Introduction

On February 27, 2023, the Brazilian National Data Protection Authority (ANPD), the primary regulatory authority in the data governance domain, promulgated Resolution No. 04. Resolution No. 04 summarizes a substantial effort to strengthen the legal architecture that governs data protection in Brazil. Rooted in the evolving digital ecosystem, Resolution No. 04 stands as a guiding line to stakeholders on their path to data privacy compliance. Until now, the ANPD did not possess an operational structure for updating inspections. Moreover, and most importantly, the ANPD did not have a legal framework for calculating fines, which prevented its application. Considering only the text of the LGPD, in effect since 2020, the ANPD only had at its disposal the classifications of administrative sanctions but lacked to authority to enforce them. Resolution No. 04 comes at a time of caution, as, theoretically, public and private companies would already be in the process of adapting to LGPD since 2018, when the law was published. While it's acknowledged that only a small number of processing entities have truly prioritized the protection of personal data, it was inevitable that the time when sanctions could be enforced would eventually arrive.

This article will be concerned, firstly, with providing a general context of the LGPD, addressing the gap left by the legislator in Articles 52 to 54, as well as the constitutionality of such an omission and how this would have legal consequences for the performance of the supervisory agent. Secondly, it will undertake a specific analysis of Resolution No. 04, aiming to better understand its purpose, applicability, and temporality. Always keeping an eye on the Brazilian constitutional perspective, the retroactivity of pecuniary sanctions, along with how the ANDP behaves in this matter. Finally, the article will reach the point where a practical analysis of the current inspection processes of the ANPD cases that have resulted in convictions will be conducted. Although these cases are still limited, they will be briefly mentioned to better understand the behavior of the competent authority and to anticipate what can be expected in the future.

The LGPD and its regulatory gap to be filled

The LGPD addresses the topic of legal supervision and administrative sanctions in its Chapter VIII, from Articles 52 to 54. The legal text enacted in 2018 determines sanctions such as warning, simple fine, daily fine, publicizing the infraction, blocking of personal data, deletion of personal data, partial suspension of the operation of the database, total suspension of the exercise of data processing activities personal data, and partial or total prohibition of carrying out processing activities.

It is important to highlight that the application of administrative sanctions outlined in the LGPD does not rule out the possibility of simultaneously applying administrative, civil, or criminal sanctions, in accordance with the Consumer Protection Code (CDC). Among a few other still superficial predictions, the LGPD reinforces that the ANPD has the regulatory competence to properly define administrative sanctions in matters of personal data protection. Furthermore, the regulation must outline the methodology that will guide the calculation of the value for fine sanctions and establish the circumstances and conditions for the adoption of a simple or daily fine.

It was expected that the LGPD would not provide layers from practical application in the short term. Given this, the law chose to establish parameters for classifying sanctions and delegated to the competent authority the task to technically regulate how dosimetry would be applied. As a result of the LGPD, the mere classification of sanctions without a methodology would not be sufficient for effective inspection regarding data protection, nor would it be legally possible. The principle of impossibility of applying a sanction without a legal basis is a cornerstone of the Brazilian Federal Constitution (the Constitution). This principle asserts that actions taken by the State, such as the imposition of penalties or sanctions, must be firmly grounded in law. Among other principles, it is worth highlighting the principle of legality and the principle of typicality. The principle of legality means that the State can only act within legal limits, making it impossible to apply penalties or sanctions without a legal basis that authorizes such action. On that same interpretation, the principle of typicality requires the sanctioned conduct to be defined in law so that the agent knows what is prohibited by law before he can be sanctioned for it. Incidentally, the LGPD itself reaffirms the principle of typicality by expressly reminding that 'the methodologies referred to in the caput of this article must be previously published, for the knowledge of processing agents.'

In summary, until there were specific regulations on sanctions and dosimetry, the LGPD would lack legal force for punishment. In view of this, Resolution No. 04 published in 2023 addresses and fills a gap left by the LGDP.  

Resolution No. 04 and its temporal applicability

On the issue of data protection, Brazil took a significant step towards achieving accuracy with the implementation of Resolution No. 04 by the ANPD. Resolution No. 04 focuses on dosimetry, addresses critical aspects of the application of penalties under the LGPD. The concept of dosimetry consists of the calculation made to define what penalty will be imposed on a person as a result of a legal violation. Resolution No. 04 appears to define a method of guidance for applying the sanction in a proportionate and appropriate manner to the violation of the LGPD, also considering the calculation to be made to arrive at the applicable sanction, especially if it requires a pecuniary value. Until then, without ANPD Resolution No. 04, the LGPD's effort to classify the types of sanctions would still be insufficient.

By establishing the circumstances, conditions, and methods of applying sanctions, Resolution No. 04 seeks to strike a balance between the seriousness of the violation and the sanctions imposed. Therefore, it is necessary to emphasize that the dosimetry regulation incorporated in Resolution No. 04 is not just a mere mathematical and procedural gap, but a mechanism to guarantee justice, proportionality, suitability, and legal certainty in the application of data protection laws. The LGPD's administrative sanctions were scheduled to take effect from August 1, 2021. However, given the three-year time gap between the publication of the LGPD and the release of Resolution No. 04, questions about the delay in regulating the inspection process can be raised. Having already overcome the debate on the need for legal regulation to properly apply the known sanctions, there was a political lobby from companies in the National Congress to postpone the definition of dosimetry that would make it possible to impose fines. Furthermore, it cannot be ignored that ANPD, even though it had been established in 2019, did not have the operational strength to supervise. It is noted that the Government chose not to prioritize the organizational infrastructure of the ANPD, which directly impacted the agency's ability to fulfill its responsibilities and, consequently, publish the necessary regulations (mandated by the LGPD) to better clarify how its supervision would function its supervision.

