Newsletter
March 6, 2023
Brazilian Data Protection Authority approves the Regulation on Dosimetry and Application of Administrative Penalties
The Brazilian Data Protection Authority (“ANPD” or “Authority”) published, on February 28th, 2023, the Regulation on Dosimetry and Application of Administrative Penalties (“Regulation”), standardizing articles 52 and 53 of the Brazilian General Data Protection Law (Law n. 13.709/2018 – “LGPD”) by setting up the criteria for the enforcement of penalties for noncompliance with the LGPD.
The Regulation was approved after a public consultation that took place between August 15th and September 15th, 2022. The Authority also received 24 contributions through a public hearing held in September 2022.
The Regulation brings the same sanctions provided for in the LGPD, namely: (i) warning, (ii) simple fine, (iii) daily fine, (iv) publication of the infraction, (v) blocking of the personal data to which the infringement relates, (vi) deletion of the personal data to which the infringement relates, (vii) partial suspension of the operation of the database to which the infringement relates, (viii) suspension from exercising the activity of processing the data to which the infringement relates, and (ix) partial or total prohibition from exercising activities related to data processing. However, in its article 8, it created a classification for violations according to their gravity, nature, and the personal rights affected:
- Low: when none of the hypotheses listed below is verified.
- Medium: when it could significantly affect the interests and fundamental rights of the personal data subjects, such as discrimination, violation of physical integrity, of the right to image and reputation, financial fraud or identity misuse, provided it is not classified as severe.
- Severe: when the hypothesis established above is verified and, at the same time:
  - It involves large-scale data processing; or
  - The infringer obtains or intends to obtain an economic advantage; or
  - It implies a risk to the life of the personal data subjects; or
  - It involves the processing of sensitive data or of data of minors or the elderly; or
  - The processing was carried out with no legal basis; or
  - The processing has unlawful or abusive discriminatory effects; or
  - The systematic adoption of irregular practices is verified.
In addition, the Regulation deals with the hypotheses of recurrence, which were divided into two categories: special, characterized when the same agent infringes the same rule in a period of five years from the date of the final ruling until the date of the new infringement; and generic, which will occur when the same infringer neglects any legal or regulatory rule, regardless of which, in the same period.
The Regulation also explains the methodology for calculating the amount of the fines. For light infringements, the rates vary from 0.08% to 0.15% of the infringer’s revenues. The range for medium infringements is between 0.13% and 0.5%, while for serious infringements the values may go from 0.45% to 1.5%. The section also describes the degree of damage, which will be used in a mathematical formula to calculate the fine.
The Regulation’s intention is to guarantee the proportionality between the sanction applied and the significance of the agent’s conduct, as well as to provide legal security to the inspection processes and assure the right to due legal process and adversarial proceedings. Therefore, the sanctions applied shall establish a better correspondence between the purpose to be achieved and the means employed, which should be as right and fair as possible.
With this recent approval, the ANPD will be able to start applying administrative sanctions and will have clearer and more objective means to do so.
Our Digital Law team continues to follow all related developments and may be reached at digital@kasznarleonardos.com.