The discussion on the nature of civil liability in the General Data Protection Act

The General Personal Data Protection Law (LGPD) came into force in Brazil in September 2020 and brought with it a series of changes to the way companies and organizations should handle personal data.
Among these changes, one of the most important is the inclusion of civil liability in the processing of personal data.
And when we talk about the LGPD, we can’t leave aside other rules of national legislation that are in line with the regulation under analysis.
Here we can mention the institute known as the “dialog of sources”, an expression coined by Erik Jayme, which deals precisely with the simultaneous application of more than one law to a specific case.
It is from this idea that the normative solution of the General Data Protection Law arises when disciplining civil liability, since it establishes that any breaches that give rise to reparation are subject to the liability rules provided for in the relevant legislation.
Civil liability is one of the fundamental principles of Brazilian law.
It is the obligation that an individual has to repair the damage caused to another person, whether by action or omission.
In the LGPD, civil liability is present in several articles, mainly in articles 42 to 45.
According to the LGPD, anyone who suffers damage as a result of the improper processing of their personal data can demand compensation for the damage suffered.
This means that companies and organizations that collect, store and process personal data must take all necessary measures to ensure the security of this data and prevent any kind of leakage or improper access.
In addition, the LGPD also stipulates that companies and organizations must inform data subjects of the use that will be made of this data, as well as its purpose and how it will be processed.
This obligation to comply with the principle of transparency is fundamental to ensuring that data subjects can exercise their rights, such as accessing, rectifying and deleting their personal data.
In this sense, the LGPD seeks to ensure mechanisms to safeguard the information of natural persons.
The controversy lies, in fact, in the legal details that can greatly alter the decisions to be made by law enforcers.
There are those who believe that the civil liability discussed here is subjective liability, while there are many advocates of classifying this liability as objective.
Subjective liability is based on the idea that a person or company can only be held liable for damage caused when there is actual proof that they acted with fault or intent, i.e. with the intention to harm.
Objective liability, on the other hand, means that the person or company is responsible for the damage caused regardless of fault or intent, as long as the action or omission that caused the damage occurred.
In the General Data Protection Law, strict liability is provided for in article 37, which states that “the controller or operator who, as a result of carrying out the activity of processing personal data, causes damage to property, morals, individual or collective, is obliged to repair it”.
In other words, the company can be held liable even if it has not acted with fault or intent, as long as it has caused damage to one (or more) data subjects. On the other hand, subjective liability is defended by some scholars, who argue that the LGPD should not be applied indiscriminately, but in accordance with each company’s responsibility for data processing.
In other words, the company should only be held responsible when it is proven that it acted with fault or intent, and not just because it caused damage.
Objective liability can be seen as more rigorous, since the company is responsible for the damage caused, regardless of fault or intent.
This can encourage companies to invest more in data security to avoid possible damage.
On the other hand, subjective liability can be seen as fairer, as it only holds the company responsible if there is proof of fault or intent.
This can prevent companies from being unfairly held responsible for damage they did not intentionally cause.
With regard to this discussion, the most important thing to bear in mind is that the LGPD is an extremely recent piece of legislation, which is why there are still many doubts about its application.
The discussion about subjective versus objective liability is just one of the many questions that arise from interpreting the law.
Given all this, it is essential that companies and organizations seek expert legal advice to ensure that they are in compliance with the law and to avoid any kind of sanction or civil liability.  

Want to know more? Get in touch with our team of experts!

Mais Insights

Manipulation of sports results and the importance of prevention programs

Gender equality and female participation in companies: what you need to know

The use of Legal 365 in process management

The discussion on the nature of civil liability in the General Data Protection Act