I. Introduction to the Brazilian Data Protection Regime and Regulatory Nexus
A. Contextual Background of LGPD (Law No. 13.709/2018)
The Lei Geral de Proteção de Dados Pessoais (LGPD), enacted as Law No. 13.709/2018, represents the establishment of a comprehensive legal framework governing the processing of personal data within Brazil. Its core mandate is the protection of fundamental rights, specifically the freedoms, privacy, and the free development of the personality of natural persons [1]. Modeled conceptually after international precedents, particularly the European General Data Protection Regulation (GDPR), the LGPD established rigorous standards for any entity—public or private—that handles personal data concerning individuals located in Brazil or that uses data collected within the Brazilian territory [2].
The efficacy of the LGPD rests on key pillars, including the principle of transparency (facilitated access to clear, adequate information about processing), purpose limitation (data must be processed for explicit, legitimate purposes), necessity (processing must be relevant and proportionate to the stated purpose), and free access (data subjects must be able to exercise their rights unencumbered and free of charge) [3, 4].
While the LGPD was promulgated in 2018, its substantive rules became effective in September 2020 [5]. This period of implementation was characterized by institutional delay and initial regulatory uncertainty. The immediate effectiveness of the law, hastened by legislative decisions that rejected attempts to postpone its commencement, placed the framework into force before its institutional cornerstone—the enforcement body—was fully operational [6, 7]. This rapid entry into force created a period where rights were enforceable, but the centralized administrative enforcement mechanism was structurally deficient.
B. Clarification of the 2020 Regulatory Environment: Analyzing Decrees 10.467/2020 and 10.474/2020
This analysis specifically addresses Decree 10.467/2020. A critical analytical distinction must be drawn between this decree and Decree 10.474/2020, as the latter constitutes the true regulatory nexus for the institutionalization of the LGPD.
The Specific Nature of D-10.467/2020
Decree 10.467/2020, dated August 18, 2020, had a highly specific and narrow object: the qualification of the public service of fixed-quota betting lotteries (instituted by Law 13.756/2018) for inclusion in the Investment Partnerships Program (PPI) and the National Privatization Program (PND) [8, 9]. This decree focused entirely on economic policy—desestatização—and administrative management, designating the National Bank for Economic and Social Development (BNDES) and the Ministry of Economy to manage the privatization process [8]. Consequently, its relationship to the LGPD is indirect. Compliance with data protection standards would be a mandatory requirement for the future private sector entities operating this newly concessioned public service, but the decree itself did not regulate the LGPD or the ANPD. It is further noted that Decree 10.467/2020 is no longer in force, having been revoked by Decree No. 11.935, of 2024 [9].
The Foundational Nature of D-10.474/2020
In contrast, Decree 10.474/2020, published shortly after D-10.467/2020 on August 27, 2020, was the foundational instrument concerning LGPD institutionalization [10, 11]. This decree approved the essential structure for the Autoridade Nacional de Proteção de Dados (ANPD), including its Regimental Structure and the framework for commissioned positions and functions of confidence [12].
The timing of this decree, following the legislative rejection of Provisional Measure (MP) 959/2020 (which sought to delay the LGPD's entry into force), indicates a governmental response to a rapidly approaching regulatory reality [1, 6]. The simultaneous publication of the law's effectiveness and the ANPD's organizational chart reflected an immediate, though rushed, attempt to establish institutional oversight. However, the subsequent delay in the ANPD's operationalization, contingent upon the presidential appointment and Senate confirmation of its Director-President [6], resulted in a critical period where the law was effective but lacked its central enforcement and regulatory body [7]. This initial structural deficit underscored the reliance on judicial recourse and existing sectoral regulators for compliance enforcement in the first years of the LGPD.
Table 1 provides a functional comparison of these critical 2020 normative acts.
