Brazil: Bill amending General Data Protection Law to prohibit commercialisation and improper sharing of sensitive data (Bill No. 5226/2025) was introduced in Chamber of Deputies

On 15 October 2025, the Chamber of Deputies introduced Bill No. 5226/2025, amending the General Data Protection Law to prohibit the commercialisation and improper sharing of sensitive data. The Bill forbids the disclosure, sharing, transfer, or sale of sensitive personal data except where expressly permitted by law. It regulates the processing of biometric data for access control in private areas, allowing it only when there is a specific legal basis, a legitimate security purpose, and a Data Protection Impact Assessment (RIPD). Access to judicial records containing sensitive data is limited to formal and justified requests, judicial warrants, or cases involving research, journalism, or overriding public interest, provided that anonymisation and confidentiality are maintained. The Bill also assigns the National Data Protection Authority (ANPD) the responsibility to coordinate preventive and enforcement actions with the Public Prosecutor’s Office, the Federal Police, and consumer protection authorities to combat the illicit trade in personal data. It will enter into force on the date of its publication.