Lately, data protection has experienced a certain "drought" in terms of academic and institutional interest. Books continue to be written and published, meetings continue to be held, and academic discussions continue, but the subject seems to have cooled down.
Some may disagree, and rightfully so: after all, the National Data Protection Authority (ANPD) has made more decisions recently than in all previous years combined. Furthermore, the events promoted by the authority in Brasília during 2024 were very well attended, as were the international seminars.

The leading role of AI
The fact is that these circumstances, however valid they may be as an argument, do not alter the reality that, on the eve of AI regulation, it was literally necessary to shift many professionals and scholars from the area of privacy and personal data protection to AI task forces. In the technical and academic field, many opinion leaders ended up "migrating" to AI debates and, however active and proactive the ANPD may be – respecting its limitations – its decisions had been having only minimal practical impact on the market.
The general expectation, apparently, was that data protection would gradually regain its prominence as the ANPD's consultations and regulations became available. There was some curiosity regarding the public competition that the authority is about to hold: how would the integration of so many new employees impact and even alter the dynamics – until then known and to some extent predictable – of the ANPD?
The recent decision of the Superior Court of Justice
What certainly wasn't on anyone's radar was a (new) decision by the Superior Court of Justice (STJ) regarding civil liability for data leaks, as has now happened in Special Appeal (REsp) No. 2147374/SP, reported by Minister Ricardo Villas Bôas Cueva. This ruling's potential to impact the market is more than relevant, especially given the attention it has been receiving in the media and among groups dedicated to the subject.
The Third Panel of the Superior Court of Justice (STJ) unanimously decided that the appellant, Eletropaulo, is civilly liable, based on the General Data Protection Law, for the illicit sharing of data (through the actions of a hacker) and should therefore compensate the data subject who filed the compensation lawsuit.
The data breach addressed in the lawsuit, according to the court ruling, involved the disclosure of the data subject's full name, ID number, CPF (Brazilian taxpayer ID), address, and telephone number. The initial judgment of dismissal was partially overturned on appeal, at which point civil liability was dismissed – also in line with a previous ruling by the Superior Court of Justice (STJ) in Appeal in Special Appeal (AREsp) No. 2130619/SP, reported at the time by Minister Francisco Falcão in the Second Panel of the superior court.
In that case, judged in March 2023, the Superior Court of Justice (STJ) understood that it would not be appropriate to order ENEL to pay presumed moral damages (in re ipsa) in matters of data protection, especially in an incident that did not involve sensitive data. In other words, the court had understood that if no harm from the security incident is proven, even if the incident occurred, there is no right to compensation. The starting point here was to grade the security incident or illicit processing and assess, in accordance with the risk and damage grading system of the LGPD itself, whether the conduct effectively impacted the legal sphere of the data subject – the theoretical and abstract possibility of damage that did not materialize being irrelevant.
The recent decision by the Superior Court of Justice (STJ) is based on the premise that it is not the rights holder who must prove the damage, but the data processing agent who must prove that it "complies with the law." But what does "complying with the law" mean?
This article continues in Eduarda Chacon Rosas' next post.