Historical Summary 

Until 2018, there was no specific regulation in Brazil on the protection of personal data, privacy, guarantee of secure processing and related topics. 

The Brazilian Federal Constitution of 1988 established an innovative rule (Article 5, X); however, it referred only to two initial concepts: "intimacy" and "private life". 

In 2011, the Law on Access to Information (Law No 12,527) was enacted, the main objective of which was to present the first indirect regulation of the constitutional rule of 1988. In 2012, came a new advance with the introduction of Law No 12,737, which criminalised the invasion of personal communication devices for the purpose of accessing personal data. Two years later, Law No 12,965, the so-called "Civil Framework of the Internet", was established, with the purpose of reaffirming the right to privacy, without, however, the scope that would only be obtained six years later. 

In 2018, Law No 13,709, known as the "General Data Protection Law", or LPGP, was enacted, almost entirely based on the General Data Protection Regulation (GDPR) that is in force in the European Union (EU) under Regulation (EU) 2016/679. However, the LGPD did not enter into force until September 2020, with the exception of its penalties, which could only begin to be applied in August 2021. 

Finally, in 2022, the protection of personal data was included in the Brazilian Constitution as a fundamental right, with special privileges (Article 5, LXXIX). 

Fundamental Privacy and Data Protection Provisions 

The LGPD represented a legal innovation, especially from the point of view of concepts and principles. 

Two concepts were fundamental in the construction of the LGPD: "personal data" and "processing". There has always been confusion between personal data and information – personal data is the basic and unitary element that, when combined with others, generates information. However, because the GDPR employs "personal data," it was followed by the LGPD, which also uses this expression. The second concept is "treatment". There is a fundamental difference between the LGPD and the EU GDPR: the LGPD (Article 5, X) provides that "processing" data is a "processing" activity, whereas the GDPR considers "processing" as gender. 

Principles 

Brazilian law recognises that data protection is linked to certain principles: good faith, purpose, adequacy, need, free access, data quality, transparency, security, prevention, non-discrimination and accountability. 

Each of these principles leads the law enforcement officer to an aspect of the handling of personal data in order to demonstrate adherence to legislation. 

However, other principles can be juxtaposed to these, such as legality (all processing must have a permitted basis by law), centralised management (the agent must document the processing activities), planning (the agent fixes a life cycle for the data they deal with) and veracity (close relationship between the data and its processing). 

Application and Penalties 

The ecosystem for applying data protection standards is complex in Brazil. There are two reasons for this: (i) the idea of "protection of personal data" is not yet well understood, and (ii) there is a lack of a defined, autonomous, simplified and independent regulatory framework.  

Certain peculiarities of the European system were not considered in the drafting of the LGPD. As the stimulus to the practice of "privacy by design", the idea of privacy should be incorporated into all stages of production. This asymmetry makes a difference, especially when talking about processes that depend on massive data processing or different treatments.  

Imitating the European system, the LGPD has created a regime in which everything can go wrong. This is mainly because penalties suffer from negative dispersion (an act contrary to legislation leads to the application of different sanctions for agents who have practiced equal conduct, or equal sanctions for agents who have practised different conducts). This can occur in the "publicisation of the infringement" – the agents involved must publicly disclose the infringement. In this case, the asymmetry of guilt between agents can harm the agent who was found to be the least guilty, or the agent of lesser financial power. 

Sensitive Digital Technologies 

It was at this time that new technologies involving personal data were considered, eg, artificial intelligence, algorithm governance, e-privacy and metaverse platforms.  

For artificial intelligence (AI), Bill No 21/20 seeks to establish the legal framework for the development of AI and encourage self-regulation. 

However, there are problems, such as: the dissemination of knowledge of critical or high-risk artificial intelligence (HiRCAI); ethical transparency, which was (purposely?) set aside; and the definition of whether the accountability should be horizontal or vertical. 

Main Regulators 

The Brazil model imitates the GDPR and follows "vertical centralisation". In it, the regulation is part of a "hard core", usually represented by the Constitution, which runs through the central axis (legal framework), and ends in the branches (regulation and its norms). 

The Brazilian model admits a certain radicality, in which the regulation assumes a "horizontal" profile, not only reaching those that engage with the treatment of data, but also the entities that exercise some regulation of treatment agents (LGPD, Article 5, IX). 

Thus, there are two classes of regulators: the main regulator, who receives prerogatives from the primary source (Constitution and LGPD), and the derivative, whose regulatory power arises from the fact that the activities of an agent are under its regulation.  

The main regulator is the National Data Protection Authority (ANPD), as provided for by the LGPD and approved in Decree No 10,474/20. The secondary regulator may be, for example, the Central Bank of Brazil (Law No 4,595/64), or the National Land Transport Agency (ANTT) (Law No 10,233/01) or the Brazilian Securities and Exchange Commission (CVM) (Law No 6,385/76).  

