This article was accepted into the corpus but its outbound wikilinks were never NER-processed — typical at the deepest BFS hop or when the run's entity cap was reached. No expansion funnel to show.
| Lei Geral de Proteção de Dados Pessoais (LGPD) | |
|---|---|
| Name | Lei Geral de Proteção de Dados Pessoais |
| Abbr | LGPD |
| Enacted | 2018 |
| Commenced | 2020 |
| Jurisdiction | Brazil |
| Administered by | Autoridade Nacional de Proteção de Dados |
Lei Geral de Proteção de Dados Pessoais (LGPD) is the Brazilian federal statute that regulates the processing of personal data in Brazil. Modeled in part on international instruments and comparative statutes, it establishes rights for data subjects and obligations for entities that process personal data, creating a national regulatory framework and an independent supervisory authority.
The statute emerged amid debates involving Congresso Nacional (Brazil), legislative proposals from members of the Câmara dos Deputados (Brazil), and contributions from the Senado Federal (Brazil), reflecting influences from the European Union's General Data Protection Regulation and comparative references to the United States's sectoral approaches such as Health Insurance Portability and Accountability Act and California Consumer Privacy Act, as well as global standards like the Organisation for Economic Co-operation and Development guidelines and the Council of Europe's Convention 108. Drafting involved stakeholders including Ministry of Justice (Brazil), Presidency of the Republic (Brazil), civil society groups such as Instituto Brasileiro de Defesa do Consumidor, industry associations like Confederação Nacional da Indústria, and academic centers at institutions such as Universidade de São Paulo and Fundação Getulio Vargas. Legislative milestones included committee reports in the Comissão de Constituição e Justiça and votes in plenary sessions of the Câmara dos Deputados (Brazil) and the Senado Federal (Brazil), culminating in presidential sanction and subsequent provisional measures and regulatory acts issued by the Presidency of the Republic (Brazil). Implementation timelines intersected with rulings and guidance from the Supremo Tribunal Federal and administrative measures from the newly created Autoridade Nacional de Proteção de Dados.
The statute defines its territorial and material scope with reference points including processing by natural persons and legal entities headquartered in Brazil, foreign controllers offering goods or services to individuals in Brazil, and processing related to data subjects located in Brazil. Key definitions were harmonized against terminology used by the European Data Protection Board, distinguishing terms such as personal data, sensitive personal data, anonymized data, processing, controller, and processor, with normative cross-references to regulatory instruments from the International Organization for Standardization and rulings from the Supremo Tribunal Federal influencing interpretation. Definitions also drew on comparative law concepts from United Kingdom jurisprudence, decisions from the European Court of Human Rights, and terminology operative in frameworks like APEC privacy guidelines.
The statute articulates foundational principles—such as purpose limitation, necessity, transparency, and accountability—parallel to principles enshrined in instruments like the Universal Declaration of Human Rights and the American Convention on Human Rights. Data subject rights enumerated include access, correction, deletion, portability, revocation of consent, and objection to processing, reflecting counterparts in the GDPR and jurisprudence from the Court of Justice of the European Union. Rights exercise interfaces with remedies available in forums such as the Justiça Federal (Brazil) and consumer protection mechanisms under the Código de Defesa do Consumidor administered by entities like the Procon agencies.
The law sets out lawful bases for processing akin to models in European Union law: consent, compliance with legal or regulatory obligations, execution of contracts with entities such as Banco Central do Brasil, protection of life or physical safety (relevant to Hospital das Clínicas or emergency services), public interest tasks performed by bodies like the Ministério da Saúde (Brazil), and legitimate interests assessed under balancing tests. Consent obligations and specificity requirements informed practices of technology firms headquartered in locations such as Silicon Valley and multinational corporations operating through subsidiaries in Campinas or São Paulo, and intersect with sectoral rules affecting entities like Vivo (telecommunications), Itaú Unibanco, and e-commerce platforms such as Mercado Livre.
Controllers and processors must implement technical and organizational measures, maintain records of processing activities, conduct data protection impact assessments, and appoint data protection officers where applicable, paralleling obligations seen in corporate compliance programs at firms like Petrobras and Vale S.A.. Contractual allocation of responsibilities references standards from the International Chamber of Commerce and best practices advocated by bodies such as the Brazilian Association of Software Companies. Obligations also affect public sector bodies including Ministério da Educação (Brazil) and municipal administrations like Prefeitura de São Paulo, requiring coordination with procurement rules and information security frameworks used by institutions such as the Instituto Nacional de Estudos e Pesquisas Educacionais Anísio Teixeira.
Enforcement is led by the Autoridade Nacional de Proteção de Dados, which issues norms, guidance, and sanctions including warnings, fines, publicizing infractions, and data processing restrictions. The ANPD’s authority interacts with administrative courts, such as decisions from the Tribunal de Contas da União, and with investigative procedures led by law enforcement bodies like the Polícia Federal (Brazil). Sanctions are calibrated against precedents in the European Union and administrative sanction regimes in countries like Argentina and Mexico, and enforcement actions have implications for multinational disputes in venues such as the International Centre for Settlement of Investment Disputes.
The statute has driven compliance programs across sectors—financial services, healthcare, education, telecommunications—and influenced technology deployments at firms collaborating with research centers like Centro de Tecnologia da Informação Renato Archer. It affected cloud service contracts with providers from regions such as United States and European Union, shaped data transfer mechanisms to countries lacking adequacy decisions, and stimulated the privacy tech market alongside consultancies and legal practices in cities like Rio de Janeiro and Belo Horizonte. Societal impacts include enhanced data subject empowerment in interactions with platforms like WhatsApp, debates in media outlets such as Folha de S.Paulo and O Globo, and academic scrutiny in journals published by Editora Abril and university presses.
Category:Brazilian law