Assessing Sanctions for Violations of Personal Data Protection Provisions in Brazil and the European Union: How Much Will it Cost?

In view of the current landscape of Brazilian and European privacy laws, and given the increasing risks of data leaks and invasive attacks such as ransomware, companies must take certain measures to protect their assets and comply with privacy regulation requirements in order to mitigate risks, potential costs, lawsuits, reputational damage, and legal sanctions, among other possible consequences.

In 2018, the Brazilian Government adopted Law No. 13,709, commonly referred to as the General Data Protection Law (“LGPD”). This legislation, inspired by the European Union’s General Data Protection Regulation (“GDPR”) enacted in 2016, imposes obligations and duties on Brazilian companies as well as on foreign entities doing business in Brazil.

Although these regulations share several similarities, there are differences in the possible sanctions a company could be subject to in Brazil and in Europe.

Both jurisdictions grant administrative authorities the power to impose warnings, fines, corrective measures, enforcement, and penalties. However, under the GDPR [1], for instance, fines may reach up to 20 million euros or 4% of the total global annual turnover from the previous fiscal year (whichever is higher) per violation, depending on the severity of the breach. Under the LGPD, fines may be up to 2% of the revenue of the company, group, or conglomerate earned in the year prior to the investigation, excluding taxes, with a maximum of R$ 50,000,000 per violation.

In addition, the LGPD establishes two types of monetary fines – the simple fine and the daily fine [2] – applicable only to private entities. The GDPR, on the other hand, establishes a single category of administrative fines, applicable to both private organizations and government bodies. 

To clarify the distinctions, we compare below the main administrative sanctions imposed by the GDPR and the LGPD:

In addition to the administrative sanctions mentioned above, individuals affected by identity theft or unauthorized access to their accounts following a data breach, for example, may, in both jurisdictions, seek civil liability from companies in court, requesting compensation.

In summary, both the LGPD in Brazil and the GDPR in Europe provide for a range of sanctions and penalties to ensure compliance with data protection laws and to defend individuals’ rights to privacy and data protection.

European countries such as France, Germany, the United Kingdom, Italy, and Ireland are known for their strict enforcement of data protection laws. The French authority (CNIL), for example, is renowned for imposing severe and significant sanctions, with notable cases such as the heavy fines imposed on Google and Amazon for violations relating to consent and the use of cookies [4]. In Brazil, despite the more recent establishment and consolidation of the ANPD, there is also a strong commitment to enforcing the LGPD.

Finally, it is important to highlight the dual compliance obligation with both the LGPD and the GDPR for a company incorporated in France, for example, that has subsidiaries in Brazil.

Addressing the specific nuances of the LGPD therefore requires a tailored compliance approach, beyond a mere replication of the GDPR. Partnering with GT Lawyers’ DataTeam serves as a safeguard against potential compensation costs and sanctions mentioned above, whether at the administrative level or in legal proceedings.

GT Lawyers

Anne Brunschwig 

abrunschwig@gtlawyers.com.br

[1] Unlike the LGPD, the GDPR has two levels of fines: (i) administrative fines for less serious violations, which can reach up to €10 million or 2% of global annual turnover (whichever is higher), and (ii) fines for more serious violations, which can reach up to €20 million or 4% of global annual turnover (whichever is higher). The determination of the type and amount of the fine takes into account factors such as the nature, severity, and duration of the violation, the degree of cooperation with supervisory authorities, the impact on the rights of the affected individuals, and any measures taken to mitigate the violation.

[2] The simple fine is a one-time penalty for a specific violation of the LGPD, while the daily fine is applied continuously until the company complies with the authority’s determination. Although the GDPR does not explicitly mention a ‘daily fine’, it allows authorities to impose sanctions repeatedly in cases of ongoing non-compliance, effectively serving a role similar to that of a ‘daily fine’.

[3] The publicity of the breach, once properly investigated and confirmed by the authority, is not one of the sanctions under the GDPR, as it is under the LGPD. For example, the Brazilian authority (ANPD) may require that the decision be published on the violating company’s website, in widely circulated newspapers, or through other relevant channels, depending on the extent needed to ensure appropriate publicity of the penalty. However, both the LGPD and the GDPR emphasize the importance of transparency and public awareness when it comes to protecting privacy and personal data rights. In this regard, both laws require that individuals be notified in the event of certain data breaches.

[4] Available at: https://www.cnil.fr/en/cookies-council-state-confirms-2020-sanction-imposed-cnil-against-amazon and https://privacyinternational.org/news-analysis/4347/cnil-fines-google-and-amazon-unlawful-use-cookies.