Although the ANPD argues that the punitive measures provided for by the LGPD are of exclusive application of the main regulator, this is not true as there are penalties substantially equal to those of the LGPD that can be imposed by the secondary regulator. Therefore, the sanctions applicable by the ANPD may co-exist with sanctions imposed by the secondary regulator, especially if the facts determined by both regulators are related to data protection. 

Compliance Audits and Investigations 

Compliance audits and investigations by regulators, in the context of data processing, are still virtually absent in Brazil. While the legislation has not been omitted, the lack of procedural structure and logistics prevents them from being carried out.  

In the GDPR, audits are carried out, mainly because they are useful tools to evaluate the adherence of actions and measures to legislation. Further, they also have a special role in avoiding the application of penalties and generating reliability in the models adopted for the treatment of data in the organisation.  

Their absence has two perverse effects: (i) it creates the false impression that everything is fine, and that there is little to do in terms of data security and privacy; and (ii) punitive regulatory action is not feasible, since, without evidence, the regulator has no way to impose sanctions (LGPD, Article 52). 

Conceptually, audits are provided for in the LGPD (Article 55-J, XVI); in October 2021 the ANPD (Resolution No 1) said that they can be carried out, without detailing how and under what rules. 

Process of Imposing Penalties and Means of defence 

The Brazilian law establishes a process for sanctions and means of contest available to interested parties. 

In summary, these are the possible steps.  

• It starts with a supervisory process by the ANPD, which verifies the organisation's adherence to the LGPD.  
• This process may be monitoring, guidance, prevention or repression (the penalties provided for in Ordinance No 1 may not be immediately applied). 
• If the supervised agent is unable to adjust its procedures, the regulator may apply the penalties. 
• Even in this is the case, regulated and regulatory authorities may sign a conduct adjustment, to be fulfilled within a certain time. 
• If there is a penalty, the regulator must observe the criteria: attendance to the general interest, adequacy between means and ends, formalities essential to the guarantee of rights, simple forms, respect for the rights of interested parties, official functioning of the administrative process (without prejudice to the performance of interested parties) and legal interpretation to ensure the fulfilment of the public end. 
• The regulated organisation has its means of defence. However, Ordinance No 1/20 begins by stating (Article 38) that no appeal is appropriate from the decision of the regulator who decides to open the sanctioning process. This leads one to question the right to appeal. First, because the Brazilian Constitution states that no law can exclude from judicial consideration any injury or threat to law (Article 5, XXXV); secondly because the Constitution also asserts (Article 5, LV) the principle of broad defence; and thirdly because the Federal Administrative Procedure Law (Article 2, paragraph 1, X), applicable to proceedings within the regulatory authorities, determines that it is the right of the person concerned to appeal as they deem necessary. 
• According to the Infraction Notice, the regulated agent has ten working days to defend themselves, including the presentation of evidence and other elements; then, the regulated agent has ten more working days, before the Instruction Report, to respond to evidence and other elements gathered; finally, the penalised agent shall be called upon to comply with the decision, or to file a last resort appeal, also within ten working days, addressed to the board of directors. 
• If the regulated agent still does not agree with the decision of the board of directors, they may appeal to the judiciary, demonstrating their reasons. 

Brazilian System and Multinational Systems 

The Brazilian system of protection of personal data is very recent (2018), but has been under discussion for more than ten years. 

Although Brazil's legislation has a low level of interaction with the legislation of APEC members, some issues are examined on both sides. The case of the protection of personal data in cross-border trade, for example, is a discussion that is of direct interest to Brazil and Asia-Pacific Economic Cooperation (APEC), considering the so-called "inherent risks" of activities such as unregulated transfer, equalisation of legal rules and alignment between trading parties side by side. 

Another point that brings Brazil closer to APEC is related to cybercrimes, especially those that make personal data more vulnerable. However, Brazil has made very little progress in this field, even though it is the fifth country most affected by events related to this subject. Even with the publication of Law No 14,155 of 2021, which more strongly criminalises some crimes that use electronic devices, personal data is still a matter of high vulnerability. 

Very recently, Brazil expressed greater interest in joining the OECD, but to do so it will have to move forward and make a lot of progress in terms of real and material initiatives for the protection of personal data and regulation of fair and legal processing acts. The case of the European E-Privacy Directive is emblematic: the EU has been discussing the issue for more than five years, given the complexity of the issue, but Brazil has no guidelines on the subject as yet. 

NGOs and SROs 

The theme of data protection in Brazil is new, and so there is still no intense dissemination of independent bodies to safeguard this data in civil society. 

The major movements have not yet been co-ordinated, but some commendable initiatives have emerged in the country. This is the case for some platforms – such as the LGPD Portal Third Sector, whose purpose is to disseminate the main discussions and proposals on privacy and security in terms of data to reach the so-called "third sector", and InternetLab, which intends to promote several initiatives around personal data, especially those that circulate in "free of free" environments. 

