The protection of personal data has become a central issue in the global legal and technological landscape. With the increasing digitalization of the economy and the cross-border flow of data, harmonizing legislation and recognizing equivalent levels of data protection between countries are fundamental steps to ensure legal certainty and the smooth operation of international commerce. The European Union's recent decision to recognize Brazil as a country with a level of personal data protection “essentially equivalent” to its own represents a significant milestone in this regard.
On September 4, 2025, the European Commission published a document containing the preliminary version of its adequacy decision for Brazil, stating that the country ensures a level of personal data protection equivalent to that provided under European law for the purposes of international data transfers. Below, we detail the foundations and implications of this decision, analyzing the pillars of the Brazilian data protection system, from its constitutional framework to oversight mechanisms and enforcement, as well as public authorities' access to and use of data, concluding with the decision's impact and the ongoing role of data protection authorities.
The Constitutional Framework of Brazil
The foundation for protecting fundamental rights in Brazil is its comprehensive 1988 Constitution, which establishes the rights and guarantees of citizens. Societal evolution and the growing importance of personal data in the digital environment have necessitated a fundamental update to this framework.
The protection of privacy and personal data is intrinsic to fundamental rights in Brazil. In this context, the inclusion of Item LXXIX in Article 5, via Constitutional Amendment #115 of February 10, 2022, is particularly noteworthy. This amendment elevated the protection of personal data to the status of an explicit fundamental right, guaranteeing it not only in digital environments but in all contexts. According to the Brazilian Government's website, this inclusion reinforces Brazil's commitment to privacy and data protection, aligning it with global trends. The constitutional change provides a robust pillar for legal certainty and for protecting individuals in the face of new technologies. Brazilian constitutional protection also extends beyond its citizens.
This demonstrates a comprehensive commitment to human rights, ensuring that anyone, regardless of nationality or residence, can invoke constitutional protections on Brazilian soil and, in certain cases, even abroad. Furthermore, Brazil's adherence to international treaties strengthens its rights framework. The country ratified the American Convention on Human Rights, known as the “Pact of San José,” in 1992. This Convention, in its Article 11, guarantees the right to privacy, and in Article 8, protects the right to a fair trial. Brazil has also recognized the binding authority of the Inter-American Court of Human Rights, allowing its decisions to influence the application of rights, including in the context of activities by public authorities related to security and defense.
The inclusion of data protection as a fundamental right in Brazil’s Constitution, coupled with adherence to international conventions, clearly demonstrates that the country is establishing a solid and broad foundation for privacy and data security, which are crucial elements for achieving parity with European standards.
Brazil's Data Protection Framework
The legislative cornerstone for personal data protection in Brazil is the General Data Protection Act (LGPD – Lei Geral de Proteção de Dados Pessoais), Statute #13,709/2018. This legislation represents a significant step forward, being largely inspired by the European Union's General Data Protection Regulation (GDPR) and establishing a robust set of principles, rights, and obligations for processing personal data.
Since its enactment, the LGPD has been strengthened and clarified through subsequent legislation. A crucial step was the creation of the Brazilian Data Protection Authority (ANPD – Autoridade Nacional de Proteção de Dados) by Statute #13,853/2019, which was later transformed into an independent authority by Statute #14,460/2022. This independence grants the ANPD greater autonomy to perform its regulatory and supervisory role, which is essential for the statute's effectiveness. The Federal Government portal highlights the importance of the ANPD in overseeing and regulating the application of the LGPD, emphasizing its transformation into an independent agency.
The ANPD plays a proactive role in interpreting and applying the LGPD, issuing binding regulations and guidelines on various aspects of the law, such as the sanctions regime, the notification of security incidents, and the interpretation of legal bases like legitimate interest. This constant action by the ANPD is fundamental for the adaptation and continuous improvement of the legal framework.
On the international stage, the ANPD has been actively engaged in promoting data protection. In 2023, it became a member of the Global Privacy Assembly, alongside data protection authorities from the European Union, and participates as an observer on the Committee of Convention 108 of the Council of Europe. Brazil has also been advancing initiatives at the United Nations regarding the right to privacy, co-introducing resolutions on the right to privacy in the digital age, which condemn arbitrary surveillance, interception of communications, and unlawful collection of personal data, and urge states to create independent oversight mechanisms. This demonstrates Brazil's alignment with global best practices and discussions on data protection.
The structure and main components of the Brazilian legal framework are quite similar to those of the European Union, based not only on domestic legal obligations and constitutional rights but also on obligations under international law, such as adherence to the American Convention on Human Rights.
Material and Territorial Scope of the LGPD
The LGPD has a broad scope of application, applying to any processing operation involving personal data carried out in Brazilian territory, regardless of the means used. Its territorial applicability is defined similarly to the GDPR, covering:
- Processing activities carried out within national territory.
