Brazil’s data protection authority opens public consultation on high-risk data processing
Contributions can be sent to the authority via the Participa+ Brasil platform until May 16, 2024
The Brazilian Data Protection Authority (ANPD) has opened a public consultation regarding potential guidelines and criteria for defining data processing activities deemed high-risk.
Resolution No. 2/2022 contains a list of general and specific criteria, with high-risk activities defined as those that meet criteria from both categories. The general criteria cover large-scale personal data processing, or processing that can significantly affect the interests and fundamental rights of data subjects. In turn, the specific criteria address processing involving the use of emerging or innovative technologies, surveillance or control of areas accessible to the public, decisions made solely via automated personal data processing, or the use of sensitive personal data or personal data of children, adolescents, and elderly people. The ANPD’s public consultation includes a draft of a guide that aims to clarify these concepts to facilitate and direct how processing agents interpret them.
The definition of high-risk processing is an important factor in the ANPD’s ability to conduct different assessments. These include determining the regime that should apply to small processing agents; analyzing the seriousness of infractions regarding personal data processing or the need to report breaches to the ANPD and data subjects; and defining whether a data protection impact assessment needs to be prepared.
Please see a summary of the ANPD’s draft guide below:
General criteria
- Large scale: The draft guide points out that large-scale processing is characterized as that which involves the data of a ‘significant’ number of subjects – in numerical terms, the ANPD has defined this as any personal data processing involving at least two million data subjects. Beyond this main aspect, the volume of data involved, duration, frequency, and geographic extent of the processing carried out are all factors that must also be considered.
In cases involving data processing with a number of data subjects lower than two million, the controller must still evaluate the additional factors mentioned. The ANPD advises that a six-step methodology (outlined in the guide) must be used to measure these criteria, which assigns different weights depending on the characteristics of the data processing.
- Significant effects on fundamental interests and rights: While defining large-scale processing involves quantitative analysis, this criterion involves a qualitative analysis. The ANPD defines three central elements that help to assess whether data subjects’ interests and rights will be significantly affected: when data processing could prevent the subject from exercising their rights, prevent them from using a service, or cause the data subject to suffer material or moral damage – such as discrimination, the violation of image rights, or financial fraud.
The potentially affected interests and rights must be directly related to the personal data processing the processing agent carries out. The draft guide proposes the assessment consider both the severity and the probability of effects on the data subjects, with only situations involving high severity and a high probability of occurrence falling within the concept of ‘significantly affecting’.
The ANPD has also emphasized that the way the processing is carried out (for example, secondary uses of data or data sharing) and the nature of the relationship between the processing agent and the data subjects must be evaluated. More information about these concepts and practical examples can be found in the draft guide.
Specific criteria
- The use of emerging or innovative technologies: Despite highlighting that this criterion will need to be assessed periodically, the ANPD defines artificial intelligence, machine learning and generative artificial intelligence, facial recognition, and autonomous vehicles as ‘emerging technologies’ – without prejudice to future updates.
- Surveillance or control of areas accessible to the public: The draft guide establishes that surveillance or control may involve the collection, storage, and shared use of personal data to control the flow and/or monitor the movement of people in public areas. As an example, the ANPD considers security cameras, monitoring drones, and GPS tracking devices as control and surveillance tools.
- Decisions made solely based on automated personal data processing: According to the ANPD, automated data processing involves the use of computer systems and algorithms to carry out operations or decision-making, including data classification, evaluation, approval, or rejection based on predefined criteria.
- The use of sensitive personal data or personal data of children, adolescents, and the elderly: Processing can be considered high risk when it involves sensitive data and/or the data of subjects less than 18 years old or 60 years and over. The ANPD emphasizes that sensitive data can be revealed via processing information that is not originally considered sensitive (for example, via inference procedures or database crossing). If sensitive aspects are disclosed or indirectly identified (with the potential to harm data subjects’ rights and interests), the special legal regime for sensitive data provided for in the LGPD must also apply.
The ANPD will accept public contributions on its draft guide until May 16, 2024. Submissions must be made exclusively through the Espaço Opine Aqui on the government’s Participa+ Brasil platform.
For more information, please contact Mattos Filho’s Data Protection & Cybersecurity practice area.