On 27 February, the Brazilian data protection authority (ANPD) published the highly anticipated regulation on the application of administrative sanctions, which is a function allocated to the authority under Brazil’s data protection law (LGPD).
The Brazilian General Law for the Protection of Personal Data (LGPD) came into effect on August 18, 2018, and was a major reality check for the market, providing for possible fines of up to BRL 50 million reais on companies that do not treat data in a proper manner.
As a result of the new regulation, the ANPD will now be able to apply administrative sanctions based on clear and established requirements, bringing the country in line with best data protection practices in other jurisdictions.
Short background
In 2021 the ANPD released a draft Resolution in order to provide a necessary framework to exercise its sanctioning powers and complement the regulation on the inspection and administrative sanctioning processes (Resolution CD/ANPD No. 1 of 2021).
The agency’s legal powers were further boosted last year when it was transformed into a special autonomous government entity (Provisional Measure no. 1,124).
Although the legal competencies and organizational structure have not been changed, the MP reinforces the technical and decision-making autonomy of the ANPD, which will have its own assets, and head office and jurisdiction in the Federal District (Article 55-A of the General Personal Data Protection Law – LGPD).
In August 2022, the draft resolution was opened to a public consultation process to obtain feedback from society on the subject, including from data protection and data security experts. Overall, the draft resolution received 2,504 contributions from society in the public consultation. A public hearing was also held, with a further 24 contributions being received.
Looking forward
In a recent interview, the current President of the ANPD, Waldemar Gonçalves Ortunho Júnior, indicated that there are already numerous cases ready for the application of penalties and that the regulation would provide a greater basis for the application of such sanctions.
The new resolution provides clarity on the appropriate sanction for a violation of the LGPD, and lists the various parameters and criteria to be taken into account, such as the seriousness of the infraction, the personal rights affected, whether the liable party was acting in good faith, its economic condition, the damage or harm caused to data subjects for non-compliance with the LGPD, among others.
Sanctions will be applied after an analysis carried out in an administrative process on a case-by-case basis. Such process should provide the opportunity for a broad defence, according to the peculiarities of the specific case and in line with the above-mentioned criteria (seriousness of infraction, personal rights affected, etc.).
Our Technology, Privacy and Data Protection team is available to answer questions and provide support on issues related to this topic.