- Processing activities aimed at providing goods or services to individuals located in Brazil.
- The processing of personal data collected within Brazilian territory.
Additionally, the LGPD covers the processing of data of natural persons located within the national territory, including behavioral monitoring, regardless of where the data is processed. The jurisprudence of the Brazilian Supreme Court (STF – Supremo Tribunal Federal) also guarantees that constitutional protections of fundamental rights apply to any person, regardless of nationality or residence.
Definitions of Personal Data and Processing
The LGPD establishes clear definitions for its core terms:
- Personal Data: “information related to an identified or identifiable natural person” (Article 5, I). The “data subject” is the “natural person to whom the personal data being processed refers” (Article 5, V).
- Pseudonymized Data: Information that cannot directly or indirectly identify an individual without the use of additional information is considered personal data under the LGPD (Article 13).
- Anonymized Data: Information that cannot be associated with an individual by reasonable and technically available means. Anonymized data is excluded from the scope of the LGPD, except when the anonymization process can be reversed through “reasonable efforts” (Article 5 and Article 12). The LGPD's approach to anonymization and safeguards against re-identification is similar to that of the EU.
- Processing: “any operation carried out with personal data, such as those referring to collection, production, retrieval, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, elimination, evaluation or control of information, alteration, communication, transfer, disclosure or extraction” (Article 5, X).
Data Controllers and Operators
The LGPD clearly defines the roles and responsibilities:
- Controller: The “natural or legal person, governed by public or private law, who is responsible for decisions regarding the processing of personal data” (Article 5, VI).
- Processor: The “natural or legal person, governed by public or private law, who processes personal data on behalf of the controller” (Article 5, VII).
The processor must conduct the processing according to the controller's instructions, and the controller is responsible for verifying compliance (Article 39). Both must maintain a record of processing activities, especially when based on legitimate interest (Article 37). The LGPD establishes joint and several liability for damages caused to data subjects, similar to Chapter IV of the GDPR.
Exceptions to Certain LGPD Provisions
As in the European system, the LGPD does not apply to anonymized data (Article 12), processing for exclusively private (domestic) purposes (Article 4, I), or processing for exclusive purposes of public security, national defense, state security, and the investigation and prosecution of criminal offenses (Article 4, III). However, this last exception is partial, as the fundamental principles and rights of the LGPD still apply. The Brazilian Supreme Court has confirmed that the LGPD applies partially in these contexts, requiring that conditions be established for data processing and instructing the ANPD to issue technical opinions and request data protection impact assessments.
Other partial exceptions include processing for academic purposes and for journalistic, artistic, or literary purposes (Article 4, II). For academic research, the exemption is limited, and Articles 7 (legal bases) and 11 (sensitive data) still apply. The ANPD has issued guidance to specify the rules, confirming the partial application of the LGPD and its general principles. For health research, the LGPD imposes additional limitations, such as security obligations for databases and prohibitions on transferring data to third parties in certain circumstances (Article 13).
For journalistic and artistic purposes, the exemption is similar to Article 85(2) of the GDPR, covering situations where processing is done “exclusively” for those purposes. When other purposes exist (e.g., human resources), the LGPD applies in full. Freedom of expression (Article 5, IX of Brazil’s Constitution) is balanced with the right to privacy and data protection, with the possibility of compensation for damages, as interpreted by the Supreme Federal Court and integrated into the Brazilian Internet Bill of Rights.
Finally, the LGPD exempts from its scope the processing of data originating outside Brazil that is not subject to communication, shared use of data with Brazilian processing agents, or international transfer of data with another country not considered adequate under the LGPD, provided it is not the object of transfer to another country (Article 4, IV). The ANPD's Data Transfer Regulation clarifies that the mere transit of data without further processing in Brazil would be excluded, but any access to or use of the data in the country would trigger the application of the LGPD.
This detailed and constantly evolving framework demonstrates Brazil's commitment to establishing a robust data protection system comparable to international standards, particularly those of the European Union.
Safeguards, Rights, and Obligations
The LGPD establishes a comprehensive set of safeguards, rights, and obligations aimed at protecting personal data and ensuring its processing is conducted ethically and transparently. These elements are crucial for recognizing equivalence with the European GDPR.
Lawfulness and Fairness of Processing
The processing of personal data must be lawful and fair. The principles of lawfulness, good faith, and transparency, along with the legal bases for processing, are enshrined in Articles 6 and 7 of the LGPD, following a similar approach to Articles 5 and 6 of the GDPR. Controllers and processors must process personal information lawfully and in good faith, to the minimum extent necessary for a specified purpose, using data that is relevant, proportionate, and not excessive.
