The Brazilian law firm BMA Advogados reports that the Brazilian National Data Protection Authority (“ANPD”) adopted a landmark and long-awaited regulation for the enforcement of the Brazilian General Data Protection Law (“LGPD”).

On February 27, 2023, Resolution No. 4/2023 of the ANPD approved the Regulation on the Setting and Application of Administrative Penalties under the LGPD (the “Regulation”).

The Regulation sets forth the methodology for calculating fines – which can be up to 2% of the annual turnover of the data controller or processor, limited to BRL 50 million per infringement – and determining other administrative penalties under the LGPD, such as public disclosure of the infringement and suspension of data processing activities.

The Regulation provides criteria to classify infringements as minor, moderate or severe, which include, among others, (1) whether the infringement can cause material or moral damages to data subjects, (2) the intent or negligence of the data controller, and (3) the type and volume of data processed. In addition, the Regulation establishes aggravating and mitigating factors to be assessed by the ANPD to decide which penalty will be imposed against the data controller or processor. These factors include the cooperation of the offender with the ANPD, the economic advantages obtained and the offender’s history of non-compliance.

The Regulation also states that penalties may be imposed in the administrative proceedings already in course, i.e., infringements that have taken place prior to the Regulation’s publication.

With the Regulation in force, BMA Advogados anticipates that the ANPD will become increasingly active and  administrative proceedings will advance quickly, with the first monetary penalties to be imposed in the following months.

For a more detailed analysis, read the full report from BMA Advogados.