Brazil: ANPD regulation on enforcement
Following public consultation on the matter, the Brazilian data protection authority[1] ('ANPD') approved, on 29 October 2021, Regulation CD/ANPD No. 1 ('the Regulation'), regarding the monitoring and enforcement of administrative sanctions by the ANPD. The Regulation entered into effect on the same day it was enacted. Although the sanctioning prerogatives of the ANPD entered into force on 1 August 2021, the Regulation is necessary to allow the ANPD to carry out this function. Alan Campos Elias Thomaz and Thaissa Lencastre Pinto, Founding Partner and Attorney respectively at Campos Thomaz Advogados, discuss the Regulation and its provisions.
Using a responsive regulation methodology, the Regulation provides for the specifics of the ANPD's enforcement actions, including monitoring activities (Article 18), orientation activities (Article 27), preventive measures (Article 30), and repressive activities (Article 37). The Regulation does not expressly establish that the preventive measures will be considered a priority compared to repressive actions. Nevertheless, it details the ANPD's role in encouraging processing agents to comply with Law No. 13.709 of 14 August 2018, General Personal Data Protection Law (as amended by Law No. 13.853 of 8 July 2019) ('LGPD'), as well as assisting them in understanding the changes introduced by the LGPD.
The four stages of ANPD's enforcement activities
The ANPD's enforcement activities include four stages:
- monitoring activities;
- orientation activities;
- preventive measures; and
- repressive activities.
Such activities might be implemented directly by the ANPD and upon request by third parties, in periodic programs carried out by the ANPD, in coordination with other public bodies and entities, and in cooperation with international data protection authorities.
The Regulation emphasises the importance of coordination between the ANPD and other government agencies. In this regard, the ANPD signed technical cooperation agreements with the National Consumer Secretariat of the Ministry of Justice of Brazil ('SENACON') in March 2021 and the Administrative Council for Economic Defence in June. Such agreements aim to align efforts and strengthen the enforcement activities to protect consumer data, including against security incidents, and combat activities that may harm the economic order. These are good examples of the ANPD's effort to establish cooperation with other government authorities.
In addition to the procedure for applying administrative sanctions, the Regulation establishes specific duties to be observed by regulated entities. These include not obstructing enforcement actions of the ANPD, providing documents when requested, allowing access to their premises, equipment, and systems, allowing the ANPD to conduct audits, retaining specific documentation, and indicating a representative to support the ANPD in its enforcement actions. The activities undertaken by the ANPD are subject to Law No. 12.527/11 of 18 November 2011 (Information Access Act) and, therefore, are not confidential by default. If the ANPD collects any information related to a regulated entity, that entity shall request secrecy concerning its information. However, the Regulation does not expressly establish in which circumstances the ANPD will accept secrecy classification requests.
Monitoring activities aim to collect relevant information and data to support decision-making by the ANPD and ensure the regular compliance of processing agents with the LGPD. The ANPD will periodically monitor how companies process personal data, and the first monitoring cycle will begin in January 2022.
The Regulation creates two monitoring instruments to support the authority in strategically enforcing the LGPD - the Monitoring Cycle Report and the Map of Priority Themes ('the Map'). The Regulation also sets forth initial guidelines for the analysis of data subject requests. The Monitoring Cycle Report is described as an accountability and planning mechanism for the ANPD's monitoring activity. It will assist the authority in evaluating its enforcement activities within the monitoring cycle based on concrete indicators and results obtained in the previous period, directing the strategies and guidelines of its performance and the consolidation of information obtained in the period. The Map will be issued every two years and will establish which themes are a priority to study and plan the enforcement activities of the period, based on risk, severity, and importance of subject matter.
According to the ANPD, the expectation with the enactment of the Regulation is that the authority may use such resources to:
- plan and support inspection activities with relevant information;
- analyse the compliance of processing agents concerning the protection of personal data;
- consider the regulatory risk based on the behaviour of processing agents, to allocate resources and adopt actions compatible with the risk;
- prevent irregular practices;
- foster a culture of protection of personal data; and
- correct irregular practices and repair or minimise any damages.
