Data breaches are an increasingly common problem in a world that is ever more digital. Data protection and privacy laws seek to reduce these risks and guide businesses towards a safer internet, but risk will always exist. When confidential information is compromised, whoever holds it can cause harm to the data subjects, such as scams or other financial dangers.
On the other hand, the mere fact that sensitive information is in the hands of criminals, and could be used against the data subjects, creates a sense of distrust among them. But is that enough to warrant compensation for moral damages?
Do companies have to pay compensation for moral damages?
The justices of the 2nd panel of the Superior Court of Justice (STJ) determined that the leakage of common data, despite being an undesirable failure, does not, by its mere occurrence, have the capacity to generate compensable moral damages.
In other words, a data subject who has been directly affected by the consequences of a data breach will have to prove the harm they suffered. The mere existence of a security incident affecting digital users, however damaging and offensive to their privacy, is not sufficient on its own.
What qualifies as common personal data?
To simplify, understand "common data" as information that does not qualify as sensitive. Common data is information related to natural persons that can identify them. Some examples are: full name, ID number, tax identification number, date of birth, address, among others.
Sensitive data, in turn, as the name suggests, concerns particular characteristics of individuals and receives greater protection under the General Data Protection Law (LGPD), the legislation in force in Brazil.
Among them are:
- Information relating to racial or ethnic origin, religious beliefs, political opinions, membership in a trade union or religious, philosophical or political organization, data concerning health or sex life, genetic data or biometrics when linked to a natural person.
The definition is found in Article 5, II of the LGPD (Brazilian General Data Protection Law). Currently, banking data is not classified as sensitive data.
Can companies be punished as a result of data breaches?
Yes. The LGPD (Brazilian General Data Protection Law) provides for administrative sanctions. In February 2023, the regulation governing the application of administrative sanctions, known as the Dosimetry regulation, was published. To contextualize: as stated in the official publication on the government website, Dosimetry is understood as the guiding method for choosing the most appropriate sanction for each specific case in which there is a violation of the LGPD, and which allows for the calculation, when applicable, of the amount of the fine applicable to the offender.
Therefore, the regulation establishes the circumstances, conditions, and method of application, considering the damage or harm caused to data subjects and its scale. The regulation aims to keep the sanction applied proportional to the severity of the incidents.
The sanctions that can be applied are already outlined in the General Data Protection Law. They are:
- Warning;
- Simple fine, of up to 2% (two percent) of the company's revenue, limited in total to R$ 50.000.000,00 (fifty million reais), per infraction;
- Daily fine, with a total limit of R$ 50.000.000,00 (fifty million reais);
- Publication of the infraction;
- Blocking of personal data;
- Deletion of personal data;
- Partial suspension of database operation for a maximum of 6 (six) months, extendable for an equal period, until the situation is regularized;
- Suspension of the exercise of personal data processing activities for a maximum of 6 (six) months, extendable for an equal period;
- Partial or total prohibition on carrying out activities related to data processing.