Private civil liability and damages — Articles 42–44 LGPD
Brazil's Lei Geral de Proteção de Dados Pessoais (LGPD) creates a direct private right of action for data subjects to sue controllers and processors in civil court for damages caused by unlawful processing. This enforcement pathway operates independently of ANPD's administrative sanctioning power under Article 52, and is the primary mechanism Brazilian data subjects have used to seek compensation for data breaches and privacy violations.
Strict liability standard — Article 42. Article 42 of the LGPD establishes that a controller or processor that, when performing personal-data-processing activities, causes pecuniary, moral, individual, or collective damage to others in violation of data-protection legislation shall be required to compensate for such damage. The statute does not require proof of fault or negligence; liability arises from the violation itself and the resulting damage. The language "dano patrimonial, moral, individual ou coletivo" encompasses both economic loss (lost wages, identity-theft costs, credit-monitoring expenses) and non-economic harm (emotional distress, reputational injury, loss of privacy itself), and permits both individual and collective claims.
Joint and several liability — Article 42, § 1. To ensure effective compensation to data subjects, Article 42, § 1 imposes joint and several liability in two scenarios. First, a processor is jointly liable for damages caused by processing when it (i) fails to comply with LGPD obligations or (ii) does not follow lawful instructions from the controller, in which case the processor is deemed equivalent to a controller. Second, multiple controllers directly involved in the same processing activity that caused damage to the data subject are jointly liable. In both cases, liability is subject to the exclusion defenses in Article 43.
Defenses — Article 43. Processing agents (controllers and processors, collectively) will not be held liable if they prove any one of three defenses: (i) they did not perform the personal-data processing attributed to them; (ii) although they performed the processing attributed to them, there was no violation of data-protection legislation; or (iii) the damage resulted from the exclusive fault of the data subject or a third party. The burden of proof lies with the processing agent; the plaintiff data subject need only demonstrate the processing, the violation, and the damage.
Burden-shifting — Article 42, § 2. In civil proceedings, the judge may shift the burden of proof in favor of the data subject when, in the judge's view, the allegation is plausible, the data subject is unable to produce evidence for reasons of insufficient resources, or producing the evidence would impose an excessive burden on the data subject. This procedural mechanism, borrowed from Brazil's Consumer Protection Code (Law No. 8,078/1990, Article 6, VIII), reflects the recognition that controllers and processors hold the technical records and processing logs necessary to defend against liability claims, while data subjects typically lack visibility into backend processing operations.
Unlawful processing — Article 44. Processing of personal data is considered irregular (and therefore a violation triggering Article 42 liability) when it fails to comply with the LGPD or when it does not provide the security the data subject can reasonably expect. Article 44 lists relevant circumstances to assess the security expectation, including the purposes of the processing, the data subject's reasonable expectations at the time of processing, and the data-processing techniques available at the time the processing occurred. The sole paragraph of Article 44 specifies that a controller or processor who fails to adopt the security measures required by Article 46 of the LGPD and thereby causes damage is liable for damages resulting from the security-breach violation.
Collective actions — Article 42, § 3. Actions for collective damages under Article 42 may be brought collectively in court, in accordance with the applicable procedural legislation. Brazil's Consumer Protection Code, Article 81, and Law No. 7,347 of July 24, 1985 (Public Civil Action Law) establish that collective actions for homogeneous individual rights may be filed by the Public Prosecutor's Office (Ministério Público), consumer-protection agencies (including PROCON), legally constituted associations, and the Public Defender's Office. Collective data-breach litigation in Brazil has followed this model, permitting a single judicial action to obtain compensation on behalf of a defined class of affected data subjects.
Relationship to ANPD enforcement. Article 42–44 civil liability is independent of ANPD's Article 52 administrative sanctions. A data subject may file a civil suit for damages without waiting for ANPD to open an administrative proceeding, and a controller or processor may face both an ANPD fine and a civil judgment for the same underlying violation. In practice, ANPD enforcement decisions and dosimetry resolutions (Resolution CD/ANPD No. 4 of February 24, 2023) serve as persuasive evidence in civil proceedings, but civil courts apply their own analysis of violation, causation, and quantum of damages under the Brazilian Civil Code and LGPD Articles 42–44.
