Data Protection & Privacy 2024 Comparisons

Last Updated March 12, 2024

Law and Practice


Lopes Pinto, Nagasse Advogados is based in São Paulo. The firm provides expertise across many areas, including corporate and business law, tax and planning, data protection (LGPD, GDPR and PIPL), contracts, regulation, digital assets, blockchain, transportation, logistics, labour, infrastructure, agribusiness, banking and finance, bioscience, civil law, corporate governance, compliance, tech law, and legal risks. The team of highly skilled professionals possesses in-depth experience of national and multinational companies and law firms, and the modus operandi of organisations and businesses. Lopes Pinto, Nagasse Advogados prides itself on being a highly ethical firm, focused on achieving results and providing excellent service to its clients. Since 2006, it has been recognised as one of the most highly regarded law firms by Época, a Brazilian news and analysis magazine.

The Development of Data Protection Legislation in Brazil

In Brazil, data protection regulation – especially protection of personal data – stems from the Constitution (Article 5, X): “intimacy, private life, honour, and image of people are inviolable, ensuring the right to compensation for material or moral damage resulting from their violation”.

The Consumer Protection Code (Law 8,078/93) also has rules on “personal information”, and introduced, for the first time, a standard that allows consumers to have access to the data that a company holds about them and to request its update or correction. These concepts were expanded by Decree 7,962/13, which now talks about “data security”, an idea close to another concept, that of “personal data as part of an individual’s assets”.

In 2013, the Civil Rights Framework for the Internet was approved (Law 12,965/14). Even though it was aimed at activities on the internet, it introduced relevant concepts, such as “net neutrality” and “active protection of personal data”, into the wider legal/regulatory landscape in Brazil.

In 2018, Law 13,709, the General Data Protection Law (LGPD), introduced rules designed to regulate, protect, and discipline the treatment and security of personal data in Brazil. Based almost entirely on the GDPR of the European Union, the LGPD only entered into force in September 2020, except for its penalties.

In 2022, the protection of personal data was explicitly included in the Federal Constitution as a fundamental right (Article 5, LXXIX).

With the advancement of AI, Brazil decided to try to regulate the matter. To this end, Bill 2,388/23 emerged, which, in line with global trends, is based on the most widely accepted principles in this area:

  • recommendations and ethical principles for creating standards of conduct;
  • rules on governance and compliance;
  • a certain degree of normative liberality in the practice of AI; and
  • the establishment of rights and obligations with the aim of mitigating risks and ensuring reliable use of AI systems.

Principal and Derivative (Sector-Specific) Regulators

The Brazilian regulatory model is largely based on the GDPR, and adopts a similar “vertically centralised” regulatory system. Regulation is part of a “hard core”, represented by the Constitution, which runs along the central axis (legal framework) and ends in the branches (regulation and rules).

This model also admits a more radical variant, in which regulation assumes a “horizontal” profile, reaching not only those that directly engage in the processing of personal data but also the entities that exercise some regulation over data processors.

Thus, there are two classes of regulators: the principal regulators, which receive prerogatives from the primary legislation (Constitution and LGPD), and the derivative regulators, whose regulatory power stems from the fact that the activities of a given data processor are under their regulation.

The main regulator is the Autoridade Nacional de Proteção de Dados (ANPD), as provided for in the LGPD and approved by Decree 10,474/20. Recently, the ANPD has gained the status of “agency” and has become part of the structure of the Ministry of Justice. Derivative regulators include entities such as the Banco Central do Brasil (Law 4,595/64), the Agência Nacional de Transportes Terrestres (ANTT) (Law 10,233/01) and the Comissão de Valores Mobiliários (CVM) (Law 6,385/76).

Although the ANPD argues that the punitive measures referred to in the LGPD can be applied exclusively by the main regulator, this is not exactly true, as there are penalties substantially similar to those of the LGPD that can be imposed by secondary regulators. Thus, the sanctions applicable by the ANPD can perfectly well coexist with the sanctions imposed by a secondary regulator, especially if the facts assessed by both regulators relate to the protection of personal data.

AI

As for AI, the matter gets complicated. While the ANPD wants to take over the regulation of AI, due to the proximity of the subjects within its competence (personal data) to the topics related to AI systems, other voices say that regulation should take place in the form of a “committee”, composed of other government bodies. Bill 2,388 is silent on the topic, limiting itself to referring to a “competent authority”.

In the EU, the AI Act seems to indicate a very strong desire for the bloc to become a “global regulator” on AI issues, given the repercussions of its regulations on other countries, including Brazil. Furthermore, the AI Act shows a well-defined focus on technology risks, the so-called “own risks”, especially its effects on disinformation, innovation, jobs and the interests of governments and States.

The topic of “deepfakes” is one of these own risks. People are misled by fraudulent video and audio content, created with the help of AI. Precisely for this reason, in Brazil, Bill 5,241/23 is being processed, which establishes the use of deepfake audiovisual content as a crime.

