Privacy for Individuals: Privacy Day has passed, bringing with it a week of reflection. Although many people today are empowered to deal with data protection and privacy, we generally perceive that most people lack "digital literacy," first to understand essential concepts, and then to apply them to their reality.

LGPD and CDC

When researching the most popular social media networks, it's not uncommon to come across posts that encourage the public to "fight for their rights," as if the General Data Protection Law (LGPD) were an addendum to the Consumer Protection Code (which also aims to protect individual rights, but operates with a very different logic). While data protection should be a matter of culture and behavior, consumer protection operates through the coercive force of sanctions.

Consent

It turns out that this "confusion" is also naturally present in conversations and everyday life, including – and markedly – ​​in the Judiciary, whether in petitions or decisions that revolve, basically, around requests for compensation and conceptual errors, which leads us to another source of misunderstandings: the common belief that everything "in life" depends on consent.

It may seem clichéd among professionals who truly specialize in the subject, but it is incredibly common for people to believe – and this is replicated in the Judiciary – that consent is the most important legal basis for data processing, or even the only truly valid one, to justify the actions of data controllers. It is necessary to keep repeating this, but before that, to explain, that there is no hierarchy among the bases for data processing and that consent, with all its value and relevance, is a rather inefficient and extremely complex basis, effectively making it unfeasible to base an entire business model on it, for example.

Sensitive data

The conceptual barrier becomes evident again when people discuss sensitive data, casually or otherwise. It is common to assert, quite eloquently, that "sensitive" data was "leaked" to the telemarketing company – without due "consent" – when neither sensitive data was involved, nor was there a "security incident," making it perfectly possible to base the telemarketing on legitimate interest. In fact, a "social" myth has been constructed that everything that is "mine" is sensitive "because it is mine." Because "I" understand that the situation is sensitive. Because "it bothered me." The concept of sensitive data, on the other hand, is objective and definitive and is included in the LGPD (Brazilian General Data Protection Law), in article 5, II: "personal data concerning racial or ethnic origin, religious beliefs, political opinions, membership of a trade union or religious, philosophical or political organization, data concerning health or sex life, genetic or biometric data, when linked to a natural person."

Data protection: Fraud

Many, along these lines, would find it shocking to assert that just because fraud occurred doesn't mean the LGPD (Brazilian General Data Protection Law) was violated. Certainly, no one gives "consent" to someone harmed by a fraudster, but the legal basis for assisting a client or user – what the company genuinely believed was happening, being the least interested party in the fraud – is usually contractual or even legal. 

While it was not possible to expect different conduct from the service provider, it is evident that no one is immune to making mistakes and that it is not possible to alter a contract to include a new service, for example, without "tampering" with personal data. This type of logic – "if I didn't want it, it must be against the LGPD" – also disregards the fact that for a third party to impersonate someone, it is an unavoidable premise that they already possessed their data (at least registration and authentication data) before necessarily contacting the data controller. Therefore, it remains surprising that in cases of fraud, the controller is judicially condemned for "data leakage" when they were approached by a criminal who already possessed the necessary data beforehand.

All for privacy

A better understanding of data protection, as we know, requires a cultural shift that will necessarily involve educating society. And this is a huge challenge. In the meantime, it is essential, especially among those who apply the law – in any position – to have a minimum level of in-depth knowledge to avoid not only "teaching" incorrectly, but also propagating these misconceptions throughout the Judiciary, thereby building a body of case law that will solidify and replicate avoidable errors.

Meanwhile, we will all benefit from helping to spread awareness of what seems obvious, but is far from it. During Data Protection Week, let's do this. mea culpa to try to contribute, whenever possible, to the cultural change and knowledge that we want to see reflected around us.

Did you enjoy this content? Check out other articles from this initiative. Privacy Week That might interest you:

Privacy for Businesses: Responsibilities and benefits of protecting data.

Privacy for the State: The role of public policies in data protection.