Brazilian National Data Protection Agency (ANPD) Discloses List of Companies Being Investigated

In the wake of the Brazilian National Data Protection Agency (ANPD) issuing further regulations1 on the determination of penalties for violations of the Data Protection Law (LGPD),2 on March 23, 2023 the ANPD launched a new webpage with the list of companies and government agencies currently under investigation in a punitive administrative process.

The list currently includes only eight entities: one private company and seven government agencies. The list includes their names, date the investigation started, the process number, current status, and a brief description of the alleged violations. The main alleged violations include:

  • Not complying with an ANPD request;
  • Lack of notice of data breach incident to data subjects; and
  • Lack of security measures.

The only private company being investigated is facing some potentially more serious allegations, including “lack of proof of legal basis,” “lack of records of processing activities,” “non-remittance of a Data Privacy Impact Assessment,” and “lack of a Data Privacy Officer.”

This public list may negatively affect the business of companies that become a target of an ANPD investigation. The market and public opinion may see a company on this list as a non-compliant business they need to avoid or deal with carefully, even if the investigation may not end in a penalty or a warning. Therefore, non-Brazilian companies with subsidiaries in Brazil that may not be fully compliant with the LGPD should prioritize their data privacy program and get it in compliance as soon as possible.

According to the new ANPD’s Regulation of Dosimetry and Application of Administrative Sanctions, if a company is audited, the General Coordination of Inspection can order that company to undertake certain preventive measures, such as requiring it to become compliant and to create a plan of compliance, which are not considered penalties. If these measures are not followed, the ANPD can require new preventive measures or issue other more repressive measures, and such non-compliance will be considered an aggravating circumstance if a punitive administrative process is opened. The ANPD may impose a flat fine if the company has not timely complied with the preventive or corrective measures previously imposed on it, which can be increased or decreased based on company’s actions (e.g., repeating the same non-compliant practice or mitigating the effects of the infraction, respectively). These penalties, however, are without prejudice of other sanctions eventually being imposed to the company under article 52 of the LGPD. In sum, the ANPD has now in place all the tools to audit, correct and penalize non-compliance.

Companies should also keep in mind that employees’ personal data is protected under the LGPD, so many companies that do not process a large volume of client data may still process a large volume of employee data and have its processes scrutinized by the ANPD.

In fact, such companies, in addition to having to respond to the ANPD, may also be subject to “moral damages” (a type of pain and suffering damage) that the labor courts can grant to individual employees for the employer’s use of their personal data in violation of the LGPD. Also, depending on the circumstances, companies might also be subject to “collective moral damages” sought by the Labor Prosecutor’s Office under a type of class action.

Recent changes to the Data Security Incident Report form3 that companies must use in Brazil to report a data security incident to the ANPD can also lead to potential individual or collective moral damage claims if not carefully filled out. The revised form includes a number of multiple-choice answers and one, in particular, could be misinterpreted as an admission of causing harm.

The Data Incident Report form asks, “What are the probable consequences of the incident to the data subjects?” The possible answers for the company to mark are: Moral Damages; Social Discrimination; Social Engineering/Fraud; Restriction of Rights; Material Damages; Reputation Damages; Limitation to Access a Service; Loss of Access to Personal Data; Physical Integrity Violation; Identity Theft; Exposure of Data Protected by Professional/Legal Secrecy; Others. The following question (“What is the probable impact of the incident to the data subjects? A: May not suffer damages or suffer negligible damage or which can be overcome without difficulty”) may mitigate the answer to the prior question mentioned above, but still the initial answer can be damaging the way it is phrased.  

In sum, companies must continue to improve their data privacy processes and security measures in Brazil. HR and employment counsel should be included in the planning of such mechanisms, as many employment actions, such as recruitment, selection, background check, internal investigations, transfer of personal data to headquarters in the United States (and other countries), can, if not properly processed, violate the LGPD.

See Footnotes

Information contained in this publication is intended for informational purposes only and does not constitute legal advice or opinion, nor is it a substitute for the professional judgment of an attorney.