Cybersecurity & Data Privacy
The electronic monitoring system with facial recognition that will be installed in the subways of São Paulo City, and it is the object of a bidding process in the amount of BRL 59 million, is being challenged in Court. The Judge of the 1st Public Court of São Paulo issued a decision, in a lawsuit of anticipated production of evidence proposed by six entities that represent consumer protection, ordering the company operating the majority of the city’s subway network, Companhia Metropolitana de São Paulo (Metro), to provide clarifications on risk and impact assessment expected with the implementation of the new technology, on how personal data will be processed by Metro, technical databases and security systems issues, and actions to mitigate the potential risk of a data breach.
The claim is grounded on the Federal Constitution, the Consumer Protection Code and the Brazilian Data Protection Law (LGPD), even though is not yet effective. The purpose is to investigate possible violation of privacy rights and informational self-determination of users of the São Paulo subway system, if such system is effectively installed. This is because, although LGPD brings exceptions from its application to personal data processed under the scope of public security, national defense, state security or activities of investigation and prosecution of criminal offenses, there are no current indications of what user information will be captured and used by Metro nor how the children and teenagers’ right to image will be safeguarded, rights ensured not only in the Brazilian Statute of Children and Adolescents, but also by LGPD itself, which expressly brings in its content the need for the express consent of one of the parents or legal representative for the usage of the personal data.
The use of facial recognition technology and its legal and ethical implications have been discussed in the foreign scenario for some time. In Brazil, this lawsuit against Metro is not unprecedented. In 2018, the company “Via Quatro”, operating the 4-Yellow Line of the São Paulo subway, was forced by the Judiciary to discontinue a facial recognition project that involved the collection of the passengers’ images, which is a personal data. The cameras were designed to identify passengers’ "emotions" (how they responded to advertising) and to recognize the gender and age group of public transport users.
At the time, Metro complied with the court decision and defended itself by arguing that the technology used was not related to facial recognition, but to the detection of faces classifiable in categories of expressions, gender and biotypes. The process is in the phase of producing evidence.
Last year, the Federal Consumer Authority opened an administrative investigation against a clothing company about its facial detection system, through which it estimates the gender, age group and mood of consumers during the act of purchase. The administrative proceeding has not yet been judged.
It is also worth noting that there are already judicial decisions considering that reports of impacts on the personal data protection, as established by LGPD, cannot yet be demanded, since the law itself is not yet in force, nor is there any regulation by the competent body to do so, the Brazilian National Data Protection Authority (ANPD).
Our Technology, Privacy and Data Protection practice area has an extensive experience in the subject and is available for any further clarification.