Brazil’s Data Protection Agency clarifies what sanctions look like for violations of the country’s General Data Protection Law.[1]

On Feb. 27, 2023, Brazil’s Data Protection Agency (ANPD) issued the Regulation of Dosimetry and Application of Administrative Sanction (Regulation), which details fines and other sanctions for violations of Brazil’s General Data Protection Law (LGPD) by applicable businesses.[2] The ANPD released the Regulation to encourage businesses to comply with LGPD before the agency begins applying penalties for noncompliance. This blog post describes the nine possible sanctions available to the ANPD, circumstances that could generate such sanctions, and considerations for businesses to reduce their risk of being penalized.

Classifications of Infractions

The ANPD outlined three ranks of infractions in the Regulation: (1) mild (“light”), (2) medium (“average”), or (3) severe (“serious”).[3] An average infraction significantly affects the interests and fundamental rights of data subjects in situations that prevent or limit the data subject from using a service, exercising their rights, or causing material or moral damage to the data subject, such as discrimination.[4] A serious infraction contains the elements of an average infraction, as well as at least one of the following processing situations:

1. The processing of personal data on a large scale, taking into consideration the volume, duration, frequency, and geographic extent;

2. The violator intends to or actually earns an economic advantage as a result of the infraction;

3. The infraction involves risk to data subjects’ lives;

4. The infraction involves processing of sensitive data or the personal data of minors or adults over a certain age;

5. The offender processes personal data without one of the LGPD’s listed legal hypotheses;

6. The processing involves illicit or abusive discriminatory effects; or

7. The offender has systematically adopted irregular practices of processing.[5]

A light infraction is an infraction that has not met the elements of an average or serious infraction.[6]

Sanctions

The ANPD’s intention in issuing the Regulation is to ensure compliance with the LGPD before having to resort to sanctions. In doing so, the ANPD represents that they will take into consideration a variety of factors, including but not limited to the seriousness and nature of the violation, the offender’s good-faith compliance efforts, the amount of times the violation occurs, the level of infraction, and the offender’s cooperation in mitigating the violation.[7] The following sanctions may be issued after investigation by the ANPD:

1) Warning

The least threatening sanction, a warning will be issued when (1) the infraction is light or average and does not involve specific recurrence or (2) there is no need to impose corrective measures on the offender.[8]

2) Simple fine

The Regulation has a robust discussion on how to calculate a simple and daily fine, as detailed in the “Daily fine” section below. The ANPD may apply a simple fine when (1) the offender has not complied with the preventive or corrective measures imposed on it within the established deadlines, when applicable, (2) the infraction is classified as severe, or (3) it is not appropriate to apply another sanction based on the nature of the infraction, the processing activity or personal data, and the circumstances of the specific case.

3) Daily fine

A daily fine may be applied after taking into consideration the type of infraction, the degree of damage, and the total amount of any fines the ANPD intends to administer. If a simple or daily fine is issued, the maximum fine can be up to 2% of the offending business’s revenue in Brazil, with a cap of R$50 million per infraction.[9]

Whether ANPD issues a simple fine or daily fine depends on the circumstances, such as classification of the infraction, degree of infraction, or the offender’s ensured compliance within a given period.[10] The Regulation establishes a mathematical methodology for determining the base value of a simple fine.[11] Further, the Regulation outlines mitigating circumstances, whereby if one of the situations listed is present, the fine may be reduced.[12] On the other hand, the Regulation presents aggravating circumstances where, if present, the fine would increase by a certain percentage.[13]

Implementing and maintaining internal procedures and mechanisms for minimizing damage to data subjects when processing personal data should help avoid or reduce fines.

4) Disclosure and publicization of the infraction

The ANPD may require the offender to disclose the infraction publicly in certain mediums, after the ANPD has properly investigated and confirmed the infraction’s occurrence and has reviewed the public interest and relevance of the infraction.[14]

5) Blocking of the personal data used in the infraction

The ANPD can temporarily suspend any processing related to personal data affected by an infraction until the offender cures it.[15]

6) Deletion of the personal data used in the infraction

The offender must delete data from its database upon notice of this sanction and notify the ANPD once it has been deleted. The Regulation provides for limited exceptions for communication.[16]

7) Partial suspension of the database operation related to the infraction

The ANPD may require the offender to suspend the operation of its database housing personal data for a maximum period of six months, which can be extended, until the infraction has been resolved.[17]

8) Suspension of the personal data processing activity related to the infraction

The ANPD may require the offender to suspend processing of affected personal data, and such suspension will be in place for a maximum period of six months, which can be extended, until the infraction has been resolved.[18]

9) Partial or total prohibition of activities related to data processing

Partial or total prohibition of activities related to data processing may be applied in cases where (1) there is a recurrence of an infraction punished with partial suspension of the operation of the bank of data or suspension of the activity of processing personal data, (2) processing of personal data occurs for illicit purposes, or without legal support, or (3) the offender no longer meets the technical and operational conditions to maintain the adequate processing of personal data.[19]

Of note, the last three sanctions (prior to partial suspension of a database)—suspension of a processing activity, and partial or total ban on data processing—cannot occur until the offender has received at least one of the sanctions listed in (2) through (6). For example, prior to a partial or total ban on processing operations, the ANPD must first issue a fine to the entity outlining the exact infraction, publicly disclose the infraction, block the processing of affected personal data, or delete the affected personal data.[20]

Key Takeaways

With the recent adoption of this Regulation, as well as the Regulation of the Inspection Process and the Administrative Sanctioning Process of Oct. 28, 2021, the ANPD may now issue fines and other penalties for applicable businesses who are not in compliance with the LGPD.[21]

A business that complies with the LGPD should be better protected against a sanction. Good faith compliance in the LGPD can be evidenced by the implementation and maintenance of a Brazilian data privacy compliance program. A data mapping exercise can help determine if the business should implement or strengthen compliance measures to avoid the newly minted and defined sanctions.

Mike Summers also contributed to this article.

FOOTNOTES

[1] Greenberg Traurig is not licensed to practice law in Brazil and does not advise on Brazilian law. Specific LGPD questions and Brazilian legal compliance issues will be referred to lawyers licensed to practice law in Brazil.

[2] GT used a non-official English translation of the Regulation.

[3] Regulation, Article 8.

[4] Id. at §2.

[5] Id. at §3.

[6] Id. at §1

[7] Regulation Article 7.

[8] Regulation Article 9.

[9] LGPD Article 52.

[10] Regulation Articles 10, 16. 

[11]Regulation Appendix 1.

[12] Regulation Article 13.

[13] Regulation Article 12.

[14] Regulation Article 20.

[15] Regulation Article 22.

[16] Regulation Article 23.

[17] Regulation Article 24.

[18] Regulation Article 25.

[19] Regulation Article 26.

[20] Regulation Article 3.

[21] Resolution ANPD No. 1 of Oct. 28, 2021, The Regulation of the Inspection Process and the Sanctioning Administrative Process within the scope of the National Data Protection Authority, is the other regulation that outlines the ANPD’s procedures for issuing penalties.