Controllers’ liability in cases of personal data breaches

The Superior Court of Justice (“STJ”, together with the Supreme Court, the two highest Brazilian courts) issued a decision last March restricting controllers’ liability for personal data breaches.

A consumer filed a claim seeking compensation for moral damages against a Brazilian power utility company over a leak of personal data, including name, ID, address, date of birth, and telephone number. The decision, which inaugurated the discussion in the Superior Court, stated that the mere occurrence of a breach does not grant the data subject the right to compensation for moral damages. The Court of Justice of the European Union (“CJEU”) recently ruled in the same way. In that case, the claim related to the sale of personal data to political organizations for targeted advertising purposes.

It is important to note, however, that aside from the judicial assessment, violations of both data privacy laws – GDPR (General Data Protection Regulation) and LGPD (Brazilian General Data Protection Law) – entail administrative sanctions. In this regard, the Brazilian Data Protection Authority (“ANPD”) has already indicated that controllers’ liability does not depend on the occurrence of damages to the data subject; rather, the mere violation of the law suffices to apply administrative sanctions.

It is too early to say whether the STJ decision mentioned herein will be followed by other court panels in future cases of LGPD violation. So far, in other consumer-related claims, the STJ has ruled on the grounds of damage in re ipsa (the mere violation of the law gives rise to an indemnification right).

Stay tuned for new developments on the matter.