The legal bases for processing personal data, according to Article 7 of the LGPD, include:
- Consent of the data subject;
- Necessity for the execution of a contract or preliminary procedures;
- Compliance with a legal or regulatory obligation;
- Protection of the life or physical safety of the data subject or a third party;
- Processing by the Federal Government for the implementation of public policies;
- Legitimate interest of the controller or a third party, provided it does not override the fundamental rights of the data subject;
- Conduct of studies by research bodies, with anonymization where possible;
- Regular exercise of rights in judicial, administrative, or arbitration proceedings;
- Protection of health, exclusively in procedures performed by health professionals; and
- Credit protection.
Criteria for Consent
Consent is one of the most important legal bases and is strictly regulated. Article 8 of the LGPD establishes formal requirements for obtaining valid consent, aligning with Articles 4(11) and 7 of the GDPR:
- It must be a free, informed, and unambiguous manifestation (written or by other means that demonstrate will). Tacit or implied consent is invalid;
- It must be for “specific purposes” and generic authorizations are invalid;
- It must be communicated in a transparent, clear, and unambiguous manner;
- If included in a broader contract, it must be in a highlighted clause;
- It is invalid if it contains abusive or misleading terms;
- The controller must inform the data subject of any changes in purpose, processing details, controller identity, or data sharing;
- It can be revoked at any time by the subject, free of charge; and
- The controller bears the burden of proof that consent was lawfully obtained.
When consent is the adequate legal basis, the LGPD states that the consent requirement is waived if the personal data has been made “manifestly public by the data subject” (Article 7, Paragraph 4). However, controllers and processors are not exempt from other LGPD obligations, and the processing must still serve a “legitimate and specific” purpose, guaranteeing the data subjects' rights.
Criteria for Legitimate Interest
The concept of legitimate interest as a legal basis is approached cautiously in the LGPD. Article 7, IX, states that processing based on legitimate interest cannot violate the data subject's fundamental rights and freedoms, similar to Article 6(1)(f) of the GDPR.
Article 10 of the LGPD imposes additional conditions: processing must be “strictly necessary” for the purpose, and controllers must implement transparency measures. Legitimate interest can only be invoked in “specific situations.”
The ANPD's “Legitimate Interest Guide” details the conditions for its use, clarifying it cannot be used for sensitive data and providing a model for a fundamental rights balancing test. Three conditions must be met:
- Compatibility with the Brazilian Legal System: It must not be prohibited by law or contradict legal provisions/principles.
- Reference to a Specific Situation: It must be based on concrete, clear, and precise situations with well-defined interests, not abstract or speculative ones.
- Specific and Explicit Purpose: The processing purpose must be clear and precise, defining the scope and allowing for a balance with the data subjects' legitimate rights and expectations.
Processing Special Categories of Data
The LGPD provides specific safeguards for “sensitive personal data,” defined in Article 5, II, as data concerning “racial or ethnic background, religious belief, political opinion, membership of a trade union or organization of a religious, philosophical or political nature, data relating to health or sexual life, and genetic or biometric data, when linked to a natural person”. Brazilian jurisprudence has expanded this to cover other information that could be used for discrimination, such as criminal records, following the principle of non-discrimination (Article 6, IX).
Processing sensitive data generally requires the data subject's “specific and explicit” consent (Article 11, I). Exceptions include compliance with legal obligations, public policy implementation, protection of life, exercise of rights, health protection, research (with anonymization), and fraud prevention (Article 11, II).
Purpose Limitation
Personal data must be collected for a specific purpose and processed consistently with it. Article 6, I, establishes that data must be processed for “legitimate, specific, explicit purposes informed to the data subject,” with no subsequent “incompatible” processing.
Any processing must be compatible with the communicated purposes (Article 6, II). The ANPD clarifies that for a new purpose to be compatible, there must be a link between purposes, considering the data subjects' “legitimate expectations.”
Data Quality and Minimization
Data must be accurate and, when necessary, up-to-date, appropriate, relevant, and not excessive in relation to the purposes for which they are processed. These principles are guaranteed in the LGPD by the principles of “data quality” (Article 6, III) and “necessity” (Article 6, V). The controller and the operator must ensure that personal data is accurate, clear, relevant, and up-to-date, and that processing is limited to the minimum necessary to achieve the specific purposes.
Storage Limitation
Data should be retained only as long as necessary for its purposes. Chapter II, Section IV, of the LGPD, dedicated to the “termination of data processing,” requires the deletion of personal data after processing ends (Article 16). Exceptions permitting retention include: compliance with legal obligations, research (with anonymization), transfer to third parties (per the LGPD), or exclusive controller use (with anonymization and no third-party access).
