Initial Remarks on the Concept of Personal Data under the Brazilian Legal System
Keywords:
Personal data, Identifiability, Anonymised data, Pseudonymised data, LGPDAbstract
This article focuses on the notion of personal data and its elements in the light of the Brazilian legal system. The work consists of doctrinal qualitative legal research. The methodological approach adopted is in accordance with the deductive method to achieve the aims of outlining the contours of the legal concept of personal data in Brazil, and objective criteria to the interpretation-application of corresponding data protection legal norms. Structured in three main parts, the paper (i) considers regulatory perspectives and theoretical-dogmatic approaches to the concept of personal data, taking advantage of some relevant lessons on the identifiability of the human person; (ii) analyzes elements other than identifiability that are relevant to the conceptualization of personal information; and (iii) appreciates the distinction between personal data and non-personal data in the LGPD system, taking into account the boundaries between anonymized and pseudonymized data, as well as some of its legal effects. It is concluded that the expansionist approach adopted by the Brazilian regulation expresses itself in the broad concept of personal data, creating certain complexities brought by both objective and relative approaches as regards to the data subject identifiability, especially the criteria of the means reasonably likely to be used, i.e. of the reasonable efforts, for (re)identifying the data subject.
Downloads
References
ADRIAANS, Pieter. Information. The Stanford Encyclopedia of Philosophy – Edward N. Zalta (ed.). Disponível em: https://plato.stanford.edu/. Acesso em: 06 abr. 2023.
AGENCIA ESPAÑOLA DE PROTECCIÓN DE DATOS. Introducción al hash como técnica de seudonimización de datos personales. [S.l.]: AEPD, 2019. Disponível em: https://www.aepd.es/. Acesso em: 06 abr. 2023.
ALBERS, Marion. A complexidade da proteção de dados. Direitos Fundamentais & Justiça, v. 10, n. 35, p. 19–45, 2016.
A-LEVELS and GCSEs: How did the exam algorithm work? BBC, [s.l.], 20 ago. 2020. Disponível em: https://www.bbc.com/. Acesso em: 30 jun. 2022.
ANDRADE, Manuel A. Domingues de. Teoria geral da relação jurídica. reimp. Coimbra: Almedina, 1992, v. 1.
ARTICLE 29 DATA PROTECTION WORKING PARTY. Opinion 4/2007 on the concept of personal data. Bruxelas: [s. n.], 2007, p. 12. Disponível em: http://ec.europa.eu/. Acesso em: 06 abr. 2023.
ARTICLE 29 DATA PROTECTION WORKING PARTY. Privacy on the Internet – An integrated EU Approach to On-line Data Protection. Bruxelas: [s. n.], 2000. Disponível em: http://ec.europa.eu/. Acesso em: 06 abr. 2023.
ARTICLE 29 DATA PROTECTION WORKING PARTY. Opinion 2/2010 on online behavioral advertising. Bruxelas: [s. n.], 2010. Disponível em: https://ec.europa.eu/. Acesso em: 06 abr. 2023.
AUTORIDADE NACIONAL DE PROTEÇÃO DE DADOS. Nota Técnica nº 3/2023/CGF/ANPD. Disponível em: https://www.gov.br/. Acesso em: 19 mar. 2023.
BENNETT, Colin J.; RAAB, Charles D. The Governance of Privacy: Policy Instruments in Global Perspective. 1. Ed. London-New York: Routledge, 2003.
BIONI, Bruno. Xeque-Mate: o tripé de proteção de dados pessoais no xadrez das iniciativas legislativas no Brasil. São Paulo: GPOPAI, 2015.
BIONI, Bruno R. Proteção de dados pessoais: a função e os limites do consentimento. 1. ed. Rio de Janeiro: Forense, 2019.
BIONI, Bruno R. Compreendendo o conceito de anonimização e dado anônimo. Revista do Advogado, São Paulo, v. 39, n. 144, p. 22-32, nov. 2019.
BORGESIUS, Frederik Zuiderveen. Singling out people without knowing their names – Behavioural targeting, pseudonymous data, and the new Data Protection Regulation. Computer Law and Security Review, v. 32, n. 2, p. 256–271, 2016.
BORGESIUS, Frederik Zuiderveen. The Breyer Case of the Court of Justice of the European Union: IP Addresses and the Personal Data Definition. European Data Protection Law Review, v. 3, n. 1, p. 130–137, 2017.
BENNETT, Colin J.; RAAB, Charles D. The Governance of Privacy: Policy Instruments in Global Perspective. 1. ed. London-New York: Routledge, 2003.
BUTLER, Brian E. Legal Pragmatism: Banal or Beneficial as a Jurisprudential Position? Essays in Philosophy, v. 3, n. 2, p. 269-286, jun. 2002.
