factually

Brazil's LGPD recent changes

Checked on November 28, 2025
Disclaimer: Factually can make mistakes. Please verify important information or breaking news. Learn more.
NatLawReview
Hunton
Chambers and Partners
Zonos
Searched for:
"Brazil LGPD updates November 2025"
Found 15 sources

Executive summary

Brazil’s General Personal Data Protection Law (LGPD) remains the country’s cornerstone data-privacy framework, aligned in many respects with the EU’s GDPR and enforced by the National Data Protection Authority (ANPD) [1] [2]. Recent regulatory activity includes ANPD rules on international transfers (Resolution 19/2024 and new Standard Contractual Clauses deadline of August 22, 2025) and an EDPB opinion praising Brazil’s framework while flagging transparency limits and oversight questions [3] [4].

1. What changed most recently: international transfers and SCCs

Brazil’s ANPD issued a regulation implementing LGPD’s international-transfer regime and published new standard contractual clauses (SCCs) via Resolution 19/2024; controllers using contractual clauses were required to replace older contracts with the new SCCs by August 22, 2025 [3]. The Resolution sets out pathways for transfers — adequacy decisions, SCCs / binding corporate rules, or specific legal grounds — mirroring structures familiar to data-exporting organizations [3].

2. Europe’s view: adequacy praise with caveats

The European Data Protection Board (EDPB) issued an opinion on the European Commission’s draft adequacy decision for Brazil that commends Brazil’s LGPD, presidential decrees, and ANPD rules for substantial alignment with the GDPR and EU case law [4]. The EDPB nonetheless raised concerns: practical monitoring of Data Protection Impact Assessments, potential limits to transparency where “commercial and industrial secrecy” can restrict information access, and the need for clearer definitions of oversight roles between the ANPD and Brazil’s National Council for Personal Data and Privacy Protection [4].

3. Enforcement is real and evolving

Enforcement under LGPD is not theoretical: Brazilian authorities and other public bodies have initiated investigatory and compliance actions. The ANPD opened investigative proceedings — for example, against 20 companies over DPO issues in November 2024 and closed that proceeding in April 2025 after remediation — showing active supervision and follow-up [5]. Outside the ANPD, prosecutors and consumer agencies also play roles in privacy enforcement in Brazil [5].

4. Scope, rights and penalties that matter to businesses

LGPD applies broadly to processing tied to individuals located in Brazil, processing undertaken in Brazil, or offers of goods or services aimed at people in Brazil [1]. It grants a suite of rights (access, correction, deletion, anonymization) and imposes controller obligations including records of processing, data minimization, and accountability measures [2]. Administrative fines can reach 2% of company revenue in Brazil up to BRL 50 million per infraction, a material exposure for companies operating there [6].

5. Practical compliance items in play right now

Regulators and practitioners emphasize concrete tasks: appoint and disclose a Data Protection Officer where required, maintain a centralized record of processing activities, perform DPIAs, adopt the new SCCs for cross‑border transfers, and update privacy policies and contracts [5] [3] [2]. Many observers expect the ANPD — not Congress — to drive further implementation and sectoral guidance through rules, technical notes and investigations [7].

6. Competing viewpoints and political pressure

Sources note a mix of perspectives: legal and industry commentators say LGPD’s alignment with GDPR helps adequacy hopes and cross‑border trade [4] [2], while others point to legislative efforts in Congress to amend LGPD and ongoing debate over the law’s reach — especially as it touches public authorities and criminal investigations [7] [4]. The EDPB’s call to monitor transparency exceptions signals that international partners are watching whether national trade or secrecy claims erode data‑subject rights [4].

7. Limitations in available reporting and what’s not found

Available sources document the ANPD’s SCC rule, enforcement actions like the DPO probe, EDPB’s opinion, and practical obligations for companies [3] [5] [4] [2]. Available sources do not mention any specific new monetary fines actually levied under LGPD since the ANPD’s more active enforcement phase, nor do they provide a comprehensive list of every bill in Congress seeking LGPD changes — those legislative items are described as numerous but not enumerated [7] [5].

8. Bottom line for organizations and watchers

Treat LGPD as mature and operational: the ANPD is issuing binding rules (notably on transfers), enforcement is active, and international regulators are closely scrutinizing Brazil’s balance between business secrecy and transparency [3] [5] [4]. Businesses should prioritize the ANPD’s transfer framework, SCCs replacement deadlines, DPO and recordkeeping compliance, and DPIAs to reduce legal and reputational risk [3] [5] [2].

Want to dive deeper?
What are the key amendments in Brazil's LGPD as of 2025 and when did they take effect?
How do the recent LGPD changes affect cross-border data transfers involving Brazilian companies?
What new enforcement powers or penalties were introduced for ANPD under the updated LGPD?
How should multinational businesses update compliance programs to align with Brazil's LGPD amendments?
How do the LGPD revisions compare with recent updates to the EU GDPR and California privacy laws?
About
Blog
Contact
FAQ
Terms
Privacy
Manage data