On May 15, 2024, the ANPD held a webinar to clarify aspects of processing high-risk personal data, per Resolution CD/ANPD No. 2/2022. The event covered themes such as large-scale data and emerging technologies, including artificial intelligence and facial recognition.

For the first time, the Brazilian Authority stated that large-scale data involves a minimum of 2 million data subjects. It highlighted, however, that assessing the geographical extent, duration, and purpose is necessary to confirm that the data fulfills the proposed definition.

It was also highlighted in the webinar that sensitive data on children, adolescents, and senior citizens, as well as data that causes violations of interests and fundamental rights, fall into this category.

To access the webinar recording, click HERE.

❮ Back to the bulletin LGDP Express no. 05/24

On March 12, 2024, the Court of Diffuse and Collective Interests of São Luís do Maranhão released its decision, ordering the companies responsible for the Facebook and Zoom apps to pay compensation of BRL 20 million as collective moral damage, as well as BRL 500 for each user of Apple’s mobile operating system (IOS) who had their data collected without authorization.

The sentence was handed down in a Public Civil Action filed by the Brazilian Institute for the Study and Defense of Consumer Relations in Maranhão (IBEDEC-MA).

Despite the companies’ defense, which claimed that the data only contains technical information, the judge ruled that the data can violate privacy by targeting ads and personalizing the user experience and ordered the apps to stop collecting and sharing technical data obtained through the Zoom “SDK” tool for iOS, among themselves and with third parties, without the users’ explicit consent.

To access the full news, click HERE.

❮ Back to the bulletin LGDP Express no. 05/24

On 06.03.2024, Senator Angelo Coronel presented Bill No. 615/2024 which aims to ensure the autonomy of the ANPD.

The ANPD was initially established as a body linked to the Presidency of the Republic and later transformed, by Law No. 14.460/2022, into a  special nature autarchy, endowed with technical and decision-making autonomy.

However, the legislative amendment raised doubts about the concept of special autarchy and the administrative prerogatives granted to the ANPD to carry out its legal functions, resulting in uncertainty regarding the legal and true extent of the entity’s autonomy. Thus, the Bill seeks to objectively grant the ANPD the same prerogatives attributed to other regulatory agencies and the Administrative Council for Economic Defense (CADE), which are entities with similar powers similar.

To access the entire Bill, click HERE.

❮ Back to the bulletin LGDP Express no. 05/24

In 2022, the European Union (EU) approved a package of regulations consisting of the Digital Market Act (DMA) and the Digital Services Act (DSA). While the DSA addresses consumer protection legislation, the DMA aims to promote fair competition and equity in digital markets.

Both acts include specific data protection provisions, reflecting this theme’s growing importance in today’s digital landscape.

The regulations came into force in the first semester of 2024 and have extraterritorial applicability. They also include rules to promote the best interests of children and adolescents in the digital environment.

In this context, CONANDA Resolution No. 245/2024 came into force, establishing guidelines to protect the rights of children and adolescents in the digital environment, including explicit provisions on personal data processing. The Resolution highlights the importance of obtaining free and prior consent from those responsible, which must be requested for specific purposes and, whenever possible, involving the child or adolescent, taking into account their level of maturity, especially in commercial and advertising contexts.

For more information on the Regulations, click HERE.

❮ Back to the bulletin LGDP Express no. 05/24

Following its efforts to improve the regulation of the matter, on May 08, 2024, the ANPD delivered to the Temporary Committee on Artificial Intelligence in Brazil a 25-page document with its contributions to the Substitute of Bill 2338/2023, which regulates the use of Artificial Intelligence in the country.

The authority’s proposed amendments include  revising definitions, a new approach to data subjects’ rights, considerations about biometric systems, classification of high-risk systems, as well as the regulation and governance of artificial intelligence. In addition, the document suggests adjustments to the regulatory and standardization process, administrative sanctions, guidelines for implementing the regulatory sandbox, and the deadline for appointing the competent authority.

For those interested in delving deeper into this subject, we highlight the Technical Note presented by the Network Rights Coalition, published at the beginning of the first half of 2024.

To access the entire document, click HERE.

❮ Back to the bulletin LGDP Express no. 05/24

On March 24, 2024, the European Data Protection Supervisor (EDPS) confirmed that the European Commission has breached data protection provisions of the Regulation (EU) 2018/1725 when using the Microsoft 365.

The breaches were identified based on information provided by Microsoft Ireland Operations Limited, and include failure to provide adequate safeguards to ensure that personal data transferred outside the European Union received a level of protection equivalent to that guaranteed in the EU/EEA. Another violation was a lack of specification in the use of Microsoft 365 as to the types of personal data to be collected and the explicit and specific purposes for which they would be used.

Thus, the EDPS ordered the European Commission to suspend, as of December 9, 2024, all data flows arising from the use of Microsoft 365 to Microsoft and its affiliates and subcontractors located in countries outside the EU/EEA that are not covered by an adequacy decision. In addition, the EDPS has ordered the Commission to ensure that the processing operations resulting from the use of Microsoft 365 comply with Regulation (EU) 2018/1725. The Commission has until December 9, 2024, to demonstrate compliance with both orders.

To access the decision in full, click HERE.

❮ Back to the bulletin LGDP Express no. 05/24

On January 16, 2024, the ANPD launched SUPER, its own electronic protocol system for previously enrolled external users. The SUPER replaced the Electronic Information System (SEI).

For more information, access our newsletter HERE.

❮ Back to the bulletin LGDP Express no. 05/24

On January 29, 2024, the ANPD started the project entitled “Technology Radar“. This project comprises a series of periodic technical publications produced by the entity that aim to offer concise approaches to emerging technologies that impact or will impact the national and international data protection landscape.

The first volume of the Technology Radar addresses the Smart Cities, so deemed the urban spaces characterized by the intensive use of technology and data to improve urban quality of life, efficiency, and sustainability.

To access the Technology Radar, click HERE.

❮ Back to the bulletin LGDP Express no. 05/24