ARBITRATION OF DATA PROTECTION DISPUTES

By Antonio Alberto Rondina Cury

Counsel at Wald, Antunes, Vita e Blattner Advogados

Recently, debates on data protection have become more common and more intense in Brazil. Previously developed in more restricted debate circles, the topic grew in importance and exposure with the entry into force of the Brazilian General Data Protection Law (in Portuguese, “Lei Geral de Proteção de Dados” or “LGPD”, Law n. 13709/18).  Thus, data protection left the domains of the academia and IT specialized firms to become part of companies’ everyday life, regardless of their size or business.

There was no other way. With the advance and popularization of technology, the volume of data processing has increased exponentially, as well as the utility of such information – and, consequently, its monetary value. By the words of  Bruno Ricardo Bioni, they became “um ativo na economia da informação” (translated freely into English as “an asset in the information economy”). On the other hand, one cannot dismiss its purely personal and potentially sensitive character, as is the case of ID numbers, income parameters, and medical records – which are given to banks and health insurance providers, for example.

In this background, breaches in data processing have become much more frequent, from the unauthorized sharing of e-mail addresses for their inclusion in advertising mailing lists, to cyberattacks in very extensive databases, such as those from government agencies –  for example, not so long ago, in December 2020, a protection weakeness in the systems of the Brazilian Ministry of Health exposed registration data of 243 million people. Such breaches are not only frequent, but also inevitable; after all, a bulletproof system of protection or control is theoretically inconceivable.

To address this situation, art. 22 of the LGDP provides that the enforcement of data subjects’ rights and interests can “ser exercida em juízo, individual ou coletivamente, na forma do disposto na legislação pertinente, acerca dos instrumentos de tutela individual e coletiva” (translated freely into English as “be sought in courts, individually or collectively, according to the applicable legislation on individual and collective procedural remedies”). It followed the example of Whereas n. 141 of the European General Data Protection Regulation, which assures the right to an “effective judicial remedy”. That article should be read not only as a simple repetition of the right to petition – already guaranteed constitutionally; its purpose is, precisely, to promote broad access to justice, by all jurisdictional means – including arbitration.

Its use, of course, must respect the limits imposed by art. 1 of the Brazilian Arbitration Law, that is, only for patrimonial rights that may be disposed by its holder. This limitation excludes important situations, such as data breaches involving minors (subjective inarbitrability), as well as discussions on criminal liability, or  aspects concerning the supervision and enforcement powers of the national data protection authority (objective inarbitrability). However, inside that legal framework, mainly on disputes regarding material and moral damages arising from the data breach[1], there is, at first, no obstacle to its use.

The advantages of the use of arbitration are clear, such as the higher protection of confidentiality, a speedier resolution, and the judgment by experts on this subject matter (since most lawyers and judges are still not fluent on the theme, as in many other themes related to technology). In contrast, there are great obstacles too: higher costs, which can be a barrier for individuals, the only data subjects protected by the LGPD; and the importance of obligations to do and not to do in this department, which could only be enforced through an arbitral letter, increasing time and costs for the resolution of the dispute.

The use of arbitration, however, implies that the damages arising from a failure in data protection are related to a contract with an arbitration clause. Article 8, paragraph 1, of the LGPD provides that the consent for processing data must be given in writing and that such clause must be highlighted. Therefore, it is possible for the same contract to provide, at the same time, for express consent to data processing and arbitration of disputes arising from such contract, including those related to the data processing. Moreover, there is no obstacle for parties to enter, after the violation, into an arbitration agreement.

In this initial development of the issue in Brazil, three precedents from the United States authorizing arbitration to solve data-related disputes can provide some guidance.

The first one is Shore et al v. Johnson & Bell, decided by the Northern District Court of Illinois. The discussion was centered not on a specific event, but on the possibility of a data breach on a Chicago-based law firm’s client database, once, according to the plaintiffs, the security systems employed by the firm did not meet an adequate standard. The court declared the validity of the arbitration clause inserted in the supply contract signed between the parties, referring them to individual arbitration, with no permission to class arbitration.

The second one is Lamps Plus Inc. v. Varela, about a data breach in the companies’ employee database, exposing sensitive tax information, causing damages to some of them due to a fraudulent federal income tax return. Initially, the Court of Appeals for the Ninth Circuit referred the parties to a class arbitration; the decision, however, was overruled by the Supreme Court of the United States, by a narrow majority, concluding that “a court may not compel class-wide arbitration when an agreement is silent on the availability of such arbitration”.

A third precedent illustrates a potential fault in this rationale[2]. Class action Lyles v. Chegg, Inc was dismissed in April 2020 by the District Court for the District of Maryland. The court declared the validity of the arbitration clause inserted in contracts celebrated between education technology company Chegg and its users – encompassing possible damages caused by a massive data breach in the company’s platform in 2018. Less than a month later, however, more than 15,000 requests for arbitration were filed in the American Arbitration Association. Aside from operational questions for both parties, Chegg was caught in a very delicate situation, when compelled to pay the applicable filing fees (by the AAA Consumer Arbitration Rules, part of the fees is paid by the defendant company): non-refundable US$ 300 for each proceeding, amounting to more than US$ 4.5 million.

The aforementioned precedents demonstrate that it is possible to submit disputes related to damages arising from a data-related contract breach, since they may be characterized as freely transferable property rights. Transposing their conclusion to the Brazilian reality, there is no obstacle to reach the same conclusion, i.e., the arbitrability of this kind of dispute.

Nonetheless, at least for now, these disputes will not have, in Brazil, the same reach they have in the United States, mainly due to the limitations perceived here in arbitration proceedings regarding consumer and labor relations. Despite the recent developments, the use of arbitration in these areas still has limited acceptance in Brazil, which may be an obstacle to the use of arbitration proceedings to solve disputes related to the treatment of consumer and employees’ data.

Withal, the subject is still recent and will certainly raise many intricate questions when faced with its practical application – which, one hopes, will aid the development of arbitration itself, as well as the enforcement of the rights guaranteed by the LGPD.

[1] For example, the first judicial award for damages based on the LGPD (Lawsuit n. 1080233-94.2019.8.26.0100, 13th Civil Court of São Paulo, decision issued on 09.29.2020). The dispute concerns an unauthorized transmission of the plaintiff’s personal data to third parties, unrelated to the contract signed with the defendant company. Despite several subject matters being analyzed by the decision, it relied on the contractual relationship between the parties and the damages arising from the breach of one of its clauses. Although this case was brought to state courts, there was a clear indication of transferable property rights, which could be submitted to an arbitral tribunal. Therefore, this decision demonstrates the arbitrability of the questions at hand.

[2] In Brazil, art. 22 of the LGPD assures access to “individual and collective procedural remedies”. Apart from the discussion on strictly collective disputes (that is, not only multiparty arbitration), and bearing in mind that data protection-related rights are potentially collective or homogeneous individual rights (not natural rights), one may conclude for advantages arising from the use of arbitration in those cases.Among them, for example, procedural efficiency, legal certainty (compared to hundreds of individual proceedings), and the effectiveness of the access to justice.