Regarding public organizations, a relevant addition to be made is that, except for fines, all other regulated sanctions may be applied. Therefore, regardless of the infraction to be investigated and penalized by ANPD, committed by a public entity, it will not incur pecuniary loss through a fine. Although the largest data processing agent, public authorities, cannot be fined, the authority of ANPD can be applied to hold the Government's leaders and entities accountable. As highlighted by ANPD's general inspection coordinator, Fabrício Lopes: "The fact that ANPD cannot impose fines on public authorities does not mean that it does not have other instruments at its disposal to cause embarrassment to public bodies, if necessary. There are other measures, including the possibility of eventually requesting the accountability of managers who do not take the necessary actions."¹

Considering the time gap between the validity suggested by the LGPD in 2021, and the publication of Resolution No. 04 in 2023, a controversial question arises: can the ANPD fine-regulated agents for violations of the LGPD that occurred before the publication date of the dosimetry standard? In other words, is there retroactivity in the application of fines that were legally in force since 2021 if their dosimetry only existed from 2023? To answer this question, it will be necessary to discuss three different points of view.

The first group argues that there is no need to invoke the phenomenon of 'retroactivity,' considering that the sanctions had already been in force since August 1, 2021. Therefore, if the infraction occurred after that date, it could be investigated and penalized by the ANPD, in accordance with the standard that was only published in 2023. It is not surprising to know that this is the position adopted by the ANPD and that it has generated strong concerns in both the private and public sectors. In essence, the ANPD demonstrates that, since 2021, sanctions could be applied as they are in force. But, at the same time, it also recognizes that it was impossible to apply the fine, for example, due to the lack of a methodology defined in the standard, which only came years later.

The second group argues that from the moment the ANPD fines an agent for infractions that occurred before February 2023, this implies that the rule is retroactively being applied. The interpretation of the law, which did not even exist yet, would affect a past event in a way that would penalize past conduct that, at the time, was not necessarily considered as aggravating a potential violation of the LGPD. The decision to retroactively apply the rule to a past fact directly violates the Brazilian Federal Constitution, Article 5, XXXVI, which prohibits retroactive laws that may harm acquired rights or perfect legal acts. Furthermore, the purpose of regulating the dosimetry of sanctions is to contribute to legal certainty and the effectiveness of the LGPD, ensuring that sanctions are applied fairly and proportionately to the infractions committed. For this reason, the position adopted by the ANPD previously discussed would not corroborate the legal certainty and effectiveness of the LGPD. Therefore, the second group firmly argues that the ANPD could not apply any of the sanctions set out in Article 52 to infractions that occurred from February 2023, without any type of exception, at the risk of violating the Constitution and running into unconstitutionality.

Finally, the third group defends an alternative line of thought. They understand that the retroactive application of fines is prohibited, given the principle of non-retroactivity of standards. However, the ANPD could apply other sanctions, such as warnings and data blocking, to infractions that occurred from August 2021 onwards. If Resolution No. 04 innovates by establishing the dosimetric calculation, there is no need to discuss innovation for warnings and data blocking, for example. In fact, the third group reinforces that the methodology for calculating the fine penalty should be published before its application, and this publication only occurred in February 2023. Therefore, a pecuniary fine sanction, specifically, could not be applied to infringements that occurred before that date.

Although it is enriching to discuss three different points of view of the groups mentioned above, the fact is that, in practice, the ANPD already acts in accordance with the first group, applying administrative sanctions to facts after August 2021. Despite the controversial choice by the authority, the ANPD also has the argumentative strength to support this thesis.

Practical cases and final thoughts

Analyzing ANPD's current practice, it still has only a few cases to be debated.

The first company to be fined by ANPD, and the only one to date, is a telemarketing micro-company. The ANPD followed the dosimetry provided for in the legislation, applying two fines worth R$ 7,200.00 (approx. $1.400), making a total of R$14,400.00 (approx. $2.900). Many were surprised by the value of the fine imposed, as they assumed that there would be a more punitive bias from the authority. Given the low value, large-scale private companies may not yet be persuaded to worry about adapting to the LGPD. From the point of view of micro-enterprises, this punishment may be a warning for them to modify their data protection practices and comply with legislation as soon as possible to avoid such penalties. The telemarketing micro-company was not the only one penalized by the ANPD. A few other inspections and condemnation processes have already been reported, but these were against public entities. For this reason, the authority remained within legal restrictions, and no fine was imposed.

The regulation of dosimetry, above all else, emerged as an instrument of constitutional guarantee of due legal process. Despite the questionable actions by the ANPD, particularly concerning the imposition of retroactive fines, it is worth acknowledging that the pace of inspection and penalties remains slow. This pace provides companies, whether public or private, time to seek legal compliance. The LGPD still needs some additional layers and, even though Resolution No. 04 is an important and significant milestone in its regulation, new efforts still need to be taken. Regulating a legal gap is just the first step towards satisfying those who truly must be prioritized: the holders of personal data and their rights. After all, the LGPD aims to protect personal data and those who own it. There is no point in regulating a legal loophole without keeping the most vulnerable subjects in mind.

Parallel to this and conclusively, the legislator must always remain aligned with the fundamental rights guaranteed by the Brazilian Federal Constitution. Without the constitutional blessing and the legal purpose of protecting data subjects, Resolution No. 04 will not be sufficient to fill even the simplest of gaps.

Ana Costa Data Privacy Consultant
[email protected]
FTR Advogados, Brazil