Webinar - Results of the Call for Contributions on the Biometric Data Regulatory Project
Webinar on Regulatory Project for Biometric Data
Introduction to the Webinar
- The webinar is introduced as a session focused on the results of a public consultation regarding a regulatory project concerning biometric data.
- The structure of the webinar includes an opening by the president director, followed by a presentation of results and a panel discussion featuring perspectives from civil society, government, and private sector.
Opening Remarks by President Director
- The president director introduces himself, describing his appearance and expressing pleasure in leading the discussion on biometric data regulation.
- He emphasizes the growing importance of biometric data usage across various sectors, including sports venues and healthcare facilities.
- Acknowledges that while biometrics are increasingly utilized, they must be handled with strict legal compliance to protect sensitive information.
Public Consultation Insights
- The public consultation lasted two months and garnered approximately 83 contributions, highlighting significant interest in regulatory challenges surrounding sensitive data use.
- Stresses that biometric data requires high levels of protection due to its sensitive nature; thus, it necessitates rigorous regulatory oversight.
Importance of Robust Regulation
- Discusses Brazil's rapid adoption of biometrics for innovation but warns that this should be accompanied by strong regulations to safeguard fundamental rights.
- The president director hands over to Rodrigo for further proceedings after wishing participants an excellent event.
Presentation Overview
- Rodrigo expresses gratitude towards Caroline Capel and her team for their excellent work during the public consultation process related to regulatory evaluation.
- He outlines that this item is part of a broader regulatory agenda approved earlier in 2025, indicating its priority status within ongoing projects.
Regulatory Process Explanation
- Rodrigo explains the structured approach taken in developing regulations: forming project teams, conducting consultations, analyzing impacts, and drafting guidelines or regulations based on feedback received.
- Emphasizes that public consultations are crucial steps where drafts are shared with society for input before finalizing any regulations.
Conclusion on Participation Strategy
- Highlights that social participation has always been strategic within ANPD (National Data Protection Authority), ensuring stakeholder engagement throughout the regulatory process.
Consultation and Contributions in Data Protection
Importance of Public Consultation
- The ANPD emphasizes the significance of public consultation, stating that it collects valuable insights from society, which inform regulatory documents.
- A total of 124 contributions were received regarding AI, 49 for data subjects' rights, and 63 concerning the treatment of personal data for children and adolescents.
Overview of Contributions
- The contributions represent a vast amount of information due to multiple questions and attachments submitted by participants.
- The consultation was divided into five blocks, running from June 2 to August 1, with a total of 88 contributions leading to 1594 responses across various questions.
Breakdown of Consultation Blocks
Block One: Definitions and Principles
- This block focused on defining biometric data and principles such as purpose, necessity, and behavioral biometrics as sensitive data.
Block Two: Legal Hypotheses
- Discussed legal hypotheses including consent, fraud prevention, compliance with legal obligations, and research studies.
Block Three: Facial Recognition
- Addressed the applications, innovations, and impacts of facial recognition technology, and proportionality in its use, while considering risks and contexts.
Block Four: Security and Governance
- Covered security measures related to technical administration practices outlined in Article 50 of LGPD (General Data Protection Law).
Block Five: Rights of Vulnerable Groups
- Focused on the rights of vulnerable groups like children; discussed appropriate legal hypotheses for their data treatment.
Statistical Insights from Contributions
- Notably, 71% of contributions came from the Southeast region; this highlights a challenge in achieving balanced representation across regions.
- Most contributors were from the legal field (55%), with significant participation also from individuals (47%) and private initiatives (32%).
Methodology for Analyzing Contributions
- The analysis methodology identified convergences and divergences among responses. This approach provided insight into general consensus among experts regarding biometric data definitions.
Discussion on Biometric Data and Consent
Physical, Physiological, and Behavioral Characteristics
- Consensus was reached regarding the importance of physical, physiological, and behavioral characteristics in defining biometric data. However, merely having these traits does not constitute biometric data without appropriate sensors to collect that information.
Definition of Biometric Data
- A simple video recording of a person without specific parameters (e.g., facial recognition) does not qualify as biometric data. Only when equipped with proper technology can such information be classified as biometric.
Transparency and Divergence in Standards
- There was a divergence in opinions about establishing transparency standards concerning risks associated with different agents. Some argued for general guidelines while others believed each case should be approached individually based on its specifics.
Balancing Transparency and Commercial Secrecy
- Discussions highlighted the need for a balance between transparency requirements and commercial secrecy as outlined in the LGPD (General Data Protection Law). This topic remains contentious without definitive conclusions being drawn in the technical note produced from these discussions.
