Brazil’s Autoridade Nacional de Proteção de Dados (ANPD) is calling for views on the definition of “high-risk processing” under the country’s federal data protection law, the Lei Geral de Proteção de Dados Pessoais (LGPD). The consultation is the latest in a long series of ordinances, resolutions, and guidance notes produced by the ANPD since the LGPD became enforceable in 2020. Here’s a roundup of the Brazilian regulator’s recent activity.
High-risk processing consultation
Like its European counterpart, the GDPR, the LGPD distinguishes “high-risk” processing in several contexts. In a consultation opened on 17 April, the ANPD seeks to pin down what high-risk processing means in practice. The regulator notes that high-risk processing is a subject of much debate among academics and professionals and is particularly important given the fast development of technology and the importance of innovation to Brazil’s burgeoning tech sector.
The definition of high-risk processing matters to LGPD compliance, too. The law’s tiered penalty system applies high fines to riskier activities, and processes like data protection impact assessments (DPIAs) and incident reporting are affected by risk. The consultation is open to response until 15 May, and references several other of the ANPD’s many, many LGDP-related publications.
Other publications
Like several other Latin American regulators, the LGPD has been extremely productive in publishing documents related to data protection compliance and enforcement. Since March 2021, the ANPD has produced:
- Three ordinances that establish its internal rules, processes, and structure.
- Fifteen resolutions addressing topics such as the LGPD sanctioning process, the processing of adolescents’ personal data, and the ANPD’s priorities throughout 2024-25.
- Fourteen technical notes about subjects such as the registration of child users on TikTok, WhatsApp’s privacy policy, and LGPD compliance in the pharmaceutical industry.
- Technical studies about anonymisation, children’s data, and processing personal data for academic purposes.
These publications provide insights into the ANPD’s interpretation of Brazil’s evolving data protection framework, and feature alongside annual reports, planning documents, and—of course—sanctions.
Fines and sanctions
The LGPD gained the power to issue sanctions under the LGPD in August 2021. The law allows for fines of up to BRL 50 million (GBP 7.8 million) or 2% of annual turnover. The regulator has issued only two monetary penalties under the law so far, both against telecoms firm Telekall last July for failing to appoint a data protection officer or produce records of processing activities.
However, the ANPD has served non-financial sanctions against:
October 2023:
- Santa Catarina State Department of Health (data breach)
- Institute of Assistance to the State Public Server of Sao Paulo (IAMSPE)
February 2024:
- National Institute of Social Security (INSS)
- Office of Education of the Federal District (SEEDF)
The first three of these sanctions related to an alleged failure to communicate cybersecurity incidents.
Like its fine against Telekall, the ANPD’s most recent sanction—against the Office of Education—was issued for allegedly failing to appoint a DPO, as was required of the organisation under the LGPD.
As a global consultancy offering DPO services across a broad range of markets, HewardMills has a team of Latin American data protection experts. Talk to us about how we can help you meet Brazil’s increasingly strict regulatory standards.
