Brazil has a highly litigious tradition that ends up being reflected in the assessment of the General Data Protection Law (LGPD). Therefore, the Judiciary has been repeatedly called upon to resolve disputes involving the protection of personal data, to the point that it has become a de facto co-regulator on issues about which the National Data Protection Authority (ANPD) has not yet had the opportunity to rule, and in individualized situations that sometimes completely deviate from the legal logic enshrined in the applicable law – because it is inherent that judges have legal interpretations that will not necessarily align with the regulator's mindset.

Accountability

It is important to keep in mind that the LGPD created a regime of accountability which takes into account the simultaneous fulfillment of three requirements: legal violation, (unlawful) data processing, and proof of harm. (article 42)The processing will be considered irregular when it does not comply with the legislation or when it does not provide the safety that the data subject could expect, considering relevant circumstances such as (i) the method of processing; (ii) the reasonably expected results and risks; and (iii) the state of the art at the time. 

It is also necessary to weigh the adequacy of the security measures (a constant issue on the ANPD's regulatory agenda, but still open), with it being widely accepted today that measures contained in international frameworks such as ISO would be adequate, for example. In addition to all these criteria, it is necessary to observe whether there are exclusions of liability, such as, for example, the victim's exclusive fault. 

It is already clear that civil liability under the LGPD (Brazilian General Data Protection Law) is (or should be) the result of a complex alchemy with many distinct elements, and that it was not conceived to "penalize first and ask questions later," but, quite the contrary, to promote good intentions, prevention, and precautions.

This is because the macro-system for data protection is based on raising awareness among personal data processing agents and their collaboration with the ANPD (National Data Protection Authority), especially since the Authority needs feedback from all stakeholders in the development and fine-tuning of its policies and regulations.

The role of the ANPD

Thus, and in line with this conclusion, in the area of ​​accountability, the ANPD (National Data Protection Authority) issued regulations establishing several mitigating factors for the liability of data processing agents, such as proof of implementation of self-regulation, best practices, and proof of good faith. This is because It is part of the philosophy of responsive data protection regulation in Brazil to use sanctions as a last resort. ratioInvesting, first and foremost, in changing behaviors and adopting better paradigms, believing in the transformative power of warnings and reputational zeal.

This is the metric behind regulations on security incidents: the more the Authority knows and understands about security incidents, the better it can educate and regulate about them. Therefore, it is much more important for her to have the information than to apply the sanction – since applying sanctions would tend to make data controllers wary and less transparent.

Judicialization of data protection

In this In this context, the decision of the Superior Court of Justice in the judgment of AREsp No. 2.130.619-SP, reported by Minister Francisco Falcão (DJe/STJ No. 3592 of 03/10/2023), was very positive, as it established that there is no presumed damage in matters of personal data protection: concrete proof of harm is always necessary.

This signal was crucial in ensuring that both the Judiciary and the market felt secure regarding the adoption of transparent and pro-adequacy positions, preventing the general understanding that any "error" on the part of the data controller could result in legal liability. (which would result in an increase in the volume of compensation claims with this type of argument). 

The premature or unnecessary judicialization of disputes over data protection may compromise the regulatory development of the area, considering that the right to data protection is constantly evolving, and the judicial interpretation of norms that are still maturing may solidify temporary understandings that do not reflect best practices or future technological advances. 

Furthermore, the premature judicialization of issues related to data protection could lead to a lack of consistency in judicial decisions, given that the LGPD (Brazilian General Data Protection Law) is still in the implementation and interpretation phase. Different judges could – and probably would – adopt different solutions and interpretations for similar issues, resulting in a diverse set of decisions that hinder a clear and uniform understanding of the law and lead to a scenario of great legal uncertainty.

The better structured the data processing agent is to accommodate the demands of the personal data subject, the better equipped it will be to handle disputes both within and outside the judicial sphere.The greater your credibility in the market and with your regulator, the ANPD – which can provide you with a platform and opportunities to contribute, including through your own example, to building a healthy and appropriate ecosystem for the protection of personal data in Brazil.

Want to know more about the ANPD? Find out what happened in... 1st ANPD Meeting of Data Protection Officers.