Published on 28/02/2023

Brazil Data Protection Authority issues regulation on dosimetry of penalties

On February 27, the National Data Protection Authority (“ANPD”) published Resolution CD/ANPD 4/2023, which sets out the procedures for the application of administrative sanctions to data processors that violate the General Law on Data Protection (“LGPD” – Law 13,709/2018) and contains a guide for the dosimetry of fines. In interviews, ANPD members have stated several times that they were only waiting for the publication of this Resolution to start applying penalties arising from violations of the LGPD. Their focus was to ensure uniformity and proportionality of such penalties, bringing greater legal certainty to the LGPD.

 

Content of the Resolution

As per the LGPD, companies that violate the law are subject to sanctions ranging from a simple warning to fines and obligations such as blocking or deletion of personal data. One of the first issues clarified by the Resolution is that some sanctions may only be applied after the imposition of milder penalties. In this sense, article 3, §1 establishes that the sanctions of partial suspension of the operation of databases, suspension of the exercise of the activity of processing personal data and the prohibition of the exercise of activities related to the processing of personal data should be considered as severe penalties, which can only be applied after other milder sanctions have been applied for the same specific case.

 

Classification of the Violation 

The Resolution establishes a classification of violations, in order to guide the application of penalties:

  • Medium violation: one that significantly affects the interests and fundamental rights of the personal data subjects and may prevent or limit the exercise of rights or the use of a service, as well as cause material or moral damages.
  • Serious violation: one that, in addition to the risks and damages that characterize a medium violation, also meets one of the following hypotheses: (i) involves processing of personal data on a large scale; (ii) gives the offender an economic advantage; (iii) involves processing of sensitive personal data, or data of children, adolescents or the elderly; (iv) entails risks to the lives of the data subjects; (v) is the result of data processing unsupported by one of the legal grounds provided for in the LGPD; (vi) has discriminatory, unlawful or abusive effects; or (vii) is carried out in the context of systematic irregular practices by the offender.
  • Mild violation: by exclusion, a mild violation is one that does not fall under the definitions of medium or serious violations.

The definition of the gravity of the violation has two main purposes: (i) to determine the type of sanction applicable; and (ii) if monetary penalties such as simple fines and daily fines are applied, to determine the base value of the penalty. In this sense, for example, it should be noted that serious violations cannot be punished with warnings and should be subject to fines.

Penalty value

Monetary penalty

With respect to simple fines, the Resolution establishes that the following factors will be considered in the calculation of the base amount: (i) the classification of the violation; (ii) the offender’s revenues; and (iii) the extent of the damage caused by the violation. This value will then be subject to reductions or increases, depending on the incidence of extenuating or aggravating factors. If the offender is a repeat offender, or has failed to comply with remedial or corrective measures previously imposed by the LGPD, the fine will be increased. On the other hand, the fine may be reduced if the offender ceases the infringement, or implements good governance practices, policies or internal mechanisms and procedures capable of minimizing the damage to the data subjects, or capable of reversing or mitigating the effects of the infringement.

Finally, after calculating the amount due as a simple fine, the ANPD will verify the following: (i) whether the processing agent obtained an economic advantage as a result of the violation; and (ii) the amount of the offender’s revenues. With regard to the first point, if the processing agent has obtained an economic advantage, the fine must be at least double the advantage obtained. Additionally, the ANPD will verify that the final amount of the fine complies with the limit of 2% of revenues of the company, or R$50 million, as applicable.

Daily fine

Regarding the application of daily fines, the Resolution establishes that this penalty can only be applied when necessary to guarantee compliance, within a certain period, with another non-pecuniary penalty. Alternatively, it may also be applied when the offender fails to remedy irregularities within the specified period, hinders ANPD monitoring, or commits a permanent violation until the date of the decision.

Other Penalties

The Resolution also clarifies some matters about penalties such as the blocking or deletion of personal data or partial suspension of database operation. Whenever the offender is notified of the application of one of these penalties, it must immediately notify the other processing agents with whom it has shared data, so that these third-party agents repeat the same procedure. Such communication will not have to be performed when it is impossible or involves disproportionate effort.

Finally, the Resolution suggests that the most severe penalty is the prohibition of carrying out activities related to the processing of personal data. The ANPD can only apply this penalty when (i) the offender repeats a violation punished with suspension of the operation of the database, or of the exercise of the activity of processing personal data; (ii) the offender processes personal data for illegal purposes or without legal grounds; or (iii) the infringer loses or does not meet the technical and operational conditions to maintain the adequate processing of personal data.

Dias Carneiro’s Privacy and Technology team will continue to monitor the application of this Resolution.