backNewsletter (#001/2025) on Privacy and Data Protection by Campos Thomaz Advogados
Alerts, materials, and updates on Privacy, Data Protection, and Cybersecurity.
To subscribe, click here.
Retrospective 2024: Top 15 Facts About Privacy and Data Protection in Brazil
2024 marked a year of maturity for Brazil’s National Data Protection Authority (ANPD) and significant advancements in data protection! Here are the 15 most relevant privacy events of the year: Learn more
Key topics for 2025: ANPD Published Regulatory Agenda for the 2025-2026 Biennium
On Wednesday, December 11, Brazil’s National Data Protection Authority (ANPD) announced its Regulatory Agenda for the 2025-2026 biennium, a critical roadmap for planning and executing priority regulatory actions. Developed through public consultation, the document underscores the collaborative and transparent nature of the regulatory process. Learn more
ANPD Publishes New Guidelines on the Role of the Data Protection Officer
On December 19, 2024, the Brazilian Data Protection Authority (ANPD) issued a new guideline on the role of the Data Protection Officer (DPO). This document supplements Resolution CD/ANPD No. 18, dated July 16, 2024, detailing the requirements for appointing the DPO and relevant responsibilities. The main objective of the new guideline is to facilitate the interpretation of Resolution CD/ANPD No. 18 and support the proper execution of the DPO’s activities, which are considered essential for privacy and data protection governance within organizations. Learn more
ANPD Orders X Corp (Twitter) to Suspend Use of Minors’ Data for Generative AI Training
On December 16, 2024, Brazil’s National Data Protection Authority (ANPD) ordered X Corp to suspend, within five business days, the use of personal data belonging to individuals under 18 years old for training generative artificial intelligence. The company must also include clear information about this restriction in its Privacy Policy or the “Help Center” section and disable the option to share data for this purpose in accounts belonging to minors. Learn more
ANPD Investigates at Least 20 Companies for Alleged Failure to Appoint Data Protection Officers
The Brazilian Data Protection Authority (ANPD) has launched an enforcement process targeting major companies that allegedly failed to appoint a Data Protection Officer (DPO) as required by Brazil’s General Data Protection Law (LGPD). The investigation also includes organizations that have purportedly not provided effective communication channels for data subjects, hindering the exercise of rights such as access, correction, and deletion of personal information. Learn more
ANPD Extends the Deadline for Contributions to the Regulatory Project on Artificial Intelligence and Data Protection to January 24
On November 29, 2024, Brazil’s National Data Protection Authority (ANPD) extended the deadline to January 24, 2025, for public input on its initiative to gather contributions for regulating the use of Artificial Intelligence (AI) systems in the context of personal data protection. Learn more
STJ Rules on Civil Liability in Data Security Incidents
The Brazilian Superior Court of Justice (STJ) unanimously decided that Enel (formerly Eletropaulo) is responsible for providing complete information to customers whose non-sensitive data was exposed, even in the event of a hacker attack. The company must disclose the entities with which it shared the data, the criteria used, the origin, the purpose of the processing, and provide a copy of all data related to the individual, as stipulated by Article 19, II of the LGPD (Brazil’s General Data Protection Law). Learn more
PROCON Fines Raia Drogasil R$ 8 Million for Requiring Customers’ CPF
The Consumer Protection Agency of Minas Gerais (Procon-MG), affiliated with the Public Prosecutor’s Office of Minas Gerais, imposed a multi-million fine on a pharmacy chain for requiring customers to provide their CPF at checkout. Procon-MG is responsible for ensuring compliance with consumer rights and addressing violations under Brazilian consumer protection laws. Learn more
EDPB Issues Opinion on the Use of Personal Data in AI Models
The European Data Protection Board (EDPB) has published Opinion 28/2024, addressing essential aspects of data protection in the development and use of Artificial Intelligence (AI) models. Key points include the assessment of data anonymization, the use of legitimate interest as a legal basis, and the implications of the misuse of personal data. The EDPB emphasizes that anonymization is only valid when the likelihood of reidentifying individuals is minimal, considering available technologies. It also recommends a thorough analysis to determine the appropriate legal basis, paying attention to the expectations of data subjects. Learn more
Articles Published on Data Guidance
Check out our latest articles on Standard Contractual Clauses and the top 10 privacy and data protection events of the year. Data Guidance is one of the leading content portals worldwide on privacy and data protection.
Access here: https://www.dataguidance.com/opinion/brazil-top-10-facts-privacy-and-data-protection-2024
Access here: Brazil: Data transfers – A new regulation in Brazil with SCCs | Opinion | DataGuidance
Find out more about our DPO as a Service
We have prepared specific material to explain how the external DPO as a Service works. Contact our partners
LGPD Infographic
Access the LGPD infographic prepared by our firm. Access here
Explore our series of content on privacy, data protection, and cybersecurity.
Discover our series of content on privacy, data protection and cybersecurity. Access the full series here.
Produced by Alan Campos Thomaz and João Marcelo de Oliveira
share
