São Paulo Metro facial recognition system halted by court over privacy concerns
In May 2021 a São Paulo court ordered ViaQuatro to stop capturing passengers' images and biometric data with facial-recognition technology after civil-society organizations challenged the deployment on privacy grounds. The court decision, reported by major Brazilian outlets and advocacy groups, found that data such as gender, age and emotional metrics had been collected without proper authorization and imposed a monetary sanction. The episode drew attention from rights groups and news media and resulted in continuing litigation.
An automated facial-recognition system collected passengers' biometric data without proper authorization, prompting a court-ordered halt.
Key facts
- What
- In May 2021 a São Paulo court ordered ViaQuatro to stop capturing passengers' images and biometric data with facial-recognition technology after civil-society organizations challenged the deployment on privacy grounds.
- Incident date
- May 7, 2021
- Who
- ViaQuatro (concessionaire for São Paulo Metro)
- Failure mode
- Policy Violation
- AI surface
- Computer Vision
- Severity
- High
What happened
Civil-society organizations challenged a facial-recognition deployment on São Paulo Metro's Line 4 operated by concessionaire ViaQuatro, arguing it collected biometric and personal data without authorization. On May 7, 2021 a judge ordered ViaQuatro to stop capturing images and other personal data with the system. Brazilian media and consumer-rights groups reported the court found the practice infringed passenger privacy and imposed a monetary penalty on the company.
What broke inside the model
- 01 · TriggerA prompt pushes against a deployment boundary.
- 02 · Model stepThe model produces the disallowed output.
- 03 · Control gapNo enforcement blocks it at generation time.
- 04 · FailureThe output crosses the policy line.
- 05 · ConsequenceA limit the business set is breached in public.
The output crosses a policy boundary the deployment had defined.
The deployed system performed automated facial detection and biometric profiling (reportedly extracting gender, age and emotional metrics) without obtaining passenger consent or a lawful basis for processing. The failure was primarily a policy and legal compliance failure: the deployment violated privacy norms and was judged by a court to be unlawful. The technical system itself was not publicly demonstrated to be misclassifying identities in published reporting; the documented issue centers on unauthorized collection and processing of biometric data.
What it cost
Sources
- PressJustiça multa concessionária em R$ 100 mil por coleta de dados de passageiros na Linha 4-Amarela do Metrô de SPg1.globo.com
- PressSao Paulo court bans facial-recognition cameras in metroaccessnow.org
- PrimaryViaQuatro é condenada por reconhecimento facial no Metrô de SPidec.org.br
- PrimarySão Paulo Metrô deploys facial recognition tech from ISSissivs.com
Cite this entry
https://failureindex.ai/failures/paulo-metro-facial-recognition-halted-privacyAI Failure Index. "São Paulo Metro facial recognition system halted by court over privacy concerns" (FI-0467). Realm Labs. https://failureindex.ai/failures/paulo-metro-facial-recognition-halted-privacy (indexed Jun 10, 2026).Data fields CC-BY 4.0, prose citation permitted. Incident ID FI-0467. Full dataset at /data.
Note from Realm Labs, the Index steward
How Realm fits
- Prism
- OmniGuard
This entry sits in the index's predictive wing: a system that scores, ranks, perceives, or steers rather than generates. Realm's runtime layer is built for the generative and agentic systems now moving into these same decision seats, where it watches a model's internal state and holds an unsupported claim or an unchecked action before it commits. The control gap on this record, an automated decision that reached people with no runtime check in front of it, is the same gap. The index keeps predictive failures on the record because the pattern carries straight into the systems shipping today.