Brazilian data protection – The introduction of sanctions

Brazil

Introduction

Having passed the General Data Protection Law in 2018, the LGPD (as the law is known) came into force in September 2020. However, businesses were given a slight reprieve in the form of a delay of the introduction of administrative sanctions until 1 August 2021. With this deadline fast approaching, Brazilian businesses who process personal data are soon at risk of being sanctioned for non-compliance.

The law led to the creation of the ANPD (the National Authority of Data Protection) which started operations in November 2020; and which will have the power to issue the administrative sanctions.  These sanctions include an infraction notice, daily fine, suspension of activities, or a fine of up to 2% of the revenues of the entity, group or conglomerate in Brazil (limited to 50 million Reais).  In January 2021, The ANPD published their biannual regulatory agenda and has since started to work through its plan.

The ANPD’s Regulatory Agenda

Alongside the introduction of sanctions, the ANPD has a busy regulatory agenda, required to fully define the data protection regulatory regime in Brazil. That agenda includes:

  • Publishing their first internal regulation and their 2021-2023 strategic plan;

  • Publishing different regulations for micro and small businesses;

  • Clarifying deadlines and forms for reporting data incidents;

  • Clarifying the rights of data subjects and the legal bases for processing personal data;

  • Publishing a regulation further defining the administrative sanctions, including the circumstances for issuing a fine; and

  • Publishing regulations regarding procedures for protecting personal data and transferring it internationally.

Whilst this represents a significant workload, the ANPD have already published their first regulation and strategic plan and have opened public consultations on the differing regulations for micro and small businesses, and on the procedures and recommended deadline for reporting incidents; (including what form the report will take).

Alongside this, the ANPD have also published their first (non-binding) guide, to provide clarity regarding the definitions of ‘Controller’, ‘Processor’ and ‘Data Privacy Officer’. The guide also introduces the idea of having a ‘Sub-processor’ and ‘Joint Controller’ of data.

Further to their agenda above, the ANPD also took part in the UK-Brazil Digital and Cyber Dialogue 2021, to discuss international data transfers and both countries’ experience in the field of digital and cyber. Further regulation on international transfers is expected to be published by the ANPD in the future. The ANPD is also in the process of building a relationship with the European Commission. Both relationships will be important going forwards to allow the smooth transfer of data internationally.

How Prepared are Brazilian Businesses?

Despite the majority of the LGPD coming into force in September 2020, many Brazilian Businesses are still not fully compliant with the law, even though they already face the risk of individual claims for damages from data subjects, employees and consumer protection bodies for non-compliance with the LGPD. There have also been recent judgements from the labour courts reinforcing the need for employers to comply with the LGPD in the processing of employees’ personal data. Given that from 1 August, businesses will also be subject to the ANPD administrative sanctions, ensuring compliance is now increasingly important.

The ANPD’s recently published guide also further clarified the position regarding Data Privacy Officers (DPOs). It is recommended that each company’s Controller appoint one, though the ANPD will clarify in the future where they may not be required. They may be either an employee or an outside agent, such as an external company and may also be supported by a data protection team. It is important to remember, if appointing externally, that the DPO must be capable of performing his/her role, as the ultimate responsibility remains with the Controller.

Conclusion

With the ANPD actively pursuing its regulatory agenda and soon able to impose sanctions on businesses found to be in breach of the law, compliance has become increasingly important to ensure that businesses are not found to be inadvertently breaching the legislation and then sanctioned accordingly.