Brazilian Data Protection Authority Penalties Can Now Be Applied

On February 27, 2023, the Brazilian Data Protection Authority (ANPD) approved the Regulation on Dosimetry and Application of Administrative Sanctions (the “Regulation”), which determines the methodology for applying the nine sanctions provided for in Law No. 13,709/2018 (LGPD). As a result, as of February 27, 2023, the following sanctions may be applied:

(i) a warning;
(ii) a single fine, of up to 2% of the legal entity's, group’s, or conglomerate's revenue in Brazil in its last fiscal year, excluding taxes, up to a maximum of R$50 million per violation;
(iii) a daily fine, with the fines totaling no more than R$50million;
(iv) publication of the infraction;
(v) blocking of the personal data to which the infraction refers until it is healed;
(vi) deletion of the personal data to which the infraction refers;
(vii) partial suspension of the operation of the database to which the infringement relates, for up to 6 months and extendable for an equal period, until the infringement is healed;
(viii) suspension of the processing activity of the personal data to which the infraction refers for up to 6 months and extendable for an equal period; and
(ix) partial or total prohibition from performing activities related to data processing.

Observations:

Sanctions (vii) to (ix) can only be applied after the imposition of one of the sanctions described in items (ii) to (vi) for the same case. The sanctions are triggered whenever there is any noncompliance with any obligation established by the LGPD.

1) The Regulation applies to ongoing administrative proceedings;

2) The Regulation established the concept of "group or conglomerate of companies”¹ and revenue². Such concepts directly impact the calculation basis of the fine of up to 2% of the revenues of this group in Brazil.

3) The ANPD may add up the revenues in all affected lines of business when (i) the infringement has occurred in more than one line of business or (ii) the personal data covered by the infringement are used to leverage, relate to, or are used as a source of information for processes in other lines of business of the company, group, or conglomerate.

4) Infractions will be increased in three levels, as briefly detailed below:

• Mild:

Established by elimination criteria, that is, mild is characterized by the absence of the elements of average and severe offenses.

• Average:

When the infringement significantly affects the interests and fundamental rights of the data subjects. This includes situations in which the processing activity may prevent the exercise of rights or the use of a service and/or cause material or moral damage to the data subjects, such as discrimination, violation of physical integrity, violation of the right to image and reputation, financial fraud, or identity theft.

• Severe:

When the infraction involves obstructing the inspection activity or when an average infraction is verified together with any of the following factors:

(a) processing of personal data on a large scale (significant number of data subjects or significant amount of personal data, long duration or significant frequency, or significant geographical extent)
(b) the infractor receiving or intending to receive an economic advantage as a result of the infraction committed;
(c) risking the life or physical integrity of the data subjects;
(d) processing sensitive data or personal data of children and adolescents and/or the elderly;
(e) personal data processing not supported by one of the legal hypotheses foreseen in the LGPD;
(f) unlawful or abusive discriminatory treatment; or
(g) the systematic adoption of irregular practices.

5) Based on the seriousness of the violation, the ANPD will determine the administrative sanctions. The Regulation sets out these LGPD sanctions:

6) The Regulation also details how the single fine will be calculated. The daily fine will also take into account the classification of the infraction (mild, average or severe) as well as the degree of damage, as explained below. The methodology involves the following phases:

A. Classify the infraction as mild, average or severe, as detailed above.

B. Gauge the percentage of turnover, if the offender is a legal entity with revenue, as follows:

For those legal entities with no revenue in the last fiscal year, the base value for calculating the fine shall be (i) the value of the violator's last revenue, excluding taxes, updated to the last day of the fiscal year prior to the application of the sanction or (ii) in the absence of that value, the following ranges of absolute values:

C. Determine the degree of damage. The ANPD has made available a table describing the possible grades, with a multiplication factor for the fine:

D) Calculate the base fine. According to steps 1 to 4 above, the base rate of the fine is calculated based on the following formula:

Base rate = (A2 – A1 ) x Degree of damage + A1
                         3

In this sense, the base value of the fine, over which aggravating and mitigating factors will be applied, is verified from the following calculation:

Base fine = Base rate x (revenue – taxes)

For legal entities without revenue, the basic fine value will be calculated as follows:

Base fine = (V2 – V1 ) x Degree of damage + V1
                         3

E) Analyze whether aggravating and/or mitigating factors could apply. Once the base fine is reached, the Regulation determines an increase or reduction percentage for several listed aggravating or mitigating situations, which can be cumulated. 

→ It is clear that maintaining a data protection governance program is relevant and significant for the ANPD, and is a mitigating factor in the fines.