Data Security
Data security is a fundamental LGPD pillar. Personal data must be processed with security, including protection against unauthorized access, loss, destruction, or damage. Article 6, VII, of the LGPD requires “technical and administrative measures” to protect personal data against unauthorized access and accidental or unlawful processing. Article 6, VIII, requires the adoption of measures to “prevent harm due to the personal data processing.”
Article 44 establishes that data processing is unlawful when it fails to meet the security standards reasonably expected by the data subject. The appropriate level of security is determined by the specific circumstances of the processing, the associated level of risk, and the techniques available. Article 46 imposes on controllers and operators the obligation to adopt security measures throughout the entire lifecycle of a product or service, from conception to execution. The ANPD is empowered to establish minimum security standards.
The LGPD also provides for the notification of security incidents. According to Article 48, in the event of an incident that may create significant risk or harm to data subjects, the controller must notify both the ANPD and the affected individuals. This notification must occur within a reasonable period, interpreted as 3 days or 72 hours under ANPD regulations, and include detailed information about the incident. This approach is similar to that under Articles 33 and 34 of the European GDPR. The ANPD defines an “incident” as “any confirmed adverse event related to a breach of the security of personal data, affecting its confidentiality, integrity, availability, or authenticity.”
Transparency
Transparency is fundamental to enabling data subjects to exercise their rights. Article 6, VI, of the LGPD stipulates that data subjects must receive clear, accurate, and easily accessible information about the processing of their data and the identity of the respective controllers, with the exception of “commercial and industrial secrets.”
Article 9 lists the specific information to be provided to data subjects. This includes the specific purpose of the processing; the type and duration of the processing; the identification and contact details of the controller; information about any data sharing; the responsibilities of the agents involved in the processing; and the rights of the data subjects. The limitation regarding “commercial and industrial secrets” is interpreted in light of Brazil’s Access to Information Law (LAI), which prioritizes the disclosure of information while allowing justified exceptions to protect legitimate business secrets, without hindering compliance with the law.
Individual Rights
Chapter III of the LGPD establishes the rights of data subjects in a manner similar to Articles 15 to 22 of the European GDPR. Exercising these rights is free of charge, and individuals must be informed of them. Any violation of these rights is considered a “medium” or “serious” offense by the ANPD, subject to the highest levels of sanctions and fines. The ANPD has reported receiving an increasing volume of complaints and requests from individuals, particularly following the launch of a modernized platform for submitting requests.
The main rights include:
- Right of Access and Information (Articles 9 & 18, II): To obtain information about the processing of one’s data at any time, including the identity of the controller, the purpose, any data sharing, the duration of processing, and one’s own rights. Access must be provided “immediately, in a simplified format” or “within 15 days, via a clear and complete statement” (Article 19).
- Right of Rectification (Article 18, III): To request the correction of incomplete, inaccurate, or outdated data.
- Right of Deletion (Article 18, IV & VI): To request the deletion of data that is unnecessary, excessive, or processed unlawfully, or of data processed based on consent (when such consent is revoked).
- Right to Objection/Restriction (Articles 15 & 18, IV): To object to processing based on a legal basis other than consent, in cases of non-compliance with the LGPD, or to request the blocking of processing where data is unnecessary, excessive, or processed in a non-compliant manner.
- Right to Portability (Article 19, Paragraph 3): To request an electronic copy of one’s data for transfer to another service or product provider, when the processing was based on consent or contract.
- Rights Regarding Automated Decision-Making (Article 20): To request a review of decisions made solely based on automated processing that affect one’s interests, including the right to clear information about the criteria and procedures used. “Commercial and industrial secrets” cannot be cited as grounds for refusing this service.
Specific legislation, such as the *Habeas Data* Law and the Federal Administrative Procedure Law, further strengthens rights of access and information regarding data processed by public authorities.
International Data Transfers
Chapter V of the LGPD establishes a rigorous framework for the international transfer of personal data, which is further detailed in binding regulations issued by the ANPD. These rules apply to all processing subject to the LGPD, regardless of the technical means used, the geographical location of the data, or the physical presence of the controller or operator.
International data transfers are permitted only under three cumulative conditions:
- They must be carried out for legitimate, specific, and explicit purposes disclosed to the data subject, with no possibility of subsequent incompatible processing.
- They must be based on a valid legal basis under the LGPD (Article 7 or Article 11 for sensitive data).
- A valid transfer mechanism must be utilized.
Permissible transfer mechanisms include:
- Adequacy Decision: The ANPD may issue an adequacy decision for a specific third country or international organization, assessing criteria similar to the EU’s, such as general and sectoral legislation, the nature of the data, the protection of data subjects’ rights, technical/organizational security measures, and the existence of an independent supervisory authority. The ANPD is currently working on an adequacy decision for the European Union.
- Compliance Guarantees: Controllers may ensure compliance through:
  - Specific contractual clauses.
