The General Data Protection Law (LGPD) has reached its fifth anniversary since its enactment in August 2018, representing a significant milestone in the regulation of privacy and personal data protection in Brazil.
Drawing inspiration from the General Data Protection Regulation (GDPR) – the European regulation that guides the treatment of personal data within the European Union – and in effect since September 2020, the LGPD has introduced stringent guidelines for the collection, processing, and storage of personal data, whether through physical or digital means. Its aim is to bring about a profound transformation in how businesses and public organizations handle such information, thereby ensuring greater privacy and control for data subjects over their personal data and how it is managed.
Over these past five years, there has been much speculation about whether the law would actually be taken seriously. Such speculations remain alive even today, considering that many companies operating in Brazil have yet to comply with LGPD rules. This lack of compliance may be due to either insufficient awareness about the law or a reluctance to consider the necessary expenses for its adherence as an investment.
However, it’s impossible to ignore the advancements brought by the law in terms of protection and privacy in the handling of personal data. These advancements are further substantiated by the inclusion of the right to protection of personal data (including in digital environments) in the list of fundamental rights and guarantees under Article 5, Section LXXIX of the Brazilian Federal Constitution, through Constitutional Amendment 115/2022.
The truth is that LGPD has been stimulating a cultural shift concerning privacy and data protection, encouraging public awareness and active engagement in the management of one’s own personal information, which aligns with the rapidly growing global movement on privacy and data protection.
On the other hand, despite ongoing speculation about the law’s effectiveness, both public and private organizations are still obligated to take measures for compliance. This is also due to the persistent activities of the Brazilian National Data Protection Authority (ANPD). Whether it is in the regulation of issues within the LGPD that require guidance for better implementation, in the creation of instructional guides for best practices relevant to privacy and data protection, or even in the active monitoring and enforcement of penalties against organizations that remain non-compliant with the LGPD and the ANPD’s own guidelines, or those that have not even initiated their adherence efforts.
In early 2023, ANPD publicly released a list of companies (both public and private) that are currently under its scrutiny, thereby offering greater visibility to the general public regarding the work being done to ensure effective compliance with the LGPD. For professionals in the privacy and data protection sector, a significant milestone in the five-year existence of the LGPD, affirming the activities undertaken by the National Authority, was the announcement of the first sanction imposed by the ANPD’s General Coordination of Inspection (CGF/ANPD) in July 2023.
The imposition of such penalty underscored the importance of the LGPD and prospects for its implementation in Brazil. The penalized company, a micro-enterprise (a very small business, often with fewer than 10 employees) in the telecommunications sector, was found to be handling personal data without indicating any of the legal grounds specified by the LGPD. Moreover, the company tried to evade the ANPD’s guidelines during the investigative audit, thereby obstructing the regulatory process.
The conclusion of the first administrative process initiated by the ANPD and the involvement of a small business as the penalized party shows that the National Authority is attentive to LGPD compliance across the board, whether it involves large corporations or “micro-entrepreneurs”. This adds further weight to the necessity of adhering to the legislation in Brazil.
The celebration of LGPD’s fifth anniversary serves as a moment to reflect on the progress made so far and the challenges that lie ahead. As LGPD continues to shape the privacy landscape in Brazil, it’s crucial to acknowledge both its accomplishments and the lessons learned over these five years. The collaboration between the public and private sectors, coupled with ongoing education on the law’s principles and guidelines, is playing a key role in fostering a safer and more responsible environment for everyone subject to it.