LGPD: Penalties are here. What next?

Since the first day of August 2021, the feared penalties provided for in the Brazilian General Personal Data Protection Law – LGPD entered into force and may now be enforced by the Brazilian National Data Protection Authority – ANPD, the regulatory entity in charge, against any offenses committed from August 1, 2021 onwards, or that have a continued nature initiated before this date.

However, the application of penalties of this nature is not as simple and trivial as one might believe.

Article 52 of the LGPD itself, in Paragraph 1, provides that these penalties will be applied only after the due administrative procedure, observing the right of defense. This may happen in a gradual, isolated or cumulative manner, according to the peculiarities of each case and certain objective parameters and criteria.

Such parameters and criteria should guide the assessments and conclusions of the authorities in order to establish and apply those penalties. Moreover, the ANPD itself should not go out applying penalties without the due regulatory process of supervision and application of penalties.

After a brief period of public consultation between May 28 and June 28, 2021, the ANPD is close to finalizing the first draft of the Regulation on the Supervision and Application of Administrative Penalties, the draft of which is available for consultation and subject to change and will soon be submitted for deliberation and validation by the ANPD Board of Directors. In addition, the ANPD will open for public consultation the proposed norms concerning sanctions and their effective application, the so-called dosimetry.

That being said, what conclusions can we extract?

Contrary to what many had believed before the LGPD entered into force, the ANPD, correctly, has been working with the required common sense, so that it can play the role assigned to it in the most complete, effective and responsible way.

In the face of those who had bet on a mostly punitive stance, greedy for the application of fines and money chasing, the ANPD signals that its actions should be guided much more by monitoring, guidance, prevention and repression, as can be seen in the information and guidelines disclosed so far.

It is not surprising that most companies, who will be acting as Controllers and Processor agents according to the LGPD (and, as such, potential subjects of penalties), have not yet adapted to the requirements and innovations introduced by law. That is, they do not comply with the privacy and personal data protection best practices yet.

Even after one of the longest vacatio legis (period for the law to enter into force) in Brazilian legislative history, perhaps in the world, there was still no widespread movement on the part of companies to prepare and adapt minimally to the new rules. Given the unpredictability and complexities brought by the pandemic of COVID-19, from now on, there are no more excuses to escape from the obligations that knock on the door of the Brazilian business environment.

The ANPD signals, as it should, that in the early stages of enforcement of the new law, the main drives will be caution and awareness. However, who knows how long this apparent “tolerant” attitude will be prevalent, before the penalties begin to be duly enforced?

Those who were fast in adopting measures for compliance with the requirements introduced by the LGPD are convinced they have taken the correct decisions and are prepared to face any turbulence related to personal data protection issues.

To those who have not yet followed the path of adequacy and deployment of information security measures for their data processing, the warning remains the same: do not waste time and seek assistance as soon as possible to recover lost time, since the culture of privacy and personal data protection is definitely here to stay.