Brazilian legislation on personal data establishes a process for sanctions and a means to challenge such sanctions. This begins with the administrative process carried out by the ANPD, which verifies an organisation’s adherence to the LGPD.

The process may be monitoring, guidance, prevention or repression. If the supervised agent does not adjust its procedures, the regulator may apply the sanctions. Even in this case, regulatory authorities and agents may sign a conduct adjustment, to be completed within a certain period.

In the event of a penalty, the regulator must comply with the following criteria:

  • compliance with the general interest;
  • adequacy between means and ends, with only the formalities essential to guaranteeing rights, in simple forms;
  • respect for the rights of interested parties;
  • official operation of the administrative process (without prejudice to the actions of the interested parties); and
  • legal interpretation to ensure the fulfilment of the public purpose.

The regulated organisation has means of defence; however, ANPD Resolution 1/20 begins by declaring (Article 38) that there is no way to appeal the decision of the regulator that opened the sanctioning process, which calls into question the right to appeal. First, the Constitution says that no law can exclude from judicial assessment an injury or threat to a right (Article 5, XXXV); second, the Constitution affirms (Article 5, LV) the principle of broad defence; and third, the Federal Administrative Procedure Law (Article 2, paragraph 1, X), applicable to proceedings before the regulatory authorities, determines that it is the right of the interested party to appeal as it deems necessary.

According to the infraction notice, the regulated agent has ten working days to defend itself, including with evidence and other elements; then, the regulated agent has ten more working days, before the instruction report, to respond to the evidence and other elements collected; finally, the agent will be called to comply with the decision, or to make a final appeal, within ten working days, addressed to the Board of Directors of the ANPD.

If the regulated agent does not agree with the decision of the council, it may appeal to the judiciary. Since the ANPD is now part of the structure of the Ministry of Justice, discussion has gained momentum over whether, in the case of a final decision of the ANPD, and before taking the matter to the judiciary, the penalised agent could submit an improper hierarchical appeal – the legislation seems to allow this exit, but only time will tell.

AI

As there is still no legal framework for AI in Brazil, it is not possible to say that the country has a system of sanctions and resources focused on AI issues. This does not mean, however, that there is an absolute vacuum. If an AI issue has to do with personal data, it is always possible to submit it to the ANPD. If the issue is related to the financial market, it is possible to take it to the CVM or Central Bank for examination.

The Brazilian national regime for the protection and guarantee of personal data is quite recent (2018), even though discussions on the subject began more than a decade ago.

Brazilian legislation has a low level of interaction with the legislation of members of the Asia-Pacific Economic Cooperation (APEC), but many issues have been discussed bilaterally. One of them is the protection of personal data in cross-border trade; for example, considering the “inherent risks” of unregulated transfers, parity of legal standards, alignment between commercial partners and alternative means of conflict resolution.

The interaction between Brazil and the EU is far greater. Of particular note is a difference in the interpretation of jurisdiction over data processing. For Brazil, personal data processing is subject to the LGPD if, as a fundamental concept, this processing occurs within the national territory. Under the GDPR, however, the processing may still fall under EU regulation even if carried out by a controller outside the EU, if it is sufficiently linked to the activities of an establishment in an EU country.

Brazil has expressed interest in joining the OECD, but to do so it would have to make progress in personal data protection and the regulation of fair and legal data processing acts. The case of the European Directive on Electronic Privacy is emblematic: the EU is already discussing escalating the issue to more complex legislation, but Brazil does not even have fundamental guidelines on the subject.

Data protection and security are still very recent issues in Brazil, and therefore there is not a significant number of independent bodies dedicated to maintaining data protection and security standards, especially for personal data (eg, self-regulatory organisations (SROs) and others).

In recent months, some initiatives have been observed in this area. For example: the case of the self-regulation agreement between the CVM and ANBIMA (an association that brings together financial and capital market entities). Although focused on the activities of fund management, the document covers some concepts that can be applied to the processing of personal data.

As for AI, the subject currently has no defined contours. As the sector’s promised legal framework has not yet been put in place, there is not even a defined regulatory process, let alone something like self-regulation. It is possible that, with the EU’s decision to approve the AI Act, Brazil will be encouraged to accelerate the creation of a legal framework for the sector.

Brazil has adopted an “omnibus” regime for data protection: legislation of higher origin, linked to a constitutional (federal) rule, regulates security, processing and privacy issues related to personal data.

It was not easy to approve the LGPD, and it has not been easy to ensure that its standards are applied. This is due to social and cultural differences, but also to Brazil’s legislative system. This is the reason for the “omnibus” law, which helps to reduce legislative disparities and the risk of decisions that could “implode” the concepts and principles related to personal data and its protection. Brazil, unlike the EU, did not have a conceptual legacy for protecting privacy and its relationship with personal data. That is why it chose the option of a “national” law, a framework that is both engine and booster, but with a bias that inhibits local and sectoral initiatives.

