Brazil
Latin America’s largest economy balancing a GDPR-inspired data protection framework with a surveillance apparatus exposed by the Parallel ABIN scandal
Overview
Brazil’s privacy landscape is shaped by an unusual combination: one of the world’s strongest constitutional privacy frameworks, a comprehensive data protection law modeled on the GDPR, and a surveillance apparatus that operated illegally under a prior administration to target journalists, judges, and political opponents using Israeli spyware.
The 1988 Federal Constitution established foundational privacy rights through Article 5, including inviolability of private life and correspondence (Art. 5, X and XII), the right of habeas data (Art. 5, LXXII), and — since Constitutional Amendment EC 115/2022 — the explicit protection of personal data as a fundamental right (Art. 5, LXXIX), including in digital media.[1] This amendment also granted the federal government exclusive jurisdiction to legislate personal data protection and processing.
Brazil is not a member of any of the Five Eyes, Nine Eyes, or Fourteen Eyes signals intelligence alliances. It is a founding member of BRICS (with Russia, India, China, and South Africa) and maintains bilateral intelligence and law enforcement cooperation with the United States through a Mutual Legal Assistance Treaty signed in 1997.[2] The 2013 Snowden revelations that the NSA had intercepted President Dilma Rousseff’s personal communications and hacked Petrobras’s computer network profoundly shaped Brazil’s approach to digital sovereignty, directly motivating the EllaLink submarine cable project to bypass US routing for Brazil-Europe traffic.[3]
In January 2026, Brazil became the first Latin American country to receive EU mutual adequacy recognition, creating what has been described as the world’s largest zone for free and secure cross-border data flows.[4]
Data Protection Authority: ANPD
Structure and Independence
The Autoridade Nacional de Proteção de Dados (ANPD) was created by the LGPD and began operations in November 2020. Originally established as a body linked directly to the Presidency — raising significant independence concerns — the ANPD underwent a transformative change in September 2025 when Provisional Measure (Medida Provisória) 1,317/2025 converted it into a full independent regulatory agency with functional, technical, decision-making, administrative, and financial autonomy.[5] The ANPD now holds the same institutional status as Brazil’s telecommunications (ANATEL), health (ANS), and energy (ANEEL) regulators.
The agency is led by Director-President Waldemar Gonçalves Ortunho Junior and governed by a five-member board of directors serving staggered terms. PM 1,317/2025 created permanent positions for data protection regulatory specialists and added 44 commissioned roles, addressing longstanding staffing constraints that had limited enforcement capacity.[6]
Enforcement Powers
Under the LGPD, the ANPD can impose nine types of sanctions:[7]
• Warnings with corrective deadlines
• Simple fines of up to 2% of revenue in Brazil, capped at BRL 50 million (approximately USD 10 million) per infraction
• Daily fines (subject to the BRL 50M cap)
• Public disclosure of the infraction
• Blocking of personal data related to the infraction
• Deletion of personal data
• Partial suspension of database operations (up to 6 months, extendable)
• Suspension of data processing activity (up to 6 months, extendable)
• Partial or total prohibition of data processing activities
Notable Enforcement Actions
Telekall Infoservice (July 2023): The ANPD’s first-ever fine: BRL 14,400 for selling a WhatsApp contact list to a 2020 election candidate without a lawful basis. The company had also failed to appoint a Data Protection Officer or to comply with ANPD document requests.[8]
Meta Platforms (July 2024): Preventive measure ordering immediate suspension of personal data processing for AI training (Meta AI), with daily fines of R$ 50,000 for non-compliance. Resolved in August 2024 after Meta submitted a compliance plan and committed not to use children’s data for AI training.[9]
X Corp / Grok AI (December 2024): Decision No. 29/2024 ordering X to suspend use of personal data from users under 18 for training Grok AI within five business days. Required clear privacy policy disclosures and banned sharing children’s data with third parties for AI training.[10]
INSS (National Social Security Institute): Sanctioned for failing to notify data subjects about a security incident from August–September 2022. Required to disclose the violation on its website and Meu INSS app for 60 days.[11]
DPO Compliance Sweep (November 2024): The ANPD opened investigatory proceedings against 20 large companies for not appointing a Data Protection Officer or providing ineffective communication channels. By April 2025, all 20 companies had come into compliance.[12]
LGPD (Lei Geral de Proteção de Dados – Law 13.709/2018)
Scope and Application
