On August 14, 2024, Brazil celebrates the 6th anniversary of the General Data Protection Law (LGPD). The legislation marked progress in the protection of privacy and personal data in the country. Approved on August 14, 2018, the LGPD came into effect in September 2020, with sanctions applicable from August 2021.
The LGPD defines personal data as any information that can identify or make identifiable a natural or legal person, such as name, CPF, RG, email and other data. The main purpose of the LGPD is to ensure that this data is used safely and transparently, avoiding misuse and ensuring the protection and legal security of citizens.
In May 2021, two years after the enactment of the LGPD, the Federal Supreme Court (STF) recognized the protection of personal data as a fundamental right. This recognition was included in the Federal Constitution in February 2022, through Constitutional Amendment No. 115/22. The Federal Constitution of 1988 had already established the rights to privacy and confidentiality of communications, but personal data protection only recently became part of the constitutional text. Laws such as the Internet Civil Framework and the Access to Information Law were important precursors that contributed to the formulation of the LGPD.
After the enactment of the law, companies needed to adjust to the new legislation, adopting specific practices. This involved the creation of privacy policies and procedures, employee training and the implementation of information security technologies. The LGPD establishes fines and sanctions for non-compliance, which, in theory, encouraged companies to comply with the law.
However, the LGPD is still not fully complied with in some parts of the country. A survey conducted by the LGPD Brasil portal showed that, even with the obligation, only 16% of companies in the country are in compliance with the law. This reveals that, although there is already a certain awareness about the law, it is still quite concentrated in large urban centers, and it is necessary to take this knowledge to other regions of the country.
Lucas Maldonado D. Latins, a lawyer and specialist in digital law from FGV, points out that one of the biggest challenges for compliance with the LGPD is the lack of knowledge about the law and how it affects companies' operations. Many organizations still do not know that the legislation applies to their area of activity. The lawyer notes that the legislation covers companies from various sectors, such as finance, education and retail. Everyone must comply or they are subject to sanctions.
For him, the provisions on data protection were scattered across various laws, making the interpretation and application of these rights difficult. "The unification promoted by the LGPD brought clarity and cohesion to the Brazilian regulatory framework." Furthermore, we had the creation of the National Data Protection Authority (ANPD) to ensure oversight and compliance with the law, he comments. Today, the ANPD is responsible for issuing resolutions and guiding documents that help data processing agents understand and comply with their obligations.
What to expect for an increasingly technological future
Although the regulatory framework has advanced significantly since its implementation, there are several issues that still need to be addressed by the National Data Protection Authority (ANPD) to ensure that the application remains effective.
One of the topics in focus is the regulation of international data transfers. In 2022, the ANPD launched a public consultation to create guidelines on how personal data can be sent outside Brazil. The LGPD requires that these transfers be made in a way that ensures the adequate protection of data in other countries. To that end, the ANPD needs to establish clear rules, including on which countries it considers to have protection levels compatible with Brazilian legislation.
Another point is the regulation of Artificial Intelligence (AI). So far, Brazilian legislation does not specifically address the use of AI in relation to data protection. The ANPD is participating in the discussions of Bill No. 2.338/2023, which aims to establish a legal framework for AI and is being evaluated by the Federal Senate.
The lawyer emphasizes that one of the most important points is that companies establish the technical and administrative security measures necessary for the protection of personal data. These guidelines may include minimum security standards, use of cryptography, firewalls and access policies. Implementing each of them is a way to prevent security incidents, such as data leaks, and ensure that the information is protected against unauthorized access.