ANPD'S 2025-2026 REGULATORY AGENDA HIGHLIGHTS 16 TOPICS

On December 11, 2024, the National Data Protection Authority (ANPD) released its Regulatory Agenda for the 2025-2026 biennium. The document, published in ANPD Resolution 23/24, establishes the agency's priority actions for the period and was prepared based on contributions from society. With this, the ANPD aims to provide greater transparency, predictability, and efficiency to the regulatory process. 

The initiatives set out in the agenda are organized into 16 themes distributed in four phases in order of prioritization:

Phase 1 (continuation of 2023-2024 agenda processes)

• Rights of data subjects: regulate rights provided for in the Brazilian Data Protection Law (LGPD), including Articles 9, 18, 19 and 20.
• Data Protection Impact Assessment: define regulations and procedures for processing activities that represent high risk.
• Data sharing by the public authorities: establishing requirements for the sharing of personal data by the public sector.
• Processing of personal data of children and adolescents: provide guidance to ensure the protection of minors’ data , especially in the digital environment.
• Sensitive personal data – biometric data: establish parameters for the proper processing of biometric data, considering risks and benefits.
• Security, technical and administrative measures: define minimum security standards to protect personal data.
• Artificial intelligence: establish guidelines for the use of AI in compliance with the LGPD.
• High-risk data processing activities: provide guidance for identifying and managing high-risk data processing.
• Religious organizations: establish specific guidelines for the adaptation of these organizations to the LGPD.
• Anonymisation and pseudonymisation: provide guidance on techniques to protect the identity of data subjects.

Phase 2 (start within one year)

• Guidelines for the National Policy for the Protection of Personal Data and Privacy: to develop strategic guidelines for data protection in the country.
• Best practices and governance standards: establish criteria for recognition and dissemination of good practices in data processing.

Phase 3 (start within one year and six months)

• Personal data aggregators: regulate the activities of aggregators, considering practices such as data scraping.
• Sensitive personal data – health data: define rules for the processing of health data, including legal hypotheses and protection in the context of the Unified Health System (SUS).

Phase 4 (start within two years)

• Legal hypothesis – consent: guidance on the use of consent as a legal basis for data processing.
• Legal hypothesis – credit protection: establish guidelines on the processing of data for credit protection.

In addition to indicating the ANPD's priorities for the biennium, the agenda serves as a guideline for inspection actions and enforcement measures. It is therefore recommended to map and monitor the company's internal practices and policies that relate to the topics on the agenda. This initiative allows anticipating possible impacts of regulation and adopting the appropriate measures to minimize the risks of questioning. Machado Meyer is ready to support your company in this process.