  - Standard Contractual Clauses (SCC) approved by the ANPD. The ANPD has already adopted a set of modular model clauses covering core data protection requirements.
  - Binding Corporate Rules (BCRs), subject to prior ANPD approval and meeting detailed validity requirements.
  - Seals, certifications, and codes of conduct approved by the ANPD.
- Other Specific Bases for Transfer: These include the need for international legal cooperation; the protection of life or physical integrity; specific authorization from the ANPD; a commitment to international cooperation; the execution of a public policy or legal obligation; the data subject’s consent (with prior information on the risks of the transfer); or compliance with a legal/regulatory obligation for the performance of a contract or exercise of rights in judicial proceedings.
The ANPD's Data Transfer Regulation strictly governs the use of these mechanisms to guarantee the continuity of protection, ensuring that international transfers are conducted in accordance with the LGPD’s principles and the rights of data subjects, thereby maintaining the required level of protection.
Accountability
The principle of accountability requires data-processing entities to implement appropriate technical and organizational measures to fulfill their data protection obligations and to demonstrate this compliance to the competent authority. Article 6, IX, of the LGPD states that the controller and the operator must adopt measures that are “effective and capable of proving compliance with the personal data protection rules.”
To ensure accountability, Article 50 allows for the adoption of internal governance rules and policies, including procedures for managing complaints and requests from data subjects, while observing security obligations and risk mitigation strategies.
The LGPD also requires the appointment of a Data Protection Officer (DPO) (Article 41), who acts as a communication channel between the controller, data subjects, and the ANPD. The DPO's identity must be publicly disclosed. The ANPD may exempt certain micro-enterprises, small businesses, startups, and non-profit organizations from appointing a DPO, provided they do not process “high-risk” data. Processing is considered high-risk if it cumulatively meets the following criteria:
- It involves the large-scale processing of personal data;
- It may significantly impact the fundamental rights and interests of data subjects.

Furthermore, it must involve at least one of the following specific characteristics:
- The use of emerging or innovative technology;
- Surveillance or control of publicly accessible areas;
- Exclusively automated decision-making processes; and
- The processing of sensitive data or data concerning children and adolescents.
The ANPD has issued a detailed regulation on the role of the DPO, outlining their responsibilities and reinforcing requirements for independence, access to senior management, and ethical conduct. The ANPD’s oversight has prioritized compliance with DPO provisions, applying sanctions in cases of non-compliance.
Data Protection Impact Assessments (DPIAs) are another key accountability tool. Article 38 authorizes the ANPD to request a DPIA, which must include a description of the processing operations, the measures, safeguards, and mechanisms in place to mitigate risks, and an assessment of the necessity and proportionality of the processing.
In summary, the LGPD’s framework of safeguards, rights, and obligations is comprehensive, detailed, and continuously refined by the ANPD, demonstrating a structure that seeks essential equivalence with European standards.
Inspection and Enforcement
The effectiveness of any data protection legislation depends on robust oversight and efficient enforcement mechanisms. In Brazil, this responsibility falls primarily on the ANPD, which has established itself as an independent body with broad powers.
Independent Supervision
The ANPD was created by Article 55-A of the LGPD, and its independence was formally established by Statute #14,460/2022. This change elevated it to the status of “a special type of autonomous entity, with technical and decision-making autonomy, its own assets and headquarters in the Federal District,” as detailed in the Draft Adequacy Decision – Brazil – LGPD – FINAL – September 2025. This autonomy is fundamental for the ANPD to perform its functions without interference, including in administrative and financial management.
The ANPD's resources come primarily from the federal budget, supplemented by donations and other credits, as per Article 55-L of the LGPD. Since its creation in 2021, the authority has grown exponentially, increasing both its staff and its annual budget.
The ANPD is composed of a Board of Directors (its highest body), a National Council for the Protection of Personal Data and Privacy (an advisory body), and several administrative units (Recital 127). The Board of Directors consists of five directors, including the President. They are appointed by the President of the Republic after approval by the Federal Senate for four-year terms. To guarantee independence, directors must be highly qualified Brazilians and are prohibited from holding profit-making roles, political positions, or management/advisory roles in private companies. Strict restrictions also exist to prevent conflicts of interest, which apply even after their term ends. Directors may only be dismissed under specific circumstances (resignation, judicial conviction, disciplinary administrative process), which provides institutional protection in the exercise of their duties.
The tasks and powers of the ANPD, detailed in Article 55-J of the LGPD, are extensive and include:
- Developing data protection policies and guidelines;
- Promoting standards that facilitate data subjects' control over their data;
- Investigating violations and handling complaints;
- Applying the LGPD and imposing sanctions;
- Promoting education in data protection; and
- Cooperating with data protection authorities from other countries (Recital 131).
