Brazil sees first lawsuit after introduction of data protection regulations

Real estate firm Cyrela has been ordered to pay compensation after sharing a customer's personal details with partners.

Brazil has seen the conclusion of the first lawsuit where the final ruling was based on the General Data Protection Regulations, which have been introduced in the country last month.

The case involves Cyrela, one of the largest real estate companies in Brazil, and was initiated by a customer who bought property from the firm and successfully demonstrated that he had been harassed by various companies from the Cyrela partner ecosystem, offering services ranging from loans to furniture and architecture services.

As a result, a São Paulo court has ordered the company to pay 10,000 reais (US$ 1,759) in compensation for sharing that particular customer's personal information without authorization. In addition, Cyrela will have to pay 300 reais (US$ 52) for every contact that is shared in the same way. Cyrela could not explain how the customer's details had been forwarded on to these companies.

What is GDPR?

Everything you need to know about the new general data protection regulations

General Data Protection Regulation, or GDPR, is coming. Here's what it means, how it'll impact individuals and businesses.

Read More

In a statement, the company said "it has hired the best professionals available to roll out a far-reaching program to comply with the General Data Protection Regulations, including training for all staff and suppliers."

Brazil's data protection regulations have been sanctioned by president Jair Bolsonaro on September 18, after nearly a month of uncertainty over the actual go-live date of the rules.

The regulations prohibit illicit or abusive processing of personal data from a specific person or a group to support business decisions, public policies, or the performance of a government agency. Sanctions for non-compliance range from warnings to daily fines of up to 50 million reais (USD 9.2 million), in addition to a partial or total suspension of activities related to data processing.

The interpretation of what can be deemed non-compliance with data protection laws is currently down to individual courts. When the regulations were created in 2018, it was decided that an agency would be responsible for enforcing the rules. However, the National Data Protection Authority, which is set to include members from industry, academia and national Internet governance bodies, still needs to be formed.