Table 1: Comparison of Key 2020 Brazilian Federal Decrees and the LGPD
| Regulation | Type and Number | Primary Subject | Relationship to LGPD Implementation |
| --- | --- | --- | --- |
| LGPD | Law No. 13.709/2018 | Establishes comprehensive personal data protection rights and obligations. | Core legislation; source of all rights and administrative sanctions. |
| Privatization Decree | Decree 10.467/2020 | Qualification of fixed-quota lottery services for privatization (PND/PPI). | Indirect: mandated LGPD compliance for the privatized entity's data processing. (Revoked) [8, 9] |
| ANPD Structure Decree | Decree 10.474/2020 | Approves the Regimental Structure and staffing of the ANPD. | Direct: created the institutional body responsible for enforcing and regulating the LGPD [10, 12]. |
II. The Foundational Provisions of the Lei Geral de Proteção de Dados (LGPD)
To understand the scope of the ANPD's regulatory efforts, particularly under Decree 10.474/2020, an overview of the LGPD's foundational elements is essential.
A. Definitions of Personal Data and Processing Agents
The LGPD defines Personal Data broadly as information linked to a natural person that can identify them [13]. A subset of this, Sensitive Personal Data, receives heightened protection due to its potential for discrimination. This category includes data related to racial or ethnic origin, religious beliefs, political opinion, trade union affiliation, membership in religious, philosophical, or political organizations, health or sex life data, and genetic or biometric data [13].
Processing is comprehensively defined to include "any operation carried out with personal data." This sweeping definition captures the entire data lifecycle, encompassing collection, production, receipt, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, deletion, modification, communication, transfer, dissemination, and extraction [13].
The law assigns distinct roles and responsibilities to the processing agents:
1. Controller: The natural or legal person (public or private) responsible for making decisions regarding the processing of personal data [14].
2. Operator: The natural or legal person that processes personal data on behalf of the Controller [13].
Controllers and Operators are collectively known as Processing Agents [13].
B. Core Principles and Rights of Data Subjects (Titulares)
All processing agents must adhere to the guiding principles of the LGPD [4]. These include Finalidade (Purpose), Adequação (Adequacy), Necessidade (Necessity/Minimalism), Transparência (Transparency), and Livre Acesso (Free Access) [3, 4].
The LGPD grants Data Subjects (Titulares) extensive rights designed to ensure autonomy and control over their personal information. The right to transparency and access is fundamental, requiring that information about data processing be made available in a clear, adequate, and conspicuous manner, including the specific purpose of the processing. This access must be provided unencumbered and free of charge [3].
Specific rights granted to data subjects include:
● The right to confirm the existence of data processing [14, 15].
● The right to access their personal data, including requesting a legible copy in printed or electronic format [14, 15].
● The ability to correct, edit, or update incomplete, inaccurate, or outdated data [14].
● The capacity to limit unnecessary, excessive, or non-compliant processing through anonymization, blocking, or elimination [14, 15].
● The power to revoke consent, which subsequently allows the data subject to request the elimination of data processed solely under that legal basis [14, 15].
● The right to receive information regarding public and private entities with which the Controller has shared their data [15].
● The right to request a review of decisions made exclusively based on automated data processing that affects their interests, such as profiling, consumer assessments, and credit scoring [2].
This final provision, concerning the right to review automated decisions, imposes a significant operational burden on Controllers. By granting individuals the right to scrutinize algorithmic decisions that determine their profile or access to services, the LGPD effectively compels organizations to adopt principles of explainable artificial intelligence (XAI). Controllers must implement robust data logging and transparency mechanisms sufficient to articulate the logic and rationale behind these complex algorithmic outcomes, positioning the LGPD at the forefront of regulating the ethical and fair use of automated systems.
