The two judgments, REsp No. 2147374/SP and AREsp No. 2130619/SP – which are not technically “precedents”, and this distinction from civil proceedings is important –, in terms of “background”, are similar. What changes is the opinion of the Third Panel, in relation to the Second Panel, and this is essential because the first is private law and will potentially analyze very relevant cases involving private sector players and data subjects.
In defending the panel’s jurisdiction to assess the matter, the rapporteur also argued that it is the responsibility of private law panels to decide on civil liability in cases involving public service concessionaires. This raises a new red flag: it is possible that data leaks involving the State will be decided by a panel that has already stated that, in order to convict under the LGPD, proof of damage is not essential.
This position is innovative and does not follow from the literal meaning of art. 42, according to which it would be necessary, for purposes of conviction based on the LGPD, in theory, to demonstrate the legal violation, the data processing and the damage. In other words, they would be cumulative requirements.
The before and after
The new ruling by the STJ establishes that the macro-system of data protection involves an “active” or “proactive” responsibility, from which the agent of personal data processing must demonstrate the adoption of “effective measures” that attest to “observance and compliance with data protection standards”. The underlying idea, according to the ruling, is that processing agents, including the Public Authorities, have the obligation not only to comply with the law, but to prove this compliance – in order to avoid civil liability.
What can be drawn from the new ruling, when it comes to the adoption of adequate security measures, is that the data processing agent who does not wish to be held liable in court must, within the scope of the procedural investigation, prove that he “complies with the law”, including demonstrating what governance measures and good practices he adopted.
Data protection litigation
It should be noted that the judge (thinking about data protection litigation), in adherence to this logic, would need to start from the presumption of guilt of the processing agent. If the security incident occurred, it is because the appropriate measures were not adopted. It would then be up to this agent to erode this presumption, demonstrating that he adopted the appropriate and necessary security measures, sufficient, based on the technology available at the time, to avoid the undesirable result (which occurred anyway). And this evidence is extremely delicate. It is even questionable whether it is feasible to do it without an expert assessment or audit – which is relevant considering that this new understanding of the STJ will certainly be applied in Small Claims Courts, where the delay in evidence is not even allowed.
What to expect?
The decisions of the Superior Court of Justice shape opinions and guide behavior. The first ruling was based on the LGPD and demonstrated a concern for judicial policy, thinking precisely about the domino effect of a decision that admitted damage in matters of data protection and, perhaps, the inevitable repercussions of this type of paradigm for the State. The second ruling, although it did not explicitly mention the damage, took away its prominence, which in practice became presumed to the extent that it is not relevant to the conviction, or even that it automatically results from “non-compliance with the law”. Non-compliance did indeed become expressly presumed – and brought a complex burden of proof to the data processing agent. The emphasis here seems to be on toughening enforcement.