The inclusion of civil liability for data breaches is something very well regulated by the General Data Protection Law (LGPD). However, the subject is also addressed in the Civil Code, with the changes being made to it and the creation of Digital Law
Addressing the same topic in two distinct laws or regulations, even if of different levels, it may lead to confusion and interpretative difficulties. It is the role of jurists – whether they are lawyers, judges, prosecutors or promoters – to appease the doubts, it is up to the Courts to standardize the understanding of the issues presented for consideration
The concomitance of laws often brings legal uncertainty and greater complexity to the lives of citizens and legal entities. However, there is still much to mature, both in Brazil and in other countries, regarding the data leak. Although the cases that occurred attract a lot of attention, the quantity of them is still considered small compared to the existing flow of data in the world
The changes to the Civil Code introduce concepts and rules regarding the provision of digital services (art. 609), digital assets of the deceased (art. 1791-A, digital asset legacies (art. 1918-A) and some concepts, principles and rules of Digital Law. They address the topic of data in several points, like in Art. 1791-A § 3, which provides that "any contractual clauses aimed at restricting the powers of the person to dispose of their own data are null and void", except for those who, by its nature, structure and function had limits of use, of enjoyment or of disposition
Criteria are also pointed out to define the lawfulness and regularity of the acts and activities that take place in the digital environment. This is characterized as the "virtual space interconnected through the internet, understanding global computer networks, mobile devices, digital platforms, online communication systems and any other interactive technologies that enable creation, the storage, the transmission and reception of data and information.”
When listing the foundations of the discipline called Digital Law, the amended Civil Code indicates "the respect for privacy, to the protection of personal and property data, as well as to informational self-determination. The LGPD is not limited to regulating data circulating on the internet, also addressing data processed in internal and external environments of controllers and operators, be it in written form, physical or even verbal
The modified Civil Code and the LGPD coexist. They are not contradictory. In this way, The Civil Code will serve as a basis for the interpretation of any gaps in the LGPD. For example, it analyzes the question that arose about whether the deceased person has the right to data protection. In the same way for the hereditary transmission of data. The LGPD does not address this specific issue, but the changes to the Civil Code make it clear that the deceased has this right
In another way, one can analyze the issue of data leakage. The LGPD is clear in establishing penalties for data breaches. The changes to the Civil Code, in turn, establish conceptual definitions for the theme. This happens, for example, when introducing the guarantee of security in the digital environment, revealed by data protection systems, as a fundamental parameter for the interpretation of the events that occurred in the digital environment
The changes to the Civil Code even repeat some provisions of the LGPD, such as the one that states that data protection is a right of natural persons. It cannot be overlooked that they add to the LGPD the protection of data for legal entities if the facts occur in the digital environment: "People have rights, natural or legal, in the digital environment, in addition to others provided for by law or in international documents and treaties to which Brazil is a signatory: I – the recognition of your identity, presence and freedom in the digital environment; II – the protection of data and personal information, in accordance with personal data protection legislation;”
The amended Civil Code also adds provisions related to brain data, how: “(…)VI – right to protection against discriminatory practices, envies based on brain data. § 3 The neurorights and the use or access to brain data may be regulated by specific norms, as long as the protections and guarantees granted to personality rights are preserved.”
Specifically about the data leak, the new Art. 609-E brought the forecast that "digital service providers will take measures to safeguard the expected and necessary security for the digital environment and the nature of the contract, especially against frauds, against malicious software programs, against data breaches or against the creation of other risks in the field of cybersecurity. Sole paragraph. Digital service providers are civilly liable, in the manner provided for in this Code and by the Consumer Protection Code, for the leaks of information and user or third-party data.”
In summary, the changes to the Civil Code repeat or add protections in relation to those established by the LGPD, but always regarding the existing data in the digital environment. The Superior Court of Justice (STF) is the best parameter one can have when analyzing the jurisprudence on data leaks, since all processes that have an appeal will be decided by the same one, ultimately
Currently, the STF has ruled that the holder of the leaked data must prove the actual damage when seeking compensation. Therefore, the damage is not considered as presumed. No damage occurring, there will be no compensation, although the responsible party may be fined by the ANPD (National Data Protection Authority)
As the years go by, it will be possible to observe practical occurrences so that legislation can be more efficient on the subject, without removing the necessary freedom of action for companies in this regard. One must reach a balance between prohibitions, penalties and permissions, so that everyone can better enjoy the circulation of data. Understandings on the subject will become more uniform as the volume of legal issues increases and is brought for consideration
