STJ Rules that Consumer Data Breach Only Entitles Compensation if Actual Damage Is Proven


On March 17 of this year, the Superior Court of Justice (STJ) analyzed a case of compensation for the leak of personal data by an electricity distribution company. When judging the Appeal in RESP No. 2,130,619/SP, the ministers understood that mere data leakage is not enough to give rise to the right to compensation for moral damages to the consumer; it is necessary to prove actual damage caused by this leakage.

Among the main arguments presented by the rapporteur, Minister Francisco Falcão, the need to prove moral damage in cases of common and sensitive personal data leaks stands out. The ruling establishes that the leakage of personal data, by itself, is not sufficient to generate compensable moral damage. It is necessary for the data subject to prove any damage resulting from the exposure of this information.

Another relevant point concerns the nature of the leaked data capable of configuring moral damage. So-called sensitive personal data are those that relate to the privacy of the natural person and are provided for in article 5, item II, of the LGPD (General Data Protection Law), among which can be highlighted: racial or ethnic origin, religious belief, political opinion, membership in a union or religious organization, as well as data related to sexual health and other intimate information.

Common data, on the other hand, is information that does not allow the direct or indirect identification of a specific natural person. Such data can be used to describe generic characteristics of a group of people, such as age, gender, profession, geographic region, and consumption preferences.

In the case at hand, the defendant Concessionaire did not protect the privacy of the following data of the plaintiff: date of birth, CPF and RG numbers, gender, address, telephone numbers, cell phone, address, installed load, estimated consumption, type of installation, and reading. For the STJ, such information would not be considered sensitive, since it only serves to identify the natural person and does not constitute data of an intimate nature. Furthermore, the plaintiff did not effectively demonstrate the damages caused by the leakage of the information. Therefore, the possibility of compensation for moral damages due to the undue disclosure of this data would be excluded.

In view of this recent stance in the upper court, the importance of adopting appropriate security measures to protect the personal data of customers and consumers, as provided for in the LGPD, regardless of their nature, is clear. This includes implementing clear and transparent policies on the processing of personal data and informing customers how their data will be used and what technical and organizational measures have been adopted to ensure the security of this information, as well as establishing a relationship of trust between companies and their customers.

Even if the data is considered less sensitive than personal data itself, it must still be protected by the companies and organizations that collect and process it. The LGPD establishes clear rules for the use of this data, including the need to obtain the consent of data subjects before collecting it and to ensure the security and privacy of this information throughout processing.