CARVALHO, Sérgio M.; FIORINI, Carolina. Dados não pessoais: a retórica da anonimização no enfrentamento à COVID-19 e o privacywashing. Internet & Sociedade, v. 1, n. 2, p. 126–149, dez. 2020.
CAVOUKIAN, Ann; EMAM, Khaled El. Dispelling the Myths Surrounding Anonymization Remains a Strong Tool for Protecting Privacy. Information and Privacy Commissioner, Ontario, Canada, n. June, 2011. Disponível em: https://www.ipc.on.ca/. Acesso em: 06 abr. 2023.
CORDEIRO, António Barreto Menezes. Dados pessoais: conceito, extensão e limites. Revista de Direito Civil, Coimbra, v. 3, n. 2, p. 297-321, 2018.
COUNCIL OF EUROPE. Recommendation CM/Rec(2021)8 of the Committee of Ministers to member States on the protection of individuals with regard to automatic processing of personal data in the context of profiling. Disponível em: https://search.coe.int/. Acesso em: 12 nov. 2021.
CRAWFORD, Kate; BOYD, dana. Critical questions for Big Data: Provocations for a cultural, technological, and scholarly phenomenon. Information, Communication & Society, v. 15, n. 5, p. 662–679, 2012.
CUEVA, Ricardo Villas Bôas. Proteção de dados pessoais no Judiciário. Revista do Advogado, São Paulo, n. 144, p. 6–12, nov. 2019.
CUKIER, Kenneth; MAYER-SCHÖNBERGER, Viktor. Big Data: A Revolution That Will Transform How We Live, Work, and Think. Boston: Houghton Mifflin Harcourt, 2013.
DE MONTJOYE, Yves-Alexandre et al. Unique in the Crowd: The privacy bounds of human mobility. Scientific Reports, v. 3, p. 1–5, 2013.
DONEDA, Danilo. Da privacidade à proteção de dados pessoais. 2. ed. São Paulo: Revista dos Tribunais, 2020.
DUHIGG, Charles. How Companies Learn Your Secrets. The New York Times Magazine, 16 fev. 2012. Disponível em: https://www.nytimes.com/. Acesso em: 06 abr. 2023.
DWORKIN, Ronald. O império do direito. Trad. Jefferson Luiz Camargo. São Paulo: Martins Fontes, 1999.
ENGISCH, Karl. Introdução ao pensamento jurídico. 8. Ed. Trad. João Baptista Machado. Lisboa: Fundação Calouste Gulbenkian, 2001.
ESTADOS UNIDOS. Children’s Online Privacy Protection Act of 1998. Disponível em: https://www.law.cornell.edu/. Acesso em 14 jan. 2021.
EUROPEAN UNION AGENCY FOR FUNDAMENTAL RIGHTS. Handbook on European Data Protection Law. Luxembourg: Publications Office of the European Union, 2018.
EUROPEAN AGENCY FOR CYBERSECUIRTY. Deploying pseudonymisation techniques: the case of the health sector. [S.l.]: ENISA, 2022. Disponível em: https://www.enisa.europa.eu/. Acesso em: 06 abr. 2023.
FACIAL recognition: School ID checks lead to GDPR fine. BBC News, 27 ago. 2019. Disponível em: https://www.bbc.com/. Acesso em: 14 jan. 2020.
FINCK, Michèle; PALLAS, Frank. They Who Must Not Be Identified – Distinguishing Personal from Non-Personal Data Under the GDPR. International Data Privacy Law, v. 10, n. 1, p. 11–36, 2020.
FINOCCHIARO, Giusella. Anonimato. In: Digesto delle Discipline Privatistiche – Sezione Civile. Aggiornamento. Torino: UTET, 2010. p. 12-20.
FLORIDI, Luciano. The ontological interpretation of informational privacy. Ethics and Information Technology, v. 7, n. 4, p. 185–200, 2005.
FRAZÃO, Ana; CARVALHO, Angelo Prata de; MILANEZ, Giovanna. Curso de proteção de dados pessoias: fundamentos da LGPD. Rio de Janeiro: Forense, 2022.
GARFINKEL, Simson L. De-Identification of Personal Information. [S.l.]: National Institute of Standards and Technology, 2015. Disponível em: https://nvlpubs.nist.gov/. Acesso em: 06 abr. 2023.
GITELMAN, Lisa (Org.). ‘Raw data’ is an oxymoron. Cambridge; London: The MIT Press, 2013.
GRATTON, Éloïse. Understanding Personal Information: Managing Privacy Risks. Markham: LexisNexis, 2013.
