Last February 27, the Brazilian National Data Protection Authority (ANPD) issued a Resolution providing for administrative sanctions in cases of personal data protection violations. The fines - which had not yet been applied in Brazil - will be all over the news from now on.
According to the Brazilian General Data Protection Regulation Act (LGPD), fines are limited to a maximum of 2% of the revenue generated by the company or its corporate group in the previous fiscal year, excluding taxes, and capped at 50 million BRL per violation. The act provides for other types of administrative sanctions, which can range from a warning to a partial or total ban on exercising activities related to data processing, depending on the classification of the infraction (light, medium, serious).
Reputational damage is another sanction – an unwritten one – that causes great concern to companies. No organization would like to have its name associated with an infraction which could undermine consumer confidence in the brand's products and services. In the information society, prevention has never been so important.
In this sense, it pays to have developed - and maintained - a proper personal data governance plan in the organization. It should be noted that ANPD inspections may require copies of relevant documents in order to evaluate personal data processing activities. The Authority may also access facilities, equipment, applications, systems, tools, technological resources, data and information of a technical, operational or other relevant nature, regardless of whether these are in the possession of the company or of a third party. Inspections will make clear whether the organization's compliance program is generic and limited in scope, or whether it was tailored to the business and is comprehensive, as is recommended.
Furthermore, the ANPD regulation attaches special importance to training on personal data protection and cybersecurity. This initiative must involve all employees, suppliers, partners and other stakeholders. Moreover, it is well known that real achievements come through a change in culture; the mere advent of a law or regulation does not, by itself, change people's behavior or the organization's operational processes. That is why the emphasis on training, courses, workshops, etc. is so necessary. Not surprisingly, the ANPD expressly suggests "to the regulated agents to carry out training and courses". In fact, non-compliance with this guideline is considered an aggravating circumstance for the purposes of calculating the administrative sanction.
With an inspection at the gates, it is important to clarify that this procedure may occur at the initiative of the ANPD itself, as a result of either periodic inspection programs, or in a coordinated manner with other public agencies and entities, such as CVM, BACEN, CADE, SENACON (respectively, equivalents of the SEC, Central Bank, Antitrust authority and the Bureau of Consumer Protection) among others, or in cooperation with the personal data protection authorities of other countries.
The Sentencing Regulation informs that in order to define the sanction, authorities will take into consideration whether or not the offender displayed the following:
- good faith;
- cooperation with authorities;
- reiterated and proven adoption of internal mechanisms and procedures capable of minimizing the damage, aimed at the safe and adequate treatment of data, in accordance with the LGPD;
- adoption of a policy of governance and best practices;
- prompt adoption of corrective measures.
As can be seen from the criteria above, the application of a fine in a sanctioning procedure is shaped by considerations of the offender's behavior, prevention and reaction. In other words, it hinges on:
- behaving properly (good faith and cooperation)
- preventing violations through consistent, planned work (adoption of mechanisms to reduce damages) and through the elaboration of rules and internal processes that assure comprehensive compliance with personal data protection law. These are to be established and implemented by data processing agents through the adoption of best practices and governance rules, as per LGPD, Art. 50, header and § 1º, or through a privacy governance program, as per LGPD, Art. 50, header and § 2º (adoption of best practices and governance policy)
- reacting, by responding promptly and assertively to incidents and irregularities found (prompt adoption of corrective measures)
As for the calculation of the fines, the Sentencing Regulation presents a specific methodology for applying the sanction. The calculation is based on a base rate, which will take into account the percentage of the violator's revenues, ranging from 0.08% to 0.15%, when the violation is light; from 0.13% to 0.5% of revenues when the violation is medium; and from 0.45% to 1.50% of revenues when the violation is serious. In addition, for the calculation of the base rate, the level of damage caused by the infraction will also be taken into account.
Levels of damage are divided into four categories.
The first category, of zero value, corresponds to violations that cause no damage or only cause damage with insignificant impacts, which derive from predictable or ordinary situations and do not justify the need for compensation.
The second category, of value level 1, corresponds to violations causing injury or offense to the rights or interests of a small number of holders, with limited material or moral impact, which can be reversed or compensated relatively easily.
The seriousness rises to a third level, of value level 2, which corresponds to violations affecting diffuse, collective or individual rights or interests that, given the circumstances of the case, generate impacts of a material or moral nature on the holders that cannot be easily reversed or compensated.
Finally, the most serious degree of damage, of value level 3, corresponds to an offense to diffuse, collective or individual rights or interests that is irreversible or difficult to reverse and that causes, among impacts of a material or moral nature, discrimination, violation of physical integrity or of the right to image and reputation, financial fraud or misuse of identity.
The degree of damage is a factor in the mathematical operation set out in the Regulation, so its definition and respective level will weigh heavily on the values resulting from this equation, which also takes as inputs the infraction's classification and its respective percentage of the infractor's revenues.
