If, on the one hand, the Consumer Protection Code establishes that, regardless of the existence of fault, the award of damages will be mandatory by the responsible person or member of the production chain, thus applying the principle of strict liability, the Civil Code follows an opposite trend, one that advocates the application of fault liability, in which there is a need to evidence the loss and causal connection, considering, for such purpose, intent and violation of a right as fault.
Although there is a divergence as to the type of liability attributed in consumer relations to the reverse of civil residual relations, LGPD (General Data Protection Law), which transits between the two worlds, no longer directly covers specifications about civil liability in its totality of relations, since it only pointed out in its Article 45 that, in the consumer level, its provisions remain subject to those of CDC (Consumer Protection Code).
In view of this, LGPD did not clearly translate which of the principles above should be applied when one harms a right pertaining to the unlawful handling of data outside the consumer scope.
Even though there is a section dedicated exclusively to liability, in which the criteria for award of damages and the circumstances that characterize an unlawful handling of personal data are addressed, the specification of the civil liability regime is not made.
It ought to be pointed out that within the scope of the General Data Protection Law, an unlawful conduct is substantiated, with consequent violation of the law, in the event that a controller or operator handling data fails to abide by the legal provisions expressly set forth by LGPD.
Since the laws leave room for divergent understanding, protectionist views have already emerged in the condemnatory grounds to the detriment of the most diverse companies that, in actions comparable to the allegation of data leakage, ended up suffering convictions in nonpecuniary damages in the presumptive form, that is, without the effective regard for the result of the alleged leakage.
The fact is that, although the inefficient handling of data that may generate a possible leakage by a company consists of an unfortunate failure and that should certainly be countered, it is not able, individually as an act, to pose any nonpecuniary loss to a data subject without effective proof of the occurrence of the loss. Thus, in cases of this type, nonpecuniary loss could not be presumed, and it is up to the data subject to prove not only the leakage, but that in fact they have suffered the alleged loss caused by the exposure of such information.
This was also the recent and unanimous prevailing position of the 2nd Panel of the Superior Court of Justice, which overruled a decision rendered by the Court of Appeals of São Paulo, which had ordered an electricity utility to compensate, for nonpecuniary loss, a consumer who had their personal data leaked, regardless of proof of the occurrence of effective loss. (AREsp (Special Appeal) No. 2.130.619).
According to Justice Francisco Falcão, rapporteur of the appeal, the personal data leaked refers to that which the consumer usually provides in any type of registration, thus considered simple data, of which unwanted disclosure, by itself, would not be enough to substantiate a violation of any of the rights arising from personality right.
The justice also pointed out that Article 5, Item II, of LGPD, establishes an exhaustive list of personal data considered sensitive, which, according to Article 11, require special handling. Among this data was information on racial or ethnic origin, religious conviction, political opinion, membership of a trade union or religious organization, as well as data pertaining to sexual health and others of an intimate nature.
According to the Justice’s opinion, the leaked data should not be classified as sensitive, but of a common nature, besides the fact that the existence of loss suffered as a result of the unlawful handling of such data was not proven, which, therefore, would not support the relevant damages.
Although the decision consists of an initial position on the subject, it is noted that the position has the strength to prompt a deeper reflection on the inapplicability of the presumption of nonpecuniary loss thesis in the case of leakage of personal data of any nature.
In this vein, it is worth noting that the position of the judiciary was accurate, considering that it sets forth an early formulation of precedents that tend to ensure greater legal certainty to other entities involved in the handling of data, on top of assisting in ensuring the accurate and fair resolution of problems and procedural divergences in this realm.
Available at: https://www.estadao.com.br/politica/blog-do-fausto-macedo/limitacao-da-responsabilidade-civil-na-lgpd-e-a-nao-presuncao-dos-danos-morais/
Autor: Lucas Rodrigues Lucas • email: lucas.lucas@ernestoborges.com.br
