ANPD opens consultation on draft Guidelines about High-Risk Processing of Personal Data
Last Wednesday, April 17, the National Data Protection Authority (ANPD) opened a consultation on draft Guidelines about high-risk processing of personal data. The draft clarifies the general and specific criteria that characterize high-risk processing, originally set out in Resolution CD/ANPD No. 2/2022, which addresses the application of the Brazilian General Data Protection Law (“LGPD”) to small processing agents and excludes small processing agents that carry out high-risk processing of personal data from the beneficial treatment established under such Resolution. According to the Resolution, processing that cumulatively meets at least one general criteria and one specific criteria must be considered high-risk.
One of the general criteria for characterizing high-risk processing is large scale. The draft presents objective elements for classifying the processing of personal data as large-scale, including the parameter that any processing involving the personal data of more than 2 million data subjects should be considered large-scale. The processing of personal data involving less than 2 million data subjects may also be considered large-scale if other parameters are met in relation to the volume of data processed, duration, frequency and geographical extent of the processing, in accordance with the methodology set out in the Guideline.
Even if the processing is not considered large-scale, it may be considered high-risk if it has the potential to significantly affect the fundamental rights and interests of data subjects – for example, if the processing activity could prevent the exercise of rights or the use of a service, or cause material or moral damage to data subjects, such as discrimination, violation of physical integrity, the right to image and reputation, financial fraud or identity theft. The draft Guideline provides details and examples of such situations to support the processing agent in the interpretation the rules.
According to Resolution CD/ANPD No. 2/2022, the specific criteria for characterizing high risk encompass: (i) the use of emerging or innovative technologies; (ii) the surveillance or control of areas accessible to the public; (iii) decisions made solely on the basis of automated processing of personal data; and (iv) the use of sensitive personal data or personal data of children, teenagers and the elderly. The draft Guideline provides additional information in relation to each of these criteria, including references to artificial intelligence (AI) technologies, machine learning, generative AI, facial recognition systems and autonomous vehicles as examples of technologies currently considered as emerging or innovative, and proposes practical examples of the combination of the general and specific criteria mentioned above.
In addition to its relevance for small processing agents, the detailing of the above parameters is critical to allow for processing agents in general to correctly identify processing activities considered to be high risk and take the necessary measures to comply with the LGPD.
The consultation will be available on the “Participa Mais Brasil” platform until May 16, 2024.
For more information, please contact the leaders of our Privacy and Data Protection team.
Adriano Chaves (adriano.chaves@cgmlaw.com.br)
Marcia Mandelbaum (marcia.mandelbaum@cgmlaw.com.br).
This bulletin is for information purposes only and should not be relied upon to obtain legal advice on any of the topics dealt with here.
CGM Advogados. All rights reserved.