We are handing over fundamental decisions about our lives to invisible, self-learning codes. Instead of people, it is algorithms that now evaluate, approve, reject, and categorize. Artificial intelligence isn't arriving; it's already deciding.
From systems that analyze credit and set interest rates in seconds, to automated filters that eliminate resumes from selection processes, to mechanisms that shape the content consumed on social media, society is witnessing a silent but profound transformation: the delegation of traditionally human decisions to machines.
These systems, when based exclusively on personal data and operated autonomously, constitute what is called automated decision-making. The General Data Protection Law (LGPD), in force in Brazil since 2020, recognizes the impact of this type of processing and provides specific guarantees for data subjects. Article 20 of the LGPD ensures the individual's right to request a review of decisions made solely on the basis of automated processing that affect their interests, as well as the right to receive clear and adequate explanations about the criteria and procedures used.
The advancement of automation technologies is not, in itself, a problem. On the contrary, many of these solutions promote efficiency, standardization, and resource savings. However, when algorithms begin to determine whether a person will have access to credit, employment, or a public service, without any possibility of contesting or understanding the logic used, concrete risks to privacy, dignity, and non-discrimination arise.
The LGPD (Brazilian General Data Protection Law) establishes a robust legal basis by requiring transparency, security, prevention, and accountability from data processing agents. Even so, its practical application in the context of automated decisions remains limited, especially given the technical complexity of the models used and the lack of specific regulations from the National Data Protection Agency (ANPD).
This regulatory gap is concerning. Predictive and classification models used in automated decisions often operate as "black boxes," without providing intelligible justifications or allowing for auditing of the criteria applied. This scenario directly challenges the principle of transparency, enshrined in Article 6 of the LGPD (Brazilian General Data Protection Law), which imposes on data controllers the duty to provide data subjects with clear, accurate, and accessible information about the processing of their data.
Beyond opacity, one of the greatest risks is the reproduction of structural discrimination. Algorithms trained with historical data often carry the same biases present in society and, therefore, can amplify them. International studies have already demonstrated, for example, that criminal risk analysis systems and hiring algorithms tend to penalize historically marginalized groups, such as Black people and women. In Brazil, there are similar complaints involving facial recognition systems with high error rates for Black people.
Another critical point is the lack of effective channels for reviewing decisions. Although the LGPD (Brazilian General Data Protection Law) guarantees this right, many companies do not even acknowledge the existence of automated decision-making processes, nor do they offer clear mechanisms for contesting them. This puts data subjects at a disadvantage, as they are subjected to decisions with significant effects, such as credit denial or exclusion from a job opportunity, without knowing how or why this occurred.
The need for regulation becomes even more urgent in the face of the rise of emerging technologies. The rapid incorporation of tools based on generative artificial intelligence, BiometryNatural language models and predictive systems raise risks and complicate the scenario. These technologies operate with self-learning capabilities, large volumes of data, and opaque statistical logic. In many cases, they produce decisions or inferences without human intervention, directly affecting the lives of individuals without them understanding how they were evaluated, categorized, or excluded.
Generative systems, for example, can reconstruct highly sensitive profiles of people based on fragments of behavioral data, which enhances the processing of sensitive data and generates risks of improper profiling. Surveillance systems based on facial recognition, widely used in the public and private sectors, operate using biometric data, whose protection is reinforced by the LGPD (Brazilian General Data Protection Law), requiring specific legal hypotheses, additional security measures, and impact assessments.
At the same time, the contracting of emerging technologies as outsourced services, often without transparency in contracts or guarantees regarding data governance, increases the responsibility of data controllers. These agents need not only to justify the choice of technology, but also to demonstrate, through records and documentation, that the adopted system complies with the LGPD (Brazilian General Data Protection Law).
In this context, the institutional transformation of the ANPD into an independent regulatory agency represents a significant milestone. Provisional Measure No. 1.317/2025 incorporated the ANPD into the list of federal regulatory agencies, granting it technical, decisional, administrative, and financial autonomy. This change has the potential to considerably strengthen its capacity to act, allowing the new agency to operate with greater independence from political or economic interests and increase its regulatory presence in sectors that operate with high risk to privacy and data protection.
With the creation of a dedicated regulatory career path and the expansion of its technical team, the new agency will be able to respond more quickly to incidents, intensify inspections, develop more detailed regulations, and promote an environment of legal certainty for both data subjects and data controllers. Furthermore, the new structure incorporates responsibilities related to the Digital Statute of Children and Adolescents, expanding its oversight of sensitive data concerning minors in the digital environment.
On the other hand, the challenges are not trivial. Achieving institutional autonomy depends on adequate resources, continuous training, and resilience in the face of potential political pressures. There is also a need for regulatory coordination with other public entities and for maintaining technical capacity given the rapid pace at which emerging technologies develop.
In this scenario, algorithmic governance becomes an indispensable element. It involves adopting policies, practices, and internal controls that ensure the compliance of automated systems with the rights of data subjects. This includes conducting impact assessments, establishing human oversight mechanisms, defining objective criteria for reviewing decisions, and requiring explainability—that is, the obligation to make the logic behind automated decisions understandable, even when based on complex models.
Data protection should not be seen as an obstacle to innovation, but as an essential component of its legitimacy. Society's trust in AI systems depends directly on the guarantee that its rights are being respected. This includes the right to know how decisions are made, to challenge them, and not to be discriminated against because of them.
Building an ethical and transparent ecosystem requires coordinated action between the public sector, private initiative, academia, and civil society. It is up to the legislator and the new regulatory agency to define clear parameters. Companies must implement robust compliance structures. And society must demand accountability, transparency, and uphold the rights established in the LGPD (Brazilian General Data Protection Law).
The challenge is complex and structural, but it can no longer be postponed. Ensuring that decisions made by machines regarding identity, access, opportunities, and career paths respect human dignity, equity, and fundamental rights is not just a data protection guideline; it is a democratic commitment. Addressing this reality requires more than just regulations: it demands an institutional culture of accountability, transparent practices, algorithmic governance mechanisms, and active societal participation in monitoring the ethical and legal limits of artificial intelligence.
Want to learn more about AI? Understand the changes it has brought to the world of football. here.
