ANPD, The Brazilian Data Protection Authority, publishes Rules to Calculate and Enforce Administrative Sanctions under LGPD
The Regulation was considered the last hindrance for ANPD to effectively impose administrative penalties under LGPD
On February 27, 2023, the Brazilian Data Protection Authority (“ANPD”) published Resolution CP/ANPD no. 4/2023, which approved the Rules to Calculate and Enforce Administrative Penalties (“Regulation”). This provision establishes criteria and parameters to apply administrative sanctions under article 52 of Brazil’s General Personal Data Protection Law (“LGPD”). It also defines calculation methods for how hefty the fines will be.
The Regulation ensures legal certainty and predictability to proceedings with ANPD by establishing a sanction fit to the seriousness of the offender’s behavior. Also, the Regulation amends Resolution CD/ANPD no. 1, issued on October 28, 2021, which approved the Inspection Process Regulation and the Administrative Sanctioning Process already in force.
The Regulation’s publication had been long awaited because it was the last regulatory obstacle for ANPD to effectively impose administrative sanctions if an offender fails to comply with LGPD. The Regulation now underscores ANPD’s enforcement and containment action, so the body should soon apply its first sanctions.
Therefore, companies and organizations still failing to comply with LGPD should strive to do so as soon as possible. They should also revise and update their data protection governance programs to ensure they are up-to-date with ANPD’s latest rules and guidelines. In fact, having sound data protection policies and governance framework may be an objective criterion to ease the penalty if an organization receives an administrative sanction from ANPD.
Here are some considerations on the Resolution and its main points.
Regulation’s Scope: administrative penalties and application criteria
The Regulation explicitly defines each sanction under LGPD’s article 52, and ANPD is the exclusive authority to apply these sanctions:
- Simple fine;
- Daily fine;
- Publicizing the offense;
- Blocking of personal data;
- Deletion of personal data;
- Database operation partial suspension;
- Personal data processing activity suspension; and
- A partial or total ban on data processing-related activities.
When ANPD applies a penalty, after the due administrative process that ensures the offender’s broad defense and adversary proceeding, the authority must provide a sanction proportional to the severity of the offender’s behavior.
To that end, the Regulation, in tune with LGPD, establishes the following criteria to apply a penalty:
- Seriousness and nature of the offense and category of the affected personal data;
- The offender’s good faith;
- The offender’s intended or obtained advantage;
- The offender’s financial situation;
- Specific recidivism;
- Generic recidivism;
- Degree of damage;
- How cooperative the offender is;
- Reiterated, proven adoption of LGPD-compliant internal mechanisms and procedures to mitigate the damage and ensure adequate and secure data processing;
- Adoption of data protection good practices policy and governance framework;
- Prompt implementation of corrective measures; and
- Proportionality between the offense’s seriousness and the sanction’s severity.
Regulation’s key points
The Regulation’s main aspects are:
- Limiting the application of more severe penalties.
Under the Regulation, ANPD will only apply severe sanctions, i.e., database operation partial suspension, personal data processing activity suspension, and partial or total ban on data processing-related activities, after the authority has applied at least one of the other less strict penalties, such as warnings or fines;
- Non-compliance with penalties or failure to regularize the behavior.
Suppose the processing agent (controller or processor) fails to comply with the sanction (e.g., refusing to pay a fine) or refrains from regularizing the offense. In that case, ANPD may apply more severe penalties without prejudice to other appropriate containment measures;
- Offense classification.
ANPD will classify the seriousness and nature of offenses and affected personal data to apply penalties as follows:
- Light, in less damaging cases that do not fit as medium or serious;
- Medium, when the offense may impact data subjects’ fundamental rights and interests significantly, e.g., when data subjects cannot exercise their rights or when the offense causes material or moral damage to data subjects. This includes cases of discrimination, physical threat, risk to data subject’s honor and reputation, fraud, and identity theft; and
- Serious, after the offense is classified as “medium” as defined above, and any of the following situations occur in a concrete case:
- The offense involves large-scale personal data processing;
- The offender obtains or intends to take financial advantage of the offense;
- The offense threatens data subjects’ lives;
- The offense pertains to processing special category of data (sensitive data, as defined by LGPD) or children’s (ages 0-12), teenagers’ (ages 12-18), or elderly’s (ages 60 and above) personal data;
- The offender has processed personal data without a legal basis under the LGPD;
- The offender processes data with unlawful or abusive discriminatory effects; or
- The offender has verifiably adopted systematic irregular practices.
