Brazil

Image

Brazil Topic Page

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources related to privacy in Brazil. The IAPP Resource Center also includes a “Latin America” topic page, which can be accessed here.

  • expand_more

    LGPD Law and Documents

Featured Resources

ARTICLE SERIES

Top-5 operational impacts of Brazil’s LGPD

This is a five-part series aimed at helping global privacy professionals better understand the operational impacts of Brazil’s new General Data Protection Law.
Read More

ARTICLE

How Brazilian courts apply the LGPD

Opice Blum analyzed more than 400 decisions by state courts understand how the LGPD is being applied. This article breaks down trends to closely monitor.
Read More

GUIDANCE

English translation of the LGPD

The IAPP Resource Center hosts an English translation of the Brazilian General Data Protection Law. This translation was based on an initial version by Monica Hruby.
Read More

ARTICLE

Applicable legal basis of affirmative action under the LGPD

Examples of affirmative actions can be found in legislation across Brazil, both at a federal and state level. look at This article looks at the possible legal basis for processing personal data for affirmative action purposes under the General Data Protection Law.
Read More

ARTICLE

ANPD’s LGPD buildup, priorities

In this interview, Miriam Wimmer, CIPP/E, one of five directors for the ANPD (Brazil’s DPA), opens up about the beginning of the ANPD’s work and what lies ahead.
Read More

ARTICLE

Operational impacts of the LGPD: Enforcement mechanisms and sanctions

The LGPD requires controllers processing personal data to appoint a data protection officer to help tackle various tasks, such as ensuring adequate record-keeping, data impact assessment preparation and proper processing practices. This article looks at the enforcement mechanisms under the law and sanctions companies may face for noncompliance.
Read More


Latin America Dashboard Digest newsletter

Keep up to date with the most important privacy and data protection news from Latin America by subscribing to the Latin America Dashboard Digest enewsletter.

The Data Protection Authority

Brazil’s President Michel Temer enacted a provisional measure, creating the Brazilian Data Protection Authority (Autoridade Nacional de Proteção de Dados or ANPD) and altering several provisions of the Brazilian General Data Protection Law (Lei Geral de Proteção de Dados or LGPD).


ANPD releases DPIA guidance

Brazil's data protection authority, the Autoridade Nacional de Proteção de Dados, published a Q&A outlining proper procedures for data protection impact assessments. The 15-question document covers basic inquiries the covered entities have regarding process, preparation and requirements for performing DPIAs. The regulator indicated the list is a work in progress considering "additional obligations and parameters may be established by the ANPD in the future."Full Story ... Read More

ANPD publishes investigation list

Brazil's data protection authority, the Autoridade Nacional de Proteção de Dados, updated and released its list of ongoing probes into potential General Law for the Protection of Personal Data violations. The list publicizes company names, their industries, descriptions of alleged misconduct and statuses of cases in the sanctioning process. The ANPD will add further details on final decisions as cases conclude.Full Story... Read More

ANPD publishes new security incident reporting form

The General Inspection Coordination of Brazil's data protection authority, the Autoridade Nacional de Proteção de Dados, published a form for security incident reporting by personal data controllers. The new document, required as of Jan. 1, includes expanded structured responses and guidelines on the incident reporting process. The ANPD said an "expected benefit is the improvement in the quality of responses to allow the structuring of a reliable database on security incidents."Full Story... Read More

Measure gives ANPD independent body status

A provisional measure will give Brazil's data protection authority, the Autoridade Nacional de Proteção de Dados, independent authority from the Brazilian government, ZDNet reports. While it still requires approval from Brazil's National Congress, the measure gives the ANPD full control of its administrative and budgetary processes. Concerns were raised regarding the regulator's ties to Brazil's president when the ANPD was established. The ANPD said it is "more capable of prioritizing actions an... Read More

CNPD establishes internal regulations

A resolution outlining internal regulations and processes for Brazil's National Council for the Protection of Personal Data and Privacy was filed in the Official Gazette. The CNPD will be responsible for the oversight of Brazil's data protection authority, the Autoridade Nacional de Proteção de Dados, which will include proposing strategic guidelines for the ANPD's work, suggesting actions to the regulator and performing annual evaluations. The council will also facilitate studies, debates and p... Read More

