Brazil’s Superior Court of Justice Tightens Rules on Credit-Data Sharing: Consent Required for Identifiable Consumer Information

Privacy, compliance, and credit-risk professionals in Brazil have received important clarity on how far the “credit protection” legal basis under the LGPD can stretch. In a landmark decision issued on 25 March 2026, Brazil’s Superior Court of Justice (STJ) ruled in the case REsp 2.201.694/SP that credit protection justifies internal risk analysis but does not automatically allow credit bureaus to share identifiable consumer data with third parties without specific consent.

The case involved a consumer who challenged a credit bureau’s practice of sharing his name, CPF (taxpayer ID), address, phone number, and estimated income with external partners without his permission. The bureau argued that the LGPD’s credit protection provision provided broad authorization for such sharing. The STJ majority rejected that broad interpretation, drawing a clear boundary between internal processing and external data transfers.

Not All Credit Data Carries the Same Legal Weight

The ruling stands out for its clear distinction between different types of credit-related information. The court emphasized that not all “credit data” is legally equivalent, forcing the market to move away from treating everything under one umbrella.

– Credit scoring: Statistical models that generate risk probabilities can generally be used without consent, as long as principles of transparency, proportionality, and non-discrimination are respected.
– Credit history: Information from the Positive Credit Registry, which already operates under specific rules allowing automatic inclusion while protecting data subject rights.
– Identifiable registration data: This includes name, CPF, address, contact details, and estimated income. These elements directly identify the individual and cannot be shared with third parties based solely on the credit protection legal basis.

The STJ made it clear that treating these categories interchangeably is no longer acceptable under the LGPD.

Credit Protection Is a Valid Basis — But Not a Blank Check

The decision does not eliminate the credit protection legal basis under the LGPD. Organizations can still rely on it for internal activities such as building risk models, fraud detection, and portfolio management. However, the court ruled that this basis does not extend to sharing identifiable personal data with third parties like consulting firms or market intelligence companies.

Purpose, context, and scope matter. A legitimate purpose at the point of collection does not automatically justify downstream sharing. This represents a significant shift for many business models that previously assumed broad data circulation was permitted once the initial purpose was established.

Presumed Moral Damages Increase Litigation Risk

One of the most practical impacts of the ruling is the confirmation that unauthorized sharing of identifiable registration data gives rise to presumed moral damages. Data subjects do not need to prove financial loss or specific harm — the violation of their informational self-determination is enough to establish liability.

This lowers the threshold for civil lawsuits and opens the door to larger-scale litigation alongside potential administrative sanctions from the ANPD. Privacy teams should update their risk assessments accordingly.

Dissenting Opinion Highlights Economic Concerns

The decision was not unanimous. Dissenting justices warned that stricter consent requirements could reduce the quality and volume of available credit information. This, they argued, might lead to greater uncertainty for lenders, resulting in higher interest rates, stricter approval criteria, and reduced access to credit — even for responsible borrowers.

The majority acknowledged this tension but prioritized informational self-determination over unrestricted data flows in the credit market.

Practical Steps for Privacy and Credit Professionals

Organizations operating in Brazil’s credit ecosystem should act promptly to align with the ruling. Recommended actions include:

– Mapping all external data flows involving identifiable consumer registration data and verifying the legal basis for each transfer.
– Reviewing and strengthening consent mechanisms to ensure they are specific, granular, and properly documented.
– Updating vendor contracts and data processing agreements to remove assumptions of automatic sharing rights.
– Assessing legacy databases and shared datasets built under previous interpretations to determine necessary remediation steps.
– Incorporating privacy-by-design principles into system architecture and product development processes.
– Revising internal policies, risk registers, and insurance coverage to address the increased litigation exposure from presumed moral damages.

The ruling reinforces that effective privacy governance in the credit sector requires more than formal compliance checklists. It demands thoughtful process design, clear accountability between parties, and careful management of data circulation over time.

A Turning Point for Credit and Data Protection in Brazil

While the STJ decision does not end all debate on data sharing in the credit market, it marks a more mature phase in the application of the LGPD. It signals the end of treating credit protection as a universal justification for sharing identifiable personal data without consent.

For privacy professionals, credit bureaus, lenders, and data governance teams, the challenge ahead is to build systems that can responsibly balance effective credit risk management with genuine respect for informational self-determination. Those who proactively adapt their practices and architecture will be best positioned for the evolving regulatory landscape.
