
Data protection in Brazil: what to expect this year

In 2023, the Brazilian General Data Protection Law (LGPD) celebrates five years since its publication.

Since its entry into force in 2020, the LGPD has come a long way, but there are several legal issues relating to the protection of personal data that still need further refinement. 

Brazilian Data Protection Authority

One of the main changes since the enactment of the LGPD has been the change in the legal nature of the National Data Protection Authority (ANPD), which represented an important step in the process of adapting Brazilian regulation to international data protection standards. Originally created as part of the Federal Public Administration and linked to the Presidency, the ANPD was recently transformed into an independent agency. This status has effectively given the ANPD technical and decision-making autonomy.

Regulation of Specific LGPD Topics

The ANPD is currently carrying out all of its inspection and sanctioning functions except for the application of fines, which was the subject of discussion in public consultation (as mentioned below). The ANPD has already issued the following resolutions: 

  • a 2021 resolution establishing the rules and procedures for the inspection process and the administrative sanctions process; and  
  • a 2022 resolution which approves the regulations for micro and small businesses and for startups and innovation companies.  

In order to provide guidance to data processors on the subject of personal data protection, ANPD (alongside several other entities and authorities) has also published and updated several guidelines and technical documents on its official website, covering a variety of specific data protection topics.   

Nevertheless, there are still several LGPD provisions pending clarification and/or regulation by the ANPD. In this regard, in August of 2022 the ANPD opened four public consultations on the following matters. 

ANPD’s Regulatory Agenda for the biennium 2023-2024

Aiming to confer greater publicity, predictability, transparency, and efficiency to its regulatory process, as well as to improve the relationship with processing agents, the agency published a call for public comments with the main topics pending regulation to be classified by the public in order of priority and relevance. 

After the contributions by the public, the ANPD approved its Regulatory Agenda for 2023-2024 at the end of 2022. Overall, 20 initiatives are foreseen in the Agenda that were classified into phases by order of priority.

Resolution On The Application Of Administrative Penalties

The draft Resolution on the Application of Administrative Penalties sets out a methodology for the application of the sanctions provided for in the LGPD, seeking to ensure that its decisions are effective, transparent, objective and consistent. Finalising this regulation is the main pending issue before the ANPD begins to apply fines. Among the most relevant points of the draft proposed by the agency are:  

  • the classification of penalties (e.g. warnings and fines, the publicising of the infraction, suspension of personal data processing activities); 
  • the establishment of criteria and parameters for the definition of sanctions (e.g. the gravity and nature of the act, degree of damage and the cooperation and good faith of the offender); 
  • the classification of infractions as light, medium or serious; and 
  • the application and calculation of the fine sanctions established by the LGPD.

Resolution on High-Risk Personal Data Processing

This consultation stems from the provisions of a 2022 regulation that provides the criteria for defining when the processing performed is of high risk to the data subjects. Although the regulation relaxes some of the obligations provided for in the LGPD, small-sized data processing agents who carry out high-risk processing will not be able to benefit from this differentiated legal regime. In light of this, the ANPD is preparing a guideline to assist small data processors in the evaluation of their personal data processing.  

Regulation on the Processing of Children and Adolescents’ Personal Data

Given the importance and controversial nature of this topic, the LGPD has reserved a specific section for the personal data processing of children and adolescents, establishing that such processing must be carried out in the best interests of these data subjects. To this end, the ANPD has prepared a preliminary study on the legal rules applicable to the personal data processing of children and adolescents. In this study, the agency addressed especially the mandatory collection of consent from legal guardians for the processing of children’s personal data, as well as its implications. 

What to Expect in the Future?

Recent surveys indicate that most Brazilian companies are not compliant with the LGPD. At the same time, incidents involving personal data continue to grow in the country, placing Brazil among the countries with the highest total number of data incidents. Although the ANPD has shown that it is aware of the need to invest time and effort in raising awareness about personal data protection before taking a more aggressive stance, organisations must commit to LGPD compliance. 

In the first half of 2023, we expect: 

  • a study of compliance with the LGPD by the General Inspection Coordination;  
  • an increase in requests by data subjects directed to companies and the ANPD to exercise their rights;  
  • an ongoing increase in the number of cyber-attacks and security incidents, such as data leaks, due to the progressive growth in the volume of personal data circulating in digital environments and platforms. 

We also expect regulation by the ANPD on:  

  • the application of administrative penalties;  
  • rights of the data subjects;  
  • deadlines for Information Security Incident reporting and notification;  
  • mechanisms for international transfer of personal data, including defining the content of Brazilian standard contractual clauses, among others;  
  • Data Protection Impact Assessment (DPIA) for cases where the processing poses a high risk; and  
  • the definition and duties of the Data Protection Officer, including cases of exemption from the requirement to appoint one based on the nature and size of the entity or the volume of data processing operations.  

Although enormous challenges lie ahead for the full implementation and proper enforcement of the LGPD, the advances in these last four years have brought the certainty that data privacy and the protection of personal data are rights that are here to stay.  

In light of these advances, it is expected that the gaps in LGPD will soon be filled, bringing greater legal certainty to organisations and more effective protection for personal data subjects in a global scenario of increasingly data-driven economies.

Ius Laboris




Ius Laboris is a leading international employment law practice combining the world’s leading employment, labour and pension firms. Our role lies in sharing insights and helping clients to navigate the world of labour and employment law successfully.