Year in review
As mentioned above, 2020 was marked by the entry into force of the LGPD, which is largely based on the EU General Data Protection Regulation.5 The LGPD sets out numerous principles and obligations applicable to all kinds of entities that collect, process and store personal data.
There has, therefore, been litigation with respect to data protection provisions and significant new lawsuits based on the provisions of the LGPD. In one landmark case, a consumer association filed a collective action against a company that operates a subway line in São Paulo and was using facial recognition software in its stations. The first instance judge of the 37th Civil Court of São Paulo obliged the defendant to cease using any facial recognition software and to pay an indemnification of 100,000 reais in collective moral damages.
In March 2022, public entities of the state of São Paulo, along with civil associations, filed another lawsuit against the company that operates the São Paulo subway and obtained an injunction to prevent the defendant from implementing a system’s functionality that would collect biometric data from individuals for facial recognition purposes. The plaintiff filed an interlocutory appeal, which is still pending decision, but the reporting judge did not suspend the injunction granted by the first instance court. The main lawsuit is also pending a final decision.
In 2020, the Federal District Public Prosecutor’s Office filed a suit against a company that operates a credit ratings database and other databases, obtaining an injunction to prevent the company from selling individuals’ personal data and offering certain marketing and sales prospecting services that rely on the disclosure of personal data. In another case, a judge from a labour court in the city of Montenegro in the state of Rio Grande do Sul agreed with a labour union’s requests to oblige an employer to comply with certain provisions of the LGPD, including appointing a data protection officer and confirming the adoption of measures to ensure the confidentiality and safety of personal data.
An association also filed a civil public action against a large credit bureau that suffered a data breach incident and against the Federal Union, requiring that the credit bureau pay an indemnification for each data subject affected by the breach (totalling 200 million reais) and that the Brazilian Data Protection Authority (ANPD) carry out a technical audit to investigate the issue. The case is still being processed in a federal first instance court.
The same association filed a lawsuit against Meta and WhatsApp before the latter’s new privacy policy entered into force, requesting that the judge prevent the companies from sharing users’ personal data within their economic group. The judge rejected the injunction sought by the plaintiff on the grounds that there was no prima facie indication of any violation of data protection norms. The lawsuit is still being processed in the first instance, but the new WhatsApp privacy notice has already been examined and ratified by the ANPD. The ANPD has also examined and issued recommendations with respect to the cookie policy of the Brazilian government’s website (gov.br) to bring the policy into compliance with Brazilian legislation.
The ANPD is still focused on issuing norms about many aspects of the LGPD that still require further regulation and on educating companies. It has not yet applied penalties for non-compliance with the LGPD. It has published guidelines about the processing of personal data by the government, processing of data with respect to elections, information security for small-sized processing agents, data protection officers and data breaches. It has also issued regulations concerning its monitoring and sanctioning proceedings, although it is yet to issue other norms, including those regarding the international transfer of data.
In a very relevant case, at the end of 2020, a large power utility company suffered a data security incident that resulted in the personal data of around 4 per cent of its customers being unduly released. This resulted in several actions, including an administrative investigation from the Consumer Protection Agency of São Paulo, Procon-SP, which concluded in 2021 that the power company failed to meet its privacy obligations and failed to address the incident correctly according to the law. Consumers filed suit individually against the power utility company. There was at least one decision in which the judge found that the plaintiff did not demonstrate that their data was actually breached or that they suffered any damages due to the incident in question. This same type of individual lawsuit is increasing in volume across all Brazilian courts.
Another remarkable case concerned the Direct Unconstitutionality Actions filed against a provisional measure enacted by the President in September 2021 that aimed to change the Civil Rights Framework for the Internet to require a ‘justified cause’ for application providers to remove content published by users, listing the types of causes that could be accepted. The provisional measure was suspended by the Brazilian Supreme Court in September 2021, then Congress decided to remove the piece of legislation, thus ending the discussions and causing the Direct Unconstitutionality Actions to be dismissed as they were no longer necessary.
There was also a spike in the number of cases filed against music and audio-visual streaming services by rights holders and individuals claiming that their works or images were used by the services without their authorisation or in a way that infringed their rights. In 2021, the Brazilian Supreme Court decided, in a binding precedent, that the right to be forgotten is generally not compatible with Brazilian law and with the Constitution, and that the rights to obtain information and to free speech with respect to public information should prevail in a democracy. This same understanding is being adopted by lower courts in deciding similar cases, especially with respect to content that is of a journalistic nature, such as documentaries.
There has also been litigation related to mobile apps and app stores in which civil associations questioned certain practices, including the offering of free apps with the possibility of in-app purchases as well as the offering of apps and games incorporating a loot box system, in which users or players have the possibility of obtaining in-app items or other benefits randomly and can pay for higher or additional chances of getting better prizes. The latter case involves several app and game developers as well as companies that operate app stores. There is also collective litigation against manufacturers of mobile devices about alleged defects in their products.
Another development that has surfaced recently is the filing of lawsuits by associations, and the opening of investigations by public entities, questioning the accessibility of websites, especially for individuals who are visually or hearing impaired.
Finally, a trend that is continuing to yield numerous lawsuits, both civil and criminal in nature, is individuals or law enforcement authorities requesting the disclosure of subscription data, IP addresses, content or logs from third parties. Most such requests relate to content from apps (e.g., messaging or social media apps) or content from websites or that is otherwise stored in the cloud and are addressed to the companies of the economic group that provide or operate such apps or cloud and hosting services.
Specifically in relation to criminal cases, the Brazilian Supreme Court has yet to decide on Declaratory Action for Constitutionality No. 51, filed by the Federation of Associations of Information Technology Companies, Assespro, to determine whether Decree No. 3,810/2001 establishing the Mutual Legal Assistance Treaty in Criminal Procedures between Brazil and the United States is constitutional and whether it should be the avenue through which law enforcement authorities request information pertaining to users of foreign internet application providers. Currently, authorities usually send official requests or court orders to a local company in the economic group that operates an app, cloud or hosting service requesting the disclosure of data or content. The Supreme Court decision may mean that this practice will have to be reconsidered if the data or content requested pertains to users of foreign companies.