2024 marked a year of maturity for Brazil’s National Data Protection Authority (ANPD) and significant advancements in data protection! Here are the 15 most relevant privacy events of the year:

1. Guidance on Legitimate Interest

The ANPD issued guidelines on the balancing test for using legitimate interest as a legal basis, including recommendations for sensitive data, such as biometrics, in fraud prevention.

2. Incident Notification Regulation (Resolution No. 15/2024)

In April, the ANPD established new rules for incident notifications, introducing revised deadlines, risk assessment criteria, and the requirement for formal records to enhance response agility in case of breaches.

3. Regulation of Data Protection Officers (Resolution No. 18/2024)

Published in July, this resolution details DPO responsibilities, including formal appointment and public disclosure of contact information on the data controller’s website.

4. International Data Transfers (Resolution No. 19/2024)

The ANPD regulated international data transfers in August, adopting standard contractual clauses (SCCs) and global corporate rules, requiring compliance by August 2025.

5. Investigation of TikTok

The ANPD launched an investigation into TikTok for improperly collecting data from children and adolescents, highlighting the lack of valid consent and age verification mechanisms.

6. Sanction Against INSS for Data Incident

The INSS (Department of Pension) was sanctioned for failing to notify data subjects of an incident involving 90 million sensitive records, marking the ANPD’s first administrative appeal decision.

7. Public Consultation on AI and Data Protection

The ANPD initiated a public consultation to align artificial intelligence practices with LGPD, addressing algorithmic bias and responsible innovation.

8. Preventive Measures Against Meta

Following the announcement of Meta’s secondary data use policy, the ANPD suspended its privacy policy, prompting negotiations and adjustments to comply with LGPD.

9. Investigation Into X Corp’s Grok AI

The ANPD investigated X Corp for collecting data without consent for AI training, assessing changes to its privacy policy for LGPD compliance.

10. Declaration of Public Officials’ Assets

The Superior Court of Justice (STJ) confirmed that the disclosure of annual declarations of revenue and assets by public officials does not exceed regulatory power and complies with the Constitution and LGPD.

11. Automated Driver Profiles

The STJ ruled that aggregated data analyzed by apps for driver selection is considered personal and subject to LGPD, ensuring transparency and the right to review automated decisions.

12. Compensation for Data Breaches

The STJ’s Second Panel ruled that data breaches do not guarantee automatic compensation, requiring proof of actual harm. In another situation, it decided that the controller has a duty of diligence in protecting personal data from data breaches.

13. Disclosure of User Data by Platforms

The STJ determined that internet applications such as YouTube must disclose data on users responsible for offensive content when necessary for legal actions, in accordance with LGPD.

14. Deletion of Unauthorized Data on B3

The Brazilian stock exchange organization was ordered by the STJ to delete fraudulently inserted data from investor profiles, reinforcing the LGPD’s right to rectification.

15. Bank Responsibility in Fraud Cases

The STJ held financial institutions accountable for inadequate data storage that facilitated fraud, classifying this as a service failure under the LGPD and the Consumer Protection Code (CDC).
