Additional Author: Ana Letícia Allevato
In 2023, the Brazilian Data Protection Authority (ANPD) made public several Technical Notes, with the aim of increasing transparency on ANPD actions on several matters, and to provide guidance on specific topics in the Brazilian General Data Protection Law (LGPD), paving the way for data subjects, controllers, processors, and society at large to make more informed decisions regarding data protection. In this Legal Update, we have compiled these notes and the main outcomes from each of them.
Technical Note No. 175/2023/CGF
Purpose:
This Technical Note addresses the processing and sharing of personal data by the Safe Stadium Project, which seeks to make sports stadiums safer by combating racism and violence. The Safe Stadium Project aims to use technology to promote security, through means such as facial recognition to check the criminal records of people who want to enter stadiums.
Main outcomes from this Technical Note:
- The ANPD reinforces that data protection impact assessments must analyze each of the principles of the LGPD and how they affect the processing in question.
- Organizations should consider, as good practice, restricting access to these files and information, as well as the records (i.e., logs) of the use, movement and access of this information for future auditing and verification.
- The ANPD also reinforces the importance of informing data subjects when that data is collected in a public place, especially through video surveillance.
- Finally, the long-term retention of images obtained by surveillance cameras would not be considered reasonable by the ANPD.
Technical Note No. 12/2023/CGF
Purpose:
This note deals specifically with the risk of re-identification of data subjects, based on data publicly disclosed by the National Institute of Educational Studies and Research (INEP).
Main outcomes from this Technical Note
- Most importantly, the ANPD recognizes that anonymized data may have a certain degree of chance of re-identifying its subjects, and that this would not violate the LGPD. In other words, anonymized data does not need to be completely exempt from the risk of its subjects being re-identified.
- The ANPD recognizes suppression and generalization as data anonymization techniques, and deems the 'k-anonymity' metric appropriate to measure the effectiveness of the suppression process.
- In this note, the ANPD again indicated that establishing criteria for controlling and recording access to personal data would be an important security measure.
- The ANPD reinforced that the data protection impact must be carried out voluntarily, in the event that the controller sees a high-risk treatment— not only when requested by the ANPD.
- The use of apparently anonymous public data for the purpose of reidentifying data subjects would not be valid, based on the LGPD.
Technical Note No. 19/2023/CFG
Purpose:
This note deals with the ANPD's own monitoring activities on the highly regulated Brazilian financial and telecommunications markets.
Main outcomes from this Technical Note
- The ANPD indicated that the scope of application of the legal basis for credit protection is limited and has a restrictive interpretation, applying to treatments that improve the risk analysis of the data subject’s ability to honor their financial commitments. The ANPD also stated that entities would be authorized to share personal data on the legal basis of credit protection, as long as the purpose of the processing is maintained.
- According to this note, attempted fraud would not automatically result in the leaking of personal data, and that in the event of a suspected leak, the data subject must contact the processing agent and verify its occurrence, and what the subject must do to protect their rights.
Technical Note No. 16/2023/CGTP
Purpose:
This Technical Note deals with Bill No. 2338/2023, the proposed regulatory framework for artificial intelligence (AI), currently under debate in the federal Senate.
Main outcomes from this Technical Note
- In this note, the ANPD argues that it is the ideal central authority to regulate and supervise AI in Brazil.
- The ANPD also proposed an institutional model, structured in four instances that should act in a coordinated and articulated manner: (i) the competent authority (i.e., central regulatory body, which would be the ANPD itself); (ii) the Executive Branch (developing public policies for the development of AI systems); (iii) sectoral regulatory bodies (acting in coordination with the central regulatory body); and (iv) an advisory council (an advisory body that ensures public participation in the decision-making processes of all instances).
Technical Note No. 6/2023/CGF
Purpose:
This Technical Note was the result of an investigation, initiated by the ANPD, to analyze the processing of personal data of children and teenagers by a global social network platform.
Main outcomes from this Technical Note
- The ANPD ordered the platform to review some points of its governance, such as implementing more robust age verification mechanisms, and amending its privacy notices and the legal bases of certain treatments. In the latter case, the ANPD understood that the execution of a contract would not be an adequate basis for targeted advertising.
Technical Note No. 4/2023/CGTP
Purpose:
The note deals with the alignment of retail pharmacies with the LGPD, especially loyalty and discount programs, in which sensitive data is collected, and the large-scale sharing of data with various entities.
Main outcomes from this Technical Note
- The ANPD made it clear that it will randomly evaluate privacy notices on the internet and expects to find information regarding legal bases, even though Article 9 of the LGPD does not require this information to be public. - The ANPD also reinforced that privacy policies and notices must be made available to data subjects through the same means by which the data is collected, including in person.
- The ANPD also recommends that, when there is a discount, loyalty program, or similar benefit, it is important to have the relevant regulation published in an easily accessible environment.
- According to the note, the collection of biometric data for identity validation purposes should be avoided if there are other, less invasive—yet secure—means.
Technical Note No. 3/2023/CGF
Purpose:
This Technical Note deals with the display of the name, photo and length of service of Brazilian Federal Highway Police (PRF) officers in memorials on the PRF website.
Main outcomes from this Technical Note
- In this note, the ANPD argues that the LGPD only applies to the living. In other words, the LGPD does not afford protection to the personal data of deceased individuals.
