The possibility of companies being ordered to pay compensation for personal data security incidents (data breaches) has always been widely debated, especially regarding the qualification of presumed moral damages.
The first landmark decision issued by the Brazilian Superior Court of Justice (STJ)* on this matter occurred in 2022, in Special Appeal No. 2130619 – SP, where through a unanimous understanding, the Court ruled that the breach of common personal data, by itself, does not generate presumed moral damages, requiring proof of actual harm caused.
However, in cases involving sensitive personal data breaches (those concerning racial or ethnic origin, religious belief, political opinion, union membership or religious, philosophical or political organization affiliation, health or sexual life data, genetic or biometric data), presumed moral damages would be established without proof of actual harm. It is worth noting that this ruling did not address the thesis of exclusive third-party liability.
Although the decision did not meet society’s expectations, it was extremely relevant for the market, given the large number of personal data incidents recorded annually and, especially, considering the volume of affected data subjects.
Subsequently, in December 2024, the STJ ruled in Special Appeal No. 2.147.374/SP that companies cannot evade responsibility for data breaches, even when claiming they were victims of hacker attacks or that the incidents were caused exclusively by third parties.
This precedent reinforces companies’ need to demonstrate, through concrete evidence, the adoption of effective security and risk-prevention measures for personal data processing, implemented in an efficient manner appropriate to each circumstance, at the risk of being held liable for damage to data subjects.
The STJ’s position emphasizes the importance of data compliance, that is, conformity with security standards, governance, and good practices in personal data processing, to ensure transparency, continuous monitoring, and an effective concrete structure to protect personal data and guarantee data subjects’ rights.
These decisions establish highly relevant precedents demonstrating corporate responsibility, reinforcing that potential incidents may lead to judicial consequences and financial implications for companies, either through lawsuits filed by data subjects regarding breaches and damages caused, or through administrative proceedings by the Brazilian Data Protection Authority (ANPD)** or Public Prosecutors’ Offices.
*STJ: Superior Tribunal de Justiça (Superior Court of Justice) is Brazil’s highest court for non-constitutional matters.
**ANPD: Autoridade Nacional de Proteção de Dados (National Data Protection Authority) is the Brazilian data protection regulatory body.