Overview
In this webinar on April 26, McDermott lawyers Jessi McGahie Sawyer and Fran Forte were joined by Nuria López and Renata Idie from the Daniel firm in Brazil to review the rules published by the Brazilian National Data Protection Authority (Autoridade Nacional de Proteção de Dados, or ANPD) for the application of sanctions and the methodology for calculating fines for violations of Brazil's General Data Protection Law (Lei Geral de Proteção de Dados Pessoais, or LGPD).
Below are the key takeaways from the discussion:
Who must comply with the Brazilian LGPD?
Any legal entity, public or private, that processes personal data, and any natural person who processes personal data for non-private, for-profit purposes, must comply with the LGPD, provided that:
- The data subjects are in Brazil
- Data processing is taking place in Brazil
- Data being processed was collected in Brazil
Even if I’m GDPR-compliant, does the LGPD include additional requirements?
Businesses that are already compliant with the EU's General Data Protection Regulation (GDPR) still face additional requirements under the LGPD. Entities and persons subject to the LGPD must:
- Report any local data-collection and processing activities, the legal basis for such activities and any lawful international transfers of data subject to the LGPD
- Prepare data protection impact assessments (DPIAs) on high-risk activities under the Brazilian legal context
- Appoint a data protection officer (DPO) for communicating with local data subjects and authorities (it is not mandatory, however, to appoint a representative)
- Include clauses in contracts that address the LGPD
- Comply with Brazilian law with regard to data subject rights in Brazil (and addressing specific deadlines and risks associated with consumers, labor and other parties)
- Include compliance with Brazil’s LGPD in cybersecurity incident response plans
What is the role of the Brazilian Data Protection Authority?
The ANPD is already established and active. Among other duties, the ANPD is responsible for inspection and enforcement of the LGPD. Its inspection activity involves monitoring, guiding and preventing non-compliance, while its enforcement activity includes the preparatory and sanctioning phases.
What sanctions apply under the LGPD?
According to the LGPD, the ANPD can apply the following sanctions:
- Warnings
- Simple fines
- Daily fines
- Publicization of the violation
- Blocking of personal data
- Deletion of personal data
- Partial suspension of the database
- Suspension of the personal data processing activity
- Partial or total prohibition of the activity concerning personal data processing that is related to the violation
The LGPD itself established only which sanctions could be applied; it did not regulate when and how those sanctions would be applied.
The ANPD’s dosimetry regulation established the following:
- The ANPD can apply more than one sanction to the same infraction if such action is deemed necessary
- The sanctions must be applied proportionally to the severity of the violation and also to the damages caused
- To determine the sanction, the authority must evaluate criteria such as:
  - The type of violation
  - The damages caused
  - The behavior of the organization
  - Whether the organization had high information-security standards
  - Actions taken by the organization, after the infraction, to minimize the damages caused
How are violations classified?
According to the rules, infractions can be classified as “light,” “medium” or “high.”
- Light infractions do not meet the criteria for medium or high classification
- Medium infractions cause significant obstruction and restriction of the personal data subject's rights or use of services, as well as material or moral damages
  - Examples of significant obstruction and restriction of the personal data subject's rights include discrimination, violation of physical integrity, violation of the right to image and reputation, financial fraud and unauthorized use of a person's identity
- High infractions include significant obstruction and restriction of the personal data subject's rights and involve at least one of the following circumstances:
  - The processing of personal data on a large scale
  - The offender earns or intends to gain economic advantage
  - There is risk to the lives of the data subjects
  - The processing of sensitive data or personal data of children, adolescents or the elderly
  - There is unlawful processing of personal data
  - There are unlawful or abusive discriminatory effects of the data processing
  - The offender systematically adopts irregular practices
An infraction will also be classified as high when the offender obstructs the inspection activity. This includes refusing to give answers or failing to send documents and information by the deadline without a plausible explanation.
What are the potential fines?
The Brazilian Data Protection Law states that two types of fines can be applied: daily fines and simple fines.
- Daily fines can be imposed to ensure the fulfillment of a non-pecuniary sanction or obligation determined by the ANPD, to interrupt any inspection obstruction and when there is a permanent, ongoing violation
- Simple fines can be imposed when the party does not adopt preventive or corrective measures by the established deadline, when the violation is classified as high, or when no other sanction can be applied considering the circumstances of the case, the nature of the violation, and the nature of the processing activity or of the personal data
With respect to both types of fines, the fine amount cannot exceed 2% of the company’s latest revenue, excluding taxes, or 50 million reais.
How is the fine calculated?
The regulation provides mathematical formulas and rates to determine the amount of the fine. The following steps are used to calculate the fine:
- Step 1: The base amount is determined using the company’s most recent revenues, excluding taxes, and the degree of damage
- Step 2: Aggravating and extenuating factors are applied to the base amount
- Step 3: The fine is adjusted with respect to the minimum and maximum amounts fixed by the regulation and by the LGPD
Aggravating factors. The amount of the fine is increased according to the following circumstances:
- For specific recidivism, a sanction for the same infraction within five years of the first infraction: from 10% to 40%
- For non-specific recidivism, when a party has been previously sanctioned within the last five years for a different infraction: from 5% to 20%
- For non-compliance with preventive or orientation measures provided by the ANPD: from 20% to 80%
- For non-compliance with corrective measures determined by the ANPD: from 30% to 90%
Extenuating factors. The amount of the fine will be reduced if:
- The offender ceases the violation
- The offender implements good practices and governance policy or repeatedly adopts and demonstrates internal mechanisms and procedures capable of minimizing damage to data subjects
- The offender demonstrates cooperation or good faith before the ANPD's first-instance (singular) decision in the sanctioning procedure
What are my next steps?
Companies subject to the LGPD should:
- Establish a security incident response flow
- Establish procedures to document what the company did after it became aware of a security incident
- Provide a report about the company’s security measures
- Create a list of external partners that can help with forensic analyses
- Document technical measures that could be adopted to contain or minimize damage and that could help to comply with legal obligations
- Provide internal training on effective cybersecurity practices