In this first edition of the Cybernews Bulletin in 2025, we comment on the publication of ANPD's Regulatory Agenda for 2025-2026 and the relevance of ANPD's role in regulating Artificial Intelligence.
In addition, while we wait for the Judiciary Branch to resume trials in this new year, we also highlight the main news on data protection that permeated the end of 2024, such as the decision handed down by the Superior Court of Justice in December, in which the Court stated that companies are responsible for protecting the personal data of their customers, even in case of cyberattacks. The decision held Enel responsible for the leak of a consumer's data after a hacker attack, as the company did not adopt the necessary security measures, as required by the Brazilian General data Protection Law (LGPD).
In addition, the National Consumer Secretary, Wadih Damous, pointed out that it is abusive to make data protection conditional on paying for extra services, which is a violation of both the LGPD and the Brazilian Consumer Protection Code (CDC). He stressed out that data protection must be guaranteed at no extra cost to consumers, an obligation imposed on companies.
Finally, Burger King was reported for violating LGPD during its “Penny Pix” campaign. Idec (Consumer Protection Institute) accused the company of misusing customers' personal data, such as social security number and e-mail, raising serious concerns about digital harassment practices.
