Brazil Legal Landscape Snapshot

This page offers a high-level overview of the data protection landscape in Brazil, including  any relevant laws, the challenges in implementing those laws, political willingness, and ongoing advocacy efforts. 

Exclusive Statute/Bill/Draft

The Lei Geral de Proteção de Dados (LGPD) or the General Personal Data Protection Law was passed by the Brazilian parliament in 2018 and came into force in 2020. 

Seven years before the existence of LGPD, the Lei do Cadastro Positivo (LCP - it can be translated as Good Credit Rating Score Law), brought the concept of database for the first time in a normative text. In other words, for the first time in Brazilian Law there was a concern with regulating technology, with special focus on databases, considering  risks, social impacts and vulnerabilities. 

The LCP  defined two general principles that are not only important, but were also kept in the LGPD seven years later: (i) The right to be informed; and (ii) Data quality, related to integrity, confidentiality and security of data. Therefore, the LCP has paved on 2011 an important path for the maturation of the debate on informational self-determination, and the importance of regulating the use and development of information technology, with special focus on databases


Features of Statute

The LGPD is closely modeled on the EU GDPR in terms of the rights codified for data subjects and the constellation of actors it establishes, such as data controllers, data processors etc. It imposes simple fines or daily fines for private legal entities, groups or conglomerates for up to 2% of their billing in the last year, limited in total to R$ 50 million reais for each infraction. 

The LGPD does not apply to the prosecution of criminal offences.


Related and Sector-Specific Laws

A significant part of the Brazilian legal landscape concerning data protection is the Marco Civil da Internet or the Brazilian Civil Rights Framework for the Internet. The framework was approved by the federal senate in 2014, close on the heels of whistleblower Edward Snowden’s revelations about the USA’s global surveillance programme. It puts forth a larger structure of various rights and policy positions as they interact with digital technologies. 

 

Other laws that also deal with specialised aspects of data protection and privacy in Brazil include: 

Consumer Protection Code (CDC – Law 8.078/ 1990)

Access to Information Law (LAI – 12.527/ 2011)

Positive Credit Registry Law (LCP – Law 12.414/ 2011)


Features of Enforcement 

The LGPD has established a national Data Protection Authority, called the Autoridade Nacional de Proteção de Dados (ANPD). It is composed of, among other things, a council, an ombudsman, and a board of directors. The enforcement of fines and penalties came into effect as recently as in August 2021.

The ANPD’s work agenda for the next 2 years comprises 3 strategic objectives: a. Promoting the strengthening of the culture of personal data protection; b. Establish an effective normative environment for privacy and data protection; and c. Improve conditions for the compliance with legal requirements.


Composition and oversight of the regulatory body

Brazilian DPA (ANPD) is established as an organ of the federal public administration. Therefore, it is linked to the Government. As a result, it loses one of the most important characteristics of DPAs: full independence. On paper, however, the LGPD guarantees the ANPD technical and decision-making autonomy.

The ANPD is composed of a 5-member Directing Council, a 23-member Advisory Board called the National Council for the Protection of Personal Data and Privacy (CNPD), organs of assistance to the Directing Council, and other sectional departments.

The Directing Council is the highest decision-making body of the ANPD, and the Chief Executive Officer is responsible for the management and institutional representation of the ANPD. 


Related Draft Legislations

The LGPD has exceptions to the public security activities and criminal investigations. An additional Draft Criminal Data Protection Law (2020) will focus entirely on governing these exceptions. Other draft bills proposing changes to the LGPD are:

 

The PL 365/2020 proposes that philanthropic entities be included in the list of exceptions to the application of the LGPD, along with milder fines and penalties for them.

The PL 4963/2019 proposes to regulate the voluntary sharing of investments, insurance and banking data of account holders with other individuals or legal entities.

The PL 3044/2020 proposes new rules for the use of pseudonyms and anonymous profiles on the Internet.

The PEC 17/2019 intends to insert the right to personal data’s protection as a constitutional clause.

Predominant Hurdles In Implementation

The roles and eligibility of the DPOs of small businesses and the public sector are still under discussion. This adds uncertainty and ambiguity to the application of the law. 

Meanwhile, on the subject of securing sensitive databases, government repositories are yet to put adequate measures in place. This highlights a lack of preparedness from public entities in areas that require a more proactive compliance. 

Key National Issues in the Field

Issues arising from rapid digitalisation drive the debates around data protection in Brazil. Internet services in Brazil do not adhere to net neutrality norms. A push for smart cities has also posed data protection challenges. 

A proposed initiative to create a centralised database of digital government IDs has sparked an important discussion on the dangers of such a centralised database, its potential to be a honeypot for malicious actors, and the threat of government surveillance. Brazil’s Electoral Supreme Court has the country’s largest central biometric database. 

Current Political Climate

 

There has been an increased militarisation of cities under Brazil’s conservative president Jair Bolsonaro. The far-right has used a biased interpretation of the LGPD and the Marco Civil Law of the Internet, threatening the democratic system and aiding the spread of misinformation. This is especially significant considering that 2022 is an election year in Brazil, and Bolsonaro will seek re-election. He drafted a bill (already denied by the Senate) that sought changes in the Marco Civil Law, to limit the action of providers of websites and social media, keeping them from removing pages and/or blocking accounts,  in defense of "freedom of expression" and "right to privacy" of users. 

The argument was to fight arbitrary and unjustified exclusions motivated by a political persecution from the Left on these platforms, making it difficult for large social media platforms to remove content that violates the Terms of Use. This is not by chance. There are recent examples where the President himself spread misinformation about the electronic voting system (in use in Brazil since 1995), and also the unfounded dangers of COVID-19 vaccination, through his own social media accounts.

With the general elections coming up in 2022, citizens’ data is being used by political parties to build campaign strategies, particularly through WhatsApp groups (In 2020, 91% of Brazilian internet users were  on Facebook-owned messaging platforms. WhatsApp, in turn, is installed on 99% of Brazilian smartphones, with 93% using the app everyday: an estimated 120 million people). While no political party has shown a dedicated interest in privacy issues, some electoral representatives have done so in an individual capacity. 

Social campaigns centered on race, gender and sexual orientation have begun to address privacy and data protection as and where they intersect with their movements.

Over the last five years, as a result of the drafting and approval of the LGPD, several stakeholders emerged and got involved to defend the data protection policies. The majority of these stakeholders are civil societies (NGO, lawyers association, etc.) and academics working on digital rights.  Private sector groups, especially those from big technology companies, remain invested in how the legislation is enforced. Social movements, such as black activists, have also started discussing these themes due to the implementation of facial recognition in several cities and states and compulsory DNA identification of prison population


Goals

Raising public awareness around data protection and privacy issues is the most important significant advocacy goal in Brazil currently. This will require campaigning for better regulation of biometric data and digital ID records and against the deployment of facial recognition technologies for public security. Another goal is to advocate for a more independent ANPD. This will ideally involve engagement with a more diverse set of civil society organisations in these efforts, such as those campaigning for gender equality and against racism. 


Challenges

Disinformation, hate speech, and harassment of human rights advocates are the chief obstacles for f advocacy efforts in Brazil. The country has one of the highest homicide rates for human rights activists (second only to Colombia) in the world, according to a 2021 report by the UN Human Rights Council.