Regulation Differences: Common vs Behavioral Biometrics
- Significant differences were noted regarding regulations for common biometrics versus behavioral biometrics, particularly emphasizing the heightened risk factors associated with behavioral data collection methods. This led to debates over necessary specifications for handling such sensitive information.
Consent Validation Challenges
Free Choice in Consent
- The validation of consent hinges on whether individuals have made free choices; discussions explored how this might vary depending on context or situation affecting consent validity.
Legal Hypotheses Prioritization Debate
- There was debate over whether consent should take precedence over other legal hypotheses; however, it was clarified that no prioritization exists according to the ANPD's stance on legal frameworks governing personal data use.
Financial Compensation Influence
- The influence of financial compensation on validating consent was raised as an important consideration during discussions about ethical practices surrounding biometric data usage.
Legal Obligations Clarity
- Contributions varied regarding whether legal obligations related to using biometric technology should be explicitly stated within laws or if flexibility is acceptable based on situational needs for utilizing such technologies.
Research Data Safeguards
- Concerns were expressed about selling biometric data collected initially for research purposes due to high re-identification risks; thus, additional safeguards are recommended to ensure secure treatment of this sensitive information.
Facial Recognition Technology Guidelines
Restrictions in Sensitive Environments
- A consensus emerged against using facial recognition technology in sensitive environments like schools or hospitals due to potential misuse or discrimination risks inherent in mass surveillance contexts.
Security Measures Necessity
- Emphasis was placed on implementing specific security measures tailored for facial recognition applications including diverse datasets and continuous monitoring mechanisms to mitigate bias and enhance reliability of results obtained through this technology.
Feedback Mechanisms Importance
- Contributions stressed the necessity for feedback channels allowing users to contest errors or biases encountered during facial recognition processes; ensuring transparency and governance over personal data management is crucial here too.
Technical Safeguards Against Misuse
- Specific technical safeguards like liveness detection were discussed as essential tools needed to prevent spoofing attacks against facial recognition systems, highlighting ongoing concerns around security vulnerabilities within these technologies.
Alternatives Consideration
- Divergent views surfaced regarding offering alternatives instead of relying solely on facial recognition technology especially within sectors like finance where fraud prevention is critical; some advocated strongly for exploring alternative solutions while others disagreed with this approach altogether.
Security Measures and Educational Actions in Data Management
Adoption of Security Measures
- The discussion emphasizes the necessity of adopting security measures and educational actions to protect data, highlighting the importance of encryption and strict access controls.
- It mentions using biometric templates instead of raw data, segregating networks, and maintaining logs for traceability as essential practices.
- Continuous monitoring and a well-defined information security policy are crucial for effective data management.
Importance of Education
- Educational initiatives are vital to ensure that individuals handling data understand the associated risks involved with their responsibilities.
Regulatory Divergences in Data Treatment
Regulatory Approaches
- There is a divergence regarding regulations that may reduce the autonomy of data processing agents; some suggest relying on established standards like NIST or ISO.
- Others argue for regulations based on internal governance analyses rather than external standards, indicating a preference for tailored organizational control.
Surveillance Concerns
- A significant point raised is about real-time surveillance in public spaces using biometric data, which could infringe upon fundamental rights.
- While some contributions argue against mass treatment of biometric data under current laws, others believe it can be compatible with legal frameworks if handled correctly.
Child Protection and Vulnerable Groups
Rights of Children
- There is consensus on respecting children's rights as outlined in articles 9 and 18, emphasizing their best interests and progressive development.
Additional Protections for Vulnerable Groups
- Divergent views exist regarding additional protective measures for vulnerable groups; some advocate for enhanced security while others see no need.
Facial Recognition Usage Guidelines
Conditions for Use
- A consensus emerged around the exceptional use of facial recognition technology solely when no alternative methods are available to verify age.
Conclusion and Further Resources
Technical Note Access
- The speaker highlights an important slide containing a QR code linking to a technical note available on the ANPD website, encouraging participants to explore further details beyond this presentation.
Webinar Introduction by Director Miriam
Acknowledgments
- Director Miriam expresses gratitude towards CGN, ASCOM, guests, and contributors who provided diverse perspectives during the consultation process regarding biometric data regulation.
Contextualizing Biometric Data Usage
- She notes the increasing normalization of biometric data usage across various sectors while stressing its classification as sensitive personal information under LGPD.
Discussion on Biometric Data Risks and Benefits
Introduction to Biometric Data Concerns
- The discussion begins with the acknowledgment that handling sensitive personal data, particularly biometric data, poses significant risks to individuals.