The National Council for the Protection of Personal Data and Privacy, composed of representatives from the Executive, Legislative, and Judicial branches, civil society, labor unions, and the business sector, has an advisory role. It issues recommendations and promotes debates but holds no monitoring or enforcement powers.
Enforcement, Including Sanctions
To ensure compliance, the ANPD has broad investigative and corrective powers.
- Investigative Powers: The ANPD can conduct on-site audits and inspections of data controllers in both the public and private sectors and can request any necessary information, especially in cases of suspected or reported LGPD violations. Controllers and operators are required to grant the ANPD access to relevant facilities, systems, documents, and data.
- Corrective Powers and Sanctions: The ANPD can impose warnings, fines, and other sanctions, such as orders to temporarily suspend data processing or to delete data. These sanctions can be applied to both public and private entities, although fines and daily penalties cannot be levied against public entities. Warnings may include deadlines for adopting corrective measures.
The LGPD provides for administrative fines of up to 2% of a legal entity's revenue in Brazil, limited to R$ 50 million per infraction (Article 52, II); these fines may be cumulative in the case of multiple violations. In instances of non-compliance, the ANPD may impose daily fines of up to 50 million BRL, applied cumulatively until the obligation is fulfilled.
The ANPD categorizes sanctions into three levels of severity: mild, moderate, and severe. This categorization is based on factors such as the type and volume of data processed, the nature of the processing, and the impact on data subjects' rights. Violations involving sensitive personal data are subject to the most severe sanctions. The ANPD's sanctions regulations include a methodology for calculating fines that considers aggravating and mitigating factors.
The ANPD has demonstrated a strong enforcement record, applying its first monetary fines just months after adopting its sanctions regulation. Sanctions and recommendations have been issued against both public authorities and private operators for infractions ranging from the failure to appoint a DPO to security incidents and non-cooperation with the ANPD. In July 2024, for example, the ANPD ordered a major social media platform to suspend the processing of personal data for training generative artificial intelligence systems, imposing a daily fine of 50,000 BRL until the processing complied with the LGPD.
It is important to note that the LGPD's administrative sanctions do not preclude the application of other civil and criminal sanctions, such as those provided for in the Consumer Protection Code and the Brazilian Civil Rights Framework for the Internet. This ensures an additional layer of protection for data subjects.
In conclusion, the Brazilian system of oversight and enforcement, led by the ANPD, is robust and effective, ensuring compliance with data protection rules. This is fundamental for the recognition of equivalence with European standards.
Access to and Use of Personal Data by Public Authorities in Brazil
The European Union's assessment of data protection equivalence also considers the limitations, safeguards, and available oversight and individual redress mechanisms within Brazilian legislation regarding the collection and use of personal data by public authorities, especially for criminal law enforcement and national security purposes.
The European Commission, as per the Draft Adequacy Decision – Brazil – LGPD – FINAL – September 2025, assessed whether the conditions for government access to data transferred to Brazil meet the “essential equivalence” test in line with Article 45(1) of the GDPR and the Charter of Fundamental Rights of the European Union. The criteria considered include:
- Any limitation on the right to personal data protection must be provided for by law, with the legal basis defining the scope of the limitation;
- Legislation should establish clear and precise rules, impose minimum safeguards, and subject compliance to independent oversight to ensure proportionality and protection against abuse; and
- Legal requirements must be binding on authorities and enforceable in court. Data subjects should have the possibility of recourse to an independent court to access, rectify, or delete their data.
General Legal Framework
Access to personal data by Brazilian public authorities is governed by a comprehensive legal framework:
- Principle of Legality: Access is governed by the general principle of legality, from which the constitutional principles of reasonableness, necessity, and proportionality derive. Fundamental rights and freedoms may only be restricted by law when necessary for imperatives of national security, public safety, or other specified public interest purposes, and any restriction must be reasonable and proportionate.
- Habeas Data: The Constitution guarantees Habeas Data as a constitutional remedy to protect the right of access, rectification, and erasure of personal data held by public authorities or in public datasets. Any individual, regardless of nationality, can initiate a Habeas Data action.
- Specific Laws: Laws such as the Brazilian Internet Bill of Rights (which requires a prior court order for access to online data) and the Law on Telephone Interception (with specific measures for telecommunications data) regulate data access. In the area of national security, the law establishing the Brazilian Intelligence System provides measures for lawful access to data.
- Partial LGPD Application: The LGPD applies partially to the processing of personal data by public authorities, including for law enforcement and national security purposes. The principles and objectives of the LGPD still apply, and the ANPD can issue technical opinions and require a DPIA for these activities.
- Judicial Review: Individuals can invoke their constitutional rights before the Brazilian Supreme Court and seek redress through independent supervisory bodies (such as the ANPD) and the courts.
