Brazilian General Data Protection Law: sanctions take effect
The ANPD may apply sanctions for infractions or continuing violations occurring as of August 1, 2021
Law No. 13,709/2018 (the General Data Protection Law, or LGPD) first took effect in September 2020, with the exception of certain provisions concerning the right of the National Data Protection Authority (ANPD) to apply administrative sanctions. In view of the upheaval caused by the Covid-19 pandemic, Law No. 14,010/2020 was enacted to postpone the date on which these sanctions take effect until August 1, 2021.
As of August 2021, the following penalties may be applied:
- A warning, with a specific deadline to adopt corrective measures;
- A one-time fine of up to 2% of the private legal entity or group’s before-tax revenue in its preceding fiscal year in Brazil, limited to a total of BRL 50 million per infraction;
- A daily fine, subject to the limit mentioned above;
- Mandatory public disclosure of the infraction after its occurrence is confirmed;
- Processing of the corresponding personal data may be blocked until the infraction is corrected;
- The obligation to delete personal data corresponding to the infraction;
- Partial suspension of the database corresponding to the infraction for up to six months, until the adoption of corrective measures;
- Suspension of data processing corresponding to the infraction for up to six months, which can be renewed for the same amount of time; and
- Partial or total prohibition of exercising data processing operations.
When applying sanctions, the ANPD will take the following criteria into account:
- the gravity and nature of the infractions, and the individual rights affected;
- whether the offender acted in good faith;
- the offender’s financial situation;
- recidivism;
- the offender’s cooperation in the matter;
- whether the offender has adopted internal mechanisms and procedures capable of minimizing damage;
- whether best practice and governance policies have been adopted; and
- how quickly corrective measures were adopted.

It is important to emphasize that the penalties referred to above in items 7, 8 and 9 can only be applied after one of the other sanctions mentioned for the same concrete case has already been applied.
The ANPD has already clarified that these sanctions will only apply to infractions occurring as of August 1, 2021, or for continuing violations that commenced prior to that date.
Furthermore, the ANPD is currently in the final stages of developing its Regulation for Inspecting and Applying Administrative Sanctions, which includes steps for monitoring and guiding compliance, as well as preventing and penalizing infractions. The methodology for applying fines is still to be subject to future public consultation.
For further information about how the ANPD monitors and applies sanctions, please contact Mattos Filho’s Data Protection and Cybersecurity practice area.