After the definition of the base rate, in a second stage of sentencing, the applicable taxes are considered and subtracted from revenue, which leads to the so-called base amount of the fine. Aggravating and mitigating circumstances are then considered (third stage), to reach the final sanction to be imposed.
In cases where there is an advantage gained, and this can be reckoned, there is a fourth stage in the sentencing, in which authorities verify whether the resulting fine is at least double the amount of the advantage gained. If the amount of the fine is lower than this threshold, an adjustment will be made so that the final amount of the fine is twice the amount of the advantage obtained from the violation.
The following are considered aggravating circumstances: recidivism and failure to comply with an orientation measure or a corrective measure not complied with during the inspection process or the preparatory procedure that preceded the administrative sanctioning process.
In cases of recidivism, the base amount of the fine will be increased by 5% in cases of general recidivism and by 10% in cases of specific recidivism, up to the limits of 20% and 40%, respectively. The commission of a new violation by the same violator is considered general recidivism, regardless of the legal or regulatory provision involved, while the repetition of a violation under the same legal or regulatory provision is considered specific recidivism. In both cases, recidivism applies within a period of 5 years counted from the date on which the previous administrative sanctioning decision became final (res judicata) to the date of the new infraction.
Non-compliance with guidelines and preventive measures during inspection or preparatory proceedings that preceded the administrative sanctioning process will be considered as an aggravating factor. There is an increase of 20% for each measure not complied with, up to the limit of 80%. ANPD orientation measures include:
(i.) the preparation and availability of best practices guides and document templates to be used by treatment agents,
(ii.) the suggestion to regulated agents of training and courses,
(iii.) the preparation and availability of compliance self-assessment and risk assessment tools to be used by treatment agents,
(iv.) the recognition and disclosure of the rules of best practices and governance,
(v.) the recommendation:
a) of the use of technical standards that facilitate the control by the holders of their personal data;
b) of the implementation of the Privacy Governance Program; and,
c) of the observance of codes of conduct and best practices established by certification bodies or other responsible entities.
In cases of non-compliance with corrective measures - that is, those determined by the ANPD with the purpose of correcting the violation and bringing the violator back into full compliance with the LGPD and the regulations issued by the ANPD - the increase on the amount of the base fine will be of 30% for each measure, up to the limit of 90%.
If there is more than one aggravating circumstance in a given case, e.g. recidivism of the violator and also non-compliance with the orientation measure, the percentages relating to each portion must be added.
As for the mitigating factors, the base amount of the fine will be reduced by 30% to 75% in cases where the infringement is ceased. The reduction will be 75% when the infringement is ceased before the preparatory proceedings are initiated by the ANPD; 50% when it occurs after the preparatory proceedings are initiated and before the sanctioning administrative proceeding is initiated; and 30% if it occurs after the sanctioning administrative proceeding is initiated and before the first instance decision is rendered in that proceeding. It is important to note that, in the cases mentioned above, cessation of the violation resulting from mere compliance with an administrative or judicial determination will not be considered a mitigating factor.
It is also considered a mitigating factor, with a 20% reduction, for the offender to have implemented a best practices and governance policy, or to have repeatedly and demonstrably adopted internal mechanisms and procedures capable of minimizing the damages to the data subjects, aimed at the safe and adequate treatment of data. However, in order to count as a mitigating factor, this must have occurred before the first instance ruling is rendered in the administrative sanctioning proceeding.
When the offender proves the implementation of measures capable of reverting or mitigating the effects of the violation on the affected holders of personal data, there will be a 20% reduction, provided that this has occurred prior to the initiation of preparatory proceedings or administrative proceedings for sanctions by the ANPD. There will be a 10% reduction when such implementation has occurred after the opening of the preparatory proceeding and before the opening of the sanctioning administrative proceeding. The adoption of measures by the offender as a result of the mere compliance with an administrative or judicial determination will not be considered as a mitigating factor.
If the ANPD finds the offender to have cooperated and acted in good faith, this will also be considered a mitigating factor, leading to a fine reduction of 5%. In case there is more than one mitigating factor, following the same rationale of the aggravating circumstances, the percentages should be added up in benefit of the offender.
The fine, once imposed by the ANPD after due process, must be paid within 20 business days from the official acknowledgement of the ruling. An exception is made for small treatment agents, who will have twice as long for payment. In cases of arrears, default penalty interest and a late payment fee of 0.33% will apply.
The ANPD ruling may be appealed; however, if an offender expressly waives this right, it will be entitled to a 25% reduction in the amount of the fine imposed. In turn, if an appeal is filed and granted, the amount of the fine paid will be refunded, adjusted by the Brazilian base interest rate (Selic rate).
In conclusion, it is vital to stay alert and apply the knowledge derived from the rules of inspection and sentencing. This can be achieved by working with specialists in data protection, privacy and cybersecurity, either as your internal team and/or as third parties, in order to plan the governance of your company in a proper and up-to-date fashion.