Despite the General Data Protection Act (LGPD) having entered into force in 2020 and its penalties in 2021, only on July 6, 2023 did the Brazilian Data Protection Authority (ANPD) publish in the Federal register of the current month, the first sanction applied to a company for violating the LGPD.
As a matter of fact, the ANPD's General Inspection Office (CGF) concluded that the microenterprise Telekall Infoservice violated article 7 and article 41 of the LGDP, in addition to article 5 of the ANPD Inspection Regulation. Two separate sanctions were applied to the company, as listed below:
|
TYPE OF PENALTY |
DESCRIPTION |
|
Warning |
No imposition of corrective measures for breach of article 41 of the LGPD, which provides for the following: “Article 41. The controller shall appoint the officer for the processing of personal data”. |
|
Simple Fine |
For the following amounts: (i) BRL 7,200.00 (seven thousand and two hundred reais) for breach of article 7 of the LGPD which provides the following: “Article 7 Processing of personal data shall only be carried out under the following circumstances: I – with the consent of the data subject; II – for compliance with a legal or regulatory obligation by the controller; III – by the public administration, for the processing and shared use of data necessary for the execution of public policies provided in laws or regulations, or based on contracts, agreements, or similar instruments, subject to the provisions of Chapter IV of this Law; IV – for carrying out studies by research entities, ensuring, whenever possible, the anonymization of personal data; V – when necessary for the execution of a contract or preliminary procedures related to a contract of which the data subject is a party, at the request of the data subject; VI – for the regular exercise of rights in judicial, administrative or arbitration procedures, the last pursuant to Law #9,307, of September 23, 1996 (the “Brazilian Arbitration Law”) ; VII – for the protection of life or physical safety of the data subject or a third party; VIII – to protect the health, exclusively, in a procedure carried out by health professionals, health services or sanitary authorities; IX – when necessary to fulfill the legitimate interests of the controller or a third party, except when the data subject’s fundamental rights and liberties which require personal data protection prevail; or; X – for the protection of credit, including as provided in specific legislation.” (ii) BRL 7,200.00 (seven thousand and two hundred reais) for breach of article 5 of the Inspection Regulation , which provides the following: “Article 5 Regulated agents are subject to inspection by the ANPD and have the following duties, among others: I – provide physical or digital copies of documents, data and information relevant to the assessment of personal data processing activities, within the deadline, place, format and other conditions established by the ANPD; II – allow access to plants, equipment, applications, facilities, systems, tools and technological resources, documents, data and information of a technical, operational and other nature relevant to the evaluation of personal data processing activities, held by them or a third-party ; III – let the ANPD be aware of the information systems used to process data and information, as well as their traceability, updating and replacement, by making available the data and information arising from these instruments; IV – submit to audits carried out or determined by the ANPD; V – keep the physical or digital documents, data and information during the periods established in the legislation and in specific regulations, as well as during the entire period of processing of administrative processes in which they are necessary; and VI – make available, whenever requested, a representative able to support the activities of the ANPD, with knowledge and autonomy to provide data, information and other aspects related to their object.” |
The ANPD investigation was initiated by a complaint that the company was offering a WhatsApp contact list containing voters from Ubatuba-SP, for the purpose of spreading election campaign material in 2020. The CGT then identified the following violations to the following provisions:
|
LGPD PROVISIONS VIOLATED LGPD |
DESCRIPTION |
|
Article 7 and article 11 |
no proof of a legal hypothesis for the processing of personal data; |
|
Article 37 |
no proof of recording of personal data processing operations; |
|
Article 38 |
no impact report sent on the protection of personal data regarding its processing operations; |
|
Article 41 |
no proof of appointment of an officer. |
On the other hand, it is interesting to read the arguments used by the ANPD during the analysis of the circumstances of the infraction and infractor, as listed below:
6.1. The evidence collected in the case file is sufficient to state that the company Telekall offered a list of WhatsApp contacts for the purpose of sending messages. Indeed, in the attached document (SEI #2358139), attached to the records of preparatory procedure 00261.000040/2021-13, there is the document Decisao_1785290_DC___0150068.2020__SEI____encaminhar_para_autoridade_nacional_de_dos__signado_pdf, in which the public prosecutor Fernando Fietz Brito, acting in the 4th Public Prosecutor's Office of Ubatuba Consumer, noted the following (pgs. 1/2 of the pdf): “By browsing the website of the aforementioned legal entity (https://telekall.com/) attention is drawn to the fact that its commercial activity consists of providing a digital platform for sending Voice, SMS, and Whatsapp messages, announcing a database of 130 million people, with doubts arising about the legality of the means used to obtain this data and whether the treatment given to it is in accordance with the provisions stipulated in the General Data Protection Act (Law #13,709/2018)”. For this reason, the member of the Public Ministry of the State of São Paulo determined that a full copy of the ANPD file be forwarded. The aforementioned document reveals that the website offered a digital messaging platform with a database of 130 (one hundred and thirty) million people, was sent by an official body, and was not refuted by the regulated agent when presenting the defense, which is why it is suitable for proving the infringement. 