- Unlike traditional identification methods (e.g., ID cards), biometric data breaches are often irreversible, leading to potential long-term harm for individuals affected.
Advantages of Biometric Data
- Despite the risks, there are numerous advantages associated with using biometric data in various contexts, enhancing security and user authentication.
- The National Data Protection Authority (ANPD) is actively addressing these issues through regulation and oversight, indicating a strong focus on balancing innovation with safety.
Contextual Use of Biometrics
- The conversation emphasizes the importance of evaluating when biometric use is not only relevant but also advisable based on security needs versus alternative options available to users.
Panel Introduction
- Helena Secaf from Internet Lab is introduced as a representative of civil society; she brings expertise in privacy and digital regulation.
- Lívia Vanderlei from Febraban represents the private sector; her background includes leadership roles in privacy and ethics at Itaú.
- Wudson Vinícius Mesquita represents government interests; he has extensive experience in digital identity initiatives within public administration.
Discussion Format Overview
- Each panelist will present their perspectives for five minutes regarding contributions made during consultations or their institutional views on biometrics.
- The aim is to explore diverse viewpoints rather than reach consensus, highlighting different angles on the topic while allowing audience engagement through questions later.
Discussion on Biometric Data Regulation
Introduction and Context
- The speaker expresses gratitude and provides a brief self-description, indicating they are a white woman with hair tied back, wearing headphones, and dressed in a sleeveless navy blue top against a white background.
- The discussion centers around the contributions made to the Internet Lab, highlighting foundational guidelines used for formulating responses regarding biometric data.
Key Premises on Biometric Data
- Sensitive Nature of Biometric Data: Emphasizes that biometric data is classified as sensitive personal information, which carries a higher risk of discrimination and violation of fundamental rights.
- Regulatory Obligations: Stresses the need for regulations to clearly define robust obligations for handling biometric data to ensure legal security for both data handlers and subjects.
Alternatives and Ethical Considerations
- Less Invasive Options: Advocates for using less invasive alternatives when available, reflecting concerns about the increasing normalization of biometric data usage.
- Compliance with LGPD Principles: Highlights that all personal data treatments must comply with the principles outlined in Brazil's General Data Protection Law (LGPD), ensuring respect for individual rights.
Specificity in Purpose
- Importance of Specific Purposes: Argues that vague purposes like "security" or "efficiency" are insufficient; regulations must require specific purposes to assess compliance with other principles effectively.
- Legal Basis for Fraud Prevention: Discusses how LGPD permits processing sensitive personal data if necessary for fraud prevention but requires balancing this against individuals' fundamental rights.
Operationalizing Legal Tests
- Balance Test Implementation: Introduces the concept of a balance test as essential in evaluating compliance when processing sensitive data under fraud prevention laws.
- Clarification Needed on Balance Testing: Points out existing ambiguities regarding how to implement balance tests specifically within fraud prevention contexts under current regulations.
Conclusion and Transition
- The speaker concludes their initial remarks by thanking participants and emphasizing the importance of careful consideration when dealing with sensitive personal data.
- Following this introduction, another speaker is invited to present insights from FEBRABAN, an important entity in the financial sector.
The Role of Biometric Data in Brazil's Financial Sector
Importance of Dialogue and Regulation
- Emphasizes the necessity for open dialogue to create a regulatory framework that protects data subjects' rights while promoting innovation and security in digital environments.
Active Participation of Febraban
- Highlights Febraban's active involvement in public consultations and contributions to discussions led by the National Data Protection Authority (ANPD), showcasing their commitment to shaping regulations.
Digital Transformation in Finance
- Discusses the financial sector's digital transformation, noting that approximately 80% of transactions are now conducted online, which presents challenges for security and authentication.
Benefits and Challenges of Increased Digitalization
- Acknowledges the benefits of digitalization for customers but stresses the importance of maintaining trust and preventing fraud through robust security measures.
Significance of Biometric Technologies
- Argues that facial recognition technology is essential for securing operations, preventing credential reuse, and safeguarding high-risk transactions from fraud.
Key Contributions on Facial Recognition Technology
- Outlines five critical points regarding facial recognition technology's use in finance, emphasizing a risk-based approach that ensures proportionality and technological neutrality.
Need for Additional Protective Measures
- Stresses the current high volume of digital fraud necessitates additional protective layers beyond existing regulations to enhance user safety.
Proportional Regulation Approach
- Advocates against a one-size-fits-all regulation for biometric data usage, arguing it could stifle innovation while ensuring adequate protection for users based on risk assessment.
Transparency Requirements
- Calls for transparency in biometric data usage while cautioning against excessive disclosure that could aid malicious actors.