With regard to SROs, Brazil does not yet have relevant active entities. 

Similarities with Other National Systems

Brazil has adopted the "omnibus" regime, in which legislation of higher origin, linked to a constitutional rule (also federal), regulates security, processing and privacy issues related to personal data. 

Historically, the cultural and conceptual differences in a subject as complex as "personal data" and in a country as vast as Brazil have led the legislator to the "omnibus" regime, either to reduce the legislative disparities that could arise, or to prevent local decisions (especially in judicial terms) from "imploding" the fundamental concepts and principles of the subject. 

The main problem, even copying the European system, is that Brazil did not have, unlike the Old Continent, a conceptual legacy about privacy protection and its relationship with the active "personal data". That is why it has elected the option of a "national" law, a legal framework that is a driver and a booster, but evidently inhibiting local and sectoral initiatives. 

Another aspect in favour of the model chosen by the country is that, with a "national" law, the regulation can take place vertically or horizontally, and in this case cover all activities and all sectors, productive or not. The market may complain about Brazilian legislation, but it is undeniable that the choice for "lex omnibus" derived more from a clear economic and historical context than from a true governmental option. 

This is the case, for example, for border economic initiatives, such as startups, SPACs, asset exploration funds and many others, which, by their own structure, cannot be regulated, in an aspect as important as "personal data", by local or merely sectoral legislation. 

Key Developments

Brazil has dealt with some pioneering initiatives, such as the banking and financial regulation. This topic is important enough to make the legal industry more interested in personal data than expected. 

While Brazilian legislation, after 2018, has made little progress, especially in terms of operationality, other countries are moving towards expanding the subject of data, and thereby creating more layers of protection for data owners. 

Thus, problems such as the sharing of personal data, provided for in the LGPD (Article 5, XVI), in an instant payment arrangement environment, have been a cause of headaches for data regulators and the financial sector. A leak of personal data linked to these arrangements calls into question the theme of the "regulator of the regulator". That is because, if the financial regulator cannot be the regulator of personal data, someone needs to regulate that regulator on the subject of personal data, mainly because the protection of that data is a fundamental right and the law that gives them security is a "national" law. 

There are currently no disputes involving these problems, but this is a matter of time. Financial regulators around the world are bound by international rules (IFRS, GAAP, CPSS/BIS and TC/IOSCO), and the Central Bank of Brazil is no different. This shows that leaks of personal data related to instant payment arrangements, capital transfer, securities clearing and foreign exchange transactions can compromise the credibility of the financial ecosystem and greatly undermine any national effort to enhance data protection regulations. 

Pending changes and hot topics on the horizon over the next 12 months include:

• data compliance audit x assisted compliance; 
• e-privacy for personal data declared restricted by its owner; 
• data obtained during the COVID-19 pandemic: protected or public, in view of the "social interest"; 
• accompanied self-regulation; 
• "personal data clearing chambers"; 
• processors on demand; 
• data in the metaverse; 
• e-DPO; 
• reputation management (active and passive); 
• personal data retention code; 
• encryption governance; 
• scrutiny (rules) of alignment with China's privacy law (PIPL); 
• responsible use of adtech (risks, tokens, and cohorts); 
• "relative" privacy; and
• capillarity of personal data protection standards. 

Omnibus Laws 

The idea of an "omnibus law" is related to the principle of "rational regulation", according to which all behaviour of the regulated agents tends to be more uniform, compatible and manageable than if the legislation adopted were that of the sectoral model. A relationship in which there is the presence of personal data in treatment presents very important angles: the first is that this type of relationship can last longer than one thinks, and the second is that, once shared, personal data cease to "belong" to the universe of one party, becoming part of the "data assets" of the other party, at least for a while. 

These characteristics give relationships in which personal data is involved a characteristic that may not be present in other phenomena: the so-called "data communication". For example, if one of the parts of the relationship is located in a location where there is regulation of privacy of personal data, and the other is in a different location, where the regulation does not exist or is different, or less or more intense. In fact, there would be a legal asymmetry that was difficult to solve. Equal asymmetry would also occur if the related parts were from non-analogue sectors, with differentiated regulations. For this, the "omnibus" rule works best – although there can always be difficulties. 

Extending the scope of personal data security and privacy standards is a justification that compensates for the possible difficulties of the omnibus system. It is also worth remembering that centralised regulation does not always mean concentrated regulation; it is always feasible for regulation to allow for a measure of "sectorisation", provided that it does not compromise the essential part of the rule and the role of the main regulator (classic). 

The cases in the European Union, under the GDPR, China, under its PIPL, and Indonesia, with its RUU Cipta Kerja, show that the model is more alive than ever, and can even be considered for high regulatory concentration structures.  

