

Data protection: resolution for applying administrative sanctions approved in Brazil
Taking immediate effect, the new regulation defines criteria for the Brazilian Data Protection Authority to measure, calculate and apply sanctions
On February 27, 2023, the Brazilian Data Protection Authority (ANPD) published CD/ANPD Resolution No. 4/2023 to approve the Regulation for Calculating and Applying Administrative Sanctions, which concerns the application of Articles 52 and 53 of Brazil’s General Data Protection Law (LGPD). This regulation defines the criteria and parameters that the ANPD must apply in relation to monetary and non-monetary sanctions, as well as the criteria for pecuniary sanctions, also amending Articles 32, 55 and 62 of CD/ANPD Resolution No. 1, which previously approved another regulation to improve the administrative sanctioning and inspection process.
Prior to publication, the ANPD submitted a draft resolution to public consultation and a public hearing, and after deliberation, the board of directors approved the final text on February 24, 2023. This initiative is part of the ANPD’s 2023-2024 regulatory agenda (approved by Ordinance No. 35 of November 4, 2022), which also provides for regulating other pending topics provided for in the LGPD.
The Regulation for Calculating and Applying Administrative Sanctions establishes the circumstances, conditions and methods for applying administrative sanctions provided for in Article 52 of the LGPD. Among other criteria, it considers damage or harm to data subjects resulting from data processing agents’ non-compliance with the LGPD.
The regulation has been designed to guarantee that any sanctions applied are proportionate to the seriousness of the data processing agent’s conduct, as well as to provide legal security to inspection processes and guarantee the right to due process and adversarial proceedings.
As the regulation is effective from the date it was published, the ANPD can now apply all the sanctions the LGPD provides for, including:
• Official warnings;
• A one-time fine of up to 2% of the company’s revenue, limited to BRL 50 million per breach;
• A daily fine, limited to BRL 50 million;
• Publicly disclosing the infraction;
• Blocking access to the personal data in question;
• Destroying the personal data in question;
• Partially suspending the activities involving the database concerned for up to six months (extendable for an equal period) until the situation is resolved;
• Suspending personal data processing activities for a maximum of six months (extendable for an equal period);
• A partial or total prohibition of conducting data processing activities.
As the ANPD itself has declared, any sanctions will only be applied after possible infractions have been analyzed via administrative proceedings. This should safeguard the parties’ right to a full defense and adversarial proceedings, and ensure the specific characteristics of each case are considered – in line with the criteria provided for in Article 52, paragraph 1 of the LGPD.
Complementary material
As part of their contributions to the discussion, Mattos Filho’s specialists have prepared a booklet on the new regulation that addresses its key points.
An infographic outlining the new parameters and criteria defined in the regulation is also available.
The regulation has been published in the Official Federal Gazette. Please click here to view an English translation.
For more information about the ANPD’s supervision and enforcement of sanctions, please contact Mattos Filho’s Data Protection & Cybersecurity practice area.