Brazil

The Brazilian General Data Protection Legislation (LGPD), drafted in 2018 and effective as of February of 2020, is in its early stages of implementation. To oversee enforcement, Brazil’s former president established the Data Protection Authority (DPA), tasked with operationalizing the nascent legislation. In these early stages, advocacy efforts in the country are focused on ensuring the DPA maintains consultation with civil society and human rights groups in developing good guidelines and regulations, staffs its ranks with respected experts, and establishes independence from the federal government as it begins enforcing sanctions this year.

To learn more about data protection topics and programming in Brazil, take a look at the Bolivia resource page here, or browse resources via specific categories below.

Brazil Resources

Podcast Dadocracia

Tags - Advocacy, Introduction to Data Protection
Brazil
Portuguese

Data Privacy Brazil

Take a look at Data Privacy Brazil's podcast!

Jogue com as crianças: Dados Pessoais

Tags - Securing Personal Data
Brazil
Portuguese

Safernet Brasil

Online activities to raise children's awareness of how they share their personal data on the Internet.

Entenda e reconheça seus rastros digitais

Tags - Securing Personal Data
Brazil
Portuguese

Safernet Brasil, 2017

A guide to learn more about the traces we leave from our use of the Internet, especially in relation to personal data.

Pornografia sem consentimento: Cinco recomendações para denunciar e resistir com a sua publicação

Tags - Best Practices, Securing Personal Data, Strategic Litigation
Brazil
Portuguese

Acoso Online, 2021

This is a useful resource to learn more about nonconsensual pornography and how to fight back using legal and technical tools in Brazil.

Looking to understand existing case law to guide advocacy and strategic litigation?
Interested to learn more about the status of data protection in Brazil?
Click below for more resources to inform advocacy, community building, enforcement, and other topics in support of rights-respecting data protections.
What does the legal landscape look like in Brazil?

The following snapshot is intended to help identify and understand the various factors impacting the passage of rights-respecting data protection legal frameworks. This includes the roadblocks to establishing a dedicated law, the key issues being considered within the data privacy conversation, the political circumstances under which these developments take place, and the ongoing advocacy practices that aim to support data privacy regulations.

Exclusive Statute/Bill/Draft

The Lei Geral de Proteção de Dados (LGPD) or the General Personal Data Protection Law was passed by the Brazilian parliament in 2018 and came into force in 2020.

Seven years before the LGPD existed, the Lei do Cadastro Positivo (LCP, which can be translated as Good Credit Rating Score Law) introduced the concept of a database into a normative text for the first time. In other words, for the first time in Brazilian law there was a concern with regulating technology, with a special focus on databases, considering risks, social impacts and vulnerabilities.

The LCP defined two general principles that are not only important but were also kept in the LGPD seven years later: (i) the right to be informed; and (ii) data quality, related to the integrity, confidentiality and security of data. In 2011, the LCP therefore paved an important path for the maturation of the debate on informational self-determination and on the importance of regulating the use and development of information technology, with a special focus on databases.

Features of Statute

The LGPD is closely modeled on the EU GDPR in terms of the rights codified for data subjects and the constellation of actors it establishes, such as data controllers and data processors. It imposes simple fines or daily fines on private legal entities, groups or conglomerates of up to 2% of their billing in the last year, limited in total to R$ 50 million for each infraction.

The LGPD does not apply to the prosecution of criminal offences.

Related and Sector-Specific Laws

A significant part of the Brazilian legal landscape concerning data protection is the Marco Civil da Internet or the Brazilian Civil Rights Framework for the Internet. The framework was approved by the federal senate in 2014, close on the heels of whistleblower Edward Snowden’s revelations about the USA’s global surveillance programme. It puts forth a larger structure of various rights and policy positions as they interact with digital technologies.

Other laws that also deal with specialised aspects of data protection and privacy in Brazil include:

Consumer Protection Code (CDC – Law 8.078/ 1990)

Access to Information Law (LAI – 12.527/ 2011)

Positive Credit Registry Law (LCP – Law 12.414/ 2011)

Features of Enforcement 

The LGPD has established a national Data Protection Authority, called the Autoridade Nacional de Proteção de Dados (ANPD). It is composed of, among other things, a council, an ombudsman, and a board of directors. The enforcement of fines and penalties came into effect as recently as August 2021.

The ANPD’s work agenda for the next 2 years comprises 3 strategic objectives: (a) promoting the strengthening of the culture of personal data protection; (b) establishing an effective normative environment for privacy and data protection; and (c) improving conditions for compliance with legal requirements.

Composition and oversight of the regulatory body

The Brazilian DPA (ANPD) is established as an organ of the federal public administration. Therefore, it is linked to the Government. As a result, it loses one of the most important characteristics of DPAs: full independence. On paper, however, the LGPD guarantees the ANPD technical and decision-making autonomy.

