Real-World Examples of LGPD Fines and Enforcement Actions in Brazil

Brazil’s Lei Geral de Proteção de Dados (LGPD) has seen increased enforcement since its penalties took effect in August 2021. Below are key cases and fines imposed by the Brazilian National Data Protection Authority (ANPD), illustrating how the law is applied across sectors and organization sizes.

1. Telekall Infoservice (2023): First LGPD Fine

  • Violations:
    • Processed personal data without a lawful basis.
    • Failed to appoint a Data Protection Officer (DPO).
    • Obstructed ANPD investigations.
  • Penalties:
    • BRL 14,400 (~$2,960) in fines (2% of annual revenue, capped for small businesses).
    • Mandatory appointment of a DPO within 30 days.
  • Significance: Marked the ANPD’s first enforcement action, targeting a micro-company to signal that compliance applies to all businesses[1][2][6].

2. IAMSPE (2023): Public Sector Accountability

  • Violations:
    • Delayed breach notification by three months for a cyberattack exposing 1.5 million civil servants’ data.
    • Inadequate security controls (e.g., API vulnerabilities).
  • Penalties:
    • Corrective orders: Update breach notifications and submit a compliance report within one year.
    • No fines, as LGPD prohibits monetary penalties for public entities[11].

3. Meta Platforms (2024): AI Training Ban

  • Violation: Used personal data from Facebook/Instagram posts to train generative AI models without valid consent.
  • Penalty:
    • Operational ban: Suspended data processing for AI training until compliance.
    • Daily fine: Threatened penalty of BRL 50,000 (~$10,000) per day for non-compliance[5][9].

4. National Social Security Institute (2024)

  • Violation: Exposed sensitive pensioner data due to insufficient encryption and access controls.
  • Penalties:
    • Public disclosure of the breach.
    • Mandatory implementation of ISO 27001 cybersecurity certification[5].

5. Santa Catarina State Health Department (2023)

  • Violations:
    • Failed to notify a breach promptly.
    • Lacked a data protection impact assessment.
    • Ignored ANPD information requests.
  • Penalties:
    • Four warnings and corrective measures, including breach notifications and security upgrades[11].

6. Healthcare Sector Audit (2024)

  • Findings: 40% of audited hospitals lacked encryption or breach response plans.
  • Penalties:
    • Total fines of BRL 12 million (~$2.4 million) across 15 institutions.
    • Mandatory annual penetration testing and staff training[5].

7. Clearview AI (2024)

  • Violation: Scraped facial images from Brazilian social media without consent.
  • Penalty:
    • BRL 9 million (~$1.8 million) fine, aligning with EU GDPR standards[5].

Penalty Types Under LGPD

Sanction                 Description                                              Example Case
Simple Fines             Up to 2% of Brazilian revenue (max BRL 50 million)       Telekall, Healthcare Audit
Daily Fines              Accumulate until compliance (capped at BRL 50 million)   Meta’s AI training ban
Public Disclosure        Breach details published by ANPD                         National Social Security
Data Deletion/Blocking   Mandatory removal of improperly collected data           Meta
Activity Suspension      Partial/total ban on processing                          Meta

  1. Small Businesses: The ANPD enforces LGPD regardless of company size, as seen in Telekall’s case[1][4].
  2. Public Sector Scrutiny: Entities like IAMSPE face corrective orders despite immunity from fines[11].
  3. AI and Biometrics: High-profile cases (e.g., Meta, Clearview AI) target emerging tech risks[5][9].
  4. Healthcare Focus: Mandatory encryption and breach drills are now enforced sector-wide[5][11].

Compliance Recommendations

  • Appoint a DPO: Required for most organizations under ANPD Resolution No. 18 (2024)[5].
  • Conduct Breach Drills: Simulate responses to meet the 72-hour notification rule.
  • Audit Third Parties: Ensure vendors comply with LGPD’s strict data transfer rules.

Conclusion

The ANPD has imposed over BRL 98 million (~$20 million) in fines since 2023, prioritizing transparency, AI ethics, and public sector accountability. As ANPD Director Waldemar Gonçalves stated: “LGPD compliance isn’t optional—it’s a fundamental pillar of trust in Brazil’s digital economy.” Companies must adopt proactive measures to avoid operational bans and reputational damage.


Citations:
[1] https://www.globalcompliancenews.com/2023/07/19/https-insightplus-bakermckenzie-com-bm-intellectual-property-brazil-first-sanction-for-non-compliance-with-the-general-data-protection-law-lgpd-is-issued-by-the-data-protection-authority_07172023/
[2] https://www.littler.com/publication-press/publication/brazil-data-protection-agency-anpd-issues-its-first-sanction-against
[3] https://insights.manageengine.com/privacy-compliance/demystifying-lgpd-brazils-data-protection-regulations/
[4] https://www.forbes.com/sites/angelicamarideoliveira/2023/07/11/brazil-issues-first-fine-for-data-protection-breach/
[5] https://www.jonesday.com/-/media/files/publications/2024/09/brazil-amps-up-enforcement-of-data-protection-law/files/brazil-amps-up-enforcement-of-data-protection-law/fileattachment/brazil-amps-up-enforcement-of-data-protection-law.pdf?rev=a8617d4aad5b403fb2b4bbf95aaddcac
[6] https://www.privacyrules.com/brazilian-anpd-first-fine-for-violation-of-the-lgpd/
[7] https://natlawreview.com/article/brazil-s-lgpd-takes-effect-early-enforcement
[8] https://goadopt.io/en/blog/fines-in-LGPD/
[9] https://iapp.org/news/a/lessons-from-brazilian-dpa-sanctions-to-date
[10] https://www.clearycyberwatch.com/2023/06/recent-developments-in-data-privacy-enforcement-in-brazil-and-a-comparison-with-the-u-s-regime/
[11] https://www.cookieyes.com/blog/lgpd-fines/
[12] https://www.americanbar.org/groups/business_law/resources/business-law-today/2020-may/brazil-passes-landmark-privacy-law/
[13] https://iapp.org/news/a/top-5-operational-impacts-of-brazils-lgpd-part-5-enforcement-mechanisms-and-sanctions
[14] https://www.osano.com/articles/brazil-lgpd
[15] https://iclg.com/practice-areas/data-protection-laws-and-regulations/brazil
[16] https://resourcehub.bakermckenzie.com/en/resources/global-data-privacy-and-cybersecurity-handbook/latin-america/brazil/topics/regulators-and-enforcement-priorities
[17] https://www.onetrust.com/blog/what-is-the-brazil-general-data-protection-law-lgpd/
[18] https://www.dlapiperdataprotection.com/index.html?c=BR&t=law
[19] https://www.fisherphillips.com/en/news-insights/brazil-publishes-data-protection-sanctions.html
[20] https://usercentrics.com/knowledge-hub/brazil-lgpd-general-data-protection-law-overview/