Brazil’s Superior Court Draws a Hard Line on Credit Bureau Data Sharing — What Privacy Professionals Must Understand

For years, the Brazilian credit industry operated on a comfortable assumption: that a legitimate purpose at the point of data collection was sufficient justification for everything that happened to personal data afterward. Sharing identifiable consumer information with third-party consulting firms, market intelligence companies, and downstream analytics platforms was treated as a natural extension of the credit protection legal basis embedded in Brazil’s General Data Protection Law, the Lei Geral de Proteção de Dados (LGPD).

That assumption is no longer tenable.

In a decision that has quickly achieved landmark status, Brazil’s Superior Court of Justice (Superior Tribunal de Justiça — STJ) ruled in REsp 2.201.694/SP that credit protection as a legal basis under the LGPD does not constitute blanket authorisation for credit bureaus to share identifiable consumer registration data with third parties without specific consent. The ruling, handed down in 2025 and now reshaping compliance strategies across the Brazilian credit ecosystem, draws a clear and consequential distinction between what a lawful purpose permits internally and what it authorises externally.

For privacy professionals, data governance leads, and legal counsel operating in or advising organisations connected to Brazil’s credit market, this decision marks a genuine inflection point — not a technical clarification, but a structural shift in how data flows through the credit system must be designed, documented, and governed.

The Facts Behind the Ruling

The case originated with a consumer challenging the conduct of a credit information management company — a credit bureau — that had shared his identifiable registration data with third parties without obtaining his specific consent. The data in question was not negative credit information, such as records of missed payments or defaults. It was registration data: name, taxpayer identification number, address, phone number, and estimated income — the kind of information that defines an individual’s position in the consumer economy and that, in the Brazilian market, had long circulated freely within the credit ecosystem under the shelter of the LGPD’s credit protection provisions.

The consumer’s argument was straightforward. This data was collected for one purpose — credit risk assessment — and shared for other purposes, with other parties, without his knowledge or agreement. The credit bureau’s defence was equally familiar: the LGPD expressly permits the processing of personal data for credit protection purposes without consent, and that legal basis, in the bureau’s view, extended to the full chain of data sharing that credit market operations involve.

The STJ rejected that reading.

The Court’s Core Finding: Purpose Has Boundaries

The majority opinion in REsp 2.201.694/SP turned on a distinction that privacy professionals will recognise immediately, even if its explicit articulation in Brazilian case law is relatively recent: the difference between processing data internally and disclosing it externally.

The court held that the LGPD’s credit protection legal basis — set out in Article 7, X — legitimises the internal use of personal data for risk analysis and credit scoring. It does not, however, automatically authorise the transfer of identifiable registration data to third parties for purposes that extend beyond the immediate credit protection context. Purpose matters not only at the point of collection but at every subsequent stage of the data lifecycle, including every disclosure to a new recipient.

This is a meaningful departure from the market’s prevailing interpretation. The practical consequence is that a data flow which was previously defended on the basis of a single upstream legal basis now requires its own justification at each point of sharing. Where identifiable data is passed to third parties — whether consulting firms, marketing intelligence platforms, or affiliated companies — the organisation disclosing that data must be able to point to a specific, legitimate legal basis for that particular transfer. For most such transfers, the court’s reasoning indicates that specific consent will be required.

Not All Credit Data Is Legally Equal

One of the ruling’s most practically useful contributions is its insistence that the Brazilian credit market acknowledge what privacy professionals have long understood: “credit data” is not a single homogeneous category, and its legal treatment must reflect the meaningful differences between its constituent types.

The court implicitly distinguished between three layers of data that commonly circulate in credit-related contexts:

Credit scores and statistical risk models. A score derived from aggregated variables expresses a probability, not a personal identity. Brazilian case law has long accepted that scoring models may be operated without individual consent (the STJ consolidated this position in Súmula 550), provided that transparency, proportionality, and non-discrimination principles are respected and the data subject can ask which personal information was weighed and from which sources. The LGPD’s credit protection basis is well-suited to this use.

Credit history and payment behaviour. Information about past and present payment conduct is regulated in Brazil primarily through the Cadastro Positivo, the Positive Credit Registry created by Law 12.414/2011, which establishes a specific framework for the inclusion and use of payment history data, along with defined rights for data subjects. This layer operates under its own regulatory architecture, separate from both scoring and registration data.

Identifiable registration data. Name, CPF (taxpayer ID), address, telephone, and estimated income are direct identifiers. They do not describe behaviour or express a probability — they constitute the individual’s identity as a participant in the credit economy. The court’s ruling is most pointed in relation to this category: it is precisely the sharing of this layer of data with third parties that requires specific consent and cannot be justified solely by reference to the credit protection legal basis.

For compliance teams, the takeaway is that data classification is no longer optional in this context. Governance frameworks that treat all credit-related data as a single pool, subject to a single legal basis, are inadequate in light of this ruling.

Presumed Moral Damages: The Litigation Dimension

Beyond its regulatory significance, the STJ’s decision carries a civil liability dimension that fundamentally changes the risk calculus for credit bureaus and the organisations that receive data from them.

The court confirmed that the unlawful sharing of identifiable registration data constitutes a basis for presumed moral damages (dano moral in re ipsa): damages that the affected individual does not need to prove through evidence of financial loss, denial of credit, or other concrete harm. The violation of the individual’s informational self-determination, their right to control how personal data about them circulates, is itself the harm.

The implications of this holding are considerable. Brazil’s credit ecosystem involves millions of data subjects and industrial-scale data sharing. An organisation that has been operating on the assumption that the credit protection legal basis covers all downstream sharing is not facing a single regulatory investigation — it is potentially facing systematic litigation exposure across its entire customer base, without any requirement that individual claimants demonstrate concrete injury.

For privacy professionals advising the board or executive leadership of organisations in this sector, this is the argument most likely to compel immediate action. Administrative sanctions from the Autoridade Nacional de Proteção de Dados (ANPD) were already a known risk. The presumed damages holding adds a direct pathway to mass civil litigation that operates independently of the regulatory enforcement track.

The Dissent and the Economic Counter-Argument

The STJ’s ruling was not unanimous, and the dissenting opinion raises a challenge that organisations and regulators will continue to grapple with as the decision’s consequences unfold.

The dissent’s position is grounded in credit market economics. The quality and breadth of information available for credit risk assessment directly affects the accuracy of risk models, the pricing of credit products, and the accessibility of lending to consumers who have demonstrated good payment behaviour. Restricting data flows — particularly by introducing consent requirements that are practically difficult to operationalise at scale — risks increasing informational asymmetries between lenders and borrowers. In the dissent’s view, the downstream effects of that asymmetry — higher interest rates, tighter lending criteria, reduced credit access — represent a real social cost that the majority’s analysis insufficiently weighs.

This is not a frivolous argument. Credit privacy tensions are not unique to Brazil, and the economic case for broad data availability in risk assessment has been advanced in multiple jurisdictions. The majority’s response, however, was deliberate: confronted with a conflict between economic efficiency and the individual’s right to informational self-determination, the court came down firmly on the side of privacy. The ruling does not pretend that consent requirements carry no cost. It holds that the cost is worth bearing.

Whether the right equilibrium has been struck remains, as the court itself acknowledged, an open question. But for compliance and legal teams, the question is largely academic. The ruling is the law, and operational decisions must be made accordingly.

Priority Actions: Audit Every Data Flow Into and Out of Brazil

The STJ’s decision in REsp 2.201.694/SP does not come with a transitional grace period. Its effects on the legality of existing data sharing arrangements are immediate, and organisations that have not yet assessed their exposure face compounding risk with each passing month. The following are the priority actions for privacy professionals operating in or advising the Brazilian credit market:

Audit all data flows involving identifiable registration data. Map every instance in which your organisation shares — or receives — identifiable consumer registration data with third parties. Identify the legal basis relied upon for each transfer and assess whether that basis survives the court’s reasoning. Flows that were previously justified solely by reference to credit protection will, in many cases, require a different legal footing or must be suspended pending consent collection.

Reassess data sharing agreements. Contracts with third-party recipients of identifiable data should be reviewed in light of the ruling. Representations about lawful processing basis, downstream use restrictions, and liability allocation may all require revision. New agreements should be structured with the STJ’s framework explicitly in mind.

Design a consent architecture that is specific and operationally sustainable. Where consent is the required legal basis, it must meet the LGPD’s standards: a free, informed, and unambiguous manifestation of the data subject’s will (Article 5, XII) that refers to specific purposes, since generic authorisations are void (Article 8, §4). Generic consent bundled into terms of service or privacy policies will not suffice. Organisations need to determine at precisely which point in the consumer journey consent can be collected, how it will be recorded (the LGPD places the burden of proving consent on the controller), and how withdrawal will be managed and honoured throughout the data chain, including at downstream recipients.

Address legacy data. Databases built under the pre-ruling assumption that credit protection authorised broad sharing present a distinct and pressing compliance problem. Organisations must determine whether data collected and shared under that assumption can be legitimised retrospectively — through consent collection or identification of an alternative legal basis — or whether certain datasets must be restricted or deleted.

Elevate privacy by design from principle to practice. The ruling makes clear that privacy by design in the credit context is not primarily about security controls. It is about the architecture of data flows, the clarity of roles between data controllers and processors, and the governance structures that determine when and how identifiable data may move through the credit ecosystem. Technical and operational design decisions must now reflect these legal requirements from the outset.
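The audit, classification, and consent steps above can be expressed as a single check over a data-flow register. The following is an added illustration written for this page, not code from the court, the ANPD, or any credit bureau: it assumes a hypothetical field inventory (which fields count as score, credit history, or registration data), a register of outbound flows, and a consent ledger keyed by subject, recipient, and purpose, all constructed inline. It encodes the ruling's bright line: registration data leaving the organisation needs a specific, unwithdrawn consent record, while internal risk analysis on the credit protection basis passes. Credit-history flows to third parties are only flagged for separate review, since the page places them under the Cadastro Positivo regime rather than under this ruling.

```python
"""Data-flow register check modelled on REsp 2.201.694/SP (illustrative, not legal advice)."""
from dataclasses import dataclass
from enum import Enum


class Layer(Enum):
    SCORE = "score"                    # a probability, not an identity
    CREDIT_HISTORY = "credit_history"  # Cadastro Positivo regime (Law 12.414/2011)
    REGISTRATION = "registration"      # direct identifiers: name, CPF, address, phone, income


class Basis(Enum):
    CREDIT_PROTECTION = "credit_protection"  # LGPD Art. 7, X
    SPECIFIC_CONSENT = "specific_consent"    # LGPD Art. 7, I


# Hypothetical field inventory; in practice this comes from the organisation's data catalogue.
FIELD_LAYER = {
    "risk_score": Layer.SCORE,
    "payment_history": Layer.CREDIT_HISTORY,
    "name": Layer.REGISTRATION,
    "cpf": Layer.REGISTRATION,
    "address": Layer.REGISTRATION,
    "phone": Layer.REGISTRATION,
    "estimated_income": Layer.REGISTRATION,
}


@dataclass(frozen=True)
class Consent:
    subject_id: str
    recipient: str
    purpose: str
    withdrawn: bool = False


@dataclass(frozen=True)
class Flow:
    flow_id: str
    subject_id: str
    recipient: str
    third_party: bool   # False = internal use (risk analysis, scoring)
    fields: tuple
    purpose: str
    basis: Basis


def classify(fields):
    """Map field names to data layers; unknown fields are returned separately."""
    layers, unknown = set(), []
    for name in fields:
        if name in FIELD_LAYER:
            layers.add(FIELD_LAYER[name])
        else:
            unknown.append(name)
    return layers, unknown


def assess(flow, consents):
    """Return findings for one flow; an empty list means the flow passes this check."""
    findings = []
    layers, unknown = classify(flow.fields)
    for name in unknown:
        findings.append(f"{flow.flow_id}: field '{name}' is unclassified; classify before sharing")
    if not flow.third_party:
        return findings  # internal risk analysis: credit protection basis covers it
    if Layer.CREDIT_HISTORY in layers:
        findings.append(f"{flow.flow_id}: payment history to '{flow.recipient}'; review under Cadastro Positivo")
    if Layer.REGISTRATION in layers:
        if flow.basis is not Basis.SPECIFIC_CONSENT:
            findings.append(f"{flow.flow_id}: registration data to '{flow.recipient}' on basis "
                            f"'{flow.basis.value}'; specific consent required")
        else:
            matches = [c for c in consents if (c.subject_id, c.recipient, c.purpose)
                       == (flow.subject_id, flow.recipient, flow.purpose)]
            if not matches:
                findings.append(f"{flow.flow_id}: no consent record for this subject, recipient and purpose; suspend")
            elif any(c.withdrawn for c in matches):
                findings.append(f"{flow.flow_id}: consent withdrawn; suspend and notify '{flow.recipient}'")
    return findings


def audit(flows, consents):
    """Assess every flow in the register and return findings keyed by flow id."""
    return {f.flow_id: assess(f, consents) for f in flows}


# Constructed sample register and consent ledger (not real data).
SAMPLE_CONSENTS = [
    Consent("S1", "marketing-intel-co", "market_intelligence"),
    Consent("S2", "marketing-intel-co", "market_intelligence", withdrawn=True),
]
SAMPLE_FLOWS = [
    Flow("F1", "S1", "internal-scoring", False, ("cpf", "payment_history", "estimated_income"),
         "credit_risk", Basis.CREDIT_PROTECTION),
    Flow("F2", "S1", "consulting-firm", True, ("name", "cpf", "address"),
         "benchmarking", Basis.CREDIT_PROTECTION),        # the pattern the court rejected
    Flow("F3", "S1", "marketing-intel-co", True, ("name", "cpf", "phone"),
         "market_intelligence", Basis.SPECIFIC_CONSENT),   # consent on file
    Flow("F4", "S2", "marketing-intel-co", True, ("name", "cpf", "phone"),
         "market_intelligence", Basis.SPECIFIC_CONSENT),   # consent withdrawn
    Flow("F5", "S1", "analytics-platform", True, ("risk_score",),
         "portfolio_analytics", Basis.CREDIT_PROTECTION),  # score only, no identifiers
]

if __name__ == "__main__":
    for flow_id, findings in audit(SAMPLE_FLOWS, SAMPLE_CONSENTS).items():
        print(flow_id, "OK" if not findings else findings)
```

Run against the constructed register, F1 (internal scoring) and F5 (score only) pass, F3 passes because a matching consent record exists, F2 is flagged because registration data leaves the organisation on the credit protection basis alone, and F4 is flagged because the matching consent has been withdrawn. The consent match is deliberately exact on purpose and recipient: a record for one purpose must not be reused to justify sharing for another, which is the generic-consent problem the ruling and LGPD Article 8, §4 reject.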

Brazil Data Protection After REsp 2.201.694/SP

REsp 2.201.694/SP does not resolve every tension in the relationship between Brazil data protection law and the credit bureau sector — it opens a more rigorous phase of that conversation. The era in which credit protection operated as a universal pass for data sharing is over. What follows requires something more demanding: governance models that can sustain both effective credit risk management and genuine respect for data subjects’ informational rights, simultaneously and by design.

For privacy professionals, that challenge is neither distant nor abstract. It is immediate, operational, and consequential.
