7 Years of LGPD in the Public Sector: The Responsibility of the Administration, Agents, and Public Servants for the Processing of Personal Data


The Brazilian State is responsible for the largest volume of personal data processing in Brazilian territory. The Union, States, Federal District, and Municipalities process the personal data of more than 215 million inhabitants, in addition to foreigners who, in one way or another, maintain relationships with Brazil. This volume implies a gigantic responsibility for the Public Administration, as it is inseparable from the provision of services to the population, with registers of taxpayers, students, patients of the public health network, and civil servants. Processing personal data is therefore not optional for the public administration: it must occur across the three branches of government, which, by the principle of legality, are obliged to carry it out in accordance with the LGPD (Brazilian General Data Protection Law).

This obligation to process information that identifies natural persons, or makes them identifiable, is accompanied by mandatory compliance with other relevant regulations, especially the LGPD, in keeping with Article 37 of the 1988 Constitution of the Federative Republic of Brazil (CRFB/88), which enshrines the principle of legality, alongside impartiality, morality, publicity, and efficiency.

These principles condition state action in all its dimensions and, in particular, in the collection, use and sharing of personal data, imposing limits and related duties. Constitutional Amendment No. 115, enacted on February 10, 2022, elevated the protection of personal data, including in digital media, to the status of a fundamental right (item LXXIX of Article 5 of the Federal Constitution), reinforcing the obligation to observe these parameters.

It is important to remember that the Supreme Federal Court, when judging ADI 6.387/DF in a 2020 decision, expressly recognized the fundamental right to the protection of personal data and to informational self-determination as implicit fundamental rights in the 1988 Constitution, even before the promulgation of Constitutional Amendment No. 115/2022. In that judgment, which analyzed Provisional Measure No. 954/2020 (which provided for the sharing of telephone user data with the IBGE during the COVID-19 pandemic), the Court established that informational self-determination stems from the general clause protecting the dignity of the human person (Article 1, III, CF/88) and the right to privacy (Article 5, X, CF/88), guaranteeing the holder the power to decide on the flow of their personal information. Thus, in Brazil, through concentrated constitutional review, data protection was established as an autonomous fundamental right, reinforcing the binding nature of the General Data Protection Law (Law No. 13.709/2018) within the scope of Public and Private Administration.

This normative framework also includes §6 of Article 37 of the 1988 Federal Constitution, which establishes the strict (objective) liability of the State, according to the theory of administrative risk, encompassing damages caused to third parties by its agents acting in that capacity. Thus, when incidents such as leaks, unauthorized access, or misuse of personal data occur within a public body or as a result of public conduct, the injured party only needs to prove the damage and the causal link, without having to demonstrate intent or negligence on the part of the agent (DI PIETRO, 2023). The obligation to compensate is therefore due regardless of any subjective assessment of the conduct of the public administration's agents.

However, this rule does not preclude a right of recourse against the responsible employee or manager in cases of fraud or gross negligence, as also provided for in §6 of Article 37 of the 1988 Federal Constitution. Conduct such as the unlawful sharing of registration databases, the failure to appoint a Data Protection Officer (DPO), the failure to implement recommended security measures, or resistance to complying with the determinations of the DPO constitutes, at least in theory, gross negligence and gives rise to a right of recourse (MENDES; COELHO; BRANCO, 2022) by the administration against the manager and the employee.

In these terms, violation of Law No. 13.709/2018 (General Data Protection Law – LGPD) by public entities may also constitute an act of administrative misconduct, according to Law No. 8.429/1992, amended by Law No. 14.230/2021, since Article 11 classifies as misconduct the offense against the principles of Public Administration, so that the abusive or distorted use of personal data, whether for political persecution, illicit enrichment, discrimination, or even improper sharing, may result in sanctions such as the payment of fines, compensation, and even the loss of public office, suspension of political rights and civil fines.

Internationally, the European Union's General Data Protection Regulation (Regulation (EU) 2016/679 – GDPR) includes the same requirements as the LGPD for public bodies, such as compliance with the law and the duty to adopt appropriate technical and organizational measures (Article 24), non-compliance with which implies the responsibility of the controller and the operator for unlawful processing (Article 82), a responsibility that may extend to public servants.

