RIO DE JANEIRO, BRAZIL – The General Data Protection Act (LGPD) has “caught on.” Consumers have been turning to the courts to claim compensation for leaked personal data. However, for now, courts are divided on a point that experts consider to be key: the need for evidence to justify awarding “moral damages”.
This is the most common claim among the 660 lawsuits on conflicts related to personal data protection brought between January and mid-June, according to a survey by LBCA law firm.
The vast majority (636 lawsuits) were brought in the State of São Paulo. Only 26 cases are currently under analysis by appellate courts.
In addition to consumer redress, the courts have been sought by both workers and companies for access to data. Employees are requesting work schedule records and payment statements. Companies want the authorities to disclose their employees’ transportation voucher statements. There are also lawsuits to block the use of personal data for the execution of public policies, such as the fight against the pandemic.
In the opinion of attorney Ricardo Silveira, partner at LBCA, the number of lawsuits and the widespread nature of complaints disprove claims that the LGPD (Law No. 13,709 of 2018) has not caught on. “There are many individual lawsuits in progress, irrespective of fines imposed in the administrative sphere,” he says.
Although the law was published almost three years ago, many companies have not yet begun to implement internal measures to comply with the rules for handling personal data, according to Silveira. A survey by Logicalis technology company showed that only 11% of 120 companies surveyed are in compliance with the law.
Starting this August, the National Data Protection Authority (ANPD) may fine companies up to US$50 million for violating the law. In addition to the ANPD, the National Consumer Secretariat (SENACON) and the Consumer Protection Agency (PROCON) may also impose sanctions.
However, it is through individual lawsuits that compensation for leaks are awarded to data subjects, and not to funds.
Courts are divided over the need for evidence of actual losses incurred in order to award moral damages. Judge Mario Sergio Leite, of the 2nd Civil Court of Osasco (São Paulo), dismissed the claim of an ENEL customer who sought R$10,000 (US$1,955) in damages. She claimed that she began receiving messages and telemarketing calls after her data was disclosed, and had to redouble precautions not to pay fraudulent bills.
The judge said ENEL failed in its obligation to protect customer data. However, he adds in the ruling that no compensation would be owed to the consumer who failed to prove loss with the leaked data – which according to the case, “probably” occurred due to hacking.
“No fraud was committed against her. She failed to prove that any unwanted e-mails and calls from companies were related to the data leak, because it is very common to receive them without a leak,” the judge stated in the ruling issued in April (Case No. 1025226-41.2020.8.26.0405).
In a note, ENEL reports that the hacking of its system occurred in November and reached 4% of the customer base – all from the city of Osasco, a suburb of São Paulo. It says it immediately disabled access to the database and reported the incident to the affected consumers. “The company is exercising its rights for a proper enforcement of the law,” it said.
However, in another case no evidence was required by the court. The 4th Appellate Panel of the Special Civil and Criminal Courts of Bahia ordered a vehicle consortium administrator to compensate a consumer in R$9,600 for moral and material damages. He claimed to be the victim of fraud after his personal data was leaked.
“The LGPD guarantees that any data collector who causes damage must repair the consumer, irrespective of fault, which means that it is enough to prove that the leak occurred, even if it was not the ‘intention’ of the data collector,” Judge Mary Angélica Santos Coelho, the rapporteur of the case, said in the ruling. The decision was unanimous.
With no requirement for evidence, attorneys point out the risk of a mass judicialization of similar cases. “It could become a trivialization of the law. There are cases in which the leak, by itself, will not cause any damage,” said Marcela Mattiuzzo, partner and head of the technology area of VMCA Advogados.
Head of data protection at Tauil & Chequer Advogados, Cristiane Manzueto notes a particularity of moral damage linked to data leak that raises doubts about the response of the courts. “We are facing an immaterial asset. It is not a car that crashes. The plaintiff has to demonstrate the link between the leak and the damage, but this evidence is not always easy.”
For attorney Juliana Oms, from the Brazilian Consumer Defense Institute (IDEC), the leak or the undue sharing of data, by itself, can cause individual or collective moral damages. She argued that the company’s liability is objective in relation to consumer data. “The attempts in the lawsuits to exclusively blame hackers are irrelevant.”
Source: Valor