ANPD updates guidance on processing agents, DPOs

Brazil's data protection authority, the Autoridade Nacional de Proteção de Dados, released an updated version of its guidance on definitions of data processing agents and data protection officers. The guidance includes revisions on concepts for controllers, joint controllers, processors, subprocessors and DPOs, as well as practical examples of each role. The ANPD said the updates work to clear up "issues that have generated the most doubts" among those covered by the law.Full Story... Read More

ANPD ombudsman releases 2021 management report

The ombudsman of Brazil’s data protection authority, the Autoridade Nacional de Proteção de Dados, presented its first annual management report for 2021. Among other things, the ombudsman is responsible for questions related to the ANPD’s implementation of the Brazilian General Data Protection Law. “Efforts have been made to make citizens’ demands materialize in products and information useful to all stakeholders and affected personal data protection legislation,” the report said, adding the omb... Read More

ANPD releases infosecurity guide for small processors

Brazil's data protection authority, the Autoridade Nacional de Proteção de Dados, published an information security guide for small-scale data processors. The guidance features suggested administrative and technical measures under the General Data Protection Law, and it is accompanied by a checklist outlining how the measures should be adopted. "Inducing and directing the protection of personal data is an important mission of ANPD and making progress in providing tools and document templates can... Read More

ANPD publishes consumer data protection guide

Brazil's data protection authority, the Autoridade Nacional de Proteção de Dados, along with the National Consumer Secretariat of the Ministry of Justice and Public Security, published a guide to help consumers understand how to secure their data and effectuate data protection rights under the General Data Protection Law. Consumers are given details on what data is necessary or allowed for certain processing activities and what they can do if there is an LGPD violation. Meanwhile, the ANPD has b... Read More

Brazil’s DPA holds hearing on the regulation of investigative powers and penalties

Brazil’s data protection authority, the Autoridade Nacional de Proteção de Dados, held hearings July 15 and 16 where the public had the opportunity to offer 5-minute comments, via an online platform, on the draft regulation governing the ANPD’s investigation powers and the application of penalties set forth in the General Data Protection Law. The draft was based on the “responsive regulation” model. This model comes from Professor John Braithwaite’s works and has been widely adopted by Brazilia... Read More

What to know about Brazil's DPA director appointments

The sudden implementation of Brazil's General Data Protection Law proved dizzying for the local and global privacy communities alike. While there continues to be a learning curve and much to sort out under the law, privacy professionals are, in fact, pleased with the progress taking place in Brazil. The steps forward continued Oct. 20, 2020, as Brazil's Senate confirmed President Jair Bolsonaro's five nominations to the board of directors for Brazil's data protection authority, the Autoridade N... Read More

Congress approves creation of Brazilian data protection authority, amends LGPD

A Brazilian data protection authority was expected to be formed at the time the Brazilian General Data Protection Act passed in August 2018. Such authority, mentioned more than 50 times in the LGPD, would be responsible for overseeing the enforcement of privacy and data protection laws in Brazil. While the LGPD was originally approved by Congress in August 2018, providing for the creation of the Brazilian DPA, the president vetoed its creation at that time due to a flaw in the legislative proce... Read More

Changes to Brazil's data protection law and the establishment of the DPA

Dec. 28, 2018, Executive Order n° 869, of December 27th 2018, was published in the Diário Oficial da União. It promotes several alterations to Federal Law n° 13.709, of Aug. 14, 2018, known as the Brazilian General Data Protection Regulation. One of the most important alterations is the creation of the Brazilian National Data Protection Authority. It is important to mention that MP n° 869/18 also alters the vacatio legis period for the LGPD to 24 months, changing the enforcement date from Februa... Read More

Brazil’s DPA has arrived: Is it a blessing or curse in disguise?