6.2. The attached document (SEI #2358139), in turn, also brought the E_mail_1721636_1__protocolo_1885_2020.pdf, attached to the preparatory procedure as Annex #1 of Letter CGF - “Email com denúncia” (SEI #2412924), in which on page 2, it was found that on October 22, 2020, the email account sender@telekall.com , “Telekall Infoservices” sent at 02:30:53 an email to xxxxxxxxxx@uol.com.br , with the subject "Alex Da Saúde Lista de Contatos Whatsapp de Ubatuba” In the body of the email, candidate Alex da Saúde was offered the “best WhatsApp contact list in your city. Now you have the possibility to synchronize thousands of numbers in your Google campaign accounts without having to type it on your cell phone. Our contact list is segmented and filtered by region and neighborhood, which makes it possible to customize your communication with the voter”. On pg 3 of the pdf, there is information that “you will receive the listing with user name, whatsapp number and full address. Delivered via download in Excel format, which makes it easy to import into multiple applications. Get your whatsapp base today and get ahead. We offer packages with 5, 10, 25, 50 and 100 thousand contacts. Call now, or return this email to [/compose? to=info@telekall.com]info@telekall.com or send us a message via WhatsApp: (xx). xxxxx.xxxx”. according to page 1 of Annex #1 of LetterCGF – “Email com denúncia” (SEI #2412924), on October 22, 2020, at 8:14 am, Marcelo Santos Mourão, by email ms.mourao@uol.com.br , after answering the e-mail sent by Telekall, sent a copy of the document to Heloise Maia da Costa, e-mail HeloiseCosta@mpsp.mp.br , electoral promoter, in view of the possible configuration of electoral crime. This document is capable of proving that the offer was sent by email to the recipient xxxxxxxx@uol.com.br on October 22, 2020, as it was sent to the ANPD by an official body and never had its legitimacy questioned by Telekall in the defense. 6.3. The finding is strengthened by the document “Correspondência Resposta da Telekall” to letter 21 #2 (2515300), in which the company confirmed that “Yes, there was an initial contact via Whatsapp with the candidate for councilman Alexandre Mandl, which did not result in any commercial activity ”. If there was contact, it implies in commercial activity described in the present case file and object of legality analysis throughout the inspection activity. 6.5. The cell phone informed in Attachment #1 of Letter CGF - “E-mail com denúncia” (SEI #2412924), pages 2/3, in turn, coincides with what is present in Certificate 1 (SEI #3264998), through which the CGF made contact with Mr. Emmanuel Gomes de Jesus regarding the Infraction Notice (SEI #3231560), after which the Office received the Defense (SEI #3324700). The same cell phone number - (xx) x.xxxx.xxxx - appears on page 2 of Attachment #1 of LETTER 19 – “Telas do site da Telekall” (SEI #2412960), which consists of a print screen of the company's website: https://telekall.com/zap/index.html . As such, there is no doubt that the aforementioned cell phone number was used to offer telephone contacts. 6.6. On the website, in turn, according to Attachment #1 of Letter 19 – “Telas do site da Telekall” (SEI #2412960), there is the information that “If you need new contacts, we offer the best segmented WhatsApp list. updated with 130 million users”, in addition to “Geographic targeting for city, neighborhood, zip code or via CBO occupation code. E.g. Doctor, Teacher, dentist, etc…” . There is also information that “No matter the size of your campaign, we have the capacity to send up to 2 million messages per day. Fast and guaranteed service with high delivery rate”. This information, which is also protected by official body and was not contested by the defense, demonstrates the ability to reach millions of data subjects. 6.7. Within the document “Correspondência Resposta da Telekall” to letter 21 #1 (SEI # 2515289), page 5, there is information that the Public Prosecutor's Office of the State of São Paulo, Campinas Public Prosecutor's Office, through the electoral justice prosecutor who acts before the 379th Electoral Zone (Campinas), instituted an electoral preparatory procedure on 03/02/2021 in order to determine possible irregular electoral propaganda, in view of receiving factual news registered under SEI # 29.0001.0154642-2020-33, through which there was information that the company Telekall offered candidate Alexandre Mandl the WhatsApp contact list from Campinas. In addition, in the factual news SEI #29.0001.0007538.2021-76, it was informed that a voter received electoral propaganda from the candidate for mayor of Campinas Wilson Matos through WhatsApp, although his telephone number was registered with PROCON so as not to receive calls, a circumstance that serves as a basis for the finding that Telekall carried out commercial activity of selling telephone contacts. 6.8. This investigation is also supported by consulting the website https://telekall.com/ , attached to process 00261.000040/2021-13 under document SEI #3110999, in which the offer of WhatsApp contacts was verified, which indicates that the company continued to offer services on the market on May 01, 2022. The website, however, was deactivated, as can be seen in document 3223051, of July 03, 2022.
As can be seen from the reading above, the complaint, which was previously based only on voters from Ubatuba-SP, did not even remotely cover the 130 million holders contained in that database. The company even boasted that it could send 2 million messages a day.
It is quite true that, at first glance, there is room to improve the issue of penalty dosimetry or even consider changes in the LGPD with regard to penalties. In the case in question, as it is a micro-enterprise, Telekall had the value of each infraction limited to 2% of its gross revenue, following the provisions of article 52, II of the LGPD, totaling its penalty at BRL 14,400.00. The question that remains is whether such a penalty is consistent with the inadequate treatment of the personal data of 130 million data subjects.
