Brazil’s comprehensive data protection law, the Lei Geral de Proteção de Dados (LGPD) became enforceable on August 1, 2021—nearly a decade after the bill was first published in 2012.
The LGPD places some strict rules on organisations operating in Brazil, and the country’s data protection authority, the Autoridade Nacional de Proteção de Dados (ANPD) can impose substantial fines and other penalties against companies who violate the law.
On 29 October 2021, the ANPD published its first set of LGPD regulations, which set out how the authority will inspect and sanction organisations suspected of infringing the LGPD.
This article will take a deep dive into these regulations. If you’re operating in Brazil, this will give you an insight into how the ANPD treats enforcement and what you can expect if you’re accused of violating the LGPD.
About the ANPD
The ANPD was created by the enactment of Article 55-A of the LGPD and is governed by a set of internal regulations, Ordinance No. 1 of March 8, 2021. The ANPD consists of several bodies:
- Board of Directors
- National Council for the Protection of Personal Data and Privacy (an advisory body)
- Bodies of “direct and immediate assistance to the Board of Directors”:
  - General Secretariat
  - General Administration Coordination
  - General Coordination of Institutional and International Relations
- Sectional bodies:
  - Internal Affairs
  - Legal Advice
- Specialised bodies:
  - General Standardisation Coordination
  - General Inspection Coordination
  - General Coordination of Technology and Research
Article 55-J of the LGPD sets out the ANPD’s tasks, which include, among other activities:
- Ensuring the protection of personal data
- Ensuring the observance of commercial and industrial secrets
- Developing guidelines on data protection and privacy
- Monitoring and applying sanctions for non-compliant data processing activity
- Handling data subject complaints
- Promoting knowledge of data protection and security among the general population
- Developing and promoting studies on national and international practices for the protection of personal data and privacy
- Stimulating the development of standards for products and services that enable data subjects to have greater control over their personal data
- Promoting international cooperation with other data protection authorities
Penalties Under the LGPD
Before we look at what’s revealed in the inspections and sanctions regulations, here’s a reminder of the sanctions available under Article 52 of the LGPD:
- A warning, together with a deadline for applying corrective measures
- A fine of up to 2% of an organisation’s gross revenue in Brazil for the previous financial year, up to a maximum of 50 million BRL per violation (approximately 8.8 million USD)
- A daily fine of the same maximum amounts identified above
- Publication of the details of the violation
- Blocking of the relevant personal data until the violation is rectified
- Deletion of the relevant personal data
- Partial suspension of the controller or processor’s database for up to six months until the violation is rectified (extendable for the same period)
- Suspension of processing for up to six months until the violation is rectified (extendable for the same period)
- Partial or total suspension of activities related to data processing
Overview of the Inspection and Sanctions Regulations
The full name of the inspections and sanction regulations is Regulation CD/ANPD No. 1. The regulations follow from the power granted to the ANPD by Article 55 (J) (IV) of the LGPD: to monitor and apply sanctions for non-compliant data processing.
The regulations refer throughout to “agentes de tratamento” (processing agents), meaning people and organisations covered by the LGPD, which includes both controllers and processors. Processors can be directly subject to enforcement activity under certain conditions.
The regulations cover the following topics:
- The duties of processing agents when subject to an inspection by the ANPD
- Procedural provisions, including the details around deadlines and communications methods
- The “interested parties” involved in the inspections and sanctions processes
- The various monitoring, prevention, and enforcement activities available to the ANPD
- The process for handling complaints
- The issuing of “compliance plans” to non-compliant regulated agencies
- The sanctioning process
- The appeals process
Duties of Processing Agents
Article 5 of the regulations explains that processing agents subject to an ANPD inspection must:
- Provide copies of relevant documents within a deadline and in a place and format specified by the ANPD
- Allow the ANPD access to facilities, equipment, applications, systems, tools, resources, data and information
- Provide the ANPD with information about data processing systems
- Submit to audits
- Keep documents, data and information for the period specified in legislation, and for as long as necessary for the administrative process
- On request, make a representative available with knowledge and autonomy to provide data to cooperate with the ANPD
The processing agent must make the ANPD aware of any relevant issues around commercial or industrial secrecy that may inhibit the ANPD’s access to information.
