On February 27, 2023, the Directing Council of the Brazilian National Data Protection Authority (ANPD) published the Resolution CD/ ANPD No. 04/2023 that rules the application of sanctions and the methodology for calculating fines for violation of the Brazilian General Data Protection Law (LGPD).
The resolution states the situations and methods for applying administrative sanctions provided in Article 52 of the LGPD, as follows:
- A one-time fine of up to 2% of the company’s revenue, limited to BRL 50 million per breach;
- A daily fine, limited to BRL 50 million;
- Official warnings;
- Publicly disclosing the infraction;
- Blocking access to the personal data in question;
- Destroying the personal data in question;
- Partially suspending the activities involving the database concerned for up to six months (extendable for an equal period) until the situation is resolved;
- Suspending personal data processing activities for a maximum of (6) six months (extendable for an equal period);
- A partial or total prohibition of conducting data processing activities.
And, among other criteria, it considers damage or harm to data subjects resulting from data processing agents’ non-compliance with the LGPD.
The LGPD violations will be classified considering the severity and type of the law infraction and the rights affected:
Medium Infraction: when the violation can significantly affect fundamental rights of personal data subjects, in other words: whenever the infraction significantly causes obstruction and restriction of the personal data subjects’ rights or use of services, as well cause material or moral damages, such as discrimination; violation of physical integrity; violation of right to image and reputation; financial frauds or unauthorized use of a person’s identity if it is not classified as high)
High Infraction: when there is obstruction of the inspection activity or when it happens to be a hypothesis describes as medium combined with at least one of the following cases:
- It involves processing of personal data in large scale;
- The offender earns or intends to gain economic advantage because of the infraction committed;
- There is risk to the lives of the data subjects;
- It involves processing of sensitive data or personal data of children, adolescents, or the elderly;
- There is unlawful processing of personal data (without legal basis provided for in the LGPD);
- There are unlawful or abusive discriminatory effects of the data processing; or
- There is systematic adoption of irregular practices by the offender.
Light Infraction: when the violation cannot be classified in any of the medium or high hypotheses.
In the case of application of the fines, to define the amount, in addition to this classification of severity, the ANPD will consider elements such as the violator’s billing in the last financial year prior to the application of the sanction. If information regarding the branch of activity in which the violation occurred is not available, the authority will consider the total billing of the group or conglomerate of companies in Brazil.
The economic condition of the agent may aggravate the penalty or be a mitigating factor. In addition, other possible factors, according to the new ANPD rule, would be non-recurrence, the agent’s good faith and the advantage gained or intended with the violation.
The resolution details the application of the formula in which the agent must follow a few steps:
- Determine the applicable tax rate (light, medium or right);
- Determine the degree of the injury/damage: on a scale of 0 to 3;
- Determine the base amount: multiplying the tax rate by gross income (-taxes);
- Determine the fine: applying the aggravating or mitigating circumstances;
- Determine the maximum and minimum value of the fine.
The main objective of such details is to guarantee that the sanctions are in proportion with the seriousness of agent’s conduct, in addition to provide legal security to inspection processes and guarantee the right to due process and adversarial proceedings.
The new regulation is already in force and the ANPD should start judging the first cases, the expectation is that the first decisions will be issued soon. From now on, the monitoring of the decisions of ANDP will be even more important given the creation of jurisprudence that will shed further light on the interpretation and enforcement of sanctions.