In December 2024, the Brazilian National Data Protection Authority (ANPD) published its Regulatory Agenda for the 2025–2026 cycle. This agenda is a key governance tool that defines the Authority’s regulatory priorities for the coming years. It is designed not only to promote transparency and predictability but also to guide public and private stakeholders in their compliance planning, enabling more efficient allocation of regulatory and technical resources.
The new agenda consolidates 16 initiatives, distributed across four implementation phases, ordered by priority and complexity. Some of these initiatives continue discussions initiated in previous cycles, while others reflect the increasing relevance of emerging technologies and social concerns, including biometric systems, AI governance, and children’s data protection in digital environments.
Among the central themes, the agenda highlights the need to clarify the practical exercise of data subjects’ rights under the Brazilian General Data Protection Law (in Portuguese, LGPD), such as access, correction, deletion, and data portability. The ANPD also intends to regulate the use of Data Protection Impact Assessments (DPIAs), particularly for high-risk processing activities. A key challenge in this area is to balance the level of detail required in such reports with the operational realities of small and medium-sized organizations, while promoting interoperability with international standards such as those developed by the OECD and the European Data Protection Board.
Special attention is given to the processing of sensitive data, especially biometric data, which has seen a sharp rise in use across sectors like education, public safety, and financial services. The agenda anticipates rules to ensure proportionality, technical safeguards, and mechanisms to prevent discriminatory outcomes, particularly in systems relying on facial recognition or fingerprint authentication. In the same direction, the Authority is preparing specific guidance on the processing of personal data of children and adolescents, including how to obtain parental consent and implement age verification mechanisms in apps and online platforms. This approach seeks to align Brazil’s regulatory practices with international frameworks such as the OECD Recommendation on Children in the Digital Environment.
Artificial intelligence also appears prominently in the agenda, continuing the Authority’s recent work in this area. The ANPD plans to advance discussions on how to interpret Article 20 of the LGPD, which ensures the right to request human review of automated decisions. It also intends to develop parameters for data governance and legal bases applicable to AI-driven processing. This aligns with broader legislative developments in Brazil, such as Bill No. 2,338/2023, which proposes a national legal framework for AI currently under debate in Congress.
Further points of the agenda include establishing minimum security standards, regulating anonymization and pseudonymization techniques, and promoting accountability mechanisms such as sectoral codes of conduct and good governance practices. These initiatives aim to harmonize the implementation of the LGPD with the actual capacities of data controllers and processors, while also responding to international expectations of regulatory consistency and sophistication.
Ultimately, the 2025–2026 Regulatory Agenda demonstrates ANPD’s commitment to consolidating a robust, balanced, and inclusive data protection framework in Brazil. It offers a structured approach to dealing with both long-standing and novel regulatory challenges, and it strengthens Brazil’s position within the global privacy community. For international observers and stakeholders, the agenda sends a clear message: Brazil is advancing steadily in the development of a coherent, forward-looking, and internationally aligned data protection regime.
Article provided by INPLP member: Fábio Lacaz (ALV, Brazil)
Discover more about the INPLP and the INPLP-Members
Dr. Tobias Höllwarth (Managing Director INPLP)
