Brazil has a highly litigious tradition that ends up being reflected in the assessment of the General Data Protection Law (LGPD). For this reason, the Judiciary has been repeatedly called upon to resolve disputes involving the protection of personal data, to the point that it has become a de facto co-regulator, both on issues on which the National Data Protection Authority (ANPD) has not yet had the opportunity to express its views and in individual situations that, at times, completely deviate from the legal logic enshrined in the applicable law, since judges inherently hold legal interpretations that will not necessarily align with the mindset of the regulator.
Accountability
It is important to keep in mind that the LGPD establishes an accountability regime in which the simultaneous configuration of the following requirements is taken into account: legal violation, (irregular) data processing and proof of damage (article 42). The processing will be irregular when it does not comply with the legislation or when it does not provide the security that the data subject could expect, considering relevant circumstances such as (i) the method of implementation; (ii) the reasonably expected results and risks; and (iii) the state of the art at the time.
It is also necessary to consider the adequacy of security measures, a constant issue on the ANPD’s regulatory agenda that is still open. It is widely accepted today that the measures contained in international frameworks such as ISO, for example, would be adequate. In addition to all these criteria, it is necessary to observe whether there are exclusions of liability, such as, for example, the exclusive fault of the victim.
It is now clear that civil liability under the LGPD is (or should be) the result of a complex alchemy with many distinct elements and that it is not designed to “penalize first and ask questions later”, but, quite the opposite, to honor good intentions, prevention and precautions.
The role of ANPD
Thus, and in line with this conclusion, in the area of accountability, the ANPD issued regulations establishing several mitigating factors for holding data processing agents accountable, such as proof of implementation of self-regulation, good practices and proof of good faith. This is because it is part of the philosophy of responsive data protection regulation in Brazil to use sanctions as a last resort, investing first in changing behaviors and adopting better paradigms, believing in the transformative power of warnings and reputational care.
Judicialization of data protection
In this context, the decision of the Superior Court of Justice in the judgment of AREsp No. 2,130,619-SP, by Minister Francisco Falcão (DJe/STJ No. 3592 of 03/10/2023), was very positive, when it was established that there is no presumed damage in matters of personal data protection. Concrete proof of damage is always necessary.