Penalties for Non-compliance
What are the potential penalties / remedies for non-compliance with the key data privacy and security laws in the jurisdiction?

[Last updated: January 2023]

There are:

☒        administrative remedies from regulators and law enforcement

According to the LGPD, sanctions include:

  • Warnings, with an indication of a deadline for correction measures to be taken
  • Simple fine of up to 2% of the net turnover of the economic group in Brazil, in its last fiscal year, limited to BRL 50 million (approx. USD 10.5 million) per violation
  • Daily fine, considering the total limits of the previous fine
  • Disclosure of the violation, after having properly verified and confirmed its occurrence
  • Blocking of the personal data that is the subject of the violation, until remedied
  • Deletion of the personal data, which is the subject of the violation
  • Suspension of the relevant database for six months, renewable for another six-month period
  • Suspension of the processing activities for six months, renewable for another six-month period
  • Prohibition of processing activities

** Please note that the ANPD is currently preparing a regulation on the applicability of penalties, which may set forth criteria for applying such penalties.

☒        criminal penalties from regulators and law enforcement

According to the Brazilian Criminal Code, it is a criminal offense to invade third parties' information devices, whether or not such devices are connected to the internet, by means that aim to obtain, alter or destroy data or information without the express or implied authorization from the device owner or to install vulnerabilities to obtain illicit advantages. The crime is punishable by detention of three months to one year, plus a fine. This penalty also applies to anyone who makes, offers, distributes, sells or discloses a computer device or software aimed at enabling the conduct described above. Also, in the event that the invasion results in obtaining content from private electronic communications, industrial or trade secrets, confidential information or the unauthorized remote control of the device, the penalty is increased to imprisonment for six months to two years, plus a penalty. This latter penalty is also increased in the event that the data or information obtained is disclosed, traded or transmitted to third parties.

☒        private remedies

The imposition of administrative remedies does not preclude the right of affected individuals to claim indemnification for damages caused by the processing of personal data. The Brazilian Federal Constitution expressly entitles the data subject to indemnification for both moral and material damages for violations of the individual's rights to data protection, intimacy, privacy and honor.

☐        other

If data subjects have private remedies, what form can these remedies take?

☒         individual personal actions

☒        representative actions (e.g., brought by a consumer / data privacy body or the supervisory authority)

☒        class actions