The Court of Justice of São Paulo (TJSP) reversed, in second instance, the conviction of the construction company Cyrela in a case where the company was accused of share data and a customer’s contacts with stores and banks, without their knowledge, after purchasing a property from them.
The company had been convicted in the case in September of last year, in what became the first sentence by the General Data Protection Law (LGPD) in Brazil, the law that guaranteed consumers the right to know and control the use that companies make of their information.
In the new judgment, held last week, on August 24, the understanding was that there was not enough evidence to prove that the sharing of information had been done by the developer, and not by other real estate companies and brokers with whom the client also had contact. .
The judges also highlighted the fact that the LGPD was not yet in effect when the purchase of the property took place in November 2018. The client’s lawyers told the CNN Brasil Business who will appeal the decision.
Approved in August 2018, the LGPD entered into force on September 18, 2020 – eleven days before the first decision that condemned Cyrela, issued on September 29.
Despite the new decision now favorable to the company, lawyers consulted by CNN Business assess that the outcome of this first case does not necessarily harm consumers in future cases linked to the LGPD, as the law is still very young and is just beginning to form the first consensus in the Judiciary.
Decoration and financing offers
In the action, the client – who is also a lawyer in the area of digital rights – says that he started to receive a series of messages and calls from services related to the real estate market, such as financing, renovations and decoration, weeks after completing the purchase of an apartment of Cyrela in São Paulo.
Many of the approaches directly mentioned the name and location of the development where the property was purchased.
In the first trial, last year, the judge in charge of the case understood that there was a violation of the consumer’s privacy protection and ordered Cyrela to pay an indemnity of R$ 10 thousand for moral damages; decision that the construction company appealed and is now reversed.
In addition to pointing out the insufficiency of evidence, the new decision that exonerates Cyrela also overturned the payment of the indemnity, considering that “the simple forwarding of generic messages by email or WhatsApp is not a conduct likely to cause moral damage” and is just a “mere annoyance”, according to the vote report.
It is a common understanding in decisions regarding bank charges and other types of sales, in which only calls considered “abusive”, which are repeated dozens of times in a few hours, for example, are usually condemned.
Right before LGPD
To CNN Business, the VilelaCoelho office, responsible for the prosecution, said it will appeal the decision. “How will the consumer prove it was Cyrela? Only if you have access to her database or if she confesses”, said lawyer and partner at VilelaCoelho Mario Filipe Santos.
“It’s a decision that sets a dangerous precedent, because it raises the idea that the company can protect itself in the consumer’s hardship and therefore violate the law at will.”
Santos also claims that the right to protection of consumer data by the companies to whom it is provided has existed since long before the LGPD, which would not invalidate the claim just because it was made before the new data law.
“It’s in the Constitution, in the Consumer Defense Code, in the Marco Civil da Internet, in the Positivo Registry. The LGPD is a law that brought together all these rights”, he stated.
The new law is cited in the action, which was filed in 2019, but is not the main reference used in the indictment, which uses as a basis other previous legislation that already addressed the protection of consumer privacy.
The assessment that the developer’s actions would also have violated the recently approved LGPD was later expanded by the judge who analyzed the case at the first instance and who rendered the first conviction last year.
In a note to the report, Cyrela reinforced the lack of evidence indicating the misuse of its customers’ data and stated that it has carried out several programs to expand data protection policies and adapt to the requirements of the new data law.
Among the actions taken, the developer mentions the creation of an internal privacy committee, the hiring of specialists dedicated exclusively to data protection management and training of employees, partners and brokers on the new LGPD rules.
“This result [do processo] is extremely relevant for the real estate market, highlighting the importance of implementing the company’s privacy program, which has dedicated efforts to the preventive aspect (…) and to intensifying internal and external communications regarding data protection”, said Cyrela.
LGPD gives more security to future cases
In the assessment of attorney Patrícia Peck, president of the Data Protection Committee of the Brazilian Bar Association in São Paulo (OAB-SP), the “Cyrela case” suffers from being the first and from having happened in a moment of transition to the General Data Protection Law.
For that reason, she doesn’t believe that a decision in favor of the company now will make it difficult for other consumers to complain in the future.
“The jurisprudence on the LGPD is still being formed,” said Peck. “This is just one of the first cases, and in a very particular situation. It should not be decisive for future cases.”
Also according to the lawyer, with the LGPD now fully operational, the consumer tends to more automatically gain protections which, in this trial, ended up weighing in Cyrela’s favor.
It is the case that the responsibility for proof (the company that must prove that it has not shared data with third parties) is transferred from the consumer to the company, as well as the company’s obligation to also answer for partners and third parties, in the case of real estate companies and partner brokers.
These obligations, according to her, now appear much more explicitly in the General Data Protection Law. “If the law had already been in force, the outcome could certainly have been different,” he said.