
Judge orders Facebook to compensate 8 million people for data breach.

Judge Douglas de Melo Martins ruled that the platform must pay compensation for moral damages in the amount of R$ 500 to each user, in addition to R$ 72 million for collective moral damages.


Conjur - When fundamental personality rights, which protect privacy, private life, honor, and image, are violated, compensation for moral or material damages must be imposed. With this understanding, Judge Douglas de Melo Martins, of the Court of Diffuse and Collective Interests of the Court of Justice of Maranhão (TJ-MA), ordered Facebook Serviços Online do Brasil Ltda to pay compensation for moral damages in the amount of R$ 500 to each user directly affected by a personal data breach that occurred in 2021. In Brazil, 8,064 million people had sensitive information exposed by the company.

Furthermore, Facebook was ordered to pay R$ 72 million in collective moral damages, with the amount to be allocated to the State Fund for Diffuse Interests.

The ruling partially upheld the requests made in a class action lawsuit filed by the Brazilian Institute for the Defense of Consumer Relations (Ibedec/MA). The organization argued that Facebook violated the legal protection guaranteed to consumers regarding their fundamental rights to privacy, intimacy, honor, and image by indiscriminately leaking personal data such as phone numbers, emails, names, dates of birth, and places of work. 

Personal data gained greater protection after the enactment of Constitutional Amendment 115/2022. The decision also highlighted the norms of the General Data Protection Law (LGPD), which states as fundamental principles respect for privacy and informational self-determination, stipulating that the processing of personal data can only occur with the consent of the data subject.

The judge also cited the Brazilian Internet Bill of Rights, which establishes principles, guarantees, rights, and duties for internet use in Brazil and consumer protection online.

"It is important to point out that data controllers must adopt technical and administrative security measures capable of protecting personal data from unauthorized access and from accidental or unlawful situations of destruction, loss, alteration, communication, or any form of inappropriate or unlawful processing," the judge stated. 

Martins found that Facebook acted in total disregard of Brazilian law by allowing automated tools to extract the data of millions of users from its platforms. It made no difference whether the illicit processing was committed by a third party, since it was Facebook's responsibility to guarantee the protection of its users' personal data.

The judge observed that the amount of compensation for collective moral damages cannot be insignificant, otherwise it will fail to achieve its educational purpose, but it also should not be excessive and disproportionate to the point of becoming unduly burdensome.

"In Brazil, unlike in the United States and Europe, compensation has been awarded in ridiculously low amounts, especially in recent years, largely due to past absurdities where simply returning a check resulted in multimillion-dollar compensation," he cited, recalling a case in which Petrobras was forced to pay a fine of US$853,2 million, an amount that currently equates to R$4,21 billion.

"It should be considered that the data breach affected a significant range of users across the country and that, in cases similar to the one discussed in this lawsuit, the defendant proposed settlements and received multimillion-dollar judgments for the repeated practice of data breaches, as in the 'Cambridge Analytica' case, in which Facebook received a $5 billion fine from the Federal Trade Commission (FTC) for the misuse of personal data of approximately 87 million users," he highlighted. 

The order requiring the company to pay R$ 500 in individual moral damages to the directly affected users must be carried out, once the judgment becomes final, through individual enforcement of the judgment in the jurisdiction where each affected consumer resides.