STRAIGHT TO THE POINT:
ANPD representatives discussed the Authority’s regulatory and supervisory activities at a seminar organized by CGI.br and NIC.br, highlighting the key topics slated for upcoming studies and regulation. Among the most notable are the regulation of data subjects’ rights, the protection of children’s and adolescents’ data, rules on high-risk processing activities, and the use of personal data in artificial intelligence systems.
On August 26, representatives of the Brazilian National Data Protection Authority (ANPD) participated in the panel “Conversation on Data Protection with the ANPD” during the 16th Seminar on Privacy and Personal Data Protection, organized by CGI.br and NIC.br.[1]
The panel featured Fabrício Guimarães Madruga Lopes, ANPD’s Head of Supervision, and Rodrigo Santana, ANPD’s Head of Regulation, who presented the development of the ANPD’s regulatory agenda, the priority issues under review, and the Authority’s supervisory approach.
We attended the event and summarized below the main points discussed.
REGULATION
The ANPD emphasized that its regulatory processes are risk-based and aimed at safeguarding fundamental rights. Its ongoing initiatives include:
- Data subjects’ rights: The ANPD is working on the regulation of the Brazilian General Data Protection Law (LGPD) regarding data subjects’ rights. Key topics under discussion include enhancing transparency in privacy notices (such as providing clearer information on data sharing), setting parameters for the exercise of the right to data rectification, and defining response deadlines. The Authority is also reviewing the conditions for exercising the right to request a review of automated decisions, including clarifying when such review requires human intervention.
- Data sharing by public authorities: The ANPD is considering launching a public consultation to define the conditions under which government bodies may share personal data with the private sector, in accordance with legal exceptions and applicable legal instruments.
- Children and adolescents: The regulatory agenda covers minimum standards for processing children’s and adolescents’ data, including requirements for specific consent, age verification mechanisms, and safeguards based on the best interests of children and adolescents. The Authority also highlighted the potential impacts of Bill of Law No. 2628/2023, commonly known as the “Digital Child and Adolescent Statute,” which is currently awaiting presidential sanction.
- Biometric data: Following the conclusion of a public consultation, the Authority is now assessing issues such as the definition of biometric data, legal bases for its processing, the reliability of facial recognition systems, and the requirements for security and transparency.
- High-risk data processing: The ANPD’s Board of Directors is expected to deliberate on specific parameters applicable to controllers engaged in data processing activities classified as high risk.
- Artificial intelligence: The ANPD is developing a guidance document on AI that will address applicable legal bases for data processing in AI systems, web scraping practices, technical and legal safeguards, and the challenges of ensuring the effective exercise of data subject rights in this context.
- Anonymization: The Authority is conducting a new study to assess the use of anonymization as a risk mitigation measure, particularly in AI applications.
- National Data Protection Policy: The ANPD is coordinating the development of the National Data Protection Policy, building on the guidelines proposed by the National Data Protection Council. Key pillars include promoting education and a culture of data protection, as well as fostering institutional integration among sectoral regulators, public authorities, and society at large.
SUPERVISION
With regard to its supervisory activities, the following points were highlighted by ANPD representatives:
- Responsive enforcement: The ANPD reaffirmed its responsive supervision strategy, a model that combines guidance and cooperation with the imposition of proportional sanctions. Penalties are reserved for cases of resistance to compliance or high-risk processing carried out without adequate safeguards. The approach prioritizes tangible outcomes for data subjects by promoting swift corrective actions whenever possible, while still applying sanctions where necessary.
- Monitoring: The Authority operates a dedicated monitoring unit that reviews complaints and reports, currently receiving around 1,000 monthly submissions through the “gov.br” platform. These inputs, along with mandatory security incident notifications filed by controllers, feed into monitoring cycles conducted by the supervisory division. The 2023–2025 cycle is being finalized and will serve as the basis for the next Priority Topics Map, which will define the Authority’s enforcement focus for the following two years.
- Security incidents: The most frequently reported cases involve social engineering and ransomware attacks. The ANPD emphasized that notifying relevant incidents to the Authority, as required by LGPD, does not automatically result in sanctions; in most cases, it leads to recommendations. Conversely, failure to notify is deemed a serious violation and is likely to result in penalties.
The Authority also emphasized that the LGPD was not designed to prevent the use of personal data, but rather to enable its proper and responsible circulation for the benefit of society.
CONCLUSIONS
The statements made by the ANPD’s representatives reflect an Authority in the process of consolidation. In this context, the ANPD aims to establish clear and proportionate rules on key issues such as data subject rights, biometric data, children and adolescents, and artificial intelligence, while also strengthening a responsive supervisory model that balances guidance, monitoring, and proportionate enforcement.
The message to data controllers is equally clear: documenting governance practices, adopting appropriate transparency measures, and implementing security safeguards proportionate to the level of risk are essential to demonstrate good faith and reduce exposure to sanctions.
Our Data Protection team continuously monitors legislative developments and the ANPD’s activities, and remains available to support your organization in achieving regulatory and strategic compliance with the LGPD.
[1] CGI.br is Brazil’s multistakeholder Internet governance body, and NIC.br is the entity that implements its decisions and manages core Internet infrastructure.