The LGPD was enacted on August 14, 2018, became effective on September 18, 2020, and its administrative sanctions provisions became enforceable on August 1, 2021. It applies to any processing of personal data by natural persons or legal entities (public or private), regardless of the means or country of the processor, provided: (a) processing occurs in Brazil; (b) processing relates to data of individuals located in Brazil; or (c) the data was collected in Brazil.[13]
Legal Bases for Processing
The LGPD provides ten legal bases for processing personal data (compared to GDPR’s six):[14]
1. Consent of the data subject
2. Legal or regulatory obligation of the controller
3. Execution of public policies by the public administration
4. Research by study bodies (with anonymization where possible)
5. Execution of a contract or preliminary procedures related to a contract
6. Exercise of rights in judicial, administrative, or arbitration proceedings
7. Protection of life or physical safety of the data subject or third party
8. Health protection (by health professionals or health entities)
9. Legitimate interest of the controller or third party
10. Credit protection
Data Subject Rights
The LGPD grants nine rights to data subjects: confirmation of the existence of processing; access to data; correction of incomplete, inaccurate, or outdated data; anonymization, blocking, or deletion of unnecessary or excessive data; data portability; deletion of data processed with consent; information about public and private entities with which data has been shared; information about the possibility of denying consent and its consequences; and revocation of consent.[15]
International Data Transfers
Resolution 19/2024 (August 23, 2024) established the framework for international data transfers under the LGPD. Available mechanisms include: adequacy decisions by the ANPD, Standard Contractual Clauses (SCCs) approved by the ANPD (compliance deadline August 23, 2025), Binding Corporate Rules (requiring specific ANPD approval), and LGPD-specified exceptions such as consent and contract necessity.[16] On January 26, 2026, the EU became the first jurisdiction recognized as adequate by Brazil through Resolution CD/ANPD No. 32.[4]
Key Differences from GDPR
While closely modeled on the GDPR, the LGPD differs in several respects: it provides 10 legal bases versus GDPR’s 6 (adding credit protection, public policy, research, and judicial proceedings); requires all controllers to appoint a DPO (GDPR limits this to specific circumstances); caps penalties at 2%/BRL 50M versus GDPR’s 4%/EUR 20M; and specifies breach notification in a “reasonable timeframe” (recently clarified as 48 hours by ANPD guidance, versus GDPR’s 72 hours to the supervisory authority).[17]
Marco Civil da Internet (Law 12,965/2014)
Brazil’s Marco Civil da Internet, enacted April 23, 2014, functions as an “Internet Bill of Rights” establishing foundational principles for internet governance. Key provisions include net neutrality (prohibiting ISPs from discriminating against content), freedom of expression as the default online, and a structured data retention framework.[18]
Data Retention Requirements
The Marco Civil mandates: connection logs (date/time of start and end of connection, duration, IP address) must be retained by ISPs for 1 year; application access logs (date/time of use, IP address) must be retained by commercial application providers for 6 months. Access to stored logs requires a court order. ISPs are prohibited from storing application-layer access logs, and application providers cannot store logs from other applications without user consent.[19]
Platform Liability
Article 19 originally shielded platforms from liability for user-generated content unless they ignored a specific court order to remove it. On June 26, 2025, the Supremo Tribunal Federal (STF) declared Article 19 partially unconstitutional, establishing a new liability framework: platforms can now be held liable without a prior court order for hate speech, incitement to violence, serious disinformation, child sexual abuse material, and terrorism content. The ruling introduced a “systemic failure” liability model for platforms that fail to implement effective content moderation systems.[20]
Other Key Laws
Lei Carolina Dieckmann (Law 12,737/2012)
Brazil’s first cybercrime law, named after actress Carolina Dieckmann whose computer was hacked in 2011 leading to leaked intimate photos. Criminalizes unauthorized access to computer devices, obtaining or tampering with data without authorization, and installing vulnerabilities in computer systems. Penalties range from 3 months to 1 year imprisonment plus fine — widely criticized as too lenient for the severity of the offenses covered.[21]
Access to Information Law (Law 12,527/2011)
Brazil’s freedom of information law, enacted November 18, 2011. Guarantees citizens access to documents of federal, state, provincial, and municipal government across all three branches of government. Establishes a transparency framework for public administration with defined response timelines.[22]
General Telecommunications Law (Law 9,472/1997)
Established the regulatory framework for telecommunications and created ANATEL (Agência Nacional de Telecomunicações). ANATEL Resolution 738/2020 requires telecommunications providers to retain subscriber, fiscal, billing data, and call records for 5 years, and internet connection records (date/time, duration, IP, ports) for 1 year.[23]
