Data & Privacy · Brazil
Data protection & privacy laws in Brazil (2026)
Brazil shaded by its data & privacy status
Brazil has a comprehensive, GDPR-style omnibus data-protection law (the LGPD, Law No. 13.709/2018) that applies to processing of personal data by public and private entities, in physical or digital form. It is overseen by an independent supervisory authority, the ANPD, and data protection is also enshrined as a fundamental right in the Federal Constitution (Constitutional Amendment 115/2022).
Key points
The LGPD (Law No. 13.709/2018) is a cross-sector statute modeled on the EU GDPR, regulating processing of personal data of natural persons by both public and private controllers and processors, whether by manual or digital means. It took full effect in 2020 (with administrative sanctions effective from August 2021).
The Autoridade Nacional de Proteção de Dados, created by Law No. 13.853/2019, is the autonomous federal authority that regulates, supervises, guides, and enforces the LGPD; its competence over personal-data protection prevails over correlated powers of other public bodies.
Processing must rely on one of ten legal bases set out in the law (e.g., consent, legitimate interest, legal/contractual obligation, public-policy execution); there is no hierarchy among them, and consent must be specific, informed, and revocable.
Article 18 guarantees rights including confirmation/access, correction, anonymization or deletion of unnecessary or unlawfully processed data, portability, information on sharing, and the right to object to processing carried out without consent.
Penalties (Arts. 52–53) range from warnings to fines of up to 2% of the entity's Brazilian revenue, capped at R$50 million per infraction, plus daily fines, publicization, blocking or deletion of data. ANPD Resolution CD/ANPD No. 4 of 24 Feb 2023 sets the methodology (dosimetria) for calculating these fines.
Constitutional Amendment No. 115/2022 (promulgated 10 Feb 2022) added the protection of personal data, including in digital media, to Article 5 of the Federal Constitution as an autonomous fundamental right and assigned the Union exclusive competence to legislate on and supervise the matter.
Timeline - major decisions & events
The European Data Protection Board adopted Opinion 28/2025 broadly endorsing the European Commission's draft decision (published 5 Sep 2025) that Brazil offers adequate protection under the GDPR, paving the way for free EU–Brazil data flows; mutual adequacy was announced 27 Jan 2026.
EDPB ↗Brazil transformed the ANPD from a special autarchy into a full regulatory agency with functional, technical, decision-making, administrative and financial autonomy, cementing it as an independent data-protection regulator.
IAPP ↗The ANPD approved the regulation governing cross-border transfers and published Standard Contractual Clauses, operationalising the LGPD's international transfer regime (controllers had until 22 Aug 2025 to adopt the new SCCs).
IAPP ↗The ANPD issued a preventive measure suspending Meta's use of personal data to train generative AI under a BRL 50,000/day fine, citing inadequate transparency and risks to minors; the measure was lifted on 30 Aug 2024 after Meta submitted a compliance plan.
Future of Privacy Forum ↗The ANPD imposed its first fine on a microenterprise for telemarketing-related LGPD violations, marking the start of active enforcement of the law's penalty regime.
IAPP ↗The ANPD was converted from a body linked to the Presidency into an independent special autarchy with technical, decision-making and budgetary autonomy, strengthening its impartiality as the national regulator.
Lexology ↗Congress added the protection of personal data, including in digital media, to the fundamental rights in Article 5 of the Constitution (and federal exclusive competence to legislate), entrenching the principles underpinning the LGPD.
Government of Brazil ↗The LGPD's penalty provisions (fines up to 2% of Brazilian revenue, capped at BRL 50 million per infraction) became enforceable, giving the ANPD power to sanction non-compliance.
ICLG ↗By 10–1 the Supreme Federal Court suspended MP 954/2020, which forced telecoms to hand subscriber data to statistics agency IBGE; its reasoning recognised data protection as an autonomous fundamental right derived from the Constitution.
Supremo Tribunal Federal ↗President Michel Temer signed Brazil's first comprehensive, GDPR-inspired data protection statute into law, creating the framework that governs personal data processing nationwide.
ANPD ↗Brazil's 'Internet Bill of Rights' established net neutrality, intermediary liability rules, and the first binding privacy and personal-data protection principles for online activity, laying the groundwork for the LGPD.
Câmara dos Deputados ↗Brazil - other topics
Last verified 5/23/2026 · Orientation, not legal advice - verify against the primary sources linked above. Explore the full world map →