Legal Bases Beyond Consent
- Suggests that while consent is valid, other legal bases such as fraud prevention should also be considered essential when handling biometric data across all operational stages.
Biometric Technologies and Their Role in Security
Importance of Behavioral Biometrics
- Behavioral biometrics play a crucial role as a complement to facial recognition and other biometric data, focusing on typing patterns and velocity checks. This integration enhances security measures in banking operations.
- Continuous authentication is vital for detecting anomalies during banking transactions, ensuring that user behavior aligns with established patterns. The implementation of behavioral biometrics must be accompanied by necessary safeguards.
Role of ANPD in Data Protection Awareness
- The National Data Protection Authority (ANPD) is pivotal in raising awareness about the safe and proportional use of biometrics, contributing to the democratization of data protection in Brazil. Education on these topics is essential for societal understanding.
- The financial sector demonstrates a strong commitment to data protection and compliance with the General Data Protection Law (LGPD), adopting various diligence measures to implement biometric technologies securely. Collaboration with the ANPD helps establish guidelines that protect users while fostering innovation.
Discussion on Risk Management and Contextual Evaluation
- Acknowledging risk management, proportionality, and technological neutrality is critical when discussing biometric data treatment standards, because realities vary across different contexts. Establishing uniform standards can be challenging given these differences among data handlers.
Initiatives by SGD Regarding Biometric Data Use
- Wudson from SGD highlights ongoing government projects utilizing biometrics for citizen identification, including the new identity card initiative aimed at reidentifying all Brazilians by 2032 through comprehensive biometric recapture processes.
- The gov.br platform serves as a significant user of biometric data, managing over 170 million citizens' records, facilitating secure digital identity verification through multiple biometric databases including national ID cards and driver's licenses. This system aims to enhance civil identification quality across Brazil.
Digital Government Initiatives and Biometric Data Management
Expanding Access to Digital Services
- The initiative aims to reach a broader audience, ensuring that individuals who may not have access due to various reasons (e.g., lack of driver's license or electoral registration) can still engage with digital government services.
Role of the Central Authority in IT
- The SGD serves as a central authority for federal IT, focusing on enhancing governmental maturity regarding privacy and security through the Privacy, Security, and Information Program.
Transparency in Data Handling
- Emphasizing transparency, gov.br was one of the first rapid initiatives by the federal government aimed at clear communication about data treatment processes involving citizens' information.
Citizen-Initiated Biometric Interactions
- Biometric data usage is strictly initiated by citizens themselves; there is no sharing or use of biometric data without their consent during validation processes.
Mitigating Risks with Biometrics
- Citizens control their biometric interactions via applications or self-service kiosks, reducing risks associated with unauthorized biometric data usage while maintaining secure identification for public services.
Alternative Identification Methods
- The platform seeks to minimize reliance on biometrics by offering alternative methods for accessing digital services, such as partnerships with banks for authentication and using digital certificates.
Balancing Security and Accessibility
- Efforts are made to balance security needs against accessibility; biometrics are reserved for critical identification scenarios where other forms of verification are insufficient.
Ongoing Concerns About Data Protection
- Continuous efforts focus on ensuring maximum transparency and protection concerning biometric data usage within government projects aimed at secure digital environments.
Discussion on Data Retention Policies
Questions Regarding Biometric Data Disposal
- A question raised about how to properly dispose of biometric data aligns with principles like necessity and elimination rights—emphasizing that data should not be retained longer than necessary.
Retention Duration Queries
- Related inquiries address how long biometric data should be retained and whether it should be excluded from backups, highlighting concerns over privacy policies related to biometric information.
Discussion on Facial Recognition Technology and Data Protection
Risks Associated with Facial Recognition Technology
- The conversation begins by addressing the risks related to personal data treatment, particularly in the context of increasing facial recognition technology usage by public entities and private organizations.
- There is a concern about ensuring that such technologies do not normalize systematic surveillance practices, especially concerning vulnerable populations like children and adolescents. Suggestions for institutional safeguards and technical parameters are sought to align with LGPD principles.
Trust in Financial Services
- Acknowledgment of the financial sector's maturity in digital services highlights trust as a key aspect; users will only engage if they believe their data is secure and institutions can respond effectively to issues.
- Inquiry into best practices for using biometric data, including facial recognition, emphasizes protecting citizens' rights while maintaining security standards within financial services.
Legal Safeguards for Data Usage
- Discussion shifts towards legal, regulatory, and organizational safeguards necessary for secure data utilization, focusing on both data protection and user rights. The speaker invites insights from Wudson regarding these aspects based on his experience at SGD.
