The Second Panel of the Superior Court of Justice ("STJ") has unanimously held that a security incident involving a leak of non-sensitive personal data does not automatically grant the affected data subjects an indemnification right against controllers, as per the decision published on March 10, 2023, on the Interlocutory Appeal in Special Appeal No. 2.130.619. In this scenario, there is no presumed moral damage that would automatically give rise to the duty to indemnify. Therefore, it is up to the individual to evidence the moral damage suffered as a result of the leak of their personal data.
In this case, the plaintiff argued that the data subject's personal data should be seen as sensitive under the Brazilian General Data Protection Law (“LGPD”), as the individual is an elderly person and, thus, more vulnerable and entitled to a higher level of protection. However, the Second Panel of the STJ decided that the list of sensitive personal data in Article 5, II, of the LGPD is exhaustive. This means that only the categories of sensitive data expressly listed in this provision may be considered sensitive.
This decision, the STJ's first on this topic, strengthens an understanding that has been gradually adopted by Brazilian courts: Security incidents do not automatically lead to moral damages to the affected individuals. Thus, data subjects must evidence the damage they have suffered.