The Brazilian National Data Protection Authority (“ANPD”), a special federal authority linked to the Ministry of Justice, has as its main purpose ensuring the protection of personal data in accordance with the Brazilian General Data Protection Law (Law No. 13,709, of August 14, 2018, “LGPD”). The ANPD, with technical independence and decision-making power, is responsible for regulating, supervising, and providing guidance on the application of data protection legislation.
In 2024, the ANPD played an active role, having approved relevant resolutions for the application of the LGPD and initiated monitoring and sanctioning proceedings against controllers who allegedly failed to comply with the LGPD provisions. We highlight below the most relevant developments of ANPD’s activities:
Resolution CD/ANPD No. 15: Security Incident Communication Regulation
On April 24, 2024, the ANPD approved Resolution CD/ANPD No. 15, which establishes procedures and criteria that controllers must follow to report security incidents to the ANPD and data subjects, in cases in which security incidents may pose significant risk or damage to data subjects.
This resolution determines the deadlines, procedures, and criteria to be met by controllers to communicate security incidents to the ANPD and data subjects, in cases in which security incidents may cause relevant risk or damage to data subjects, in addition to establishing the deadlines and criteria for the registration and storage of incidents.
The resolution also defined the procedure that the ANPD can launch to investigate data incidents and the measures that the ANPD may request from controllers to safeguard the rights of data subjects.
Resolution CD/ANPD No. 18: Regulation on the Role of the DPO
On July 16, 2024, Resolution CD/ANPD No. 18 was approved, which details the role of the Data Protection Officer (“DPO”), defined by the ANPD as the person appointed by the controller and processor to act as a communication channel between the controller, data subjects, and the ANPD.
The resolution provides criteria regarding the requirements for the appointment of the DPO, establishing the required formalities for the appointment of the DPO and the requirements for the disclosure of the DPO’s information, in addition to outlining the DPO’s responsibilities, activities, and duties, and criteria for the prevention and identification of conflicts of interest related to the performance of the DPO’s duties.
Resolution CD/ANPD No. 19: International Data Transfer Regulation
On August 23, 2024, the ANPD published Resolution CD/ANPD No. 19, which addresses international data transfers and the content of standard contractual clauses, regulating articles 33 to 36 of the LGPD. The resolution establishes procedures and rules to ensure a level of data protection equivalent to that established by the LGPD in data transfers to other countries or international organizations, or when the controller offers guarantees of compliance with the data protection regime provided by the LGPD by means of contractual clauses or global corporate rules.
The resolution also established the need to adopt procedures compatible with international best practices to ensure the secure flow of data across borders. The resolution imposes responsibility and accountability on controllers for international data transfers, requiring effective measures to ensure compliance with the principles, rights, and obligations established by the LGPD. Additionally, it emphasized the need for transparency in international data transfers, enabling data subjects to be fully informed about the transfer of their data to foreign countries.
Moreover, Resolution CD/ANPD No. 19 published standard contractual clauses to establish minimum guarantees and valid conditions for carrying out international data transfers.
Sanctioning and Preventive Measures
Regarding administrative sanctions, in 2024 the ANPD enhanced its enforcement measures, imposing sanctions on three Brazilian public entities. The first sanction was imposed on the Regional Department of Education of the Federal District (“SEEDF”), which received four warnings from the ANPD due to several irregularities in its activities, including inadequate maintenance of records related to personal data and failure to prepare the Data Protection Impact Assessment after it was requested by the ANPD.
The second sanction was imposed on the National Social Security Institute (“INSS”), for failing to notify data subjects about a security incident that occurred between August and September 2022, which may have exposed personal data. The ANPD required the INSS to disclose the violation on its website and in the app “Meu INSS” for 60 days and to send notifications to all app users about the incident.
The third sanction was imposed on the Brazilian Ministry of Health due to a security incident in 2022 involving its registration and access permission system. The Ministry of Health was punished with two warning sanctions for failing to notify the security incident to data subjects and the ANPD, and for lacking adequate security measures.
According to the ANPD’s website, three additional administrative sanctioning proceedings are ongoing against the Ministry of Health and the Secretariat of Social Development, Children, and Youth – SDSCJ (for failing to notify data subjects of a security incident and lacking security measures) and Bytedance Brasil Tecnologia Ltda. – TikTok (for practices inconsistent with the best interests of children and adolescents).
In addition to administrative sanctions, the ANPD also applied preventive measures and initiated relevant monitoring proceedings. Notably, on July 2, 2024, ANPD applied a preventive measure against Meta Platforms, ordering the immediate suspension of the company’s new privacy policy. The policy allowed the use of personal data collected on its platforms, such as Facebook, Messenger, and Instagram, to train Meta’s generative artificial intelligence system, Llama 3. As Meta presented an updated Compliance Plan, with several measures to enhance transparency in personal data processing and align its practices with the LGPD requirements, as well as committing not to use data from children’s and adolescents’ accounts to train its AI system, the ANPD approved the plan and determined its monitoring by the General Coordination of Oversight.
Moreover, on December 17, 2024, the ANPD ordered X Corp. to suspend the processing of data from children’s and adolescents’ accounts to train its generative AI system, among other preventive measures imposed under the monitoring proceeding.
The ANPD also announced the initiation of a monitoring proceeding against twenty large companies that failed to appoint a DPO or provided ineffective communication channels.
Regulatory Agenda for 2025-2026: Focus on Transparency and Security
On December 9, 2024, Resolution N. 23 was published to approve the ANPD’s regulatory agenda for the 2025–2026 biennium. The agenda defined regulatory initiatives and processes to be implemented by the ANPD in four phases. According to the resolution, the ANPD will prioritize the initiatives outlined in the agenda in its actions and plans, with focus on data subjects’ rights, such as the rights to access, correct, and eliminate personal data. Requirements for sharing and processing personal data between the public and private sectors will also be established to ensure greater security and transparency. The protection of minors’ data, especially in digital environments, and the use of biometric data are also priority matters.
Regarding security measures and artificial intelligence, the resolution provides that the coming years will focus on establishing minimum security standards for personal data processing in order to prevent unauthorized access and privacy violations. Additionally, the agenda includes matters such as processing of health data, data subjects’ consent, and protection of credit data.
For more information about the LGPD and the ANPD’s activities, contact Saud Advogados.