As the curtains close on his mandate, Brazil’s President Michel Temer enacted a provisional measure — similar to an executive order in the U.S. — that was published in the Official Gazette Dec. 28, 2018, creating the Brazilian Data Protection Authority (Autoridade Nacional de Proteção de Dados or ANPD) and altering several provisions of the Brazilian General Data Protection Law (Lei Geral de Proteção de Dados or LGPD). The act was highly anticipated by the market for a very clear reason: Withou... Read More

Additional News and Resources

CIPL, CEDIS — Effective LGPD Project

The Centre for Information Policy Leadership and Centro de Direito, Internet e Sociedade of Instituto Brasiliense de Direito Público has published this updating series of papers, infographics and public consultations covering Brazil’s General Data Protection Law. Read More

ANPD releases DPIA guidance

Brazil's data protection authority, the Autoridade Nacional de Proteção de Dados, published a Q&A outlining proper procedures for data protection impact assessments. The 15-question document covers basic inquiries the covered entities have regarding process, preparation and requirements for performing DPIAs. The regulator indicated the list is a work in progress considering "additional obligations and parameters may be established by the ANPD in the future."Full Story ... Read More

ANPD publishes investigation list

Brazil's data protection authority, the Autoridade Nacional de Proteção de Dados, updated and released its list of ongoing probes into potential General Law for the Protection of Personal Data violations. The list publicizes company names, their industries, descriptions of alleged misconduct and statuses of cases in the sanctioning process. The ANPD will add further details on final decisions as cases conclude.Full Story... Read More

ANPD updates guidance on processing agents, DPOs

Brazil's data protection authority, the Autoridade Nacional de Proteção de Dados, released an updated version of its guidance on definitions of data processing agents and data protection officers. The guidance includes revisions on concepts for controllers, joint controllers, processors, subprocessors and DPOs, as well as practical examples of each role. The ANPD said the updates work to clear up "issues that have generated the most doubts" among those covered by the law.Full Story... Read More

Brazilian Senate appoints commission to address, draft AI regulation

According to the Senate News Agency, Brazil’s Senate appointed a commission of jurists to draft a proposal to regulate AI. The commission will focus on the economic and social impacts of AI in areas including sustainable development, public security, agriculture, industry, digital services, health care and IT, and must report back to the Senate in 120 days. During the drafting process, the commission plans to study other AI regulations, such as those in the European Union. Full Story... Read More

Brazilian Congress approves personal data protection amendment to constitution

Brazilian Congress passed an amendment to Article 5 of the constitution that gives citizens the fundamental right to personal data protection, ZDNet reports. The amendment is an unchangeable clause, which means protections for citizens can only be expanded. Supporters said the amendment elevated the General Data Protection Law into the constitution and would improve the investment climate for the technology and communications sectors. However, critics said proposals approved by the Lower House o... Read More

Brazilian government launches data protection guide

Brazil's government launched a data protection guide to promote awareness with the general public, ZDNet reports. Created in cooperation with the national data protection authority, the report details the rights of data users, including the right to opt out, how to protect personal information and what steps to take if they have been involved in a data breach. The report also outlines steps organizations "should act in relation to personal data." Editor's note: The IAPP launched a Brazil topic p... Read More

D&I programs and processing of employees' personal data: Challenges and guidelines considering Brazil’s data protection legal framework

Over the past years, many studies have shown when the inclusion cycle begins in employment relations, and it is more likely significant changes are made toward the recognition of rights and safeguards that break the chains of exclusion in our society. Unfortunately, it is also known that social equality is far from being a reality. The study "LGBT+ in the pandemic" found six out of 10 LGBTQ+ people in Brazil experienced a loss or decrease in income due to the COVID-19 pandemic. Also, according t... Read More

Can mandatory consent be optional? Processing children’s personal data under Brazil's LGPD

Society's "datafication" also affects children, who are especially vulnerable to the exposure of their personal information. In its children's data and privacy online report, the London School of Economics divides children's privacy into three segments: interpersonal (the creation of children's digital footprints), institutional (how the government and related agencies handle children's data) and commercial (how children's data is used by businesses and for marketing purposes). With the prolifer... Read More

Does Brazil’s LGPD recognize gender identity, sexual orientation as sensitive personal data?