Another point in favour of the Brazilian model is that, with “national” law, regulation can occur vertically or horizontally, and cover different sectors. The market may complain about Brazilian legislation, but it is undeniable that the “lex omnibus” derived more from an economic and historical context than from a government option. But there is still a long way to go. With regard to AI, NFTs, regulated businesses and so-called “paranational” relationships, EU and US regulation is more effective, deeper, and tougher. Mechanisms such as “data sharing agreements”, “joint processing treaties”, and others were not even considered in Brazil. Measures such as “external data control” and “approach supervision” are also not even discussed, and this creates a negative context for the LGPD.

In the last twelve months – even though other countries have made great strides towards regulating highly relevant aspects of personal data, AI, NFTs, digital markets and other subjects – Brazil has also taken some important steps:

  • 17 states already have internal standards that regulate the LGPD within their limits;
  • AI (even without a legal framework) has advanced in many sectors (facial recognition, credit granting, medical diagnoses, distance learning, and technological innovation);
  • the LGPD has been increasingly used in labour court rulings and consumer relations (in 2023 there were around 1,200 rulings, while in 2022 there were only around 600);
  • the ANPD has published the Regulation on Dosimetry and Application of Administrative Sanctions (Resolution 4/23) related to infractions involving personal data;
  • the ANPD published its guide for processing personal data for academic purposes and research;
  • discussions have begun about the “monetisation of personal data”, a highly contentious topic (Bill 234/23); and
  • the ANPD published the updated and consolidated version of its guidance on definitions of personal data processing agents and data protection officers (DPOs).

In the coming months, many hot topics will be revisited. Among these are:

  • “monetisation of personal data”;
  • “sharing” personal data contracts;
  • “datapharma” and its regulation (sensitive data);
  • personal data in the banking sector;
  • retention of personal data codes;
  • self-regulation (SROs) and partial self-regulation (ASROs);
  • dispute resolution chambers for matters of personal data;
  • DPOs and work relationships;
  • compliance for personal data;
  • AI regulation;
  • data governance at companies;
  • NFTs and personal data;
  • personal data market and regulation; and
  • contracts for the representation of personal data.

Safe-Harbour Agreements and the Schrems Case

A highly significant issue concerns the decision in the Schrems case. As this case could have many future repercussions in Brazil and other countries, it is important to know a little more about it. Austrian privacy advocate Max Schrems questioned the security of the transfer of his personal data through a famous social media platform, carried out at the time under the EU-US safe-harbour agreement. Schrems argued that Edward Snowden’s revelations about US intelligence agencies indicated a lack of protection against surveillance under US law.

The CJEU invalidated the safe harbour due to the lack of adequate safeguards required by EU law. The EU and the US then negotiated a replacement agreement (the “Privacy Shield”), created as a new recognised basis for data flows in compliance with EU law. But this second arrangement was also later invalidated by the CJEU. The court concluded that certain programmes that give US authorities access to personal data transferred from the EU for national security purposes create limits to the protection of that data. Such limits indicate a lack of protection that is “essentially equivalent” to EU law and mean that data subjects may have no rights actionable in courts against US authorities.

One of the alternatives that emerged was the adoption of “standard clauses”, which were not invalidated by the CJEU, although the court’s recommendation was to assess, in each case, the integrity of the protection offered by them, with the possibility of adjustments or amendments.

Transfer Risk Assessments

Many countries – such as the United Kingdom, through the Information Commissioner’s Office (ICO) – have decided to adopt a very useful instrument, the transfer risk assessment (TRA). This instrument considers two alternatives: a comparison between the situation of data subjects and their data in, for example, the UK (ICO model) or a comparison of a country’s laws and practices with those in the data importer’s jurisdiction (European Data Protection Board model). This involves both knowing the extent to which personal data protection safeguards are similar to those of the domestic regime and questions of access by third parties, especially governments.

The term “omnibus law” generally refers to a comprehensive piece of legislation that covers a wide range of issues or policies. These laws are often enacted to simplify and consolidate laws or regulations into a single set, facilitating their implementation. General laws are typically employed to address complex or interrelated issues that may require multiple changes to existing laws.

On the topic of “personal data”, Brazil, although it has not adopted a strict “omnibus law”, uses the concept to ensure that legislation/regulation subordinate to the Constitution is always in accordance with it in all aspects. If this does not happen, the legislation/regulation will need to be changed or adjusted until it aligns with the Federal Constitution.

Data Protection Officers

The LGPD provides that organisations that process personal data must have a data protection officer (DPO). But the ANPD softened this rule (Resolution 2/22). Therefore, small data processing agents, depending on their profile, are no longer required to have a DPO. For organisations that need to have a DPO, there are some LGPD requirements that need to be met and other good practice rules. For example, the DPO must report to the company’s highest authority, have administrative and financial independence and be the link between the company and the external public.

