Brazil is finishing one of the largest civil-registry overhauls in the democratic world. The Carteira de Identidade Nacional (CIN), created by Decree 10.977/2022, is replacing the patchwork of state-issued RGs with a single document anchored to the CPF — the same eleven-digit number Brazilians already use for taxes, banking, and social benefits. The rollout is now live across all 27 federative units, with SERPRO and the federal government pressing states to complete biometric enrollment and wire the CIN into the gov.br digital identity stack, which authorities say serves more than 160 million Brazilians. For a country that has long lost billions of reais a year to identity fraud and duplicated records, this is a genuine modernisation win. It should not be slowed down — but it does need real LGPD discipline now, before architectural choices harden.
What changed, and why it matters
Until recently, a Brazilian could legally hold up to 27 different RG numbers, one per state, with no national reconciliation. That fragmentation made benefit fraud easier, raised onboarding costs for fintechs, and left poorer Brazilians stuck in queues to prove who they were. The CIN folds this into one card with a QR code, an ICAO-compliant travel-document zone, and a digital twin inside gov.br. The General Personal Data Protection Law (LGPD, Lei 13.709/2018) and the National Data Protection Authority (ANPD), created in 2018 and made autonomous in 2021, provide the legal scaffolding.
The upside for innovation is real:
- Friction down. Account opening, KYC, and government-service onboarding collapse from days to minutes. That is pro-competition: it helps small fintechs and challenger banks more than incumbents.
- Fraud down. A single, biometrically bound identifier closes the seams that synthetic-identity rings exploit across state RGs.
- Inclusion up. Programs like Bolsa Família and BPC reach more people, faster, with fewer leakage points — a quiet but enormous welfare gain.
None of this requires abandoning the open internet or building a Chinese-style social-credit substrate. The CIN, on paper, is closer to Estonia's e-ID or India's Aadhaar-with-DEPA than to any authoritarian model. The question is whether the implementation will earn that comparison.
The centralisation problem
Using CPF as the single citizen identifier is convenient, but it also turns one number into a master key. Brazil already had a painful preview of the risk: in early 2021, a database surfaced that reportedly exposed personal data tied to the CPFs of nearly every adult Brazilian, prompting an ANPD investigation. That episode did not happen because LGPD failed; it happened because too many private and public actors had accumulated CPF-linked dossiers with too little oversight.
The CIN, if poorly governed, risks amplifying that pattern. A few specific failure modes deserve naming:
- Function creep. An ID built for civil registration quietly becoming the default key for health records, school enrolment, transit, and private-sector loyalty schemes — without a new legal basis each time.
- Linkage by stealth. Private platforms scraping CPF as a join key across datasets the citizen never intended to merge.
- Single point of failure. A gov.br outage or credential-stuffing wave becoming a nationwide service outage.
- Surveillance drift. Biometric templates collected for one purpose being repurposed for law enforcement matching without judicial control.
The proportionate path
The right answer is not to halt the rollout. Reverting to 27 incompatible RGs would punish the poor and entrench fraud. The answer is to lock in LGPD-grade guardrails while the architecture is still soft:
- Purpose limitation with teeth. ANPD should publish a binding list of permissible uses of the CIN/CPF tuple by federal agencies and require a documented LGPD legal basis (Art. 7 or Art. 11) for any new use, with sunset clauses.
- Federated, not pooled. Verification should return a yes/no attestation through gov.br rather than dumping attributes into requesting systems. Estonia's X-Road and India's recent move toward Verifiable Credentials show this is technically routine.
- Selective disclosure by default. Citizens should be able to prove age, residence, or eligibility without revealing the underlying CPF — a capability the W3C Verifiable Credentials standard already enables.
- Biometric minimisation. Templates on-device where possible; centralised storage only with judicial oversight for matching, and a hard ban on commercial use.
- An independent breach clock. ANPD's recent push for 72-hour incident reporting should be tested on a real CIN-scale incident drill before, not after, one happens.
- Open APIs for the private sector. Regulated, audited access for banks, fintechs, and platforms — so the productivity gains are not captured by a handful of incumbents.
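The "federated, not pooled" and "selective disclosure" items above can be made concrete with a short sketch. This is an added example, not gov.br, SERPRO, or W3C Verifiable Credentials code: the provider answers one yes/no question and hands each relying party a different pairwise identifier, so the CPF cannot be used as a join key. All names, keys and records are constructed, and HMAC stands in for the issuer's digital signature so that the code runs on the standard library alone.

```python
import hashlib, hmac, json
from datetime import date

# Constructed secrets held only by the identity provider (assumption).
PAIRWISE_KEY = b"constructed-pairwise-key"
SIGNING_KEY = b"constructed-signing-key"

# Constructed registry; CPFs and birth dates are sample values.
REGISTRY = {
    "123.456.789-09": {"born": date(2000, 5, 17)},
    "987.654.321-00": {"born": date(2010, 3, 2)},
}

def pairwise_id(cpf: str, relying_party: str) -> str:
    """Stable for one relying party, unlinkable across relying parties."""
    msg = f"{relying_party}\x00{cpf}".encode()
    return hmac.new(PAIRWISE_KEY, msg, hashlib.sha256).hexdigest()[:32]

def _mac(body: dict) -> str:
    # Stand-in for an asymmetric issuer signature over the canonical body.
    payload = json.dumps(body, sort_keys=True).encode()
    return hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()

def attest_age_over(cpf: str, relying_party: str, min_age: int, today: date) -> dict:
    """Answer one yes/no question; the CPF (taken from the citizen's
    authenticated session, not from the relying party) and the birth
    date never leave the provider."""
    born = REGISTRY[cpf]["born"]
    age = today.year - born.year - ((today.month, today.day) < (born.month, born.day))
    body = {
        "aud": relying_party,
        "sub": pairwise_id(cpf, relying_party),
        "claim": f"age_over_{min_age}",
        "result": age >= min_age,
        "issued": today.isoformat(),
    }
    return {**body, "mac": _mac(body)}

def verify(attestation: dict, relying_party: str) -> bool:
    """Reject tampered attestations and ones issued to another relying party."""
    body = {k: v for k, v in attestation.items() if k != "mac"}
    ok = hmac.compare_digest(_mac(body), attestation.get("mac", ""))
    return ok and body.get("aud") == relying_party
```

Because the `sub` value differs for every relying party, two platforms comparing their records find no shared key to merge on, which is the "linkage by stealth" failure mode named earlier.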
The bigger picture
Digital identity is the rails on which a modern internet economy runs. Countries that get this right — Estonia, Singapore, increasingly India after the DPDP Act and DEPA — pull ahead on financial inclusion, public-service delivery, and digital exports. Countries that get it wrong end up with either paralysing analog friction or surveillance infrastructure waiting for a future government to misuse.
Brazil, uniquely, has both a serious data-protection statute and a regulator (ANPD) that is finally finding its voice, including on AI and biometric matters. The CIN rollout is a test of whether that legal architecture can shape, rather than merely react to, a once-in-a-generation infrastructure decision. The pro-innovation answer is to ship the CIN — and to make LGPD the binding constraint that keeps it trustworthy.