Brazil
Data protection
1. Local data protection laws and scope
For instance, "Bill 522/2022" aims to define "neural data" and regulate its processing. "Bill 4374/2020" seeks to limit the sharing of consumer personal data for credit protection purposes. Additionally, "Bill 365/2020" proposes to include philanthropic entities in the list of exceptions to the application of the LGPD.
2. Data protection authority
National Authority of Data Protection ("ANPD")
3. Anticipated changes to local laws
The LGPD came into force on 18 September 2020. However, the law was amended in 2020, postponing the application of the administrative sanctions to 1 August 2021.
4. Sanctions & non-compliance
Administrative sanctions:
- Warning;
- A one-time fine of up to two percent (2%) of the entity, group, or conglomerate's revenue in Brazil for the last fiscal year, limited to BRL fifty (50) million per infraction;
- Daily fine, subject to the limit mentioned above;
- Public disclosure of the infraction;
- Blocking of personal data related to the infraction for regularization;
- Deletion of personal data pertaining to the infraction;
- Partial suspension of the database operation involved in the infraction for a maximum period of six (6) months, extendable for an equivalent period;
- Suspension of the personal data processing activity related to the infraction for up to six (6) months, extendable for the same duration;
- Partial or total prohibition of activities related to data processing.
Criminal sanctions:
None.
Others:
Individual claims for damages and losses caused by the violation of personal data. Class actions and claims from Consumer Protection Units and the Public Prosecutor for damages and losses due to violations of the data subject's personal data.
5. Registration / notification / authorisation
Provision exists for notifying the ANPD and data subjects of security incidents that may pose a risk or cause relevant damage to data subjects. However, there is no requirement to register data processing activities, databases or cross-border flows with the ANPD. Additionally, there is no provision requiring payment of a data protection fee.
6. Main obligations and processing requirements
The controller and processor are the two categories of "processing agents" as defined by the LGPD, and both are required to comply with the principle of good faith and the following principles: purpose, adequacy, necessity, free access, data quality, transparency, security, prevention, non-discrimination, liability, and demonstration of compliance with the law.
Data processing is lawful only if it meets at least one of the criteria set forth in Article 7 (for personal data) or Article 11 (for sensitive personal data). Both the controller and the processor are obligated to keep records of personal data processing activities. The controller is required to, and the processor has the option to, appoint a Data Protection Officer (DPO). The DPO serves as a liaison between the controller, the data subject, and the ANPD. Controllers and processors are responsible for implementing security, technical, and administrative measures to protect personal data from unauthorized access and any illegal or accidental incidents that may result in destruction, loss, alteration, communication, or any form of improper or unauthorized access.
In case of any security incident that could pose a risk or cause significant damage to data subjects, the controller is mandated to notify both the ANPD and the affected data subjects.
7. Data subject rights
The data subject has the following rights:
- confirmation of existence of personal data;
- access to their data;
- correction of incomplete, inadequate or out of date data;
- anonymization, blocking, or erasure of data that is unnecessary, excessive, or processed in non-compliance;
- portability of their data to another service or provider;
- erasure of personal data that was obtained based on consent;
- information about the sharing of their data with both private and public entities;
- information about the right to refuse consent and the consequences of such refusal;
- revocation of consent at any time;
- lodging a complaint regarding the processing of their data to the ANPD;
- opposition to the processing of their data obtained without consent, if it is not in accordance with the law; and
- requesting a review of automated decisions made using their personal data that may impact their interests.
8. Processing by third parties
The LGPD does not lay out specific provisions regarding data processing by third parties. When a third party acts as a processor (processing data in the name of and on behalf of a controller), this third party is accountable to the controller. However, the controller retains ultimate liability towards the data subjects.
9. Transfers out of country
The international transfer of personal data is allowed in the following cases:
- to countries or international organisations that provide the appropriate level of personal data protection required by the LGPD;
- when the controller ensures compliance with the principles, data subject rights and data protection regime established in the LGPD, as assured by one of the following:
  - specific contractual provisions for a given transfer;
  - standard contractual clauses;
  - binding corporate rules;
  - stamps, certifications or codes of conduct;
- for international legal cooperation between government intelligence, investigation and police bodies;
- when necessary to protect the life or physical integrity of the data subject or a third party;
- upon authorisation from the ANPD for such transfer;
- as part of a commitment under an international cooperation agreement;
- for the execution of a public policy or legal function of public utility;
- when the data subject has given explicit and highlighted consent for the transfer, having been previously informed about the international nature of the operation, clearly distinguished from other purposes;
- where required for (a) compliance with a statutory or regulatory obligation by the controller, or (b) whenever necessary for the performance of agreements or preliminary procedures relating to agreements to which the data subject is a party, at the request of the data subject, or (c) in the regular exercise of rights in lawsuits, administrative or arbitration proceedings.
On 19 August 2024, the ANPD issued Resolution No. 19/2024, regulating the procedures and rules applicable to international data transfers through adequacy decisions, specific contractual clauses, standard contractual clauses, or binding corporate rules.
10. Data Protection Officer
An individual or legal entity must be appointed by the controller to act as a point of communication between the controller, data subjects, and the ANPD.
This appointee is responsible for:
- accepting complaints and communications from data subjects, providing clarifications, and taking necessary actions;
- receiving communications from the ANPD and implementing appropriate measures;
- instructing staff and contractors about data processing practices;
- performing other duties as assigned by the controller or as established by supplementary rules.
While it is not mandatory for processors to appoint a DPO, doing so has become an industry standard. In addition, according to Resolution 02/2022 from the ANPD, small-scale data controllers may, but are not required to, appoint a DPO. However, they must still provide a communication channel with data subjects to fulfil obligations regarding accepting complaints and communications from data subjects, providing clarifications, and taking necessary actions.
