The accountability of the data processing agent and the Judiciary.


Summary

On one hand, the lack of knowledge among legal professionals, both lawyers and judges, regarding the concepts, principles, and ideals related to data protection is problematic.

From another perspective, this has not prevented judges from applying the LGPD (Brazilian General Data Protection Law) as they see fit, whether due to the specific needs of the case, a lack of tact, or the well-known juggernaut that is the adjudication of cases in Special Courts, with the benefits of free legal aid and the expectation of reversal of the burden of proof in matters that, in the vast majority of cases, involve data subjects who are consumers.

It is true that data protection law is based on economic development, free enterprise, free competition, and consumer protection. So much so that the law itself provides for the coexistence and reconciliation between its rules and those of a consumer protection nature.

CDC and LGPD

It should be noted, however, that even the Consumer Protection Code (CDC), more than 30 years ago, foresaw the possibility of improvement and evolution by the supplier. This is clear when the law states that a product does not become defective "because a better quality alternative has been placed on the market" (Article 12, second paragraph). The CDC then explains that a service will only be defective if it does not offer the expected safety, taking into account relevant circumstances such as the time when it was provided.

These provisions are identical to those set out in the LGPD itself, in its article 44, according to which "the processing of personal data will be considered irregular when it fails to comply with the law or when it does not offer the security expected", considering, among other relevant circumstances, "the personal data processing techniques available at the time it was carried out".

“(…) it is necessary to analyze whether the agents complied with the existing and documented security standards at the time and used protection systems proportionate to the risks and characteristics of the processing within what was reasonable and proportionate (article 44 of the LGPD). (…) It seems sensible to conclude, therefore, that in the application of the LGPD – unlike what happens with the Consumer Protection Code (CDC), for example – the agent may avoid liability for any damages suffered by third parties by demonstrating that the standards necessary for data processing were followed. In consumer relations sensu lato, civil/administrative liability is only excluded with conclusive proof of the non-existence of the defect or the exclusive fault of the victim/third parties.”¹

Keeping up-to-date is part of life.

In other words, the evolution of a system – which includes, for example, the adoption of new anti-fraud tools or more rigorous security parameters – does not mean that everything that happened before is illegal or subject to compensation; nor does the adoption of these measures constitute a "confession" by the supplier that the service previously provided was irregular or inadequate. To think otherwise is tantamount to prohibiting businesses from seeking constant improvement.

And this, incidentally, is a reality of the data economy and society. We routinely update the operating systems of our phones and computers and download new versions of antivirus software, Java and applications, and the systems that run electronic court proceedings throughout Brazil are constantly being renewed.

Furthermore, as briefly mentioned above, the article of the General Data Protection Law that establishes the minimum security measures to be adopted by data processing agents is pending regulation and is part of the current regulatory agenda of the ANPD (National Data Protection Authority) for the 2025-2026 biennium.

Grading of damages and risks in data protection

As it stands today, the Brazilian civil liability system (following a Eurocentric orientation formalized in the European General Data Protection Regulation, GDPR) depends on the finding of a legal violation; the occurrence of damage; the relevance of the damage (even if verified); and an assessment of the severity of the risks and losses found. These criteria are cumulative: even if there is damage/risk, if there is no legal violation, there is no liability. Even if there is a violation, if there was no damage/risk, there is no liability. And even if there is damage/risk and a violation, if the damage/risk is not serious, there will not necessarily be liability.

“Nevertheless, even in the event of a data breach, it is necessary to conduct an objective analysis of the situation which, more often than one might imagine, will lead to an opinion that the incident is irrelevant. And if the breach is irrelevant – low risk – in Brazil it is not even necessary to inform the data protection authority (DPA). Note that the LGPD establishes as a criterion for communication to the ANPD in article 48 precisely the possibility of “relevant risk or damage”. The GDPR, on the other hand, establishes that the absence of high risk is grounds for dispensing with communication to data subjects (Recital 86 and art. 34(1) GDPR).”¹

Furthermore, civil liability will depend on the non-applicability of legal exclusions, such as the fault of third parties and the victim, or the agent not having carried out the processing attributed to it (articles 42 and 43 of the LGPD), as well as the adoption of appropriate and proportionate security and governance measures. Therefore, the Superior Court of Justice has stated that there is no presumed damage (damage in re ipsa) in matters of data protection, except in the case of a security incident involving sensitive data (see AREsp 2.130.619 and REsp 2.121.904).

The uncertainty of the litigation

It is important to clarify the risk involved in the judicial process: litigation, regardless of whether adequate security measures were used, is one of the burdens of business activity, and it includes facing legal proceedings with all the variables and uncertainties inherent to them (legal uncertainty), in addition to the costs and reputational risk.

The level of maturity of the Judiciary and magistrates, as well as the maneuvers to be adopted by the lawyers of the opposing parties, is beyond the scope of the data processing agents, who need, first and foremost, to organize themselves within what is effectively within their control: compliance with the LGPD (Brazilian General Data Protection Law), adoption of the ANPD (National Data Protection Authority) guidelines, and documentary record of these measures.


References

Hamaoka, S.; Rosas, E. Security measures and the accountability of the personal data processing agent in extrajudicial contexts. In: LGPD 2022: debates and relevant topics. Editors: Ana Paula Canto de Lima, Eduarda Chacon Rosas. Recife, PE: Império Jurídico, 2022.

About the Author


  • Lawyer and Coordinator at BFBM Advogados. Professor. Author of books and articles. PhD candidate and Master's degree from UnB. Postgraduate degree (lato sensu) in Business Law from Fundação Getúlio Vargas, FGV. Postgraduate degree (lato sensu) in International Relations, UnB. Law degree from Universidade Federal do Rio Grande do Norte, UFRN. Researcher at IDP (Ethics4AI). CIPM and CDPO certified by IAPP. ECPC-B DPO certified by Maastricht University. Member of the AI Commission and the National Observatory of Cybersecurity, Artificial Intelligence and Data Protection of the OAB (Brazilian Bar Association).
