Breaches and Fines under Brazil’s Lei Geral de Proteção de Dados (LGPD)

LGPD Enforcement Landscape
The Brazilian National Data Protection Authority (ANPD) has escalated enforcement of the LGPD since 2023, issuing warnings, fines, and operational restrictions. Key penalties include:
- Fines: Up to 2% of the organization's revenue in Brazil in its last fiscal year (excluding taxes), capped at BRL 50 million (~$10 million) per infraction.
- Non-monetary sanctions: Warnings, publicization of the infraction, blocking or deletion of the personal data involved, and partial or total suspension or prohibition of processing activities[1][5][14].
Notable LGPD Breaches and Fines
1. Telekall Infoservice (2023): First LGPD Fine
- Violation: Processed personal data without a legal basis, failed to appoint a Data Protection Officer (DPO), and failed to respond to the ANPD's requests during the investigation[7].
- Penalty:
  - BRL 14,400 (~$2,960) in fines, imposed as two simple fines of BRL 7,200 each (one per violation), plus a warning.
  - Corrective action: Mandated appointment of a DPO within 30 days.
- Significance: Marked the ANPD's first enforcement action, targeting a micro-enterprise to signal that compliance applies to businesses of all sizes[7][17].
2. IAMSPE (2023): Public Sector Accountability
- Violation: Delayed notification of a breach exposing 223,000 civil servants' data and inadequate security controls[3].
- Penalty:
  - Two warnings requiring updated breach notifications and security audits.
  - Public disclosure of corrective measures[3][4].
- Impact: Demonstrated that public entities face scrutiny under the LGPD, not just private companies.
3. Meta Platforms (2024): AI Training Restrictions
- Violation: Updated its privacy policy to use Brazilian users' Facebook and Instagram posts to train generative AI models, relying on legitimate interest rather than consent, with limited transparency and a hard-to-use opt-out[2][6].
- Penalty:
  - Preventive measure: The ANPD suspended the policy and ordered Meta to halt use of Brazilian personal data for AI training, backed by a daily fine of BRL 50,000 for non-compliance.
  - Investigation ongoing: Meta was later allowed to resume under conditions (clearer notice to users and a simpler opt-out); the sanctioning process remains open and fines are still possible[2][6].
4. National Social Security Institute (INSS) (2024): Public Data Breach
- Violation: Exposed sensitive data of pensioners due to inadequate encryption and access controls[2][6].
- Penalty:
  - Mandatory public disclosure of the breach.
  - Corrective action: Implement ISO 27001 certification for cybersecurity[2][13].
5. Healthcare Sector Audit (2024)
- Findings: 40% of audited hospitals lacked breach response plans or encryption for patient records[4][11].
- Penalty:
  - Fines: Total of BRL 12 million (~$2.4 million) across 15 institutions.
  - Compliance orders: Mandate annual penetration testing and staff training[11].
2024–2025 Enforcement Trends
- Stricter DPO Requirements
  - Resolution CD/ANPD No. 18 (2024):
    - Controllers must appoint a DPO by a formal written act; small-scale processing agents are exempt but must still provide a contact channel for data subjects[2][15].
    - DPOs must have "autonomy and independence" and direct access to the organization's highest management level[15].
- International Data Transfers
  - Resolution CD/ANPD No. 19 (2024) makes Standard Contractual Clauses (SCCs) the default mechanism for transfers to countries without an ANPD adequacy decision; the alternatives are specific contractual clauses approved by the ANPD and global corporate rules, with a 12-month transition period to migrate existing contracts[9][10][13].
  - Impact: Companies like Salesforce and Microsoft now require SCCs for Brazilian user data[13].
- Sector-Specific Scrutiny
  - Financial Sector: Incident notification is no longer open-ended. Resolution CD/ANPD No. 15 (2024) requires controllers in every sector to notify the ANPD and affected data subjects within three business days of becoming aware of an incident that may cause relevant risk or damage; banks and fintechs are additionally subject to the Central Bank of Brazil's own cyber-incident reporting rules[4][11].
  - Telecoms: Prohibition on data scraping for marketing without explicit consent[4][12].
- Focus on AI and Biometrics
  - ANPD's 2025 Priority: Regulate facial recognition systems and AI-driven data processing to prevent discriminatory outcomes[4][12].
