Regulators, Enforcement Priorities and Penalties
Who are the main data privacy, non-personal data and/or cybersecurity regulator(s) in the jurisdiction?

Last review date: 3 January 2025

Brazil has a federal-level regulator for LGPD matters, the ANPD. Initially created as a body linked to the Federal Presidency, it has been linked to the Ministry of Justice since January 2023. It has authority to enforce the obligations set out in the LGPD and to apply the statutory penalties, which range from fines to a prohibition on carrying out processing activities in the country.

However, the enforcement of data protection rights is not limited to the ANPD. Companies can also be subject to individual or collective claims from data subjects or other authorities or entities authorized to represent a class of data subjects, including consumer authorities for failure to comply with the LGPD.

Also, as mentioned in the section "Key Data Privacy and Cybersecurity Laws," Brazil has several sector-specific regulations containing cybersecurity and data privacy provisions, issued by different authorities such as BACEN, ANATEL and CVM. Although these authorities are not data privacy or cybersecurity regulators as such, non-compliance with their regulations, including the data privacy and cybersecurity obligations they contain, may result in enforcement against players in the industries subject to their regulatory framework.

How active is each of the regulator(s)?

Last review date: 3 January 2025

Consumer Authorities

☒ Very active

ANPD

☒ Moderately active

Sector-specific regulators

☒ Not very active (for data protection and cybersecurity matters)

Consumer authorities are currently the more active enforcers of data protection rights. While the ANPD is not yet as active, it has been stepping up its enforcement efforts compared to previous years, which indicates a growing focus on enforcement of the LGPD rather than only on regulation.

What are each of the regulator's anticipated enforcement priorities for the next 12 months?

Last review date: 3 January 2025

The ANPD has been focused on the enactment of regulations for the LGPD.

Some of its key recent activities include the following:

As such, enforcement of the topics above may be expected in the near future.

The ANPD has published its Regulatory Agenda for 2025-2026, outlining its priority topics and expected dates for upcoming regulations. The agenda is divided into phases.

The ANPD expects to regulate data subject rights during the first phase, followed by Data Protection Impact Assessments (DPIAs), data sharing by government entities, minors' data processing, biometric data, security measures, artificial intelligence, high-risk processing of personal data, processing of personal data by religious organizations, and anonymization and pseudonymization.

In phase two, a national personal data protection and privacy policy, along with good practices and data governance rules, is expected to be prepared. Additionally, processing activities carried out by data aggregators will be regulated, with the aim of providing clear guidance on the transparency measures to be adopted, the appropriate legal basis for the processing of personal data and the limits on the use of publicly available data. The last topic planned for phase two is health data.

Regulation on consent requirements is planned for phase three.

Finally, the regulation of the legal basis of credit protection is planned for phase four.

What trends are you seeing in regulatory investigations relating to data & cyber?

Last review date: 3 January 2025

Regulatory investigations or direct enforcement activity by data or cyber regulators are:

         Increasing

Class actions/group actions under data or cyber regulation are:

         Increasing

What are the potential penalties/remedies for non-compliance with the key data and cybersecurity laws in the jurisdiction?

Last review date: 3 January 2025

There are:

☒ administrative remedies / civil penalties applied by regulators and law enforcement

According to the LGPD, sanctions include:

  • Warnings, with an indication of a deadline for correction measures to be undertaken
  • Simple fines of up to 2% of the turnover of the private legal entity, group or conglomerate in Brazil in its last fiscal year, excluding taxes, capped at BRL 50 million (approx. USD 10.5 million) per violation
  • Daily fines, subject to the same overall cap as the simple fine
  • Public disclosure of the violation, once its occurrence has been duly verified and confirmed
  • Blocking of the personal data that is the subject of the violation, until remedied
  • Deletion of the personal data, which is the subject of the violation
  • Suspension of the relevant database for six months, renewable for another six-month period
  • Suspension of the processing activities for six months, renewable for another six-month period
  • Prohibition of processing activities

The ANPD published the Regulation on the Calculation and Application of Administrative Sanctions, which establishes standards and criteria for the application of administrative sanctions by the ANPD, as well as the forms and the manner for calculating the base value of fine sanctions.

☒ criminal penalties from regulators and law enforcement

Under Article 154-A of the Brazilian Criminal Code, it is a criminal offense to invade a third party's computing device, whether or not it is connected to the internet, in order to obtain, alter or destroy data or information without the express or implied authorization of the device owner, or to install vulnerabilities in order to obtain an illicit advantage. Following the amendment introduced by Law No. 14,155/2021, the basic offense is punishable by imprisonment (reclusão) of one to four years, plus a fine. The same penalty applies to anyone who produces, offers, distributes, sells or discloses a device or computer program intended to enable the conduct described above. Where the invasion results in obtaining the content of private electronic communications, industrial or trade secrets or confidential information, or in unauthorized remote control of the invaded device, the penalty is increased to imprisonment of two to five years, plus a fine. This aggravated penalty is further increased where the data or information obtained is disclosed, traded or transmitted to third parties.

☒ private remedies

The imposition of administrative remedies does not preclude the right of affected individuals to claim indemnification for damages caused by the processing of personal data. The Brazilian Federal Constitution expressly entitles the data subject to indemnification for both moral and material damages for violations of the individual's rights to data protection, intimacy, privacy and honor.

If data subjects have private remedies, what form can these remedies take?

Last review date: 3 January 2025

☒ individual personal actions

☒ representative actions (e.g., brought by a consumer / data privacy body or the supervisory authority)

☒ class actions