Criteria for Data Processing

The requirements for processing personal data are all set out in the LGPD, and include everything from the collection process (what data to collect, from whom, how, in what form and for what purpose) to the process of ending the processing (return, maintenance or elimination). The LGPD also establishes where processing authorisation or consent applies, whether it is possible for the data to be shared and how its international transfer takes place.

“Privacy by Design/Default”

These principles are already found, at least in essence, in the LGPD, especially because it aims to ensure that the privacy of data subjects is guaranteed and protected from the beginning, without relying on third parties who have detailed knowledge or understanding of privacy settings. This gives data subjects greater control over their personal data and helps prevent unauthorised access or unwanted use of their data.

Impact Analysis and Privacy Policies

The LGPD has rules that aim to ensure that the processing of personal data is specifically fair, for a lawful purpose, on an authorised legal basis and dependent (if applicable) on a legitimate interest assessment (LIA), the analysis that allows determining whether data processing can even occur based on legitimate interest.

Data Subject Access Rights, Anonymisation and Pseudonymisation, Big Data and AI

One of the principles of the LGPD is that the data subject always has control and ownership of their personal data. This means that they, and only they, can guide the controller over what is possible and what is prohibited to do with their data. This is why the LGPD guarantees data subjects the right to determine the fate of their personal data, as they never lose ownership. For example, it is the data subject who decides on anonymisation, erasure, alteration, storage, and other actions involving their data.

Injury/Harm

As the Constitution establishes the firm concept that personal data is the property of the data subject and that its protection is a fundamental right, any injury (or threat) to this data is treated seriously and data has a high level of protection. Personal data involves material, emotional, financial, reputational, intimate, and family aspects, and an injury (or threat) to personal data represents, in practice, an injury (or threat) to the concept of individual dignity, which deserves the protection that governments give it.

Ordinary and Sensitive Data

Under Brazilian legislation, personal data falls into two categories: ordinary and sensitive. Ordinary data is “common” data that does not intensely affect the privacy or intimacy of its subject. Sensitive data, on the contrary, is data with a greater degree of intimacy and therefore carries a greater need for protection for the subject. Different or intermediate degrees (such as data relating to financial, academic or previous criminal activity) have not yet been included in the legislation.

Ordinary data has “ordinary” protection, that is, common protection; sensitive data has “special” protection, and its processing can only be carried out under specific conditions. For example, ordinary data can be processed if there is a legitimate interest, and this allows for an open range of possibilities; but sensitive data cannot be processed under a legitimate interest, other legal bases applying to them (Article 11, LGPD).

There is a risk that has become common among data controllers: assigning ordinary data the status of sensitive data, just because it seems that certain data, by its nature, “should” be considered sensitive. In principle, the decision is nothing unusual. But it is necessary to remember that if the controller itself decides to reclassify certain data, from ordinary to sensitive, its decision is incorporated into its internal practice, and this is incorporated into its policy, even without a written rule. This means that, after making this decision, it is not possible to go back, and its effects can complicate things for the controller.

Command Data

Although national legislation only talks about common and sensitive personal data, there is a category of data that can complicate things. This is what is known as “command data”. This class includes elements such as tracking, image capture, targeted advertising, active location, behaviour in the media and social networks, provoked responses or comments, among others. Command data is so-called because it is not always personal data generated by the holder, but derived from an external action that leads the holder to produce data that it did not have before that action. This type of data has been gaining in importance, and the tendency is for legislation to also provide it with protection.

Privacy and Public Safety/Public Interest

The LGPD provides that data associated with public safety and public-interest activities can be processed for the purposes of applying criminal sanctions, which signals that, in this case – as the Superior Court of Justice of Brazil recently decided – the collective or social value can outweigh the individual value.

The Right To Be Forgotten

The Supreme Court (RE 1,010,606) has found that the right to be forgotten is not compatible with Brazilian law, and for this reason argued that the passage of time, in isolation, is not a reason to prevent facts from being publicly disclosed.

The boundaries between unsolicited communications and irregular processing of personal data are conceptual rather than concrete. In the EU, “consumption access” may require authorisation (not consent) from recipients, and recommendations continue to be that an individual’s email should not be used for mass communications or pre-ticked boxes for authorisation.

Brazil is preparing to regulate the practice, but only the State of São Paulo (Law 17,334/21) has rules to prevent unwanted calls and unsolicited commercial messages (or active capture of preferences and profiles). In any case, the Consumer Protection Code (Law 8,078, article 39, III) establishes that the supply of unsolicited goods or services is an “abusive practice” and prohibited. Recently, Bill 310/22 went further: it prohibits telemarketing companies from making unwanted contact with people, including automated calls.