It has become increasingly common to discuss what "normal" bodies are and how "normal" gender and sexuality play a role in our society. When "normal" means cisgender and heterosexual, the LGBTQIA+ (lesbian, gay, bisexual, transgender, queer, intersex, asexual and other) community is easily forgotten about. This marginalization is a way to favor those who conform and, consequently, punish those who do not. LGBTQIA+ identities are often rejected through discrimination, inferiorization and criminal... Read More

Wimmer discusses ANPD's LGPD buildup, priorities

Privacy professionals are still working to make sense of what enforcement of Brazil's General Data Protection Law will look like when the law's grace period ends Aug. 1, 2021. Brazil's data protection authority, the Autoridade Nacional de Proteção de Dados, pulled back the curtain on its enforcement focuses with the recent release of its regulatory agenda and 2021–23 strategic plan. ANPD Director Miriam Wimmer, CIPP/E, appointed to one of five seats on the regulator's board of directors in Octo... Read More

Brazilian SGD publishes guidelines for compliance with LGPD

Recently, Brazil's Digital Government Secretariat issued guidelines to instruct the interpretation of the General Data Protection Law (Law No. 13.709/2018,) by public entities. Although the guidelines are addressed to the public sector, they include instructions for private companies when applicable. Each guideline is based on compliance benchmarks that comprise privacy and governance, data mapping, terms of use and privacy notices, risk analysis, adequacy of information and technology contract... Read More

Brazil's DPO dilemma: How and who to choose?

Organizations are responsible for compliance with Brazil's General Data Protection Law and, therefore, must adopt effective measures capable of proving compliance with the rule. One of the determinations provided for in the LGPD is that the controller designates the data protection officer, who will act as a communication link between the controller, the data subjects (individuals) and the Autoridade Nacional de Proteção de Dados. The DPO will be the person responsible for the dissemination of ... Read More

Privacy Around the Globe: Brazil

Original Broadcast Date: October 2020 In this LinkedIn Live, IAPP Chief Knowledge Officer Omer Tene and Lawyer and Law Professor Danilo Doneda discuss the landscape of privacy in Brazil. Watch the full recording on LinkedIn. Access the IAPP's LinkedIn profile.... Read More

Study: LGPD likely to require at least 50K DPOs in Brazil alone

Brazil’s General Data Protection Law is now in effect. Much like the EU General Data Protection Regulation, the LGPD has extraterritorial applicability, meaning any organization processing personal data in Brazil must comply with the law irrespective of the company’s location. One of the LGPD’s requirements for such companies under Article 41 is that they must appoint a data protection officer to be “in charge of processing personal data.” Given the prevalence of data processing in today’s digit... Read More

Brazil's LGPD now in effect — what does this mean for enforcement?

Brazil is at a historic moment regarding its General Data Protection Law. The LGPD is taking effect Sept. 18, 2020, after facing an uncertain and confusing scenario, since all indications were that the law’s effective date would be postponed to 2021. Instead, the LGPD is entering into force now, although the penalties for infractions will only start being applied Aug. 1, 2021. In practice, many doubts have arisen about the consequences involving its taking effect now but with the application of... Read More

An overview of Brazil's LGPD

Following a year of uncertainty regarding the date of implementation, Brazil’s General Data Protection Law has officially come into effect. Although Brazil is no stranger to sectoral privacy laws and already had more than 40 laws and norms at the federal level, the LGPD is the country’s first law to provide a comprehensive framework regulating the use and processing of all personal data. Greatly influenced by the EU General Data Protection Regulation, the LGPD will be familiar to those who have... Read More

Brazilian Senate reverses course, national privacy law in effect

In less than 48 hours, privacy professionals in Brazil and around the world have seen significant developments and unique challenges regarding the country's data protection legal landscape and, in particular, Brazil’s General Data Protection Law. On Aug. 25, 2020, the Brazilian House of Representatives approved Provisional Measure (MP) No. 959/2020, which included text stating the LGPD would enter into force Dec. 31, 2020. This outcome was celebrated by several local players, particularly in th... Read More

