The penalties provided for in the General Data Protection Law (LGPD) start to apply from Sunday (01/08). The body responsible for applying the sanctions provided for in the legislation — which was approved in 2018 and took effect in September 2020 — is the National Data Protection Authority (ANPD). But experts heard by Techblog say that companies are still not well adapted to the LGPD, and those that do not adjust could suffer long-term losses.
ANPD can fine companies up to R$50 million
As of Sunday, the LGPD sanctions provided for in Article 52 will apply to companies classified as data operators: those that use information processing as an inherent part of their business model.
ANPD can apply penalties gradually to companies that do not comply with the law, the first being just a warning without a fine, with a deadline for correcting the violation. After this notification, the company can be fined up to 2% of its sales, excluding taxes, with a ceiling that can reach R$50 million.
Upon the first fine, repeat offenders may face daily penalties (up to R$50 million). ANPD can publish the fine and even block the use of the data involved in the process. The maximum penalty provided is a total ban on the processing of personal customer data for up to 6 months.
The sanctions should have started to take effect in 2020, but a law published by the federal government in June of that year postponed them so that they would only start from the second half of 2021.
Companies are not LGPD-adapted, experts say
In the evaluation of Nicolo Zingales, professor at FGV Direito Rio and member of the Center for Technology and Society (CTS), this adaptation of companies is still moving slowly in Brazil. The pandemic made this adjustment difficult, which became just another cost in a period of financial constraint.
“The problem is that companies that had not adjusted their internal policies before the crisis have additional costs: mapping the internal flow and reallocating [data] agents within the company, nominating the person in charge [DPO] who acts as a channel with data holders. It is not a process that can be done overnight: it requires preparation”, explains Zingales.
Companies are mainly behind when it comes to spreading the LGPD’s principles among employees, according to experts consulted by Techblog. It’s a good practice that can prevent headaches in the future, such as more severe fines that can be imposed by enforcement authorities.
This employee awareness process can take months, according to Daniel Gatti, a professor of computing at PUC-SP, and Plínio Higasi, a master in Intelligence Technology and Digital Design, also from PUC-SP. For them, the market still shows signs that it is in the adjustment phase or has even started preparations to meet the LGPD’s commitments.
Lawyer Juliano Maranhão, director of the LGPD Institute, says that it would be prudent if ANPD applied lighter punishments in the first months from August onwards:
“Many companies and public bodies are still not fully adequate to the requirements of the LGPD and there are still several issues to be regulated by ANPD. Therefore, it would be healthy if, in this beginning and period of implementation of the data protection culture, ANPD adopted a milder dosimetry of penalties, with an educational character.”
This is also the assessment of lawyer Caroline Dinucci, an expert on LGPD. For her, the focus of the data protection authority is not on harming companies through fines:
“ANPD has existed since 2019, and it is also undergoing an adaptation: its leaders are learning about the LGPD. They’re not just interested in sanctioning companies; they don’t want to harm business, but rather put into practice a culture of data treatment.”
Also according to the lawyer at Dinucci Barreto Advogados, one of the punishments that can most negatively impact a company is not the fine, but the disclosure of the penalty, which can affect the brand’s reputation; consumers will think twice before purchasing products and services from someone fined by ANPD.
“Now we have to show that we have respect for consumer data. This makes the company competitive. It can be the difference between closing deals, making the consumer loyal, even for the future of the business”, points out Dinucci.
ANPD has no targets, even with data leaks
Although some companies and institutions face lawsuits for leaking information, such as Serasa and INSS, an ANPD spokesman said in an interview with Techblog that, for the time being, it does not have a list of pending investigations.
“As complaints arrive, the inspection process starts immediately”, says the agency, which has an ombudsman to register complaints from data subjects.
On July 8, ANPD published an ordinance that defines the regulatory processes used to apply the LGPD to companies. To apply the fines, the authority will consider some criteria, such as: “the gravity and nature of the violations and the affected personal rights, the economic condition of the offender, the degree of damage, the offender’s cooperation, the adoption of a good practices and governance policy and the prompt adoption of corrective measures”.
However, the agency states that it will still submit the rule regarding sanctions to public consultation.
Procon will collaborate with ANPD in exchanging information
To assist in the application of punishments, ANPD will be able to count on the exchange of information with other institutions. It is part, for example, of Senacon (National Consumer Secretariat), with which the Procon.
Speaking to Techblog, Guilherme Farid, Chief of Staff of Procon-SP, states that the pro-consumer agency should work in partnership with ANPD in exchanging information, and may even request investigations. However, he points out that Procon is only triggered by violations of the Consumer Protection Code (CDC), while ANPD punishes LGPD-related cases. Farid points out that companies can lose out if they do not comply with both laws:
“It will cost a lot for the company that doesn’t adapt. It’s the best of investments. If it doesn’t do this with the data in mind, there will be a fine. Procon can even suspend products involving the leakage of consumer data.”
However, ANPD should not distribute the same punishments to all companies that fail to protect data. There is a difference between large companies, which have had more budget to adapt and establish a data protection officer (DPO), and small and medium-sized companies.
In this sense, the LGPD is asymmetric, evaluates Nicolo Zingales, from FGV:
“Bigger companies are more on target because it’s something that worries them the most. In addition to having a person in charge, both as an authority and for data processing, companies must report on the impact of minimizing risks. LGPD is asymmetric. The same doesn’t apply to everyone. Agents with higher risk require more significant measures.”
Finally, Daniel Gatti and Plínio Higasi emphasize that the IT sector gains even greater importance, as it is responsible for protecting consumer data. According to the LGPD, in case of leaks, companies are required to indicate whether the failure was intentional and who is responsible.
“Without a careful IT sector, well managed and valued by the company, the administrative penalties and possible criminal issues could be even greater”, conclude the specialists from PUC-SP.