Table 2: Key Data Subject Rights under LGPD (Articles 18-20)
| Right of the Data Subject (Titular) | Description (Actionable Item) | Relevant LGPD Provision |
| --- | --- | --- |
| Confirmation and Access | Confirm the existence of processing and access data in a legible format, free of charge. | Art. 18, I and II [3, 14, 15] |
| Correction | Request editing, correction, or updating of incomplete, inexact, or outdated data. | Art. 18, III [14, 15] |
| Limitation/Anonymization | Request data blocking, elimination, or anonymization if data is unnecessary, excessive, or non-compliant. | Art. 18, IV [14, 15] |
| Revocation of Consent | Withdraw consent at any time, leading to the potential elimination of processed data. | Art. 8, § 5º and Art. 18, IX [14, 15] |
| Shared Use Information | Right to information on public and private entities with which the Controller shared data. | Art. 18, VII [15] |
| Review of Automated Decision | Right to request review of decisions based solely on automated processing (e.g., profiling/credit). | Art. 20 [2] |
C. Legal Bases for Processing and Exceptions
Data processing under the LGPD is only legitimate if performed under one of the ten defined legal bases [4]. Consent remains a paramount legal basis, requiring that it be explicit, informed, and unambiguous. Controllers must implement robust consent mechanisms that use clear language and provide individuals with easy options to change or withdraw their consent [13].
However, processing may also be justified by other key bases, including the fulfillment of a legal or regulatory obligation, the execution of public policies, or the legitimate interest of the controller [4].
It is crucial to recognize that adherence to the core principles of the LGPD is mandatory, even when a valid legal basis is present. For instance, even if processing relies on legitimate interest, if the activity fails the test of necessity (e.g., if the Controller collects data that is unnecessary or excessive for the stated purpose), it still constitutes a violation of the law [4, 15]. Compliance is thus demonstrated not merely by checking a legal basis box, but by consistently proving the proportionality and minimization of data handling throughout the processing lifecycle.
The LGPD does include exceptions to its applicability: the law does not apply if the processing is carried out by a natural person solely and exclusively for private, non-commercial purposes [3]. Furthermore, the processing of children's data is heavily restricted; exceptions to the consent requirement only apply if the processing is necessary to contact parents/legal guardians or to protect the child. Such data must be used once, not stored, and not shared with third parties without specific consent [3].
III. Analysis of Decree 10.467/2020: Desestatização and Data Privacy Intersections
A. Primary Object and Purpose: Qualification of Fixed-Quota Betting Lotteries
Decree 10.467/2020 served primarily as an instrument of economic policy. Signed on August 18, 2020, its specific mandate was to qualify the public service of fixed-quota lottery betting for inclusion in the National Privatization Program (PND) and the Investment Partnerships Program (PPI) [8, 9]. The goal was to prepare this sector for private-sector operation via concession or permission [9]. The decree explicitly designated the National Bank for Economic and Social Development (BNDES) for the execution and follow-up of this privatization process, under the coordination and monitoring of the Ministry of Economy [8].
B. The Indirect Relationship to LGPD: Obligations of Future Private Operators
Although Decree 10.467/2020 did not contain provisions explicitly regulating the ANPD or data protection, the privatization process it mandated inherently created a nexus with the LGPD. The operation of any lottery service, especially modern fixed-quota betting platforms, requires the processing of vast amounts of personal and financial data. The future concessionaire or private operator, upon taking over the public service, assumes the role of a Controller or a joint Processing Agent [13, 14].
The LGPD's pervasiveness meant that the administrative and legal documents governing the desestatização—including necessary studies, projects, and contracts—had to fully incorporate mandatory LGPD compliance standards [4, 5]. Data protection thus became a material condition and a factor in assessing the economic and operational risk of the concession. This decree illustrates how LGPD compliance transitioned from a general, horizontal legal obligation to a specific, vertical requirement embedded in major government economic transactions. Data protection adherence, including rigorous security measures and respect for data subject rights, became inextricably linked to the economic viability and contractual success of the privatization initiative [9].
C. Legal Status and Revocation of D-10.467/2020
The institutional relevance of Decree 10.467/2020 to contemporary LGPD enforcement is limited by its subsequent revocation. The decree was revoked by Decree No. 11.935, of 2024 [8, 9]. While the privatization object remains relevant, the specific administrative act of 2020 is no longer legally in force.
IV. Decree 10.474/2020: Establishing the Autoridade Nacional de Proteção de Dados (ANPD)
The true regulatory cornerstone for the LGPD's institutional framework is Decree 10.474/2020, which formally established the administrative body tasked with interpreting and enforcing the law.
