2026-05-08, by Vinicius Cruz

Courts and Crisis Management: What Data Breaches in São Paulo Teach Us About the LGPD

Why are some companies fined for data breaches while others walk away clean? Understand the difference between presumed and proven damages under the LGPD.

A few years have passed since Brazil's General Data Protection Law (LGPD) came into force, but it was between 2024 and 2026 that the "game" truly changed in the courts. What was once legal uncertainty has turned into an avalanche of lawsuits. Both city governments and large corporations have learned, the hard way, that personal data is a high-risk asset.

But why are some companies ordered to pay heavy damages while others win their cases even after a confirmed breach? The answer lies in the technical distinction between presumed damages and proven damages.

The fine line between "mere annoyance" and a violation of dignity

The Brazilian Judiciary, led by the São Paulo Court of Justice (TJSP), has stopped treating every data breach the same way. Today, the defense or prosecution strategy depends almost entirely on which "bucket" the data belongs to:

  • Registration Data (the "basics"): Name, taxpayer ID (CPF), and address. Courts have settled on the view that exposure of this data, while unpleasant, is part of the inherent risk of digital life. Without proof that the data subject became a victim of actual fraud, the lawsuit rarely succeeds. This is the so-called "abstract risk."

  • Sensitive Data (where the real danger lives): This includes medical records, biometrics, and personal convictions. In these cases, harm is inherent to the exposure itself. The discussion is no longer about financial loss; it is about the violation of intimacy.


Cases that draw the line on whether data exposure caused real harm

For anyone seeking authority on the subject, two cases are essential to understand this balance:

  • The Barueri setback (STJ - AREsp 2,130,611/SP): The municipality saw its conviction upheld by the Superior Court of Justice (STJ) because it leaked health data. The court was emphatic: medical data demands absolute protection. The damage here is in re ipsa (presumed): the victim did not need to prove any concrete loss, because the exposure itself was the harm.

  • Enel's victory in Osasco (Case 1025071-20.2020.8.26.0405): On the other side, in a massive registration data breach, the São Paulo court denied compensation to a customer. The judge ruled that, since there was no proof of unlawful use of the data, the lawsuit was merely an attempt to monetize a technical incident with no practical consequences.

That is exactly where the line is drawn: in both cases the breach was confirmed, but liability turned on the category of data exposed, not on the breach itself.

Risk Management in 2026: Far Beyond Compliance

What the case data show is that the ANPD (Brazilian Data Protection Authority) is no longer companies' only concern. Judicial liability has become the biggest financial nightmare.

Today, data governance is no longer just about avoiding administrative fines; it is about creating an audit trail that can serve as a defense in court. If a company can prove it had encryption and access controls in place at the time of the incident, it dramatically reduces the size of any potential judgment. In the public sector, the challenge is even greater: city governments hold massive volumes of sensitive data (health and education records) but rarely have the security infrastructure of large corporations.

The rise in lawsuits will not slow down. The trend is that individual claims will give way to class actions, where damages are discussed collectively. For anyone handling data, the golden rule is now clear: classify your data before a judge does it for you.


Sources and References

  • Data on case volume: Judicial Statistics Panel (CNJ). General data from courts, covering civil, criminal, consumer, constitutional, and tax law cases.
  • Sensitive Data Case Law: STJ, AREsp 2,130,611/SP (Barueri Case).
  • Common Data Case Law: TJSP, Case 1025071-20.2020.8.26.0405 (Enel/Osasco Case).
  • Regulation and Incidents: ANPD Transparency Reports (gov.br/anpd).
