While the Brazilian General Data Protection Law (LGPD) was signed into law in 2018 and has been in effect since 2020, until recently it lacked an enforcement mechanism. In February 2023, Brazil’s Data Protection Agency (ANPD) announced the sanctions available under the law and now has the means to enforce compliance.
The LGPD brings some 40 different laws governing personal data in Brazil under a single umbrella. It covers at least 12,000 large companies (over 250 employees) that control or process data of Brazilian citizens, and it grants those citizens the rights to confirm, access, correct, anonymize, delete, and otherwise control their personal data. As the largest economy in Latin America, Brazil helps define standards for the region, but it is also a prominent target for cybercriminals. Giving the ANPD a means of requiring compliance may spur companies with lax data protection postures to take corrective action more quickly, reducing their exposure to cybercrime.
On February 24, 2023, the ANPD issued the Regulation on Calculation and Application of Administrative Sanctions, which explains the enforcement mechanisms available under the LGPD and sets out the criteria the ANPD will use in calculating and applying sanctions for non-compliance. While penalties can be severe, the ANPD does offer leniency for companies that make good-faith efforts to comply and to correct issues, and the regulation requires the agency to weigh both mitigating and aggravating factors when determining the penalty for a given infraction.
The ANPD has a wide range of enforcement tools under the regulation, ranging from warnings to single or daily fines, as well as requiring disclosure of infractions, deletion of personal data, and, at the extreme, suspension or prohibition of data use or processing. A single fine can reach 2% of the company's revenue in Brazil for its prior fiscal year, capped at 50 million Brazilian Real per infraction (roughly US$10 million at early-2023 exchange rates). Daily fines are subject to the same cap and can quickly become prohibitive for most businesses that must comply. The most severe sanctions (such as the prohibition of data use or processing) may only be imposed on repeat offenders, after fines and other less severe enforcement actions have already been taken by the ANPD.
This new regulation is a clear example of how data protection authorities are focused on raising awareness and strengthening data protection by collaborating with data controllers and processors. Experience in many other countries, such as Spain, France and the UK, has shown that dialogue and cooperation between authorities and corporations produce a higher level of compliance with privacy regulations than simply imposing large monetary fines.
This should be an incentive for data controllers and processors in Brazil to design and implement a strong privacy program (for those who haven't started yet) and, at the same time, to start building an honest and transparent relationship with the ANPD, seeking guidance and collaboration in cases where things go wrong or where interpretation of the regulation is difficult. This model already works in many other countries, so Brazil is on the right path to succeed in a Privacy-by-Design environment.