F) Determine the final value.

The final amount of the fine, both for legal entities with and without revenue, will be determined as follows:

Value of the fine = Base fine x (1 + sum of aggravating factors - sum of mitigating factors)

The Regulation also stipulates that the amount of the simple fine cannot be less than double the advantage obtained or intended, when estimable.

In addition to this minimum standard earned from the advantage, in any case the final amount of the fine cannot be less than the minimum amounts described below for legal entities with revenues:

For legal entities without revenue, the minimum values will be:

G. Exception to the above methodology

The ANPD may depart from the entire dosimetry methodology set forth above, "in cases where harm to proportionality between the seriousness of the violation and the intensity of the sanction is found" (art. 27). According to the Dosimetry Regulation, the decision to depart from the methodology must demonstrate "the necessity and adequacy of the measure imposed, the disproportionality found, the public interest to be protected and the parameters adopted in the application of the sanction, considering the practical consequences of the decision" (sole paragraph of art. 27).

8. Payment

As a general rule, the simple fine and the daily fine must be paid within 20 business days³. The single fine is to be counted from the official date of the decision that imposed it. The daily fine, on the other hand, must be counted from the official date of the decision that assessed the respective amount due.

If the violator does not pay the fine within this period, interest will accrue at the Selic rate, plus 1% in the month of payment, in addition to a moratorium fine of 0.33% per day of delay, up to a limit of 20%.

If the violator does not make the payment within the deadlines described above, they will also lose the 25% reduction in the amount of the fine, which they may have secured by waiving the right to appeal the first instance decision.

Given the entry into force of the Dosimetry Regulation, it is clear that compliance with the LGPD and the ANPD regulation, besides being a matter of good business practice and ethics, is a legal necessity for any entity that wants to conduct business with personal data.

It is essential, therefore, that privacy governance programs are implemented or constantly reviewed and updated, with measures such as, mapping of the processing of personal data performed, the adequacy of contracts with third parties and privacy policies for data subjects, including employees, the implementation of policies and processes aimed at responding to information security incidents, proper disposal of personal data and compliance with data subjects' rights, the mapping of high-risk processing activities with the corresponding performance of impact reports, strengthening of organizational and technical controls for the security of personal data, among other various controls and measures.

We will always keep our customers and partners up to date on the data protection legal and regulatory landscape in Brazil.

¹ The group of companies, in fact or in law, with their own legal personality, under the direction, control or administration of a natural or legal person, or even a group of people who have, individually or jointly, power of control over the others, provided that integrated interest, effective communion of interests and joint performance of the companies that are part of it are demonstrated.

² I - gross revenue as per Article 12 of Decree-Law 1.598, of December 26, 1977 (income tax law), excluding returns and cancelled sales, as well as discounts granted unconditionally;

II - the gross revenue referred to in § 1 of art. 3 of Complementary Law no. 123, of December 14, 2006 (micro-enterprises or small-sized companies), excluding returns and cancelled sales, as well as discounts granted unconditionally, for legal entities that have opted for Simples Nacional;

III - the total amount of funds earned, excluding sales taxes, for non-profit private legal entities, under current legislation; or

IV - the value defined by the ANPD, which may consider: (a) the billing limit established in items I and II of art. 3 or in § 1 of art. 18-A, as the case may be, of Complementary Law no. 123, of December 14, 2006 (respectively, gross revenue equal to or less than R$360,000 and gross revenue higher than this amount and equal to or less than R$4.8 million), in the case of those opting for Simples Nacional;

(b) the billing limit provided for in item I, § 1, art. 4 of Complementary Law No. 182 of June 1, 2021 (gross revenue of up to R$16 million or R$1,333,334 multiplied by the number of months of activity in the previous calendar year, when less than 12 months), in the case of startups;

(c) the total turnover of the company, group or conglomerate of companies in Brazil if the information is not available for the line of business activity in which the violation occurred;

(d) the sum of the income received by natural persons related to personal data processing activities, directly or indirectly;

or

(e) in all other cases, the turnover limit corresponding to the maximum fine of R$50 million.

The ANPD may define the billing value, according to item IV above, when:

I - the violator does not present unequivocal and suitable documentation, characterized, among other forms, by fraud, falsehood, error, inaccuracy, simulation or omission as to any element defined by law as being a mandatory declaration;

II - the violator fails to present documentation within the period established by the ANPD; or

III - the billing value is submitted incompletely.

³ except if it is a small processing agent, in the form of Resolution No. 2 of the ANPD, when they will have 40 working days.