In order to better comprehend the development of data protection culture in Brazilian Courts, the Center of Law, Internet and Society (“CEDIS-IDP”) of the Brazilian Institute of Education, Development and Research (“IDP”), along with the legal search platform, Jusbrasil, have launched the second edition of the Painel LGPD nos Tribunais (“Panel”). The research presents an analysis of the main court decisions related to Law N. 13.709/18, known as the Brazilian General Data Protection Law (“LGPD”).

During this research, 1.789 documents were analyzed from September 2021 to September 2022. The Painel LGPD nos Tribunais identified that most of the relevant Court decisions related to LGPD were issued by São Paulo’s Court of Justice, followed by Bahia’s Court of Justice.

Regarding the most discussed chapters of the LGPD, this year’s study has shown that chapters related to the Requirements for the Processing of Personal Data, and of Accountability and Compensation for Damages were the most analyzed topics by the Courts. According to the research specialists’, this indicates that the discussion has turned over to more specific and practical subjects, when compared to the 2021 results.

One of the main subjects of the 2022 Panel was the request to produce digital evidence of employee geolocation in labor lawsuits. These requests are not only made by employers to verify where their employees were during working hours but also made by employees who want to prove their labor rights. Several decisions have rejected the request of the employee’s geolocation under the argument of possible LGPD violations.

Another discussion regarding the LGPD was the civil liability for security incidents and data leaks. The research has also identified that some decisions recognized service failures but did not grant compensation. The reason for this is the need to prove a loss or damage was directly caused by the leak. Some Court of Appeals decisions understand that one can only receive compensation if sensitive personal data are leaked.

Undue inscriptions in the register of bad debtors (such as Serasa Limpa Nome) were also a recurrent theme in the LGPD-related decisions. Concerning this topic, some of the Court decisions have considered this platform generates damage to the person’s reputation and reliability, violating the Brazilian data protection law, as well as the Consumer Protection Code. One decision about this theme has considered the practices that stimulate consumers to pay for debts beyond the statute of limitations as abusive and violates the LGPD principle of nondiscrimination (article 6, IX, Law n° 13.709/18).

The fourth most recurrent topic identified by the research was the right to review the automated processing of personal data as established by article 20 of LGPD. Most of the decisions are related to users banned from digital platforms because of decisions taken exclusively by artificial intelligence. In most of the analyzed decisions, the Courts have denied the request to review the automated decisions. In addition, it was observed a tendency to deny the production of evidence, which was considered by the research as a barrier to the effectiveness of the rights specified in the law.

Concerning the conclusions taken by the Panel, the research indicates that there has been an evolution of the discussions about the LGPD, with more complex controversies brought to the Courts. While the debates analyzed in the research’s first edition were mainly about principles, this year’s Painel LGPD nos Tribunais has observed a higher quality of the arguments not only in trial courts but also in courts of appeals.

Another conclusion observed by the research was that, compared to last year’s analysis, the number of relevant decisions related to LGPD has almost tripled, which evidences that the data protection discussion in Brazil has gained more complexity and relevance.

For more information, please contact Saud Advogados.