GRAY, Stacey. A Closer Look at Location Data: Privacy and Pandemics. Future of Privacy Forum, 2020. Disponível em: https://fpf.org/. Acesso em: 06 abr. 2023.
HILDEBRANDT, Mireille. Smart Technologies and The End(s) of Law. Cheltenham-Northampton: Edward Elgar, 2015.
HOEPMAN, Jaap-Henk. Privacy is hard and seven other myths: achieving privacy through careful design. Cambridge: The MIT Press, 2021.
HOOFNAGLE, Chris J.; VAN DER SLOOT, Bart; BORGESIUS, Frederik Z. The European Union general data protection regulation: what it is and what it means. Information & Communications Technology Law, v. 28, n. 1, p. 65–98, 2019.
INTERNATIONAL COMMITTEE OF THE RED CROSS. Handbook on Data Protection in Humanitarian Action. 2. ed. Geneva: ICRC, 2020.
KERR, Ian. Foreword. In: GRATTON, Éloïse. Understanding Personal Information: Managing Privacy Risks. Markham: LexisNexis, 2013.
KUNER, Christopher; BYGRAVE, Lee A.; DOCKSEY, Christopher. The EU General Data Protection Regulation: A Commentary. 1. ed. Oxford: Oxford University Press, 2020.
MACHADO, Diego C.; SOUZA, Carlos Affonso P. Tutela da privacidade, guarda de registros e portas lógicas no direito brasileiro. In: FERRARI, Isabela; BECKER, Daniel (Org.). Regulação 4.0 – Novas tecnologias sob a perspectiva regulatória. São Paulo: Revista dos Tribunais, 2019. p. 247-277.
MANTELERO, Alessandro. Responsabilità e rischio nel Reg. UE 2016/679. Le Nuove Leggi Civili Commentate, v. XL, n. 1, p. 144-164, 2017.
MARTINS, Guilherme M.; LONGHI, João Victor R.; FALEIROS JÚNIOR, José Luiz de M. Comentários à Lei Geral de Proteção de Dados Pessoais: Lei 13.709/2018. Indaiatuba: Editora Foco, 2022.
MACHADO, Diego; MENDES, Laura Schertel. A proteção dos dados sensíveis inferidos: um comentário ao Caso C-184/20 do Tribunal de Justiça Europeu. Revista de Direito do Consumidor, São Paulo, v. 144, a. 31, p. 97-121, nov./dez. 2022.
MENDES, Laura Schertel. Privacidade, proteção de dados e defesa do consumidor: linhas gerais de um novo direito fundamental. São Paulo: Saraiva, 2014.
MENDES, Laura Schertel. Habeas data e autodeterminação informativa: os dois lados da mesma moeda. Direitos Fundamentais & Justiça, v. 12, n. 39, p. 185–216, 2018.
MENDES, Laura Schertel; FRITZ, Karina Nunes. Case Report: Corte Alemã Reconhece a Transmissibilidade da Herança Digital. Direito Público, Porto Alegre, v. 15, n. 85, p. 188–211, 2019.
MIRANDA, Pontes de. Tratado de direito privado. Rio de Janeiro: Borsoi, 1954, t. 1.
MOURBY, M. et al. Are ‘pseudonymised’ data always personal data? Implications of the GDPR for administrative data research in the UK. Computer Law and Security Review, v. 34, n. 2, p. 222–233, 2018.
NARAYANAN, Arvind.; SHMATIKOV, Vitaly. Myths and fallacies of personally identifiable information. Communications of the ACM, v. 53, n. 6, p. 24–26, 2010.
NARAYANAN, Arvind.; SHMATIKOV, Vitaly. Robust de-anonymization of large sparse datasets: a decade later. Disponível em: https://www.cs.princeton.edu/. Acesso em: 17 jun. 2022.
OFQUAL. Executive Summary – Awarding GCSE, AS, A level, advanced extension awards and extended project qualifications in summer 2020: interim report. Londres: [s. n.], 13 ago. 2020. Disponível em: https://assets.publishing.service.gov.uk/. Acesso em: 29 jul. 2022.
OHM, Paul. Broken promises of privacy: responding to the surprising failure of anonymization. UCLA Law Review, n. 57, p. 1701-1777, 2010.
OLEJNIK, Lukasz; ACAR, Gunes; CASTELLUCCIA, Claude; DIAZ, Claudia. The leaking battery A privacy analysis of the HTML5 Battery Status API. Disponível em: https://eprint.iacr.org/. Acesso em: 06 abr. 2023.
PEARCE, Henry. Big data and the reform of the European data protection framework: an overview of potential concerns associated with proposals for risk management-based approaches to the concept of personal data. Information and Communications Technology Law, v. 26, n. 3, p. 312–335, 2017.