Access and Use by the Brazilian Government for the Purpose of Enforcing Criminal Law
Brazilian law strictly limits access to and use of personal data for criminal law enforcement, with oversight and redress mechanisms that meet European Union requirements.
- Prior Judicial Authorization: As a general rule, accessing personal data for criminal law enforcement requires a prior warrant issued by a competent judge. In exceptional circumstances, the police and the Public Prosecutor's Office may access personal qualification, affiliation, and address data for individuals under investigation from public records.
- Competent Authorities: Authorities authorized to access data with a judicial warrant include the Civil Police, Federal Police, Public Prosecutor's Office (state and federal), Judges and Courts, and Parliamentary Commissions of Inquiry.
- Types of Access Requiring a Warrant (Article 3-B of the Code of Criminal Procedure): These include interception of communications, lifting tax/banking/data/telecommunications secrecy, search and seizure of a domicile, access to classified information, and other measures that restrict the fundamental rights of the subject under investigation.
- Interception of Communications: The confidentiality of communications is a fundamental right. Interception is a subsidiary and exceptional measure, permitted only with a prior judicial warrant and in specific cases where other investigative means are unavailable. Brazil’s Wiretapping Act establishes strict conditions, such as the absence of other evidence, and limits authorization to 15 days (extendable). Content unrelated to the investigation is inadmissible. For online communications, the Brazilian Internet Bill of Rights also requires a court order to access content and connection logs.
- Breach of Confidentiality (Tax, Banking, Data): Constitutional protections for the confidentiality of this data are robust. Lifting tax or banking secrecy is exceptional: it requires a court order and is permissible only for investigating or prosecuting specific listed crimes (e.g., terrorism, trafficking, crimes against the financial system, money laundering, criminal organizations). Violating this limitation is itself a crime.
- Searches and Seizures: The Brazilian Constitution states that searches and seizures may only occur exceptionally, as provided by law and based on a judicial warrant. Exceptions include flagrant offenses, natural disasters, and emergency response. Brazilian Supreme Court precedent prohibits searches based solely on “anonymous tips” or “suspicious behavior” without a warrant.
- Access to Confidential Information: The LAI defines “confidential information” as information temporarily restricted due to its importance to societal and state security. Access for criminal purposes is subject to the same requirements of judicial authorization and exceptionality.
- Further Use of Information: The LGPD governs the sharing of personal data between public bodies, including law enforcement and intelligence agencies. The Brazilian Supreme Court has ruled that such data sharing must have a legitimate, specific, and explicit purpose, be lawful, minimized, and comply with the LGPD. International data sharing is governed by international legal instruments, with the Ministry of Justice and Public Security as the central authority.
- Oversight for Criminal Law Enforcement: The activities of authorities are overseen by the Judiciary (which authorizes actions and imposes penalties), the Public Prosecutor's Office (which exercises external control over police activities), and the ANPD (regarding relevant LGPD requirements).
- Redress for Criminal Law Enforcement: The system provides various judicial and administrative avenues for redress, including compensation for material and moral damages (per the Brazilian Constitution and LGPD), Habeas Data, and complaints to the ANPD. In a landmark 2020 decision (ADI 6387), the Brazilian Supreme Court recognized data protection as a fundamental right, suspending an executive order that allowed the sharing of telecommunications data.
Access and Use by Brazilian Public Authorities for National Security Purposes
Access to and use of data for national security purposes are also governed by clear rules and safeguards.
- Brazilian Intelligence System Act (SISBIN – Sistema Brasileiro de Inteligência): Intelligence activities are governed by the SISBIN Statute (Statute #9,883/1999), which mandates that the system must preserve individual rights and guarantees, comply with the Constitution and international treaties, and ensure the principles of necessity and proportionality.
- Concept of National Security: A 2021 law amending the Brazilian Penal Code defines national security, providing an exhaustive list of “crimes against national security.” These include crimes against national sovereignty, democratic institutions, the electoral process, and the operation of essential services. Freedom of expression and journalistic activity are expressly excluded from this classification.
- Data Access: The data accessed and analyzed to prevent these crimes is obtained by SISBIN member authorities in the context of their operations, under the same conditions described for criminal law enforcement (i.e., with judicial authorization for a clearly defined purpose). SISBIN is composed of public bodies, with the Brazilian Intelligence Agency (ABIN – Agência Brasileira de Inteligência) as its central body. ABIN receives information from SISBIN members but does not collect it independently. The Brazilian Supreme Court (in ADI 6529) clarified that sharing data with ABIN must serve a public interest, follow formal procedures, and require judicial authorization.
- Information Protection: Data processing within SISBIN must protect information from unauthorized access and comply with legislation on professional secrecy, security, personal data protection (including the LGPD), and information security.