On 16 July 2024, the ANPD issued Resolution No. 18/2024, setting out ground rules for the appointment of the DPO and their mandatory duties, and expressly prohibiting the DPO from acting in situations where a conflict of interest is present.
11. Security
The LGPD does not specify particular security measures that must be implemented by controllers or processors. However, it does allow for the ANPD to establish minimum standard technical security measures. Both controllers and processors are required to implement security, technical, and administrative measures to protect personal data from unauthorized access and from illicit or accidental incidents that could lead to destruction, loss, alteration, communication, or any other form of illicit or inadequate access.
12. Breach notification
Under Resolution No. 15/2024, the controller is obligated to report any confirmed security incident affecting the confidentiality, integrity, availability or authenticity of personal data. If the incident poses a risk or could cause significant harm to data subjects, the report shall be made to both the ANPD and the data subjects within three business days of becoming aware of the incident. Additionally, it may be prudent to report such incidents to the company's sector-specific regulator or consumer protection units, especially if the incident relates to consumer relations.
13. Direct marketing
Although the LGPD does not specifically address direct marketing, there is a general consensus that processing data for direct marketing purposes requires the consent of the data subject.
14. Cookies and adtech
The LGPD does not specifically deal with cookies and adtech, but it is understood that the data processing for cookies and adtech requires the data subject's consent.
The ANPD has published an orientational guide towards Cookies and Personal Data Protection recommending:
- preparation and publication of a specific policy/privacy notice towards cookies (which shall not be confused with the cookie banner);
- providing a button that allows the user to reject all non-essential cookies in both first- and second-level banners;
- providing an easily accessible link so that the data subject can exercise their rights, which may include, for example, learning more details about how their data is used and about the retention period, as well as requesting the deletion of data, opposing the processing, or revoking consent;
- in the second-level banner:
  - classify cookies into categories;
  - describe the cookie categories according to their uses and purposes;
  - provide a description and simple, clear, and precise information regarding these purposes;
  - allow consent to be obtained for each specific purpose, in accordance with the categories identified, where applicable;
  - disable consent-based cookies by default;
  - provide information on how to block cookies through browser settings. If the cookie or tracker cannot be disabled via the browser, the data subject should be informed accordingly.
15. Risk scale
Moderate
16. Useful links
- LGPD (Portuguese)
- ANPD Guides, Regulations and Other publications (Portuguese)
Cybersecurity
1. Local cybersecurity laws and scope
Although Brazil does not have laws exclusively dedicated to cybersecurity, several existing laws and regulations incorporate cybersecurity principles and rules:
- The Consumer Code and the Internet Act set forth certain principles and rules related to cybersecurity.
- The Criminal Code (Decree Law 2,848/1940) defines crimes such as "invasion of a computing device," "theft by fraud through an electronic device," and "electronic fraud."
- The LGPD applies to all categories of personal data, encompassing both offline and online data.
- Federal Decree 11,856/2023 establishes the foundational principles for a National Cybersecurity Policy (PNCiber).
2. Anticipated changes to local laws
Despite the absence of a specific cybersecurity law or dedicated regulator in Brazil, significant steps have been taken with the introduction of the National Cybersecurity Strategy (E-Ciber) in 2020:
- E-Ciber aims to position Brazil as a "country of excellence" in the cybersecurity sector.
- It outlines ten strategic objectives to bolster cybersecurity, including centralizing the national cybersecurity system, increasing international cooperation, improving cyber governance in both public and private sectors, and enhancing the protection of critical infrastructure.
- E-Ciber also anticipates the development of a new cybersecurity law, which has not yet been realized.
In December 2023, the Federal Government issued PNCiber, setting out specific principles and objectives. These are to be achieved through the implementation of the updated version of E-Ciber issued in August 2025 and the forthcoming National Cybersecurity Plan.
3. Application
Not applicable.
4. Authority
Brazil does not have a regulator specifically dedicated to cybersecurity. Instead, the responsibility for regulating cybercrime falls under the purview of the Ministry of Justice and Public Security.
5. Key obligations
Not applicable.
6. Sanctions & non-compliance
Administrative sanctions:
Under the LGPD:
- warning;
- fine of up to 2% of the entity's, group's or conglomerate's revenue in Brazil in its last fiscal year, limited to BRL 50 million per infraction;
- daily fine;
- publication of infraction;
- blockage of personal data that relates to infraction for regularisation;
- erasure of personal data that refers to infraction.
Criminal sanctions:
- "Invasion of a computing device": Imprisonment for up to four years and a fine, with the potential to increase by up to two-thirds if the breach results in economic loss.
- "Theft by fraud through an electronic device": Imprisonment for up to eight years and a fine.
- "Electronic fraud": Imprisonment for up to eight years and a fine.
Others:
Individual claims for damages and losses caused by the violation of personal data. Claims from the Consumer Protection Units and the Public Prosecutor for damages and losses caused by violations of the data subject's personal data.
7. Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)?
CERT.br is the Brazilian National Computer Emergency Response Team.
A list of CSIRTs can be found here: www.cert.br
8. National cybersecurity incident management structure
N/A
9. Other cybersecurity initiatives
A cybersecurity law as envisaged by E-Ciber, which has yet to materialise.
10. Useful links
- CERT https://www.cert.br/csirts/
- E-Ciber (Portuguese) https://www.planalto.gov.br/ccivil_03/_ato2019-2022/2020/decreto/d10222.htm
- PNCiber (Portuguese) https://www.planalto.gov.br/ccivil_03/_ato2023-2026/2023/decreto/D11856.htm