Facebook found liable for data breaches and consumer rights violations in Brazil

The 29th Civil Chamber of the District State Court of Belo Horizonte found Facebook liable for violating federal statutes, including the Consumer Protection Code, Civil Rights Framework for the Internet, and the General Data Protection Act. Two class actions accused Facebook of data breaches and security lapses, resulting in a penalty of R$20 million and individual compensation of R$5.000,00. The Court rejected certain injunction requests, citing insufficient evidence and overly broad scope.

In mid-July, the 29th Civil Chamber of the District State Court of Belo Horizonte, Minas Gerais, issued a joint ruling in two class actions, both filed by the Instituto Defesa Coletiva. This ruling pertains to two cases against Facebook, which was found liable for violations of federal statutes, including the Consumer Protection Code[1] (CDC), the Civil Rights Framework for the Internet[2], and the General Data Protection Act (LGPD)[3].

Combined, the two class actions accused Facebook of three safety violations. First, it was alleged that Facebook had suffered a data breach resulting in the leakage of user data due to a hacker attack – i.e., the 2018 Facebook data breach. Second, Facebook was accused of illegally allowing data access by third-party apps due to a bug. Third, the ruling also addressed the 2019 WhatsApp spyware attack, which led to snooping of users’ smartphone activity.

As a result of this ruling, Facebook has been ordered to pay compensations for collective non-material damages totaling R$20.000.000,00 (R$10.000.000,00 for each class action). Additionally, each affected user is entitled to receive R$5.000,00 in compensation for individual non-material damages.

Regarding the initial two violations, which were the subject of dispute in the first class action, the Court determined that Facebook had contravened Art. 6º, I and III, CDC, which stipulates the obligation to provide information and mitigate risks associated with the provision of services. In addition, for these same reasons, the Court also found Facebook in contravention of Art. 6º, VII and VIII, LGPD, which enshrines the principles of safety and prevention in data protection as they require the implementation of appropriate technical and organizational security measures. It was determined that the vulnerabilities present within Facebook’s platforms not only facilitated these violations but were also foreseeable due to their intrinsic alignment with Facebook’s business model. Consequently, Facebook is precluded from invoking a defense grounded in “acts of third parties” to absolve itself of liability in this matter.

In the examination of non-material damages, both at the collective and individual levels, the Court assessed the extent of the violation committed by Facebook. The basis for evaluating collective non-material damages rested upon the profound and widespread harm inflicted, impacting not only the platform’s users but also eroding trust in its services. The Court considered pertinent precedents from the Superior Court of Justice (STJ). In particular, the Court referred to the STJ’s established principles for determining collective non-material damages, where such damages are discerned in re ipsa – essentially, they are inferred from the existence of a defect in the service and its direct causation of harm[4]. The Court also took into account the context that emerged last fall when Facebook incurred a fine of R$6.600.000,00, imposed by the National Consumer Secretariat (SENACON) due to its involvement in the Cambridge Analytica scandal. As for individual non-material damages, particular emphasis was placed on the emotional distress resulting from the loss of confidentiality of personal data. In light of these considerations, the Court concluded that both collective and individual harm had been incurred.

However, the Court declined the request for an injunction aimed at halting Facebook’s alleged unauthorized sharing of user data. The decision rested on two grounds: first, no evidence indicated that Facebook had willingly engaged in illegal data sharing, and second, the obligation to safeguard user data is already enshrined in pertinent federal statutes, including the CDC, the LGPD, and the Civil Rights Framework for the Internet. Furthermore, the Court also dismissed the request for an injunction obligating Facebook to conduct an awareness campaign on security measures for data protection, deeming it overly broad in scope.

Concerning the third violation, which has been disputed within the framework of the second class action, analogous reasoning was employed to establish the infringement. This entailed the application of Art. 6º, I and III, CDC, alongside Art. 6º, VII and VIII, LGPD. Like the first class action, it was discovered that vulnerabilities in WhatsApp facilitated and were predictable due to alignment with the business model. Moreover, in the assessment of non-material damages, the in re ipsa doctrine was once again applied to determine the causation of collective harm, with consideration given to SENACON’s fine. Simultaneously, the occurrence of emotional distress resulting from the data breach equally provided the basis to ascertain individual harm. Finally, the Court rejected a request for an injunction that would oblige WhatsApp to create an automatic reinstall feature, as it could impede consumer freedom to opt for alternative applications, thus contravening the principle of consumer self-determination outlined in Art. 2º, II, LGPD. Another injunction request for an awareness campaign was also denied on the grounds of its overly broad scope.

This is a first-instance ruling, accompanied by inherent uncertainties regarding the future. However, this decision takes place within a broader context marked by significant advancements in Brazilian class actions[5]. Most notably, the pivotal 2021 ruling by the Supreme Federal Court (STF) extended nationwide res judicata effect to judgments rendered in class actions. The National Council of Justice (CNJ) has decreed that all Brazilian courts are now required to maintain a public registry for class actions, aiming to enhance the overall management of class actions across the country[6]. Moreover, these advancements are further complemented by a standard-setting ruling from the STJ, which stipulates that affiliation to the claimant association is not required for consumers who benefited from a class action to enforce the respective judgment[7]. In addition to these developments, the enactment of Law n. 14.470/2022 has introduced innovative provisions for class actions related to antitrust damages in Brazil[8]. To be continued.

 

Eduardo Silva de Freitas[9]

[1] Law n. 8.078/1990.

[2] Law n. 12.965/2014.

[3] Law n. 13.709/2018.

[4] STJ, REsp n. 1.610.821/RJ, 26/2/2021.

[5] STF, RE n. 1.101.937, 14/6/2021.

[6] Resolution CNJ n. 339, 8/9/2020.

[7] STJ, REsp n. 1.438.263/SP, 24/5/2021.

[8] Lucas Macedo and I have written more extensively about this here: https://www.lexology.com/library/detail.aspx?g=f13fa643-dfc6-48cf-9bc9-fee60343e23e

[9] PhD candidate at Erasmus University Rotterdam, affiliated with the VICI Project Affordable Access to Justice

Foto Credit: AI Bing Image Creator

tag post :

Leave a Reply

Your email address will not be published. Required fields are marked *