The ANPD will promote orientation measures aimed at guiding, raising awareness, and educating processing agents, personal data subjects, and other parties that may have an interest in the processing of personal data. The orientation measures include:
- drafting guidelines on best practices and documents to be used by processing agents;
- suggesting the conduct of training sessions and courses;
- developing self-assessment tools to be made available on public platforms;
- disseminating good practice and governance rules; and
- recommending technical standards regarding the implementation of privacy governance programs, codes of conduct, and good practices issued by certification entities, as well as to allow data subjects to exercise control over their data.
The preventive measures include joint dialogue and the construction of solutions and actions to avoid or remedy situations that may cause risk or damage to personal data subjects and other processing agents.
The ANPD's preventive measures include:
- the disclosure of aggregated and performance sector information and data;
- the power to issue a notice containing the description of the situation and information sufficient for the processing agent to identify the necessary measures;
- the power to request a compliance adjustment or report, in cases whose complexity does not justify the preparation of a compliance plan; and
- the power to request a compliance plan, which should include the object, deadline, actions planned, and monitoring criteria, as well as the trajectory of achieving the expected results.
The measures applied for preventive activities do not constitute a sanction on the regulated entity. However, failure to comply with the compliance plan will cause the ANPD to pursue a repressive action and will be considered an aggravating factor if a sanctioning procedure is instituted.
The ANPD's repressive actions are also contemplated in the Regulation, according to Article 55-J, IV of the LGPD. Repressive activities include any coercive action of the ANPD, aimed at interrupting situations of damage or risk, reconducting the agent for full compliance with the LGPD, and imposing the applicable sanctions provided for in Article 52 of the LGPD through an administrative sanctioning process.
The Regulation establishes, among other things, the principles of legality, purpose, motivation, reasonability, proportionality, moderation, right of defence, public interest, and efficiency. Those must be observed by the ANPD when conducting the sanctioning administrative procedure. It also provides for the structure and deadlines applied to the administrative process.
The General Enforcement Coordination ('CGF') is firstly responsible for conducting repressive actions, and is responsible for initiating official administrative investigations, preparatory activities, and sanctioning procedures. The Regulation provides that the processing agent is entitled to present a settlement proposal after the sanctioning process has been established. If accepted, the process is shelved. If not, the processing agent shall have ten business days to file a defence. In this regard, having a concrete action plan to assist in elaborating a proper response to the complaint is critical to meeting such a short deadline. After the decision rendered by the CGF, the processing agent may file an appeal within ten business days from the receipt of the intimation of the decision notice, which will be judged by the Board of Directors, the last instance of the administrative process. The possible sanctions under the LGPD include warning and public disclosure, monetary fines, blocking, deletion, and suspension of data processing activities.
On the ANPD's first anniversary, the Regulation demonstrates that the ANPD is working in line with its strategic planning and promoting a reasonable data protection landscape in Brazil. The Regulation properly values educational and preventive actions, leaving no doubt that the imposition of a fine will be done gradually, depending on the behaviour of the processing agent, when the ANPD's orientation and preventive measures are not sufficient to ensure compliance with the LGPD.
The Regulation lacks rules and criteria for the imposition of penalties, particularly regarding calculating monetary fines and aggravating or mitigating circumstances. Therefore, the authority is still unable to apply monetary sanctions as it still needs to enact a regulation defining 'the methodologies that will guide the calculation of the amount for fines' (Article 53 of the LGPD).
Note that the ANPD is not the only governmental body with powers to impose penalties concerning the processing of personal data in Brazil. The Regulation and the LGPD do not limit consumer protection agencies' ability to apply other administrative, civil or criminal sanctions, such as those defined in Law No. 8.078/1990 of 11 September 1990 (Brazilian Consumer Protection Code) or other specific legislation. In this regard, SENACON, the State Departments for Consumer Protection and Defence, and the Public Prosecutor's Office of the Federal District and Territories have also been adopting a proactive position in the sanctioning for infringement of data protection standards since before the entry into force of the LGPD.
1. Pursuant to Article 5, XIX of the LGPD, the ANPD is a government body responsible for ensuring, implementing and supervising the compliance with the LGPD.