Brazilian Data Protection Authority publishes guidelines for imposing administrative penalties


The Resolution of the Brazilian Data Protection Authority, which addresses the application of administrative sanctions for non-compliance with our General Data Protection Law, was published on February 27th, 2023. The eagerly awaited Regulation on Sentencing Guidelines and Application of Administrative Sanctions is a set of rules established by the national authority that elaborate and detail the application of sanctions in cases of violation of Law 13.709 (LGPD).

The approval of the regulation strengthens the supervisory and sanctioning capacity of the ANPD in response to violations of the LGPD, providing the authority with legitimacy and enforcement power. It should be noted that the development of the regulation is a requirement stipulated in Article 53 of the LGPD, essential for the application of fines by the National Data Protection Authority.

Objectives of the Sentencing Guidelines:

The Sentencing Guidelines aim (i) to regulate Articles 52 and 53 of the LGPD, defining parameters and requirements for the application of sanctions (pecuniary and non-pecuniary) by the ANPD, as well as establishing methodologies for calculating the base value of fines; and (ii) to amend Articles 32, 55, and 62 of Resolution No. 1 CD/ANPD, improving the sanctioning and supervisory administrative process – allowing for enforcement action by the ANPD (always protecting due process, the right to be heard, and providing legal certainty and transparency).

Elaboration Process:

The participation of different stakeholders was crucial for the development of the Sentencing Guidelines. During the consultation period (August 15th to September 15th, 2022), 2,504 contributions were received regarding the draft regulation. A public hearing was also held, which received 24 contributions.

What are Sentencing Guidelines?

Sentencing guidelines are essential for determining the most appropriate penalty for each situation of possible violation of the provisions of the LGPD, as well as assisting in the monetary calculation of the fine amount. The Sentencing Guidelines will consider, in addition to the criteria and procedures for the application of sanctions, other factors involved, such as the damage or harm caused to data subjects.

Objectives

The Sentencing Guidelines aim to ensure adequacy and proportionality between the offender’s conduct and the sanction to be applied, guaranteeing legal certainty and the protection of due process. Sanctions must be balanced and fair.

Article 53 of the General Data Protection Law provides that “the national authority shall define, through its own regulation on administrative sanctions for violations of this Law, which shall be subject to public consultation, the methodologies that will guide the calculation of the base value of fine sanctions.” That is, the regulation is a condition for the application of fines and for the effectiveness of inspection processes.

What sanctions can be applied?

• Warning;

• Simple fine, up to 2% (two percent) of the company’s revenue, limited, in total, to R$ 50,000,000.00 (fifty million reais) per violation;

• Daily fine, with a total limit of R$ 50,000,000.00 (fifty million reais);

• Publicizing the violation;

• Blocking of personal data usage;

• Elimination of personal data;

• Partial suspension of the operation of the database for a maximum of 6 (six) months, extendable for an equal period until the situation is regularized;

• Suspension of the exercise of personal data processing activity for a maximum of 6 (six) months, extendable for an equal period;

• Partial or total prohibition of activities related to data processing.

There is also the possibility of blocking or permanently deleting personal data that is irregularly processed by violators of the LGPD.

It should be noted that all sanctions provided for, except for fines, may also be applied to the Public Administration.

What happens with the money collected from fines?

The money collected from fines imposed by the ANPD will be directed to the Fund for Diffuse Rights (FDD) – which aims to repair damages caused to consumers, the environment, artistic, historical, aesthetic and tourist assets, economic order infractions, and more.

Application of the Sanctions:

Sanctions can only be applied after a proper analysis conducted in administrative proceedings that guarantee due process of law and the right to a full defense.

The following criteria should serve as a guideline for the application of sanctions:

• Severity and nature of the infractions and the personal rights affected;

• Good faith of the offender;

• Advantage obtained or intended by the offender;

• Economic condition of the offender;

• Recidivism;

• Degree of harm;

• Offender’s cooperation;

• Adoption of internal mechanisms and procedures capable of minimizing harm;

• Adoption of good practices and governance policies;

• Immediate adoption of corrective measures; and

• Proportionality between the severity of the offense and the intensity of the sanction.

Sanctions and their Usefulness

Administrative sanctions complement the ANPD's enforcement approach and serve as an incentive for compliance with the LGPD. However, the ANPD is not restricted to sanctions: it adopts a responsive model of enforcement that includes preventive and educational measures to promote compliance with data protection laws.

What changes from now on?

The Sentencing Guidelines allow the ANPD to apply administrative sanctions in a clear, objective, and secure manner – guaranteeing the protection of citizens’ fundamental rights with respect for the privacy of personal data. Brazil has been increasingly aligning itself with the best international data protection practices, promoting a safe and transparent business environment for everyone.

We recently published an explanatory guide to the new ANPD resolution (available here, in Portuguese), which will soon be made available in English. In the meantime, if you would like to deepen your knowledge about the application of sanctions for non-compliance with data protection legislation in Brazil, or if you have any questions, please do not hesitate to contact our team of experts.

Al. Joaquim Eugênio de Lima, 680,
1º andar, Jardim Paulista – São Paulo / SP

© 2023 All rights reserved. | Site designed by FutureBrand

+55 11 2189-0061
contato@opiceblum.com.br
