Brazil's data protection landscape is still relatively new, as the General Data Protection Law officially took effect in September 2020.

Although the LGPD is heavily inspired by the EU General Data Protection Regulation, as its data processing requirements and concepts show, Brazil's data protection authority, the Autoridade Nacional de Proteção de Dados, is clearly undertaking a herculean task in receiving complaints, carrying out inspections and applying sanctions.

The ANPD has issued several regulations and guidelines that are shaping an authentic Brazilian data protection regime, marked by its own specificities.

Some recent highlights are regulations on data breach reporting, the role of the DPO and conflicts of interest, and international data transfers.

ANPD sanctions

Scenarios where things did not go as expected offer valuable opportunities for lessons learned. Companies and professionals in data protection and privacy can gain insights into common challenges, risk areas and inadequate practices based on the ANPD's sanctioning decisions.

It is worth noting that under the LGPD, sanctions can result not only from a violation of the law's own obligations, but also from a violation of regulations issued by the ANPD.

Of the ANPD's seven sanctioning decisions published to date, most of them against public sector bodies, five dealt with violations of Article 48 regarding communication of data breaches. In these cases, communication was found to be insufficient or absent, either to the ANPD itself or to the affected data subjects.

For example, the ANPD ordered the National Social Security Institute (INSS) to publicize an Article 48 violation on its website. Because the INSS could not accurately identify the data subjects affected by a 2022 security incident, a deficiency in its data governance, the ANPD determined that broad public communication, a form of forced transparency, was required to meet the legal obligation.

Managing security incidents involving personal data is a fundamental pillar of a privacy program, and it rests on the security measures actually implemented and on data governance itself.

Specific rules on communicating data breaches, including when an incident may cause high risk to data subjects, were established in April 2024 under Resolution CD/ANPD No. 15 and must be reflected in companies' incident response plans.

Three of the ANPD's sanctioning decisions dealt with violations of Article 49, which requires security in the systems used to process personal data.

Three sanctions involved a violation of Article 5 of Resolution CD/ANPD No. 1, which reflects the duty of cooperation with the ANPD. Since these counts add up to more than the seven decisions, several decisions found more than one violation.

In this regard, it is the duty of the processing agent to implement governance that complies with the legislation and that can demonstrate the measures adopted and their effectiveness, including producing evidence in an inspection or audit.

These aspects point to operational challenges in the public sector that are also faced by the private sector. In fact, private companies, which often have fewer resources and capacity, may face even greater challenges.

Of the seven published decisions, only one was related to a private processing agent, for promoting the sale of personal data. This does not imply, however, that the issue is unimportant to the private sector.

First, data protection has become a concern in Brazilian society. It is a pillar of a company's trust and reputation, and news of leaks or data misuse regularly makes headlines in the mainstream press.

Second, several proceedings are underway at the ANPD, and decisions against other agents have yet to be issued and published.

Third, the one published decision against a private processing agent dealt with one of the most basic aspects: the existence of a legal basis to legitimize personal data processing.

Fourth, the ANPD ordered Meta to suspend the processing of personal data for AI training, under penalty of a daily fine of BRL50,000. By the end of August, this order was itself suspended, conditional on Meta's compliance with a plan to be monitored by the ANPD. Among the obligations is making it easier for data subjects to exercise the right to object, without prejudice to the authority's continued oversight actions.

The road ahead

It is worrying to see that the first violations came, for the most part, from the public sector, which should serve as a model, especially when handling citizen data in the context of public policies.

The ANPD's enforcement actions highlight some aspects of low maturity in managing and responding to security incidents, as well as challenges in cooperating with the authority itself to comply with its determinations and provide requested information.

On the other hand, the sanctioning of the public sector highlights the authority's rigorous stance.

The difficulties seen also serve to indicate the barriers the private sector may be facing. Recognizing these difficulties allows for a more effective and realistic approach to data protection rules by the public and private sector.

Given this panorama, it is essential that both the public and private sectors intensify efforts to strengthen compliance practices. Beyond avoiding new sanctions, a renewed commitment to information security and full cooperation with the ANPD are necessary to guarantee the protection of data subjects.

Internal processes must be adjusted to avoid incidents, deviations and penalties. By understanding the justifications and criteria the ANPD adopts in its decisions, organizations can develop more effective preventive and corrective strategies and promote an organizational culture of respect for privacy and information security.

Jean Carlo Jacichen Luz, CIPM, CDPO/BR, is an attorney at Peck Advogados.

The IAPP "Top-5 operational impacts of Brazil's LGPD" series provides understanding of the top operational impacts of Brazil's General Data Protection Law, including enforcement mechanisms and sanctions, international transfers, and data protection officers.