Consultation on anonymization, pseudonymization, and data subject rights opened in Brazil
Contributions to these topics can be sent to the Brazilian Data Protection Authority until February 28 and March 4, 2024, respectively
Public Consultation on Anonymization and Pseudonymization
On January 30, 2024, the Brazilian Data Protection Authority (ANPD) opened a public consultation on preliminary studies addressing the processes of anonymization and pseudonymization. The ANPD has also made a draft of its Anonymization and Pseudonymization Guide (Draft Guide) publicly available, together with technical and case studies to which experts and civil society can contribute.
While the Brazilian Data Protection Law (Law No. 13,709/2018 – LGPD) presents concepts related to the processes of anonymization and pseudonymization of personal data, the regulation of applicable techniques and standards falls to the ANPD. The publication of a document for guiding and clarifying how the anonymization and pseudonymization techniques provided for in the LGPD should be used was included in ANPD’s 2023-2024 Regulatory Agenda.
The main topics and issues that the Draft Guide and technical and case studies cover are outlined below:
Initial concepts and notions
The Draft Guide and the studies present basic concepts related to anonymization and pseudonymization. Some of these concepts have been taken directly from the LGPD (such as anonymized data), while others are presented for the first time:
- Anonymized data: Data initially linked to a natural person that has been disassociated from them by virtue of the use of reasonable technical means available at the time of processing. One of the documents differentiates between anonymized data and anonymous data, the latter of which is defined as data that is not linked to a natural person from the very outset;
- Ancillary data: The additional identifier used to link personal data that has undergone a pseudonymization process. It is capable of allowing the natural person to be re-identified;
- Direct identifiers: Data with the capacity to identify a natural person without any additional information. Examples include a person’s full name and taxpayer ID number;
- Indirect identifiers: Also known as ‘quasi-identifiers’, this is a form of data that is not capable of identifying a natural person by itself yet can be aggregated or linked to ancillary data to achieve this purpose. Examples include a person’s zip code, nationality, age, race, phenotypic characteristics and IP address;
- Base metric: A value defined to measure the risk of reidentification, calculated solely on the basis of the data set itself, such as equivalence classes;
- Contextual metric: A metric derived from a base metric with the incorporation of particular elements;
- Reidentification: The process of trying to discern identifiers that have been removed from de-identified data, including through data anonymization techniques.
The ANPD has indicated that the distinction between anonymized and pseudonymized data lies in the possibility (in the latter case) of reversing the process and re-establishing the association of the data with the data subject’s original identity. The circumstances, context and the technical means used in the processing activity are also factored into this distinction.
In pseudonymization, the controller keeps additional information stored separately in a controlled and secure environment to re-establish the link between the pseudonymized data and the identity of the data subject at any time. On the other hand, anonymization removes any and all identifiers, meaning the data ceases to be considered personal data for any entity (including the data controller) and becomes unidentifiable by any existing means at that time and state of the art.
Important points presented by the ANPD
- Anonymization as a form of processing in and of itself: Anonymization should be seen as a process that contains different stages, with the initial act being a personal data processing operation. Therefore, the rules and principles that the LGPD sets out must be observed in this process;
- The need for legitimate processing: Anonymization alone cannot legitimize a processing activity that was originally unlawful due to the lack of a legal basis for it. The anonymization process must presuppose that data processing is lawful and must only take place after the data processing agent adequately assesses a need for it – observing the principles of the LGPD, especially the purpose, adequacy and necessity of the data;
- Duty of information and adequacy: Since the Draft Guide treats anonymization as a personal data processing activity, the controller must inform data subjects that one of the purposes of collecting personal data is future anonymization, in line with the principle of transparency. If this is not done, the processing must be compatible with the purpose initially indicated to the data subjects;
- Risk of reidentification: The ANPD recognizes that the anonymization process will always be subject to future reidentification risk factors. One example of such risks that the ANPD has mentioned regards the inference technique. This involves inferring the value of an attribute from the values of a set of other attributes and then using means that did not exist at the time to re-identify data subjects;
- Concept of ‘reasonable efforts’: The ANPD understands this term to be an indeterminate concept, which still requires further assessment by the authority itself. The ANPD has reiterated that the lawfulness of reasonable efforts must also be considered, given that unlawful acts or cybercrimes are considered unreasonable efforts to re-identify data subjects or reverse the anonymization process. Likewise, factors such as the cost and time required to re-identify data subjects or reverse the anonymization process must also be considered;
- Concept of ‘own means’: The ANPD has a delimited interpretation of the term “own means” (meios próprios), understanding it to refer to the skills, data, instruments and techniques available to the processing agent responsible for anonymization at the time of processing;
- Human participation: The ANPD believes that anonymization should not be fully automated. Automated tools can be used, but considering the significance of the topic, it may be necessary for a human expert to oversee the process.
Methodologies applicable to anonymization and pseudonymization
The Draft Guide presents a risk-based approach to anonymization. As such, the document defines the three following stages for processing agents to observe:
- First stage: Determining the Acceptable Reidentification Risk (RRA) for a given data set with the aim of stipulating a risk threshold. Context variables (for example, the existence of sensitive personal data or financial data) can lower the acceptable risk threshold;
- Second stage: Applying the chosen set of anonymization techniques to produce an anonymized data set that has a risk of reidentification no greater than the RRA;
- Third stage: Defining a Measured Reidentification Risk (RRM), which involves measuring the risk of a reidentification attack being successful. Factors such as whether the data set is public, shared or private can impact the RRM. Ultimately, the RRM must be compared to the RRA; if the RRM is higher than the RRA, the data set is understood to not be properly anonymized, and thus the anonymization process must be restarted. The study presents considerations on possible metrics for applying and defining such risks.
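The three stages above can be made concrete with a small script. The following is an added illustration, not code from the ANPD or the Draft Guide: it treats the base metric as the size of the equivalence class formed by a record's quasi-identifiers (zip code, age, nationality), measures the worst-case reidentification probability as the RRM, compares it to a constructed RRA, and progressively generalizes the quasi-identifiers until the RRM falls at or below the threshold (or gives up, which the Draft Guide would treat as a data set that is not properly anonymized). The sample records, the generalization ladder, the thresholds and the `public` switch standing in for a contextual metric are all constructed assumptions.

```python
"""Risk-based anonymization check: measure reidentification risk from the
equivalence classes of quasi-identifiers and compare it to an acceptable
threshold (RRA). Added example; records, rules and thresholds are constructed."""
from collections import Counter

# Constructed sample: direct identifiers already removed, quasi-identifiers remain.
RECORDS = [
    {"zip": "01310-100", "age": 34, "nationality": "BR", "diagnosis": "A"},
    {"zip": "01310-200", "age": 36, "nationality": "BR", "diagnosis": "B"},
    {"zip": "01311-000", "age": 41, "nationality": "AR", "diagnosis": "A"},
    {"zip": "01311-900", "age": 45, "nationality": "AR", "diagnosis": "C"},
    {"zip": "01310-300", "age": 38, "nationality": "BR", "diagnosis": "B"},
    {"zip": "01311-100", "age": 49, "nationality": "AR", "diagnosis": "B"},
]
QUASI_IDENTIFIERS = ("zip", "age", "nationality")


def equivalence_classes(records, keys):
    """Base metric: count records sharing identical quasi-identifier values."""
    return Counter(tuple(r[k] for k in keys) for r in records)


def measured_risk(records, keys, public=True):
    """RRM: probability that a record is singled out by its quasi-identifiers.

    A record in a class of size n is matched with probability 1/n. For a
    public data set we take the maximum over records (worst case); for a
    private or shared one we take the average. This switch is a constructed
    stand-in for the contextual metric the Draft Guide describes."""
    classes = equivalence_classes(records, keys)
    per_record = [1 / classes[tuple(r[k] for k in keys)] for r in records]
    return max(per_record) if public else sum(per_record) / len(per_record)


def generalize(record, zip_digits, age_band):
    """Second stage technique: truncate the zip code and band the age."""
    out = dict(record)
    out["zip"] = record["zip"].replace("-", "")[:zip_digits]
    low = (record["age"] // age_band) * age_band
    out["age"] = f"{low}-{low + age_band - 1}"
    return out


def anonymize(records, rra, public=True):
    """Apply the three stages: fix the RRA, generalize, measure the RRM.

    Returns (anonymized records, rrm, parameters used) or (None, None, None)
    when no rung of the ladder brings the RRM down to the RRA."""
    ladder = [(8, 1), (5, 5), (3, 10), (0, 20)]  # progressively coarser
    for zip_digits, age_band in ladder:
        candidate = [generalize(r, zip_digits, age_band) for r in records]
        rrm = measured_risk(candidate, QUASI_IDENTIFIERS, public)
        if rrm <= rra:
            return candidate, rrm, (zip_digits, age_band)
    return None, None, None


if __name__ == "__main__":
    data, rrm, params = anonymize(RECORDS, rra=0.5)
    print("RRM", rrm, "with zip digits / age band", params)
    for row in data:
        print(row)
```

With an RRA of 0.5 the script stops at three zip digits and ten-year age bands, where every record sits in a class of three (RRM 1/3); with a stricter RRA of 0.2 no rung of this small ladder suffices and the function reports failure, which is the point at which the Draft Guide says the process must be restarted with different techniques.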
As for pseudonymization, the Draft Guide suggests a 12-step methodology aligned with the best market practices, including (but not limited to):
- Carrying out an initial assessment to identify the data subject to pseudonymization;
- Defining objectives;
- Selecting techniques;
- Developing policies and procedures;
- Implementation;
- Protecting keys and algorithms; and
- Monitoring and auditing.
The Draft Guide makes it clear that certain pseudonymization techniques can be adopted in compliance with the LGPD, including data substitution, data obfuscation, tokenization, encryption, data masking and salting. The draft also presents techniques for anonymizing structured textual data and images.
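To show the distinction the ANPD draws (pseudonymization keeps ancillary data that allows the link to be re-established; anonymization keeps none), here is an added example, not code from the Draft Guide. It replaces a direct identifier with a keyed token (an HMAC, used here as the keyed-hash counterpart of the salting and tokenization techniques the guide lists), keeps the token-to-identity mapping apart from the pseudonymized records as the ancillary data, masks a second field, and contrasts this with simply dropping the identifier. The record layout, field names, key and `Pseudonymizer` class are constructed assumptions.

```python
"""Pseudonymization with keyed tokens and separately held ancillary data,
beside plain removal of identifiers. Added example; all data is constructed."""
import hashlib
import hmac

# Constructed sample records with a direct identifier (cpf) and a phone number.
RECORDS = [
    {"cpf": "123.456.789-09", "phone": "+55 11 91234-5678", "plan": "gold"},
    {"cpf": "987.654.321-00", "phone": "+55 21 99876-5432", "plan": "basic"},
    {"cpf": "123.456.789-09", "phone": "+55 11 91234-5678", "plan": "gold"},
]


class Pseudonymizer:
    """Controller-side component holding the ancillary data.

    The secret key and the token->identifier lookup are stored apart from the
    pseudonymized data set. With them the controller can re-establish the link
    to the data subject; without them a token is an opaque string."""

    def __init__(self, key: bytes):
        self._key = key
        self._lookup = {}  # token -> original identifier (ancillary data)

    def token(self, identifier: str) -> str:
        # Keyed HMAC: the same identifier always maps to the same token under
        # one key, so records can still be joined, but the token cannot be
        # recomputed without the key.
        tag = hmac.new(self._key, identifier.encode(), hashlib.sha256).hexdigest()[:16]
        self._lookup[tag] = identifier
        return tag

    def reidentify(self, tag: str):
        """Reverse the process using the ancillary data (pseudonymization only)."""
        return self._lookup.get(tag)


def mask(value: str, keep_last: int = 4) -> str:
    """Data masking: hide all but the trailing characters of a value."""
    visible = value[-keep_last:] if keep_last else ""
    return "*" * (len(value) - len(visible)) + visible


def pseudonymize(records, direct_ids, masked, pseud):
    """Tokenize direct identifiers and mask other fields; keep everything else."""
    out = []
    for record in records:
        copy = dict(record)
        for field in direct_ids:
            copy[field] = pseud.token(copy[field])
        for field in masked:
            copy[field] = mask(copy[field])
        out.append(copy)
    return out


def remove_identifiers(records, direct_ids):
    """Anonymization-style removal: drop the identifiers and keep no lookup."""
    return [{k: v for k, v in r.items() if k not in direct_ids} for r in records]


if __name__ == "__main__":
    p = Pseudonymizer(b"constructed-secret-key")  # would live in a key store
    for row in pseudonymize(RECORDS, ("cpf",), ("phone",), p):
        print(row, "->", p.reidentify(row["cpf"]))
    print(remove_identifiers(RECORDS, ("cpf", "phone")))
```

The first and third records tokenize identically, which is what makes pseudonymized data still useful for joins and audits, and also why the key and lookup table are the assets that a pseudonymization policy (the guide's "protecting keys and algorithms" step) has to guard; the `remove_identifiers` path keeps nothing that could re-establish the link.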
The ANPD will accept contributions to the Draft Guide until February 28, 2024. Submissions can be made via the Participa+ Brasil platform.
Consultation on the Rights of Data Subjects
On February 2, the ANPD opened a call for contributions to the drafting of rules that will regulate the rights of personal data subjects. In doing so, the ANPD seeks to receive contributions related to the form, deadlines and operational aspects of data subjects exercising their rights – both from the perspective of the processing agents and the data subjects themselves.
The consultation has been divided into seven blocks totaling 30 questions, which cover the following topics:
- The relationship between data controllers and data subjects: Questions about the guidelines that should govern the timeframe and manner in which controllers must comply with the rights of data subjects.
- Information on processing: Questions about the possible ways data subjects can obtain information, especially in regard to confirming if processing has taken place, access to data, information on public and private entities the controller has shared data with, and information on the possibility of not providing consent and the consequences of refusing to do so.
- Data portability: Questions about appropriate procedures for ensuring data subjects can both obtain their personal data and receive it in a format that facilitates data transfers between processing agents.
- Correcting processed data: Questions about the procedures and prior considerations for fulfilling this right, including adequate reasons for any refusals, validating the data subject’s identity, and efficient communication with other processing agents.
- Anonymization, blocking, deletion, and opposition in the event of irregular processing: Questions aimed at identifying situations and ways of curbing data processing carried out in breach of the LGPD’s provisions, as well as demanding that this be stopped.
- Revoking consent: Questions aimed at identifying the consequences if a data subject moves to revoke consent.
- Decisions based on automated processing: Questions aiming to identify what would characterize an automated decision, a decision made solely on the basis of automated personal data processing, and the criteria for determining when a data subject’s interests have been affected.
The ANPD will accept responses to its proposed questions until March 4, 2024, which can be submitted via the Opine Aqui section of the Participa+ Brasil platform.
For more information on these subjects, please contact Mattos Filho’s Data Protection & Cybersecurity practice area.