Despite the General Data Protection Law having been approved almost 4 years ago, the ANPD – which was recently designated an autonomous agency and is responsible for oversight and the application of sanctions and fines – is encountering difficulties in doing its job.
In June the National Data Protection Authority It was transformed into a special type of autonomous agency, similar to the Central Bank, Anvisa (Brazilian Health Regulatory Agency), and ANATEL (Brazilian National Telecommunications Agency), but despite having autonomy, the ANPD It still does not have enough positions to ensure that satisfactory oversight is carried out.
As if that weren't enough, the local authority has been running into a bureaucratic issue regarding the application of applicable fines: The fact that it depends on the publication of an ordinance outlining the methodology to be used in calculating the amounts of these fines.
The situation is likely to change soon.
The expectation is that this ordinance will be made available for public consultation by August, and that its publication will take place no later than the end of September, with penalties potentially being applied in October, according to information obtained by Poder360.
If everything goes as planned, by the end of the year the ANPD (National Data Protection Authority) would have all the necessary tools to apply these penalties.
“We are discussing a future bill that adjusts the fines collected by the ANPD. By law, these resources obtained from the fines are allocated to the Fund for the Defense of Diffuse Rights. We are considering ways to financially support the ANPD.”"This was stated by Nairane Leitão, director of ANPD."
It is important to emphasize that the sanctions for irregularities with the LGPD guidelines are:
"Article 52. Data processing agents, due to violations of the rules established in this Law, are subject to the following administrative sanctions applicable by the national authority:"
I - warning, with indication of the term for the adoption of corrective measures;
II - simple fine, of at least 2% (dois per cent) of the income of the legal person of private directive, group or conglomerate not Brazil, not its last exercise, excluding taxes, limited, not total, to R $ 50.000.000,00 (fifty thousand reais) for infringement;
III - daily fine, observed or total limit referred to in section II;
IV - publicization of the infraction promptly expedited and confirmed at your request;
V - blocked two specific dice referred to as a violation attached to its regularization;
VI - elimination of two personal dice referred to as infraction;
X - partial suspension of the operation of the data bank to which the infraction refers to a maximum period of 6 (six) months, extended for the same period, attached to the regularization of the controller treatment activity;
XI - suspension of the exercise of the two personal data to which the infraction refers to the maximum period of 6 (six) months, extended for the same period;
XII – partial or total prohibition of carrying out activities related to data processing.
The LGPD (Brazilian General Data Protection Law) brought Brazil into line with countries that have their own regulations regarding the privacy of personal data, by imposing rules on the collection, processing, storage, and sharing of this data, seeking to guarantee a higher level of security and the fundamental right to privacy of the personal data of the data subjects.
