Members of the CNPD, sector entities, research organizations and experts indicate the achievements resulting from the LGPD and point out which topics are priorities in the near future.

In its 5 years of existence, the General Data Protection Law (LGPD) has faced setbacks and uncertainties, but has consolidated itself as an important tool for a society based on the digitalization of the economy. The path has been tortuous since its sanction in 2018, under the Michel Temer government, which took place after much negotiation. In the following government, uncertainties arose regarding the viability of the National Data Protection Authority (ANPD), as director Miriam Wimmer pointed out.

But the authority was no longer just a matter of paper and the body was given the autonomy of a special agency. It approved essential regulations to begin monitoring abuses related to data privacy and fined a company in the first half of this year, 33 months after it was created.

In this second text about the five years of the LGPD, Tele.Síntese gathered opinions from entities, activists and members of the National Council for Data Protection and Privacy (CNPD), an advisory body of the ANPD, regarding the achievements made in relation to the law and what the future challenges will be. Check it out:

Fabricio da Mota Alves, partner at Serur Advogados and member of the CNPD

Achievements: “Due to legal liability, organizations have been undergoing internal transformations, reviewing operational flows and IT systems, creating a new role to house the work of the Data Protection Officer with a view to avoiding liability, but also to incorporating new corporate values of respect for the data subject. Data protection is no longer seen as just a technical issue but has become a strategic priority.”

Challenges: “The most critical point in the application of data protection in Brazil is its implementation by a regulator that is qualified in terms of both its management team and civil servants (especially in regulatory areas), in addition to having sufficient numbers to meet the challenge. Budgetary allocation, autonomy and administrative structure help in this regard, but effectiveness is needed beyond the legal provision.”

Patrícia Peck, from Peck Advogados and member of the CNPD

Conquest: “The main advance was having achieved legislation that achieved its governance by having its own, independent National Data Protection Authority, which became a special agency and is fully operational. It managed to publish the rules of the sanctioning process to effectively monitor data processing agents and has already started applying fines.”

Challenges: “What we still have a big gap in is the cultural pillar. We still need to carry out a national awareness campaign. Most countries that have implemented legislation like this have carried out an educational campaign for the population. This is still a pending issue for the ANPD and a requirement that the legislation brought that must be carried out by data processing agents. So it is a joint effort between public and private institutions to ensure a change in culture and make us see that the LGPD is part of Brazilians’ daily lives.” 

Conexis Brasil Digital

Achievements: “In a context in which the telecommunications sector registers approximately 340 million accesses, the protection of user data becomes even more crucial. With the 5-year milestone of the General Data Protection Law (LGPD), Conexis Brasil Digital highlights the progress achieved throughout this period, including the launch of the Code of Good Data Protection Practices for the Telecommunications Sector. This code, created with the purpose of guiding telecommunications companies in the application of the LGPD, reflects the sector's firm commitment to ensuring the privacy and protection of individuals' personal data.”

Maria Tereza Pelicano David, DPO at Claro

Achievements: “There has been significant progress in Brazilian society with regard to the importance of treating personal data responsibly, transparently, appropriately and securely. The Law has brought greater clarity regarding the rights and duties of both data subjects and companies that process data for a variety of purposes.”

Challenges: “The ANPD has been working hard on important issues, but there are still many relevant points on the regulatory agenda that, when defined, will impact decisions already made by companies, accelerated by digitalization and technological advances. The collection of biometrics, for example, is a fundamental safeguard for the security of the holder and an important mechanism for preventing fraud, especially in a primarily digital environment such as telecommunications.”

Sergio Sgobbi, director of institutional relations at Brasscom

Conquest: “Data protection was included in the list of fundamental rights and guarantees of Brazilians.”

Challenge: “It is still necessary to seek the acculturation that data protection is a perennial and relevant issue for business. Data protection is still seen as an obligation, a burden for many companies, when the vision should be to benefit from the effects generated by respect for privacy and see this as a way to leverage opportunities based on the proper adaptation of the business to the legislation”.

Fabro Steibel, Executive Director of ITS Rio

Achievements: “I would like to highlight the creation of the Council (CNPD). Personal data is a matter of processes, not compliance. All the consultations conducted show that it is clear that a multisectoral approach is necessary, especially regarding an umbrella issue that applies to all areas. The formation of the council took time, it took a long time, but it is a group of experts who participated in several stages of public policies, such as respect for the privacy of children and adolescents.” 

Challenges: “The current regulations give a lot of power to the president of the CNPD and little to the council. But these are issues that must be addressed in future administrations. The agility of the CNPD consultation process is another challenge. The creation of working groups is a good alternative, but it is still necessary to better connect the ANPD’s agenda with the Council’s agenda, to prevent one party from deciding and the other from giving opinions on different matters. Another challenge is data interoperability, which implies generating value for the data and protecting the issue of personal data.”

Rafael Zanatta, Director of the Data Privacy Brazil Research Association

Achievements: “The creation of the ANPD, which occurred after a two-year legal impasse, with the law expecting a vacatio legis of one and a half years. The possibility of selecting staff and requesting servers brought a base of expertise from ANAC, ANATEL, and MCTIC. The emergence of a broad personal data protection community in Brazil, with thousands of professionals who know the principles of the LGPD and apply them in their daily lives.”

Challenges: “Regulate elements of the rights of data subjects in relation to the response deadline, the right to file a petition with the ANPD, and explain how automated review rights work. There is also the stabilization of the technical staff, training of staff and institutional strengthening of the ANPD, which will be increasingly in demand for issues related to childhood, artificial intelligence and platform regulation.”

Ellen Carolina Silva, Partner at Luchesi Advogados, member of the Brazilian Association of Precision and Digital Agriculture

Achievements: “The regulation itself, whether by the ANPD, of legislative proposals aimed at amending the text of the LGPD, or to legislate on data protection in a complementary manner. I highlight Constitutional Amendment 115, approved in 2022, which enshrined the protection of personal data as an autonomous fundamental right in the Federal Constitution, in addition to having defined the exclusive competence of the Union to legislate on the subject. This point directly reflects on the application of the LGPD as it demonstrates the State's commitment to reinforcing the practical importance of the law and its impacts on the international market”.

Challenge: “Although the ANPD has made progress on some important regulatory issues, there is still a lack of regulation on essential points of the LGPD, such as the issue of international data transfer and the issue of requirements for reporting security incidents. Regulation of these issues is important to validate (or correct) what is already being practiced in the market.”

Adriana Rollo, member of the International Association for Artificial Intelligence

Achievements: “We have reached a level of maturity and social awareness where bad data processing practices are no longer tolerated by people. We are seeing this with the spread of artificial intelligence tools, which ultimately use large amounts of data.”

Challenges: “The ANPD has positioned itself in favor of regulating artificial intelligence and fostering innovation, as long as it is done responsibly. Last month, the ANPD published its preliminary analysis of Bill No. 2338/23, which regulates the use of artificial intelligence. In it, it presents the points of convergence and conflict between the bill and the LGPD, and suggests that the ANPD should be the key authority in the regulation and governance of artificial intelligence in Brazil, especially with regard to the protection of personal data.”

Reproduction: Telesynthesis