The Brazilian Data Protection Authority (ANPD) published the regulation on February 27, establishing parameters and criteria for applying enforcement measures.
Besides providing specific rules for the application of sanctions, such as gradual, isolated, or cumulative application, the regulation also ensures that the ANPD will only apply an enforcement measure after an administrative procedure and based on a reasoned decision, ensuring the right to a full defense, adversarial proceedings and due process of law.
Infractions may be classified as severe, moderate, or mild. The violation significantly affecting data subjects’ interests and fundamental rights is considered moderate. The ANPD will consider severe infraction when there is an obstruction to the inspection activity and, in addition:
- involves the processing of personal data on a large scale.
- there is an economic advantage because of the offense committed.
- involves risk to data subjects’ lives.
- involves processing sensitive data or personal data of children, adolescents, or the elderly.
- carry out the processing of personal data without support in one of the legal bases provided in the Brazilian Personal Data Protection Law (Law 13.709/18 – “Lei Geral de Proteção de Dados”);
- data processing with illicit or abusive discriminatory effects; or
- continuous irregular practices by the offender.
An infraction that does not characterize one of the hypotheses above will be considered mild.
Although the LGPD already provided the sanctions for violation of the law, the ANPD presented more criteria for evaluating these sanctions:
- concerning the warning penalty, the ANPD will apply it for a mild or moderate infraction when it does not characterize specific recidivism or when there is a need to impose corrective measures.
- simple fine of up to 2% of the revenues – limited to BRL 50 million – per breach if one of the following occurs: (i) a severe infraction; (ii) lack of preventive or corrective measures; or (iii) due to the nature of the breach, processing activity or personal data and the circumstances of the particular case.
One of the appendixes to the regulation establishes the criteria for identifying the basis value for applying a fine. The same appendix provides classifications applicable to information, offender’s revenue, and degree of damage.
The regulation also provides specific rules for defining revenue, which may be considered the gross revenue, the total amount of funds earned, or a value determined by the ANPD for cases where the offender does not present supporting documentation according to regulation-established criteria.
In addition, the regulation establishes that the simple fine may be increased by up to 40% for cases of specific recidivism, up to 20% in cases of generic recidivism or for each non-compliance with guidance or preventive measures, and up to 30% for each non-compliance with corrective actions.
The ANPD can also reduce the fines up to 75% in cases of cessation of the infringement, implementation of a good practice and governance policy, demonstration of internal mechanisms and procedures capable of minimizing damage to data subjects, and proof of measures capable of reversing or mitigating the effects of the infringement on the personal data subjects affected.
- daily fine, applicable to ensure compliance with a non-pecuniary sanction or with a determination established by the ANPD, considering the time between the imposition of the fine and the fulfillment of the obligation, and considering the classification of the offense and the degree of harm to data subjects.
The ANPD may also apply this sanction after failure to adjust irregularities within the deadline, obstruction of the inspection activity, or the practice of permanent infraction that has not ceased until the decision. The fine may be reduced when the offender waives the right to appeal of the decision.
The offender must pay the daily fines within up to 20 working days, from the first working day of delay in complying with the enforcement measure, or from the working day after the notification of the decision. The absence or delay in payment will result in the applicable interest and a fine of 0.33%.
- blocking personal data related to the infraction until its regularization, which is the temporary suspension of any processing procedure with personal data until the conduct is regularized. In these cases, the offender must communicate the fulfillment of the obligation and prove the regularization for the unblocking.
- deleting personal data related to the infraction, which is the deletion of the data or set of data stored in a database. The fulfillment must also be communicated to the ANPD, except when communication is proven impossible or involves disproportionate effort.
- partial suspension of the usage of the database related to the infraction for a maximum period of six months, extendable for an equal period, until the controller regularizes the processing activity. For these cases, the offender must also prove the fulfillment to restore operation.
- suspension of personal data processing related to the infraction for a maximum period of six months, extendable for an equal period, considering the public interest, the impact on the rights of the data subjects, and the classification of the infraction.
- partial or total prohibition of personal data processing for cases where: there is recidivism of the infraction punished with a partial suspension of the database or the processing of personal data; processing personal data for illicit purposes or without legal support; or when it does not meet the technical and operational conditions to maintain the adequate processing of personal data.
The regulation does not establish more details about the sanction that determines the publication of the infraction after its occurrence. It only provides that it must be distinct from the publication of a decision to apply an administrative sanction in the Official Gazette or with the other acts carried out by the ANPD to comply with the principle of administrative publicity.
In addition to the above, the regulation also establishes the following rules:
- the sanctions of partial suspension of database usage, suspension of personal data processing and partial or total prohibition of personal data processing will only be applied after at least one of the other sanctions has already been imposed for the same specific case.
In these cases, the ANPD will inform the main sectoral regulatory body so that it can express its opinion, within 20 days, on any consequences of the imposition of sanctions for the economic activities;
- sanctions may be applied to public entities, except for sanctions that provide for the imposition of fines; and
- the parameters and criteria for defining the sanction must follow:
- the severeness and nature of the infringements and personal rights affected.
- the good faith of the offender.
- the advantage gained or intended by the offender.
- the economic condition of the offender.
- the specific recurrence.
- generic recurrence.
- the degree of damage.
- the offender’s cooperation.
- the repeated and demonstrated adoption of internal mechanisms and procedures capable of minimizing damage, aimed at the safe and adequate data processing, per the LGPD.
- the adoption of good practice and governance policy.
- prompt adoption of corrective measures; and
- proportionality between the seriousness of the fault and the intensity of the sanction.
The ANPD also describes the methodology for calculating fines in the appendixes to the regulation. For the simple fine, the total calculation includes the basis value of the fine multiplied by one plus the sum of aggravating percentages minus the sum of mitigating percentages.
It is necessary to define the basis rate for applying this formula, which ranges from 0.08%, the minimum rate for minor violations, to 1.5%, the maximum rate for severe violations.
After defining the rate, the ANPD must determine the degree of damage, classified from 0 to 3, which ranges from the absence of damage or insignificant impacts to the data subjects to injury or offense to diffuse, collective or individual rights or interests, as well as the minimum values and maximum for defining the basis value of the fine.
Once the ANPD determines the degree of damage, the basis rate for the fine must be determined, which considers the maximum rate based on the classification of the infraction minus the minimum rate, divided by three, multiplied by the degree of damage, and added to the minimum rate.
The basis value for applying the fine is calculated by multiplying the basis rate by gross revenue, excluding taxes. For cases where there is no billing, a calculation similar to that of the rate will be carried out, considering, however, a maximum and minimum value depending on the classification of the infraction.
The basis value may be at least BRL 1,500 for minor violations, up to BRL 15,750.00, for severe violations.
For cases where the advantage obtained is estimable, the fine amount will be double the advantage. For these cases, there will be an adjustment to the minimum and maximum limits of the fine: BRL 1,000 to BRL 4,000 for individual or legal entities without billing, and from BRL 3,000 to BRL 12,000, for other types of legal entities.