Alterar idioma para EnglishAlterar idioma para Japonês

Brazilian data protection authority applies first penalty for violation of data protection act

July 18, 2023

Despite the General Data Protection Act (LGPD) having entered into force in 2020 and its penalties in 2021, only on July 6, 2023 did the Brazilian Data Protection Authority (ANPD) publish in the Federal register of the current month, the first sanction applied to a company for violating the LGPD.

As a matter of fact, the ANPD's General Inspection Office (CGF) concluded that the microenterprise Telekall Infoservice violated article 7 and article 41 of the LGDP, in addition to article 5 of the ANPD Inspection Regulation. Two separate sanctions were applied to the company, as listed below:

                                                                                                                                       
               

                   TYPE OF PENALTY                

           		               

                   DESCRIPTION                

           
               

                   Warning                

           		               

                   No    imposition of corrective measures for breach of                    article 41 of the LGPD, which    provides for the following:                    “Article 41. The controller shall appoint the    officer for                    the processing of personal data”.                

           
               

                   Simple Fine                

           		               

                   For    the following amounts:                

               

                   (i)                                            BRL 7,200.00 (seven thousand and two hundred reais) for                        breach of    article 7 of the LGPD                                        which provides the following: “Article    7 Processing of                    personal data shall only be carried out under the following                    circumstances: I – with the consent of the data subject; II                    – for compliance    with a legal or regulatory obligation by                    the controller; III – by the public    administration, for                    the processing and shared use of data necessary for the                    execution of public policies provided in laws or                    regulations, or based on    contracts, agreements, or                    similar instruments, subject to the provisions of    Chapter                    IV of this Law; IV – for carrying out studies by research                    entities,    ensuring, whenever possible, the anonymization                    of personal data; V – when    necessary for the execution of                    a contract or preliminary procedures related    to a                    contract of which the data subject is a party, at the                    request of the    data subject; VI – for the regular                    exercise of rights in judicial,    administrative or                    arbitration procedures, the last pursuant to                                            Law #9,307, of September    23, 1996 (the “Brazilian                        Arbitration Law”)                                        ; VII – for the protection of life or    physical safety of                    the data subject or a third party; VIII – to protect the                    health, exclusively, in a procedure carried out by health                    professionals,    health services or sanitary authorities;                    IX – when necessary to fulfill the    legitimate interests                    of the controller or a third party, except when the data                    subject’s fundamental rights and liberties which require                    personal data    protection prevail; or; X – for the                    protection of credit, including as    provided in specific                    legislation.”                

               

                   (ii)                                            BRL 7,200.00 (seven thousand and two hundred    reais)                        for breach of article 5 of the Inspection Regulation                                        ,    which provides the following: “Article 5 Regulated                    agents are subject to    inspection by the ANPD and have the                    following duties, among others: I –    provide physical or                    digital copies of documents, data and information                    relevant to the assessment of personal data processing                    activities, within the    deadline, place, format and other                    conditions established by the ANPD; II –    allow access to                    plants, equipment, applications, facilities, systems, tools                    and technological resources, documents, data and information                    of a technical,    operational and other nature relevant to                    the evaluation of personal data    processing activities,                    held by them or a third-party ; III – let the ANPD be                    aware of the information systems used to process data and                    information, as    well as their traceability, updating and                    replacement, by making available the    data and information                    arising from these instruments; IV – submit to audits                    carried out or determined by the ANPD; V – keep the physical                    or digital    documents, data and information during the                    periods established in the    legislation and in specific                    regulations, as well as during the entire period    of                    processing of administrative processes in which they are                    necessary; and VI    – make available, whenever requested, a                    representative able to support the    activities of the                    ANPD, with knowledge and autonomy to provide data,                    information and other aspects related to their object.”                

