Diego Gualda and Laura Aliende da Matta

With the entry into force of the General Data Protection Law (LGPD) on September 18, its obligations became enforceable and the issue of liability came to the fore. While administrative sanctions can only be applied after August of 2021, civil liability is immediately applicable, which makes it essential to resume the debate on the conditions for holding data processing agents liable under the LGPD.

The rules on the liability of the controller and operator are of the utmost interest to the market, given the potential for significant financial impact. Consideration should also be given to the novelty of the law for legal practitioners, especially in the Judiciary, who will certainly approach the LGPD on the basis of already established models, including from the point of view of civil liability.

In this context, it is possible that many will read the civil liability rules of the LGPD without due attention to the possibilities of interpretation left open by the text of the law. What we propose in this article is precisely to draw attention to this examination. In particular, we argue against an interpretation that treats strict liability as the general rule for the processing of personal data.

Strict or subjective liability

There is a debate about the nature of civil liability under articles 42 to 45 of the LGPD. Some argue that the legislator's original vision was to prepare a system of strict liability, which would be evident in the justifications and motivations of the LGPD bill itself. Others consider the activity of data processing to be risky.

On the one hand, it is a fact that the standard mode of liability in Brazilian civil law is subjective (fault-based) liability. Article 927 of the Civil Code itself establishes that the obligation to repair damage caused to another arises from the finding of an unlawful act, according to the provisions of articles 186 and 187 of the code. Furthermore, the sole paragraph of article 927 establishes the exceptional form of strict liability:

“Sole paragraph. There will be an obligation to repair the damage, independent of fault, in the cases specified in the law, or when the activity as normally conducted by the perpetrator of the damage implies, by its nature, risk to the rights of another.”

In general, Brazilian case law has maintained the interpretation that strict liability will only occur in exceptional cases, either by express legal determination or on the occasion of activities that represent a risk inherent to the rights of third parties.

In fact, the LGPD does not present an express determination on liability independent of fault. In addition, the provision states that the conduct of the processing agent must be in violation of personal data protection legislation, that is, in the face of failure to comply with the duties brought about by the law, which provides for fault in the broad sense as the basis for liability. The reproachability of the conduct of the processing agent is linked to the breach of the duty to comply with the provisions of the LGPD.

Nevertheless, it would then be appropriate to assess whether data processing is a risky activity in itself. This question may remain unsettled because of the wide variability of personal data processing activities, which range from elementary conduct with low potential for harm, such as exchanging business cards in commercial activities, to profiling on the basis of sensitive personal data, which carries a higher degree of risk for the data subject.

Thus far, in general, the case law has relegated the classification of risky activity to activities that strictly present serious potential offense to the rights of third parties.

In any case, considering the LGPD's focus on the conduct of processing agents - so much so that liability and accountability are principles for the processing of personal data - the conclusion in favor of a strict liability model is contradictory to the very spirit of the law, which instead seeks to encourage processing agents to adopt good practices.

Again, it seems to us that the focus on the conduct of the processing agent, either by referring to the necessary act of violation of legislation to establish liability, or by recognizing accountability as a fundamental principle of data processing activity, leads to the subjective nature of civil liability in the LGPD as the general rule of its system. The text of the law says:

"Article 42. The controller or operator who, due to the exercise of personal data processing activity, causes to another person property damage, non-economic, individual or collective, in violation of personal data protection legislation, is obliged to repair it.

Paragraph 1, subsection I - the operator is jointly and severally liable for damages caused by the processing when it fails to comply with the obligations of the data protection legislation or when it has not followed the lawful instructions of the controller, in which case the operator is equated to the controller, except in the cases of exclusion provided for in article 43 of this Law."

Even more indicative of subjective liability is the scenario for exclusion from liability set out in subsection II of article 43:

"Article 43. Processing agents shall not be held liable when they prove:

I - that they have not carried out the processing of personal data attributed to them;

II - that, although they have carried out the processing of personal data attributed to them, there has been no violation of the data protection legislation; or

III - that the damage is the sole fault of the data subject or a third party."

While subsections I and III normally refer to exclusions in cases of strict liability, since they affect the causal link between the conduct of the processing agent and the damage, subsection II turns to the element of conduct, that is, whether or not it violates the legislation. Under the provision, even if conduct related to data processing causes damage to a data subject, if such conduct is not unlawful, if it is not contrary to the duties set by the law, then the controller should not be held liable.

This concept reinforces and preserves the principle of accountability of the agent, namely the encouragement of good practices in the processing of personal data. In fact, it encourages processing agents to make an effort to design and implement sound compliance processes, to make decisions on the processing of personal data in a conscientious manner, and to carry out accurate assessments of the risk of processing for the data subject, since a demonstration of LGPD-compliant conduct, in addition to mitigating liability, may exclude liability altogether, depending on the circumstances of the specific case.

It is worth emphasizing again that strict liability of the processing agents would make them liable for damages caused to data subjects regardless of any conduct contrary to the legislation. In other words, they could be held liable for damage to data subjects that does not result from the breach of any legal or regulatory provision on the parameters required for data processing. In this scenario, the question would be: if the conduct of the agent is not what triggers liability, what is the reason for adopting good practices or investing in expensive compliance measures?

It seems to us that the most appropriate interpretation of the liability established in the LGPD is that it is based on fault (even if one could argue for civil liability with presumed fault). This interpretation also serves the best interest of the data subject, because the incentive for good practices - resulting from the focus on the wrongful conduct of the agent - results in greater protection for the data subject.

Thus, companies will be able to demonstrate in court the measures effectively taken to maintain compliance with data protection legislation and regulations in order to guard against liability. If the processing agent proves that it adopted the conduct expected under the LGPD, it cannot be held liable.

Future regulations of the ANPD (National Data Protection Authority) may serve as an optimal parameter for the reasonable efforts expected of companies for each type of processing activity, by purpose and/or by sector of operation. Thus, not only will protection of the data subjects' data be guaranteed, but so will the criteria for the conduct to be adopted by the processing agents, in line with the principle of accountability.