Targeted advertising, especially towards more vulnerable people, such as children and the elderly, is also considered abusive and prohibited by consumer law.

The work environment benefits from the concept of privacy. But, in times of remote or hybrid work, it is not simple to define the “workplace”, as it can be the physical environment or a place where the worker performs tasks (home or public place). The consensus seems to indicate that the typical “workplace” is the physical location of the company where the worker provides services.

Companies have been increasingly concerned about personal data privacy in this case, as workers, even outside their physical locations, also need to manage data for their activities. Therefore, the number of companies that have been adopting strict control and privacy policies when processing personal data outside their facilities is only growing, with the signing of confidentiality and non-disclosure terms, digital security commitments and secure data management and information.

Codes of conduct and integrity in personal data privacy and internal personal data processing notices have also become common, and there is almost never any indication that these violate workers’ privacy. The Brazilian Labour Court has already made it clear that employees have an obligation not to violate the personal data of third parties, especially if this is what is expected of their activities in the company.

Another point of caution is that workers who handle large masses of personal data in their activities are always exposed to paid approaches from outsiders seeking to have them provide (or facilitate access to) strategic data (personal or not) to the employer’s competitors or to people dedicated to predatory practices. It is true that Brazilian legislation allows organisations to adopt measures, technological or otherwise, to protect their strategic information and the personal data they process. But it is also true that a significant number of organisations have not yet adequately prepared themselves for this.

As for AI guidelines, Brazil is expected to have a legal framework in place for AI in the coming months, based on ongoing legislative proposals. For now, events related to AI, in the workplace, can be conducted based on the Internet Legal Framework and the LGPD, according to the rules that are applicable.

Brazilian regulators have at their disposal a group of mechanisms to open investigations into violations of personal data guarantee, security, and privacy laws.

According to the LGPD, the ANPD can directly interfere in an organisation’s data processing activities. This can be done in three ways:

  • active regulatory intervention, if the controller has been accused of systematically violating the rights of the personal data subject;
  • suspensive intervention (Article 52, X); and
  • punitive intervention.

In general, the regulator initiates an investigation against the processing agent and assesses the nature and severity of the infractions committed, ensuring a full defence and production of evidence. The main basis for this is the “conduct of the processing agent”, the actions and measures it adopted – or failed to adopt – (which led to the vulnerability of its controls) and the documentation in data processing. Therefore, before even proving the infringement, the regulator can consider the nature and severity of the conduct as a way of arriving at the most appropriate legal assessment.

Classification and Penalties

In general, the regulator considers violations to be direct or indirect, and may include cross-cutting violations. Direct violations result objectively from the agent’s conduct, indirect violations result from the worsening of the effects of its conduct, and cross-cutting violations consider the impact of the violation on other agents and regulators.

The regulator can also apply the penalties provided for in the LGPD, generally in a “verticalised” regime (from least serious to most serious). Penalties may also vary depending on the nature and quality of the infraction, because if the same infraction can be considered and punished by more than one regulator, it is possible that the original penalty will be aggravated by a secondary regulator (one that does not directly regulate personal data).

Class Actions

Private legal disputes over violations of privacy or intimacy are common, including through so-called collective actions, in which different actors come together to protect rights or discuss legal duties that apply to everyone. Collective defence entities have been concerned with the issue of “indistinct privacy” or “collective privacy”. In this case, there are no specific individuals affected by a privacy breach, but an indistinct group of them.

This is the case of personal data leaks. Consumer relations organisations and the Public Prosecutor’s Office have taken a stand on it, especially in relation to data leaks related to payment arrangements articulated by the Central Bank. This is of particular relevance as Brazil is the fourth preferred global target for personal data breaches.

Article 4, III, of the LGPD establishes the so-called “exclusionary principle”. In short, this Article states that the LGPD rules have restricted application when the subject is the processing of personal data related exclusively to public security, national defence, State security or investigation and repression of criminal offences.

Therefore, if data processing is related to these purposes, it will not be fully subject to the LGPD, and the government will not necessarily be obliged to ask the regulator for access to databases of crimes, infractions, and related processes. This does not mean that the authority accessing the data is entirely free to use it as it wishes. This is because another principle of the LGPD, “purpose”, establishes that, once the government declares that access to data is related to the repression of crimes and infractions, it cannot change this purpose to another. For example, the LGPD says that the public administration that accesses the data cannot transfer it to third parties, with exceptions, and that the regulator can act against the government if it violates this legal assumption.

Another aspect to be considered is that the public authority that wants to have access to data in cases of repression of crimes and infractions can go directly to the judiciary, without going through the regulator. But this creates a problem: special instance suppression. Once there is a regulator, only if it refuses to allow access to data can the government ask the judiciary to act on the case.

