The Right to Explanation in Brazilian Data Protection Law
Brazil has passed a few, but highly relevant, laws related to the internet and similar modern technologies. On the one hand, the country seems to have been quite innovative in approving some key legislation that has been protective of online liberties. On the other, it seems that Brazil always lags behind on certain key issues. The most notable of these laws has been Law nº 12.965, approved in 2014, the Marco Civil da Internet, known in English as the Brazilian Internet Bill of Rights, which established a number of individual and collective online liberties. The law has been much praised for its innovative approach to internet regulation and the fact that it is highly averse to the criminalisation of the internet and highly protective of internet liberties, with a strong focus on the protection of freedom of speech and privacy.
In 2018, Brazil took a step towards regulating data protection in a general sense. Propelled by the establishment of the European General Data Protection Regulation (GDPR) in the same year and the Cambridge Analytica scandal, the Brazilian Congress approved a data protection Law that had been debated in Congress for almost ten years.
The Brazilian Law nº 13.709, called Lei Geral de Proteção de Dados, or simply the LGPD (General Data Protection Law), was approved in Congress in 2018, but that was not the end of the discussion and there was turbulence involved in its coming into force. Since Data Protection and Privacy culture are still very underdeveloped in Brazil, many Brazilian companies, political groups and even civil society organisations failed to recognise the urgency in quickly applying the Law. Moreover, since there was little protection already in place in the country, adaptation meant heavy costs for businesses and organisations.
For these reasons, even after its approval, there was intense resistance to the LGPD, and there were many manoeuvres to attempt to postpone its application. First, it was scheduled to come into force 18 months after the approval of the Bill. This later became 24 months. With the COVID-19 pandemic in 2020, a group of Congressmen tried to push the implementation of the Law back yet another year. Even the Executive Power stepped in, trying to postpone the Law via Presidential Decree. These multiple struggles caused enormous uncertainty, so that people could not really affirm the applicability of the Law. Fortunately, today, it seems that issue has been mostly settled. The Law came into force in September 2020, and its penalties will be applicable from August 2021 – an odd solution, which hints at a gradual application.
At a first glance, one might think that the LGPD is an attempt to copy the European statute. Indeed, the pieces of legislation have many similarities, and they have been inspired by the same set of principles and rights that underpin privacy and data protection. However, one must note that the Brazilian Law also has many peculiarities, most interestingly, for this discussion, a strong basis to support the existence of a Right to Explanation.
The LGPD's text includes elements that provide a strong case for the Right to Explanation in the Brazilian Legislation. This Right can be defined as the right of an individual or collective to demand that the operator of an automated decision system provide an explanation as to why the automated system has produced a determined output. In other words, it is an entitlement to know and understand the reasoning and criteria that are encoded within a system's algorithm.
Such a Right also entails extra-legal obligations, affecting the ethical and technical spheres of automated decision-making. In order to conform with this obligation, developers need to take measures to ensure that the data subject has substantial means of requesting and understanding the explanations, which means adapting designs, interfaces and even policies.
Also, emerging technologies and their great potential for the automation of a large number of activities that can affect individual and collective rights have raised the issue of the establishment of an informational due process.
This article presents, in Part I, the relevance of this new Right in the context of massive data processing, indicating the relevant statutes and revealing the legal arguments for the existence of a Right to Explanation in Brazil; it also argues why emerging technologies demand an informational due process for protecting individual and collective rights. Part II presents legal precedents for the Right to Explanation in the context of consumers’ rights and discusses the development of data protection in the courts, culminating in recent decisions that have recognised informational self-determination as a fundamental constitutional right. Part III argues that the interpretation of the LGPD and relevant court decisions leads to the conclusion that data protection law should be seen within a procedural justice context and proposes a framework for procedural due process in automated decision-making.