FPF at CPDP LatAm 2022: Artificial Intelligence and Data Protection in Latin America
This summer the first-ever in-person Computers, Privacy and Data Protection Conference – Latin America (CPDP LatAm) took place in Rio de Janeiro on July 12 and 13. The Future of Privacy Forum (FPF) was present at the event, titled Artificial Intelligence and Data Protection in Latin America, participating in two panels and submitting a paper for publication. In this blog post, we provide an overview of both the panels, as well as a brief summary of the accepted research paper.
CPDP LatAm is a relatively new event on the international privacy conference circuit, designed to provide a Latin American platform to discuss privacy, data protection, and technology. All the below sessions were recorded by the CPDP organizers, and we will include a link to the recordings as soon as they are made available. Currently, only the opening and closing plenary sessions are available online.
Research Data, AI and Data Protection Law: What Research ‘Exceptions’ Mean for the Development and Use of AI Technologies:
On the first day of CPDP LatAm, FPF got off to a roaring start – hosting a deep-dive panel on how general data protection regulations treat processing personal data for research purposes in the context of AI technologies. Moderated by FPF Policy Counsel Katerina Demetzou, the panel featured contributions from:
- Pablo Palazzi, Partner, Allende & Brea; adjunct professor at the School of Law of UdeSA;
- Nelson Remolina Angarita, Associate Professor, Universidad de los Andes; former Superintendent for the Protection of Personal Data, Colombia;
- Marcela Mattiuzzo, Partner, VMCA;
- Lucas Borges de Carvalho, Project Manager/Advisor, Board of Directors, ANPD;
- Lee Matheson, Senior Counsel, Future of Privacy Forum.
The panel explored how “general scope” data protection regimes often treat processing personal data for research purposes differently, sometimes exempting personal data processed for qualifying purposes from other provisions, such as individuals’ rights to request access to or the deletion of such data. The panel discussed how in the AI context, where high quality datasets containing personal data are critical to train and develop core algorithms and to continuously improve them, these exceptions are particularly crucial to the development of new technologies – but may also represent a significant increase in risk to the individuals concerned.
Panelists identified a number of areas where regulators in Latin America are currently working to issue more specific guidance on the subject of research exceptions – particularly in defining the scope of what kinds of processing activity “count” as acceptable “research” – and whether “research exceptions” should include research activities carried out by the private sector. One such example is the Brazilian regulator, the ANPD, which recently issued a technical study titled “The LGPD and personal data processing for academic purposes and studies by research organisations” (the original title is “LGPD e o tratamento de dados pessoais para fins acadêmicos e para a realização de estudos por órgão de pesquisa”, original available in Portuguese). The panel also discussed the role of the Ibero-American Network of Data Protection (RIPD) in the matter, as well as how the emerging regulatory regimes in Latin America dealing with the use of personal information for research purposes compare to, and differ from, the European Union’s approach to this issue under the General Data Protection Regulation.
Algorithmic Transparency, Accountability, and Trade Secrets
On the second day of CPDP LatAm, FPF Policy Counsel Katerina Demetzou also spoke on a panel regarding Algorithmic Transparency, Accountability, and Trade Secret Preservation (original title ‘Transparência algorítmica, accountability e preservação do segredo de negócio’). This panel, moderated by Danilo Doneda, CEDIS-IDP, featured contributions from:
- Monica Tiemy Fujimoto, CEDIS-IDP;
- Flavia Mitri, Privacy Director for Latin America, Uber;
- Rafael Zanatta, Director, Data Privacy Brazil;
- Katerina Demetzou, Policy Counsel, Future of Privacy Forum.
The panel focused on how to balance transparency obligations core to effective data protection laws with the need to maintain trade secrecy central to much commercial development of artificial intelligence, and how to structure data protection laws such that trade secrecy claims are not able to prevent individuals from effectively exercising their privacy rights. Panelists discussed issues such as the necessity of disclosing application or software source code when providing “explainability” of decision-making to data subjects, and debated the level of detail necessary in disclosures required under transparency obligations. Ms. Demetzou focused on how this tension is treated under the EU’s General Data Protection Regulation, and discussed several examples of EU Member State enforcement actions that balanced the substantive rights granted to individuals by the GDPR with the confidentiality rights created by other national laws regarding trade secrets.
FPF Paper Accepted for Publication
In addition to the above panels, FPF also submitted an academic paper to CPDP LatAm 2022. Titled “Thin Red Line: Refocusing Data Protection Law on ADM, A Global Perspective with Lessons from Case-Law” and co-authored by FPF Vice President Gabriela Zanfir-Fortuna, Policy Counsel Katerina Demetzou, and Policy Counsel Sebastião Barros Vale, the paper focuses on how existing data protection laws in the EU and a selection of six global jurisdictions (Brazil, Mexico, Argentina, Colombia, China and South Africa) are currently being applied in the context of automated decision-making (ADM). The paper successfully completed the conference double-blind peer review process and will be published in a CPDP LatAm special issue of the Computer Law & Security Review, edited by FGV Professors Luca Belli and Nicolo Zingales.