Brazil Publishes Data Protection Sanctions: 3 Steps Your Company Should Take to Avoid Problems

Fisher Phillips

Brazil’s data protection authority recently published regulations that allow businesses and employers that violate the country’s data privacy law to be punished with administrative penalties, adding yet more incentive to comply with the already strict law. The regulations, released on February 27, supply the enforcement bite that had been missing since Brazil’s General Law for the Protection of Personal Data (LGPD) took effect in 2020. Local and foreign entities that process data in Brazil, or that process data of individuals in Brazil, should take proactive measures to ensure compliance with the LGPD and avoid potentially severe consequences. Keep reading for what your business needs to know about the new regulations and three proactive steps to avoid running afoul of the LGPD.

LGPD Refresh

The LGPD is Brazil’s federal law regulating the collection and use of personal data of individuals in Brazil. Before processing personal data, organizations must confirm that they have a legal basis for doing so under the LGPD; the data subject’s consent is one such basis, but it is not the only one the law recognizes.

The law covers data processing carried out by any natural person or public or private entity. Absent limited exceptions, the law applies to:

  • any data processing carried out in Brazil, or carried out for the purpose of offering goods or services to individuals in Brazil; and
  • any processing of the personal data of individuals located in Brazil, wherever that processing takes place.

The means of processing are not relevant. As is common among international privacy laws, the entity conducting the processing need not be headquartered in Brazil or have any physical presence there to be subject to the LGPD. Conducting data processing in Brazil, or processing the data of individuals located in Brazil, is sufficient.

Penalties for LGPD Violations

Despite being in force for approximately two-and-a-half years, the LGPD lacked an effective enforcement mechanism until now. The newly enacted regulations authorize the Brazilian data protection authority (ANPD) to impose a range of sanctions for noncompliance, from a warning or fine up to a partial or total ban on processing. Monetary fines can take the form of a single fine of up to 2% of the company’s revenue in Brazil, capped at R$ 50,000,000.00 (roughly US$10 million) per infraction, or a daily fine subject to the same R$ 50,000,000.00 total cap. The ANPD may also apply other severe measures to offenders, such as blocking or ordering the deletion of the personal data that was irregularly processed.

Leniency for Good Faith Compliance

Given the potentially severe penalties at stake, well-intentioned businesses may fear facing the ire of the ANPD for unintended violations of the LGPD. To help alleviate these fears, the ANPD provides leniency to businesses that make good-faith efforts to comply and that work with the ANPD to correct any infractions.

The ANPD’s regulations commit the agency to weighing both mitigating and aggravating factors when setting penalties, such as the seriousness of the offense, the type of personal data compromised, the offender’s good-faith efforts to adopt data protection best practices, and the speed with which the offender corrects the infringement. The ANPD’s stated goal is to ensure that the sanction applied fits the seriousness of the offender’s conduct. The ANPD has further indicated that it will work with processing entities to bring them into compliance with the LGPD rather than seeking punishment first.

Three Compliance Steps for Employers and Businesses

Employers and businesses located in Brazil, or that process data of employees or customers in Brazil, should take three steps now to demonstrate good-faith compliance with the LGPD and avoid severe sanctions by the ANPD:

  1. Understand the Requirements

    You should ensure the individuals responsible for processing personal data in your organization are familiar with the LGPD and its potential application to your processing activities. In practice the law weighs most heavily on large companies that control or process personal data, but its application does not turn on company size. If your organization processes any personal data that is not specifically excluded from the LGPD’s application, you should become familiar with the law and take steps to ensure that each processing activity rests on a legal basis the LGPD recognizes, whether the individual’s consent or another basis provided by the law.

  2. Create and Maintain an LGPD Governance Program

    You can demonstrate good-faith compliance with the LGPD by creating and maintaining a governance program for compliance with Brazil’s data protection legislation. Work closely with your employment counsel to ensure your compliance policies are tailored to your actual data processing activities. Document both the organization’s measures to reduce the risk of data breaches and its response to any discovered or suspected breach, so that these efforts can be shown to the ANPD if an inquiry arises.

  3. Cooperate with the ANPD

    Finally, if your organization becomes the subject of an ANPD inquiry, cooperate and be proactive about eliminating the infraction or remediating the data breach. The ANPD is less likely to impose a severe penalty, or any penalty at all, on organizations that move quickly to address potential breaches and demonstrate a good-faith effort to adhere to the LGPD’s requirements.

Conclusion

Brazil’s new regulations for enforcing its data privacy law signal the country’s intent to closely monitor businesses that use the personal data of individuals in Brazil and to hold entities accountable for privacy violations. Organizations are well advised to take steps toward compliance as soon as possible.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Fisher Phillips | Attorney Advertising
