The new, as-yet unregulated social behavior precedes legislative innovation; that is, there is no way to establish rules for something to be developed. Sufficient time and maturation are needed for problems to arise and the legislator to regulate them.
It was no different with data protection laws. First, companies founded their foundations on the use and exploitation of their users’ data. There they found an open and poorly regulated flank to grow on. However, they did so without respecting personal and sensitive data, and the examples of abuse of this use are numerous, among them the case of Cambridge Analytica, responsible for the scheme of using Facebook’s data for electoral purposes.
Obviously, the enactment of the LGPD and other similar legislation in other countries, especially in the European Union (RGPD), are structured answers on how companies should use personal data; extremely valuable source of information in the development of efficient sales strategies and mechanisms.
Nevertheless, the LGPD is a dense data protection framework, requiring complex measures from companies. However, it does not seem reasonable to demand the same intensity of adaptation from large technology companies, whose main business is data processing, and from medium and small companies, whose use of data has become a mandatory requirement in the continuity and potential of their business.
As if that were not enough, the technology market has a strong monopolistic tendency and part of the abuse of personal and sensitive data is closely linked to this monopoly.
The importance of the LGPD to protect and safeguard personal and sensitive data, until then used indiscriminately by companies, is not discussed. The motion rests on two other points:
(i) Adaptation to the reality of medium and small companies, under penalty of the law becoming unenforceable; and
(ii) Violating the monopoly of large technology companies.
It is true that it is up to the Judiciary Branch to observe proportionality and reasonableness in the application of the legal system. However, as these are absolutely different realities, the legislator could have balanced measures of adequacy and penalties according to the volume of data and the profile of companies. It is unreasonable to imagine that small ones, who do not have “data” as their primary source of income, have the same adequacy traction and suffer the same consequences as large technology companies, which motivate all regulation.
This problem will not be solved with the expansion of the vacatio legis, postponing the validity of the law, but with measures capable of facilitating the proper processing of personal data for medium and small companies, thus creating fertile soil for the adjustments required by the legislation.
The mismatch increases if we consider the internet to be today’s public square and data the new fuel for the economy. The only way not to turn them into services to be franchisers by the State is to regulate and protect the use of data, as well as violate monopolies and increasing competition in the technological sector.
The LGPD, as well as other data protection legislation, is an important step forward, but it should be followed by other legislative innovations capable of materializing and facilitating its applicability to medium and small businesses.
André Salgado Felix: Partner at the Ernesto Borges firm. Professor at PUC/SP. Master’s student at PUC/SP. Law Graduate from PUC/SP, with specialization in Civil Litigation from School of Magistracy of São Paulo. Postgraduate degree in Contract Law from FGV/SP.
Available at: https://www.conjur.com.br/2021-mai-10/andre-felix-lgpd-pequenas-medias-empresas
Autor:
