LGPD (Brazil)

The Lei Geral de Proteção de Dados is Brazil's comprehensive data protection law, in force since 2020. It is broadly modeled on GDPR with a Brazilian-specific enforcement regime.

LGPD basics

The Lei Geral de Proteção de Dados Pessoais (Law 13,709/2018) entered into force in August 2020 and became enforceable for fines in August 2021. It is enforced by the Autoridade Nacional de Proteção de Dados (ANPD), a relatively new authority that has been steadily increasing enforcement activity. LGPD applies extraterritorially: any organization processing personal data of individuals in Brazil, or processing that takes place in Brazil, falls within scope regardless of where the organization is headquartered.

Similarities and differences vs GDPR

LGPD borrows heavily from GDPR: ten legal bases for processing (one more than GDPR: "credit protection"), data subject rights (access, correction, deletion, portability, anonymization), a DPO requirement, breach notification, and a DPIA equivalent (Relatório de Impacto à Proteção de Dados, RIPD). Maximum administrative fines are 2% of Brazilian revenue, capped at R$50 million per infraction. Key differences from GDPR: Brazil does not have an EU-style adequacy mechanism; international transfers rely on contractual clauses, standard certifications, or specific consent. ANPD has issued model SCCs as of 2023.

AI procurement in Brazil

For AI vendors selling into Brazil, the operative questions are: have you appointed a DPO with Brazil representation (Encarregado), do you support data subject rights requests in Portuguese with Brazil-equivalent timelines (15 days for access vs GDPR's 30), do you have a current LGPD-compliant contract template, and what international transfer mechanism do you rely on. ANPD's draft AI regulation borrows from the EU AI Act's risk-based approach and is expected to formalize over the next 18-24 months.