Applicability 

DPO and requirements

The Data Officer (as Brazilian legislation calls the DPO) is a requirement of "active self-regulation" (Article 41) and collaborates with the organisation in monitoring internal compliance and acts to assist and guide the controller (and the operator) on matters related to data, security, and privacy. It is essential that it has autonomy, independence, its own budget with some flexibility, manager's character, with some experience in privacy (at least conceptual) and reports to the highest management level of the company. It can be part of the organisation, or an external nominee, and organisations from the same group can benefit from the shared DPO. 

Collection, consent and other legal bases

In the legislation, the processing of data begins with the collection (active or passive), considered by the LGPD as an unfolding of the processing. It is a distinctive criterion for determining the incidence of the LGPD – which only occurs if the data have been collected in Brazil, which is only considered if the data subject is in the national territory at the time of collection (Article 3, paragraphs 1 and 2) Although the holder's consent is a "viable legal basis" by the LGPD, not all collection requires such consent – this may occur, for example, if the collection relates to another legal basis, such as the attendance of a legal obligation, the performance of a contract or the exercise of a right at a court. There are cases that, although the controller does not invoke consent, the holder may authorise the collection of data for a purpose that will benefit him (the so-called collection on request). 

Privacy by design

The idea is the active incorporation of the concepts and principles of privacy and security of data into the productive processes (material or virtual) of the organisation, from the "starting point". In this case, the controller is concerned with two concepts: the internal dissemination of the relevance of processes integrated to the processing of data and the documentation of the progress made. 

Analyses

Brazilian legislation provides (LGPD, Article 5, XVII) for the application of impact reports on the processing of personal data, as a way of ascertaining whether and how there are risks to the rights of the holder. The legislation, although it does not specifically say that such reports are an obligation, provides that the regulator may require the controller, especially if the treatment is legally based on the legitimate interest, to undertake the preparation of such analyses (Article 10, paragraph 3). In addition, evaluations of this nature are a good indication of a robust data governance programme, which can make a difference in inspections carried out by the regulatory body (Article 38 and Article 50, paragraph 1, sub-paragraph (d)"). 

Policies

The adoption of internal personal data policies, comprising processes and procedures, is a highly considered data governance measure (LGPD, Article 50). A good policy can help to address issues of transparency, accountability and autonomy of the will of the holder, principles adopted by Brazilian legislation. In addition, the existence of a data policy will be considered by the regulator in the inspection procedures with the regulated agent (Article 52, paragraph 1, VIII and IX). 

Access of the holder

The idea is that the personal data are the property of their holder, and whenever they wish – if some basic conditions are met – they may have access to their data, interrupt the processing, request their return and even withdraw their consent. Legislation, such as the EU GDPR, provides that the rights of the holder may be exercised at any time (Article 18), and do not depend on exceptional formalities. One highlight is that the sharing of personal data by the owner does not remove their ownership of them. 

Data protection methods

The legislation provides that the controller may adopt "special measures" to protect the data and the data subject, including anonymisation, a technique that allows the data to be made non-associable to a specific person, which removes from them the characteristic of "personal" and puts it outside the application of the LGPD. The use of pseudonyms is a little more complex, because, under certain circumstances, pseudonyms are personal data, and therefore are again subject to the LGPD. 

Restrictions

The LGPD (Article 20) deals specifically with automated decision-making, and takes care to establish that the controller must always document the decisions and that the holder has the right to know what personal data has been submitted to the decision makers and for what purposes. Profiling via personal data is another interesting point because the Brazilian legislature has established that the data used to obtain profiles of individuals may, even if they are not personal data at the origin, be considered as such for protection purposes. 

Injury and damage

Brazilian law does not make a very clear distinction between "injury" and "damage" (Article 42), but other rules give good clues: not every injury is necessarily a cause of damage, but all damage presupposes an injury of such severity that affects some dimension of the data owner. The LGPD seems to have adopted the idea that the injury is more in the legal field, while the damage is in the real field, as the result is experienced by the data subject. However, the LGPD is quite clear in saying that any nature of damage (Article 42) is repairable to the holder, and in this case has not saved qualifiers, although it has left aside specific damages, such as image, psychological, social, family and emotional. Damages arising from "invasion of privacy" or "violation of integrity" were not included either, although it can always be said that they fall into the category "moral damage".

Sensitive Data 

Brazilian legislation speaks of sensitive data in a very explicit way, following, for example, the GDPR and standards of other countries, such as the United Kingdom. For Brazilian law, there is no definition of sensitive data, but a framework in relation to which data can be considered sensitive (Article 5, II). 

The idea about sensitive data is that there are elements that relate directly to intimate and private aspects of the individual, in such a way that they have the right to keep such data under strict reservation, and to only share it for well-defined and objectively determined purposes. 

