On September 21, 2020, the Prosecution Service of the Federal District and Territories (MPDFT) in Brazil filed a public civil action against a user who used an e-commerce website, which functioned as a marketplace, to sell personal data.
This user has offered a significant amount of personal data, including name, CPF (Individual Taxpayer Registration Number) and address. The MPDFT claimed that there was an illegal processing of personal data, which caused damage to the data subject, breaking not only LGPD (Brazilian General Protection Regulation – Law No. 13.709/2018), but also the Civil Code, Civil Act of Internet and the Constitution.
The 17th Civil Court of Federal District Court of Justice has accepted MPDFT requests. The user was condemned to stop providing personal data, free of charge or not, under penalty of a fine of BRL 5,000.00 for each operation in this way.
The judicial decision has confirmed the fact that personal data protection and privacy are constitutional rights, including that the Supreme Court of Brazil (STF) recognized the personal data protection as a fundamental right in 2020 before LGPD came into effect. The decision was also based on the alleged necessity of a specific consent from each of the data subjects to share their data.
The main point presented, and the big concern that arose with this judicial decision, was the retroactivity of the LGPD enforcement, considering that the facts of the case occurred before LGPD came into force—which happened only on September 18, 2020. The judge mentioned that this retroactivity causes discussion among lawyers, but the LGPD prescribes that it can be applied in situations before its effects, based on its article 63:
Article 63: The national authority will establish rules on the progressive compliance with the databases constituted to the effective date of this law, considering the complexity of the processing operations and the nature of the data.
However, it is important to mention that the article 63 relates to the transitional provisions of the LGPD and that ANPD (Brazilian Data Protection Authority) is responsible for regulating it, which has not yet been done. In addition, the judicial decision can still be appealed by the accused user.
For more information related to this Legal Update, please contact our Data Privacy and Intellectual Property group.