An extract from The Technology Disputes Law Review, 1st Edition
Year in review
As mentioned above, 2020 was marked by the entry into force of the LGPD, which is largely based on the EU General Data Protection Regulation.5 The LGPD sets out numerous principles and obligations applicable to all kinds of entities that collect, process and store personal data.
There has, therefore, been litigation with respect to data protection provisions and significant new lawsuits based on the provisions of the LGPD. In one landmark case, a consumer association filed a collective action against a company that operates a subway line in São Paulo and was using facial recognition software in its stations. The first instance judge of the 37th Civil Court of São Paulo obliged the defendant to cease using any facial recognition software and to pay an indemnification of 100,000 reais in collective moral damages.
In the second half of 2020, the Federal District public prosecutor's office filed a suit against a company that operates a credit ratings database and other databases, and obtained an injunction to prevent the company from selling individuals' personal data and offering certain marketing and sales prospecting services that rely on the disclosure of personal data.
In another case, a judge from a labour court in the city of Montenegro in the state of Rio Grande do Sul agreed with a labour union's requests to oblige an employer to comply with certain provisions of the LGPD, including appointing a data protection officer and confirming the adoption of measures to ensure the confidentiality and safety of personal data.
Also in the context of personal data, there has been an increase in the filing of legal actions resulting from data breaches or data scraping incidents reported in the media, including the Cambridge Analytica incident that affected Facebook. One example is a lawsuit filed by a consumer protection association, based on data protection principles and consumer protection rules, against Facebook back in 2018 in which the first instance court decided that there was no illegal action attributable to Facebook and thus it should not be held liable for any disclosure of data. The association appealed and the case is now being tried by the São Paulo Court of Appeals.
There was also a spike in the number of cases filed against music and audio-visual streaming services by right holders and individuals claiming that their works or images were used by the services without their authorisation or in a way that infringed their rights. In 2021, the Brazilian Supreme Court decided, in a binding precedent, that the right to be forgotten is generally not compatible with Brazilian law and with the Constitution, and that the rights to obtain information and to free speech with respect to public information should prevail in a democracy.
There has also been litigation (ongoing during the past year or that started within that period) related to mobile apps and app stores in which civil associations questioned certain practices, including the offering of free apps with the possibility of in-app purchases and the offering of apps and games with the loot-box system, in which users or players have the possibility of obtaining in-app items or other benefits randomly and can pay for higher or additional chances of getting better prizes. The latter case involves several apps and games developers and companies that operate app stores. There is also collective litigation against manufacturers of mobile devices about alleged defects in their products.
Finally, a trend that is continuing to yield numerous lawsuits, both civil and criminal in nature, is for private entities to request individuals or law enforcement authorities of the disclosure of subscription data, IP numbers, content or logs from third parties. Most of such requests relate to content from apps (e.g., messaging or social media apps) or content from websites or that is otherwise stored in the cloud and are addressed to the companies of the economic group that provide or operate such apps or cloud and hosting services.
Specifically in relation to criminal cases, the Brazilian Supreme Court has yet to decide on Declaratory Action for Constitutionality No. 51, filed by the Federation of Associations of Information Technology Companies, Assespro, to determine whether Decree No. 3,810/2001 establishing the Mutual Legal Assistance Treaty in Criminal Procedures between Brazil and the United States is constitutional and whether it should be the avenue through which law enforcement authorities request information pertaining to users of foreign internet application providers. Currently, authorities usually send official requests or court orders to a local company in the economic group that operates an app, cloud or hosting service requesting the disclosure of data or content, and the Supreme Court decision may mean that this practice will have to be reconsidered if the data or content requested pertains to users of foreign companies.