Statute of limitations. The LGPD does not specify a limitations period for Article 42 civil actions. Brazilian courts have applied the general tort statute of limitations in the Civil Code (Law No. 10,406 of January 10, 2002), Article 206, § 3, V: three years from the date the data subject became aware of the damage and its author. For latent data breaches where the harm is not immediately apparent (e.g., credential stuffing attacks exploiting data stolen months earlier), the three-year clock begins when the data subject discovers the breach and the identity of the controller or processor responsible.
Source: Law No. 13,709 of August 14, 2018 (LGPD), Articles 42–44; ANPD official English translation of LGPD
Criminal prosecution and concurrent enforcement under general criminal law — LGPD Article 45 and Criminal Code Article 154-A
The Lei Geral de Proteção de Dados Pessoais (LGPD) itself does not create criminal offenses or authorize criminal prosecution for data-protection violations. However, LGPD Article 45 expressly preserves the application of concurrent criminal liability under other Brazilian statutes, and data controllers, processors, and individual employees face potential criminal exposure under Brazil's general criminal law for conduct that also constitutes an LGPD violation. Understanding this enforcement layering is critical for risk assessment: a single unlawful-processing incident may trigger ANPD's administrative sanctioning process (Articles 52–54 LGPD), civil damages liability (Articles 42–44 LGPD), and criminal investigation and prosecution under the Brazilian Criminal Code (Código Penal, Decree-Law No. 2,848 of December 7, 1940, as amended) or sectoral criminal statutes.
LGPD Article 45 — preservation of concurrent enforcement. Article 45 of the LGPD provides that violations of the data subject's rights that occur within the context of consumer relations remain subject to the liability rules provided in the relevant legislation. Article 52, § 2 (as renumbered and added by Law No. 13,853/2019) states that the administrative sanctions provisions of LGPD do not replace the application of administrative, civil, or criminal sanctions provided in the Consumer Protection Code (Law No. 8,078 of September 11, 1990, Article 7, VI; Articles 61–80) and in specific legislation. This language confirms that LGPD enforcement by ANPD operates in parallel with, rather than preempting, criminal prosecution by the Public Prosecutor's Office (Ministério Público) and police authorities.
Criminal Code Article 154-A — unauthorized computer-device invasion. The most frequently invoked criminal statute for data-protection violations is Article 154-A of the Brazilian Criminal Code, added by Law No. 12,737 of November 30, 2012 (popularly known as the "Carolina Dieckmann Law" after a high-profile celebrity data breach). Article 154-A criminalizes invading another person's computer device (dispositivo informático alheio), whether or not connected to a computer network, by improperly violating a security mechanism, with the purpose of obtaining, altering, or destroying data or information without the express or tacit authorization of the device's owner, or installing vulnerabilities to obtain unlawful advantage. The base penalty is detention from three months to one year plus a fine.
Enhanced penalties — Article 154-A, §§ 1–5. Article 154-A, § 1 applies the same penalty to anyone who produces, offers, distributes, sells, or disseminates a computer device or program with the intent to permit commission of the invasion conduct described in the main provision. Article 154-A, § 2 increases the penalty by one-sixth to one-third if the invasion results in economic loss. Article 154-A, § 3 substantially enhances the penalty — imprisonment (reclusão) from six months to two years plus a fine — if the invasion results in obtaining the content of private electronic communications, commercial or industrial secrets, or confidential information as defined by law, or if it results in unauthorized control of the invaded device remotely. Article 154-A, § 4 doubles the penalty (one to four years imprisonment plus fine) for qualified invasion that results in any of the Article 154-A, § 3 harms and the conduct is committed against the President of the Republic, state governors, the Federal District governor, or mayors; against a public administration entity or a financial services provider, payment institution, or credit-card issuer; or for purposes of commercial or industrial advantage. Article 154-A, § 5 specifies that criminal action (ação penal) for the basic Article 154-A offense (main provision, §§ 1–3) is conditioned on a complaint by the victim (ação penal privada), whereas the qualified offenses under Article 154-A, § 4 are prosecuted as public criminal actions (ação penal pública incondicionada) — the Public Prosecutor may prosecute without the victim's complaint.
