Brazil: Issued Brazil's Supreme Court of Justice ruling in Eletropaulo v De Souza on the right to compensation for alleged damages following data breach

On 7 March 2023, the Second Panel of Brazil's Supreme Court of Justice issued its ruling on the Eletropaulo v De Souz case, involving the right to compensation under Law for the General Protection of Personal Data (LGPD) for alleged damages following a data breach, overturning the previous ruling in the case. The plaintiff claimed that her personal data was leaked, including name, date of birth, address and identification document number, and later shared with third parties and "generated potential danger of fraud and harassment". The Court of Justice of São Paulo ruled in the plaintiff's favour and fined Eletropaulo BRL 5'000 for the data leak. The Supreme Court overturned the previous ruling and ruled that the burden of proof falls on the plaintiff that claims damages after her personal data was leaked due to a data breach. In particular, the Court stated that the plaintiff must prove the existence of "indemnifiable moral damage" if the data leaks did not include sensitive data, which would require Eletropaulo to implement additional security measures to protect such information. Furthermore, the Supreme Court stated that the data leak represents a failure in the Eletropaulo provision of services, but the company cannot be held liable for data breaches that don't have the potential of causing "indemnifiable moral damage".