For the controller, handling sensitive data may be necessary, but also problematic. For example, they should be able to demonstrate that treatment is strictly necessary and enforceable, and that it meets one of the legal bases of the law (Article 11); strictly, in this scenario, it means that the treatment must be linked to a real and pressing need and that it cannot be achieved by less invasive means. 

In Brazil, these data can be divided into three classes:(i) sensitive to individuals (eg, biometrics), (ii) sensitive to their intimate or private personal activities (eg, religious conviction), (iii) and sensitive to their specific personal condition (health and life choices). 

Other issues include the following.

• Navigation: Brazilian law has chosen to consider navigation a private activity, and therefore the data circulating in it about the individual is under protection, and therefore its collection through tools (cookies, FLoC, tracking, etc) should be preceded by a specific policy by the controller.
• Another problem faced by organisations is browsing tracking, which allows, for example, data collection to identify fake profiles, hate messages, fake news, and the like. For Brazilian law (Internet Civil Framework), the practice is prohibited, but some actions have been employed, such as the installation of applications, which, in practice, since they are a "choice" of the individual, can be used for tracking.
• A national bill (No 10,052) intends to aggravate the picture, since it provides for the tracking of internet activities for the acquisition of goods and services, which may collect even more data from the holder.
• The right to forget is another explosive point: recently, the Supreme Court ruled (in Special Appeal 1,010,606) that the right to be forgotten is not compatible with Brazilian law, and for this it argued that the passage of time, in isolation, cannot be a reason to prevent facts from being publicly disclosed. 

Unsolicited Communications and Spamming 

The boundary between unsolicited communications and irregular data processing is symbolic. 

In the EU, for example, this type of "consumption access" may require authorisation (non-consent) from recipients, and the main recommendations are still not to use an individual's email for mass communications and not to use pre-marked boxes for an authorisation. 

Brazil is actively preparing to regulate the practice, but only the state of São Paulo, by Law No 17,334/21, has established specific rules to prevent unwanted calls and unsolicited commercial messages (or capture of preferences and profiling). Nevertheless, the Consumer Protection Code (Law No 8,038/90, Article 39, III) provides that the provision of unsolicited goods or services is considered "abusive practice" and is therefore prohibited. 

Similarly, targeted advertising, especially when aimed at the most vulnerable people, such as children, adolescents and the elderly, is also considered abusive, and prohibited by consumer law. 

Privacy at Work 

The concept of privacy has also reached the work environment. But here there is a problem: in times of a pandemic and remote working, it is no longer so simple to define what is a "workplace", which can be as much the physical environment as anywhere where the worker performs their tasks, whether that be at home or in a public park. The consensus appears to be that the typical "workplace" is the physical point of the company's location. 

Organisations have been concerned about the privacy around personal data, as workers displaced from their physical workplaces also need to manage this data for their activities, but outside the "aseptic" and protected environment of companies. This is why the number of companies that adopt strict privacy policies for the processing of personal data outside their walls has grown, with the signing of confidentiality terms and non-disclosure of data, digital security commitments and secure management obligations. 

Codes of conduct in personal data privacy and internal personnel data processing notices have also become commonplace, and in most cases there is no interpretation that this violates employee privacy. The labour courts in Brazil have actually understood that employees have an obligation not to breach the personal data of third parties, especially if this is what is expected of their activities in the company. A recent case ruled that an employee could be fired from the company for serious misconduct for copying and sending out company customer data from the organisation. 

Another point of concern for companies is electronic discovery (e-discovery): employees have been seen practising e-discovery, and with this having access to personal data considered "non-proprietary" (not belonging to the employer). The problem is more serious than it seems, because judicial, technical and legal evidence can be obtained by this method, and then "marketed" to interested parties. Furthermore, employees who handle, due to their activities, large masses of personal data, are subject to paid external capture so that, in practising e-discovery, they provide strategic data to the employer's competitors. 

Legal Norms 

Regulators have at their disposal a small (in Brazil) arsenal to open investigations into violations of the laws of security and privacy of personal data. In the case of the Brazilian LGPD, the regulator (ANPD) can directly interfere in the data processing activities of an organisation, and there are three basic possibilities for this: (i) regulatory intervention, if the controller has been accused of systematically violating the rights of the holder in terms of their personal data; (ii) suspensive intervention (Article 52, X); and (iii) punitive intervention. 

Typically, the regulator will open a conduct investigation process against the regulated agent, and assess the severity of the violations they have committed, ensuring them broad defence and the production of evidence. The main basis for this is the "conduct of the processing agent", the actions and measures that they adopted or failed to adopt and that led to the vulnerability of their controls and documentation in the processing of personal data. That is, even before the evidence of violation, if the agent considers the nature and severity of the conduct as a means of reaching the legal assessment of the facts. 

