Does the leaking and sharing of personal data create presumed moral damage?

Marcela Volponi, Ciro Starling, and Henrique Buldrini

Presumed moral damage (in re ipsa), that is, inherent to the fact itself, is applied and recognized by the case law of the Superior Court of Appeals (STJ) in several situations involving consumer relations in Brazil, such as in cases involving:

moral damage due to contamination of food with a foreign body;^[1]
trademark misuse;^[2]
improper registration in a delinquent debtor registry;^[3]
refusal of the health plan to authorize emergency medical treatment;^[4]
marketing and sale of personal data in a database.^[5]

Regarding the last topic, the 3rd Panel of the STJ, on November 12, 2019, in the judgment of Special Appeal 1.758.799 (REsp 1.758.799), in an opinion drafted by Justice Nancy Andrighi, defined that the provision or marketing and sale of personal data of a consumer contained in a database, without the knowledge of its holder, even if they do not fit in the concept of sensitive or confidential data, constitutes a case of moral damage in re ipsa.

Nevertheless, the 2nd Panel of the Superior Court, in the recent judgment of Interlocutory Appeal in Special Appeal 2130619/SP (AREsp 2130619/SP), handed down on March 7, 2023, and the opinion of which was drafted by Justice Francisco Falcão, the Court held that, although the leaking and sharing of consumers' personal data is not a desirable act, this event does not have the power, on its own, to establish presumed moral damage.

In the special appeal, it was argued that the decision handed down by the São Paulo Court of Appeal (TJSP), according to which a simple leak of reserved data would be sufficient to establish fault in the provision of services and presumed moral damages to the consumer, violated articles 42, 43, II and III, 46 and 48, of the General Data Protection Law (LGPD) and article 14, paragraph 3, of the Consumer Protection Code (CDC), which deals with the strict liability of suppliers.

According to the unanimous understanding of the STJ, data of an ordinary nature, personal and not intimate, capable of identifying an individual, should not be classified, under the LGPD, as sensitive. Thus, in case of mere leakage and/or sharing of the consumer's personal data, a finding of presumed moral damage would be ruled out.

Hearing the AREsp, admitting the REsp in part and granting relief in that part, the STJ entered into the concepts of "personal data" and "sensitive personal data" provided for in sections I and II of article 5 of the LGPD. The Court recognized that the rule provided for in subsection II of this article provides "a list of what would be sensitive personal data and, because they have this condition, require different treatment, as provided for in article 11 of the same LGPD."

Thus, it concluded that the leaking of sensitive data, because they are related to the intimacy of an individual, constitutes moral damage in re ipsa. Therefore, differently from what the TJSP concluded, the personal data leaked would not be sensitive data, since they do not fit within the exhaustive list (and not in the list of examples) of the rule.

Although, in this case, the contents of articles 42, 43, II and III, 46 and 48, of the LGPD and article 14, paragraph 3, of the CDC were not analyzed by the STJ - because for the reporting justice these provisions were not preserved for appeal - it should be remembered that the head paragraph of article 42 of the LGPD provides that "the controller or operator that, by virtue of the exercise of the activity of processing personal data, causes another person economic, non-economic, individual, or collective damage, in violation of the legislation for the protection of personal data, is obliged to repair it.”

In this context, processors will not be held liable only when they prove that they did not perform any data processing, that there was no violation of data protection legislation, or that the damage is the result of the exclusive fault of the data subject or a third party, as provided for in articles 43, 46, and 48 of the LGPD.

Article 42, paragraph 2, of the LGPD allows the judge, at his discretion, to reverse the burden of proof in favor of the data subject in the following cases:

likelihood of his allegations;
weaker position to produce evidence; or
when the production of evidence by the holder becomes excessively burdensome.

Producing evidence regarding possible damages suffered by consumers in cases of leakage and/or sharing of data, however, is not a simple matter, either because of the difficulty of accessing information, the speed and agility with which information travels over the Internet, or the lack of transparency and ease ofin tracking the means of sharing data on the Internet.