The ANPD is composed of a 5-member Directing Council, a 23-member Advisory Board called the National Council for the Protection of Personal Data and Privacy (CNPD), organs of assistance to the Directing Council, and other sectional departments.

The Directing Council is the highest decision-making body of the ANPD, and the Chief Executive Officer is responsible for the management and institutional representation of the ANPD.

Related Draft Legislations

The LGPD has exceptions for public security activities and criminal investigations. An additional Draft Criminal Data Protection Law (2020) will focus entirely on governing these exceptions. Other draft bills proposing changes to the LGPD are:

The PL 365/2020 proposes that philanthropic entities be included in the list of exceptions to the application of the LGPD, along with milder fines and penalties for them.

The PL 4963/2019 proposes to regulate the voluntary sharing of investments, insurance and banking data of account holders with other individuals or legal entities.

The PL 3044/2020 proposes new rules for the use of pseudonyms and anonymous profiles on the Internet.

The PEC 17/2019 intends to insert the right to the protection of personal data as a constitutional clause.

Predominant Hurdles In Implementation

The roles and eligibility of the DPOs of small businesses and the public sector are still under discussion. This adds uncertainty and ambiguity to the application of the law.

Meanwhile, on the subject of securing sensitive databases, government repositories are yet to put adequate measures in place. This highlights a lack of preparedness among public entities in areas that require more proactive compliance.

Key National Issues in the Field

Issues arising from rapid digitalisation drive the debates around data protection in Brazil. Internet services in Brazil do not adhere to net neutrality norms. A push for smart cities has also posed data protection challenges.

A proposed initiative to create a centralised database of digital government IDs has sparked an important discussion on the dangers of such a centralised database, its potential to be a honeypot for malicious actors, and the threat of government surveillance. Brazil’s Electoral Supreme Court has the country’s largest central biometric database.

Over the last five years, as a result of the drafting and approval of the LGPD, several stakeholders emerged and got involved to defend data protection policies. The majority of these stakeholders are civil society groups (NGOs, lawyers' associations, etc.) and academics working on digital rights. Private sector groups, especially those from big technology companies, remain invested in how the legislation is enforced. Social movements, such as black activists, have also started discussing these themes due to the implementation of facial recognition in several cities and states and compulsory DNA identification of the prison population.

Goals

Raising public awareness around data protection and privacy issues is currently the most important advocacy goal in Brazil. This will require campaigning for better regulation of biometric data and digital ID records and against the deployment of facial recognition technologies for public security. Another goal is to advocate for a more independent ANPD. This will ideally involve engagement with a more diverse set of civil society organisations in these efforts, such as those campaigning for gender equality and against racism.

Challenges

Disinformation, hate speech, and harassment of human rights advocates are the chief obstacles for advocacy efforts in Brazil. The country has one of the highest homicide rates for human rights activists (second only to Colombia) in the world, according to a 2021 report by the UN Human Rights Council.

Hear from Coding Rights

Coding Rights has been conducting advocacy promoting data privacy through an intersectional and human-centric lens with ADAPT since early 2021. Check out their blogs and podcasts that showcase some of the core elements of their work and the issues that they prioritize.

Brazil Podcasts

EPISODE

Você Está Lendo Minha Mente?: A Creative Storytelling Series on Data Rights [Português]

EPISODE

Você Está Lendo Minha Mente? (Are You Reading My Thoughts?): A Creative Storytelling Series on Data Rights [English]

EPISODE 6

Por que Inteligência Artificial é uma questão feminista?

EPISODE 6

Is Artificial Intelligence a Feminist Issue?

Brazil Blog Posts

30 minutes /
Available in English, Portuguese, and Spanish (see links below). Since 2018, over sixty countries around the world have enacted or proposed new data protection laws, with those numbers steadily increasing each year. Data protection regulatory bodies and agencies are entrusted with massive responsibilities to enforce these newly passed laws across all sectors of society - often while significantly under-resourced with small...
ADAPT

15 minutes /
It is not new that there is a tendency among public authority managers to promote the concept of smart cities to justify any actions to implement technology without discussing in depth its purposes. Cameras, facial recognition, sensors, smart meters, wi-fi, etc. are brought to the municipal public space while disclosing little to no information to those who live there about...
Vanessa Koetz

10 minutes /
The third workshop of the Data Privacy Learning Series took place on February 1st, 2022, and discussed the challenges in creating and maintaining independent data protection authorities in the ADAPT partner countries, some having passed comprehensive data protection legislation and others currently discussing it. The choice of subject for the workshop was validated by talks conducted with the partners prior...
Data Privacy Brazil

12 minutes /
When discussing data protection regulations, particularly the passage of comprehensive data protection laws, the issue of what falls within scope and what exemptions exist to circumvent them often arises. This comes into focus in reviewing the cases in which personal data processing for the purposes of public security, national defense or criminal persecution are weakened or completely excluded from the...
Data Privacy Brazil
