Recently, the Brazilian National Data Protection Authority (ANPD) voted to suspend the application of Meta’s new privacy policy in Brazil, as this policy might violate Brazil’s General Data Protection Law (LGPD).

Based on an analysis of the policy, the ANPD identified that Meta would start processing data such as images, audios and videos from its users, including children, for training its Generative AI, without, however, observing the principles and rules of the LGPD, including:

  1. Inadequate Legal Basis: Meta was using “legitimate interest” to justify collecting personal data for AI training, which isn’t adequate, especially for sensitive data.
  2. Lack of Transparency: Meta’s information about how it uses data for AI is unclear. Users don’t get a straightforward explanation, making it hard to understand what’s really happening with their data.
  3. Difficult to Control Data: The tools Meta provides for users to manage their data are complicated and not user-friendly, which might discourage users from taking control of their data.
  4. Children’s Data: Meta was collecting data from children and teenagers without the necessary protections, given their vulnerability.

Because of these issues, the ANPD recommended immediately suspending the application of Meta’s privacy policy in Brazil regarding the use of personal data for AI training. They also recommended stopping the processing of personal data for this purpose in all Meta products, with a daily fine of R$ 50,000 for non-compliance due to the potential severe and hard-to-repair harm to users’ rights.

Meta requested a review of this decision and proposed a plan to address the issues. However, the ANPD rejected this request, stating that Meta didn’t provide a clear plan or specific dates for making the necessary changes.

Impact on Other Companies

Lawyer Cecília Freitas, from Emerenciano, Baggio & Associados – Advogados, commented, “The Meta case is a warning to all companies that the regulator is serious about protecting citizens’ rights. Companies processing data for their activities, including AI training, must comply with LGPD.”

Following LGPD is mandatory in Brazil and can prevent suspensions, fines, and damage to reputation.

To avoid similar issues, companies should:

– Always base their data activities on the legal grounds set by LGPD.

– Be transparent with users about data usage, allowing them to understand and control their data.

– Implement special protections for data from children and teens.

The law firm EMERENCIANO BAGGIO & ASSOCIADOS – ADVOGADOS specializes in privacy, data protection, innovation, and technology, helping clients comply with data protection laws and other regulations.

This information is for general purposes and does not constitute legal advice.