Application to LGPD violations. A data-processing activity that violates the LGPD can also satisfy the elements of Article 154-A if it involved (a) unauthorized access to a computer device or database (b) by circumventing a security mechanism (c) with the purpose of obtaining, altering, or destroying personal data without authorization. For example, an employee of a data processor who accesses a customer database beyond the scope of the controller's instructions and exfiltrates personal data for resale satisfies both LGPD Article 42, § 1, item I (processor liability for failure to follow lawful controller instructions) and Criminal Code Article 154-A, § 3 or § 4 (unauthorized invasion to obtain confidential information). The same facts support an ANPD administrative sanction against the processor entity, a civil damages claim by affected data subjects under LGPD Article 42, and criminal prosecution of the individual employee (and potentially the company's officers under criminal-law complicity or corporate-liability doctrines).
Other applicable criminal statutes. Depending on the nature of the unlawful processing and the resulting harm, prosecutors may also charge violations under other Criminal Code provisions: Article 153 (unauthorized disclosure of secrets, violação de segredo profissional); Article 325 (violation of functional secrecy by a public official, violação de sigilo funcional); Articles 171–179 (fraud and related property crimes, if the processing was part of a scheme to defraud); or Article 7, X of Law No. 8,078/1990 (crimes against consumer relations for failure to safeguard consumer data under the Consumer Protection Code). The Consumer Protection Code's criminal provisions (Articles 61–80) include imprisonment from six months to two years for placing in the market a product or service in conditions known to be dangerous to health or safety (Article 63), and the federal courts have recognized data-breach exposure can constitute a "dangerous service" under this standard when the controller or processor knew of systemic security deficiencies.
Institutional roles — ANPD does not prosecute crimes. ANPD's authority under Article 55-J of the LGPD is limited to administrative enforcement — investigation of administrative infractions and application of Article 52 sanctions (warnings, fines, blocking, deletion, suspension, prohibition). ANPD expressly states on its public website that it "does not conduct criminal investigations" (não realiza especificamente investigação de crimes); criminal investigation is the jurisdiction of the state and federal police forces (Polícia Civil and Polícia Federal) and prosecution by the Public Prosecutor's Office (Ministério Público). However, ANPD may refer cases involving apparent criminal conduct to the appropriate police or prosecutorial authorities, and prosecutors may use ANPD administrative-proceeding findings and evidence as a basis for initiating criminal investigation. The two tracks operate independently: ANPD may close an administrative proceeding with a fine or warning, and the same facts may still be the subject of an ongoing criminal prosecution.
Statute of limitations — criminal versus administrative. Criminal-law statutes of limitations under Criminal Code Article 109 apply to Article 154-A prosecutions: for the base offense (three months to one year detention), the limitation period is three years from the date of the offense (Article 109, VI); for the qualified offense under Article 154-A, § 4 (one to four years imprisonment), the limitation period is eight years (Article 109, IV). ANPD administrative sanctions under LGPD Article 52 are subject to a five-year statute of limitations from the date ANPD became aware of the violation (Law No. 9,873 of November 23, 1999, Article 1), which begins running when ANPD receives a complaint or otherwise acquires knowledge of the facts. A controller or processor may thus face administrative sanctions from ANPD even when the parallel criminal investigation has been time-barred, or vice versa.
Corporate criminal liability. Under Brazilian criminal law, legal entities (companies) can be held criminally liable in limited circumstances — most notably environmental crimes under Law No. 9,605 of February 12, 1998, Article 3. For data-protection and cybercrime violations under Article 154-A, current criminal-law doctrine treats criminal liability as personal to the individual perpetrator (the employee, officer, or director who committed the invasion or instructed it). However, corporate officers and directors may face personal criminal exposure under theories of co-authorship (coautoria) or participation (participação) if they ordered, directed, or knowingly permitted the unlawful processing, and companies face collateral consequences including administrative fines, contractual liability, and reputational damage even when they cannot be directly charged with a crime.
Source: Law No. 13,709 of August 14, 2018 (LGPD), Article 45 and Article 52, § 2; Law No. 12,737 of November 30, 2012 (Cybercrime Law — Carolina Dieckmann Law), adding Article 154-A to the Criminal Code; ANPD official English translation of LGPD
ANPD enforcement practice and precedent — responsive regulation posture, first sanctions imposed, and enforcement priorities
Since the LGPD sanctions provisions took effect on August 1, 2021, Brazil's Autoridade Nacional de Proteção de Dados (ANPD) has pursued a responsive regulation model that prioritizes orientation, prevention, and cooperation before punitive enforcement. This measured approach—explicitly recognized in ANPD's enforcement-process regulation (Resolution CD/ANPD No. 1 of October 28, 2021, as amended by Resolution CD/ANPD No. 4 of February 24, 2023)—distinguishes monitoring, guidance, preventive activities, and repressive enforcement. Repressive action (the processo administrativo sancionador, or administrative sanctioning process) is reserved for cases involving coercive measures to interrupt harm or risk, restore compliance, and punish violators through Article 52 sanctions. Understanding ANPD's enforcement practice, published sanctions decisions, and priority areas is critical for controllers and processors calibrating compliance investment and remediation timelines.
First sanctions imposed — Telekall Infoservice (July 2023). ANPD applied its first administrative sanctions in July 2023, concluding a sanctioning process against Telekall Infoservice, a private-sector company. The Coordenação-Geral de Fiscalização (CGF/ANPD, General Coordination of Enforcement) published its decision in the Diário Oficial da União on July 6, 2023. CGF/ANPD found that Telekall violated Article 7 (absence of a lawful basis for processing), Article 41 (failure to designate a data-protection officer or provide adequate contact for the encarregado), and Article 5 of Resolution CD/ANPD No. 1/2021 (failure to comply with requisitions from ANPD during the investigation). For the Article 7 and Article 5 violations, ANPD imposed simple fines (multa simples); for the Article 41 violation, ANPD imposed a warning (advertência). The proceeding followed the full administrative-process framework: CGF/ANPD issued an Auto de Infração (Notice of Infraction) after the company failed to respond to enforcement requests, Telekall filed a defense, CGF/ANPD concluded the instruction phase, and the decision was published with a right to appeal to ANPD's Board of Directors (Conselho Diretor). ANPD's public announcement of the Telekall decision does not disclose the monetary amounts of the fines, consistent with ANPD's practice of publishing case summaries and enforcement statistics while treating specific fine quantum as non-public unless the sanctioned entity voluntarily discloses it or ANPD imposes the Article 52 publication sanction (publicização da infração).
Public-sector sanctions — warnings and corrective measures. ANPD's enforcement decisions against public entities reflect the statutory limitation in Article 52, § 3 of the LGPD: administrative fines (multa simples or multa diária) cannot be applied to public entities or public organs. ANPD may apply the non-pecuniary sanctions—warning, publication, blocking, deletion, suspension—but not monetary fines. In October 2023, ANPD concluded a sanctioning process against the Instituto de Assistência ao Servidor Público Estadual de São Paulo (IAMSPE), a state public-health entity. CGF/ANPD found that IAMSPE violated Article 49 of the LGPD (failure to maintain secure systems for storing and processing personal data of civil servants and dependents). ANPD applied two warnings (advertências) and ordered corrective measures: implementation of a schedule to upgrade system security and reduce vulnerability to security incidents, and public communication to affected data subjects maintained on IAMSPE's website for at least 90 days. Similarly, ANPD's published list of concluded sanctioning processes shows cases against the Instituto Nacional do Seguro Social (INSS) (for failure to notify data subjects of a security incident under Article 48 LGPD, despite having reported the incident to ANPD), the Secretaria de Estado de Educação do Distrito Federal (SEEDF) (for failure to comply with ANPD requisitions, including failure to produce a data-protection impact assessment / RIPD when requested under Article 38 LGPD), and multiple proceedings against the Ministério da Saúde. These decisions establish that ANPD applies the responsive-regulation sequence even for public entities: orientation and information requests first, escalation to a sanctioning process when requests are ignored, and warnings paired with mandatory corrective-action plans rather than fines.
Enforcement priorities and thematic focus areas. ANPD's Monitoring Cycle Report 2023 (published November 2023) and public press releases identify consistent priority areas:
- Failure to respond to ANPD requisitions. Multiple sanctioning processes cite Article 5 of Resolution CD/ANPD No. 1/2021 (non-compliance with information requests, failure to produce records or impact assessments). ANPD treats non-cooperation during an investigation as an independent violation that escalates enforcement from preventive to repressive.
- Absence of a data-protection officer (encarregado) or functional communication channel. Article 41 LGPD requires controllers to designate an encarregado and publish contact details. In December 2024, ANPD announced a monitoring cycle targeting 20 large private-sector companies across technology, telecommunications, education, healthcare, and retail sectors for failure to designate an encarregado or provide an effective communication channel for data subjects to exercise access, rectification, and deletion rights. ANPD's press release named the companies under monitoring and warned that persistent non-compliance after the monitoring phase would result in sanctioning processes under Article 52.
- Breach-notification failures. Article 48 LGPD requires controllers to notify ANPD and affected data subjects of security incidents that may cause risk or relevant harm. ANPD's Monitoring Cycle Report 2023 documents sanctioning processes against public entities for failure to notify data subjects even when the controller did notify ANPD, clarifying that the Article 48 dual obligation is independent.
- Data security deficiencies — Article 46 and Article 49. Article 46 obligates controllers and processors to adopt technical and administrative security measures to protect personal data from unauthorized access and accidental or unlawful destruction, loss, alteration, communication, or dissemination. Article 49 obligates public-administration bodies to maintain integrated, standardized security for centralized personal-data management and access. The IAMSPE decision establishes that ANPD will impose warnings and mandatory remediation timelines for systemic security failures even when no breach has yet occurred, if the vulnerability creates ongoing risk.
- Children's data and education-technology platforms. ANPD's Monitoring Cycle Report 2023 documents an investigation of multiple educational-technology platforms (Centro de Mídias da Educação de São Paulo, Descomplica, Escola Mais, Estude em Casa, Explicaê, Manga High, Stoodi) for alleged unlawful collection and sharing of children's and adolescents' personal data with advertising-technology (AdTech) companies during remote learning in the COVID-19 pandemic. The investigation originated from complaints filed by the Brazilian Chamber of Deputies and Human Rights Watch.
Escalation pathway and compliance signals ANPD rewards. ANPD's enforcement practice follows a graduated response:
- Monitoring and orientation: ANPD sends information requests and may publish guidance. No formal proceeding.
- Preventive measures: ANPD issues formal requisitions for records, DPIAs (RIPDs), or remediation plans. Failure to comply triggers escalation and becomes an aggravating factor in any subsequent sanctioning process.
- Administrative sanctioning process (processo administrativo sancionador): CGF/ANPD issues an Auto de Infração when there is evidence of an infraction and non-cooperation. The controller/processor files a defense (with full due-process rights under Law No. 9,784/1999), CGF/ANPD issues an instruction report and decision, and the sanctioned party may appeal to the Board of Directors within 10 business days.
The Dosimetry Regulation (Resolution CD/ANPD No. 4 of February 24, 2023, Article 7) lists factors ANPD must consider when selecting sanctions and calculating fine amounts, including mitigating factors: good faith, cooperation with ANPD, adoption of a privacy-governance program (policy of good practices and governance under Article 50 LGPD), prompt adoption of corrective measures after notification, and demonstrated internal mechanisms to minimize harm. The Dosimetry Regulation defines specific recidivism (repetition of the same violation within five years of a final sanctioning decision) and generic recidivism (any new violation within five years) as aggravating factors, and Article 52, § 6 restricts the severe sanctions (suspension, prohibition) to cases where (i) at least one lighter sanction has already been imposed for the same case and (ii) the controller/processor obtained substantial economic advantage from the violations or acted in bad faith.
Transparency and public access to decisions. ANPD maintains a public page listing concluded sanctioning processes with links to published instruction reports (Relatórios de Instrução) and final decisions, and documents in concluded cases are available through ANPD's public SEI (Sistema Eletrônico de Informações) portal without login. ANPD launched a Fiscalização Dashboard (Painel da Fiscalização) in November 2024 aggregating enforcement statistics. However, case details remain restricted during the pendency of appeals, and ANPD does not routinely publish the specific monetary amounts of fines in individual cases. As of the data available in ANPD's published reports through early 2024, ANPD had concluded at least seven sanctioning processes (Telekall, IAMSPE, INSS, SEEDF, two proceedings against Ministério da Saúde, and one involving the Instituto de Pesquisas Jardim Botânico do Rio de Janeiro), with multiple processes under instruction or appeal.
No criminal jurisdiction; referral to prosecutors. ANPD expressly states on its public website that it does not conduct criminal investigations (não realiza especificamente investigação de crimes). Criminal investigation and prosecution for conduct that violates both the LGPD and criminal statutes (such as Criminal Code Article 154-A unauthorized computer invasion) are the jurisdiction of state and federal police (Polícia Civil, Polícia Federal) and the Public Prosecutor's Office (Ministério Público). ANPD may refer cases involving apparent criminal conduct to the appropriate authorities, and prosecutors may use ANPD's administrative findings as evidence, but the two tracks operate independently.
Source: ANPD Press Release — First Fine (Telekall), July 7, 2023; ANPD Press Release — IAMSPE Sanctioning Decision, October 6, 2023; ANPD — Decisions in Sanctioning Processes (published instruction reports); ANPD — Monitoring Cycle Report 2023 (PDF, enforcement statistics and case summaries); ANPD Press Release — Monitoring 20 Companies for Encarregado / DPO Violations, December 13, 2024
ANPD enforcement record and published sanctions decisions — 2023–2025 practice
Brazil's Autoridade Nacional de Proteção de Dados (ANPD) transitioned from regulatory development to active enforcement starting in 2023, following the February 24, 2023 publication of Resolution CD/ANPD No. 4, the Regulation on Dosimetry and Application of Administrative Sanctions (Regulamento de Dosimetria e Aplicação de Sanções Administrativas). This dosimetry regulation satisfied the Article 53 LGPD precondition that ANPD issue methodology guidance before imposing fines, and enforcement actions accelerated immediately thereafter. Understanding ANPD's published decisions—the violations targeted, the sanctions imposed, and the dosimetry applied in practice—is essential for compliance prioritization and risk assessment.
First monetary sanction — Telekall Infoservice (July 2023). On July 6, 2023, ANPD published its first-ever monetary sanction in the Diário Oficial da União: a total fine of R$ 14,400 against Telekall Infoservice Ltda., a micro-enterprise telemarketing company (process No. 261.000489/2022-62, initiated March 10, 2022). The Coordenação-Geral de Fiscalização (CGF, ANPD's Inspection and Enforcement Directorate) found three violations:
- Violation of Article 7 LGPD (absence of a lawful basis for processing personal data) — fine of R$ 7,200 (approximately USD $1,480 at July 2023 exchange rates);
- Violation of Article 41 LGPD (failure to appoint a Data Protection Officer / encarregado de dados pessoais) — warning (advertência) without corrective measures, as Telekall did not demonstrate that it performed only low-risk processing that would exempt it from the DPO requirement;
- Violation of Article 5 of Resolution CD/ANPD No. 1/2021 (failure to cooperate with ANPD information requests during the investigation) — fine of R$ 7,200.
Telekall is classified as a microempresa under Brazilian law (annual revenue up to R$ 360,000, approximately USD $74,000), and ANPD applied the Article 52 dosimetry factors—particularly the economic condition of the offender—to cap each fine at 2 percent of the company's gross revenue. The decision remains subject to administrative appeal to ANPD's Conselho Diretor (Board of Directors) under Resolution CD/ANPD No. 1/2021, Article 61. The Telekall decision is significant as a signal that ANPD will enforce against small businesses and that even modest revenue thresholds do not insulate controllers from LGPD obligations, although economic condition is a mitigating dosimetry factor that substantially reduces fine amounts for micro and small enterprises.
First public-sector sanctions — IAMSPE (October 2023). On October 6, 2023, ANPD published its first sanctions decision against a government entity: the Instituto de Assistência Médica ao Servidor Público Estadual de São Paulo (IAMSPE), a São Paulo state public health-assistance agency (process No. 00261.001969/2022-41, initiated September 30, 2022). CGF concluded that IAMSPE violated Article 48 LGPD (duty to communicate security incidents to ANPD and to affected data subjects) and Article 49 LGPD (duty to maintain technical and administrative security measures appropriate to the nature of the processing) in connection with a data breach affecting approximately 1.5 million public servants and their dependents who are beneficiaries of IAMSPE health services. The agency delayed notification to affected data subjects by approximately three months after discovering the breach (August–September 2022) and failed to maintain adequate security controls.
ANPD imposed non-monetary corrective sanctions only—warnings and mandatory corrective measures including timely breach notification and security upgrades—because Article 52, § 5 of the LGPD (as added by Law No. 13,853/2019) prohibits the imposition of monetary fines on public-sector entities (órgãos e entidades públicas). This statutory carve-out creates an asymmetry: private controllers face fines up to the Article 52 cap (R$ 50 million per violation), while public-sector controllers and processors are subject only to warnings, publication of the infraction, blocking, deletion, suspension, and prohibition measures—powerful operational sanctions, but no direct financial penalty. IAMSPE was entitled to appeal the CGF decision to the Conselho Diretor within ten business days of receiving the intimation.
Santa Catarina Health Department (October 2023). On October 18, 2023, ANPD sanctioned the Secretaria de Estado da Saúde de Santa Catarina (SES-SC, the Santa Catarina State Department of Health) (process No. 00261.001886/2022-51, initiated September 14, 2022) for four LGPD violations: (1) failure to present a required data-protection impact assessment (DPIA / relatório de impacto à proteção de dados pessoais, Article 38 LGPD); (2) inadequate security measures for storing and processing personal data (Article 49 LGPD); (3) delayed notification of a security breach to ANPD and to affected individuals (Article 48 LGPD); and (4) failure to respond to ANPD information requests (Article 18, § 8 and Article 5 of Resolution CD/ANPD No. 1/2021). ANPD imposed four warnings and corrective measures, including mandatory breach notifications and security improvements. SES-SC had ten days to appeal. As a public entity, SES-SC faced no monetary fine. The decision illustrates ANPD's emphasis on foundational compliance obligations—DPIAs for high-risk processing, proactive security, timely breach reporting, and cooperation with supervisory-authority investigations—across both private and public sectors.
Enforcement against public entities — Ministry of Health and INSS (2024). ANPD's published enforcement-decision list includes concluded processes against major federal public entities, including two Ministry of Health (Ministério da Saúde) processes (No. 00261.000456/2022-12, initiated March 7, 2022, concluded 2024; and No. 00261.001882/2022-73, initiated September 12, 2022, with appeal under review by the Conselho Diretor as of 2024) and the Instituto Nacional do Seguro Social (INSS, Brazil's National Social Security Institute) (process No. 00261.001888/2023-21, appeal decided by the Conselho Diretor in Circuito Deliberativo No. 15/2024, process concluded). The Ministry of Health processes investigated failures to respond to ANPD information requests, absence of a designated DPO (encarregado), and failure to notify ANPD of security incidents. The INSS case involved a data breach affecting INSS beneficiaries between August and September 2022 and resulted in corrective sanctions after administrative appeal. These decisions confirm that federal agencies—including those processing massive volumes of sensitive personal data (health, social security)—are active targets of ANPD enforcement, although monetary fines remain unavailable under the Article 52, § 5 public-sector exemption.