Although the GDPR does not expressly use the strict liability regime for the public sector, it imposes on Member States the obligation to ensure full redress for damages, thus approaching, in practice, the protection offered by the Brazilian model, which expressly constitutionalizes this liability (KUNER et al., 2020).

In turn, the National Data Protection Authority (ANPD), in exercising its sanctioning power (article 55-J, XVIII, of the LGPD), has already applied penalties to public bodies. Recent cases include formal warnings, the requirement to prepare Data Protection Impact Assessments (DPIAs), the demand to correct legal bases used in government programs, and the imposition of public disclosure of the infraction.

It is worth noting that, although under Article 52, §3, of the LGPD (Brazilian General Data Protection Law), public entities are not subject to the pecuniary fine imposed by the ANPD (National Data Protection Authority), the applicable sanctions – such as the suspension of irregular processing and the obligation to adopt corrective measures – generate significant reputational and operational impacts, to which may be added pecuniary sanctions established in judicial proceedings or terms of adjustment of conduct which, borne by the State, give it the right of recourse against the public servants, which also occurs in relation to findings by the courts of accounts.

The relevance of the topic led the National Data Protection Authority (ANPD) itself to publish the Guidance Guide for the Processing of Personal Data by Public Authorities in 2023. The guide reinforces, for example, that the most common legal basis for state action is the fulfillment of legal and regulatory obligations alongside the execution of public policies (Article 7, II and III, and Article 23 of the LGPD), which generally dispenses with the consent of the data subject but does not set aside the principles of purpose, necessity, transparency and security. It also warns of the need to include data protection clauses in administrative contracts and agreements, preventing joint liability.

Therefore, the responsibility of the Public Administration for the processing of personal data is broad and multifaceted: objective in relation to the injured data subject; regressive against public servants and managers who act with intent or gross negligence; and potentially punitive in the field of administrative misconduct. Comparison with the GDPR demonstrates convergence regarding the protection of the data subject and the accountability of agents, but highlights that the Brazilian constitutional model offers greater protective scope by adopting the objective responsibility of the State. Observing the constitutional parameters, the LGPD (Brazilian General Data Protection Law), and the guidelines of the ANPD (National Data Protection Authority) is an indispensable condition for preserving social trust and the legitimacy of the exercise of public power in the digital age.


References

BRAZIL. Constitution (1988). Constitution of the Federative Republic of Brazil. Brasília, DF: Federal Senate, 1988.

BRAZIL. Constitutional Amendment No. 115, of February 10, 2022. Amends the Federal Constitution to include the protection of personal data among fundamental rights and guarantees. Official Gazette of the Union: section 1, Brasília, DF, February 11, 2022.

BRAZIL. Law No. 8.429, of June 2, 1992. Provides for administrative misconduct. Official Gazette of the Union: section 1, Brasília, DF, June 3, 1992.

BRAZIL. Law No. 13.709, of August 14, 2018. General Law on the Protection of Personal Data (LGPD). Official Gazette of the Union: section 1, Brasília, DF, August 15, 2018.

BRAZIL. National Data Protection Authority. Guidance Guide for the Processing of Personal Data by Public Authorities. Brasília, DF: ANPD, 2023.

DI PIETRO, Maria Sylvia Zanella. Administrative Law. 36th ed. Rio de Janeiro: Forense, 2023.

KUNER, Christopher; BYGRAVE, Lee A.; DOCKSEY, Christopher (eds.). The EU General Data Protection Regulation (GDPR): A Commentary. Oxford: Oxford University Press, 2020.

MENDES, Gilmar Ferreira; COELHO, Inocêncio Mártires; BRANCO, Paulo Gustavo Gonet. Course on Constitutional Law. 15th ed. São Paulo: Saraiva, 2022.

About the Author

Meet the author of this article.

  • Newton Moraes. Data Protection Officer (DPO) in Porto Alegre, RS, holds a Master's degree in Law, is a professor of Constitutional Law and Administrative Law, and a speaker and lecturer on LGPD (Brazilian General Data Protection Law), data protection and privacy, and Artificial Intelligence in Public Administration. He is the author of texts and coordinator of books on personal data protection in elections, neuroscientific rights, and topics related to privacy and personal data protection. He is a certified DPO by the Opice Blum Academy and holds a degree in Privacy and Personal Data Protection from INSPER. He is a licensed lawyer with the OAB/RS (Brazilian Bar Association, Rio Grande do Sul chapter).
