A new Bill has been introduced to the Brazilian Chamber of Deputies that prohibits facial recognition being the sole identification method in public and private sectors. If it passes it will enter into effect 90 days after its publication.
This Bill has been introduced due to the fact that the use of facial recognition for identification purposes is increasing. It is used in public and private sectors for things such as identifying wanted persons, authenticating permits or employees or for customers to access services. However, there are a lot of concerns that the more this is used the more likely it could be abused.
Some of the issues that are being addressed are:
- Situations where facial recognition services are used but there are no staff members monitoring the process to deal with problems
- Misuse of the data due to commercialization of the data
- Data leaks
- Fraud and identity theft
Any biometric data from facial recognition must:
- Comply with LGPD
- May not be passed on to third parties
- Unless it is exclusively for cases of public security, national defence and investigation and stopping criminal activities
Biometric data from facial recognition technologies cannot be used without an alternative means of recognition in case there is a problem. If an institution decides to use facial recognition technology then they need to provide an annual report, available to the public. This report must contain and assessment of the use of the technology in a given case, any user complaints and solutions adopted in each case, and judicial or administrative proceedings in which the institution has been a defendant.
Consent must be obtained with regard to the transfer of data to third parties.
Biometric data cannot be used as a form of identification without a report into the impact on privacy. The report must demonstrate why other forms of identification without biometric data are not feasible options. It must also include:
- An analysis of the individual liberties and human rights potentially affected and the damages
- History of documented breaches of reliability
- Fraud resulting from not using this technology
It must also be available for inspection by the body for data protection.