Today the Brazilian National Data Protection Authority (“ANPD” or “Brazilian DPA”) published Resolution CD/ANPD nº 4, approved on February 24th, 2023 (“Regulation”), which provides rules for the dosimetry and enforcement of administrative sanctions on data protection matters by the authority. The Regulation was expected to bring more clarity regarding the Brazilian DPA’s activities, particularly by defining the criteria and parameters for enforcing penalties.
The Regulation established the possibility of adopting preemptive measures beyond those already provided by Resolution CD/ANPD nº 01/2021, and determined that noncompliance with these measures shall be considered an aggravating circumstance if a sanction is imposed.
Moreover, the Regulation determined that a processing agent will be deemed a recidivist if, within the first 5 years after being subject to a final condemnatory sentence by the ANPD, it again fails to comply with a provision of the data protection legislation or regulation. This recidivism is considered specific when both the new and the old infraction relate to the same law, and generic in all other cases.
Another new aspect introduced by the Regulation concerns the sanctions of prohibiting or suspending the processing agent’s activities: when the offender operates in a regulated sector, the ANPD will inform the sector’s entity of the administrative procedure, allowing it to state the possible consequences of interrupting the services, especially when they relate to public services.
However, the Regulation’s main provisions concern the dosimetry of sanctions, with the creation of a classification according to the severity of the harm caused by the offender, as follows:
(i) Minor Damage: all offenses that are not deemed medium or major damage;
(ii) Medium Damage: when the offense prevents or limits rights or the use of services, significantly affecting the interests and fundamental rights of the data subjects, except when the offense falls within the cases of major damage below; or
(iii) Major Damage: when the offense, beyond fulfilling the requirements to be considered medium damage, also involves: (i) large-scale data processing; (ii) an economic advantage intended or obtained by the offender; (iii) risk to the life of the data subjects; (iv) sensitive data or data of minors or the elderly; (v) processing not grounded on at least one of the LGPD’s legal grounds; (vi) illicit or abusive discrimination; or (vii) the systemic adoption of wrong practices. Furthermore, an offense that aims to obstruct the ANPD’s supervisory activities will also be considered major damage.
Regarding the enforcement of sanctions, the Regulation determined that the Brazilian DPA will issue a warning when there is minor or medium damage that is not recidivist or when corrective measures are necessary. On the other hand, a simple fine will be enforced when there is a major offense, when the offender has not complied with corrective or preemptive measures, or when the ANPD considers that the enforcement of another sanction would be inadequate.
Concerning the monetary sanctions, the Regulation provided a mathematical formula to estimate the value of the simple fine, using a base value and considering the nature of the offense, the offender’s revenue in the past year and the severity of the damage, as well as aggravating and attenuating circumstances. It should be noted that, in certain cases, this revenue amount can be defined by the ANPD itself.
According to the Regulation, generic or specific recidivism, as well as noncompliance with guidance, corrective or preemptive measures issued by the ANPD, will be deemed aggravating circumstances in estimating the simple fine, with a specific percentage for each of them.
On the other hand, the termination of the offense before the Brazilian DPA issues the first sentence, the existence of governance and best-practice policies, and the implementation of measures that have reversed or reduced the harmful effects of the offense are considered attenuating circumstances.
It should be highlighted that, when there are multiple aggravating circumstances, their respective percentages shall be added together. The same applies when there are several attenuating circumstances.
The Regulation also provides that the daily fine will follow the same criteria as the simple fine and will be enforced when there is a permanent offense, an obstruction of the ANPD’s supervisory activities or noncompliance with an obligation to correct an irregular act.
The deadline for paying daily or simple fines will be 20 business days, except for fines issued to small processing agents, as defined in Resolution CD/ANPD n. 02/2022, for which the deadline will be 40 business days. Furthermore, waiving the right to appeal after the first sentence will grant a 25% reduction of the enforced fine.
Concerning the nonmonetary sanctions, the Regulation set additional rules on disclosure of the offense, blocking or deletion of the personal data, partial suspension of the operation of the database and partial or full prohibition of the processing related to the offense.
It should be noted that both the suspension of the database and the partial prohibition of the processing will be limited to a 6-month period, renewable once. On the other hand, the full prohibition of the processing will be enforced when one of the previous sanctions has been imposed, the processing lacks a legal ground or technical and operational adequacy or has illicit purposes.
Our team is at your disposal for further clarifications, as well as to provide assistance with the procedures for fulfilling LGPD and/or ANPD regulatory obligations.