How does Brazilian law regulate data sharing and consent for the digital ID?
Executive summary
Brazil’s digital identity and data-sharing landscape is governed principally by the General Data Protection Law (LGPD), which requires a lawful legal basis (including consent) for processing personal data and treats consent as revocable at any time [1] [2]. The National Data Protection Authority (ANPD) has tightened cross‑border rules: Standard Contractual Clauses (SCCs) became mandatory for many international transfers and had to be implemented by 23 August 2025 [3] [4] [5].
1. LGPD sets the baseline: purpose-limited processing and multiple legal bases
Brazil’s LGPD is the core statute that governs collection, storage, sharing and processing of personal data, including for digital identity systems; it requires that processing rest on one of the law’s enumerated legal bases (consent being one) and that controllers provide comprehensive transparency about processing activities [1] [6]. The law explicitly aims to protect privacy and the free development of personality and applies broadly to processing connected to Brazil, whether done domestically or from abroad [1] [7].
2. Consent is central — but flexible and withdrawable
Consent under the LGPD must be free, informed and unambiguous; it is a valid legal basis for data sharing for digital IDs, but the law treats consent as revocable at any time, meaning systems built on consent must be able to operate if consent is withdrawn or must rely on other legal bases for continued processing [8] [2]. Practical consequence: relying solely on consent for a national digital identity program could create operational risk because users can withdraw consent and thereby remove the supporting legal foundation [2] [8].
3. Public‑sector sharing has distinct contours and gaps
The LGPD allows data sharing between public bodies or between public and private actors where authorised for public purposes, legal powers, or public‑service duties — but that sharing must still respect Article 25 and other LGPD safeguards [6]. Sources note remaining gaps: the law contains no explicit rules on sharing of technical assets such as source code, and further regulatory guidance is needed on how government access and operational sharing should work in practice [6] [9].
4. Biometric and sensitive data attract extra scrutiny
Brazilian regulators and commentators highlight special concern about processing of biometric and other sensitive personal data — particularly when used in AI or digital identity systems — and the ANPD has opened consultations and issued technological guidance on topics such as age verification and biometric processing [10] [2]. This signals regulatory caution and the potential for stricter administrative rules or constraints on how digital ID projects handle sensitive attributes [10] [2].
5. International transfers now governed by ANPD SCC regime
When data underpinning a digital ID crosses borders, controllers must follow the ANPD’s Resolution on international transfers: approved Standard Contractual Clauses became mandatory by 23 August 2025, and organisations must publish transparent information and make SCC texts available on request [3] [4] [5]. The regime aligns Brazil more closely with Europe’s approach and was designed to ensure exported data remains protected to LGPD standards [3] [5].
6. Supervision and enforcement — ANPD ramping up activity
The National Data Protection Authority (ANPD) has been actively enforcing LGPD obligations — for example, investigating failure to appoint or publish Data Protection Officer contacts and requiring remediation — indicating real administrative teeth behind sharing and consent rules [4]. The EDPB and international actors are also scrutinising ANPD powers and the law’s interaction with law enforcement exceptions, so oversight remains an evolving area [9] [4].
7. Design implications for digital ID architects
Designers of digital ID systems must embed transparency, modular legal bases, and portability to respond to consent withdrawal; they must also minimise sensitive data holding, adopt privacy‑by‑design practices, and plan legal mechanisms for cross‑border flows [8] [1]. Technologies such as zk‑SNARKs and other privacy‑enhancing techniques are mentioned by practitioners as ways to reduce exposure while enabling verifiable transactions without revealing raw personal data [2].
8. Unresolved questions and where reporting is thin
Available sources do not mention granular rules on how a national digital ID program must operationalise consent withdrawal in live authentication flows, nor do they provide a single, consolidated regulation expressly tailored to “digital ID” as distinct from general processing [1] [6]. There is clearly active rule‑making and consultation — especially on biometrics and international transfers — but implementation details and sectoral standards remain in flux [10] [4].
Context matters: LGPD provides robust principles and the ANPD has moved to tighten cross‑border and sensitive‑data controls, yet the law’s treatment of consent as revocable and the lack of explicit operational rules for government access mean digital‑ID proponents must design systems that can survive consent withdrawal, minimise sensitive attributes, and comply with evolving ANPD guidance [1] [2] [10].