February 26, 2024

ANPD Applies First Sanctions of 2024

Authors:

Additional author     Ana Letícia Allevato

The Brazilian Data Protection Authority (Autoridade Nacional de Proteção de Dados, “ANPD”) applied its first two sanctions of 2024 against two Brazilian governmental institutions. It is worth noting that, as both are public bodies, neither entity is subject to fines.

First Sanction

In the first case, the ANPD found that a 2021 security breach improperly exposed the contents of a public school program made by the governmental institution in question, including the registration information and health data of 3,030 minors and their guardians. According to the ANPD, human error contributed to the improper access of the program’s participants’ data by unauthorized parties.

The ANPD classified the incident as “serious,” as it involved the access to the personal health data of a significant number of subjects, including minors. The ANPD initially demanded that necessary measures be taken to address the breach. Subsequently, ANPD demanded that the entity submit a record of personal data processing operations ("ROPA"), data protection impact assessment ("DPIA"), communications to the affected data subjects, and its information security and privacy incident management plan. Such requests by the ANPD for additional information and evidentiary support of a compliant information security program following security incidents are routine.

According to the ANPD, its demands were not fully met by the impacted governmental institution, which only provided evidence of communication to data subjects during the ANPD's sanctioning process, eight months after the Authority's initial demand to do so.

Ultimately, the ANPD applied four sanctions:

  • Warning for the minor violation of not maintaining a ROPA (Art. 37, LGPD);
  • Warning for the minor violation of not preparing a DPIA after a request from the ANPD (Art. 38, LGPD);
  • Warning for the serious violation of not notifying the data subjects of the security incident within a reasonable time; however, the ANPD understood that the delayed communication was compliant with LGPD regulations (Art. 48, LGPD); and
  • Warning for the serious violation of not presenting an incident management plan within the deadline established by the ANPD, which constituted—according to the Authority—obstruction of the ANPD’s inspection activity, and therefore, a serious infraction (Article 5, Dosimetry Regulation).

The governmental institution narrowly avoided a potential fifth sanction. The ANPD alleged that the governmental institution failed to adequately train users to use the impacted platform (a violation of Article 46’s duty to adopt administrative measures for information security). However, the ANPD dismissed this sanction after taking into consideration the impact the COVID-19 pandemic had on public and private entities, including the inability to reasonably carry out training. In light of these extenuating circumstances, the ANPD concluded that the pandemic constituted a force majeure in this case, thereby rendering potential sanctions connected to the infraction moot.

When reviewing the ANPD’s decision, it is important to note that:

(i) DPIAs can be prepared after the ANPD’s request has been made, and their prior absence does not appear to constitute an LGPD violation.
(ii) Training users on specific platforms carries significant relevance, and failing to do so may be seen by the ANPD as a violation of the LGPD.

Second Sanction

In the second case, a governmental institution was penalized after failing to inform data subjects of a security incident that occurred in 2022, and which was reported to the ANPD. In this case, a data leak compromised the registration, health, and financial data of an undetermined number of subjects.

ANPD’s full report has not yet been published, but additional details about the grounds for ANPD’s decision may be disclosed at a later date (including the severity of the violation and sanctions).

The ANPD found that the incident caused a “relevant risk” to the data subjects and determined that the governmental institution should report the incident, as outlined in Article 48 of the LGPD. The governmental institution claimed, however, that it did not have the technical capacity to detail which user base had its data leaked, and therefore made the decision to not notify impacted individuals. The ANPD did not accept the governmental institution’s argument, particularly because the LGPD makes clear that when affected data subjects cannot be identified, the entity must issue a form of substitute notice instead, seeking to reach all users of the platform by alternate means.

Accordingly, the ANPD imposed the following penalty:

  • Announcement of the infraction through a notice on the first page of the governmental institution’s website, as well as by sending a message to all users of their app. Both the website notice and the in-app notice must be available for sixty days. Notably, the ANPD indicated the exact text to be used by the governmental institution, which begins: "(…), in light of the fact that [the entity] was convicted by the National Data Protection Authority for violation of the duty to notify data subjects of the occurrence of security incidents, communicates [...]".

The potential damage to the reputation of any company is significant, even if it does not carry the threat of a financial penalty.
