This Monday, August 14, we celebrate the 5th anniversary of enactment of the General Personal Data Protection Law, and in this first five-year period of effectiveness, some reflections and future outlook for related regulation are worthy of note.
The first of these concerns the completion by ANPD (National Data Protection Authority) of one of the eight of its ongoing sanctioning administrative proceedings, which resulted in the imposition of fine and warning sanctions for offenses against LGPD to Telekall Infoservice, owing to the “offer to candidates for municipal elections of a list of WhatsApp contacts of voters from the City of Ubatuba, State of São Paulo, for the purpose of disseminating electoral campaign material without the possibility of processing; lack of proof of registration of personal data processing operations; lack of submission of impact report on the protection of personal data pertaining to their processing operations; lack of proof of appointment of a Data Protection Officer.”[1]
Among the legal and regulatory provisions infringed are Articles 7 and 11 of LGPD owing to the lack of proof of a legal hypothesis for the processing of personal data, supporting the comprehension of personal data regulated and protected by law, and clearing any doubts that may still exist about the need for a legal basis for processing personal data extracted from public databases of free access on a website or even on social media, used for a purpose other than that originally identified.
That said, as concerns the characterization of information pertaining to an individual as personal data or sensitive personal data, it is important to analyze it within a set of information, which, together, can identify an individual or make them identifiable, which has implied the application of LGPD to the case under analysis.
As an example, geolocation information by itself may not be considered as personal data, since from a simple analysis outside a particular context, it does not make it possible to identify the natural person to which it refers, however, added to other information, such as IP address, this identification can be achieved. The same holds true to the framing of an individual’s image as simple personal data in a given context or sensitive personal data in the context of biometric data for identification through specific reading systems.
As a matter of fact, this is what is extracted from the administrative proceeding in question, in which from the information provided by the defendant Telekall stating that “our contact list is targeted and filtered by region and neighborhood, which personalizes your communication with the voter […] you will receive the listing with the user’s name, WhatsApp number, and full address,” it was concluded that LGPD applies to the case and, therefore, ANPD is the competent jurisdiction for trying and processing the administrative case.
Another perspective based on the sanctioning proceeding concerns the extraction of public-based personal data, still considered by many as a factor that, in theory, would rule out the application of LGPD, owing to the simple fact that, because it is public, “everyone can use it.” In fact, the defendant’s statement followed this approach, as it answered: “our first impression was that, if data is on the web or on social media, it would be public and, therefore, could be used (treated) by anyone.”
However, when extracting public-based personal data, processing agents are expected to comply with the provisions of Articles 6, I; 7, Paragraphs 3, 4 and 7, all of LGPD, which together support that it is possible to process this data for legitimate, specific, express, and informed purposes as regards the data subject, without the possibility of further processing in a manner inconsistent with these purposes, that is, the data may have public access for a certain purpose, such as public access legal proceedings included in the databases of our National Courts. Nevertheless, when extracted from these databases (full copies of record, for example) and used for different purposes, the hypothesis of processing changes, and with it the legal basis should also change.
In fact, it should be noted that, as to the criteria for imposing a fine on private law entities in cases of leakage of personal data, after a request from the Economic Development Committee of the Chamber of Deputies, the date of August 15 of the current year was set for a public hearing aimed at, inter alia, discussing the possibility of removing the phrase “for infringement,” contained in Item II, of Article 52 of LGPD, as well as the need for a more specific allocation of the amounts collected through the pecuniary sanctions, currently directed to the Diffuse Rights Defense Fund, as expressly provided for in Paragraph 5, of said Article 52.
The second and no less important reflection necessary on this date concerns the regulation of the use of Artificial Intelligence in Brazil and related discussions, especially those focused on the impact of its use on the data subject’s personality rights. As concerns the subject, LGPD, in its Article 20, establishes the right of the data subjects to request review of decisions rendered solely on the basis of automated processing of personal data[2], but leaves open the limitation of such review, raising the following question: should this review be performed by humans or by machine?
