Introduction

Following the public consultation on the matter, the Brazilian Data Protection Authority (“ANPD”)[1] approved, on October 29, 2021, Ordinance CD/ANPD No. 1 regarding the monitoring and enforcement of administrative sanctions by the ANPD (the “Ordinance”).

Using a responsive regulation methodology, the Ordinance provides for specifics of ANPD’s enforcement actions (Article 15 and following), including the monitoring activities (Article 18), orientation activities (Article 27), preventive measures (Article 30), as well as repressive activities (Article 37). The Ordinance does not expressly establish that the preventive measures will be considered a priority compared to the repressive actions. Nevertheless, it details the authority’s role in encouraging processing agents to comply with the LGPD, assisting agents in consolidating the understanding of the changes introduced by the LGPD.

 

The Four Stages of ANPD’s Enforcement Activities

ANPD’s enforcement activities include four stages: (i) monitoring activities, (ii) orientation activities, (iii) preventive measures, and (iv) repressive activities. Such activities might be implemented directly by ANPD and upon request by third parties, in periodic programs carried out by the ANPD, in coordination with other public bodies and entities, and in cooperation with international data protection authorities.

The Ordinance emphasizes the importance of coordination between the ANPD and other government agencies. In this regard, the ANPD signed technical cooperation agreements with the National Consumer Secretariat of the Ministry of Justice of Brazil (SENACON) in March 2021 and the Administrative Council for Economic Defense (CADE) in June 2021. Such agreements aim to align efforts and strengthen enforcement activities to protect consumer data, including against security incidents, and to combat activities that may harm the economic order. Those are good examples of ANPD’s effort to establish cooperation with other government authorities.

In addition to the administrative procedure for applying administrative sanctions, the Ordinance establishes specific duties to be observed by regulated entities. These include not obstructing enforcement actions of the ANPD, providing documents when requested, allowing access to its premises, equipment, and systems, allowing ANPD to conduct audits, retaining specific documentation, and indicating a representative to support ANPD in its enforcement actions. The activities undertaken by the ANPD are subject to the Information Access Act (Law No. 12.527/11) and, therefore, not confidential by default. If the ANPD collects any information related to a regulated entity, such entity shall request secrecy concerning its information. However, the Ordinance does not expressly establish in which circumstances the ANPD will accept secrecy classification requests.

 

Monitoring Activities

The monitoring activity aims to collect relevant information and data to support decision-making by the ANPD and ensure the regular compliance of processing agents with the LGPD. The ANPD will periodically monitor how companies process personal data, and the first monitoring cycle will begin in January 2022.

The Ordinance creates two monitoring instruments to support the authority in strategically enforcing the LGPD – the Monitoring Cycle Report and the Map of Priority Themes. The Ordinance also sets forth initial guidelines for the analysis of data subjects’ requests. The Monitoring Cycle Report is described as an accountability and planning mechanism for ANPD’s monitoring activity. It will assist the authority in evaluating its enforcement activities within the monitoring cycle based on concrete indicators and results obtained in the previous period, directing the strategies and guidelines of its performance and the consolidation of information obtained in the period. The Map of Priority Themes will be issued every two years and will establish the priority themes to study and plan the enforcement activities of the period, based on the risk, severity, and subject matter importance.

According to the ANPD, the expectation with the enactment of the Ordinance is that the authority may use such resources to (i) plan and support inspection activities with relevant information; (ii) analyze the compliance of processing agents concerning the protection of personal data; (iii) consider the regulatory risk based on the behavior of processing agents, to allocate resources and adopt actions compatible with the risk; (iv) prevent irregular practices; (v) foster a culture of protection of personal data; and (vi) correct irregular practices and repair or minimize any damages.

 

Orientation Activities

The ANPD will promote orientation measures aimed at guiding, raising awareness, and educating processing agents, personal data subjects, and other parties that may have an interest in the processing of personal data. The orientation measures include (i) drafting guidelines on best practices and documents to be used by processing agents, (ii) suggesting that training sessions and courses be conducted, (iii) developing self-assessment tools to be made available on public platforms, (iv) disseminating good practice and governance rules, and (v) recommending technical standards to allow data subjects to exercise control over their data, implementation of privacy governance programs, and codes of conduct and good practices issued by certification entities.

