Newsletter (#005/2025) on Privacy and Data Protection by Campos Thomaz Advogados

Alerts, materials, and updates on Privacy, Data Protection, and Cybersecurity.


Find out more about our DPO as a Service 

We have prepared specific material to explain how the external DPO as a Service works. Contact our partners.

ANPD Technical Note Provides Guidelines on AI and Data Protection

The Brazilian Data Protection Authority (ANPD) has published Technical Note No. 12/2025, consolidating contributions received during its Public Call for Input on artificial intelligence (AI) and personal data protection. The initiative gathered insights from legal professionals, private sector entities, academia, and civil society on how best to align the General Data Protection Law (LGPD) with the growing use of automated decision-making systems. The analysis was structured around 15 questions, grouped into five thematic blocks: LGPD principles, legal bases, data subject rights, good governance practices, and regulatory guidelines.

Key discussions revolved around the principle of necessity in AI training processes that often require massive datasets. While there was consensus on the need for safeguards — such as anonymization, privacy by design, and impact assessments — opinions diverged on whether certain protective measures should be mandatory and on the legal grounds for processing sensitive data. The report also highlighted the challenge of ensuring transparency and upholding data subject rights without hindering technological development, especially in the context of general-purpose AI systems and the complex allocation of responsibilities between developers and deployers. Learn more.

Irish Data Protection Commission Fines TikTok €530 Million

The Irish Data Protection Commission (DPC) has announced its final decision in an inquiry into TikTok, examining the legality of transferring personal data of users in the EEA to China. The DPC found that TikTok violated the General Data Protection Regulation (GDPR) by failing to ensure that user data was adequately protected, as required by EU law. The investigation also identified issues with TikTok’s transparency in informing users about these transfers. As a result, TikTok was fined €530 million and ordered to bring its processes into compliance with the GDPR within six months, or face suspension of data transfers to China. Learn more.

EU Fines Meta and Apple Millions Over Digital Markets Act Violations

The European Commission has fined Meta €200 million for violating the Digital Markets Act (DMA) through its “Consent or Pay” model, introduced in late 2023. The system required EU users of Facebook and Instagram to choose between accepting the use of their personal data for targeted ads or paying a subscription to avoid them. The Commission concluded this model failed to provide a meaningful alternative with reduced data processing and did not allow users to freely consent to the combination of their data across Meta’s services. Learn more.

XP Reports Data Breach Involving External Vendor Database

On April 24, XP Inc. informed its clients about a data breach involving unauthorized access to a database hosted by an external provider. According to the company, basic registration and financial information—such as names, emails, phone numbers, account balances, and credit limits for March—was compromised. XP emphasized that no sensitive data, such as passwords, CPF numbers, biometric information, or credentials enabling financial transactions, was exposed. The company acted promptly to block the unauthorized access and assured clients that none of its internal systems were affected. Learn more.

Labor Court Convicts Companies for LGPD Violation in Recruitment via Gupy

In a ruling issued in April 2025, Brazil’s 15th Regional Labor Court (Campinas/SP) ordered two companies to pay R$ 200,000 in collective moral damages due to violations of the Brazilian General Data Protection Law (LGPD) during recruitment processes conducted through the Gupy platform. The Public Labor Prosecutor’s Office (MPT) alleged that candidates were subjected to intrusive and disproportionate questions — such as “I criticize authorities when I disagree with them” and “I have trouble sleeping” — which could lead to the inference of sensitive data without adequate legal basis. In addition to the fine, the court prohibited further collection of such information and imposed governance measures, including appointment of a Data Protection Officer (DPO), maintenance of data processing records (ROPA), and review of privacy policies. Learn more.

Paraná Prosecutor Files Lawsuit over Facial Biometric Data Collection in Public Schools

The 3rd Public Prosecutor’s Office of Campo Mourão (state of Paraná, Brazil) filed Civil Lawsuit No. 0004208-55.2025.8.16.0058 against the State of Paraná, state IT company Celepar, and a private company, for alleged violations of Brazil’s General Data Protection Law (LGPD). The lawsuit challenges the collection and processing of facial biometric data from public school students as part of an AI-based facial recognition attendance system, carried out without proper transparency or valid consent. According to the Prosecutor’s Office, the practice breached key LGPD principles such as purpose limitation, necessity, and transparency, and undermined the students’ right to informational self-determination. Learn more.

Brazil Unveils National Data Center Policy and Reinforces Role in Green Economy

On May 5, 2025, Brazil’s Finance Minister Fernando Haddad participated in the 28th Global Conference of the Milken Institute in Los Angeles, marking the first-ever session in Portuguese at the event. During his address, Haddad outlined Brazil’s vision for sustainable growth, with a strong emphasis on digital transformation and ecological transition. A key announcement was the upcoming National Data Center Policy, which anticipates the effects of the Tax Reform for the digital sector, including investment and export tax exemptions. The goal, he stated, is to power Brazil’s digital infrastructure with clean energy while ensuring both legal security and cybersecurity, positioning the country as a global digital and green leader. Learn more.

LGPD Infographic

Access the LGPD infographic prepared by our firm.

Discover our series of content on privacy, data protection, and cybersecurity. Access the full series here.

Produced by Alan Campos Thomaz and João Marcelo de Oliveira