ECA Digital (Law 15,211/2025)
Enacted September 17, 2025, the ECA Digital updates the 1990 Statute of the Child and Adolescent for the digital age. Taking effect March 2026, it bans profiling children for behavioral advertising, prohibits using children’s data in ways that violate their privacy or best interests, requires parental consent for app downloads by minors, and mandates that social networks allow linking accounts of users under 16 to legal guardians. Platforms with 1 million or more minor users in Brazil must publish semiannual transparency reports. Penalties reach up to 10% of economic group revenue in Brazil, capped at BRL 50 million per violation. The ANPD is designated as the regulatory and enforcement body.[24][25]
AI Regulation
PL 2338/2023, Brazil’s proposed AI Act, was approved by the Senate on December 10, 2024 and forwarded to the Chamber of Deputies on March 17, 2025 for review. As of February 2026, it must still pass the Chamber and be signed by the President to become law.[26]
The bill would create a National AI Regulation and Governance System (SIA) and establish prohibited uses including: subliminal manipulation, mass surveillance, social scoring, autonomous weapons without human control, AI for criminal risk assessment, and generation of child sexual abuse material. It guarantees the right to explanation and review of algorithmic decisions, protects against discriminatory bias, and addresses copyright and intellectual property for AI training data. Penalties include fines up to BRL 50 million per violation or 2% of sales revenue, bans on regulatory sandbox participation for up to 5 years, and suspension of AI activities.[27]
Intelligence and Surveillance
ABIN and SISBIN
The Agência Brasileira de Inteligência (ABIN), created by Law 9,883/1999, is Brazil’s civilian intelligence agency and the central body of SISBIN (Brazilian Intelligence System). ABIN reports directly to the President and integrates intelligence planning and execution across federal agencies, including the Federal Police, Federal Revenue Department, Central Bank, and various ministries. ABIN itself does not have police powers or legal authorization to intercept communications.[28]
ABIN representatives have the right to access databases of other SISBIN member agencies via electronic means, a capability that was systematically abused during the Bolsonaro administration (see below).
Federal Police Wiretapping
While ABIN cannot intercept communications, the Polícia Federal can conduct wiretapping under judicial authorization per Law 9,296/1996, which implements Article 5, XII of the Constitution. A 2008 case revealed that ABIN had accessed intercepted communications through the Federal Police’s systems, demonstrating how intelligence agencies can exploit inter-agency SISBIN cooperation to bypass their own legal restrictions.[29]
Parliamentary Oversight
The Comissão Mista de Controle das Atividades de Inteligência (CCAI), a joint commission of Congress, provides parliamentary oversight with authority to summon ABIN’s Director-General and review classified reports. The CCAI has been widely criticized as lacking staff and technical means for effective oversight. The Ministério Público Federal provides prosecutorial oversight, and the Secretaria de Controle Interno monitors operations within the executive branch.[30]
The Parallel ABIN Scandal
Between 2019 and 2021, under ABIN Director Alexandre Ramagem (appointed by President Jair Bolsonaro in 2020), a “parallel intelligence” structure was established within ABIN to illegally monitor government opponents, journalists, and members of the judiciary.[31]
First Mile Spyware
The primary tool was First Mile, manufactured by Israeli company Cognyte (formerly part of Verint Systems). ABIN purchased the software in 2018 for approximately R$ 5.7 million, with the contract first appearing in the Federal Official Gazette on December 1, 2017, during the Michel Temer administration. First Mile can track real-time cell phone geolocation, monitor movements, and analyze routines of up to 10,000 targets every 12 months.[32]
Scale and Targets
More than 60,000 illegal surveillance searches were conducted. Confirmed targets include at least 12 journalists (including prominent columnists Mônica Bergamo and Reinaldo Azevedo), STF Justices Gilmar Mendes and Alexandre de Moraes, former Chamber of Deputies president Rodrigo Maia, Education Minister Camilo Santana, former São Paulo governor João Doria, and IBAMA (environmental agency) public servants.[33][34]
Investigation and Conviction
The Federal Police launched Operation Last Mile in 2023. A 1,150-page Federal Police report was unsealed by the STF in January 2024. Ramagem was formally indicted in June 2025 and convicted on September 11, 2025 in a 4-to-1 STF vote for multiple crimes including participation in the 2022–2023 coup plot, receiving a sentence of 16 years, 1 month, and 15 days. He fled to the United States before arrest.[35]
Cognyte’s Broader Footprint