 

Preventive Measures

The preventive measures are based on the joint and dialogued construction of solutions and actions to avoid or remedy situations that may cause risk or damage to personal data subjects and other processing agents.

ANPD’s preventive measures include (i) the disclosure of aggregated and performance sector information and data, (ii) notice containing the description of the situation and information sufficient for the processing agent to identify the necessary measures, (iii) request for compliance adjustment or report, in cases whose complexity does not justify the preparation of a compliance plan, and (iv) request for a compliance plan, which should include the object, deadline, actions planned, monitoring criteria and the trajectory of achieving the expected results. The measures applied during preventive activity do not constitute a sanction to the regulated entity. However, failure to comply with the compliance plan will cause the ANPD to pursue a repressive action and will be considered an aggravating factor if a sanctioning procedure is instituted.

 

Repressive Actions

ANPD’s repressive actions are also contemplated in the Ordinance, according to Article 55-J, IV of the LGPD. The repressive activity is the coercive action of the ANPD, aimed at interrupting situations of damage or risk, bringing the agent back into full compliance with the LGPD, and imposing the applicable sanctions provided for in Article 52 of the LGPD through a sanctioning administrative process.

The Ordinance establishes the principles that must be observed by the ANPD when conducting the sanctioning administrative procedure, including, among others, the principles of legality, purpose, motivation, reasonability, proportionality, moderation, right of defense, public interest, and efficiency. It also provides for the structure and deadlines applied to the administrative process.

The General Enforcement Coordination (“CGF”) is the first instance for conducting repressive actions, responsible for initiating official administrative investigations, preparatory activities, and sanctioning procedures. The Ordinance provides that the processing agent is entitled to present a settlement proposal after the sanctioning process has been established. If accepted, the process is shelved. If not, the processing agent shall have 10 business days to file a defense. In this regard, having a concrete action plan to assist in preparing a proper response to the complaint is critical to meeting such a short deadline. After the decision rendered by the CGF, the processing agent may file an appeal within ten business days from the receipt of the notice of the decision, which will be judged by the Board of Directors, the last instance of the administrative process. The possible sanctions under the LGPD include warning and public disclosure, monetary fines, blocking, deletion, and suspension of data processing activities.

 

Conclusion

On ANPD’s 1st anniversary, the Ordinance demonstrates that ANPD is working in line with its strategic planning and promoting a reasonable data protection landscape in Brazil. The Ordinance properly values educational and preventive actions, leaving no doubt that the imposition of a fine will be used gradually, depending on the behavior of the processing agent, when the ANPD’s orientation and preventive measures are not sufficient to ensure compliance with the LGPD.

The Ordinance lacks rules and criteria for the imposition of penalties, particularly regarding calculating monetary fines and aggravating or mitigating circumstances. Therefore, the authority is still unable to apply monetary sanctions as it still needs to enact a regulation defining “the methodologies that will guide the calculation of the amount for fines” (Article 53 of the LGPD).

Note that the ANPD is not the only governmental body with powers to impose penalties concerning the processing of personal data in Brazil. The Ordinance and the LGPD do not limit consumer protection agencies’ ability to apply other administrative, civil, or criminal sanctions, such as those defined in Law No. 8,078/1990 (Brazilian Consumer Protection Code) or other specific legislation. In this regard, SENACON, the State Departments for Consumer Protection and Defense (Procon), and the Public Prosecutor’s Office of the Federal District and Territories (MPDFT) have also been adopting a proactive position in the sanctioning for infringement of data protection standards since before the entry into force of the LGPD (e.g., MPDFT vs. Serasa, Procon vs. Raia Drogasil, Procon vs. Facebook, Senacon vs. Banco Itaú Consignado, and IDEC vs. Hering).

[1] Pursuant to Article 5, XIX of the LGPD, the ANPD is a government body responsible for ensuring, implementing and supervising the compliance with the LGPD.

 
