Technological advancements have brought powerful tools to society, such as facial biometrics and image recognition, promising speed and efficiency in various areas, from public safety to financial services. The use of these tools has expanded significantly; biometrics already equips more than 4.2 billion mobile devices worldwide, according to Juniper Research, and in Brazil, facial recognition already monitors approximately 401,300 people in various contexts, according to studies by the Public Defender's Office of the Union (DPU) in partnership with the Center for Studies on Security and Citizenship (CESeC).
However, these resources imply significant risks to privacy and fundamental rights. Biometric data is sensitive by nature: unlike passwords or document numbers, it cannot be altered if leaked, making its responsible use a legal and ethical obligation. Reports such as Deloitte's estimate that AI-driven fraud could generate losses of R$4.5 billion by the end of 2025, with growth exceeding R$800% in the use of deepfakes in the country.
Facial recognition — used in authenticating financial transactions and payments, in physical access control in companies, condominiums and airports, and in identification for issuing official documents, among other applications — is already a common reality in a world marked by technological disruption. Technology should, in fact, serve society; however, its responsible use requires organizations offering these services to strike a balance between innovation, ethics, and the protection of fundamental rights.
In Brazil, the General Data Protection Law (LGPD) establishes clear rules regarding the collection, storage, and use of biometric data, which are classified as sensitive personal data (Article 5, II). Explicit and prominent consent from the data subject, for specific purposes, is mandatory in most cases.
Beyond consent, companies have a duty to ensure transparency and security in all processes involving this information. Data leaks or misuse can cause serious harm, such as fraud or unauthorized exposure. An additional risk, frequently debated, is so-called "algorithmic racism," where a lack of diversity in training data can lead to higher error rates and discrimination against certain racial groups in facial recognition, as pointed out in studies on public safety.
Thus, the National Data Protection Authority (ANPD) has intensified regulation, including opening Public Consultations to guide future regulatory action on the processing of biometric data.
The penalty for non-compliance with the LGPD (Brazilian General Data Protection Law) can result in fines of up to 21% of the company's revenue, limited to R$ 50 million per infraction, in addition to sanctions such as the suspension or prohibition of data processing.
However, with proper legal guidance, including the preparation of Data Protection Impact Assessments (DPIAs), it is possible to adopt advanced solutions without compromising human dignity or the legal security of companies, thus ensuring that technology is an ally and not a source of legal violations and penalties.
Nicoly Crepaldi Minchuerri, a lawyer specializing in civil law at the law firm Mazzucco & Mello Sociedade de Advogados.
Leonardo Neri, lawyer, holds a master's degree in sports business from England and is a partner in the Technology, Media and Telecommunications (TMT) area of the law firm Mazzucco & Mello Sociedade de Advogados.
SOURCE: TIINSIDE.