The regulator generally considers violations as direct or indirect, and can also include cross-cutting violations. Direct violations stem straight from the conduct of the agent, indirect violations come from the worsening effects of their conduct, and cross-cutting ones consider the impact of the violation on other agents and other regulators. 

The regulator can also apply the penalties provided for in the LGPD, usually in the "verticalisation" regime (from the least serious to the most serious). Even penalties may vary due to the nature of the breach, because if the same breach can be considered and punished by more than one regulator (classic and derivative, for example), it is possible that the original penalty is aggravated by the secondary penalty (applied by a non-regulatory body of personal data). 

Private disputes for violations of privacy are quite predictable, including through so-called "class actions", in which many actors (assets or liabilities) come together in search of legal rights or duties that apply to all. Increasingly, collective defence entities have been concerned with the issue of "indistinct privacy," a new concept, also called "collective privacy." In this case, there are no specific individuals affected by a privacy violation, but an indistinct group of them, harmed by the violation. 

Leakage of personal data, for example, has served as the keynote of discussions. Consumer relations organisations (IDEC, for example) and the Public Prosecutor's Office have already adopted a position on this, especially regarding the various data leaks related to payment arrangements articulated by the Central Bank. Approximately 600 lawsuits are already taking place in Brazilian courts on personal data issues, from leaks to abuse or misuse, and only one association of rights of data subjects accounts for dozens of violations of privacy laws.

Laws and Regulations 

According to the Brazilian LGPD (Article 4, III), its rules do not apply if the processing of personal data relates exclusively to public security, national defence, state security or investigation and prosecution of criminal offenses. 

This means that, in principle, if the processing of personal data is intended for any of these purposes, the agent (usually public) is not submitted to the LGPD. 

Thus, the government does not necessarily need to ask the regulator for the right to access databases for crimes and prosecution of crimes. 

However, that is not to say that the authority that accesses the data is free to use it as it wishes. The LGPD, for example, provides that the public authority that accesses this data cannot transfer it to third parties, with a few exceptions, and that the regulatory authority may act against the government if it violates the rules of the legislation. 

Standards and Laws (National Security) 

According to the LGPD (Article 4, III), its rules do not apply when the processing of personal data is objectively related to public security, national defence, state security or investigative activities and repression of criminal offenses. 

Thus, in principle, if the processing of data is intended for any of those purposes, the agent is not submitted to the LGPD. 

Therefore, the public agent does not need to ask the regulator's permission to access databases on intelligence, state defence or national security. 

As at 3.1 Laws and Standards for Access to Data for Serious Crimes, the authority that accesses the data is not free to use it as they wish or transfer it to third parties. . 

Foreign Government 

In 2021, Brazil formally joined the Budapest Convention (Convention on Cybercrime). The document requires that each country that is part of it maintain the legal authority to compel organisations based in their territory to disclose data (including personal) that is in their custody, regardless of whether the organisation also has the custody of data from other countries. 

This, in practice, means that Brazil may, even without formal accession to any free-traffic agreement of personal data for certain purposes, such as the American Cloud Act, have to examine concrete cases of request for capture and assignment of data. The Cloud Act (Clarifying Lawful Overseas Use of Data Act) was passed in 2018 by the US Congress, and it is basically the result of the limits of the Stored Communication Act (1986). This legislation mandates that US data and communications companies must allow access to customer data, even if their repositories are outside US jurisdiction. This has created a problem for the EU GDPR, which, two months after the Cloud Act, linked access to data stored in a foreign country to the prior judicial authorisation of that country. 

However, a foreign government request based on the Budapest Convention, or even an agreement similar to the Cloud Act, does not indistinctly give a private organisation the right to seize the chance and request access to the personal data included in the government request. This organisation, based in another country or Brazil, needs to use its own means to have access to the desired personal data, and is still subject to scrutiny of legislation and the judiciary. 

Main Privacy Issues 

Even though the Access to Information Act, prior to the LGPD, allows citizens and organisations to access data stored on public administration databases, the government has been using the LGPD to deny them (and sometimes even members of the public power community) access to personal data, including for projects of high social interest. 

Recently, the Central Bank of Brazil, linked to the Ministry of Economy, signed two co-operation agreements with private entities representing financial institutions. The agreements provide that the monetary authority will share with the institutions an important and huge database, called National Civil Identity, which includes sensitive data, such as biometrics of Brazilian nationals. Different entities and the Federal Prosecutor's Office are already investigating this, and legal representations have been made, including to the Federal Court of Auditors (TCU). 

The Brazilian Central Bank has witnessed leaks of personal data in financial institutions in Brazil, which may have compromised an excessive number of records. 

Restrictions on Transfers 

For the LGPD, international transfer of personal data is a topic to be considered carefully. The argument is that such transfers may mean that data, once outside national jurisdiction, is lost forever, especially in regulatory terms. 

