Brazilian Superior Court of Justice recognizes as abusive the contractual clause that requires credit card customer to provide personal data to third parties



In a Public Class Action filed by the National Association of Citizenship and Consumer Defense (ANADEC) against Bank HSBC, the Superior Court of Justice unanimously recognized that a standard form contract clause requiring the customer to authorize the provision of his/her personal data and financial transactions to other companies is abusive and violates the principles of transparency and trust in consumer relations.

That was also the understanding of the Lower Court, which sentenced HSBC to delete the clause considered abusive from its contracts and prohibited the bank from inserting similar mandatory provisions. The Appeal Court of São Paulo upheld the decision.

In the Special Appeal, HSBC claimed that its standard form contracts require authorization only for delivering non-confidential data, which would therefore not constitute a violation of the consumer’s privacy.

According to the Reporting Judge, Minister Luis Felipe Salomão, “it is fully acceptable that the financial institution may require knowledge of certain consumer data in order to provide, inter alia, service programming and analysis of costs and risks. On the other hand, the need to transfer data received from the consumer to other institutions is not justified for the viability of its services, regardless of whether those are credit protection companies”.

The Reporting Judge also highlighted the impacts of sharing personal consumer data without consent: “from the data exposure of your financial life, a big gap opens for various forms of meddling into the consumer’s life, knowledge of his/her habits, monitoring his/her way of life, and how his/her money is spent. That’s the reason for the quintessential need for the real and spontaneous consent arising from this exposure”.

As such, it was recognized that the conduct of the Bank aggravates the consumer’s vulnerability vis-à-vis the different suppliers of products and services, since the consumer cannot freely choose whether to share his/her personal data with third parties.

The Reporting Judge’s vote was based on Article 6, Section IV, of the Consumer Protection Code, which provides for the basic consumer right to protection against unfair terms, as well as on Ordinance 05/2002 of the Economic Law Office of the Ministry of Justice, which extends the (non-exhaustive) list of unfair terms contained in Article 51 of the Consumer Protection Code, including the prohibition of a standard terms contract preventing the consumer from expressing his/her opposition to the transfer to third parties, onerous or not, of the data provided to the supplier.

It is worth noting that this case does not prevent financial institutions from sending customer data to credit protection entities, such as SPC and Serasa, since, in accordance with Supplementary Law 105/2001 (the Bank Secrecy Act), the sharing of databases of non-compliant debtors with credit protection entities does not constitute a breach of bank secrecy.