On August 1st, the provisions of the General Data Protection Law that establish the application of administrative sanctions (art. 52, LGPD) came into force, including those of a pecuniary nature, which may total 2% of the revenues of the business group, up to a maximum of 50 million reais per breach. However, the Brazilian National Data Protection Authority (ANPD) has clarified that such fines would only apply after the regulation, particularly regarding the definition of methods to establish the amounts of fines.
However, if in 2021 the ANPD devoted itself to the provision of general guidelines, 2022 will be a year marked by the issuance of regulations of a more practical nature, as stated by the representatives of such authority. According to the 2021-2022 biannual schedule, the regulation of pecuniary sanctions should take place in the first semester of 2022.
It so happens that ANPD surprised many when, in January this year, it stated that such sanctions may be applied retroactively, that is, reaching breaches that have occurred since the entry into force of the corresponding provisions, on August 1st, 2021. Thus, any breaches between such date and the effective regulation of the penalties provided for in art. 52, II and III of the LGPD may be the object of fines, even if retroactively.
It is estimated that over 600 million pieces of data were leaked in 2021 alone, just in the three cyber-attacks that occurred in January, February and September, with a total estimate of 44.5 million attempts of virtual swindle scams and 41 million malware blocks. This scenario illustrates the concern of handling agents in view of imminent regulatory innovations. After all, if a security breach is detected in such data leakage cases, administrative sanctions will be applicable to the agents responsible.
It is worth mentioning, however, that the purpose of the inspection and fines is to protect the rights of data subjects and encourage companies to comply with the law. ANPD stresses that a company will only be punished in case of negligence in the handling of personal data. If the company complies with the LGPD rules, there is nothing to worry about.
However, according to verifications carried out by Patricia Peck, sitting member of the Brazilian National Council for the Protection of Personal Data and Privacy (CNPD), by January 2022, less than 30% of private companies and public institutions were in 100% compliance with the LGPD, which should be seen as a warning sign.
If, in 2021, around 600 cases mentioning the LGPD were brought to court, with the current scenario of low adhesion to compliance policies combined with the imminent regulation of the amount of pecuniary penalties, it is expected that such number will be easily exceeded in 2022.
Written by Fernando Borges, associate at Drummond Advisors