Brazil’s National Data Protection Authority (ANPD) has initiated a public consultation to shape future AI and automated decision-making regulations, aligning these frameworks with Brazil’s General Data Protection Law (LGPD). This marks a proactive move to ensure that AI-driven processes adhere to data protection principles, while balancing technological growth with the rights of data subjects.  

The ANPD’s consultation is via a detailed questionnaire on the Participa+Brasil portal, covering four key areas: the foundational principles of the LGPD, legal frameworks for AI-related data processing, data subject rights, and governance standards. It has asked for responses to be submitted by 5 December 2024. 

A reminder for data protection and privacy teams to strengthen processes 

The public consultation is a timely reminder for global data protection and privacy officers to mitigate the impact of any future regulations and have compliance-ready privacy programmes in place. Here are a few ways to remain ahead of any future changes: 

  • Reinforce Policies on Data Governance 

Privacy teams should update known requirements for compliance with AI laws into current data governance systems. This involves reviewing privacy impact assessments to consider AI and make sure data processes with AI adhere to LGPD’s foundational principles.  

  • Review Compliance with Article 20 

Article 20 of the LGPD grants data subjects the right to request a review of automated decisions affecting them. Privacy teams should ensure mechanisms are in place to provide transparent information regarding such decisions, without exposing sensitive proprietary information. If companies refuse to disclose certain processes, the ANPD reserves the right to audit to prevent discriminatory outcomes. 

  • Prepare for Potential AI Legislation 

The ANPD’s consultation may influence Brazil’s forthcoming AI legislation, such as Bill No. PL 2338/2023 is now under Senate review. This legislation aims to protect data subjects while promoting responsible AI innovation. Privacy teams should be prepared for regulatory shifts that may impose new compliance requirements around transparency, bias mitigation, and data subject rights. 

Future-proofing compliance 

As the collection and processing of data continues to fuel technological innovation, data protection professionals will be at the coalface of balancing innovation with regulatory compliance. Anticipating changes to requirements means continuous monitoring and documentation to stay compliant with both LGPD and upcoming AI-specific regulations.   

As AI use expands, upskilling staff on privacy risks and responsible AI practices cannot be avoided. This includes training that addresses compliance through privacy by design, risk minimisation and hygiene around data retention or destruction. Heward Mills’ team of AI governance experts keeps a close eye on evolving regulatory changes and can support your team to comply with emerging data protection laws.

If you would like to discuss this topic or anything else data protection and privacy-related, please contact us at dpo@hewardmills.com.