Extract from Tasneem Bandukwala’s article “Brazil Announces Sanctions for Violations of LGPD”
While the Brazilian General Data Protection Law (LGPD) was signed into law in 2018 and has been in effect since 2020, until recently it lacked an enforcement mechanism. In February 2023, Brazil’s Data Protection Agency (ANPD) announced the sanctions available under the law and now has the means to enforce compliance.
The LGPD brings 40 different laws governing personal data in Brazil under a single umbrella. It applies to at least 12,000 large companies (over 250 employees) that control or process data involving Brazilian citizens, granting them rights to confirm, access, correct, anonymize, delete, and otherwise control personal data. As the largest economy in Latin America, Brazil helps define standards for the region—but it is also a prominent target for cybercriminals. Giving ANDP a means of requiring compliance may help spur companies with lax data protection postures to take corrective action more quickly, reducing the risk of cybercrime.
On February 24th, 2023, ANDP issued the Regulation on Calculation and Application of Administrative Sanctions, which explains the enforcement mechanisms available under the LGPD and sets out the criteria to be used by the ANPD in calculating and applying sanctions for non-compliance with the LGPD. While penalties can be quite severe, the ANPD does offer leniency for companies that make good faith efforts to comply and correct issues, and the regulations do require the agency to take into account both mitigating and aggravating factors when determining the penalty for a given infraction.