During January 2021, Brazil experienced what could be its biggest data leak to date, involving the personal data of more than 220 million people and 40 million companies. The number of leaked data is greater than the number of inhabitants in Brazil.

The breach is said to have leaked personal ID numbers (CPF), dates of birth, and full names of nearly all of the Brazilian population, besides their addresses; headshots; credit scores, income and other financial information; individual income tax; telephone service registration data; information on schooling; social payment benefits; data relating to public servants; and LinkedIn information.

At this point it is still unclear who is responsible for the leak. Consumer protection agencies such as Procon and Senacon have already done their part asking for further clarification from Serasa Experian (a company providing information and data services), who has denied that the leak originated from its base. The Federal OAB (the Brazilian bar association) has also filed a request with the ANPD to investigate and assert its position on what happened, but the agency has not yet done so.

It is worth mentioning that in a number of recent incidents, Serasa Experian has been challenged in Brazil for its alleged commercialization of personal data. In the first of these incidents, a Brazilian Federal District Court in Brasilia ordered the company to stop selling personal data of consumers, under penalty of a daily fine.

The case involved a civil action taken by the Public Prosecutors Office, alleging that the company’s activities violate the LGPD (Brazil’s Data Protection Law). The case alleges that the company sells personal profile information (including in packages starting at a cost of R$1 per registered person) to companies looking to attract new customers, and that it is involved in the trade of the personal data of more than 150 million Brazilians, including names, personal ID numbers (CPF), telephone numbers, location, financial profile, purchasing power, and social class.

The public prosecutor that brought the action argued that the practices also violate other laws, such as the Brazilian Civil Code, the Consumer Protection Law, and the Brazilian Civil Rights Framework for the Internet.

It is clear that in practice, the Brazilian Judiciary is already dealing with a significant overlap between data protection and privacy issues with consumer protection and employment law, as well as other issues considered to be in the public interest. To date, however, these types of actions have had mixed outcomes, generating legal uncertainty, and reinforcing the need for clearer standards in the privacy and data protection matters.