Data Protection Day: Between Regulatory Maturity and the New Challenges of Artificial Intelligence

Data Protection Day, celebrated on January 28, goes beyond symbolism. Each year, the date reinforces the consolidation of personal data protection, with direct impacts on corporate governance, the use of new technologies, and the regulatory activity of the Brazilian Data Protection Agency (“ANPD”). In this context, we highlight some key points of attention in Brazil for the coming year.

Data Protection and Artificial Intelligence: An Inevitable Convergence

In Brazil, the Bill of Law No. 2,338/2023 establishes the Artificial Intelligence Regulatory Framework and is currently pending review by the Chamber of Deputies, after approval by the Brazilian Senate. The proposal consolidates the legal debate on risk-based regulation, encompassing automated decision-making, algorithmic bias, and the right to human review, clearly demonstrating that personal data protection and artificial intelligence are part of inseparable regulatory agendas.

In this context, the Federal Government proposed the Bill of Law No. 6,237/2025, which establishes the National System for the Development, Regulation, and Governance of Artificial Intelligence (“SAI”). The Bill assigns to the ANPD the authority to regulate sectors that lack a specific regulatory body, leveraging their institutional experience in the governance and supervision of personal data processing.

International Data Transfers: Closer Alignment Between Brazil and Europe

Within the broader context of strengthening economic relations between the European Union and Mercosur – particularly in connection with the EU–Mercosur Agreement -, discussions are progressing toward the mutual recognition of adequate personal data protection standards between Brazil and the European Union. This evolution signals a meaningful advancement in the international data transfer regime, with potential to reduce regulatory and bureaucratic barriers for cross-border operations by reinforcing convergence between the Brazilian General Data Protection Law (LGPD) and the EU General Data Protection Regulation (GDPR). The measure is expected to bring positive outcomes for companies operating in digital environments and global data-processing chains.

ANPD Regulatory Agenda for 2025

ANPD has already pointed out its regulatory priorities for the 2025–2026 biennium (as per Resolution No. 31/2025), including:

• rules on data subjects’ rights (regulation of Articles 18–20 of LGPD);
• data sharing by public authorities;
• sensitive personal data (with a focus on biometric data);
• technical and administrative security measures (including minimum technical security standards);
• artificial intelligence (continuation of the Call for Contributions);
• high-risk personal data processing (issuance of guidance and parameters applicable to small processing agents and identification of high-risk processing scenarios).

ANPD: Five-Year Overview

Upon completing five years of operation, ANPD published its Institutional Report, consolidating its role as a regulatory authority. This period has been marked by the issuance of resolutions and guidance documents, the beginning of sanctioning activities, and increased dialogue with the private sector. The current scenario points to a clear transition from a phase focused on awareness-building to one centered on accountability, in which governance programs, documentation, and evidence of compliance play a central role.

Final Reflections and Next Steps

Personal data protection has moved beyond being merely a legal obligation to become a strategic element of risk management, reputation, and innovation. In an increasingly mature and technologically complex regulatory environment, investing in data governance means investing in legal and business sustainability.

We remain available to assist with risk assessments, review of practices, and compliance with new regulatory requirements. For further information, please contact our team at: digital@kasznarleonardos.com.