The issue of “national security” is a problem that has not yet been legally resolved in Brazil. This is an “open concept”, which allows for multiple interpretations, and this lack of definition on Brazil’s part has placed the country in a delicate situation before the world and some organisations, such as the OECD.

The LGPD itself does not have clear rules on the handling of personal data when it comes to “national security”. For example, Article 4 speaks, ambiguously, of “national defence”, a concept that is not always the same as “national security”, which is much broader.

The current situation is that the LGPD (Article 4, III) does not fully apply if the processing of personal data is objectively related to “national defence” and “state security”. In principle, if data processing is intended for one of these purposes, the public agent is not subject to the LGPD, and therefore does not need authorisation from the regulator to access intelligence, state defence or “national security” databases.

As for the OECD, Brazil, although invited to join this entity, has not yet met all the necessary conditions. But the arguments continue, even though the matter is not on the list of priorities of the current government.

Brazil has joined the Budapest Convention on Cybercrime. The document requires each country to maintain the legal authority to compel organisations in its territory to disclose data (including personal) that is in their custody, regardless of whether the organisation also has custody of data from other countries.

This means that Brazil must, even without adhering to an agreement on the free movement of personal data for certain purposes (such as the American Cloud Act), examine requests for data capture and transfer. The Cloud Act (Lawful Use of Data Abroad Clarification Act), passed in 2018 by the United States Congress, is basically the result of the limits of the Stored Communications Act (1986). It determines that US data and communications companies must allow access to customer data, even if their repositories are outside US jurisdiction. This created a problem for the GDPR, which, after the Cloud Act, linked access to data stored in a foreign country to prior judicial authorisation from that country. See 1.8 Significant Pending Changes, Hot Topics and Issues (Safe-Harbour Agreements and the Schrems Case).

But a foreign government’s request based on the Budapest Convention, or an agreement like the Cloud Act, does not indiscriminately give a private organisation the right to request access to personal data included in the government’s request. This organisation, based in Brazil or another country, needs to use its own means to access the personal data it desires, and is subject to scrutiny by legislation and the judiciary.

Privacy and Data Monetisation

The topic of citizen privacy is gaining more and more attention, and debates around it have featured in Brazilian media. One of these issues relates to “data monetisation”, which basically means that an organisation can “commercialise” its database, thus obtaining a financial return. As data (and not just personal data) is an extremely valuable asset (sometimes referred to as virtual gold), monetising it can be advantageous. But what are the limits? What kind of rules can protect the data subject from a leak? How to protect it from the phenomenon of “dispersion” (when data is spread out in such a way that its control becomes, in practice, impossible)?

Agreements Between the State and the Private Sector

Another debate involves the government, which, discreetly, has signed agreements with private entities and representatives of business sectors. The Central Bank, for example, signed co-operation agreements with private entities representing financial institutions. These agreements provide authority for the Central Bank to share a large database (National Civil Identity), which includes sensitive data, such as biometrics. The Federal Public Ministry is investigating the matter, and representations were made, including to the Federal Audit Court (TCU), which found no irregularities in the agreements.

The international transfer of personal data is a topic to be considered carefully. Such transfers may indicate that data, once out of national jurisdiction, is “lost” (or dispersed) forever, especially in regulatory terms.

In the LGPD, international transfers are an exception, both active (from Brazil to abroad) and passive (from abroad to Brazil). Such transfer, according to the LGPD, is only possible:

  • if items II, V and VI of Article 7 of the LGPD are met;
  • if necessary for international legal co-operation between public intelligence, investigation, and prosecution agencies;
  • if necessary for the execution of public order or the legal assignment of public service;
  • if the controller provides and proves a guarantee of compliance with the principles, rights of the data subject and the personal data protection regime provided for under the law;
  • if the data subject gives their consent;
  • if the ANPD authorises it;
  • to countries or international organisations that guarantee an adequate level of data protection (similar) to that provided for in the LGPD;
  • when intended to protect the life or physical safety of the holder or third parties; and/or
  • when it is the result of a commitment under an international co-operation agreement.

Importing data via international transfer is possible based on:

  • data filters;
  • formalisation;
  • judicialisation of the transfer (this is not processing subject to the LGPD, per Article 4, IV);
  • source conformity level;
  • the use of transfer; and
  • verification of Brazilian destination.

The international transfer of personal data, according to the LGPD (and the GDPR), is a typical data processing activity and must meet legal conditions, including derogations (specific authorisations that consider knowledge of the risks involved).

These conditions include that the transfer:

  • cannot include more data than necessary;
  • must be done on a legal basis;
  • must be naturally informed;
  • must be subject to one of the derogation possibilities (LGPD, Article 33 or GDPR, Article 9, Section 2);
  • must be subject to real measures to protect and contain risks; and
  • must have a fair, legitimate and non-prohibited purpose.

