2025 Retrospective: The Year Data Protection Became a National Issue


The year 2025 definitively consolidated data protection as one of the pillars of the Brazilian public debate. While previously the topic seemed restricted to specialists, lawyers, security technicians, and regulators, it has now become a structural part of discussions about digital citizenship, public security, corporate responsibility, technology, and even culture and sports.

In just a few months, the country experienced a convergence of events that reshaped the collective understanding of privacy, revealing weaknesses, opportunities, risks, and the urgent need for more mature digital governance.

The symbolic milestone of this movement was the transformation of the then National Data Protection Authority into a special type of Regulatory Agency. The change represented much more than an administrative evolution. The country now has an institution with decision-making autonomy, expanded oversight capacity, its own technical staff, and prerogatives similar to those of other agencies that regulate essential sectors.

Institutional strengthening was accompanied by the creation of new specialized positions, expanding the agency's capacity to conduct more thorough and technically sound audits, impact analyses, inspections, and sanctioning processes. During the same period, the approval of the Digital Statute for Children and Adolescents broadened the regulatory scope by establishing a new pact for child protection on the internet. The legislation reinforced principles already present in the LGPD (Brazilian General Data Protection Law), such as the best interests of the child, and imposed a more rigorous responsibility on economic agents to guarantee safe and transparent digital environments.

This restructuring occurred against a backdrop of increasing exposure to vulnerabilities. The ANPD (National Data Protection Authority) launched public security incident dashboards which, for the first time, allowed the country to clearly visualize the true extent of the problem.

The data revealed an alarming frequency of incidents reported by companies and public bodies from different sectors, especially finance, education, retail, and healthcare. At the same time, a massive global credential breach known as the "mother of all breaches" drew worldwide attention by involving billions of records and demonstrating the destructive effect of unauthorized access to digital systems. This episode raised concerns about the structural fragility of password-based authentication, stimulating debates about multifactor authentication, biometrics, tokens, and more sophisticated digital identity policies.

Even under the new mandatory notification rules, the country also faced the challenge of structuring rapid incident responses. Organizations responsible for data processing now have only three business days to report relevant incidents to the ANPD and to data subjects, one of the strictest deadlines in the world. This requirement pressured companies to review their internal processes, improve governance, formalize response plans, create multidisciplinary committees, and invest in training. Security maturity has ceased to be a desirable attribute and has become a condition for institutional survival.

But perhaps the most symbolic debate of the year arose outside the digital realm. The advancement of facial biometrics in football stadiums mobilized different segments of society. In a country that breathes sport and whose stadiums are traditionally spaces occupied by families, the growing adoption of facial recognition systems has brought to light profound doubts about proportionality, legality, obligation, and consent. Clubs and arena operators justified the measure as a security mechanism, a means of preventing violence and combating ticket scalping, and argued that biometric capture would allow for greater access control and monitoring. However, the practice quickly exposed legal and ethical dilemmas of great magnitude.

Biometric data is considered sensitive data under the LGPD, requiring specific legal bases and reinforced security measures. It is also permanent data, meaning that in case of a breach, it cannot be replaced like a password. When it involves children and adolescents, data collection becomes even more delicate, as it must respect the best interests of the minor and avoid any form of coercion.

But it was precisely at this point that the main criticisms arose. In different stadiums, families reported that facial registration seemed mandatory for entry, even when it involved minors. The voluntary nature of consent, an essential principle in the LGPD, began to be questioned in situations where the collection of biometrics was presented as a condition for exercising a basic right: accessing a sporting event.

The possibility of less intrusive alternatives also gained prominence, as technologies such as dynamic QR codes, token validation, hybrid turnstiles, and multi-step check-ins could achieve similar objectives with less risk.

The topic gained economic and political relevance. Experts began arguing that clubs and arena operators should prepare Data Protection Impact Assessments before implementing biometric technologies, justifying their necessity, demonstrating mitigation measures, and assessing short- and long-term risks. The ANPD, in its Regulatory Agenda, had already indicated that biometrics, sensitive data, and high-risk processing would be priorities, and the sports sector quickly became one of the most visible contexts for this debate.

It is likely that, starting in 2026, the country will see more targeted regulations, possibly with specific guidelines, thematic inspections, and formal governance requirements for clubs, federations, and stadium administrators.

Observing all these developments, it becomes evident that 2025 was a year of profound reconfiguration in the relationship between technology, security, privacy, and public power. The institutional maturity of the ANPD, the consolidation of policies aimed at child protection, the unprecedented transparency regarding security incidents, the regulatory rigor in notification deadlines, and the debate on biometrics in sports environments reveal that the country has definitively entered the era of digital responsibility. Governance is no longer an option. Technological practices now require solid justifications and regulatory alignment. And society, more informed and more critical, has begun to demand proportionality and respect for fundamental rights.

If 2023 was the year of awareness and 2024 the year of adaptation, 2025 became the year of consolidation. Data protection has assumed its role as an essential component of public and private life, influencing policies, regulations, business decisions, and social behaviors. The country ends the year facing a new horizon, in which privacy and security go hand in hand not only as legal values, but as indispensable conditions for building trust and for the very contemporary experience of citizenship.

About the Author

  • Graduated in Law from Mackenzie Presbyterian University (1998). Partner at CNK Advogados, a law firm that operates in the areas of Digital Law, Data Protection, Cybersecurity and Compliance - DPO of Sport Club Corinthians and Sparco.
