The LGPD celebrates 5 years: where are we?

The General Personal Data Protection Law (Lei Geral de Proteção de Dados Pessoais), better known as the LGPD, celebrates 5 years since its enactment. The Law was created after a long and difficult legislative process and was largely inspired by the European law (General Data Protection Regulation – GDPR). It is a milestone for Brazilian society in advocating for the rights of personal data subjects, with the National Data Protection Authority (Autoridade Nacional de Proteção de Dados, ANPD) as the supervisor and guarantor of the fundamental right to the protection of personal data, which became constitutionally guaranteed in 2022 through Constitutional Amendment No. 115/2022.

Throughout the week in which the LGPD turns 5, the ANPD’s program includes: (i) the opening of a public consultation on the international transfer of personal data; (ii) the start of a call for input to prepare the Guidelines on legitimate interest; (iii) publication of the follow-up report on the 2023/2024 agenda; (iv) publication of the Authority’s communication policy; and (v) publication of the report on the monitoring and inspection cycle.

Over the last five years, the culture of privacy and protection of personal data has become increasingly widespread in Brazil, as a result of the work of the ANPD, other consumer rights authorities, companies and society in general, which have become increasingly aware of the importance of their role in protecting personal data.

The years 2022 and 2023, in particular, were marked by new developments regarding the LGPD, with the publication of three regulations by the ANPD, namely:

  • Resolution CD/ANPD No. 02/2022, which governs the application of the LGPD to small-size agents;
  • Resolution CD/ANPD No. 04/2023, which establishes the procedure for dosimetry and enforcement of administrative sanctions by the authority; and
  • Statement No. 01/2023, on the processing of data on children and adolescents.

The ANPD also published other resolutions and ordinances aimed at its own structuring and general operation.

The year 2023 also saw an important decision by the Superior Court of Justice, which ruled out presumed moral damage (in re ipsa) in cases of personal data leaks, as well as the enforcement of the first administrative sanction by the ANPD, out of the 16 cases brought by the Authority. At the same time, there was a gradual increase in lawsuits involving the LGPD, with considerable fines being imposed for damage caused to data subjects, one of which reached R$20 million.

It is worth noting that, in the same year, there was a 2.3% increase in the average global cost of privacy incidents compared to 2022, reaching $4.45 million, as reported by the Cost of a Data Breach Report 2023. This average cost is the highest ever recorded, representing an increase of 15.3% since 2020.

In Brazil, the average cost of privacy incidents in 2023 was $1.22 million, with the health, financial, pharmaceutical, energy and industrial sectors being the most affected. These figures are especially meaningful considering the more than 185 security incident reports submitted to the ANPD from January to June 2023.

There is a clear increase in the impacts caused by privacy incidents, especially on processing agents who are not in compliance with the laws, reinforcing the importance of adopting an effective Privacy and Data Protection Governance Program, which involves constant monitoring.

On the other hand, despite the constant evolution of the regulations surrounding the LGPD, the law still has a long way to go before reaching the necessary maturity. Several topics provided for in the LGPD are still pending regulation. The ANPD’s agility in implementing this regulatory agenda will also tend to speed up the actions companies must take to comply with the LGPD, so that a culture of data protection and respect for privacy becomes part of the everyday life of businesses.