Failure to comply with the above duties may constitute obstruction of the ANPD.
Article 8 of the regulations covers the issuing of deadlines by the ANPD:
- Deadlines start from the day that the ANPD provides official notice
- Deadlines are counted in working days
- If a deadline falls on a day that the ANPD is closed then it will be extended to the next working day.
- If the ANPD’s “electronic petition system” is unavailable on the deadline day, the deadline will be extended to the next working day under certain conditions
The ANPD can present processing agents with an “intimação”, translated as “subpoena”.
Subpoenas will contain information about the purpose of the subpoena, whether the relevant processing can continue, deadlines for taking action, and whether the processing agent must appear before the ANPD in person.
Monitoring, Guidance, Prevention and Sanctions
The regulations divide the ANPD’s activities into four types of activities:
- Monitoring: Gathering relevant information to support decision-making, and handling data subject complaints
- Guidance: Promoting guidance, awareness and education among processing agents
- Prevention: Constructing solutions designed to bring processing agents back into full compliance or to avoid or remedy harmful situations
- Sanctioning: Coercive action aimed at stopping harmful or risky processing and punishing non-compliant processing agents
The ANPD’s monitoring activities serve to promote knowledge of data protection and security among data subjects and processing agents.
Handling data subject complaints also falls under the ANPD’s monitoring activities. The ANPD will accept complaints if it can verify:
- That the complaint falls within the ANPD’s competence
- The applicant’s identity or (if applicable) anonymity
- The applicant’s legitimacy
- The identity of the relevant processing agent
- A description of the facts
If a data subject is complaining about the failure of a processing agent to satisfy a data subject rights request, then the data subject must prove that the processing agent has exceeded the response deadline set out in the LGPD (15 days).
The ANPD will accept anonymous complaints where the facts can be verified, and where the data subject’s identity is not required to investigate the facts.
The ANPD’s monitoring activities are informed by two reports:
- Monitoring Cycle Report (Relatório de Ciclo de Monitoramento): An annual report prepared by the ANPD’s Board of Directors to evaluate the year’s inspection activities and direct the following year’s activities.
- Map of Priority Themes (Mapa de Temas Prioritários): A biannual report developed by the ANPD’s General Inspection Coordination and that establishes priority areas for inspection activities.
The ANPD’s guidance activities include producing guidance, raising awareness and educating processing agents.
Article 28 of the regulations confirms that guidance activities do not count as sanctions against processing agents.
Guidance activities include:
- Preparing good practice guides and document templates
- Suggesting to processing agents that they should conduct training or courses
- Developing self-assessment and risk assessment tools for processing agents
- Recognising and disseminating good practice and governance rules, including:
  - The use of particular technical standards
  - The implementation of a Privacy Governance Program
  - Compliance with a code of conduct or the good practice of a certification body
- Other measures, so long as they are provided within the scope of the ANPD’s guidance activities and are not sanctions
Prevention activities aim to bring a processing agent back into compliance with the LGPD and to avoid or remedy situations that may lead to risk or harm.
Article 31 of the regulations confirms that prevention activities, like guidance activities, do not in themselves count as sanctions against processing agents.
Prevention activities include:
- Disclosing aggregated information, such as the rate of resolution of problems
- Giving notice to a processing agent to allow them to identify corrective measures
- Requesting “regularisation” or a report, in the case of a relatively simple infraction that does not warrant the submission of a compliance plan (see below)
In some cases, the ANPD can also produce a compliance plan to help bring a processing agent into LGPD compliance. The compliance plan will contain:
- The object of the compliance plan
- Planned actions to reverse the alleged violation
- Criteria for monitoring whether the processing agent has brought itself into compliance
- The trajectory for achieving the results sought by enacting the compliance plan
A compliance plan does not exempt a processing agent from its LGPD obligations. Failure to comply with a compliance plan will lead to enforcement action.
