None. There is no agency in Brazil specialized in verifying compliance with data protection rules. However, the new government may propose this year a bill of law that will deal specifically with data protection and its compliance in Brazil.
Individuals can bring claims for actual as well as moral damages. In case of violation of data protection rules established in the Internet Legal Framework, civil sanctions can vary from: (a) warnings, (b) fines in the amount of up to 10% of the economic group’s (to which the company that has violated the rule belongs to) revenues in Brazil in the last year, (c) temporary suspension of data collection activities or (d) prohibition of data collection activities. Please see below in general comments for more detailed information on the Internet Legal Framework. As such Law has been recently enacted, some provisions are yet to be regulated by the government. Besides, a violation of any data protection rule established in the Consumer Defense Code, as further explained below, can be penalized with fines up to R$ 6.000.000. Such penalties may be imposed by specialized agencies entitled to “defend” consumers’ rights broadly (“PROCONs”) or the Consumer District Attorney’s Office. Administrative procedures as such have been conducted by authorities, but in a confidential basis which prevent us from having further details about them.
Potential criminal liability for unauthorized interceptions of electronic communications (subject to imprisonment from 2 to 4 years, plus fines) and other specific matters. In addition, depending on the nature of the data (e.g. banking, tax), unauthorized access or breaches also constitute a crime (subject to imprisonment from 1 to 4 years, plus fines). There is also criminal liability for accessing computer devices to obtain information without the computer owner’s authorization (subject to imprisonment from 3 months to 1 year, plus fines, and such penalty might be increased up to 1/3 if the breach caused economic damage). The penalty shall be increased if the information obtained consists of private electronic communications, confidential information or trade secrets (subject to imprisonment from 6 months to 2 years, plus a fine if no greater offence was committed). If a greater offence was committed, e.g. if confidential information is obtained by breaching a computer device and a fraud is committed by using such information, such individual shall be subject to imprisonment from 1 to 5 years, plus fine (which is the penalty applicable for fraud) instead of imprisonment from 6 months to 2 years, plus fine. Please note that, in this event, the penalty for fraud shall not complement the penalty for obtaining private electronic communications, confidential information or trade secrets by breaching computer devices, but will rather replace it.
Selected Enforcement Actions / General Comments