Five years ago was enacted the Brazilian Personal Data Protection Law, named “LGPD”.

Despite its young age, the seed of privacy and data protection has already been sown in Brazil since the promulgation of the Federal Constitution in 1988, when at that time it was established as a fundamental right of the individual: the inviolability of intimacy, private life, honor and image, as well as the right to inviolability of the secrecy of correspondence and telegraphic communications, data and telephone communications.

Subsequently, rules such as the Consumer Protection Code, enacted in 1990 and the Brazilian Civil Rights Framework for the Internet, of 2014, began to establish specific conditions for the use of individuals’ personal data, within the scope of consumer relations in the online environment, as well as rights to the respective data subjects due to the use of their data.

However, only after the publication of the European personal data protection regulation (GDPR-EU) on 2018, which would significantly change the global scenario on the subject, Brazil launched the LGPD, thus consolidating all the rights and guarantees that were then provided for in sparse legislation in our country, as well as the obligations in relation to the processing of personal data both in physical and digital media.

Over the last few years, the LGPD has been continuously structured and applied gradually, through the publication of regulations widely discussed with citizens and the dissemination of guidelines and interpretations developed by authorities and scholars on the subject.

In this regard, we highlight that since it began to act officially in 2021, the ANPD (National Authority for the Protection of Personal Data), the body responsible for overseeing compliance with the LGPD, has been maintaining an intense regulatory agenda, publishing resolutions, especially with the purpose of making the rules for the processing of personal data provided for in the LGPD enforceable.

On 2022, the protection of personal data was also promoted to the category of fundamental right provided for in the Federal Constitution, alongside privacy, according to item LXXIX included in 2022 by Constitutional Amendment No. 115 and, as of 2023, the ANPD began its sanctioning procedures when it applied its first penalty of fine and warning against a teleservice company, thus inaugurating its punitive action in case of non-compliance with the LGPD.

It should always be stressed that the LGPD is part of mechanisms to protect the natural person and their wills, especially in face of companies that aim to use personal data in an improper and unethical manner, and against criminal groups that act based, above all, on the lack of security as required by the aforementioned legislation.

Since its publication in 2018, it has taken almost 3 years for companies to adapt its internal rules to the legislation and adopt policies and implement procedures for the processing of personal data in an organized, justified and transparent manner for the data subject.

Therefore, it is not without reason that in recent times, we have been intensively notified about the use of cookies on websites, to be invited to read and learn about the various privacy policies of the companies, as well as to consent to the use of our data both in the digital and physical environment. Also, we started to hear much more frequently about the occurrence of data leaks and cyber crimes and how we can be compensated for losses and damages resulting from such occurrences, with many cases brought to the courts.

All of this has been part of the application and development of the LGPD which, despite being young, is already in fact a reality in Brazil. However, there is still much to be done, especially by companies in relation to the processing of data in an adequate and transparent manner, as well as by data subjects, who must be aware of the self-care they must assume in relation to the provision of their data.

Without prejudice to the sanctioning activity, the expectation in terms of governmental behavior is that ANPD will continue to act in an educational manner for a few more months, providing the regulation of essential topics for the application of the LGPD as a whole, especially in relation to the exercise of the rights provided for in the legislation, the processing of data of children and teenagers, as well as the international transfer of data that are on the 2023/2024 regulatory agenda.

Finally, we remind you that before establishing rules and obligations, the LGPD was created to guarantee and protect the rights of individuals and must be respected as a matter of legal compliance.

In order for you to continue receiving up-to-date information on the developments of the LGPD, follow Emerenciano, Baggio & Associados – Advogados publications on their Instagram profile: @emerencianobaggio and on their blog:

This content is for informational purposes only and does not consist of any type of consultancy, recommendation or technical and/or legal guidance for specific cases regarding the topics addressed herein.