On February 27 , 2023, the Brazilian Autoridade Nacional de Proteção de Dados (ANPD) published regulations for the application of administrative sanctions which will empower the ANPD to mete out punishments for non-compliance with the General Data Protection Law (LGPD).

Violation of the General Data Protection Law may result in administrative sanctions being implemented by the National Data Protection Agency (ANPD). The maximum fine for these violations is R$50 million. The criteria for determining the penalties were released by the agency on Monday with Resolution Number 4.

Lawyers are already cautioning that businesses may need to go to court depending on how the rules are construed.

As the organization’s president, Waldemar Gonçalves Ortunho Jnior, has already noted, the ANPD was only waiting for the publication of these regulations to enforce the fines in at least eight instances. Inspections have been conducted since Law 13,709 became effective in September 2020; the ANPD has already received more than 6,900 complaints and 300 self-reports.

Article 28 of the Resolution provides a guarantee for Resolution No. 4’s retroactive application. In it, it is said,

The motion defines a violation according to the severity of the harm: small, medium, and serious. For instance, where it interferes with the fundamental rights of the owners of personal data or inhibits the use of a service while also causing the owners of the data material or moral harm, such as financial fraud and discrimination, it will be deemed medium.

The ANPD will consider factors including the offender’s earnings in the latest available year prior to the imposition of the sanction in the case of the imposition of a fine, in addition to this rating of the seriousness of the breach. The overall revenue of the group or conglomerate in Brazil shall be taken into account by the ANPD if there is no information available regarding the industry in which the infraction occurred.