           

The ANPD investigation was initiated by a complaint that the company was offering a WhatsApp contact list containing voters from Ubatuba-SP, for the purpose of spreading election campaign material in 2020. The CGT then identified the following violations to the following provisions:

                                                                                                                                                                                                                       
               

                   LGPD PROVISIONS VIOLATED LGPD                

           		               

                   DESCRIPTION                

           
               

                   Article 7 and article 11                

           		               

                   no    proof of a legal hypothesis for the processing of                    personal data;                

           
               

                   Article 37                

           		               

                   no    proof of recording of personal data processing                    operations;                

           
               

                   Article 38                

           		               

                   no    impact report sent on the protection of personal data                    regarding its    processing operations;                

           
               

                   Article 41                

           		               

                   no    proof of appointment of an officer.                

           

On the other hand, it is interesting to read the arguments used by the ANPD during the analysis of the circumstances of the infraction and infractor, as listed below:

   6.1.  The evidence collected in the case file is sufficient to state that    the company  Telekall offered a list of WhatsApp contacts for the purpose of    sending  messages. Indeed, in the attached document (SEI #2358139), attached    to the  records of preparatory procedure 00261.000040/2021-13, there is the    document    Decisao_1785290_DC___0150068.2020__SEI____encaminhar_para_autoridade_nacional_de_dos__signado_pdf,    in which the public prosecutor Fernando Fietz Brito, acting in the 4th    Public  Prosecutor's Office of Ubatuba Consumer, noted the following (pgs.    1/2 of the  pdf): “By browsing the website of the aforementioned legal    entity (https://telekall.com/) attention is drawn to the fact that its  commercial activity consists of    providing a digital platform for sending Voice,  SMS, and Whatsapp messages,    announcing a database of 130 million people, with  doubts arising about the    legality of the means used to obtain this data and  whether the treatment    given to it is in accordance with the provisions  stipulated in the General    Data Protection Act (Law #13,709/2018)”. For this  reason, the member of the    Public Ministry of the State of São Paulo determined  that a full copy of    the ANPD file be forwarded. The aforementioned document  reveals that the    website offered a digital messaging platform with a database  of 130 (one    hundred and thirty) million people, was sent by an official body,  and was    not refuted by the regulated agent when presenting the defense, which  is    why it is suitable for proving the infringement. 6.2. The attached document    (SEI #2358139), in turn, also brought the    E_mail_1721636_1__protocolo_1885_2020.pdf, attached to the preparatory    procedure as Annex #1 of Letter CGF - “Email com denúncia” (SEI #2412924),    in  which on page 2, it was found that on October 22, 2020, the email    account sender@telekall.com    , “Telekall Infoservices” sent at 02:30:53 an  email to xxxxxxxxxx@uol.com.br    , with the subject "Alex Da Saúde Lista de  Contatos Whatsapp de Ubatuba” In    the body of the email, candidate Alex da Saúde  was offered the “best    WhatsApp contact list in your city. Now you have the  possibility to    synchronize thousands of numbers in your Google campaign  accounts without    having to type it on your cell phone. Our contact list is  segmented and    filtered by region and neighborhood, which makes it possible to  customize    your communication with the voter”. On pg 3 of the pdf, there is    information that “you will receive the listing with user name, whatsapp    number  and full address. Delivered via download in Excel format, which    makes it easy  to import into multiple applications. Get your whatsapp base    today and get  ahead. We offer packages with 5, 10, 25, 50 and 100 thousand    contacts. Call  now, or return this email to [/compose?    