TJSP and STJ decisions on the topic generate questions

It seems that the recent decision of the STJ has the potential to create a great debate about the definition of the concept of privacy, intimacy, and protection of sensitive personal data of consumers, due to the great number of interests and rights protected in the name of personal data privacy.

The classic formula for viewing privacy and intimacy - "the right to be let alone"^[6] - no longer fits today's reality, considering the exponential technological evolution.

From a reading of the decisions handed down by the TJSP and the STJ, some questions inevitably arise:

Is it possible to state that the list of sensitive personal data provided for in the LGPD is exhaustive and not exemplary?
Are all the cases provided for in the LGPD sufficient to guarantee the defense of the sensitive personal data of Brazilian citizens?
Are there different levels of damage depending on the nature of the data leaked?
Can it be said that all persons who have personally identifiable data leaked due to a security breach by a supplier responsible for handling personal data, in the context of a consumer relationship, do not suffer presumed moral damages?
Should people/public figures be treated differently?

Another pertinent question is related to the possible application, by analogy, of strict liability and the establishment of presumed damage in cases of personal data leakage by credit protection databases and consumer data records. The joint and several liability between databases and suppliers, in this case, is guaranteed by the sole paragraph of article 7 of the CDC and article 16 of the Credit History Records Law (12,414/11).

There are still no definitive answers to all the questions, not least because this recent understanding is one of the first opportunities that the STJ has had to discuss part of the matter involving consumer rights and guarantees based on the LGPD, which entered into force in September of 2020. More analysis will probably occur on other occasions.

Since the LGPD entered into force, which guarantees, as one of its fundamental principles, the security and prevention of personal data (articles 6, subsections VII and VIII, 42, 43, 44, 45, and 46 of the LGPD) - there was (and still is) a fear on the part of companies regarding the application of civil, administrative, and criminal sanctions related to the activity of collection, storage, use, and transmission of personal data.

Although the STJ's understanding has not been established under the system of repetitive appeals, it seems that the result of the judgment has the ability to ensure, albeit temporarily, greater security for companies that perform data processing, by preventing the insetting of the well-known moral damages industry.

^[1] STJ, REsp 1.899.304/SP, opinion drafted by Justice Nancy Andrighi, decided on November 30, 2021.

^[2] STJ, REsp 1.507.920/SP, opinion drafted by Justice Maria Isabel Gallotti, decided on November 20, 2019.

^[3] STJ, AgRg no AREsp 821839/SP, opinion drafted by Justice Antonio Carlos Ferreira, decided on April 26, 2016.

^[4] STJ, REsp 1.839.506/RS, opinion drafted by Justice Ricardo Villas Bôas Cueva, decided on October 26, 2020.

^[5] STJ, REsp 1.758.799/MG, opinion drafted by Justice Nancy Andrighi, decided on November 12, 2019.

^[6] BENJAMIN, Antonio Herman; Marques, Claudia Lima; BESSA, Leonardo. Manual de Direito do Consumidor [“Handbook of Consumer Law”], 8th Ed., Revista dos Tribunais, Thomson Reuters, 2017.

Does the leaking and sharing of personal data create presumed moral damage?

STJ decision rules out scenario of this type of damage to the consumer in the case of mere leakage and sharing

Authors

Who we are

CAREER

CAREER

LEGAL INTELLIGENCE CENTER

Privacy

Does the leaking and sharing of personal data create presumed moral damage?

STJ decision rules out scenario of this type of damage to the consumer in the case of mere leakage and sharing

Authors

Assuntos Relacionados

CJF encourages the use of artificial intelligence in arbitration

CVM’s new rules on the disclosure of confidential arbitration proceedings

Possession of leased property

The existential minimum and the Over-indebtedness Law

The controversy of the companion as a necessary heir

OECD research analyzes the relationship between marketplaces and consumer law

Digitization of judicial proceedings gains another chapter

Who is responsible for the fees for loss in suits for non-economic damages?

Who we are

CAREER

CAREER

LEGAL INTELLIGENCE CENTER

Privacy