On the subject, we highlight the discussions, not yet closed, involving Bills No. 5051/2019[3], 21/2020[4] and 872/2021[5] that establish foundations, principles, and guidelines for the development and application of artificial intelligence in the country, as well as the final report of the committee of jurists responsible for supporting the preparation of a substitutive relating to artificial intelligence in Brazil[6], in which a position emerges in the sense that it is capital to take into consideration the possibility of human intervention, introducing a human component in the automated decision-making process.
Although the discussions have not ended and in view of the increasingly widespread use and free access within society to Artificial Intelligence tools, there remains a warning about the conscious use of these tools, understanding their benefits without neglecting the risks they bring to privacy and data protection, as well as data subjects personality rights, especially in relation to biases of discrimination and improper processing. On the subject, during this year some examples caught the attention of law professionals, such as the Colombian case of use of ChatGPT by a judge to write a conclusion of judgment[7], or even the imposition of a fine for malicious prosecution by the Superior Electoral Court to a lawyer who tried to intervene as amicus curiae through a motion written by ChatGPT[8].
In this context, the importance of structuring the Data Governance Program by personal data processing agents gains momentum, so much so that, in the midst of constant changes and the emergence of new technologies, they are capable of ensuring compliance with the provisions in LGPD and laws concerning the issue, such as the Brazilian Civil Rights Framework for the Internet and the Consumer Protection Code.
From a social perspective, these five years have shown us the importance of establishing a strong data protection culture, to which law professionals, private entities, and especially ANPD, as a guardian of the fundamental right to the protection of personal data, contribute.
In conclusion, it may be argued that we have a long way to go to achieve full regulation of personal data protection and related topics, such as the aforesaid use of artificial intelligence or even the issue of taxation in the digital economy, however the achievements made so far and the unceasing debates raised in the scholarly and legislative realms show that we are on the right path.
As it turns out, there is indeed a lot to celebrate![9]
Available at: https://www.conjur.com.br/2023-ago-22/opiniao-cinco-anos-lei-geral-protecao-dados
[1] Instruction Report No. 1/2023/CGF/ANPD. Available at:< https://www.gov.br/anpd/pt-br/assuntos/noticias/sei_00261-000489_2022_62_decisao_telekall_inforservice.pdf > Accessed on: August 13, 2023.
[2]Article 20. Data subjects are entitled to request review of decisions rendered solely on the basis of automated processing of personal data that affect their interests, including decisions intended to define their personal, professional, consumer, and credit profile or aspects of their personality.
[3] Available at:< https://www25.senado.leg.br/web/atividade/materias/-/materia/138790 > Accessed on: August 10, 2023.
[4] Available at: < https://www.camara.leg.br/propostas-legislativas/2236340 > Accessed on: August 10, 2023.
[5] Available at:< https://www25.senado.leg.br/web/atividade/materias/-/materia/147434 > Accessed on: August 10, 2023.
[6] Available at: < https://ibdautoral.org.br/novo/wp-content/uploads/2023/01/2-Relatorio-final-versao-completa-CJSUBIA.pdf > Accessed on: August 10, 2023.
[7] Available at: < https://g1.globo.com/tecnologia/noticia/2023/02/03/juiz-usa-robo-chatgpt-para-redigir-sentenca-de-caso-de-crianca-autista-na-colombia.ghtml > Accessed on: August 10, 2023.
[8] Available at: <https://www.conjur.com.br/2023-abr-18/tse-multa-advogado-peticao-baseada-conversa-chatgpt > Accessed on: August 10, 2023.
[9] Sentence by Danilo Doneda in a text celebrating the 4th anniversary of LGPD. Available at:< https://www.gov.br/anpd/pt-br/assuntos/noticias-periodo-eleitoral/4-anos-da-lei-geral-de-protecao-de-dados-pessoais > Accessed on: August 10, 2023.
Autor: Raissa Varrasquim Pavon • email: raissa.pavon@ernestoborges.com.br