In legislation, international transfer is an exception, both actively (from Brazil out) and passive (from abroad to Brazil). 

Such a transfer, according to the LGPD, is possible only:

(a) to countries or international bodies that ensure the degree of protection of personal data appropriate to that provided for in the LGPD;

(b) if the controller provides and proves assurance of compliance with the principles, rights of the data subject and data protection regime provided for in this Law (conditions provided for in points (a) to (d));

(c) if it is necessary for international legal co-operation between public intelligence, investigation and pursuit agencies; 

(d) it is for the protection of the life or physical safety of the holder or third party; 

(e) if the national authority authorises; 

(f) it it results in a commitment made in an international co-operation agreement; 

(g) if it is necessary for the execution of public policy or legal attribution of the public service; 

(h) the holder gives their specific and prominent consent; or

(i) to meet the hypotheses set forth in paragraphs II, V and VI of Article 7 of the LGPD. 

The import of data via international transfer, although it is recommended that it pass the "entry criteria", is possible on the basis of:

• authorisation of the transfer;
• level of conformity of the origin;
• data filter;
• formalisation;
• verification of the Brazilian destination; and
• absence of judicialisation of the transfer – it is not a treatment subject to the LGPD, (Article 4, IV). 

Mechanisms and Derogations 

An international transfer of personal data, in the LGPD or GDPR, is a typical processing activity (or processing, according to the GDPR), and therefore needs to respond positively to legal conditions, including derogations (specific authorisations upon knowledge of the risks involved). 

It is therefore necessary that:

• it be done on an authorised legal basis;
• it is under one of the hypotheses of derogation (LGPD, Article 33, and GDPR, Article 9, paragraph 2);
• it is naturally informed;
• it is under a legitimate and non-prohibited purpose;
• it does not include excessive data; and
• it is the subject of actual risk protection and containment measures. 

In terms of multilateral mechanisms, the transfer of personal data also needs to be disciplined in a personal data transfer agreement (PDTA), with clauses that ensure the bilaterality of the data communication arrangement, by any modality. 

In addition, a data privacy notice (DNA) is always recommended. 

Government Notifications and Approvals 

The legal hypotheses authorising the international transfer of personal data are in the LGPD (Article 33); outside these cases, the transfer certainly cannot take place, not even under derogations.  

One of these hypotheses provides that the regulatory authority can authorise transfers, but even this possibility requires that the event meets one of the legal bases. Even if the government decided to make an international transfer of data, it would be necessary that the case fall within Article 33 of the LGPD, and even then it would be up to the regulator to evaluate the "conditions of transfer", provided for in Article 35 of that Law. 

Usually, the public persons referred to in the Access to Information Act (Article 1) may ask the regulator, prior to an international transfer of personal data, to assess the degree of protection of personal data conferred by a country or international body. 

Location 

In the field of the location of personal data, one of the points of interest is that Brazilian legislation has adopted the principle of irrelevance of location (Article 3), according to which the state of the data situation is not significant for law enforcement. However, this depends on the following conditions:

• the treatment operation is carried out in the national territory;
• the purpose of the processing activity is to offer or supply goods or services or to process data from individuals located in the national territory; or
• the personal data processed have been collected in Brazil. 

Data that, by their nature, purpose, quality, scope and content should remain on Brazilian soil, cannot be transferred, as is the case with personal data used by research bodies in public health studies (LGPD, Article 13, paragraph 2). 

Technical Details 

Although the LGPD does not explicitly state that elements such as source codes, software and other technical items must be shared with the government, it is necessary to understand this issue a little better. 

First, it is quite possible for public and private entities to share personal data with each other, provided that the rules of Article 25 of the LGPD are met and that the data are employed by the public for public finality, pursuit of the public interest, execution of legal powers or compliance with legal duties of the public service. 

Secondly, sharing does not necessarily mean a breach of copyright protection, as occurs in the case of algorithms, which cannot always be considered "intellectual products" (Law No 9,610/98, Article 8, I). 

However, it is necessary to consider that the sharing of typical intellectual creations – such as source codes, for example – can provide for in depth discussions (Law No 9,609/98, Article 2, paragraph 5). 

Data Collection and Transfer Organisations 

This type of organisation is subject to the provisions of the LGPD, provided that personal data have been collected in the national territory and that at least one processing activity on them has been carried out in the country (Article 3). 

According to Article 3 of the LGPD, it is not relevant whether the organisation is located in Brazil or abroad, because what determines the application of the Brazilian Law is the place where the data were collected and where they are subject to treatment. 

However, in the case of international data transfer, between the organisation and the entity that hired it, the transferee is subject to the transfer rules provided for by the LGPD, which means that a legal basis (Articles 7 and 11) and compliance with one of the conditions of Article 33 of the LGPD will be required. 