- Oversight for National Security: The activities of national security authorities are overseen by the Executive Branch (ensuring alignment of objectives and policies with social demands), the Legislative Branch (through the Joint Committee for the Control of Intelligence Activities (CCAI – Comissão Mista de Controle das Atividades de Inteligência), which monitors constitutional compliance and individual rights), and the ANPD (regarding the partial application of the LGPD). The Judiciary also adjudicates lawsuits against public authorities.
- Redress for National Security: The system provides various judicial and administrative avenues for redress, including lawsuits for damages, Habeas Data, and complaints to the ANPD. The CCAI can also receive and investigate citizen complaints about human rights violations by intelligence agencies. Access to these redress mechanisms is guaranteed for both Brazilians and foreigners.
In summary, Brazilian law establishes a rigorous framework for public authorities' access to and use of personal data, both for criminal law enforcement and national security. It incorporates numerous safeguards, oversight mechanisms, and avenues for redress to ensure proportionality and protect fundamental rights. This structure is fundamental to the recognition of Brazil's equivalence with European Union requirements.
Effect of the Decision and Action of Data Protection Authorities
The European Commission's decision to recognize Brazil as providing an adequate level of data protection is a highly significant development with profound impacts on EU-Brazil relations. This decision is the culmination of an exhaustive analysis of Brazil's legal and practical framework.
European Commission Conclusion
Following an in-depth analysis, the European Commission concluded that Brazil, through the LGPD, ensures a level of protection for personal data transferred from the EU that is essentially equivalent to that guaranteed by the GDPR.
Furthermore, the Commission considers that Brazilian supervisory mechanisms and redress avenues allow for the identification and practical handling of potential data protection infringements by controllers and processors, offering data subjects legal remedies to access, rectify, or erase their data. Regarding interference by Brazilian public authorities in the public interest (criminal law enforcement and national security), the Commission assesses that such interference is limited to what is strictly necessary and that effective legal protection against it exists.
Practical Effects of the Decision
This decision has an immediate and significant practical effect:
- Facilitating International Data Transfers: Personal data transfers from EU controllers and processors to their counterparts in Brazil can now occur without requiring additional authorization (Recital 223). This eliminates the bureaucratic barrier and complexity of using alternative transfer mechanisms like Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs) for each transfer.
- Increased Trust and Legal Security: The decision reinforces mutual trust between jurisdictions and provides greater legal certainty for operations involving personal data, as highlighted by the Brazilian Government portal in a news article about the ANPD's closer relationship with the European Commission. This is particularly beneficial for companies that operate internationally.
- Strengthening Trade Relations: Harmonizing data protection standards facilitates trade and cooperation between Brazil and the EU, promoting a more efficient and transparent business environment.
- Direct GDPR Application: The decision does not affect the direct application of the GDPR to entities falling under its territorial scope (Article 3).
It is important to note that EU Member States and their authorities must comply with the Commission's decision. However, a national data protection authority may challenge the decision's compatibility with fundamental rights to privacy and data protection, potentially leading to a referral to the Court of Justice of the European Union.
Monitoring, Suspension, Revocation, or Amendment of the Decision
The adequacy decision is not permanent and is subject to ongoing monitoring and periodic review.
- Continuous Monitoring: The European Commission must continuously monitor developments in Brazil's legal framework and the practical handling of personal data. Brazilian authorities are to inform the Commission of any material developments relevant to the decision.
- Periodic Reviews: The decision will be subject to an initial review within four years of its entry into force, with subsequent reviews every four years. These reviews will cover all relevant aspects, including the ANPD's cooperation with EU authorities and the effectiveness of oversight in criminal law and national security contexts.
- Review Process: For the review, the European Commission will meet with the ANPD and, where appropriate, other relevant Brazilian authorities. Representatives from the European Data Protection Board (EDPB) may participate, and the Commission will request comprehensive information and explanations on any relevant matters.
- Public Report: Based on the review, the European Commission will prepare a public report for the European Parliament and the Council.
- Suspension, Revocation, or Amendment: If the level of protection in Brazil is deemed inadequate, the Commission will inform Brazilian authorities and request corrective measures. If necessary measures are not taken, the Commission will initiate procedures to suspend, revoke, or amend the decision. This may also occur if Brazilian authorities fail to provide necessary information on the required protection level. In urgent cases, the Commission may act immediately.
The EU's recognition of Brazil's adequacy is a testament to the country's maturity and commitment to global data protection standards. However, it requires continuous effort from the ANPD and other Brazilian authorities to maintain and improve these standards, ensuring regulatory interoperability and the protection of fundamental rights in the digital environment. This decision not only validates Brazil's legislative efforts but also opens new doors for international collaboration and business development.





