On July 6, 2023, Brazil's primary data protection authority, the National Data Protection Authority (ANPD), issued its first regulatory sanction against an organization (Telekall Infoservice) for failing to comply with the General Personal Data Protection Act (LGPD).
Telekall Infoservice, a telecommunications company, found itself subject to regulatory fines prescribed by the LGPD for non-compliance nearly three years after the law first went into effect in September 2020.
Furthermore, the ANPD has escalated its enforcement actions, highlighting Meta's alleged non-compliance with LGPD regulatory requirements through its Threads platform with a detailed analysis of its data processing activities already underway.
Hence, understanding the alleged violations of these two platforms can help organizations working in Brazil ensure compliance in their data processing activities.
The Telekall Infoservice Case
The Alleged Violation/Non-Compliance
The Telekall Infoservice case is historic. It represents the first-ever sanctions imposed by the ANPD under the LGPD. The company is accused of violating Articles 5, 7, and 41 of the LGPD.
Article 5 contains a detailed list of definitions. Article 7 states the legal basis for the processing of personal data.
Article 41 requires the controllers to appoint an officer in charge of their personal data processing activities. Such personnel's contact details and identity must be publicly disclosed on the controller’s website.
The initial investigation into Telekall Infoservice's non-compliance began in March 2022, after it came to light that Telekall Infoservice had not appointed a data protection officer and had proceeded to process user data without their express consent.
In the official press release issued jointly by the Ministry of Justice and Public Security, the ANPD, and the General Coordination of Supervision (CGF), Telekall Infoservice is issued both a warning and a fine.
Potential Penalties
The mechanisms around the fine are a bit complicated.
The official amount levied is R$ 7,200 ($1,450) for violating Article 5 and R$ 7,200 ($1,450) for violating Article 7. For violating Article 41, it has received a warning without imposing corrective measures.
However, suppose Telekall Infoservice can resolve the violations as per the provisions of Article 18 of the LGPD and renounce the right to appeal the decision. In that case, the company will be entitled to a 25% reduction in the total fine applied.
Telekall Infoservice will have ten (10) working days to comply with the decision or launch an official appeal and twenty (20) working days to pay the fine. This period will begin as soon as Telekall Infoservice has received official knowledge of the sanctions.
If Telekall Infoservice fails to comply with the abovementioned sanctions, its case will be forwarded to the Specialized Federal Prosecutor’s Office (PFE). The PFE will then initiate their own sanctions and fines per the Informative Register of Unpaid Credits of the Federal Public Sector (Cadin) and in the Active Debt of the Union.
The Threads Case
The Alleged Violation/Non-Compliance
In July 2023, the ANPD announced that it had begun analyzing Meta's sensitive and personal data processing activities on its Threads platform.
Furthermore, a preliminary study has already been conducted by the General Coordination of Technology and Research (CGTP). This initial study will help the ANPD gain a basic understanding of Thread’s data collection practices before it starts its comprehensive analysis.
The announcement came after several privacy and data protection experts within the country, raised objectives over Meta's disproportionate data collection practices and lack of transparency around the purpose of such data collection.
Additionally, users are required to consent to the collection of sensitive information such as their health-related data, financial data, and online purchasing history.
The ANPD's analysis primarily determines whether it should recommend a supervisory process to the General Coordination of Supervision (CGF).
Potential Penalties
Meta's potential fines and penalties will be clarified once the ANPD concludes its analysis and decides whether to forward the case to the CGF. At that point, Meta's exact violations of the LGPD will become clear, allowing for a better estimate of the potential fines it may face if found guilty of the alleged violations.
How Can Securiti Help
With the ANPD escalating its supervision of LGPD compliance, it has become critically important for organizations to adopt a proactive approach to their compliance efforts.
Automation offers organizations the chance to do so both effectively and efficiently.
Securiti's Privacycenter.cloud solution enables organizations to adopt a dynamic and automated approach towards their LGPD compliance efforts related to data privacy, security, and governance.
With its easy-to-use interface and a centralized dashboard, the Privacycenter.cloud solution offers organizations the chance to implement changes in real-time in addition to monitoring compliance efforts across multiple domains.
Additionally, in-built data mapping assessment enables organizations to identify risky processes when data has been collected or retained without consent, allowing you to take corrective actions and avoid non-compliance with LGPD provisions.
Request a demo today and learn how Securiti can help your organization better comply with LGPD regulations.