to=info@telekall.com]info@telekall.com  or send us a message via WhatsApp:    (xx). xxxxx.xxxx”. according to page 1 of  Annex #1 of LetterCGF – “Email    com denúncia” (SEI #2412924), on October 22,  2020, at 8:14 am, Marcelo    Santos Mourão, by email ms.mourao@uol.com.br    , after answering the e-mail sent by Telekall,  sent a copy of the document    to Heloise Maia da Costa, e-mail HeloiseCosta@mpsp.mp.br    , electoral promoter, in view of the possible  configuration of electoral    crime. This document is capable of proving that the  offer was sent by email    to the recipient xxxxxxxx@uol.com.br    on October 22, 2020, as it was sent to the ANPD by an official body and    never had its legitimacy questioned by Telekall in the defense. 6.3. The    finding is strengthened by the document “Correspondência Resposta da    Telekall”  to letter 21 #2 (2515300), in which the company confirmed that    “Yes, there was  an initial contact via Whatsapp with the candidate for    councilman Alexandre  Mandl, which did not result in any commercial activity    ”. If there was contact,  it implies in commercial activity described in the    present case file and object  of legality analysis throughout the inspection    activity. 6.5. The cell phone  informed in Attachment #1 of Letter CGF -    “E-mail com denúncia” (SEI #2412924),  pages 2/3, in turn, coincides with    what is present in Certificate 1 (SEI  #3264998), through which the CGF made    contact with Mr. Emmanuel Gomes de Jesus  regarding the Infraction Notice    (SEI #3231560), after which the Office received  the Defense (SEI #3324700).    The same cell phone number - (xx) x.xxxx.xxxx -  appears on page 2 of    Attachment #1 of LETTER 19 – “Telas do site da Telekall”  (SEI #2412960),    which consists of a print screen of the company's website: https://telekall.com/zap/index.html    . As such, there is no doubt that the  aforementioned cell phone number was    used to offer telephone contacts. 6.6. On  the website, in turn, according    to Attachment #1 of Letter 19 – “Telas do site  da Telekall” (SEI #2412960),    there is the information that “If you need new  contacts, we offer the best    segmented WhatsApp list. updated with 130 million  users”, in addition to    “Geographic targeting for city, neighborhood, zip code  or via CBO    occupation code. E.g. Doctor, Teacher, dentist, etc…” . There is  also    information that “No matter the size of your campaign, we have the  capacity    to send up to 2 million messages per day. Fast and guaranteed service  with    high delivery rate”. This information, which is also protected by official    body and was not contested by the defense, demonstrates the ability to reach    millions of data subjects. 6.7. Within the document “Correspondência    Resposta  da Telekall” to letter 21 #1 (SEI # 2515289), page 5, there is    information that  the Public Prosecutor's Office of the State of São Paulo,    Campinas Public  Prosecutor's Office, through the electoral justice    prosecutor who acts before  the 379th Electoral Zone (Campinas), instituted    an electoral preparatory  procedure on 03/02/2021 in order to determine    possible irregular electoral  propaganda, in view of receiving factual news    registered under SEI #  29.0001.0154642-2020-33, through which there was    information that the company  Telekall offered candidate Alexandre Mandl the    WhatsApp contact list from  Campinas. In addition, in the factual news SEI    #29.0001.0007538.2021-76, it was  informed that a voter received electoral    propaganda from the candidate for  mayor of Campinas Wilson Matos through    WhatsApp, although his telephone number  was registered with PROCON so as    not to receive calls, a circumstance that  serves as a basis for the finding    that Telekall carried out commercial activity  of selling telephone    contacts. 6.8. This investigation is also supported by  consulting the    website https://telekall.com/    , attached to process 00261.000040/2021-13 under  document SEI #3110999, in    which the offer of WhatsApp contacts was verified,  which indicates that the    company continued to offer services on the market on  May 01, 2022. The    website, however, was deactivated, as can be seen in document  3223051, of    July 03, 2022.

As can be seen from the reading above, the complaint, which was previously based only on voters from Ubatuba-SP, did not even remotely cover the 130 million holders contained in that database. The company even boasted that it could send 2 million messages a day.

It is quite true that, at first glance, there is room to improve the issue of penalty dosimetry or even consider changes in the LGPD with regard to penalties. In the case in question, as it is a micro-enterprise, Telekall had the value of each infraction limited to 2% of its gross revenue, following the provisions of article 52, II of the LGPD, totaling its penalty at BRL 14,400.00. The question that remains is whether such a penalty is consistent with the inadequate treatment of the personal data of 130 million data subjects.

RECENT POSTS

LINKEDIN FEED

ícone