The inclusion of civil liability for data leaks is well regulated by the General Data Protection Law (LGPD). However, the subject also begins to be addressed in the Civil Code, with the changes being made to it and the creation of Digital Law.
Dealing with the same subject in two different laws or regulations, even if at different levels, can lead to confusion and interpretative difficulties. It is the role of jurists – whether they are lawyers, judges, or prosecutors – to resolve doubts, with the Courts responsible for standardizing the understanding of the issues submitted for review.
The coexistence of laws often brings legal insecurity and greater complexity to the lives of citizens and legal entities. However, much still has to mature, both in Brazil and in other countries, regarding data leaks. Although the cases that have occurred attract a lot of attention, their number is still considered small compared to the flow of data existing in the world.
The changes to the Civil Code introduce concepts and rules regarding the provision of digital services (art. 609), digital assets of the deceased (art. 1791-A), legacies of digital assets (art. 1918-A), and some concepts, principles, and rules of Digital Law. They address the issue of data at various points, such as in Art. 1791-A § 3°, which provides that "any contractual clauses aimed at restricting the powers of the individual to dispose of their own data are null and void, except for those that, by their nature, structure, and function, have limits on use, enjoyment, or disposal."
Criteria are also set out to define the legality and regularity of acts and activities carried out in the digital environment. The digital environment is characterized as the "virtual space interconnected through the internet, including global computer networks, mobile devices, digital platforms, online communication systems, and any other interactive technologies that enable the creation, storage, transmission, and reception of data and information."
When listing the fundamentals of the discipline called Digital Law, the amended Civil Code states "respect for privacy, protection of personal and patrimonial data, as well as informational self-determination." The LGPD does not restrict itself to regulating data circulating on the internet, also addressing data processed in the internal and external environments of controllers and operators, whether in written, physical, or even verbal form.
The modified Civil Code and the LGPD coexist. They are not contradictory. In this way, the Civil Code will serve as a basis for interpreting any gaps in the LGPD. Consider, for example, the doubt that arose about whether a deceased person has the right to data protection, and likewise the question of the hereditary transmission of data. The LGPD does not address this specific issue, but the amendments to the Civil Code make it clear that the deceased has this right.
Alternatively, the issue of data leakage can be analyzed. The LGPD is clear in establishing penalties for leaks. The changes to the Civil Code, in turn, establish conceptual definitions for the topic. This happens, for example, when introducing the security guarantee of the digital environment, revealed by data protection systems, as a fundamental parameter for interpreting the events that occurred in the digital environment.
The changes to the Civil Code go as far as to repeat some provisions of the LGPD, such as the one stating that data protection is a right of natural persons. It cannot be overlooked that they add to the LGPD the protection of data for legal entities if the facts occur in the digital environment: "These are the rights of persons, natural or legal, in the digital environment, in addition to others provided for by law or in international documents and treaties to which Brazil is a signatory: I – the recognition of their identity, presence, and freedom in the digital environment; II – the protection of personal data and information, in accordance with personal data protection legislation;"
The amended Civil Code also adds provisions relating to brain data, such as: “(…) VI – right to protection against discriminatory practices, biased based on brain data. § 3 Neurorights and the use of or access to brain data may be regulated by specific rules, provided that the protections and guarantees granted to personality rights are preserved.”
Specifically regarding data leaks, the new Art. 609-E provided that “digital service providers shall take measures to safeguard the expected and necessary security for the digital medium and the nature of the contract, in particular against fraud, against malicious computer programs, against data breaches or against the creation of other cybersecurity risks. Sole paragraph. Digital service providers shall be civilly liable, as provided for in this Code and by the Consumer Protection Code, for leaks of information and data of users or third parties.”
In summary, the changes to the Civil Code repeat or add protections in relation to those established by the LGPD, but always concerning data existing in the digital environment. The Superior Court of Justice (STJ) is the best benchmark to have when analyzing jurisprudence on data leaks, since all cases with appeals will be decided by it, in the final instance.
Currently, the STF has been ruling that the data owner must prove actual damage when seeking compensation. Therefore, the damage is not considered as presumed. Without damage, there will be no compensation, although the responsible party may be fined by the ANPD (National Data Protection Authority).
Over the years, it will be possible to observe practical occurrences so that legislation on the subject can be made more efficiently, without removing the necessary freedom of action for companies in this regard. A balance must be reached between prohibitions, penalties, and permissions so that everyone can better enjoy the flow of data. The understandings on the topic will become more uniform as the volume of legal issues increases and they are brought under review.