In the past six months, Brazil’s National Data Protection Authority (ANPD) has demonstrated a proactive approach to enforcing the Brazilian Data Protection Law (LGPD). This law applies to any entity processing personal data of individuals in Brazil, regardless of the entity’s physical presence in the country. As a result, all organizations that handle Brazilian personal data must establish comprehensive data privacy policies to comply with the law.
The ANPD has issued several new regulations to clarify and strengthen the requirements under LGPD. One of the notable regulations outlines the roles and responsibilities of data protection officers (DPOs), mandating that all data controllers appoint a DPO to ensure data privacy practices align with the LGPD. This move emphasizes the importance of internal data governance structures in complying with Brazilian data laws.
Additionally, the ANPD has taken steps to limit how global companies use Brazilian data. For instance, it ordered Meta Platforms Inc. to stop using personal data from social media for training artificial intelligence systems. This action reflects the authority’s concerns about the use of personal data in AI and underscores its commitment to protecting data from misuse in technological applications.
The ANPD has also focused on transparency and international data handling. It introduced requirements for disclosing security breaches to affected individuals and the authority itself and issued a mandate for the National Social Security Institute to publicly announce data breaches. To further safeguard international data transfers, the ANPD has released standard contractual clauses that entities can implement, reinforcing Brazil’s stance on controlled data exchange beyond its borders.
Reference:
