Brazil’s National Data Protection Authority (ANPD) has imposed its first fine for a breach of the General Data Protection Law (LGPD), nearly three years after the local regulations were enforced.
On July 6, ANPD imposed a warning and two fines on Telekall Infoservice, a small telecommunications firm, with each fine amounting to R$ 7200 ($1483). The ruling noted that Telekall offered large-scale messaging services via SMS and WhatsApp with capacity to send up to 2 million messages a day to specific audiences. The company had been investigated for supposedly offering bulk messaging services through WhatsApp to politicians.
Also according to the data protection authority’s ruling, the company failed to appoint a data protection officer, and also failed to provide a legitimate legal basis for processing personal data, and did not cooperate during investigations.
Telekall defended itself by asserting that while they had made contact with potential clients, they had not actually sold any services, and had temporarily suspended their bulk messaging operations to comply with the data protection regulations.
Telekall has been given a 20-day working window to settle the fines. If the company opts not to challenge the decision, they stand to receive a 25% reduction, lowering the total fine to R$ 10800 ($2225). Should Telekall fail to adhere to the decision, the Federal Prosecutor’s Office will take over the case.
Brazil’s data protection legislation was implemented in September 2020, having been approved two years prior in 2018. The associated financial penalties only became active in August 2021, providing companies with ample time to adapt to the new rules. The specific details of the law were subsequently detailed and clarified in February 2023.
The fact that Brazil’s first data protection fine was imposed on a small company was “surprising”, says Nycolle de Araújo Soares, a lawyer and CEO at Lara Martins Advogados and president of the Goiano Institute of Digital Law.
“This move defied expectations that larger companies, which repeatedly violate the LGPD, would be targeted first”, Soares noted. The specialist highlighted that this indicates Brazil’s data protection authority won’t restrict its actions to large companies, underscoring that “data protection compliance should be a concern for all businesses.”
Read the full article here