A. Legislative Mandate and Institutionalization Timing
Decree 10.474/2020 was published on August 27, 2020, immediately following the Senate's approval of MP 959/2020 without the provision that would have delayed the LGPD's main enforcement articles [1, 6]. The decree thus affirmed the government's intention to rapidly institutionalize the ANPD to avoid a complete regulatory vacuum.
The Decree approved the Regimental Structure and the detailed framework for commissioned positions (DAS) and functions of confidence (FCPE) necessary for the Authority's immediate staffing [10, 11, 12]. However, the decree included a critical provision: it would only enter into force upon the publication of the appointment of the ANPD's Director-President in the Official Gazette [10]. This created significant delays in the Authority's functional operational capacity, as the appointment required time-consuming processes, including Senate confirmations that were hindered by the pandemic [6]. The result was a formal institutional establishment on paper that masked a functional delay, forcing the ANPD to prioritize guidance, orientation, and public consultation over immediate enforcement in its nascent period [7].
B. The ANPD's Status and Corporate Bodies
Decree 10.474/2020 established the ANPD as an organ of the direct federal public administration, initially integrated into the Presidency of the Republic, possessing technical and decisional autonomy and nationwide jurisdiction, headquartered in the Federal District [1]. The Authority's mission is to safeguard the fundamental rights of freedom and privacy as set forth in the LGPD [1].
The governing structure is composed of key corporate bodies:
1. Board of Directors (Conselho Diretor): This is the highest governing body, consisting of five Directors, including the Director-President, responsible for institutional representation and management [11, 16].
2. Regulatory Restrictions: Strict rules apply to the Board members, prohibiting the use of privileged information obtained from their positions and preventing them from having a "significant interest" (direct or indirect) in companies that process personal data, subject to further ANPD regulation [11].
3. National Council for the Protection of Personal Data and Privacy (CNPD): Established as an advisory body to liaise with various sectors of society [11, 17].
The structure defined by D-10.474/2020 has been subject to continuous refinement. Subsequent decrees (D-10.975/2022, D-11.202/2022, and D-11.758/2023) have altered the structure, most recently adjusting the composition and selection processes of the CNPD [12, 17, 18]. This legislative evolution reflects an important trend toward structural autonomy, moving the ANPD away from its initial position within the Presidency toward an increasingly independent and technically robust regulatory agency, essential for establishing global credibility and regulatory stability.
C. Competencies and Regulatory Powers of the ANPD
The Decree cemented the ANPD's role as the central interpretation and guidance authority for the LGPD. Its comprehensive competencies, defined by the LGPD and articulated in Decree 10.474/2020, cover enforcement, guidance, and regulation [19].
Key regulatory and normative powers granted to the ANPD include:
● Elaborating guidelines for the National Policy on Personal Data Protection [1].
● Providing technical standards and issuing specific norms, such as those governing data sharing (especially in the public sector) [4].
● Regulating the forms of publicizing processing operations while respecting commercial and industrial secrets (a key component of the LGPD's transparency principle) [20].
● Publishing standards and techniques for data anonymization and verifying the security of these techniques, thereby promoting innovation while ensuring privacy [20].
● Issuing norms to define simplified requirements for compliance for microenterprises, small entities, and startups [21].
Furthermore, the Decree reinforced the ANPD's primary role in inspection (fiscalização) and sanctioning, empowering the Authority to oversee compliance, conduct inspections, and apply administrative sanctions against processing agents that fail to adhere to the legislation, all subject to a formal administrative process ensuring the right to defense [1, 22].
V. The LGPD Enforcement Mechanism: Sanctions and Dosimetry
The LGPD enforcement mechanism reached full maturity only after the ANPD, acting under the institutional structure provided by D-10.474/2020, exercised its regulatory competence to define the methodology for applying penalties.
A. Administrative Penalties Defined in LGPD Article 52
LGPD Article 52 defines the list of administrative penalties applicable to processing agents for infringements. These sanctions are to be applied gradually, individually, or cumulatively, following an administrative procedure that provides for the opportunity of ample defense [22].
The sanctions include both financial and operational penalties:
● Advertência (Warning): Requires mandatory corrective measures to be adopted by the agent [23].
