On August 14, 2019, Bill nº 4.496/2019 was presented by Senator Styvenson Valentim (PODEMOS / RN) at the Senate Plenary, which intends to amend Law nº 13.709/2018 (General Law of Personal Data Protection - “LGPD”) to define the term “automated decision” as a “process of choosing, classifying, approving or rejecting, grading, measuring, ranking or scoring, calculating risk or probability, or other similar, performed by processing personal data using rules, calculations, instructions, algorithms, statistical analyses, artificial intelligence, machine learning, or other computational technique.”
The justification for the amendment reinforced the importance of LGPD as a milestone in the protection of citizens rights in the processes of dealing with personal data that, with technological evolution, become increasingly present, complex and intrusive; however, he pointed out that, with regard to the processing of data for automated decisions, the legal provision requires improvements to generate the necessary effectiveness. In addition, he stated that the lack of definition of the concept of “automated decision” would leave a gap that could compromise the intended data protection.
Admitting that there are several ways to make automated decisions - from easily understandable ones like rule-based or predefined algorithms, to more sophisticated and less explicit ones, like those that apply machine learning techniques and artificial intelligence – the PL mentions that the inclusion of these techniques in the concept of “automated decision” would be essential to guarantee the “right to explanation”, provided for in article 20, paragraph 1 of the same law, i.e. the citizens right to obtain clear and appropriate information on the criteria and procedures used for automated decision-making. This is because, although data controllers generally do not refuse to provide information about automated decisions based on traditional algorithms, they would not provide appropriate clarification for decisions based on more complex techniques.
In parallel, the European General Data Protection Regulation (GDPR) does not present a concept of “automated decision”, defining only in its Article 4 (4) profiling as a means of automated processing of personal data, which consists of the use of personal data to evaluate certain personal aspects concerning a natural person, in particular, to analyze or predict aspects relating to professional performance, economic status, health, personal preferences, interests, reliability, behavior, location or travels. Thus, PL represents an innovation in the definition of concepts related to data protection.
Moreover, during the public hearings of Provisional Measure nº 869/18 (“MP 869/18”), the third meeting was intended to address, precisely, the issue of automated decisions, for which, at that time, questioned the need for a review by natural people, which shows us that the issue in question has been the subject of numerous discussions from the heart of the legislation
To receive key news on the privacy and data protection legislative scenario, follow Azevedo Settes Technology, Media and Telecommunications team.
Check the full request of PL 4.496/19 here.