Brazil’s Sept. 18, 2020. As with any law imposing compliance requirements, a key issue is enforcement — how will the law be administered, and what potential penalties may be imposed for noncompliance?
Generally, the LGPD creates an enforcement agency, the National Data Protection Authority, which is authorized to monitor compliance with the law and impose sanctions, including fines, for violations. While this new agency is still being established and the LGPD’s administrative sanctions provisions do not come into force until Aug. 1, 2021 (Article 65, I-A), it is helpful to review the ANPD’s scope of authority and structure to understand its anticipated role. Businesses also should be aware that regardless of the ANPD’s ability to impose sanctions, the LGPD can be immediately enforced by individuals and other authorities.
This is the final installment in a five-part series exploring the top operational impacts of the LGPD. Before examining the enforcement issues, it is worth considering the other operationally significant aspects of the law, addressed in prior installments as follows: part two, data governance, including protections for personal data and data security; part three, international data transfers; and
Immediate enforcement of LGPD
In the first of a series of discussions of Privacy Around the Globe, IAPP Vice President and Chief Knowledge Officer Omer Tene and lawyer and law professor Danilo Doneda explained “the (LGPD) can already be applied by the courts or other competent authorities” and “any person can rely on the law to assure their rights, as can consumer protection agencies, public prosecution services and other representatives of the public interest on behalf of groups.” She discussed the precedent for consumer protection agencies and public prosecution services to be involved in data protection cases prior to the LGPD coming into force, describing the LGPD as “basically consolidate[ing] and specifically defin[ing] the rules on data protection already established in general by the Federal Constitution, Consumer Defense Code and Internet Civil Framework (Law 12,965/2014).”
Alan Campos Elias Thomaz of Alan Thomaz Advogados also a private right of action and a public right of action to the Brazil Public Prosecutors’ Office.) According to Elias Thomaz, “there’s an actual possibility of enforcement by individuals, public prosecutors and consumer protection organizations even if the administrative sanctions will be enforced next year.”
IAPP Country Leader for Brazil Dirceu Santa Rosa likewise alleged violations of the LGPD. The suit involves the alleged improper sale of personal information from 500,000 people. While administrative sanctions may not be available until next year, enforcement of the LGPD has begun.
It is also worth noting the LGPD specifically discusses controllers and processors being subject to potential liability (not just administrative sanctions) for their conduct in processing personal data. Section III in Chapter VI, Personal Data Processing Agents (Articles 42 through 45) addresses “liability and loss compensation” in the context of controllers or processors that cause damage to others when processing personal data. Article 42, Section 3 specifically provides “[l]awsuits for compensation for collective damages ... may be filed collectively in court, subject to the provisions of related legislation.”
Processors are considered jointly liable for damages if they have not complied with the law or the controller’s instructions. In addition, the law permits the judge in a civil lawsuit to “reverse the burden of proof in favor of the data subject when the allegation appears to be true, there are no funds for the purpose of producing evidence or when production of evidence by the data subject would be overly burdensome.” Controllers and processors who fail to adopt the security measures identified in Article 46 also can be held liable for damages (Article 44).
While enforcement by the ANDP may not be a focus for organizations now, their attention is likely to shift as the agency begins to take shape and August 2021 approaches. Understanding the agency, including its structure, sanctioning powers and other authorities, will be important before administrative enforcement begins.
Structure of ANPD
The LGPD uses the term “national authority” to describe its data protection authority, defining it in Article 5 as the “body of the public administration responsible for supervising, implementing and monitoring the compliance” with the LGPD. Article 55-A of the LGPD creates this national authority, the ANPD. Decree 10.474/2020, published by the Brazilian Presidency on Aug. 27, 2020, approved the structure of the ANPD and further defined its responsibilities. Hunton Andrews Kurth has an overview of the August Decree here.