Blocking Statutes 

These statutes are more widespread than before, and much of their rules provide for limitations that, if they do not prevent certain practices involving personal data, at least create conditions that agents must meet before acting. 

It is true that locks do not always have to do with the security and privacy of personal data, and sometimes this is not even the focus, but it is undeniable that one of their effects is to create obstacles to practices that might otherwise be allowed. 

For example, the EU GDPR has already been understood as a blocking tool for transfers of personal data to extra-EU agencies by applying Article 49(1)(d), when talking about "important reasons of public interest". This was made more evident with a US District Court ruling (July 2019), which was called upon to answer whether the GDPR is a blocking statute under US law. 

Current Issues 

Some of these topics are already covered, directly or indirectly, by the Brazilian LGPD, such as biometrics, facial recognition (collection of pictorial data and personal distinction), profile formation, and metadata. 

Drones

There is currently no specific national legislation on drones and their relationship with personal data, except for the Brazilian Special Civil Aviation Regulation No 94/17, of the Brazilian aeronautical regulator, which only refers to the need to preserve the private life and intimacy of individuals. 

Big data

The mass acquisition of personal data will be strongly impacted by the LGPD. Article 20 provides that it is the right of the holder not only to know on what bases the decisions on the processing of their data were made, but also to review those decisions and, if abuses are found, to obtain redress. 

IoT

Since 2021, Law No 14,108, known as the IoT Law, is not a legal framework on the subject; it only creates government tax breaks for IoT-focused technologies. 

AI

Brazil does not yet have a legal framework, or regulatory framework, on AI. At the moment, there is only one Bill on the subject (No 21/20). 

Dark patterns (DPs)

These patterns, still little known, play a key role in people’s consumption options. Through malicious techniques designed with the intention of inducing users of web services to make certain choices, manipulating their decisions, DPs have been a cause for concern since the Civil Framework of the Internet (Law No 12,965/14). 

Fiduciary duty

The legislation says that a bond forms between the controller and holder that requires the former not only to follow the legislation, but not to frustrate the expectations of the data owner. 

Governance 

Brazil does not yet have safe regulations on the subject of governance, and nor has it implemented a regular practice on this, although the LGPD provides (Article 50) and recommends the introduction of data governance practices in organisations. 

What has occurred is that the organisations create, by themselves, governance committees, usually linked to the DPO, so that issues such as risks, management and documentation can be addressed under a legal and technical basis. 

Disputes 

Due to Brazil's very recent history in terms of the protection of personal data, there are no specific cases on the subject involving repercussions and penalties. However, it is worth remembering that more than 600 legal cases are ongoing on the subject, and the ANPD, at some point in the future, will begin to be involved in cases. 

Transactions 

The subject is still new, but a good number of due diligence processes have begun to give more value to the compliance search of personal data processing relating to transactions between companies. 

Investment planning cases have also required invested companies to submit an LGPD-related compliance diagnosis and, in many cases, one for the GDPR. 

This may include:

• assessment of personal data;
• collection of relevant data protection documents, such as policies, procedures and guidelines;
• verification of technical and organisational measures adopted in the processing of data;
• assessment of the systems used in treatment activities;
• analysis of operators and sub operators;
• consultation of the history of incidents with personal data and communications related to the National Data Protection Authority and other bodies, and to data subjects;
• listing of information on judicial or administrative proceedings regarding the LGPD;
• mapping of the flow of service to the demands of existing holders and the areas involved in the service;
• verification of the existing privacy structure, if there is a DPO and an active privacy committee; and
• assessment of whether there is a need to comply with other laws in the case of international data transfer. 

Public Disclosure

In Brazil, there is no specific legislation requiring such disclosure. The first reason for this is that, in terms of protecting personal data, the country still needs to make significant progress before instituting a cybersecurity ranking; the second reason is that a ranking like this always depends on a degree of maturity of data security and privacy concepts, and principles. 

The fact is that the activities of evaluation, measurement and monetisation of the risks of processing personal data are very new in Brazil. An example of this is vulnerability analysis for the classes and categories of data handled. This type of study evaluates four fundamental pillars:

• protection systems in force;
• compliance with safety legislation and standards;
• gaps for security incidents; and
• resilience to potential threats (internal and external). 

Other significant issues that are relevant to cybersecurity regulation in Brazil include:

• massive data processing – regulation and limits; 
• critical data processing vulnerabilities; 
• data leakage in environments regulated by other authorities – such as compatibilisation, determining and applying penalties; 
• service level agreement applicable to the compliance of personal data and their processing; 
• algorithm governance; sharing of public databases and their effects on private organisations; 
• permanent international transfer of personal data; 
• DPO technical standards policy; 
• personal data as a legacy in the case of international business transactions – transfer, assignment or sharing; and
• leadership of investigative processes of security incidents in the case of treatment agents' members of different organisations.