Starting August 1, 2021, the Brazilian Data Protection Law (LGPD) will have some teeth.
The LGPD was enacted in August 2018, but its provisions were scheduled to take effect in three separate phases. The provisions relating to the creation of the Brazilian National Data Protection Agency (ANPD) and its role in enforcing the new law became effective in December 2018, although the ANPD did not become operational until November 2020. The general provisions relating to the rights of data subjects and obligations of data controllers, processors, and privacy officers took effect in September 2020. Finally, the provisions authorizing the administrative sanctions the ANPD can impose are scheduled to take effect on August 1, 2021.
The ANPD has put together a two-year plan to address various topics through guidelines and regulations. So far, the ANPD has been actively working on guidelines, but it is also starting to focus on major leaks and mass distribution of personal data. Therefore, we expect that the ANPD will soon start using its new enforcement powers against companies that process large amounts of personal data. Eventually, however, any non-compliant company may become a target, so companies that are not yet fully compliant should make sure they are working on getting there soon.
Under the LGPD, data processing agents (which include controllers and processors of data) are subject to the following administrative sanctions:
- warning with a deadline for taking corrective measures;
- simple fine of up to 2% of the company’s revenue in its last fiscal year, excluding taxes, capped at R$ 50,000,000 (fifty million reais) (approximately $10,000,000 USD) per infraction. Entities subject to this fine include any legal entity governed by private law, group or conglomerate in Brazil;
- daily fine, subject to the total limit referenced above;
- publicizing the infringement after it is duly investigated and confirmed;
- blocking the personal data to which the infringement refers until its correction;
- deleting the personal data subject to the infringement;
- partial suspension of the database operation that is the subject of the infringement for up to six months, extendable for an equal period, until the controller corrects the unlawful processing activity;
- suspension of the personal data processing activity to which the infringement refers for up to six months, extendable for an equal period; and
- partial or total prohibition of the activities related to data processing.
The ANPD will take into consideration certain factors, such as the seriousness of the infraction, the size and economic means of the violator, the damages caused, the cooperation of the violator, and the existence of policies and mechanisms to safeguard and safely process personal data, among others.
Companies that do not work with individual customers (B2B activities) will still need to comply with the LGPD. The processing of employees’ personal data in Brazil and the international transfer of such data to U.S. headquarters are subject to the LGPD. Therefore, companies with operations in Brazil should make sure they have adequate mechanisms to process personal data to avoid charges for violations of data privacy rights.