Far Beyond the LGPD: Challenges for the ANPD and CNPD

Created in 2018 and enacted in 2019, the ANPD (National Data Protection Authority) is the federal body responsible for supervising and enforcing the LGPD (General Data Protection Law). Meanwhile, the National Council for the Protection of Personal Data and Privacy (CNPD) is an advisory body to the ANPD, composed of both government and civil society members.

Its creation is based on Article 58-B of Law No. 13,709/2018 (LGPD – General Data Protection Law).

Among its main responsibilities are:

• Proposing strategic guidelines and providing support for the development of the National Policy on the Protection of Personal Data and Privacy and for the ANPD’s activities;

• Preparing annual evaluation reports on the implementation of the National Policy on the Protection of Personal Data and Privacy;

• Suggesting actions to be carried out by the ANPD; conducting studies, debates, and public hearings on personal data and privacy protection; and

• Disseminating knowledge about personal data and privacy protection to the public.

As its name suggests, unlike the ANPD, the CNPD is an advisory, not an executive, body. Participation as a CNPD member is considered a relevant public service and is unpaid. Legally, the Council is expected to meet three times a year in ordinary sessions and additionally in extraordinary sessions whenever convened by its President.

The CNPD will be composed of 23 full and alternate members, with a two-year term, appointed by the President of the Republic. According to Article 15 of Decree No. 10,474/2020, the representation system for each CNPD member is defined. Currently, the CNPD is in the process of selecting nominees for the triple list of civil society representatives, which will be submitted to the President of the Republic for appointment of the Councilors. In total, there are 122 candidates competing for the available seats.

Reference Notice | Vacancies | Nominations Received

Notice 1 – Civil Society Organizations: 3 vacancies | 28 nominations

Notice 2 – Scientific, Technological, and Innovation Institutions: 3 vacancies | 25 nominations

Notice 3 – Labor Confederations: 3 vacancies | 13 nominations

Notice 4 – Business Sector Representative Entities: 2 vacancies | 47 nominations

Notice 5 – Labor Sector Representative Entities: 2 vacancies | 9 nominations

Total: 122 nominations

Among the selection criteria are each candidate’s representativeness and technical knowledge, aimed at addressing current and emerging challenges in Brazil’s data privacy compliance.

A Challenging Horizon

In recent decades, the world has witnessed a revolution in technologies capable of generating electronic data, largely due to the proliferation of smartphones and sensors. There are now more mobile phones in use than people on Earth. The number of Internet-connected sensors is now counted in tens of billions. From a privacy perspective, mobile phones are far more intrusive and effective than electronic ankle bracelets, capable of monitoring and tracking their owner continuously, 24/7.

This multi-angular monitoring now spans intimate aspects of an individual’s life, including location, contacts/friends, and even highly personal preferences such as purchasing habits, sexual proclivities, and medical conditions. This enables highly accurate predictions of human behavior (behavioral science) through prescriptive data analytics.

With the advent of the Internet of Things (IoT), these sensors have been placed in previously unimaginable locations: streetlights, vehicle fuel injectors, asthma inhalers, and even inside human hearts. Although the number and type of these data-collection devices have recently increased, the underlying issues were envisioned more than 50 years ago.

In 1965, Gordon Moore, co-founder of Intel, predicted the exponential increase in computational power needed to handle massive amounts of data. Moore’s Law is not a mathematical law but a practical simplification of exponential computing growth. Science fiction writer Isaac Asimov discussed the social and ethical implications of cognitive computational power arising from rich data analysis. Meanwhile, Yuval Noah Harari, in his book Homo Sapiens, addresses the moral/social dilemmas of algorithms deciding how autonomous vehicles behave in risk situations, where only two mutually exclusive alternatives exist: save the passenger’s life or the pedestrian’s life.

This paradoxical, legal, and philosophical complexity is exactly what Big Data poses for both the ANPD and CNPD. With massive volumes of data, a new scale emerges, where the amount of data doubles each year. In 2016, humans produced as much data as all previous history combined. Some estimates suggest data will double every 12 hours by 2025. The valuation of this data directly follows the “5 V’s” principle.

