LGPD and retroactive effects of pecuniary sanction


On August 1st, 2021, the provisions of the General Data Protection Law (LGPD) that establish the application of administrative sanctions (art. 52, LGPD) entered into force, including those of a pecuniary nature, which may total 2% of the revenues of the business group, up to a maximum of 50 million reais per breach. However, the Brazilian National Data Protection Authority (ANPD) has clarified that such fines would only apply once the corresponding regulation is issued, particularly regarding the definition of the methods to establish the amounts of the fines.

While in 2021 the ANPD devoted itself to providing general guidelines, 2022 will be a year marked by the issuance of regulations of a more practical nature, as stated by the authority's representatives. According to the 2021-2022 biannual schedule, the regulation of pecuniary sanctions should take place in the first half of 2022.

The ANPD surprised many when, in January this year, it stated that such sanctions may be applied retroactively, that is, reaching breaches that have occurred since the entry into force of the corresponding provisions on August 1st, 2021. Thus, any breach between that date and the effective regulation of the penalties provided for in art. 52, II and III of the LGPD may be subject to fines, even if retroactively.

It is estimated that over 600 million data items were leaked in 2021 in just the three cyber-attacks that occurred in January, February and September, with a total estimate of 44.5 million attempted virtual scams and 41 million malware blocks. This scenario illustrates the concern of data processing agents in view of the imminent regulatory changes. After all, if a security breach is detected in such data leakage cases, administrative sanctions will be applicable to the agents responsible.

It is worth mentioning, however, that the purpose of the inspection and fines is to protect the rights of data subjects and encourage companies to comply with the law. ANPD stresses that a company will only be punished in case of negligence in the handling of personal data. If the company complies with the LGPD rules, there is nothing to worry about.

However, according to verifications carried out by Patricia Peck, sitting member of the Brazilian National Council for the Protection of Personal Data and Privacy (CNPD), by January 2022 fewer than 30% of private companies and public institutions were in 100% compliance with the LGPD, which should be seen as a warning sign.

In 2021, around 600 cases mentioning the LGPD were brought to court. With the current scenario of low adherence to compliance policies combined with the imminent regulation of the amount of pecuniary penalties, it is expected that this number will be easily exceeded in 2022.



Written by Fernando Borges, associate at Drummond Advisors
