On August 1, 2021, came into force the articles of the Brazilian General Data Protection Law (“LGPD”) that establish the inspection and application of penalties by the National Data Protection Authority (“ANPD”) in the administrative sphere for violations of the LGPD.

After proper assessment through administrative procedure, the applicable sanctions provided for in article 52 of the law are:

  • warnings, indicating the deadline for taking corrective measures;
  • fines of up to 2% of the revenue of the legal entity, group or conglomerate in Brazil for the prior fiscal year, limited to R$50 million per infraction;
  • daily fines;
  • publicizing the assessed and evidenced violation;
  • blocking of personal data to which the violation refers to until its regularization;
  • deletion of personal data;
  • suspension of collection and processing activities, without prejudice to compensation for damages caused to data subjects; and
  • partial or total prohibition of the exercise of activities related to data processing.

In order to regulate the art. 52 of the law, ANPD submitted to public consultation, in May 2021, a proposal for a Resolution on the agency’s inspection strategy. The document establishes that the inspection will consist of monitoring, guidance, preventive and repressive activities, based on the following values:

  • evidence-based regulation;
  • proportionality between risks and allocated resources;
  • transparency and permeability, which allow society to monitor and contribute to the improvement of ANPD’s performance;
  • transparent and fair processes, with clear rules on rights and obligations; and
  • promotion of compliance by the most diverse instruments and approaches.

In order to glimpse the dynamics of the imposition of fines by Data Protection Authorities around the world, there are the fines based on the GDPR (General Data Protection Regulation), the European data protection regulation in force since May 2018. In the period of just over three years of its effectiveness, the GDPR has already given cause to the application of more than 700 fines, reaching the amount of almost €300 million Euros. That amount was recently surpassed by a single fine imposed on Amazon.com Inc.

In a decision of July 16, 2021, Luxembourg National Data Protection Commission (CNPD) sanctioned Amazon with the highest fine ever imposed in the amount of 746 million euros ($888 million). The CNPD considered that Amazon would have processed personal data of its customers in violation of the GDPR. The case refers to a complaint filed in 2018 by the French data protection rights group “La Quadrature du Net”, and the decision is still subject to appeal. Before that, the largest fine applied to date was a 50 million-euro penalty imposed on Google issued by CNIL, French’s enforcement agency for data privacy protection.

However, it is important to remember that in addition to the imposition of fines, other penalties that may be even more harmful to the business can apply, and which can result in loss of customers, brand value and credibility in the market.

Even though the ANPD is focused on the regulation, guidance and education about the law, companies must be prepared for the monitoring of ANPD, together with other public agencies and entities that defend collective interests such as the public prosecutor’s office.

For more information, please contact us.