Introduction

After publishing a public consultation on the subject, the National Data Protection Authority (ANPD)[1] approved, on October 28, 2021, Resolution CD/ANPD No. 1 regarding inspection and application of administrative sanctions by the ANPD (the “Resolution”).

Using a responsive regulation methodology, the Resolution detailed the ANPD’s inspection actions (Article 15 and following), including monitoring activities (Article 18), guidance (Article 27), and prevention (Article 30), as well as repressive activities (Article 37). Although the Resolution did not expressly establish that preventive measures would be prioritized over repressive activities, it highlighted the role of the ANPD in encouraging data controllers to comply with the LGPD, assisting such controllers in understanding the changes introduced by the LGPD.


The Four Stages of ANPD’s Inspection Activities

The ANPD’s inspection activities include four stages: (i) monitoring activities, (ii) guidance activities, (iii) preventive activities, and (iv) repressive activities. These activities may be carried out on the ANPD’s own initiative or upon request from third parties, both in periodic programs conducted by the ANPD and in coordination with other public bodies and entities or in cooperation with international data protection authorities.

Regarding coordination between the ANPD and other government bodies, the ANPD has already signed technical cooperation agreements with the National Consumer Secretariat (SENACON) in March 2021 and with the Administrative Council for Economic Defense (CADE) in June 2021. These agreements aim to align efforts and strengthen inspection activities to protect consumers’ personal data, including against security incidents and activities that may harm the economic order.

Besides guidance on ANPD’s actions, the Resolution establishes specific duties to be observed by data controllers and other interested parties. These include not obstructing the ANPD’s inspection activities, providing documents when requested, allowing access to their facilities, equipment, and systems, permitting the ANPD to conduct audits, maintaining specific documentation, and providing a representative to support the ANPD in its inspection actions. The activities carried out by the ANPD are subject to the Access to Information Law (Law No. 12,527/11) and, therefore, as a rule, are not confidential. If the ANPD collects any information related to a data controller or interested party, the respective party must request confidentiality of their information. However, the Resolution does not expressly establish under which circumstances the ANPD will accept confidentiality requests.


Monitoring Activities

The monitoring activity aims to collect relevant information and data to support the ANPD’s decision-making and ensure regular compliance with the LGPD by data controllers. The ANPD will periodically monitor how companies process personal data, and the first monitoring cycle will begin in January 2022.

The Resolution creates two monitoring instruments to support the authority in the strategic application of the LGPD: the Monitoring Cycle Report and the Priority Topics Map. The Resolution also established initial guidelines for analyzing data subject requests. The Monitoring Cycle Report is described as an accountability and planning mechanism for the ANPD’s inspection activity. It will assist the Authority in evaluating its inspection activities within the monitoring cycle, based on concrete indicators and results obtained in the previous period, guiding its performance strategies and directives, and consolidating the information obtained during the period. The Priority Topics Map, in turn, will be issued every two years and will establish priority themes for studying and planning enforcement activities during the period, based on risk, severity, and importance of the subject.

According to the ANPD, the expectation with the promulgation of the Resolution is that the Authority may use these instruments to (i) plan and support inspection activities with relevant information, (ii) analyze the compliance of data controllers with personal data protection, (iii) consider regulatory risk based on data controllers’ behavior, allocating resources and adopting actions compatible with the risk, (iv) prevent irregular practices, (v) foster a culture of personal data protection, and (vi) correct irregular practices and repair or minimize any damages.


Guidance Activities

The ANPD will promote guidance measures aimed at directing, raising awareness among, and educating data controllers, data subjects, and other parties that may have an interest in personal data processing. The guidance measures include (i) developing best practice guides and document templates to be used by data controllers, (ii) suggesting that training and courses be conducted, (iii) making self-assessment compliance tools available on public platforms, (iv) disseminating best practices and governance rules, and (v) recommending the use of technical standards to allow data subjects to exercise control over their data, recommending the implementation of privacy governance programs, and recommending observance of codes of conduct and best practices established by certification bodies or other responsible entities.


