LGPD – Controller liability in the event of a security incident

Vanessa Salem Eid
Lawyer at Marcos Martins Advogados

Given how often user data leaks occur across various services, and with the advent of the General Data Protection Law (LGPD), it is of the utmost importance to analyze the liability of the parties involved in a leak and when that liability creates the obligation to indemnify.

Civil liability can be subjective or objective. In the former, there is a need to prove fault, i.e. the agent’s intention, as well as damage and the causal link, while the latter requires proof only of damage and the causal link. Objective civil liability will be characterized when the activity implies, by its nature, risks to the rights of others or when the law so establishes.

Section III of Chapter VI (articles 42 to 45) of the LGPD deals with civil liability and has not removed the element of culpability, which leads us to believe that its regime is subjective, not least because the articles are based on the fault of the data controller or operator.

In this vein, article 42 of the LGPD states that “the controller or operator who, as a result of carrying out the activity of processing personal data, causes property, moral, individual or collective damage to others, in violation of the legislation on the protection of personal data, is obliged to repair it”. In other words, liability may fall on whoever must be diligent in relation to the database, whether a legal entity or an individual.

It is important to note that the controller will be jointly and severally liable if it is directly involved in the damage caused, except as provided for in article 43 of the LGPD, i.e. processing agents will be exempt from liability only if they prove:

I – That they have not carried out the processing of personal data assigned to them;

II – That, although they have carried out the processing of personal data assigned to them, there has been no violation of data protection legislation; or

III – That the damage is the exclusive fault of the data subject or a third party.

However, with regard to the operator’s liability, if it is proven that it caused the damage suffered by the data subject, it will be jointly and severally liable when it is confirmed that it failed to comply with the obligations and provisions of the LGPD or the lawful instructions of the controller.

It is worth stressing that each situation depends on a qualitative analysis of the agent’s conduct in monitoring and processing data, as this requirement is essential for the obligation to compensate for the damage caused to arise. Analyzing the law in its entirety, it is easy to see that if the legislator had opted for strict liability, it would not have listed the specific conduct that the agent must observe when processing data.

Drawing on the Consumer Defense Code, we see that if the legislator had intended liability to be objective, the expression “regardless of fault”, which qualifies the damage caused, would have been maintained.

The issue is fairly recent, but the São Paulo Court of Justice has already been forming a conviction that the liability applied by the law in question is subjective. Let’s see:

“INNOMINATE APPEAL. MORAL INDEMNITY ACTION. CONSUMER FRAUD. EXCLUSION OF LIABILITY. Fault of a third party (hacker) and of the consumer who, in manifest negligence, maintained contact with fraudsters on the defendant’s unofficial channels and whose social network profiles, created by the fraudsters, did not even register followers. Lack of proof of leakage of personal data, under the terms of article 43 of the LGPD. Judgment of dismissal upheld. Appeal dismissed.”[1]

Therefore, when the provisions of the law are interpreted systematically, analyzing its final objectives and the assets protected, the conclusion is that the LGPD applies subjective civil liability. In short, the law states that, as well as damage, causation and an unlawful act, fault is also an essential element in establishing the duty to compensate.

The matter is still quite new and is likely to divide opinion over the coming months, which is why Marcos Martins Advogados is closely monitoring the evolution of the law’s application, so that it can serve its clients in the safest and most up-to-date way possible.

[1] Civil Appeal No. 1001686-42.2021.8.26.0400 – First Civil Chamber of the TJSP – judged on January 31, 2022
