In Brazil, the General Data Protection Act (LGPD – Law No. 13.709/2018) has been fully in force since August, 2021. However, the Regulatory Authority was unable to apply the financial fines and other administrative sanctions (such as warnings, suspensions and processing bans), as a specific regulation on the subject was pending. This gap has been filled and now processing agents can be fined.
On Monday, February 27, 2023, the Brazilian Data Protection Authority (ANPD) published the Resolution No. 4, which approves the Regulation on How to Proceed with the Application of Sanctions (“Regulation”), taking effect immediately, including with regard to proceedings already in progress prior to its publication.
The Regulation aims to establish the parameters and criteria for the application of the sanctions provided for in article 52 of the LGPD, in addition to clarifying how the pecuniary sanctions (fines) will be calculated, considering, among other aspects, the damage or loss caused to data subjects due to non-compliance with the LGPD and/or the regulations issued by the ANPD.
The sanctions provided for in the LGPD are:
a) Warning;
b) Simple fine, of up to two percent (2%) of the companys revenue, limited, in total, to fifty million reais (BRL 50,000,000.00), per infraction;
c) Daily fine, with a total limit of fifty million reais (BRL 50,000,000.00);
d) Publication of the infraction;
e) Blocking of personal data;
f) Elimination of personal data;
g) Partial suspension of database operation for a maximum of six (6) months, extendable for an equal period, until the situation is remedied;
h) Suspension of the activity of processing personal data for a maximum of 6 (six) months, extendable for an equal period;
i) Partial or total prohibition of carrying out activities related to data processing.
According to the Regulation, suspension and prohibition sanctions will only be applied to processing agents if at least one of the other sanctions mentioned above has already been imposed (warning, fine, publication of the infraction, blocking and/or elimination of personal data). In addition, with the exception of fines, all other sanctions may be applied to the Public Authorities.
All sanctions will be applied by ANPD after the analysis of the specific case in the administrative proceeding (assuring the right of adversary proceeding and fair hearing to the processing agent), according to its peculiarities and according to the following criteria, which may mitigate (decrease) or aggravate (increase) the penalty:
a) Seriousness and nature of the infractions and the personal rights affected;
b) Offenders good faith;
c) Advantage obtained or intended by the offender;
d) Economic condition of the offender;
e) Recidivism;
f) Degree of damage;
g) Offenders cooperation;
h) Adoption of internal mechanisms and procedures capable of minimizing the damage;
i) Adoption of a good practices and governance policy;
j) Prompt adoption of corrective measures; and
k) Proportionality between the seriousness of the fault and the intensity of the sanction.
Violations will be classified according to their seriousness and nature, in addition to the personal rights affected, in three levels:
I – mild: when the infraction does not fall under “medium” or “serious”;
II – medium: when the infraction may significantly affect the interests and fundamental rights of the personal data subjects, characterized in situations in which the processing activity may significantly hinder or limit the exercise of rights or the use of a service, as well as cause pecuniary or moral damages to the subjects
III – serious: when it constitutes an obstruction to the inspection activity or when the infraction can cause the same damages as a “medium” infraction and, cumulatively, reach at least one of the hypotheses below:
a) involve processing of personal data on a large scale, characterized when it covers a significant number of subjects, also considering the volume of data involved, as well as the duration, frequency, and geographic extent of the processing carried out;
b) the offender earns or intends to earn economic advantage as a result of the offense committed;
c) the infraction implies risk to the life of the data subjects;
d) the infraction involves the processing of sensitive data or personal data of children, adolescents, or elderly people;
e) the offender carries out the processing of personal data without support in one of the legal basis provided for in the LGPD;
f) the offender carries out the processing with illicit or abusive discriminatory effects; or
g) systematic adoption of irregular practices by the offender is verified.
For the calculation of fine penalties, the following elements will be considered: (a) the classification of the infraction (mild, medium, or serious), (b) the revenue of the offending processing agent in the last financial year available prior to the application of the sanction, and (c) the degree of damage. The fine sanctions must be paid within a period of up to twenty (20) business days, counted from the official awareness of the decision for the application of the sanction, except for small processing agents, in which case a double period will be granted for the payment.
Finally, depending on the circumstances of each case, the ANPD may apply sanctions gradually, separately, or cumulatively. In addition, the ANPD may grant a deadline for the statement of a sectoral regulatory body that has sanctioning powers against the offending processing agent.
It is important to emphasize that the application of a sanction does not exclude the possibility of adoption of other administrative measures by the ANPD in order to guarantee the compliance of the offending processing agent with the personal data protection legislation, nor does it prevent the processing agent from being sued by a data subject seeking compensation for moral or material damages.
Azevedo Sette Advogados is fully available for further clarifications on the subject through its senior partner Ricardo Baretto Ferreira and the Data Protection Coordinator Lorena Pretti Serraglio via email tmtconsultivo@azevedosette.com.br.