Preventive Measures

Preventive measures are based on the joint, dialogue-based construction of solutions and actions to avoid or remediate situations that may cause risks or harm to data subjects and other data controllers.

The ANPD’s preventive measures include (i) dissemination of aggregated sectoral information and performance data, (ii) notices containing descriptions of the situation and sufficient information for the data controller to identify necessary measures, (iii) requests for regularization and information in cases where the complexity does not justify the elaboration of a compliance plan, and (iv) requests for a compliance plan, which must include the object, deadlines, planned actions, monitoring criteria, and the trajectory for achieving the expected results. Measures applied during preventive activities do not constitute sanctions against the inspected entity. However, failure to comply with the compliance plan will lead the ANPD to proceed with repressive action, and will be considered an aggravating factor if an administrative sanctioning procedure is initiated.


Repressive Activities

The ANPD’s repressive activities are also foreseen in the Resolution, pursuant to Article 55-J, IV of the LGPD. Repressive activity is the ANPD’s coercive action aimed at interrupting harmful or risky situations, ensuring the full compliance of the data controller with the LGPD, and imposing applicable sanctions provided in Article 52 of the LGPD through an administrative sanctioning process.

The Resolution establishes principles to be observed by the ANPD when conducting the administrative sanctioning process, including, among others, the principles of legality, purpose, motivation, reasonableness, proportionality, moderation, right to defense, public interest, and efficiency. It also provides the structure and deadlines applied to the administrative process.

The General Coordination of Inspection (CGF) is the first instance responsible for conducting repressive actions, including initiating preliminary investigations, inquiries, and sanctioning procedures. The Resolution foresees that the data controller has the right to submit a proposal to enter into a conduct adjustment agreement after the sanctioning process is initiated. If accepted, the process is archived. Otherwise, the data controller will have 10 (ten) business days to present their defense. Therefore, having a concrete action plan to assist in preparing an adequate response to the complaint is crucial to meet such a short deadline. After the decision rendered by the CGF, the prosecuting party may appeal within 10 (ten) business days from receipt of the decision notification, which will be judged by the Board of Directors, the final instance of the administrative sanctioning process. Possible sanctions provided by the LGPD include warning, publication of the infraction, fines, blocking, prohibition, and suspension of data processing activities.


Conclusion

On the ANPD’s first anniversary, the publication of the Resolution demonstrates that the ANPD is working in accordance with its strategic planning and promoting a reasonable data protection environment in Brazil. The Resolution adequately values educational and preventive actions, leaving no doubt that the application of fines will be used gradually, depending on the data controller’s behavior, when the ANPD’s guidance and preventive measures are insufficient to ensure LGPD compliance.

The Resolution lacks rules and criteria for applying penalties, particularly regarding the calculation of fines and aggravating or mitigating circumstances. Therefore, the ANPD is still unable to impose pecuniary sanctions, as it still needs to enact a resolution defining “the methodologies that will guide the calculation of the base value of fines” (Article 53 of the LGPD).

It is worth remembering, however, that the ANPD is not the only governmental body empowered to impose sanctions related to personal data processing in Brazil. The Resolution and the LGPD do not limit the capacity of consumer protection agencies to apply other administrative, civil, or criminal sanctions, such as those defined in Law No. 8,078/1990 (Brazilian Consumer Defense Code – CDC) or other specific legislation. In this sense, SENACON, Consumer Protection Programs (Procons), and the Public Prosecutor’s Office of the Federal District and Territories (MPDFT) have also adopted a proactive stance in applying sanctions for violations of data protection rules even before the LGPD came into force (see, for example, MPDFT vs. Serasa, Procon vs. Raia Drogasil, Procon vs. Facebook, Senacon vs. Banco Itaú Consignado, and IDEC vs. Hering).