- Methodology to define the simple fine’s base amount.
The Resolution’s Appendix I methodology defines that the simple fine’s base amount is based on offense classification, the offender’s revenue, and the degree of damage.
- Aggravating and extenuating circumstances.
The Resolution also establishes aggravating criteria, whereby the fine amount may be increased by a specific percentage in case of recidivism or non-compliance with corrective, preventive, or informative measures. Conversely, extenuating criteria may reduce the fine amount by a percentage, e.g., when the offender stops the offense, implements damage reversion or mitigating measures, cooperates with the investigation, acts in good faith, etc.
- Good practices policy and governance as extenuating circumstances.
Among the extenuating circumstances under the Resolution, the fine may be reduced by 20% if offenders prove they have implemented a data protection good practices policy and governance or have demonstrably adopted internal procedures and mechanisms to minimize damage to data subjects.
Under the Regulation, two types of recidivism may cause ANPD to apply more severe sanctions. Besides that, recidivisms are considered aggravating circumstances when calculating the fine amount. Specific recidivism means repeating the same offense within 5 years after the administrative proceeding’s decision is final. On the other hand, generic recidivism means any offense an offender commits within a 5-year period.
- ANPD has the discretion to repeal methodology and sanction calculation in some cases
One of the most controversial aspects of the Regulation is article 27. It states that ANPD may repeal the methodology to calculate sanctions and replace applying a fine with another sanction in the Regulation if the authority deems the sanction disproportionate to the offense’s severity. Some have criticized ANPD’s excessive discretionary power to repeal methodology because the methodology aims to bring predictability and legal certainty to processing agents subject to LGPD’s administrative sanctions.
Under article 27, ANPD’s possibility of repealing the sanction methodology must be “based on abstract judicial values” and “motivated and grounded.” However, we cannot rule out the risk that such a provision paves the way to arbitrary or unfair decisions. After all, the Regulation already defines severe sanctions for serious cases according to its own methodology.
Therefore, ANPD’s use of the exception in the Regulation’s article 27 may lead to lawsuits with uncertain results which will depend on the courts’ interpretations.
- Possible application of the Regulation to administrative proceedings that started before the Regulation came into force
Under article 28, the Regulation applies to administrative proceedings that had started before the Regulation came into force. That means the Regulation’s provisions may be enforced immediately to ongoing administrative proceedings.
The possibility of applying Regulation-based administrative sanctions to cases that had begun before its publication may result in lawsuits. Under LGPD article 53 paragraph 1, which defines methodologies to calculate a fine’s base amount, fines “must be published prior, so that processing agents are aware”. This rule may lead to queries if ANPD applies penalties to ongoing administrative proceedings for offenses that occurred before the Regulation was published.
Other important considerations
- Sanction application does not exempt the offender from repairing damages or being subject to other sanctions under other laws
The fact that ANPD may apply administrative sanctions does not exclude the possibility offenders may face lawsuits for material, moral, individual, or collective damages to data subjects due to an organization’s failure to comply with LGPD under LGPD’s articles 42 to 45. In fact, individuals have already been able to file lawsuits for damages due to non-compliance with LGPD since the law came into force in September 2020; the Brazilian courts have already judged several cases so far.
Moreover, ANPD’s potential administrative sanctions do not prevent other authorities, such as customer defense bodies and the Public Prosecutor’s Office, from applying sanctions under other laws, such as the Customer Defense Code.
- Applying sanctions is not the only tool ANPD can rely on to enforce the LGPD
ANPD’s containment action, as the body may now apply administrative fines, is just one of the regulatory means it has to enforce compliance with LGPD. Since October 2021, under the Inspection Process Regulation’s and the Administrative Sanctioning Process’s provisions, ANPD’s action must work toward a responsive regulatory approach, focusing on monitoring, advising, and preventing issues. The authority aims to raise awareness of a data protection culture among organizations, but it will apply sanctions if needed to halt offenders and assure compliance with LGPD.
Lefosse’s Technology, Data Protection and Intellectual Property team looks forward to assisting our clients and advising them on any questions about the new Regulation and how to adopt legal measures to comply with LGPD.