Preventive measures and daily fines — Meta (July–August 2024). In July 2024, ANPD issued a preventive measure (medida preventiva, Article 30 of Resolution CD/ANPD No. 1/2021) suspending Meta Platforms' privacy policy update titled "Facebook Online Services of Brazil," which would have permitted Meta to process personal data from Facebook, Instagram, and Messenger for training generative-AI systems. ANPD found four violations: (1) inadequate disclosure to data subjects about AI training purposes; (2) failure to implement safeguards for processing children's data; (3) absence of accessible opt-out mechanisms; and (4) failure to respect the legitimate expectations of Brazilian users under Article 6, VI LGPD (processing must respect the reasonable expectations of the data subject). ANPD did not impose a final sanction but threatened a daily fine (multa diária) of R$ 50,000 per day (approximately USD $10,000/day at 2024 exchange rates) if Meta failed to comply with the preventive measure. Meta responded by updating its privacy policy to provide clearer notices, obtain consent for AI training, permit opt-outs, and commit to not processing children's data for AI training; ANPD lifted the preventive measure on August 30, 2024. The Meta intervention illustrates ANPD's use of interim enforcement tools—preventive measures with daily-fine threats under Article 52, III LGPD—to halt ongoing processing violations without waiting for a full administrative sanctioning process (processo administrativo sancionador), and signals ANPD's enforcement priority on AI/generative-AI data processing and transparency obligations.
Enforcement trends and priorities — 2023–2025. As of mid-2025, ANPD has published dozens of concluded and ongoing administrative sanctioning processes, with enforcement concentrated in four violation categories:
- Breach notification failures (Article 48 LGPD and Resolution CD/ANPD No. 15 of April 2024, which establishes that controllers must notify ANPD within three business days of learning of a security incident involving risk or harm to sensitive personal data, children's or elderly data, financial data, authentication data, professional-secrecy-protected data, or large-scale data);
- Inadequate security measures (Article 49 LGPD, particularly failures to encrypt sensitive data, inadequate access controls, and absence of breach-response plans);
- Absence of a designated DPO (Article 41 LGPD, with ANPD strictly enforcing the DPO requirement except for demonstrated low-risk processing under Resolution CD/ANPD No. 18 of August 2024);
- Failure to cooperate with ANPD investigations (Article 18, § 8 and Article 5 of Resolution CD/ANPD No. 1/2021, including ignoring information requests and obstructing inspections).
ANPD has imposed sanctions across private micro-enterprises, large technology platforms, and federal/state public entities, and has made clear that organizational size and public/private status do not exempt controllers from core LGPD obligations. However, monetary fines remain modest compared to EU GDPR enforcement: as of early 2025, reported ANPD fines total approximately R$ 98 million (approximately USD $20 million) across all concluded processes from 2023–2025, with individual fines ranging from R$ 7,200 (Telekall, micro-enterprise) to fines in the millions of reais for large-scale breach and security failures. The R$ 50 million per-violation statutory cap (Article 52, II) has not yet been reached in any published decision. ANPD follows a responsive regulation model prioritizing guidance, preventive measures, and warnings before punitive fines, and the dosimetry regulation (Resolution CD/ANPD No. 4/2023) weights mitigating factors—good faith, cooperation, prompt corrective action, economic condition—heavily in fine calculation. Controllers that engage transparently with ANPD during investigations, adopt corrective measures promptly, and demonstrate compliance programs receive substantially reduced sanctions.
Published decision repository and transparency. ANPD publishes concluded sanctioning-decision reports (Relatórios de Instrução) on its official website at gov.br/anpd/pt-br/centrais-de-conteudo/decisoes-em-processos-sancionadores-1, organized by year and process number. These reports include the factual findings, legal analysis, dosimetry calculation, and the sanctions imposed. ANPD also publishes a list of ongoing (not yet concluded) administrative sanctioning processes at gov.br/anpd/pt-br/assuntos/noticias/anpd-divulga-lista-de-processos-sancionatorios, identifying the entity under investigation, the alleged violations, the investigation phase, and the process number. Final sanctions are additionally published on the federal government's Transparency Portal (Portal da Transparência), where entities sanctioned by ANPD appear in the National Registry of Punished Companies (CNEP, Cadastro Nacional de Empresas Punidas). This multi-channel transparency reflects ANPD's implementation of the Article 52, IV LGPD sanction of publication of the infraction (publicização da infração), which serves both a punitive and a deterrent function by publicly associating the controller's name with the LGPD violation.
Sources: ANPD — Decisões em Processos Sancionadores (Official repository of concluded enforcement decisions); ANPD — First fine announcement (Telekall, July 2023); ANPD — IAMSPE sanctions decision (October 2023); ANPD — Sanções Administrativas (Administrative sanctions page)