OBJECTIVE CIVIL LIABILITY OF DIGITAL PLATFORMS FOR PERSONAL DATA BREACHES IN LIGHT OF THE GENERAL DATA PROTECTION LAW (LGPD): FOUNDATIONS, LIMITS AND INFORMATION SECURITY MEASURES

Abstract

This article investigates how the General Personal Data Protection Law (LGPD – Law No. 13.709/2018) grounds the strict civil liability of digital platforms in cases of data breaches, as well as the limits of this obligation in the face of information security requirements and the actions of third parties. The growing digitalization has transformed personal data into a high-value economic asset, driving massive collection by internet platforms and social networks. Given the inherent risks, the research was developed through a qualitative bibliographic review, with systematic analysis of the legislation and the doctrine of Batistella (2025), Silva (2025), Fortes (2026), Constantino et al. (2025), and Carvalho Júnior and Rezende (2024). The study addresses data protection as a fundamental right and a dimension of informational self-determination. The main results indicate that Article 42 of the LGPD, combined with the risk-benefit theory (Civil Code, Article 927) and the Consumer Defense Code, consolidates the strict liability of platforms, dispensing with proof of fault and requiring only the causal nexus and damage. It is demonstrated that incidents resulting from cyberattacks (hackers) generally constitute internal fortuitous events, not breaking the causal nexus when technical negligence or the absence of the "state of the art" in cybersecurity is evidenced (Articles 46 and 47). It is concluded that the LGPD acts as a tool for digital accountability, requiring alignment with STJ Theme 1.199/DF (2025) to balance technological innovation with the preservation of the dignity and informational sovereignty of the data subject.