BRAZIL Law and Practice Contributed by: Patricia Barboza, Alinne Gordilho and Amanda Costa, CGM Advogados
The exercise of data subject’s rights is not yet fully regulated by Brazil’s National Data Protection Agency (ANPD), though it remains a priority topic. Additional requirements or limitations may arise as new regula - tions are implemented. 7.4 AI The use of AI in internal investigations in Brazil remains uncommon. However, as AI adoption con - tinues to grow, its application in such processes may become more frequent, raising important considera - tions regarding data protection and compliance with the LGPD. Although there is no specific provision in Brazilian law regulating the use of AI, it is essential that any processing through AI tools complies with LGPD requirements. This includes ensuring robust security measures so that data imputed into AI sys - tems remains confidential and that the tool operates in a closed and controlled environment, preventing the use of the imputed data for AI training purposes. Additionally, there must be a clear and legitimate pur - pose for the processing, transparency provided to data subjects, and safeguards to prevent discrimina - tory outcomes. Contractual safeguards with AI vendors are also important to ensure compliance with LGPD, includ - ing auditability and clear allocation of responsibilities. Conducting a Data Protection Impact Assessment (DPIA) when using AI in internal investigations may also be advisable, depending on the kind of data or legal basis involved. These measures not only help mitigate legal and reputational risks but also dem - onstrate accountability, strengthen governance, and build trust with stakeholders by ensuring that AI-driv - en processes remain secure, transparent, and aligned with data protection principles. When using AI, the company must bear in mind that, under the LGPD, data subjects also have the right to request a review of decisions made solely on the basis of automated processing of personal data that affect their interests, including decisions intended to define their personal, professional, consumer, or credit profile, or other aspects of their personality – which might be the case regarding certain AI platforms/tools.
Finally, it is essential to ensure transparency through - out every stage of the process, particularly when using AI. Furthermore, it is advisable to implement human review during the workflow and, most importantly, at the final stage, to guarantee that the outcome does not contain bias, which can occur with automated systems. This practice reinforces trust and integrity, ensuring that decisions are fair and aligned with the organisation’s ethical principles.
8. Special Cases 8.1 Whistle-Blowing
In Brazil, whistle-blowing is addressed in the Brazil - ian Anti-Corruption Act, but there is no legal defini - tion of a whistle-blower. From an employment point of view, the is no statutory protection guaranteed to the whistle-blower, but internal policies of the companies or applicable collective bargaining agreements can provide such protections. 8.2 Sexual Harassment and/or Violence There is no specific legal protection for reporting sex - ual harassment and/or violence, but internal company policies or applicable collective bargaining agree - ments can provide such protections. Since September 2022, companies required to estab - lish a CIPA must implement an internal policy outlining the procedure for receiving and monitoring complaints related to sexual harassment and other forms of work - place violence. They must also provide a reporting channel that safeguards the reporter’s identity, should they wish to remain anonymous. From a criminal perspective, sexual harassment is defined as: “Coercing someone with the intent of obtaining sexual advantage or favour, exploiting the perpetrator’s position as a hierarchical superior or authority inherent to their role, position or function.” Another crime is defined as: “Engaging in a lewd act with someone without their consent, with the intent to satisfy one’s own lust or that of a third party.” However, not all conduct classified as sexual harass - ment under internal regulations meets these legal definitions. Employers should exercise caution when
46 CHAMBERS.COM
Powered by FlippingBook