🔓 Presumed Non-Material Damages in Data Breaches
Does it make sense to treat a data breach as damage in itself?
I must admit that I hesitated to talk about this topic, as I see it as a purely legal matter—and let’s be honest, for a software engineer, the last field I want to step into is law.
However, for anyone working with privacy and data protection, avoiding this discussion is simply impossible.
In re ipsa
Explaining it simply:
Imagine you go to a bank, register your information, and trust that your personal details—such as your name, photo, and address—will be kept secure. Now, picture a scenario where, due to a mistake by the bank, this data ends up publicly exposed on a random website. Even if no one directly misuses this information against you, just the fact that it’s out there already puts you at risk, right?
Well, Brazil's Superior Court of Justice (STJ) [1] ruled that in such cases, individuals do not need to prove a specific financial or emotional loss to claim compensation. The exposure of their data alone is enough to establish what is called "presumed non-material damage", meaning the affected person has the right to compensation simply because their privacy was violated.
This is important because, often, people whose data has been exposed don’t immediately realize the problem, but they may become victims of fraud or identity theft in the future. Previously, to claim compensation, it was necessary to prove that the breach caused concrete harm, such as financial fraud.
Now, the courts recognize that the mere exposure of personal data is already a violation, even if no sensitive data was involved in the breach.
Although I am a strong advocate for privacy and data protection—a field I have worked in for years and which inspired the creation of this blog—I don’t believe this kind of legal interpretation should gain traction. To explain why, let’s look at two cases from jurisdictions where privacy law has a more mature legal framework.
The concept of “presumed moral damages” (non-material damages) in Brazil closely relates to ongoing discussions in Europe [2] about how to compensate victims of data breaches under the GDPR. The key debate there is determining when non-material damages—such as anxiety, stress, or the risk of fraud—should warrant compensation. The Court of Justice of the European Union (CJEU) has ruled that a data breach alone does not automatically entitle someone to compensation, but at the same time, victims do not need to prove direct financial loss. The challenge is that, without clear criteria, different European countries apply these rules inconsistently, leading to legal uncertainty.
In Europe, there is still a divide on how far this protection should go. Some courts require victims to show real emotional distress, while others accept that the mere violation of privacy is enough. This variation highlights how the interpretation of harm from a data breach depends on the legal culture of each country.
For example, take this case [3] from Germany last year: A vaccination center made a mistake and sent an unprotected email to 1,200 recipients, exposing the personal data of 13,000 patients. This email contained sensitive information, including names, addresses, dates of birth, phone numbers, and even details about which vaccine the person was scheduled to receive. As a result, 532 of the affected individuals assigned their claims to a specialized legal entity, which then sued for at least €800 per person, seeking a total of over €425,000 in non-material damages.
The German court accepted that these claims could be transferred and pursued collectively—setting a precedent for something similar to a class action lawsuit. However, the court awarded only €600 in damages for two out of the 532 claims, dismissing the rest because the plaintiffs failed to demonstrate that all victims had actually suffered significant emotional or psychological harm.
Now, coming back to my reasoning. Under most privacy laws, a data breach is not just the high-profile cases where millions of records are exposed after a malicious hacker breaks into a company’s servers. A breach can also occur through any unauthorized use, access, deletion, or sharing of personal data—even if it affects just one person—whenever it goes against the purpose originally expected by the data subject.
In other words, each of the following would count as a data breach under that definition, if I:
Sent an email to the wrong recipient;
Accidentally deleted résumés from a recruitment system;
Added the wrong marketing tag in a CRM tool, causing unwanted emails to be sent;
Changed the physical location of my database to another country.
Not every operational mistake or failure should automatically create a right to compensation. This is because compensable damage, especially non-material damages, depends on legal elements such as the violation of a subjective right, the culpability of the agent, and, in some jurisdictions, the demonstration of actual harm suffered.
Minor, everyday mistakes may represent compliance failures and require corrective measures, but they do not necessarily reach the level of seriousness required to justify non-material damages. If every trivial mistake in data processing were treated as a compensable breach, we would risk diluting the right to compensation, creating an excessive legal burden on companies without delivering meaningful benefits to data subjects.
If everything is a data breach, then nothing is a data breach.
I believe there must be a balance between privacy protection and reasonable application of the right to compensation. On one hand, presuming non-material damages every time a data incident occurs makes it easier for individuals to seek justice. On the other, it risks creating an excess of rights, turning operational mistakes into disproportionate financial liabilities. The concept of non-material damages assumes that the affected person has suffered some form of real distress, even if not a direct financial loss—which is an important factor to weigh in this discussion.
That’s why, in my non-legal perspective, the best approach would be a standard that considers the material impact on the individual, requiring at least some concrete evidence of distress caused by the incident. This would ensure that privacy remains a fundamental right, without turning minor errors or even large but harmless data breaches into automatic grounds for financial compensation.
Ultimately, liability should be reserved for cases where a breach truly compromises the dignity, security, or informational self-determination of the individual, without trivializing the concept of non-material damages. For example, imagine that the leaked data included electronic voting records linked to individual voters. That would clearly be a situation where privacy violations could have severe consequences. Think about it.
[1] REsps 2.133.261/SP and 2.115.461/SP, Minister Nancy Andrighi (reporting justice), 8/10/2024
[2] https://www.loyensloeff.com/insights/news--events/news/legal-framework-on-non-material-damages-under-the-gdpr-a-status-quo/
[3] https://www.cyberlawwatch.com/2024/10/04/higher-regional-court-of-hamm-germany-claims-for-moral-damages-under-art-82-gdpr-are-assignable-german-class-actions-coming/
In some jurisdictions, data subjects don’t even get the right to know about a data breach unless it harms or is likely to harm them, which is ridiculously subjective.
Loved your post. Do you have any link to the Brazilian court ruling?