As for multilateral mechanisms, the transfer (especially international) of personal data must be regulated in a Personal Data Transfer Agreement (PDTA), with rules that guarantee the bilaterality of the data communication contract. Additionally, a data privacy notice is highly recommended.

The legal hypotheses that allow the international transfer of personal data are in the LGPD (Article 33). The transfer cannot be made without these derogations.

One of these hypotheses establishes that the regulatory body can authorise the transfer, but this requires that the event meets one of the legal bases of the LGPD. Although the government has decided to carry out an international transfer of data, the case must fall within Article 33 of the LGPD, and even then, it is up to the regulator to evaluate the “transfer conditions”, provided for in Article 35.

In general, public persons referred to in the Access to Information Law (Article 1) may request the regulator, before international data transfer, to assess the degree of data protection afforded by the country or international organisation that will receive the material.

Regarding personal data localisation, a point of interest is that Brazilian legislation has adopted the “principle of irrelevance of location” (Article 3). The point where the data is located (or stored) is not significant for law enforcement.

But this depends on the following conditions:

  • the personal data to be processed is collected in Brazil;
  • the processing operation must be carried out in the national territory; and
  • the purpose of the processing activity is to offer or supply goods or services, or process the data of natural persons located in the national territory.

Data that, due to its nature, purpose, quality, scope, and content, must remain in Brazil, cannot be transferred, such as personal data used by research bodies in public health studies (LGPD, Article 13, Section 2).

The sharing of personal data with third parties is an exception to the usual obligations on a data controller, because this data should normally remain under its custody, so that the data subject’s privacy is protected. But, if sharing is necessary, some rules must be observed. GDPR rules require that all shared personal data be encrypted, which includes thinking about security systems for managing keys. Under the LGPD, there is no obligation for encryption, but a requirement that secure techniques be put into practice to make personal data unintelligible, and the most obvious solution to such a requirement is encryption.

There are no explicit rules in the LGPD on how key elements (source codes, software and other technical data) should be shared with the government; this subject requires further regulatory guidance in Brazil.

It is possible for public and private entities to share personal data, as long as they comply with Article 25 of the LGPD and the data is used for public purposes, in the public interest, in the exercise of legal powers or in the fulfilment of legal public service duties.

In addition, sharing does not necessarily mean a violation of copyright protection, as algorithms, for example, are not always seen as “intellectual products” (Law 9,610/98, Article 8, I). But it is necessary to consider that sharing typical intellectual creations – such as source codes – can lead to legal disputes (Law 9,609/98, Article 2, paragraph 5).

Agents who collect or transfer personal data in connection with requests from a foreign government are subject to the LGPD, provided that the data was collected in Brazil and that at least one processing activity was carried out in the country (Article 3). According to Article 3 of the LGPD, it is irrelevant whether the agent is located in Brazil or abroad, as what establishes the application of Brazilian data law is the place where the data was collected and where it was subjected to processing. In the case of an international data transfer between an organisation and the entity that contracted it, however, the transferee is subject to the LGPD transfer rules – ie, a legal basis (Articles 7 and 11) and a purpose will be required, in accordance with Article 33 of the LGPD.

Blocking statutes of this type are becoming increasingly widespread, and their rules provide for limitations that, if they do not prevent practices involving personal data, create conditions that processing agents must comply with before acting.

Even though blocking statutes are not always related to the protection, security and privacy of personal data (as this is not always their focus), it is undeniable that one of their effects is to create difficulties for practices that would otherwise be permitted.

An example is the EU GDPR, which has already been seen as a blocking tool for transfers of personal data to non-EU agencies (applying Article 49(1)(d)) when it comes to “important reasons of public interest”.

This was made most evident by the US District Court decision (2019), which calls for an answer as to whether the GDPR is in fact a blocking statute under US law.

Some of these topics are addressed, directly or indirectly, by the LGPD, such as facial recognition, biometrics, pictorial data processing, personal distinction, profiles, metadata and reverse data.

Drones

There is still no specific comprehensive legislation on drones in Brazil. Some standards (such as Special Civil Aviation Regulation 94/2017 of the National Civil Aviation Agency) try to overcome this gap, especially regarding the need to preserve the private life and intimacy of individuals.

Big Data

The mass (intensive) acquisition of personal data is strongly impacted by the LGPD. Article 20 establishes that it is the data subject’s right not only to know on what legal basis decisions were made regarding them, but also to request corrections, changes and repair of abuses.

AI and IoT

Law 14,108 (the “IoT Law”) is not the legal framework for the subject, but it creates government incentives for technologies focused on IoT. Brazil does not yet have a legal or regulatory framework for AI. At this moment, the most relevant and current initiative is Bill 2,338/23.

Dark Patterns (DPs)

Dark Patterns are user interface elements that, through attention-grabbing items, colours, positioning, flashing elements and other artificial techniques, try to induce the individual to opt for something that, in fact, they did not want to buy or use.