PERSONAL DATA PROTECTION COMMISSION. Guide to basic anonymisation. Singapura: PDPC Singapore, 2022. Disponível em: https://www.pdpc.gov.sg/. Acesso em: 06 abr. 2023.
PINHEIRO, Alexandre Sousa et. al. Comentário ao Regulamento Geral de Proteção de Dados. Coimbra: Almedina, 2018.
PINTO, Paulo Mota. O direito ao livre desenvolvimento da personalidade. Boletim da Faculdade de Direito da Universidade de Coimbra. Número especial Portugal-Brasil ano 2000. Coimbra: Coimbra Editora, 1999.
POLONETSKY, Jules et. al. The seven states of data: when is pseudonymous data not personal information?. The Future of Privacy Forum, 2013. Disponível em https://fpf.org/. Acesso em: 06 abr. 2023.
POSNER, Richard A. Overcoming Law. Cambridge: Harvard University Press, 1995.
PYRGELIS, Apostolos; TRONCOSO, Carmela; DE CRISTOFARO, Emiliano. Measuring Membership Privacy on Aggregate Location Time-Series. Proceedings of the ACM on Measurement and Analysis of Computing Systems, v. 2, n. 4, 2020.
PURTOVA, Nadezhda. The law of everything. Broad concept of personal data and future of EU data protection law. Law, Innovation and Technology, v. 10, n. 1, p. 40–81, 2018.
RESTA, Giorgio. La “morte” digitale. Il Diritto dell’Informazione e dell’Informatica, Milão, v. XXIX, n. 6, p. 891–920, 2014.
ROCHER, L.; HENDRICKX, J. M.; DE MONTJOYE, Y. A. Estimating the success of re-identifications in incomplete datasets using generative models. Nature Communications, v. 10, n. 1, 2019.
SMITH, Mick Smith; AGRAWAL, Rajeev. Anonymization Techniques. In: SCHINTLER, Laurie A.; MCNEELY, Connie L. (Orgs.). Encyclopedia of Big Data. Cham: Springer, 2022. p. 30-33.
THOMPSON, Stuart A.; WARZEL, Charlie. The Privacy Project – Twelve Million Phones, One Dataset, Zero Privacy. The New York Times, 19 dez. 2019. Disponível em: https://www.nytimes.com/. Acesso em: 14 jan. 2020.
SCHÜRHOLZ, Daniel; KUBLER, Sylvain; Zaslavsky, Arkady. Artificial intelligence-enabled context-aware air quality prediction for smart cities. Journal of Cleaner Production, v. 271, 2020.
SCHWARTZ, Paul M.; SOLOVE, Daniel J. The PII Problem: Privacy and a New Concept of Personally Identifiable Information. New York University Law Review, v. 86, p. 1814–189, dec. 2011.
SOLOVE, Daniel J. Understanding Privacy. Cambridge; London: Harvard University Press, 2008.
SPINDLER, Gerald; SCHMECHEL, Philipp. Personal Data and Encryption in the European General Data Protection Regulation. Journal of Intellectual Property, Information Technology and Electronic Commerce Law, v. 7, p. 163-177, 2016.
UNIÃO EUROPEIA. Regulamento (UE) nº 2016/679 do Parlamento Europeu e do Conselho, de 23 de abril de 2016, relativo à proteção das pessoas singulares no que diz respeito ao tratamento de dados pessoais e à livre circulação desses dados e que revoga a Diretiva 95/46/CE (Regulamento Geral sobre a Proteção de Dados). Jornal Oficial da União Europeia, Estrasburgo, 04/05/2016. Disponível em: https://op.europa.eu/. Acesso em: 06 abr. 2023.
UNIÃO EUROPEIA. Tribunal de Justiça da União Europeia. Segunda Seção. Case C-434/16, Peter Novak v. Data Protection Commissioner. Luxemburgo, 20 dez. 2017.
VIMERCATI, Sabrina de C., FORESTI, Sara. Quasi-Identifier. In: VAN TILBORG, Henk C. A.; JAJODIA, Sushil (Orgs.). Encyclopedia of Cryptography and Security. Springer: Boston, 2011.
WACKS, Raymond. Personal Information: Privacy and the Law. Oxford: Oxford University Press, 1989.
WACHTER, Sandra; MITTELSTADT, Brent D. A Right to Reasonable Inferences: Re-thinking Data Protection Law in the Age of Big Data and AI. Columbia Business Law Review, v. 2019, n. 2, p. 494-620, 2019.
ZENO-ZENCOVICH, Vincenzo. Informazione (profili civilistici). In: Digesto – Sezione Civile. Torino: UTET, 1993. v. IX.
Civilistica.com is licensed under a 