On April 17, 2024, the Brazilian data protection authority (ANPD) requested public comments on draft guidance on the processing of high-risk personal data. In particular, the ANPD highlighted that the guidance aims to clarify the concept of high-risk processing of personal data.

The guidance states that the treatment of personal data will be high risk where:

• the processing of personal data is on a large scale and includes sensitive data or data from children and adolescents; or
• the processing of personal data may significantly affect the rights and interests of data subjects, in which emerging or innovative technologies are used.

Notably, the guidance details that processing that does not involve at least one general criterion above will not be considered high risk. For example, processing that is not carried out on a large scale or does not significantly affect the rights and interests of data subjects, even if carried out in an automated manner, would not be classified as high risk.

The guidance provides that, regardless of the size of the organization carrying out the processing, the size of processing operations will be considered in determining whether it is on a large scale.

The scale of processing may be determined according to the number of holders, volume of data, duration of processing, frequency, and geographic scope of processing. Specifically, processing on a large scale will be considered by the ANPD as processing involving a minimum of two million holders. Regarding the volume of data processed, the guidance states that in order to determine such a factor, organizations must record their processing operations in accordance with Article 37 of the General Personal Data Protection Law (LGPD). On the frequency of processing, the guidance stipulates that the higher the repetition risk with which data subjects' personal data is processed (daily, weekly, monthly), the greater the risk to privacy.

Processing that impedes the exercise of data subject rights must also be considered in determining whether a processing operation is high risk, for instance, if the processing makes it difficult for a data subject to access relevant information or if the processing exposes data subjects to processing by unauthorized third parties.

In addition, the guidance clarifies the definition of emerging and innovative technology as those with the potential to shape or remodel business models and exert significant influence on the economy. Accordingly, organizations should assess the level of risk based on the state of the art and technological development. Examples provided by the guidance of technologies that fit into the concept of emerging and innovative technologies include:

• artificial intelligence (AI), machine learning, and generative AI;
• facial recognition systems; and
• autonomous vehicles.

Public comments can be submitted here until May 16, 2024.

You can read the press release here and download the guidance here, both only available in Portuguese.