STJ: victim of data leak needs to prove damage – 03/16/2023 – Market
Victims of data leaks will need to demonstrate the losses they suffered when suing companies for moral damages. The precedent was set by a decision of the STJ (Superior Court of Justice) under the LGPD (General Data Protection Law).
Until then, lawyers had relied on the Consumer Protection Code (CDC) to argue that it was up to the companies to prove that no damage had occurred.
In a trial held on the 7th, the STJ held that a leak of personal data does not, by itself, give rise to a presumption of moral damage caused by the company to the victim. The court's second panel unanimously rejected the compensation claim of Maria Edite de Souza, an elderly woman whose contractual data with the energy concessionaire Eletropaulo had been leaked.
For Thiago Sombra, a cybersecurity specialist at the Mattos Filho law firm, who provided technical assistance to the defense of Enel (the Italian company that controls Eletropaulo), the superior court's interpretation prevents the emergence of an “indemnity industry”, in which consumers could file lawsuits without having suffered any harm.
A survey by Mattos Filho shows that, between 2020, when the LGPD came into force, and 2022, the number of actions in the area grew by 500%: from less than 20 to 120.
Questioned, Enel says it will not comment on the lawsuit.
Maria Edite’s representative in the lawsuit against Eletropaulo, lawyer Luis Eduardo Borges da Silva, told the newspaper that “in this specific case, there was a flagrant affront to article 14 of the CDC”. That article establishes that the supplier is liable for repairing damage caused to the consumer regardless of fault.
“The LGPD cannot be applied or interpreted in isolation”, says Silva.
A cybercriminal leaked Maria Edite’s identity document number, age, telephone numbers, address and energy consumption information. Eletropaulo presented its personal data protection protocols and argued that the digital crime had been committed by someone outside the commercial relationship, so the Consumer Protection Code could not be applied.
The company’s defense argued that a decision on the matter should take into account, in addition to the CDC, the LGPD's articles on liability and compensation for damages. Under that legislation, the data operator and the data controller are presumed innocent; the judge may reverse the burden of proof if he considers that the data subject (the holder of the data) may have difficulty gathering evidence.
Reporting Minister Francisco Falcão accepted the argument, and his vote was followed by the two other ministers on the panel. The superior court found that Maria Edite had already had the opportunity to present concrete evidence at first instance, where she lost the action. The woman’s defense argued that the leak had exposed her to the risk of fraud.
The STJ's decision in the special appeal overturned the ruling of the Court of Justice of the State of São Paulo against Eletropaulo, which had ordered the company to pay R$ 5,000 to Maria Edite for having leaked the personal data of an elderly person.
In his ruling on the special appeal filed by Eletropaulo, Falcão disagreed with the state court, stating that the leaked data was not sensitive. The LGPD classifies as sensitive any information about racial or ethnic origin, religious conviction, political opinion, or membership of a union or of an organization of a religious, philosophical or political nature.
For Sombra, of Mattos Filho, the decision brings legal stability to companies that process customer data. The most recurrent theme in LGPD lawsuits in 2021 and 2022 was civil liability for security incidents such as data leaks. The joint application of the LGPD and the CDC also stood out in 2021.
In cases where there was a conviction for violating the LGPD, magistrates set fines between R$ 2,000 and R$ 20,000 against companies, according to a survey by Mattos Filho.
The courts of São Paulo, Minas Gerais and the Federal District were the most active in the area, and the service provision, infrastructure and energy, and financial sectors were the ones most often involved in the lawsuits.
According to the Mattos Filho specialist, recent announcements by the ANPD (National Data Protection Authority) may accelerate companies' adaptation to the LGPD.
At the end of February, the agency released the Regulation for Dosimetry and Application of Administrative Sanctions, with guidelines for defining indemnities. Fines can reach R$ 50 million.
ANPD inspections began in 2020, when the LGPD came into force, but without the dosimetry rules the agency could not apply administrative sanctions.