The Brazilian Superior Court of Justice (STJ) ruled that Enel (formerly Eletropaulo) is responsible for providing complete information to customers whose non-sensitive data was exposed, even in the event of a hacker attack. The company must disclose the entities with which it shared the data, the criteria used, the origin, the purpose of the processing, and provide a copy of all data related to the individual, as stipulated by Article 19, II of the LGPD (Brazil's General Data Protection Law).

In Case REsp 2.147.374, the court rejected Enel’s argument that the breach should be an exclusion of liability under Article 43, III of the LGPD. The ruling emphasized that the company’s obligation to protect consumer data is not exempt from third-party illegal activities.

Key Aspects of the Decision

1. Data Protection as a Fundamental Right and Security Measures

Minister Ricardo Villas Bôas Cueva, the case’s rapporteur, ruled that data protection is a fundamental right under Constitutional Amendment 115/2022. As a data controller, Enel was expected to implement adequate security measures. The court found that the lack of sufficient security constituted a failure in service delivery and violated the legitimate expectation of data protection held by the consumer.

2. Transparency Obligations

Enel was ordered to provide full disclosure about the processing of the affected data, including its origin, sharing details, and processing purposes, under Articles 18, VII, and 19, II of the LGPD.

3. Exclusion of Liability Argument Rejected

The court dismissed the argument that the incident was caused exclusively by third parties (Article 43, III of the LGPD). It ruled that Enel failed to prove the breach was entirely outside its control, thus maintaining the decision of the São Paulo Court of Justice (TJSP).

4. Compliance and Governance

The judgment highlighted the critical role of robust data compliance programs. Beyond mere legal formalities, companies must demonstrate the implementation of effective protection measures and risk mitigation strategies.

5. Rejection of Force Majeure Argument

The STJ explained that data breaches caused by cyberattacks do not always constitute external fortuitous events. The court stated that ensuring system security is an inherent part of corporate responsibility.

Lessons from the Decision

The ruling reinforces that data controllers bear the responsibility for protecting personal data, even in cases of cyberattacks, and must ensure transparency and compliance with LGPD requirements. It also underscores the growing importance of data governance in corporate accountability, emphasizing proactive measures to safeguard the rights of data subjects.

This decision sets a significant precedent for data protection liability in Brazil, reiterating that breaches resulting from insufficient security measures can lead to legal and financial repercussions for businesses.
