Internet Ubiquity: Transnationality of Jurisdiction?

DOI: 10.19135/revista.consinter.00014.05

Received/Recebido 30.04.2021 – Approved/Aprovado 28.06.2021

Cíntia Teresinha Burhalde Mua[1]https://orcid.org/0000-0002-3478-1840

Eugênio Facchini Neto[2] – https://orcid.org/0000-0001-9978-886X

Abstract

The objective of this essay is to carry out a comparative study of the conflicts of jurisdiction resulting from litigations in the internet environment, taking as paradigms (1) the case of the European Court of Justice of 6 October 2015, case C 362/14; (2) Special Appeal n. 1,168,547, judged in February 2011, by the Brazilian Superior Court of Justice and (3) Direct Constitutionality Action N. 51, pending before the Supreme Federal Court of Brazil. Furthermore, it studies the adequacy, foreseen in the principiological catalog of Law 13.709/2018 as an assumption of validity for the international transfer of data. The anachronism of adherence to the territory as a criterion for defining jurisdiction, in such cases, is the work hypothesis. This essay uses, in the approach, the hypothetical-deductive method; in research, the typological and structuralist procedure; topic-systematic interpretation using exploratory and explanatory research techniques, instrumentally documentary (bibliographic and jurisprudential).

Keywords: internet; jurisdiction; ubiquity; transnationality.

Resumo

O objetivo deste ensaio é realizar estudo comparado dos conflitos de jurisdição decorrentes de litígios havidos no ambiente da internet, tendo por paradigmas (1) o caso do Tribunal de Justiça Europeu de 6 de outubro de 2015, processo C‑362/14; (2) o Recurso Especial n. 1.168.547, julgado em fevereiro de 2011, pelo Superior Tribunal de Justiça brasileiro e (3) a Ação Direta de Constitucionalidade n. 51, em tramitação perante o Supremo Tribunal Federal do Brasil. Ademais, estuda a adequação, prevista no catálogo principiológico da Lei 13.709/2018 como pressuposto de validade para a transferência internacional de dados. A anacronia da aderência ao território como critério definição da jurisdição, em tais casos, é a hipótese do trabalho. Este ensaio utiliza, na abordagem, o método hipotético-dedutivo; na investigação, o procedimento tipológico e estruturalista; interpretação tópico-sistemática valendo-se das técnicas de pesquisa exploratória e explicativa, instrumentalmente documental (bibliográfica e jurisprudencial).

Palavras-chave: internet; jurisdição; ubiquidade; transnacionalidade.

Summary: Introduction. 1. European paradigm: Facebook case in the CJEU; 2. State of the art in Brazil; 3. Special Appeal N. 1,168,547: recognition of competing Brazilian competence in conflicts over internet jurisdiction; 4. Civil framework of the internet and the Direct Action of Constitutionality n. 51; 5. Law 13,709/2018: adequacy as an assumption of validity for international data transfer. Final considerations. Bibliographic references.

Introduction

Absolutely everything that we do on the internet is converted into algorithms, which are nothing more than logical, finite, and defined sequences of instructions that must be followed to execute our commands. And these “tasks” that we ask for – from the simplest (like typing any Google search topic into a toolbar) to the most complex (like financial transactions) – are stored, revealing our “digital footprints”. Unlike the “physical” world, where our actions are not always recorded, in the digital world nothing is lost. On the contrary, it is kept. In this world, nothing is past, because there is a continuous present, permanently accessible to our fingers.

In addition, not only has the digital world reduced the temporal dimension to a continuous present, but it has also made the world flat, with no geographical boundaries, because in any country in the world information can be posted, without major controls by nation-states .

It happens, however, that the global network is also a source of potential conflicts, whether in relation to transnational businesses, or because of misinformation, false, hateful or in any other way harmful information to the rights of a citizen. However, when this harmed person intends to judicially protect his rights, he will realize that he is not a citizen of the world, but of a certain national territory. And if the grievance he suffered is illegal in his own country, it may not be in the place where the conduct occurred.

These potential conflicts started to become more and more frequent as our immersion in the digital world grows. The appropriate solution for this type of dispute involves not only national legislative intervention, but mainly international treaties, to avoid that decisions taken by the judiciary of the country where the damage occurred may not be carried out, for example, in the locus where the company is headquartered.