Contextual Limitations of Facial Recognition
- Helena introduces critical points about contexts where facial recognition should not be used due to significant risks to fundamental rights; she cites public safety as an example where evidence supporting its efficacy is lacking.
- Concerns are raised about how such technologies can lead to generalized surveillance that treats everyone as potential suspects, undermining constitutional guarantees like the presumption of innocence. This creates an environment of distrust and repression rather than safety.
Mitigating Risks through Impact Assessments
- While some contexts may justify the use of facial recognition after robust justification, it’s essential to implement safeguards such as conducting a Data Protection Impact Assessment (DPIA) that must be publicly accessible and regularly updated for social control purposes.
- Emphasis is placed on effective communication regarding these assessments so that individuals can exercise their fundamental rights adequately amidst growing technological applications in society.
Communication Channels and Governance in Technology
Importance of Clear Communication
- Emphasizes the necessity for communication channels to be clear, accessible, and rapid, especially when dealing with sensitive biometric data.
Response Time for High-Risk Situations
- Suggests that response times for data controllers should be shorter in high-risk scenarios due to the potential severity of issues involved.
Accessibility and Inclusion
- Highlights the need for multiple communication channels (both written and oral) to ensure accessibility for vulnerable populations, including those who are illiterate or have limited literacy skills.
Governance Measures in Technology
Addressing Technological Neutrality
- Discusses the concept of technological neutrality, asserting that governance measures should not favor specific technologies but rather apply principles universally across all technologies.
Regulatory Adaptability
- Stresses that regulations must remain adaptable to keep pace with rapid technological advancements without being tied to specific technologies.
Three Pillars of Responsible Governance
Legal Measures
- Outlines legal measures focusing on proportionality and context while ensuring active transfer rights to individuals regarding their data.
Institutional Governance Practices
- Describes institutional governance practices such as supplier analysis, compliance with privacy laws (LGPD), documentation transparency, and multidisciplinary committees for evaluating practices.
Technical Security Measures
- Details technical security measures including testing accuracy, minimizing bias or discrimination in technology applications, and conducting tests in isolated environments before deployment.
Security Protocols and Risk Management
Information Security Techniques
- Mentions various information security techniques like liveness detection, encryption, network segregation, and anti-spoofing mechanisms aimed at protecting biometric data during collection and storage.
Continuous Risk Assessment
- Emphasizes ongoing risk assessments through audits and continuous monitoring to ensure robust security protocols are maintained over time.
Governance and Data Protection in the Financial Sector
Understanding Governance in Finance
- Governance encompasses all aspects of data management, particularly in the financial sector, which is characterized by strict regulations regarding information security and data protection.
- The financial industry has a long history of implementing measures to protect personal data, emphasizing the need for context-specific governance practices tailored to each controller's operations.
Importance of Robust Governance
- A more robust level of governance correlates with increased security, especially for high-stakes uses aimed at preventing fraud and ensuring safety.
Contributions from Experts
- Lívia expresses gratitude for the opportunity to engage in dialogue about these critical issues, highlighting their importance for internal reflections within organizations.
- Wudson discusses safeguards and projects developed within his organization, noting Brazil's reputation as a leader in data protection legislation that serves as a model for others.
Transparency and Citizen Engagement
- The creation and maintenance of impact reports enhance transparency, allowing citizens to understand how their data is collected, stored, and shared—particularly concerning biometric information.
- Citizens have the right to request deletion of their accounts on platforms where their biometric data is stored, reinforcing user control over personal information through clear privacy notices.
Addressing Vulnerable Groups
- Initiatives like the Balcão gov.br program aim to provide humanized support for populations with low digital literacy who may feel insecure using biometric systems online. This ensures equitable access to digital services.
Technical Safeguards
- All sensitive data are encrypted during storage and transmission; they reside on national servers under government control to mitigate external access risks. Continuous monitoring helps prevent unauthorized access or attacks on biometric systems.
- Regular evaluations are conducted on biometric systems to address potential biases or inaccuracies while leveraging citizen feedback for rapid improvements in service delivery. This highlights an ongoing commitment to refining algorithms used in identification processes.
Future Opportunities
- There exists a significant opportunity alongside challenges to build a secure identification ecosystem centered around citizen needs; future regulations will likely clarify usage rights concerning biometrics across Brazil.
Conclusion of Discussion
- The webinar concludes with thanks extended towards experts who contributed insights into this important discussion about governance and data protection practices within Brazil’s financial sector, emphasizing ongoing efforts toward clarity and security in biometrics use by society at large.