02 de dezembro de 2025
Share
Brazilian Superior Court of Justice’s Fourth Panel Rules that Lack of Consent for Sharing Non-Sensitive Personal Data Does Not Result in Presumed Moral Damages
On 4 November 2025, the Fourth Panel of the Brazilian Superior Court of Justice (STJ) unanimously decided Special Appeal No. 2,221,650/SP, under the rapporteurship of Justice Maria Isabel Gallotti, holding that the mere availability of non-sensitive personal data to credit-consulting entities, without prior notice or consumer consent, does not constitute presumed moral damages (in re ipsa). The decision relied on Articles 7(I) and 7(X) of Law No. 13,709/2018 (LGPD) and Articles 4(III) and 4(IV) of Law No. 12,414/2011 (Positive Credit Registry Act), which restrict how database administrators may process and share personal information.
The case was brought by a consumer against a private credit-information administrator, alleging that his personal data (address, telephone number and estimated income) had been sold without authorization. He sought the erasure of his data and BRL 11,000 in moral damages.
The trial court ordered only the deletion of the data, finding no grounds for civil liability. It held that the alleged disclosure did not expose the consumer to risk, in light of Article 7(X) of the LGPD, which authorizes data processing for credit-protection purposes. The São Paulo Court of Justice reversed and dismissed the action entirely, noting the absence of evidence that the information had been effectively shared with third parties or that any concrete harm had occurred.
In the special appeal, the consumer argued that the decision violated privacy and data-protection rules. He claimed that the sale of his personal information breached Article 21 of the Civil Code, which protects private life and intimacy. He further contended that disclosure without consent contravened Articles 7, 8 and 9 of the LGPD, asserting that personal-data processing requires the data subject’s consent unless expressly authorized by law. He also argued that the Positive Credit Registry Act requires prior notice and specific authorization before any credit-history data can be shared.
He additionally invoked Article 43(1) and (2) of the Consumer Protection Code, which imposes a duty to inform consumers about the existence of databases and establish liability for undue disclosure. On this basis, he argued that the absence of consent constituted a statutory breach and that the exposure of his data should be deemed presumed moral damage, with no need to prove actual harm.
The STJ denied the appeal. It agreed with the state court that there was no evidence the data had been disclosed or that any damage had resulted. Additionally, the reporting Justice noted that the disclosure of third parties’ personal data, by itself, even if unauthorized, does not give rise to a claim for moral damages. The Panel reiterated that Article 7(X) of the LGPD allows data processing for credit protection, but stressed that the Positive Credit Registry Act imposes clear limits: administrators may share identification data and payment records among databases (Art. 4(III)); and may provide to credit-consulting entities only credit scores and, with the data subject’s express authorization, credit-history information (Art. 4(IV)). These rules do not authorize unrestricted dissemination of personal data.
The rapporteur further noted that the legal distinction between “personal data” and “sensitive personal data” is decisive. Sensitive data enjoys heightened protection, whereas ordinary personal data does not give rise to automatic harm. The opinion followed the precedent established in AREsp 2,130,619/SP (a type of interlocutory appeal used to challenge a refusal to process a Special Appeal), which held that leakage or exposure of non-sensitive personal data does not create presumed moral damages and requires concrete proof of harm.
The understanding expressed by the STJ’s Fourth Panel departs from the precedent REsp 2,201,694/SP, dated August 15, 2025, issued by the Court’s Third Panel. In that case, which also concerned the disclosure of personal data on a credit-protection platform, the Court held that the improper disclosure of personal data by database operators to third parties constitutes presumed moral damages (in re ipsa) in favor of the data subject, especially due to the strong sense of insecurity experienced by the individual.
The rapporteur’s opinion and the full judgment are available at: 362283CCBEA3EE_Voto.pdf and F28C85AB9A62E3_Acordao.pdf
Note: For quick release, this English version is provided by automated translation without human review.
