Personal Data Protection – Fines for infringing the General Personal Data Protection Law (LGPD) will start to be applied in Brazil

Personal Data Protection – Fines for infringing the General Personal Data Protection Law (LGPD) will start to be applied in Brazil

By Marina Inês Fuzita Karakanian and Ana Carolina Lee Barbosa Del Bianco

The LGPD – General Personal Data Protection Law (Law 13,709/2018) was published in Brazil on 14 August 2018 and entered into force on 18 September 2020, except in relation to administrative penalties which came into force in the country only on 1 August 2021.

Nevertheless, it was only on 27 February 2023 that the National Data Protection Authority (ANPD) published the Regulation on Calibration and the Application of Administrative Sanctions (Regulation) establishing the criteria for its application.

In other words, it was only following publication of the mentioned Regulation that the ANPD began to have clear and established criteria for the application of administrative sanctions, including for calculating the base value of fines. The sanctions, on the Other hand, will have retroactive effects, and infringers may be penalised for violations that have occurred since 1 August 2021.

There are currently eight sanctioning administrative procedures instituted by the ANPD at the production of supporting evidence stage, which were awaiting publication of the Regulation, and over six thousand complaints in the queue to be processed by the Agency.

The administrative penalties are set forth in Articles 52 and 53 of the LGPD, and range from a warning, with an indication of the deadline for adopting corrective measures, to the imposition of a fine of a maximum of 2% of the company’s revenue, limited to 50 million Brazilian reais per infringement.

It is important to emphasise that the harm caused by infringement of the LGPD rules may not only be financial, since one of the penalties set forth is the publication of the infringement, after it has been investigated and confirmed, which also generates reputational damage for infringers, which often ends up being even more important to the company than the value of the fine.

Added to the risks, the criteria set forth in the Regulation for the application of penalties for infringements of the LGPD further evidence the need for companies to adopt good governance practices and comply with the LGPD. They are (Article 7 of the Regulation):

(i) the seriousness and nature of the infringements and personal rights affected;

(ii) the infringer’s good faith;

(iii) the advantage gained or intended by the infringer;

(iv) the infringer’s economic situation;

(v) recurrence;

(vi) level of damage;

(vii) the infringer’s cooperation;

(viii) the adoption of internal mechanisms and procedures capable of minimising the damage;

(ix) the adoption of good practices and Governance policy;

(x) prompt adoption of corrective measures;

(xi) proportionality between the seriousness of the fault and the intensity of the sanction.

It is important to note that the regulation on calibration sets forth mitigating circumstances that may significantly reduce the amount of the fine, such as the cessation of the infringement in the shortest possible time, the implementation of a good practice and governance policy, in addition to measures to mitigate damages to data subjects.

In addition to the penalties that may be applied by the national authority, infringements of the LGPD may also generate a claim for compensation by data subjects, both for material and moral damages. In this regard, in a recent ruling of 7 March 2023, the Superior Court of Justice, in the case records of Special Appeal no. 2.130.619-São Paulo (2022/0152262-2), took the view that moral damages are not presumed, that is, data subjects must prove the damage resulting from the leak of their data.

Such ruling, however, is not binding, and, as the LGPD does not provide a specific definition on the issue, the Judiciary must analyse, in each case of a data leak, whether the damage caused is presumed or whether it must be proven.

In any event, it appears that, although a compliance project often fails to shield companies from the possibility of incurring an infringement, it certainly significantly reduces this risk, in addition to ensuring companies are better prepared so that damages are minimised in the event of a data leak, which will consequently reduce the severity of any penalty, the amount of a possible fine and even possible compensation.

Incidentally, it may not be enough for companies only to comply with the LGPD. In the event of a security incident, companies must have documents that effectively prove their good practices, especially a Record of Processing Activities (ROPA), demonstrations of employee training and minutes of the privacy committee’s periodic meetings, in addition to Other governance measures.