More

For privacy pros watching Brazil's pending privacy law, Thursday morning has been a doozy — a pour-yourself-that-second-cup-of-coffee-and-keep-the-water-on kind of a doozy. That's because Wednesday night, in an unprecedented move, the Brazilian Senate approved an amendment allowing the General Data Protection Law to go into effect immediately. The decision reverses a vote Tuesday from the Chamber of Deputies to delay the implementation of the LGPD to Dec. 31, 2020. "The whole scenario is quite... Read More

Compliance with the Brazilian General Data Protection Law has proven to be an essential and complex challenge for organizations. The lack of a data-driven culture, legal uncertainties, low investment in data governance and a growing landscape of cyber insecurity contributes to this complexity. The lack of data protection culture I often say that compliance with data law brings a double challenge regarding the creation of a culture that privacy demands. First, Brazilian organizations do not ha... Read More

October is a busy month in Brazil for kids, parents, schools, advertisers and companies belonging to the “children’s industry,” as Children’s Day was celebrated Oct. 12. For the same reason, civil society entities, advocacy groups and consumer associations, among others, spend time presenting relevant research and activities taken toward child protection from the previous year. When it comes to data regarding children, numbers are the best way to assess the relevance of the matter. Research sho... Read More

Privacy professionals all over the world have a lot on their plate. Laws continue to be proposed, passed and amended, and each piece of legislation comes with a brand new set of challenges to solve. No one has all of the answers. A panel at the IAPP Privacy. Security. Risk. conference took a look recent developments in Brazil and Mexico and some of the questions privacy professionals are grappling with in those two countries. An area of concern in both Brazil and Mexico is one that privacy pro... Read More

Last year, 2018, proved to be a very important year for data protection in Brazil. As recalled by European Data Protection Supervisor Giovanni Butarelli, Brazil is now considered the most populated country in the world to have a national general data protection law. There are, therefore, great expectations concerning privacy themes that should take a leading role in the privacy agenda in 2019. National data protection authority model: Free flow of information and compliance As the lights of 20... Read More

The Brazilian Data Protection Act (Lei Geral de Proteção de Dados, or LGPD) will come into force Feb. 16, 2020, and is an omnibus law that establishes detailed rules for the collection, use, processing and storage of personal data in Brazil, affecting all economic sectors, private and public entities, whether the processing of personal data occurs in the digital and physical environment. Unlike the General Data Protection Regulation of the European Union, which updated the rules established by t... Read More

By the middle of August last year, the Brazilian Congress took an important step on a data protection law. After many years of debates and different drafts, it finally enacted the General Data Protection Law (Law n. 13709/18). Clearly inspired by provisions in the EU General Data Protection Regulation, but innovating in certain matters, the Brazilian legislation establishes harmonized rules to be enforced against the public sector and private entities, big and small, regardless of their activiti... Read More

Brazil has recently approved its General Data Protection Law, giving the country a new legal framework for the use of personal data. The law will potentially enhance innovation in a number of areas by offering comprehensive rules for adequate data use when it goes into effect in early 2020. Listen to this web conference to learn more about the Brazilian rules, including the organizations it covers, whether there are exceptions for certain processing purposes, and if compliance requirements are s... Read More

In this Privacy Tracker series, we look at laws from across the globe and match them up against the EU General Data Protection Regulation. The aim is to help you determine how much duplication of operational effort you might avoid as you work to comply with multiple privacy and data protection laws worldwide and help you focus your efforts. In this installment, Bruno Bioni, Maria Cecília Oliveira Gomes and Renato Leite Monteiro, CIPP/E, CIPM, compare Brazil's General Data Protection Law, or LGPD... Read More