The breach of data confidentiality of social networks users has raised relevant debates in the legal and social environments. If on the one hand it is recognized that the user of social networks can freely exercise their freedom of speech, on the other hand it is certain that this freedom is limited by the personality rights of other people.

Recently, the Superior Court of Justice (STJ) published the newsletter 720, which highlights the trial of REsp 1.914.596/RJ, rapporteurship of Minister Luis Felipe Salomão. In this trial the Fourth Panel unanimously decided that internet access providers must provide the registration data (name, address, identity and CPF) of users responsible for posting videos with slanders to the memory of former councilwoman Marielle Franco.

Although the judgment has not yet been drawn up, it is possible to draw some relevant conclusions from the judgment, which is fully available in the stj channel in the YouTube. The first concerns the discussion about the breach of confidentiality of an internet user's registration data when they have committed an unlawful act, which could allow victims to use that data to exercise their rights.

In the specific case, Marielle Franco's family filed a lawsuit against Google (administrator of YouTube) asking for the removal of offensive videos to the former councilwoman, which was granted in the District Court and confirmed by the Court of Appeal of  Rio de Janeiro (TJ /RJ). Google was also requested to break the confidentiality of data of those who carried out the offensive postings, which was denied by the court.

The state court rejected the request for a letter dispatch to internet access providers to provide the full identification of those responsible for the postingof the videos, under the following arguments:

  • judicial intervention for the identification of connection providers should be unnecessary;
  • the breach of data confidentiality must occur through criminal procedure;
  • impossibility of conviction outside of what was requested by the author; and
  • impossibility of convicting third parties who did not join the court.

However, the minister rapporteur Luis Felipe Salomão rejected, one by one, all these arguments, being established that, in the face of evidence of illegality, the only way to obtain data protected by secrecy, as a way to instruct civil and criminal proceedings, is through judicial intervention. The position reaffirmed what is already expressly provided for in Article 22 of the Civil Framework of the Internet – MCI (Law 12.965/14) and is in line with the recent jurisprudence of the Supreme Court on the subject (

According to the minister if you have an ongoing court case, this doesn’t breach the data protection act because it doesn’t fall within the definition of protection of the flow of information, outlined in law 9.296/96, but the court proceedings assesses the level of indemnification for the breach of the data protection act.

In relation to the third argument, the minister clarified that the request for user identification  is in full line with the cause of the action and even added that the jurisprudence of the Supreme Court allows the magistrate to extract from the logical-systematic interpretation of the application what the party intends to obtain from the action.

Another relevant point highlighted by the Minister concerns the need to prove the evidence of illegality in the user's conduct and that the request for breach of confidentiality is specific. In the specific case, the request was specific to provide the data of the users who actually posted the offensive videos, whose IPs had already been provided by Google. It is worth remembering that the STJ has already dismissed a claim to breach the confidentiality of data of users who shared a video which speech that later was considered offensive (REsp 1.859.665/SC).

For the minister there is no need to talk about conviction of third parties because the case refers to the hypothesis of duties imposed on third parties in order to assist the fulfillment of court orders, as stipulated by the arts. 77 and 139 of the Code of Civil Procedure.

There is a more recent understanding of the STJ (REsp 1,306,157/SP) that the access provider is obliged to identify, based on IP, internet user author of an illegal act, when provoked by the Judiciary, even if the act was practiced before the validity of the Civil Framework of the Internet.

In giving the special appeal, the minister stressed that such conclusions do not conflict with the General Data Protection Law - LGPD (Law 13.790/18), because it does not exclude the breach of confidentiality. In addition, the provision of information by internet connection providers should comply with the rules provided for in the arts. 23 and following the LGPD.

With this decision, Minister Luis Felipe Salomão reaffirms the position he already held in 2014, when he declared that "the judiciary can and should be inducing civilizing agendas of behaviors in the world computer network".[1] The breach of data secrecy thus becomes an important mechanism for the enforcement of the right of those who have their personality rights violated in social networks. It is also relevant the indication of the STJ that such a mechanism can be exercised in civil claims and does not contradict the LGPD.


[1] REsp 1,306,157/SP