In rapid-fire reversal, Brazil effectuates privacy law immediately

For privacy pros watching Brazil's pending privacy law, Thursday morning has been a doozy — a pour-yourself-that-second-cup-of-coffee-and-keep-the-water-on kind of a doozy. That's because Wednesday night, in an unprecedented move, the Brazilian Senate approved an amendment allowing the General Data Protection Law to go into effect immediately. The decision reverses a vote Tuesday from the Chamber of Deputies to delay the implementation of the LGPD to Dec. 31, 2020. "The whole scenario is quite... Read More

The challenge of adequacy with Brazil's General Data Protection Law

Compliance with the Brazilian General Data Protection Law has proven to be an essential and complex challenge for organizations. The lack of a data-driven culture, legal uncertainties, low investment in data governance and a growing landscape of cyber insecurity contributes to this complexity. The lack of data protection culture I often say that compliance with data law brings a double challenge regarding the creation of a culture that privacy demands. First, Brazilian organizations do not ha... Read More

How Brazil regulates children's privacy and what to expect under the new data protection law

October is a busy month in Brazil for kids, parents, schools, advertisers and companies belonging to the “children’s industry,” as Children’s Day was celebrated Oct. 12. For the same reason, civil society entities, advocacy groups and consumer associations, among others, spend time presenting relevant research and activities taken toward child protection from the previous year. When it comes to data regarding children, numbers are the best way to assess the relevance of the matter. Research sho... Read More

What are privacy pros grappling with in Brazil, Mexico?

Privacy professionals all over the world have a lot on their plate. Laws continue to be proposed, passed and amended, and each piece of legislation comes with a brand new set of challenges to solve. No one has all of the answers. A panel at the IAPP Privacy. Security. Risk. conference took a look recent developments in Brazil and Mexico and some of the questions privacy professionals are grappling with in those two countries. An area of concern in both Brazil and Mexico is one that privacy pro... Read More

Privacy and personal data protection in Brazil: 2019

Last year, 2018, proved to be a very important year for data protection in Brazil. As recalled by European Data Protection Supervisor Giovanni Butarelli, Brazil is now considered the most populated country in the world to have a national general data protection law. There are, therefore, great expectations concerning privacy themes that should take a leading role in the privacy agenda in 2019. National data protection authority model: Free flow of information and compliance As the lights of 20... Read More

How to be compliant with Brazil's Data Protection Act

The Brazilian Data Protection Act (Lei Geral de Proteção de Dados, or LGPD) will come into force Feb. 16, 2020, and is an omnibus law that establishes detailed rules for the collection, use, processing and storage of personal data in Brazil, affecting all economic sectors, private and public entities, whether the processing of personal data occurs in the digital and physical environment. Unlike the General Data Protection Regulation of the European Union, which updated the rules established by t... Read More

Brazilian Data Protection Law: A complex patchwork

By the middle of August last year, the Brazilian Congress took an important step on a data protection law. After many years of debates and different drafts, it finally enacted the General Data Protection Law (Law n. 13709/18). Clearly inspired by provisions in the EU General Data Protection Regulation, but innovating in certain matters, the Brazilian legislation establishes harmonized rules to be enforced against the public sector and private entities, big and small, regardless of their activiti... Read More

Web con: 'Understanding the New Brazil General Data Protection Law'

Brazil has recently approved its General Data Protection Law, giving the country a new legal framework for the use of personal data. The law will potentially enhance innovation in a number of areas by offering comprehensive rules for adequate data use when it goes into effect in early 2020. Listen to this web conference to learn more about the Brazilian rules, including the organizations it covers, whether there are exceptions for certain processing purposes, and if compliance requirements are s... Read More

GDPR matchup: Brazil's General Data Protection Law

In this Privacy Tracker series, we look at laws from across the globe and match them up against the EU General Data Protection Regulation. The aim is to help you determine how much duplication of operational effort you might avoid as you work to comply with multiple privacy and data protection laws worldwide and help you focus your efforts. In this installment, Bruno Bioni, Maria Cecília Oliveira Gomes and Renato Leite Monteiro, CIPP/E, CIPM, compare Brazil's General Data Protection Law, or LGPD... Read More