The Consumer Protection Code conceives of dark patterns as a type of misleading advertising. This is because this Code establishes that it is the consumer’s basic right to have access to “adequate and clear information about different products” and determines that “coercive or unfair commercial methods”, which include dark patterns, are abusive and illegal.

Profiling or Micro-targeting

The subject of “profiling” has been under discussion for years, but only with privacy laws has its relevance become evident. For the GDPR, “profiling” is “any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular, to analyse or predict aspects concerning the work of that natural person, their economic situation, health, personal preferences, interests, reliability, behaviour, location or movements”.

The Brazilian data law, the LGPD, goes even further, and says that personal data is considered to be any data used in generating the profile of an identified person (Article 12). This means that the elements that form the profile, and the profile itself, can be under the protection of the law, including the rights and duties it establishes, as stated in the LGPD (Article 20).

But is it just the formation of a profile that must comply with legislation? It seems clear that profiling, as well as its potential variations (microtargeting, etc), since they are based on the same principles and concepts (tagging people with a defined objective), must be evaluated under data protection legislation.

Fiduciary Duty

Brazilian legislation states that a bond is formed between the controller and the holder, and this requires the controller not only to comply with the legislation, but also not to frustrate the legitimate expectations of the holder.

Brazil does not yet have specific regulations on digital governance (or on personal data, or AI) and nor has it implemented a regular practice in this field, even though the LGPD provides one (under Article 50) and recommends the introduction of general governance practices in organisations.

In fact, organisations create governance committees themselves, generally linked to their DPO, so that issues such as risks, compliance, standards, management and documentation can be addressed on a legal and technical basis.

There are no specific cases on the protection of personal data involving repercussions and penalties in Brazil’s recent history. However, it is worth remembering that the number of lawsuits related to this issue is only increasing, and has now reached the thousands, which means that the ANPD, at some point, will need to get involved in these cases.

Talking about personal data and its protection in Brazil is still new, but a good number of due diligence processes are starting to value the search for compliance in the processing of personal data related to transactions between companies.

Cases of investment planning and strategic partnerships are requiring partner, invested, or synergistic companies to present a compliance diagnosis related to the LGPD and, in several cases, a diagnosis connected to the GDPR.

This may include:

  • analysis of operators and sub-operators;
  • collection of data protection documents (policies, procedures, protocols, and guidelines);
  • consultation on the history of incidents involving personal data and communications to the ANPD, other regulatory bodies, and data holders;
  • information on judicial or administrative proceedings relating to the LGPD;
  • measurement of the flow of service to the demands of holders and those involved in the service;
  • the value of personal data;
  • the value of the need to comply with other laws in international transfers;
  • the value of the systems used in processing activities;
  • verification of the privacy framework, whether there is a DPO, and a privacy committee; and
  • verification of the technical and organisational measures adopted in the processing of personal data.

There is still no specific legislation in Brazil that requires disclosure of an organisation’s cybersecurity risk profile.

This can be explained as follows: in personal data protection, the country needs to make progress before instituting a cybersecurity or personal data security classification; and this classification depends on the maturity of data security and privacy concepts and principles.

The activities of assessing, measuring and monetising the risks of processing personal data are new in the country, and the criteria are not yet very clear. One example is vulnerability analysis for classes and categories of manipulated data. This kind of analysis evaluates four pillars: compliance with legislation and safety standards, gaps that could give rise to security incidents, resilience to potential threats (internal and external), and the protection systems implemented.

Key trends in terms of data protection and privacy (including in regard to personal data) include the following.

  • The Digital Services Act (DSA) has started to apply to online platforms and large search engines. In Brazil, a similar law is being discussed, which would act on open and closed digital markets (NFTs, certificates, electronic business chains, among others).
  • A Bill on the AI Legal Framework is under discussion, and everything indicates that it will be accelerated by the approval of the AI Act in the EU. This indicates that many important concepts will be incorporated into the framework, such as the principles of “innovation” and “logical precision”.
  • The ANPD is considering approving specific rules on the sharing of personal data (including sensitive ones, under certain conditions) between controllers, in order to reduce the risks of data dispersion.

The most significant topics for data protection regulation in Brazil include:

  • data processing in environments regulated by other authorities;
  • DPO technical and operational standards policies;
  • leading security incident investigations in the case of agents and members of different organisations;
  • massive (intensive) data processing (regulation and limits);
  • monetisation and demonetisation of personal data;
  • permanent international transfer of personal data;
  • personal data as a legacy in international transactions;
  • service level agreements on personal data processing compliance; and
  • sharing of public databases and their effects.

Lopes Pinto, Nagasse Advogados

Rua Helena, 235
Vila Olímpia
São Paulo
Brazil
04552-050

+55 11 2665 9200 / 11 98311 0108

+55 11 2665 9200

contato@lopespinto.com.br www.lopespinto.com.br