Beyond ABIN, at least 9 Brazilian state public security departments signed contracts with Cognyte totaling R$ 65.7 million, including Goiás, Espírito Santo, Mato Grosso, and São Paulo — most without competitive bidding.[36]
Commercial Surveillance Procurement
Cellebrite
Brazil’s Federal Police actively use Cellebrite UFED for digital forensics and mobile phone data extraction. In Operation Enterprise, a multinational drug trafficking investigation spanning nine countries, Federal Police used Cellebrite to extract evidence that led to the seizure of 776 kg of cocaine.[37]
Chinese Surveillance Technology
In São Paulo, Huawei, Hikvision, Dahua, and ZTE donated at least 4,000 security cameras for the City Cameras program. In Campinas (São Paulo state), Huawei donated 30 smart cameras for testing in 2018. Israeli and Chinese firms have been actively offering discounted or free surveillance equipment to Brazilian cities, raising concerns about foreign government access to surveillance infrastructure.[38]
Facial Recognition
Facial recognition technology has been deployed across multiple Brazilian cities:[39]
• São Paulo: Plans for up to 20,000 cameras with an integrated video surveillance platform supporting emergency services, traffic, public transport, and police. Civil society organizations have filed lawsuits challenging the deployment.[40]
• Rio de Janeiro: Expanded AI surveillance network combining fixed cameras and mobile units. Facial recognition drones were deployed during Carnival 2025 for crowd monitoring. In an earlier pilot at Maracanã stadium, 63% of identifications were false positives (7 errors out of 11 arrests).
• Salvador (Bahia): Cameras helped arrest 209 fugitives through June 2021.
Racial bias is a critical concern: a study by the Center for Studies on Public Security and Citizenship (CESeC) found that more than 90% of individuals arrested through facial recognition in Brazil are Black.[41]
Submarine Cable Infrastructure
Brazil is a major submarine cable hub, with Fortaleza serving as the primary landing station for transatlantic connections. The country’s cable infrastructure was directly shaped by the 2013 Snowden revelations about NSA surveillance of Brazilian communications.[42]
Key Submarine Cables
• EllaLink (operational June 2021): 6,000 km direct connection from Sines, Portugal to Fortaleza, with 100 Tbps capacity across 4 fiber pairs. Explicitly motivated by the Snowden revelations — previously, most Brazil-Europe internet traffic routed through US nodes, enabling NSA upstream collection.[43]
• SACS (operational 2018): Fortaleza to Sangano, Angola — the first direct submarine cable connecting South America and Africa.[44]
• Monet (operational 2017): Santos to Fortaleza to Boca Raton, US — operated by Algar, Angola Cables, and Google.
• BRUSA: Rio de Janeiro to Fortaleza to San Juan, Puerto Rico to Virginia Beach, US — 8 fiber pairs.[45]
• Firmina (operational 2025): US East Coast to Praia Grande, Brazil, with extensions to Uruguay and Argentina — 14,517 km, operated by Google, delayed approximately 2 years by IBAMA environmental licensing.[46]
• SAIL (operational 2018): Fortaleza to Cameroon, operated by China Unicom and Cameroon Telecom.
Interception Concerns
While EllaLink was designed to bypass US surveillance chokepoints, security experts have noted that submarine cables remain vulnerable to interception regardless of physical routing. Snowden documents showed that the NSA could access cables from multiple vendors regardless of location, and cable landing stations themselves can serve as interception points.[47]
International Data Sharing
US-Brazil MLAT
A bilateral Mutual Legal Assistance Treaty was signed in Brasília on October 14, 1997 and entered into force on February 21, 2001. It enables prosecutors to enlist each other’s investigatory authority to secure evidence (physical, documentary, testimonial) for criminal proceedings. The US and Brazil have expanded partnership to combat transnational crime, including drug trafficking, cybercrime, and financial crimes.[2][48]
BRICS Cooperation
As a BRICS founding member (Brazil held the 2025 presidency), Brazil participates in the BRICS Working Group on ICTs, which has agreed to exchange real-time threat intelligence against cyber threats and work toward a BRICS Data Economy Governance Understanding. The 11th in-person Working Group meeting was held in Brasília.[49]
EU Mutual Adequacy
On January 26, 2026, Brazil and the EU officially announced mutual recognition of adequacy for personal data transfers. The arrangement is reciprocal — Brazil recognizes the EU as adequate under the LGPD through Resolution CD/ANPD No. 32, while the EU recognizes Brazil under GDPR Article 45. The timeline included: a European Commission draft adequacy decision (September 5, 2025), an EDPB Opinion 28/2025 finding Brazil’s framework “closely aligned” with the GDPR (November 4, 2025), and the formal mutual announcement (January 26, 2026). The EU conducts reviews every 4 years.[4][50][51]
Mercosur
The EU-Mercosur Partnership Agreement was signed in early 2026, reinforcing the adequacy decision. Individual Mercosur member states maintain separate data protection regimes; no unified Mercosur-wide data transfer framework exists as of February 2026.
