Brazil is in the middle of one of the most ambitious identity overhauls in the democratic world. Under Decree 10.977/2022, the federal government is replacing the country's 27 state-issued Registros Gerais (RGs) with a single Carteira de Identidade Nacional (CIN), anchored on the Cadastro de Pessoas Físicas (CPF) as the sole national identifier. The new document carries a QR code that resolves to a record in the federal gov.br digital identity platform, which is increasingly the front door to hundreds of public services — from tax filings and pension claims to driver's licences and SUS health appointments.
The promise is real. Brazil has long suffered from fragmented identity infrastructure: a citizen could hold multiple RGs with different numbers across different states, creating fertile ground for fraud, duplicate benefits, and clunky service delivery. A unified, biometrically verifiable ID, properly built, could reduce friction for tens of millions of Brazilians and unlock genuine productivity gains in a country where queuing at cartórios and government counters still consumes enormous amounts of citizen time.
But the rollout has hit serial delays — the federal deadline for states to issue only the CIN has been extended more than once, most recently pushing full transition deeper into the late 2020s — and the National Data Protection Authority (ANPD) has begun publicly flagging risks. The questions Brazil is asking right now are the right ones, and the answers will determine whether the CIN becomes a model for the Global South or a cautionary tale.
What the decree actually does
Decree 10.977/2022 doesn't merely standardise a plastic card. It does three structurally important things at once:
- Collapses identifiers. The CPF — originally a tax number — becomes the universal civil identifier. Every Brazilian, in every interaction with the state, is now keyed off the same 11-digit string.
- Centralises verification. The QR code on the card points back to a federal registry. Authentication, in practice, runs through gov.br, which already had more than 150 million registered accounts as of 2024 according to the Ministry of Management and Innovation.
- Concentrates biometrics. Facial templates and fingerprints captured by state issuing bodies flow into federal systems, integrated with databases originally built for elections (TSE) and federal police records.
Each of these moves is defensible in isolation. Together, they create a single, high-value target — and a single set of governance choices that will shape Brazilian digital life for a generation.
The ANPD's concerns are not hypothetical
Brazil's data protection regulator, established under the Lei Geral de Proteção de Dados (LGPD, Law 13.709/2018), has flagged the architecture's reliance on a unique persistent identifier and the centralisation of biometric processing. These are textbook privacy-engineering red flags, not abstract objections.
The international evidence is sobering. India's Aadhaar — the closest analogue — has weathered repeated reports of data exposure through enrolment-operator misconduct and downstream API leaks, and the Supreme Court of India in Puttaswamy v. Union of India (2018) limited Aadhaar's use precisely because mandatory linkage created disproportionate exclusion and surveillance risk. Estonia's well-regarded e-ID had to be partially revoked in 2017 after the ROCA vulnerability affected an estimated 750,000 cards. When identity is centralised, the blast radius of any single failure expands accordingly.
A single national identifier wired into a single federal authentication platform is not a privacy strategy. It is a design choice that requires extraordinary safeguards to remain proportionate.
The pro-innovation case for getting this right
It would be a mistake to read these concerns as opposition to digital ID. Modern identity infrastructure is one of the highest-leverage investments a state can make. Done well, it expands access to credit and formal employment, reduces fraud against the public purse, and lets the private sector build services — open finance, telemedicine, regtech — on top of trustworthy identity rails. Brazil's open-finance regime, already one of the most advanced in the world, depends on exactly this kind of plumbing.
The question is not whether to modernise, but how. A proportionate, pro-innovation rollout would look quite different from a maximally centralised one:
- Federated, not monolithic. Verification should be possible without every query touching a single federal endpoint. Selective disclosure ("is over 18" rather than full date of birth) should be the default, in line with global digital-credential standards such as W3C Verifiable Credentials and ISO/IEC 18013-5 mobile driving licences.
- Purpose limitation with teeth. The LGPD already requires it. ANPD should be empowered to audit gov.br access logs and sanction function creep — particularly by law enforcement and tax authorities — without needing a fresh political fight each time.
- Genuine opt-outs. Citizens who cannot or will not enrol biometrically must retain meaningful access to public services. India's Aadhaar litigation showed what happens when "voluntary" becomes coercive in practice.
- Independent security review. The cryptographic stack underpinning the CIN QR code and the gov.br authentication flows should be published and subject to external review, as Estonia's e-ID code now is.
- Hard breach-notification timelines. ANPD's current guidance is a floor, not a ceiling. For a database of this sensitivity, citizens deserve notification in hours, not weeks.
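To make the selective-disclosure point in the first item of the list above concrete, here is an added example (not code from the decree, gov.br or any CIN specification) of salted-digest disclosure in the style of ISO/IEC 18013-5: the issuer signs only salted hashes of each claim, the holder reveals "age_over_18" alone, and the verifier checks it offline against the issuer's public key. The claim names, the sample record and the Lamport one-time signature (a standard-library stand-in for the issuer's real ECDSA or EdDSA key, usable for one credential only) are assumptions made for illustration.

```python
import hashlib, json, secrets

def H(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()

# Lamport one-time signature: stdlib stand-in for the issuer's real signing key.
def keygen():
    sk = [[secrets.token_bytes(32) for _ in range(2)] for _ in range(256)]
    return sk, [[H(s) for s in pair] for pair in sk]

def bits(msg: bytes):
    d = int.from_bytes(H(msg), "big")
    return [(d >> i) & 1 for i in range(256)]

def sign(sk, msg):
    return [sk[i][b] for i, b in enumerate(bits(msg))]

def sig_ok(pk, msg, sig):
    return len(sig) == 256 and all(
        H(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, bits(msg))))

def digest(name, value, salt: bytes) -> str:
    # Per-claim random salt stops a verifier guessing hidden values by hashing candidates.
    return H(json.dumps([salt.hex(), name, value]).encode()).hex()

def issue(sk, claims):
    """Issuer: sign only the sorted list of salted claim digests."""
    salts = {k: secrets.token_bytes(16) for k in claims}
    signed = json.dumps(sorted(digest(k, v, salts[k]) for k, v in claims.items())).encode()
    return {"claims": claims, "salts": salts, "signed": signed, "sig": sign(sk, signed)}

def present(cred, reveal):
    """Holder: disclose chosen claims with their salts; the rest stay opaque digests."""
    shown = {k: (cred["claims"][k], cred["salts"][k]) for k in reveal}
    return {"shown": shown, "signed": cred["signed"], "sig": cred["sig"]}

def verify(pk, pres):
    """Verifier: offline check with the issuer public key; verified claims or None."""
    if not sig_ok(pk, pres["signed"], pres["sig"]):
        return None
    signed_digests = set(json.loads(pres["signed"]))
    if any(digest(k, v, s) not in signed_digests for k, (v, s) in pres["shown"].items()):
        return None
    return {k: v for k, (v, _) in pres["shown"].items()}

# Constructed sample record; the CPF value is a placeholder, not a real number.
SK, PK = keygen()
CRED = issue(SK, {"cpf": "000.000.000-00", "birth_date": "1990-05-17", "age_over_18": True})
```

The verifier never contacts the issuer and learns nothing about the CPF or birth date beyond two opaque digests, which is the property a federated design relies on.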
The window is now
Because the federal deadline keeps slipping, Brazil has an unusual gift: time. The CIN is not yet fully deployed across all 27 federative units, and the architectural decisions baked in over the next 18 months will be very hard to reverse. Congress, ANPD, and civil society — including organisations like InternetLab, Data Privacy Brasil, and IDEC — should use this window to demand a published threat model, a federated rather than monolithic verification architecture, and statutory limits on cross-database linkage.
A unified national ID is not, in itself, a civil-liberties violation. A unified national ID without privacy by design, without independent oversight, and without a genuine opt-out for the marginalised would be. Brazil can have the first without the second — but only if it chooses to.