● Multa Simples (Simple Fine): Up to 2% of the legal entity's revenue in Brazil for the preceding fiscal year, capped at R$50 million per infraction [24, 25].
● Multa Diária (Daily Fine): A fine levied daily until compliance is achieved, also subject to the R$50 million total limit per infraction [24].
● Non-Financial Penalties: These include the publication of the infraction, blocking or elimination of personal data related to the irregularity, suspension (partial or total) of the database operation, and, most severely, the partial or total prohibition of data processing activities [22, 24].
It is stipulated that all funds generated from these administrative fines are allocated to the Fund for the Defense of Diffuse Rights (Fundo de Defesa de Direitos Difusos) [24]. Importantly, the imposition of ANPD administrative sanctions does not preclude the application of civil or penal sanctions defined in other specific legislation, such as consumer protection law [22, 26].
B. The Role of Resolution CD/ANPD No. 4/2023: Establishing Dosimetry
The true enforcement risk under the LGPD only became tangible with the publication of Resolution CD/ANPD No. 4/2023 in February 2023, which approved the Regulamento de Dosimetria e Aplicação de Sanções Administrativas [24, 27, 28]. Prior to this resolution, enforcement operated under a "soft compliance" regime, focusing largely on guidance. The Dosimetry Regulation signaled a definitive shift to "hard compliance," where the financial and operational threat of sanctions became measurable.
This resolution established the criteria necessary for applying penalties with transparency and justice [28, 29]. Infractions are classified based on their gravity, nature, and the degree of rights affected, into categories of light, medium, or grave [30].
The methodology for calculating financial penalties (Multa Simples) is detailed. It starts with a base value (valor-base) derived from the infraction classification, the infringer's annual revenue (faturamento), and the perceived degree of damage. This value is then adjusted through the application of aggravating and attenuating factors [29, 30].
Table 3: Administrative Sanctions under LGPD (Art. 52) and Dosimetry Framework
| Sanction Type | LGPD Limit / Provision | Implementation Context (Resolution 4/2023) |
| --- | --- | --- |
| Warning (Advertência) | Imposition with indication of mandatory corrective measures. | Applied for minor infractions, prioritizing corrective guidance [23]. |
| Simple Fine (Multa Simples) | Up to 2% of the legal entity's revenue in Brazil (limit R$ 50 million per infraction). | Calculated based on infraction gravity, economic capacity, and aggravating/attenuating factors [24, 25, 30]. |
| Daily Fine (Multa Diária) | Subject to the R$ 50 million total limit per infraction. | Applied for persistent non-compliance following initial warnings or directives [24]. |
| Publicity of Infraction | Publicizing the infraction after substantiation. | Serves as a reputational damage tool, listed as a primary sanction [25]. |
| Blocking/Elimination | Blocking or elimination of personal data related to the irregularity. | Severe measure directly impacting the data lifecycle and business operations [22]. |
| Prohibitive Measures | Partial or total prohibition of activities related to data processing. | The most severe sanction, potentially suspending all relevant business activities [22]. |
C. Criteria for Application and Nuances in Enforcement
Resolution 4/2023 mandates that sanctions be applied proportionally, considering a comprehensive set of parameters. These include the severity of the violation, the good faith and economic condition of the infringer, the advantage gained or intended, and any specific or generic recidivism [30].
Crucially, the regulation establishes that the adoption of internal governance policies, compliance mechanisms, and prompt corrective measures are key attenuating factors [30]. This means that robust compliance programs are not merely mechanisms for breach avoidance, but are essential components for managing post-incident regulatory liability and mitigating the ultimate fine calculation. The defined criteria thus function as an explicit roadmap for risk management and compliance diligence.
Furthermore, the ANPD is required to engage in sectoral coordination. In cases involving highly regulated sectors, the ANPD must notify the principal sectoral regulator (e.g., in finance or energy) regarding the infraction. This collaborative approach is intended to prevent the occurrence of bis in idem, ensuring that a single incident does not lead to cumulative administrative punishment under both the LGPD and specific sectoral laws [7, 26].
