7.4 Latin America — LGPD & Beyond

Latin America has become one of the most active regions globally for data protection reform. Led by Brazil's landmark 2020 law, the region is converging — unevenly but persistently — toward GDPR-inspired frameworks that give individuals meaningful rights and establish independent enforcement authorities.

Brazil: LGPD

Brazil's Lei Geral de Proteção de Dados (LGPD) entered into force in 2020, with administrative sanctions from August 2021. It is by far the most significant privacy law in Latin America, covering a country of over 215 million people and Latin America's largest economy.

The LGPD follows the GDPR's architecture closely:

• Ten legal bases for processing (including consent, legitimate interest, and contract performance)
• Data subject rights: access, correction, anonymization, portability, deletion, information about sharing, and revocation of consent
• Data Protection Officer (Encarregado) requirement for controllers
• Data Protection Impact Assessments
• Mandatory breach notification
• Cross-border transfer restrictions (similar to GDPR Chapter V)

The Autoridade Nacional de Proteção de Dados (ANPD) is Brazil's national data protection authority, established in 2020 under the executive branch. The ANPD has the power to issue regulations, investigate violations, and impose sanctions including fines of up to 2% of a company's revenue in Brazil in its prior fiscal year, capped at R$50 million (approximately USD$50million(approximatelyUSD10 million) per violation.

Enforcement has been gradual. The ANPD issued its first significant enforcement guidance in 2023 and is still building capacity — but its work has increased in scope and ambition each year.

Argentina: PDPA

Argentina's Personal Data Protection Act (Law 25.326, PDPA) dates from 2000, making it one of the oldest comprehensive privacy laws in the Americas. It was groundbreaking at the time, granting rights of access, correction, and deletion, and establishing the Agency for Access to Public Information (AAIP) as regulator. Argentina holds a European Commission adequacy decision — one of only a handful of countries outside Europe to do so — meaning personal data can flow freely from the EU to Argentina without additional safeguards. However, the PDPA is now dated and a reform bill has been under discussion for several years.

Chile

Chile's original data protection law (Law 19.628, 1999) was minimal by modern standards — no supervisory authority, no breach notification, weak rights. A comprehensive reform law passed in late 2024, introducing a dedicated data protection authority, meaningful consent requirements, and GDPR-style rights, bringing Chile into alignment with the regional trend.

Colombia

Colombia's data protection framework is built around Law 1581 (2012) and Decree 1377 (2013), enforced by the Superintendencia de Industria y Comercio (SIC). It covers collection, storage, use, and transmission of personal data and requires authorisation (consent) as the primary legal basis. The framework is active: the SIC has issued fines for violations and published sector-specific guidance.

The regional trend: GDPR convergence

The pattern across Latin America is clear: countries are moving from outdated or weak frameworks toward GDPR-inspired statutes with independent authorities, data subject rights, and meaningful enforcement. Drivers include trade relationships with the EU (which may require adequacy decisions or standard contractual clauses), pressure from civil society, and recognition that a strong privacy framework attracts digital investment.

Your takeaway

Brazil's LGPD is the dominant force in Latin American privacy law, but it operates in an increasingly active regional ecosystem. If you work with data from Brazilian, Argentine, Chilean, or Colombian data subjects, you are operating in a regulated environment — even if enforcement is still maturing.