Security Incidents in Brazil: When and How to Notify the Data Protection Authority
13 May 2025
Brazil is increasingly in the global spotlight when it comes to cybersecurity threats. With over 10 billion cyberattack attempts recorded in 2023 alone, the country ranks among the most targeted worldwide. These incidents are not abstract: they affect sensitive sectors such as finance and healthcare, including data leaks involving over 220 million data subjects from national institutions and critical infrastructure operators.
While Brazil may seem like a distant jurisdiction, its data protection regime — shaped by the Lei Geral de Proteção de Dados (LGPD) — has growing significance for European businesses operating or partnering in the region. The LGPD, inspired by the GDPR, sets out specific obligations around data breach notification. However, unlike the GDPR’s mandatory 72-hour notification rule, not all security incidents must be reported to the Brazilian Data Protection Authority (ANPD).
So: when exactly should a security incident be reported in Brazil?
When Notification is Required: A Three-Step Test
Under Brazilian law, a security incident involving personal data must be reported to the ANPD only if the following three criteria are cumulatively met:
- The incident has been confirmed.
- It involves personal data subject to the LGPD.
- It poses a relevant risk or damage to data subjects.
This third threshold is critical. According to the ANPD’s Security Incident Communication Regulation (RCIS), relevant risks include incidents that may:
- Prevent the exercise of rights or access to services.
- Cause material or moral harm.
- Involve special categories of data, such as:
  - Sensitive personal data
  - Financial data
  - Large-scale datasets
  - Children’s or elderly persons’ data
  - Authentication credentials
  - Legally protected information (e.g., medical, legal, or professional secrets)
This approach offers some flexibility – but it also requires careful legal judgment.
When You Don’t Have to Notify
There is no obligation to notify the ANPD if the incident does not result in significant risk or damage. For instance, if the breached data is non-sensitive and publicly available (e.g., general contact information), and no additional harm is expected, companies may reasonably determine that notification is unnecessary.
However, this decision should not be taken lightly. Controllers are expected to assess several contextual factors, such as:
- The volume and nature of the affected data.
- Whether the data subjects can be identified.
- The likely impact on fundamental rights.
- The technical and security measures in place.
- Any steps taken to mitigate the damage.
In practice, each case must be analyzed individually — and well documented — to ensure a defensible position.
How to Notify the ANPD (If Required)
If the thresholds for notification are met, companies must report the incident within three business days from the date they became aware that personal data was affected. The notification must include:
- A description of the breach and affected data.
- The number and profile of impacted data subjects.
- Security measures in place before and after the incident.
- Potential risks to the data subjects.
- Mitigation strategies.
- Identification of the controller and DPO (if applicable).
Notifications are submitted via the ANPD’s online platform (SUPER). Sensitive business information can be protected through a request for confidential treatment, provided it is properly justified.
Strategic Takeaways for European Stakeholders
For European companies and compliance officers, understanding the nuances of Brazilian data breach notification rules is essential for several reasons:
- Cross-border compliance: Companies transferring personal data to Brazil must ensure regulatory alignment under the GDPR’s international transfer rules.
- Due diligence: M&A or vendor screening in Brazil should include assessments of LGPD readiness and breach history.
- Incident response protocols: Global organizations must harmonize breach notification timelines and thresholds across jurisdictions, adapting to Brazil’s risk-based approach.
In a landscape of increasing cyber threats, aligning with the LGPD is not just a regulatory obligation — it’s a strategic necessity.
Final Thoughts
Brazil’s data protection authority does not adopt a “one size fits all” model for breach notification. The LGPD introduces a risk-based, case-by-case approach, which may offer more flexibility than the GDPR — but also places a greater burden on organizations to justify their decisions.
European companies doing business in Brazil must be prepared to evaluate security incidents in light of both local obligations and international expectations. Failing to notify a breach — or notifying too hastily — can have serious reputational, legal, and operational consequences.
Understanding when (and how) to notify the ANPD is a key part of navigating Brazil’s complex but maturing data protection landscape.