Penalty Types Under LGPD
| Sanction | Description | Example Cases |
|---|---|---|
| Warning | Formal notice with a deadline to adopt corrective measures | Telekall[7], IAMSPE[3] |
| Simple Fine | Up to 2% of revenue in Brazil in the last fiscal year, capped at BRL 50 million per infraction | Telekall[7], Healthcare[11] |
| Daily Fine | Accrues per day of non-compliance, subject to the same BRL 50 million cap | Meta preventive measure (daily fine for non-compliance)[2] |
| Publicization of the Infraction | The violation is made public after it is confirmed | IAMSPE[3], Social Security[6] |
| Data Blocking/Deletion | Blocking or mandatory deletion of the personal data concerned | N/A |
| Activity Suspension/Prohibition | Partial suspension of the database (up to six months, renewable), suspension of the processing activity, or partial/total prohibition of data-processing activities | Meta's AI training suspension[2] |
Compliance Recommendations
- Appoint a Qualified DPO: Ensure autonomy and a direct reporting line to senior management[2][15].
- Adopt SCCs for Data Transfers: Align with the ANPD's 2024 international transfer rules (Resolution CD/ANPD No. 19)[9][10].
- Conduct Breach Simulations: Test response plans at least twice a year, including the three-business-day notification path[3][11].
- Audit AI Systems: Document the legal basis, consent mechanisms, and opt-out for training data[2][12].
Conclusion
The ANPD has transitioned from a "moderately active" to a "very active" enforcer, with fines totaling BRL 98 million (~$20 million) between 2023 and 2025[4][7][11]. Key sectors at risk include healthcare, finance, and AI-driven tech firms. As ANPD Director-President Waldemar Gonçalves noted: "LGPD is not just about fines—it's about building a culture of transparency." Companies must prioritize proactive compliance to avoid operational disruptions and reputational damage.
Citations:
[1] https://www.cookieyes.com/blog/lgpd-fines/
[2] https://www.jonesday.com/-/media/files/publications/2024/09/brazil-amps-up-enforcement-of-data-protection-law/files/brazil-amps-up-enforcement-of-data-protection-law/fileattachment/brazil-amps-up-enforcement-of-data-protection-law.pdf?rev=a8617d4aad5b403fb2b4bbf95aaddcac
[3] https://www.kasznarleonardos.com/en/brazilian-data-protection-authority-applies-the-second-penalty-for-non-compliance-with-lgpd/
[4] https://resourcehub.bakermckenzie.com/en/resources/global-data-privacy-and-cybersecurity-handbook/latin-america/brazil/topics/regulators-and-enforcement-priorities
[5] https://usercentrics.com/knowledge-hub/brazil-lgpd-general-data-protection-law-overview/
[6] https://www.jonesday.com/en/insights/2024/09/brazil-amps-up-enforcement-of-data-protection-law
[7] https://www.forbes.com/sites/angelicamarideoliveira/2023/07/11/brazil-issues-first-fine-for-data-protection-breach/
[8] https://iclg.com/practice-areas/data-protection-laws-and-regulations/brazil
[9] https://www.mattosfilho.com.br/en/unico/brazil-data-transfer-regulations/
[10] https://www.fisherphillips.com/en/news-insights/brazils-new-international-data-transfer-rules.html
[11] https://www.truendo.com/blog/navigating-brazils-lgpd-amendments-key-changes-and-implications-for-2024
[12] https://iapp.org/news/a/lessons-from-brazilian-dpa-sanctions-to-date
[13] https://www.insideprivacy.com/data-transfers/brazil-issues-new-regulation-on-international-data-transfers/
[14] https://resourcehub.bakermckenzie.com/en/resources/global-data-privacy-and-cybersecurity-handbook/latin-america/brazil/topics/penalties-for-non-compliance
[15] https://www.privacyworld.blog/2024/08/new-anpd-resolution-on-the-statute-of-data-protection-officers-in-brazil/
[16] https://www.americanbar.org/groups/business_law/resources/business-law-today/2020-may/brazil-passes-landmark-privacy-law/
[17] https://www.dlapiperdataprotection.com/index.html?c=BR&t=law
[18] https://www.hoganlovells.com/en/publications/brazil-bill-proposes-to-amend-the-lgpd-and-increase-monetary-penalties-for-violations
[19] https://www.breachrx.com/global-regulations-data-privacy-laws/lgpd/