According to the General Data Protection Law (LGPD), personal data would be all information that allows the direct identification of an individual, such as name, telephone number, address, ID, CPF, passport, work card, voter registration card, among others.
However, Fulgencio Madrid Conesa (1984, p. 45, apud OLIVEIRA, 2017, p. 66) teaches about the Mosaic Theory, according to which isolated data, which cannot be considered personal because they do not identify the owner, connected with other isolated data, can serve to identify the owner, as well as small pieces that make up a mosaic. By bringing together small, seemingly insignificant pieces (data) and structuring them in an orderly way, the figure (information) gains complete meaning.
To clarify, Maia (2019) explains that a license plate, in itself, is not considered personal data, but it can allow the identification of its owner if the owner has outstanding IPVA (vehicle tax) payments. A search in the Electronic Official Gazette using the license plate number is sufficient to identify the vehicle owner's CPF (Brazilian taxpayer ID). Thus, the concept of personal data, based on this mosaic theory, can encompass any data with this capacity, be it an IP number, email address, login, license plate number, among others.
Search engines like Google, Yahoo, and Bing catalyze, cross-reference, and select information, producing a network of increasing complexity with multiple and unpredictable results (MENDOZA, BRANDÃO, 2016, p. 11). Thus, Mosaic Theory warns us that much information considered irrelevant can, given the possible results of a simple internet search, lead us to establish complete profiles of a person (MENDOZA, BRANDÃO, 2016, p. 11).
According to this theory, it would also be possible to include data that indirectly has the potential to identify its owner within the scope of protection granted by the General Data Protection Law (LGPD). Companies will need to take extra care when collecting data from customers, employees, and partners.
[instagram-feed]
REFERENCES
MAIA, Cristiana Campos Mamede. The impacts of the Data Protection Law on the Compliance of new [and old] businesses. Canal Compliance, [sl], 2019. Available at: http://www.ccompliance.com.br/2019/04/10/os-impactos-da-lei-de-protecao-de-dados-no-compliance-dos-novos-e-velhos-negocios/. Accessed on: February 23, 2021
MENDOZA, Melanie Claire Fonseca; BRANDÃO, Luiz Mathias Rocha. From the Right to Privacy to Data Protection: From Supporting Theories to the Requirement of Contextualization. Journal of Law, Governance and New Technologies, Brasília, v. 1, n. 2, p. 223 – 240, 2016.
OLIVEIRA, Tassyara Onofre de. Gestão de Dados Pessoais: Uma análise de casos concretos a partir do ordenamento jurídico brasileiro. 2017. Dissertação de Mestrado (Mestrado) – Universidade Federal da Paraíba, João Pessoa, 2017. Disponível em: https://repositorio.ufpb.br/jspui/bitstream/tede/9770/2/Arquivo%20total.pdf. Acesso em: 23 fev. 2021.