On August 1, 2021, the provisions of the General Data Protection Law (LGPD) on administrative penalties, applicable to data processing agents that violate the rules set out in the Law, entered into force.
However, although administrative fines are listed among those penalties (art. 52, LGPD), they will not yet be applied, since, according to the National Data Protection Authority, the legal provisions still need to be regulated.
It should be remembered that, since the approval of the legal text, these administrative fines have caused great concern among companies that carry out processing activities, because of the substantial amounts they can reach. Under the LGPD, such fines can reach 2% of the revenue in Brazil of the legal entity, group or conglomerate to which the infringing company belongs, up to a limit of R$50,000,000.00 per infraction.
Such concerns recently took concrete shape after an episode in which Amazon was fined US$886,600,000 (about €746 million) by the Luxembourg National Data Protection Commission, which found that the company's data processing activities did not comply with European law.
Although the facts that supported the application of that penalty have not been made public in detail, it is important to emphasize that, under the European General Data Protection Regulation (GDPR), the amount of any fine must be calculated taking into account the seriousness, duration and particular circumstances of the infraction. These criteria are similar to those used by the LGPD.
According to Amazon, the penalty is without merit and the company says it will vigorously contest it, but the episode prompts reflection on a future in which such amounts will be defined, in advance and by regulation, by the National Data Protection Authority (ANPD).
The ANPD stated that it would listen to companies and entities directly affected by these provisions in order to produce a regulation that makes sense, especially with regard to dosimetry, that is, how the amount of the penalty is calculated. However, regardless of the clarity and transparency with which this point is regulated, the situation ahead is still worrying. After all, these are amounts capable of driving companies out of the market.
For this reason, it is extremely important to comply with the LGPD and, in particular, to adopt effective cybersecurity controls. The Law sets out specific obligations regarding the adoption of security measures compatible with the nature of the data processed, and holds the processing agent liable for damage caused by irregular processing (art. 44, LGPD). In other words, if a leak occurs because the agent failed to adopt security mechanisms compatible with the legitimate expectation of security for the data in question and with the risks associated with a potential leak, the processing agent will have to compensate the affected data subjects, in addition to facing administrative sanctions.
Both civil liability to third parties and the sanctions applied by the ANPD will be graded according to how far the agent pursued security and compliance with the Law, leaving little room for defense when that standard was not pursued. Thus, in addition to the security measures themselves, it is extremely important to maintain good governance practices and to demonstrate a genuine interest in repairing any damage caused, all of which the ANPD takes into account when deciding on possible penalties.
Written by Fernando Borges, Associate at Drummond Advisors