Class actions are used in various jurisdictions as a key mechanism for the protection of collective rights. The Brazilian legal action that most closely resembles class actions in the USA is the Public Civil Action (ACP), which has served over the years as the primary tool for protecting personal data in Brazil.
Before the LGPD came into force, the Consumer Protection Code was the legal basis for Public Civil Actions (ACPs), as personal data breaches usually impacted consumer rights. Additionally, these lawsuits were backed by the general right to privacy provision, as established in the Brazilian Federal Constitution.
Legitimate parties
Unlike other jurisdictions, individuals in Brazil do not have the right to file class actions. Under Brazilian law, this right is reserved for certain entities, including designated private associations and public institutions like the Union and the Public Prosecutor’s Office. The Public Prosecutor’s Office, alongside these associations, has been the most frequent claimant in ACPs.
Object of the claims
Regarding the subject matter in dispute, most cases involving data breaches pertain to either (i) the unlawful processing of personal data or (ii) data leaks, and are based on consumer rights, privacy, and data protection regulations.
Controller’s liability
The assessment of the controller’s civil liability in ACPs related to data breaches involves two primary factors: (i) whether the damage is presumed (in re ipsa) and (ii) whether the liability is strict.
Although the Brazilian Superior Court of Justice (STJ) has not yet ruled on class actions (ACPs) concerning data protection breaches, in 2023, the court held that moral damages were not in re ipsa (i.e., presumed) in an individual lawsuit related to a data leak.
The STJ has previously established that collective moral damages are presumed in ACPs involving rights other than data privacy. Therefore, it is likely that the court will extend this principle to ACPs addressing data privacy violations.
Regarding the type of liability for controllers, the most accurate interpretation of the LGPD provisions is that establishing liability requires an assessment of the controller’s fault. However, the LGPD stipulates that in consumer relations, data breaches are subject to the liability rules of the Brazilian Consumer Code, which imposes strict liability. Therefore, when a violation occurs within the context of a consumer relationship, the Consumer Code will take precedence over the LGPD provisions.
Sanctions
Regarding sanctions, courts have generally favored imposing obligations on the controller to take or refrain from specific actions (e.g., halting processing activities, deleting data, removing websites), rather than awarding indemnifications for non-material damages.
Although this approach indicates that the primary goal of ACP rulings is to educate wrongdoers, there have been instances where lower courts have imposed pecuniary sanctions for both collective and individual moral damages.
Final remarks
It is premature to assert a clear pattern in ACP rulings related to violations of data protection regulations, as the current cases have not yet been reviewed by higher courts. Nonetheless, we anticipate that the number of ACPs aimed at addressing this type of violation will rise in Brazil in the coming years. This expectation is grounded in the newly established and significantly more comprehensive legal framework introduced by the LGPD, as well as the fact that ACPs are exempt from legal costs and attorney’s fees and that, generally, the damage is presumed (in re ipsa).