Privacy Day has come and gone, bringing with it a week of reflection. Although many people today are trained to deal with data protection and privacy, we have noticed that, in general, most people lack the so-called “digital literacy”, first to understand essential concepts, and then to apply them to their reality.
LGPD e CDC
When researching popular social networks, it is not uncommon to come across posts encouraging the public to “fight for their rights”, as if the telegram data Data Protection Law (LGPD) were an addendum to the Consumer Protection Code (which also aims to protect individual rights, but operates with a very different logic). While data protection should be cultural and behavioral, consumer protection operates based on the coercive force of sanctions.
Consent
It turns out that this “confusion” is also, naturally, present in conversations and in everyday life. Including – and markedly – in the Judiciary. Thether in petitions or in decisions that basically revolve around compensation claims and structure the text by subtitles errors. Which leads us to another source of misunderstandings. The common belief that everything “in life” depends on consent.
It may seem like a cliché among professionals who (truly) specialize in the subject, but it is incredibly common for people to believe – and this is again replicated in the Judiciary – that consent is the most important legal hypothesis for data processing, or even the only “truly valid” one, to justify the actions of data processing agents. It is necessary to keep repeating, but before that, explaining, that there is no hierarchy between the bases for data processing and that consent, with all its value and relevance, is an inefficient and extremely complex hypothesis, making it effectively unfeasible to base an entire business model on it, for example.
Sensitive data
The conceptual barrier becomes evident again when people discuss, casually – or otherwise – sensitive data. It is common to state, quite eloquently, that “sensitive” data was “leaked” to the telemarketing company – and without due “consent” – when it was not sensitive data, nor was there a “security incident”, and it is perfectly possible to base telemarketing on legitimate interest. In fact, a “social” myth has been constructed that everything that is “mine” is sensitive “because it is mine”. Because “I” understand that the situation is sensitive. Because “it bothered me”.
Frauds
Many, in this vein, would find it shocking to hear that the LGPD was not because fraud occurred. Of course, no one gives “consent” to be uae phone number by a fraudster, but the legal basis for serving a customer or user – which the company genuinely was happening, being the least in the fraud possible – is usually contractual or even legal.
While it was not possible to expect a different conduct from the service provider, on the other hand, it is clear that no one is immune to making mistakes and that it is not possible to change a contract to include a new service, for example, without “tampering” with personal data. This type of logic – “if I didn’t want it, it must be against the LGPD” – also disregards the fact that for a third party to impersonate someone, it is an unavoidable premise that they already had their data (at least registration and authentication data) before necessarily contacting the data controller. Therefore, it continues to be surprising that in cases of fraud. The controller is in court for “data leaking. When they were by a criminal who already had the data they beforehand.