Brazilian DPA can start to apply fines now
Last February 24th, due to the Resolution nº 4, the National Data Protection Authority (ANPD) established the rules for the calculation of severity levels related to data breach and other personal data violations, to start the execution of administrative sanctions, which was missing point to apply the fines.
The main purpose to establish a dosimetry approach aims to point out proportionality criteria between the infraction and the measure adopted by ANPD, which includes three tiers of penalty for an infringement, according to the severity. It also sets out aggravating and mitigating circumstances that will be taken into account in arriving at a fine, as well as a mathematical formula for assessing the amount of fines imposed.
Although, they intended to be effective, proportionate and dissuasive, and will be decided on a case by case basis. The practical implications are to enable the initiation of penalties by the ANPD.
Since the law came into force, in September 2020, there are many cases being conducted by Authority's administrative procedures - there have already been more than seven thousand reports of complaints related to personal data-violation until March 2023 last report of ANPD. Because it is an extremely detailed law, the institutions have been preparing themselves in so different ways for this moment. Traditionally in Brazil, the law effectiveness only happens with the possibility to impose a fine.
This is a major advance in achieving a culture of privacy and data protection in Brazil. Those who had already implemented security programs should review the standards and procedures, paying attention to possible updates. For those who have not yet started, it is high time to invest in LGPD compliance actions.
Details of Resolution #4
It is important to note that the Resolution nº 4 is applicable both for infractions before its publication date and for future infractions, which means that administrative proceedings already underway before the ANPD will be based on the published rules. From now on it is expected that the first decisions regarding sanctions will be issued, including the publication of infractions - as provided in article 52 of LGPD.
Another point of attention is that some concepts were not well defined, which may generate a trend to judicialization of its decisions - as in the case of serious infringements. There was an expectation of greater objectivity, but the ANPD ended up not providing a more detailed definition of what is considered large-scale processing, leaving a subjective definition, such as a significant number of users and volume of data, without more assertive parameters. The standard talks about a 'significant number of affected data subjects'. But it does not stipulate a percentage of the total data subject base.
A positive aspect was the provision for the hearing of other sector regulators at the time of instruction, which reduced the risk of divergent understandings and increases the alignment between Authorities. Otherwise, there is a great concern related to the possible application of fines calculated considering the total revenue of the Economic Group of Enterprises.
Regulatory agencies, such as CADE (Administrative Council for Economic Defense), Anatel (National Telecommunications Agency), Aneel (Brazilian Electricity Regulatory Agency), will be heard in the processes of companies whose sectors are regulated, since the same case may have different interpretations. But the ANPD continues to have the priority of conducting and deciding, and will hear to the entity about the impacts of a sanction on the market.
It is also worth mentioning that the best practices policy generates mitigating factors. For example, it is possible to have a fine discount of up to 20% if the application of best governance practices is demonstrated. Many companies have started to implement their Privacy and Data Protection programs since 2018, but as time goes by there ends up being a certain cooling or even interruption or lack of continuity of actions. Therefore, it is extremely important to update the LGPD Program and keep the Privacy Committee active, a role that is usually played by the Data Protection Officer (DPO).
Therefore, one of the expected results with the valorization of governance measures as mitigation is to contribute to DPOs gaining space, relevance, priority in the executive agenda, budget, so that they give continuity to the compliance program. In addition to having to comply with the LGPD, it becomes a good shield when faced with an inspection. For this purpose, it is necessary to maintain educational campaigns, data protection committee, regular meetings, and generate minutes. It is an ongoing program, not a project.
Article provided by INPLP members: Patricia Peck and Lorena Botelho (Peck Advogados, Brazil)
Dr. Tobias Höllwarth (Managing Director INPLP)