Data Retention
Brazil operates two overlapping data retention regimes:
Marco Civil da Internet (Law 12,965/2014)
• Connection logs (ISPs): 1 year — date/time of start and end of connection, duration, IP address
• Application access logs (commercial providers): 6 months — date/time of use, IP address
• Access requires a court order in all cases
• ISPs are prohibited from storing application-layer access logs
ANATEL Resolution 738/2020
• Subscriber, fiscal, billing data, and call records: 5 years
• Internet connection records (date/time, duration, IP, ports): 1 year
• Providers must ensure confidentiality and retain minimum necessary data
The Marco Civil governs internet-layer data for legal proceedings; ANATEL’s requirements apply to telecommunications providers for regulatory and law enforcement purposes.[18][23]
The NSA Spying Scandal (2013)
In September 2013, documents leaked by Edward Snowden revealed that the NSA had intercepted President Dilma Rousseff’s personal communications, hacked the computer network of Petrobras (Brazil’s state oil company), and monitored 29 Brazilian government phone numbers including those of Rousseff’s assistant, secretary, chief of staff, and presidential jet.[3][52]
The consequences were immediate and far-reaching: Rousseff indefinitely postponed a planned state visit to Washington; she addressed the UN General Assembly to condemn US surveillance; Brazil assembled a CPI (Parliamentary Commission of Inquiry) to investigate; and the revelations directly motivated the EllaLink submarine cable project and the accelerated passage of the Marco Civil da Internet in 2014.[53]
Recent Developments
EU Mutual Adequacy (January 2026): Brazil became the first Latin American country to receive EU adequacy recognition, with a reciprocal arrangement that also sees Brazil recognize the EU under the LGPD. The decision was linked to the broader EU-Mercosur Partnership Agreement signed in early 2026.[4]
ANPD Independence (September 2025): Provisional Measure 1,317/2025 transformed the ANPD from a presidentially-linked body into a full independent regulatory agency with financial and administrative autonomy. The measure also added children’s data protection responsibilities to the ANPD’s mandate. It must be ratified by Congress within 120 days to become permanent law.[5]
ECA Digital Enacted (September 2025): Law 15,211 updated Brazil’s child protection framework for the digital age, banning behavioral advertising profiling of children, requiring parental consent for app downloads, and imposing penalties up to 10% of revenue in Brazil. Takes effect March 2026.[24]
STF Platform Liability Ruling (June 2025): The Supreme Court declared Article 19 of the Marco Civil partially unconstitutional, establishing that platforms can be held liable without a prior court order for hate speech, incitement to violence, disinformation, child sexual abuse material, and terrorism content.[20]
AI Bill Progress: PL 2338/2023 passed the Senate on December 10, 2024 and was forwarded to the Chamber of Deputies in March 2025. As of February 2026, it awaits Chamber approval and presidential signature.[26]
Alexandre Ramagem Conviction (September 2025): The former ABIN Director was convicted by the STF in a 4-to-1 vote for his role in the Parallel ABIN illegal surveillance operation and the 2022–2023 coup plot, receiving a 16-year sentence. He fled to the United States before arrest.[35]
Notable Data Breaches: The Datasus/SUS breach (September 2024) saw an alleged full replica of the national health database with 177.9 million rows posted on the dark web, including CPF numbers, addresses, and health card numbers.[54] The FacePass ID biometric breach (March 2025) exposed 1.6 million files including national IDs and verification selfies via an unsecured AWS S3 bucket.[55] The CIEE recruitment platform breach (July 2025) leaked 248,725 records including scanned personal documents and biometrics.[56]
ANPD 2026–2027 Supervision Priorities: Resolution 23 (December 2024) set the regulatory agenda with priority topics including data subject rights, Data Protection Impact Assessments, data sharing by government entities, minors’ data processing, biometric data, AI, and anonymization. The 2026–2027 supervision plan targets children’s data, AI/biometrics, and data scraping for inspections.[57]
Fake News Bill Stalled: PL 2630/2020, dubbed the “Fake News Bill,” remains inactive in Congress as of late 2024. Big Tech lobbying has been credited with blocking the bill’s progress.[58]
