On January 30, 2024, the Brazilian Data Protection Authority ("ANPD") released its guide on data anonymization and pseudonymization, including a preliminary study on the topic (the "Preliminary Study"), for public consultation.

According to the General Personal Data Protection Law (Law No. 13,709/2018 – "LGPD"), the anonymization process aims to ensure that a data subject can no longer be identified by certain data, taking into account reasonable technical means available at the time of processing. As such, anonymized data is not considered personal data—unless the anonymization process is reversed—and is therefore excluded from the LGPD's application.

During the pseudonymization process, data loses the possibility of direct or indirect association with a data subject, but it can still lead to the subject's identification with the aid of additional information kept separately by the controller itself. According to the ANPD, the separate maintenance of such additional information must include technical and organizational measures to ensure its security and limited access.

Given this legal framework, the Preliminary Study outlines additional considerations regarding the processes of anonymizing and pseudonymizing personal data.

  • The greatest risk in the anonymization process is that the corresponding subjects will still be identifiable from the data, even after anonymization. For this reason, every anonymization process must follow risk-management guidelines, based on specific metrics (e.g., k-anonymization).
  • One of the clearest examples of the pseudonymization process is encryption. The study recommends the adoption of event logs and monitoring systems to ensure the traceability of identifier keys used in this process.
  • The ANPD reinforces that a risk management process must be documented—the ANPD may request this re-identification risk assessment during any investigation or sanction. In this sense, the Preliminary Study proposes an anonymization approach based on certain steps, with the aim of continually assessing acceptable risk limits for re-identification. The measurement metric will consider the cost and time required to re-identify the data, taking into account the existing technologies, as well as the diversity of nature, scope, context, and purpose of each processing activity.
  • As the LGPD itself requires in Article 12, in addition to the above factors, the management of re-identification risk must evaluate the means available to the controller—and the potential, reasonable efforts from third parties—to re-identify data subjects.
    • When the anonymization process can be reversed using the controller's means alone, the data may have only been subject to pseudonymization.
    • Concerning reasonable efforts, the LGPD indicates that cost, time, and novel criteria must be taken into account. The Preliminary Study indicates that burdens stemming from the workforce and human resources, economic costs, and time spent re-identifying data should be evaluated by the processing agent during the risk management assessment in question. The study also points out that cybercrimes and illegal methods cannot serve as a reasonable benchmark in the "novel" criteria for calculating risk of re-identification.
  • The risk of re-identifying data subjects does not have to be zero, but must be based on reasonable criteria, taking into account the company's current capabilities, the nature of the data, the source of the data, and the technology used for anonymization.
  • The act of anonymizing requires an appropriate legal basis (Article 7 or Article 11 of the LGPD) and requires that such processing be lawful. Anonymizing a database in ways outside the scope of the LGPD does not make the use of such anonymized data legitimate, as the originating access was not in compliance with the LGPD (e.g., a company wants to survey a health database of a hospital to which it had illegal access).
  • In general, anonymization processing is secondary, subsequent to the original processing, and must therefore be compatible with the purpose initially disclosed to the data subjects, and must be for a specific, lawful, and useful purpose. Thus, anonymizing personal data to only keep it stored, without any useful and determined purpose, would not, in principle, be valid under the LGPD.
  • As anonymization takes into account state-of-the-art technology, it must be constantly re-evaluated to verify that the level of risk of re-identification of data subjects remains acceptably low.
  • The ANPD recommends that the anonymization process should not be fully automated, so that a human expert may ensure the effectiveness of the process.

Finally, the guide provides a non-exhaustive list of anonymization and pseudonymization techniques, depending on the type of data (e.g., structured text or images) processed:

  • Anonymization: suppression, generalization, masking, adding noise, permutation, blurring, and pixelation.
  • Pseudonymization: substitution, hash function, and encryption.

The public consultation on the Preliminary Study will be available until February 28, 2024.


© Copyright 2024. Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. All rights reserved.
