In addition to administrative sanctions, which fall within the competence of Brazil’s data protection authority, the Autoridade Nacional de Proteção de Dados, the General Data Protection Law provides for civil liability of the controller or processor that, when carrying out data processing activities, causes property, moral, individual or collective damage in violation of the law.

On the one hand, administrative sanctions are not yet a reality in Brazil, since the ANPD has not concluded the regulation process for the parameters and criteria for enforcement actions, though this should occur in the first half of 2023. On the other hand, the judiciary in Brazil has continuously sought to address the LGPD, mainly in claims brought by data subjects seeking compensation for material and moral damages.

Opice Blum Advogados' Jurimetrics Report analyzed more than 400 second-instance decisions (state courts and the Superior Court of Justice) issued throughout 2022 to understand how the judiciary is applying the new data privacy regulation. The study found some interesting trends to closely monitor in the space.

1. Data breaches do not necessarily generate an obligation to indemnify

The courts are not automatically granting the right to compensation to individuals who experience a data breach. Data subjects are being required to prove the moral or material damage suffered from the data breach, since mere allegations that the data breach caused damage are not accepted by the courts.

2. Debt collection and credit scoring are generating more litigation

Nearly half of the court decisions we analyzed were related to the processing of personal data for debt collection or credit protection.

There is already recognition in the courts of the legal basis of credit protection (in the EU General Data Protection Regulation, it is the “legitimate interest”), regardless of consent. In one specific case, the court ruled in favor of the individual and ordered the defendant to immediately stop disclosing, allowing access to or sharing the individual's personal data without their consent. The court also granted a partial order stating that all data not directly related to credit protection — such as voter registration number, name of mother, lifestyle, social class, schooling, marginal propensity to consume and georeferencing — must be excluded.

With the fraudulent use of data (such as false bank slips) in debt collection, the courts understood that the processing activity was not lawful and ordered the data controller to pay compensation to the individual, ranging from $500 to $2,000.

We also noted that when the courts understood the processing was necessary and lawful for credit protection, the sharing of personal data for this purpose was allowed without the need to collect consent from the data subject.

3. Fraud and data protection

Fines imposed on companies for fraud involving personal data are nothing new. Spain’s data protection authority, the Agencia Española de Protección de Datos, recently fined Vodafone for issuing a SIM card to a fraudster, which involved processing the victim’s personal data. In this case, since the victim did not request the service, Vodafone did not have a legal basis to process their personal data.

Similarly, our research also found court decisions in Brazil that held companies liable for compensating victims of fraud, arguing that the LGPD holds data processing agents responsible for ensuring personal data is processed in compliance with the law and that it is the company's responsibility to monitor for fraud, for example according to the profile of its customers.

4. Secondary use of data without the proper transparency

Courts are being tough in cases where personal data is used for a secondary purpose, especially when the data processing agent did not take proper measures to be transparent about how the data could subsequently be used. More than 80% of the courts ruled in favor of the data subject when there was a diversion of purpose in the processing of personal data and, when combined with a lack of transparency, this number jumps to 91%, with indemnities that reached up to $2,000.

Other takeaways

Other interesting takeaways we could extract from the more than 70-page report include:

  • In nearly all cases where individuals requested the deletion of their personal data, the court ruled in their favor. This was the most pursued right in the claims made in courts, appearing in 64% of all cases mapped in our research.
  • Claims regarding improper sharing or disclosure of personal data were responsible for two-thirds of the claims that reach higher courts.
  • In 80% of claims that resulted in a favorable outcome for the data subject, the data processing agent had to pay an indemnity. In 59% of them, the court obliged the data processing agent to stop a processing activity or to delete the data.
  • Court decisions ruled that consent is not necessary to process data for debt collection or credit protection.

The 2021 report, released one year ago, focused on entrance courts and found that the main reasons data subjects filed claims were data breaches and questioning the legal basis for processing personal data. Though the data collected did not provide insight into the reason for the shift between entrance and superior courts, it is likely that either companies are opting for agreements in these cases rather than appealing and prolonging the discussion, or the data subjects themselves are giving up the appeal in the face of an unfavorable first-instance decision.

Trends observed in previous years have continued to be present, such as the majority of claims being related to data exclusion requests, the requirement for data subjects to prove the harm they have suffered to receive compensation, and the low rate of negative sentences for data processing agents.

Also, in both reports, we noted that the courts (at entrance or superior levels) are being very careful not to indiscriminately condemn companies to pay indemnities when the material or moral damage was not proved, avoiding the collateral damage of mass litigation and of weakening incentives for companies in Brazil to embrace the data-driven economy.

Lastly, the courts are showing they understand that legal bases other than consent, such as credit protection, can be used to process personal data. The existence of such possibilities to process data is a major development in our regulatory environment and important to foster innovation and the digital economy, and it is now being recognized and consolidated in our courts.

Overall, while there are valuable insights and a general understanding of how courts are interpreting the LGPD, the Brazilian privacy landscape is constantly evolving. More time is needed to establish a consistent understanding, and the regulations set to be released by the ANPD could significantly change the current understanding of the courts.