Sanctioning activity is designed to investigate and punish LGPD violations. There is no administrative appeal against the opening of sanctioning proceedings. The ANPD must comply with sound legal principles throughout the sanctioning process.
Enforcement activity consists of several phases, which we’ll consider in turn.
Under the preparatory procedure, the General Inspection Coordination (a body of the ANPD) can carry out preliminary investigations when there is insufficient evidence to move directly to the imposition of an administrative sanction.
Conduct Adjustment Phase
Interested parties (e.g. data subjects) may propose that the processing agent undertake “conduct adjustment.”
The ANPD’s Board of Directors must scrutinise the conduct adjustment proposal. If approved, the enforcement process will be suspended while the processing agent executes the conduct adjustments.
If the processing agent fully complies with the terms, the sanction will be recorded, and the sanctioning process will be concluded.
If the processing agent fails to comply with the terms of the conduct adjustment phase, or if the phase is omitted, the General Inspection Coordination will draw up an infraction notice.
Infraction notices must contain:
- The identity of the accused processing agent
- A statement of the alleged violation and a summary of the facts
- The legal or regulatory provision alleged to have been violated
The General Inspection Coordination will invite the processing agent to present a defence within ten working days. The accused processing agent may present evidence in its defence.
The General Inspection Coordination may subpoena further evidence from the processing agent if required. The ANPD may include evidence gathered via other processes, data protection authorities, or third parties. Expert witnesses may be called.
After the above stages have been completed and the ANPD has delivered the infraction notice to the processing agent, the processing agent has ten working days to present closing arguments.
Once the deadline for presenting closing arguments has elapsed, the ANPD will prepare an investigation report. The General Inspection Coordination will consider the investigation report when deciding any sanction.
This closes the investigation phase unless more information is needed, in which case the General Inspection Coordination will issue an order containing relevant instructions.
After the above procedures are complete, the General Inspection Coordination will issue a decision. A summary of the decision will be published in the Federal Official Gazette.
The decision will include a summary of the facts, motivations, and legal grounds, following Article 52 of the LGPD.
The ANPD can consider cases jointly if there is a risk that contradictory or conflicting outcomes could arise if the cases are considered separately.
After the decision has been issued, the processing agent will be summoned to comply with it.
If the processing agent does not accept the decision, it has ten working days from the date of notification of the decision to submit an appeal to the Board of Directors.
If the processing agent’s appeal is successful, the General Inspection Coordination will invite any interested third parties (e.g. the affected data subjects) to submit a further appeal to the Board of Directors within ten working days.
The decision will be suspended throughout the appeal process unless this causes a well-founded risk of harm.
Appeals will not be considered if they are filed:
- Out of time
- By an illegitimate party
- After the administrative process has been exhausted
- Against preparatory decisions or other unappealable decisions
After receiving the appeal, the General Inspection Coordination may reconsider its original decision.
If the General Inspection Coordination agrees with the appeal, it may issue a new decision. This decision may not have a worse outcome than the original decision. If the General Inspection Coordination decides to exonerate the processing agent completely, this new decision must be scrutinised by the Board of Directors.
If the General Inspection Coordination disagrees with the appeal, in whole or in part, it must refer the appeal to the Board of Directors. The Board of Directors will decide whether to uphold the appeal based on a voting system.
Once the decision has been finalised, the processing agent must comply with any conditions and pay any monetary penalties. The General Inspection Coordination will monitor the processing agent’s compliance with the decision.
The LGPD is a complex and comprehensive law. As we’ve seen, the ANPD has a broad range of enforcement tools available—and the consequences for non-compliance can be severe.
PrivSec LATAM is a live stream event taking place on 2 December 2021.
The event will welcome senior decision-makers from across Latin America seeking the latest advice, guidance and information from subject matter experts, industry leaders and academics focusing on both practical and ethical issues.