The future of data protection in Brazil: is a moral damage industry emerging? PART I

In recent times, data protection has experienced a certain “low” in terms of academic and institutional interest. Books continue to be written and published, meetings and academic discussions continue to be held, but the subject seems to have cooled down.

Some may disagree, and with good reason: after all, the National Data Protection Authority (ANPD) has decided more things recently than in previous years combined. Furthermore, the events promoted by the authority in Brasília during 2024 were very prestigious, as were the international seminars.

The leading role of AI

The fact is that these circumstances, however valid they may be as an argument, do not change the reality that, on the eve of AI regulation, it was literally necessary to move many professionals and scholars from the area of privacy and data protection to AI task forces. In the technical and academic fields, many opinion makers ended up “migrating” to AI debates and, even though the ANPD is active and effective – respecting its limitations – what it was doing in terms of decision-making was having minimal impact, in practice, on the market.

The general expectation, apparently, was that data protection would gradually regain its prominence, as the ANPD’s consultations and regulations became available. There was a certain curiosity regarding the public tender that the authority is about to hold: how would the integration of so many new employees impact and even change the dynamics – hitherto known and to a certain extent predictable – of the ANPD?

The recent decision of the Superior Court of Justice

What was certainly not on anyone’s radar was a (new) decision by the Superior Court of Justice (STJ) on civil liability for data leaks, as happened in Special Appeal (REsp) No. 2147374/SP, reported by Minister Ricardo Villas Bôas Cueva. The potential of this judgment to impact the market is more than relevant, especially given the projection it has been receiving in the media and in groups dedicated to the topic.

The Third Panel of the STJ unanimously decided that the appellant, Eletropaulo, is civilly liable, under the General Data Protection Law, for unlawful data sharing (through the actions of a hacker) and that it should, therefore, compensate the data owner proposing the compensation action.

The data leak referred to in the lawsuit

According to the ruling, the leak involved the disclosure of the full name, ID number, CPF, address and telephone number of the holder. The ruling of dismissal was partially reformed in the second instance, at which time civil liability was dismissed – also in harmony with a previous ruling by the STJ itself in Appeal in Special Appeal (AREsp) No. 2130619/SP, reported at the time by Justice Francisco Falcão in the Second Panel of the higher court.

In that case, tried in March 2023, the STJ understood that it would not be appropriate to condemn ENEL for presumed moral damages (in re ipsa) in matters of data protection, especially in an incident that did not involve sensitive data. In other words, the court had understood that if no damage results from the security incident, even if the incident occurred, there is no right to compensation. The starting point here was to grade the security incident or unlawful processing and assess, in line with the LGPD’s own risk and damage grading system, whether the conduct effectively had repercussions on the legal sphere of the data subject – the theoretical and abstract possibility of the occurrence of damage that did not materialize being irrelevant.
