New Regulation Brings Potential Administrative Sanctions for Brazil

General Data Protection Regulation

The Data Protection Agency of Brazil has made it clear how they will punish people or companies that break the General Data Protection Law in the country.

Brazil's Data Protection Agency (ANPD) recently released new rules called the "Regulation of Dosimetry and Application of Administrative Sanction," which outline the penalties and fines for companies that violate Brazil's General Data Protection Law (LGPD). The ANPD hopes this new regulation will encourage companies to comply with the LGPD before they face any penalties. This blog explains the nine possible penalties the ANPD may enforce and the situations in which companies are most likely to receive them. It also discusses ways businesses can lower their risk of being penalized for noncompliance.

The ANPD has established three different levels of breaches in their regulations: light, average and serious. An average breach has a considerable impact on the data subject's interests and fundamental rights, hindering their access to services, their exercising of rights or causing harm, whether material or moral, such as discrimination. A serious breach includes all the elements of the average breach, and, in addition, features at least one of the processing situations described below.

The processing involves personal data on a large scale, taking into account how much data there is, how long and how often it is processed, and how widespread it is geographically.

The offender intends to gain, or has already gained, a financial benefit from the violation.

The violation poses a danger to the lives of the data subjects.

The violation involves confidential information or personal data belonging to individuals who are either underage or above a specific age limit.

The offender is handling confidential information without satisfying any of the lawful reasons indicated by the LGPD.

The processing leads to unfair or harmful discriminatory outcomes.

The offender has consistently used abnormal methods for handling personal data.

A light breach is one that does not meet the criteria of an average or serious breach.

The ANPD released the Regulation to make sure that everyone follows the LGPD rules without having to enforce penalties. They will consider several factors, including how severe and what type of violation occurred, if the offender is genuinely trying to follow the rules, the number of times the violation happened, how significant the infringement was, and if the offender is cooperating in fixing the issue. If the ANPD investigates and finds a violation, they may impose sanctions.

A warning will be given as a mild consequence in two instances: (1) the offense committed is not severe and does not happen frequently or (2) the perpetrator does not require corrective actions.

The Regulation contains a thorough discussion of how to calculate a simple fine and a daily fine, as explained in the section called "Daily Fine." The ANPD may impose a simple fine where (1) the offender did not adhere to preventative or corrective measures within the designated timeline, (2) the infraction is categorized as serious, or (3) alternative sanctions are not adequate for the type of infraction, data processing, individual data involved, and the unique circumstances of the case.

Before imposing a daily fine, the ANPD considers the violation committed, the severity of the harm caused and the amount of fines to be imposed. The maximum penalty for a business that breaks the law is 2% of its income in Brazil or R$50 million for each infringement.

The type of fine that ANPD gives out will depend on a few different factors, including the type and severity of the violation, as well as whether or not the offender has complied after a certain period of time. The Regulation stipulates that there is a specific way to calculate the amount of a simple fine, and it also outlines circumstances where the fine may be reduced if certain criteria are met. Conversely, there are also situations where the fine may increase if certain aggravating circumstances are present.

An organization can prevent or reduce penalties by establishing and maintaining internal protocols and systems that decrease harm to individuals whose personal data is being processed.

4) Revealing and making known the violation

The ANPD might ask the offender to publicly confess their wrongdoing on specific platforms. However, this will only happen after the ANPD has thoroughly examined the incident and verified that it actually occurred. Additionally, the ANPD will take into account the public's interest and the importance of the offense before making a decision. [14]

When someone violates the regulations relating to personal data, their personal information should be blocked. This means that it should be made inaccessible to other people or organizations. Blocking the personal data helps to ensure that it is not misused or further compromised. It also allows for an investigation to take place without the risk of additional data breaches. Overall, blocking personal data is an important step in protecting individuals' privacy and enforcing data protection laws.

The ANPD, which deals with personal data, has the authority to pause any processing activity that violates the rules. This temporary halt can be lifted once the offender fixes the issue at hand. The aim is to ensure that all personal data handling practices are in compliance with the applicable laws and regulations.

Deleting the personal information that was involved in the violation.

When a person has been sanctioned, they are obliged to remove any related data from their database immediately and inform the ANPD once the deletion process is complete. However, there are specific instances where communication may still be permitted, albeit with certain limitations, as outlined in the Regulation. [16]

Database operations related to violating terms of service have been partially suspended.

The ANPD has the power to demand that those who break data protection laws stop using their database that contains personal information. This can last for up to six months, but it can be made longer until the breach has been fixed. [17]

The violation has resulted in the cessation of processing personal data.

The ANPD might ask the wrongdoer to stop working with any personal information that has been impacted. This suspension can last up to six months at the most, and it may also be prolonged until the issue is resolved. [18]

The restriction or complete ban on actions connected to handling information

Sometimes, certain activities involving data processing may be forbidden either partially or completely. This can happen for several reasons, such as when someone repeatedly breaks the rules and is penalized with a temporary ban on accessing certain data, or when personal information is processed for illegal or unauthorized purposes. Additionally, if someone responsible for data processing no longer has the necessary technical skills or resources to safely manage this information, they may also face limitations or restrictions in their ability to do so.

It's important to mention that the last three penalties, which involve suspending database activity and either partially or completely prohibiting data processing, cannot be applied until the offender has already been given one of the penalties listed in options (2) through (6). So, before an entity can face a partial or complete ban on processing operations, the ANPD must give them a fine that clearly states the violation, make the violation public, block the processing of any personal information that's been affected, or get rid of that information altogether. [20]

The ANPD now has the power to impose fines and other sanctions on companies that do not comply with the LGPD. This is due to the adoption of the Regulation of the Inspection Process and the Administrative Sanctioning Process on October 28, 2021.

If a company follows the LGPD rules, they will have a higher level of protection against penalties. To show that they're following the LGPD rules in good faith, they should have a program in place that complies with Brazilian data privacy rules. By conducting a data mapping exercise, the company can find out if they need to improve their compliance measures to stay clear of the latest penalties.

Mike Summers also made a contribution to this piece of writing.

The law firm Greenberg Traurig is not authorized to give legal advice in Brazil and cannot assist with matters concerning Brazilian law. If you have any concerns regarding the LGPD or Brazilian legal compliance, you should consult with a lawyer who is licensed to practice law in Brazil.

In simple terms, GT didn't use an official translation of the Regulation in the English language.

The 10th and 16th governing rules of the regulations.

On October 28, 2021, the ANPD released Resolution No. 1 which sets forth guidelines for the inspection and administrative sanctions processes within the National Data Protection Authority. This new regulation also covers the way in which penalties are issued.

The blog section is copyrighted by Greenberg Traurig, LLP and cannot be used without permission. It is featured in the 13th volume and 82nd edition of the National Law Review.