Data and the 5 V’s

The valuation of data is framed by the 5 V’s: Volume, Variety, Veracity, Velocity, and Value.

Volume refers to Big Data, data lakes, and endless sources of information about countless individuals. In data analysis, size matters: the larger the volume, the greater the potential for exploitation.

Variety refers to the breadth of approaches to each data subject, providing a holistic view of the individual and enabling complete behavior pattern analysis. While volume is quantitative, variety and veracity are qualitative measures.

Veracity is the accuracy of collected data. The more reliable the data, the higher its value, as interpretations and conclusions will be more accurate. Volume without variety and veracity is useless.

Velocity is the speed at which data can be processed. Moore’s 1965 law stated that computational power doubles approximately every 18 months. While conventional processing may be reaching limits, quantum computing promises unprecedented speeds.

Value is the sum of the preceding four V’s. Aggregating value is the mantra of the digital economy, influencing ROI relative to operational costs. Successful companies compete for value, not price.

Robotics, Algorithms, and Artificial Intelligence

Combining the 5 V’s with Isaac Asimov’s Laws of Robotics highlights the proliferation of algorithms and analysis, enabling AI systems connected to the cloud to operate independently of human intervention. Metaphysically, Kant’s dictum “thoughts without content are empty; intuitions without concepts are blind” can be modernized as: “algorithms without data are empty; data without algorithms are blind.”

Asimov’s three laws:

A robot may not harm a human being or, through inaction, allow a human to be harmed.

A robot must obey human orders except when conflicting with the First Law.

A robot must protect its own existence unless this conflicts with the First or Second Law.

Building on Asimov, Professor Dr. Mark Rotenberg (Electronic Privacy Information Center) proposed two additional laws for algorithm and AI transparency:

Robots must always reveal the basis of their decisions.

Robots must always reveal their identities.

Similarly, Microsoft CEO Satya Nadella proposed AI design principles emphasizing privacy:

AI should be designed to help humanity.

AI should be designed for intelligent privacy.

AI should be transparent.

AI requires algorithmic accountability to allow humans to undo unintended harm.

These principles are not yet legally binding but form a foundational framework for privacy practices, addressing algorithmic bias and discriminatory practices affecting rights related to gender, age, ethnicity, color, belief, and other human characteristics.

Comparative Law, Harmonization, and International Integration

Comparative law studies differences and similarities between legal systems, including legislation, case law, and doctrines. In data privacy, this approach enables harmonization and integration of legal systems across countries, allowing secure cross-border data sharing.

Europe, the inspiration behind Brazil’s LGPD via GDPR, does not yet recognize Brazil as providing adequate data protection. In comparison, Argentina and Uruguay are recognized as “safe harbors” for European data transfers. Other Latin American countries, like Mexico and Chile, are negotiating to reach this level.

Brazil also aspires to join the OECD, which requires establishing a competent, independent, and technical national data authority. OECD privacy guidelines, first issued in 1980 and updated in 2013, remain an essential reference. They require personal data to be processed transparently, adequately, and securely, with special rules for sensitive data and automated processing, including profiling and high-risk operations. Risk assessments, privacy by design, and privacy by default are mandatory, and breach notifications are required.

Conclusion

Theoretical discussions once confined to academia now permeate the corporate world, influencing operators and controllers to protect reputations and sustain existence. In corporate Darwinism, survival depends on adaptation. Scientific and philosophical paradoxes illustrate vectors of the digital transformation requiring adaptation.

For data protection and privacy, this adaptation is equally crucial. Regardless of culture, regulatory models, or organizational structure, privacy principles are universal and harmonize disparate laws. The exponential growth of computational power, accelerated further by 5G and quantum computing, highlights the often-conflicting dichotomy between law and technological progress.

Privacy professionals serve both society and themselves through continuous study and research. Certifications and qualifications foster a virtuous cycle of intellectual evolution. With technical expertise, multilingual skills, interdisciplinary knowledge, and moral integrity, data privacy professionals can remain at the forefront of societal change.

(Originally published in ESTADÃO on 04/24/2021)

Daniel Majzoub - Embaixador Institucional do IBREI para o Golfo Pérsico