Luanna R. Peporini and Matheus Perez Matsuno
Despite the uproar caused by the entry into force of the articles of Law No. 13.709/18 (Brazilian General Data Protection Law or LGPD), on August 1, that deal with the application of administrative sanctions by the National Data Protection Authority (ANPD), at this first moment the sanctions should not be the main reason for companies to suit the LGPD.
In force since 18 September last year, the LGPD provides for the processing of personal data – i.e. data of identified or identifiable individuals – and aims to protect the fundamental rights of freedom and privacy and the free development of the personality of the natural person. Thus, the search for the rights of privacy and data protection of data subjects should be a goal set by all companies.
In contrast, as a practical guarantee of respect for the rights mentioned, non-compliance with the provisions of the LGPD, since its entry into force, may lead to individual or collective legal proceedings, as well as the application of penalties provided in the Consumer Protection Code and the Civil Framework of the Internet by consumer protection agencies, which have already been acting in this regard.
Furthermore, as a way of ensuring compliance with the LGPD, the standard itself provides for the application of administrative sanctions by the ANPD (Articles 52 to 54). Among them, we mention the fine of up to 2% of the billing in the last fiscal year, excluding taxes, with a limit of R$ 50 million for infringement, and the partial or total prohibition of the exercise of activities related to the processing of personal data. Such sanctions apply only to facts initiated after August 1, 2021 or continuing facts initiated before that date.
However, it seems that the application of these penalties will not be the initial posture of the ANPD. This is because Article 53 of the LGPD states that the ANPD must issue its own regulation in relation to sanctions, including methodologies that guide the calculation of the basic value of the applicable fines. The so-called Regulation of Supervision and Application of Administrative Sanctions has undergone public consultation and is in the process of being completed, with the exception of dosimetry and fines, which will still be the subject of public consultation.
The document can still be edited but presents a structure that does not provide for the immediate application of sanctions to data processing agents, but rather an initial conduct of an educational nature. For example, the Regulation first provides for monitoring, guidance and preventive activities before addressing the application of sanctions.
Not only that, the LGPD determines that the application of such sanctions requires careful assessment and consideration of different circumstances, in line with the severity and nature of the offences, as well as the personal rights affected, degree of damage, economic condition of the infringer, their level of cooperation, adoption of good practice and governance policy and prompt adoption of corrective measures.
The application of administrative sanctions must respect the right to due process and broad defense, in accordance with Law No. 9,784/99 and the ANPD regulations themselves. To that end, the Regulation stipuorders that the sanctioning procedure will comprise the following phases: establishment, investigation, decision and appeal.
At this first moment after the entry into force of administrative sanctions, the ANPD's stance tends to be more didactic and educational, prioritizing, at most, the application of the warning sanction, in order to contribute to awareness of privacy and data protection issues through dialogue.
However, non-compliance with the rules for the processing of personal data is also subject to other penalties not provided for in the LGPD, since these do not replace the application of administrative, civil or criminal sanctions defined in the Consumer Protection Code and in specific legislation, at the initiative of other bodies, such as the Public Prosecutor's Office, Procon, Public Defender's Office and associations, by filing administrative proceedings or filing class actions, or even on the initiative of individuals, via individual actions.
Our recommendation is that companies seek to adapt to the LGPD not only because of sanctions that may be imposed by the ANPD, but also out of respect for the rights of personal data subjects and for all other risks related to lack of adequacy.
Sign up here if you would like to receive our newsletter with official information from the ANPD.