Brazil’s data protection authority sets enforcement priorities for 2026–2027

Brazil’s National Data Protection Authority (Autoridade Nacional de Proteção de Dados. ANPD) has formally approved its ‘Mapa de Temas Prioritários for the 2026–2027 biennium’, a strategic planning instrument that defines which issues will be prioritised in inspections and supervisory activities over the next two years cd-35-2025-votos[1]. The decision was adopted by the ANPD’s Board of Directors following internal technical analysis and legal review, and was approved through a deliberative voting process.

The Priority Themes Map is required under ANPD’s enforcement regulations and is intended to provide regulatory predictability and transparency by signalling how the authority intends to allocate its supervisory resources. It is informed by risk, severity, relevance, and timeliness criteria, as well as by lessons drawn from the 2024–2025 monitoring cycle.

Among the most significant priorities is the protection of data subjects’ rights, with a particular focus on the secondary use of personal data for purposes incompatible with the original collection. The final text narrows this priority to targeted advertising practices, reflecting their relevance to dominant business models in the digital economy and their impact on users’ autonomy and expectations.

Children’s and adolescents’ data protection is elevated as a distinct priority, reflecting recent legislative developments under Brazil’s Digital Statute of the Child and Adolescent. The Map aligns ANPD’s enforcement plans with new legal duties related to privacy-by-design, age assurance, parental controls, and the prevention of access to harmful or unlawful content. It also clarifies that supervisory actions will focus on providers of digital products and services likely to be accessed by children, rather than relying solely on the concept of data controllers.

In the public sector, ANPD reoriented its focus toward monitoring compliance with forthcoming rules on data sharing between government bodies. Rather than issuing general guidance on exceptional data processing for public security purposes, the authority plans targeted monitoring of how public entities implement shared-use data frameworks, in line with its broader regulatory agenda.

The Priority Themes Map also broadens ANPD’s approach to AI and emerging technologies. Instead of concentrating solely on generative AI, the approved framework covers AI systems more generally, including facial recognition and recommendation systems, particularly where they involve the processing of children’s data. This reflects enforcement experience from previous cycles and signals closer scrutiny of AI-enabled data processing across sectors.

The document was approved with amendments proposed by Director Lorena Giuberti Coutinho and subsequently endorsed by the full Board, including the Director-President. ANPD indicated that the Map may still be adjusted if urgent or unforeseen developments arise, preserving regulatory flexibility while establishing clear enforcement priorities for the 2026–2027 period.