VI. Practical Implications for Compliance Agents
The regulatory framework resulting from the LGPD, structurally supported by Decree 10.474/2020 and operationalized by subsequent resolutions, has profound implications for compliance agents across all organizational sizes.
A. Simplified Procedures for Small-Scale Processing Agents (Agentes de Pequeno Porte)
Recognizing the disproportionate burden strict compliance requirements can place on smaller entities, the ANPD published Resolution No. 02/2022. This regulation introduced measures to relax LGPD application for agentes de tratamento de pequeno porte (small processing agents), which include microenterprises (ME), small enterprises (EPP), startups, non-profit organizations, and specific natural persons [21]. The resolution allows for simplified procedures and differentiated compliance deadlines [21].
However, the application of these simplifications is subject to a fundamental risk-based assessment. Flexibility is explicitly denied if the data processing is deemed to be of high risk to the data subjects or involves large-scale data processing [21, 31]. This demonstrates that the LGPD framework is fundamentally risk-centric: the severity or volume of data processed supersedes the organization's size or revenue as the primary determinant of regulatory stringency. Consequently, small entities must still conduct a comprehensive internal risk assessment; if their activities involve sensitive data or large volumes, they must adhere to the full general requirements of the LGPD, regardless of their designation as a small enterprise.
This regulatory extension has led to legal debate regarding the scope of the ANPD's legislative authority (Art. 55-J, XVIII). Critics argue that while the ANPD can simplify procedures, it cannot diminish the foundational rights of the data subjects (titulares), nor should it extend flexibility to certain entities not explicitly defined in the law without robust justification [31].
B. Requirement for Governance and Impact Assessments
The enforcement structure established by Decree 10.474/2020 solidifies key governance requirements mandated by the LGPD.
1. DPO Appointment: The appointment of the Data Protection Officer (Encarregado de Dados) is a mandatory institutional element, serving as the critical point of communication between the Controller, the data subjects, and the ANPD [16, 19].
2. Data Protection Impact Assessments (RIPD): The LGPD requires Controllers to maintain robust governance measures to mitigate risks. The ANPD is empowered to request public sector agents to publish Data Protection Impact Assessments (RIPD) [5]. These assessments are vital tools for demonstrating adherence to proportionality and necessity principles before initiating high-risk processing activities.
3. Ongoing Regulatory Engagement: Given the ANPD's active regulatory function (as initially structured by D-10.474/2020), compliance is not a static state. The Authority continues to issue specific normative acts—including those pertaining to technical standards like anonymization and the transfer of data—requiring compliance agents to continuously monitor and participate in the ANPD's regulatory agenda, often conducted through public consultations and hearings [20, 32].
VII. Conclusion
The analysis of the relationship between Decree 10.467/2020 and the Lei Geral de Proteção de Dados (LGPD) reveals a complex administrative landscape in Brazil's regulatory history. Decree 10.467/2020 played a narrow, indirect role, serving as an economic policy measure (lottery privatization) that subsequently mandated LGPD compliance for the contracted private sector entity. Its contemporary relevance is diminished by its 2024 revocation.
The functional implementation of the LGPD, however, is fundamentally intertwined with Decree 10.474/2020. This decree created the foundational administrative structure of the Autoridade Nacional de Proteção de Dados (ANPD), granting it the autonomy and competence necessary to act as the central interpreter and enforcer of the law. While D-10.474/2020 initially led to a paradoxical situation where the law was effective but the ANPD was not fully operational due to political contingencies, subsequent regulatory actions have closed this gap.
The current enforcement environment has transitioned from guiding principles to measurable, tangible administrative risk. The publication of Resolution CD/ANPD No. 4/2023 (Dosimetry Regulation) completed the enforcement framework of LGPD Article 52. This resolution mandates a rigorous, criteria-based methodology for applying sanctions, including fines up to R$50 million and the prohibition of data processing activities. Crucially, the detailed criteria for mitigation within the Dosimetry Regulation confirm that compliance is a dynamic state where comprehensive internal governance, prompt corrective actions, and demonstrated proportionality are essential not only for avoiding infractions but also for minimizing liability exposure when a breach occurs.