The organizational structure of the ANPD is set forth in LGPD Articles 55-C through 55-I and the August decree. The highest governing body is the board of directors, comprised of a CEO and four other members. Board members are appointed by Brazil’s president, subject to Senate approval, and must be Brazilians “with an immaculate reputation, a high level of education and considered renowned” in their field. They serve four-year terms, except for the first board members whose terms are staggered. The board is to meet at least monthly.
Brazil’s president recently provided insight into the board members and their backgrounds for The Privacy Advisor.
The ANPD also includes an advisory body, the National Council of Personal Data Protection and Privacy, discussed in LGPD Articles 58-A to 58-B and the August decree. The National Council is comprised of 23 representatives who serve in an unpaid, public service capacity.
Membership will represent varied interests and include representatives from Brazil’s executive and legislative branches, civil and business sector representatives with experience related to personal data protection, and representatives from “scientific, technological and innovative” institutions. It is charged with providing guidance to the ANPD and educating the public on personal data protection and privacy. The council is scheduled to meet at least three times a year unless additional meetings are called by its president.
Other departments within the ANPD include an Internal Affairs Office, Ombudsman Office, legal advisory body, and necessary administrative and specialized units to apply the law (Article 55-C). The president’s August decree provides further detail regarding the roles of each of these entities, as well as the departments and staff supporting them.
ANPD’s sanctioning powers
The ANPD has “sole responsibility” for applying sanctions under the LGPD (Article 55-K). These sanctions, identified in Article 52, can include:
- Warning and corrective measures.
- Fines of up to 2% of a company’s revenue in Brazil, for the prior fiscal year, excluding taxes, up to a total maximum of 50 million reais (roughly $8.7 million U.S.) per infraction.
- Daily fines, subject to the total maximum described above.
- Disclosure and publicization of the infraction.
- Blocking of the personal data which is the subject of the infraction until the issue is resolved.
- Deleting the personal data which is the subject of the infraction.
- Partially suspending the operation of the database related to the infraction for up to six months, extendable by another six months, until the issue is resolved.
- Suspension of the personal data processing activity related to the infraction for a maximum period of six months, extendable by another six months.
- Partial or total prohibition of activities related to data processing.
Certain criteria are to be considered in determining the appropriate sanction, including (1) the severity and nature of the infractions and of the personal rights affected; (2) the good faith of the offender; (3) whether the offender received or intended to receive an advantage; (4) the offender’s economic condition; (5) recidivism; (6) the level of damage; (7) the offender’s cooperation; (8) “repeated and demonstrated adoption of internal mechanisms and procedures capable of minimizing the damage, for secure and proper data processing”; (9) adoption of good practices and governance policy; (10) the prompt adoption of corrective measures; and (11) the proportionality between the severity of the breach and the intensity of the sanction.
ANPD’s role more broadly
In addition to its sanctioning authority, the LGPD lists 24 specific duties of the ANPD (Article 55-J), including:
- Ensuring the protection of personal data.
- Receiving pleadings from data subjects against controllers.
- Carrying out audits.
- Educating the public regarding the protection of personal data.
- Promoting cooperation with DPAs of other countries.
- Editing regulations and procedures on the protection of personal data and privacy, as well as on data protection impact assessments where the processing represents a high risk to the LGPD’s data protection principles.
- Ensuring data processing for the elderly “is carried out in a simple, clear, accessible and adequate form to their understanding.”
Beyond these enumerated duties, there are many other provisions in the LGPD that require ANPD involvement. For example, Article 10, which relates to a controller processing personal data, states the ANPD may require a data protection impact assessment from the controller when the processing is based on their legitimate interest. Article 12 addresses anonymized data and states the national authority “may provide for standards and techniques to be used in processes of anonymization ....” The ANPD also has a significant role in international data transfers, as discussed by IAPP Research Director Caitlin Fennessy, CIPP, in the third part of this series.
A joint paper by the Centre for Information Policy Leadership and Centro de Direito, Internet e Sociedade of Instituto Brasiliense de Direito Público includes a helpful appendix that maps both the ANPD’s primary duties under