The present essay intends to bring up aspects related to conflicts arising from the ubiquity of the internet, which claim mechanisms of transnationality of the jurisdiction and, consequently, the overcoming of the principle of adherence to the territory as one of the constitutive elements of this concept.

The article presents the paradigm case of the European Court of Justice of 6 October 2015, case C 362/14, in which Maximillian Schrems and Data Protection Commissioner are parties, with the intervener Digital Rights Ireland Ltd.

In the second part, it investigates the state of the art in Brazil, under three dimensions: “Recurso Especial” n. 1,168,547, which recognized the competing Brazilian competence in conflicts over internet jurisdiction; Constitutionality Direct Action n. 51 and the application of the so called Marco Civil da Internet; the adequacy of Law n. 13.709 / 2018 as an assumption of validity for the international transfer of data.

This essay uses, in the approach, the hypothetical-deductive method; in research, the typological and structuralist procedure; the topic-systematic interpretation, using exploratory and explanatory research techniques, substantially documentary (doctrine and case law).

1. EUROPEAN PARADIGM: Facebook Case in the CJEU

The Court of Justice of the European Union, on more than one occasion, ruled on matters of national jurisdiction, in the face of the phenomenon of data transnationality. The first judgment brought together two cases, under the numbers C-509/09 and C-161/10[3] (known as e-Date Advertising), dealt with the issue of the jurisdiction of the national courts to hear disputes over the violation of personality rights committed over the internet. There was reference, in the trial, to the Shevill case (tried on November 30, 1976), which involved a defamation case broadcasted by the traditional press, but with wide international diffusion. At that time, it was stated that “the attempt made by a defamatory publication to the honor, reputation and consideration of a natural or legal person manifests itself in the places where the publication is disclosed, when the victim is known there”. In the 2010 judgment, it was stated that the term “harmful act” used to establish jurisdiction, contained in article 45, paragraph 3, of Regulation (EC) N. 44, of 2001, in force at the time, should be interpreted as the “center of gravity of the conflict”, where are the interests of the person who suffered the damage to the right to personality, in short, where he is known.

Another case was tried in 2010 (C – 292/10)[4], involving the unauthorized publication of photographs, and the judicial body of the victim’s home (Holland) was considered competent to judge the case, even though the domain of the site was located in Germany.

A third case of interest to the subject is number C-218/12[5], relating to a consumer contract, in which the supplier was French, but offered goods (used vehicles) to Germans residing in the border area. Due to a supervening dispute, brought in to provide guidance on the concurrent jurisdiction, the Court of Justice of the European Union decided that although the supplier establishment was located in France, as its activity was directed at German consumers, it was possible to recognize the German courts as competent for the analysis of the case[6].

But the most recent case, which we intend to analyze here, because it relates more closely to the subject specifically addressed here, is the judgment of the Court of Justice of the European Union (Grand Chamber), case C 362/14, rendered on 6 October 2015, in which Maximillian Schrems and Data Protection Commissioner are parties, with the intervener Digital Rights Ireland Ltd.

The case stemmed from a complaint lodged by Mr. Maximillian Schrems, an Austrian citizen, in the face of an act by the Data Protection Commission, which refused to investigate a previous complaint lodged by Mr. Schrems regarding the transfer to the United States of America, of the personal data of Facebook Ireland users and their conservation on servers located in that country, directly opposing European Community law[7].

Mr. Maximillian appealed to the Irish Supreme Court of Justice, based on the belief that there is no guarantee that his data will be processed according to European Community law standards. He demanded a ban on Facebook Ireland transferring his personal data to the USA.

Facebook Ireland opposed the request, as it was not supported by Decision 2000/5207[8] of the Council of the European Union on sending data to the USA[9].

Mr. Schrems’ complaint was admitted by the Irish justice system, forwarded to the Irish Supreme Court of Justice, which, in view of the Lisbon Treaty, referred it to the CJEU, which has the power to interpret European Union law.

The issue related to Articles 25 (6) and 28 of Directive 95/469, in the light of Articles 7, 8 and 47 of the Charter of Fundamental Rights of the European Union. It sought to find out whether the Decision 2000/520 prevents the supervisory authorities of a Member State from examining requests for the protection of the rights and freedoms of an European citizen, related to the processing of personal data concerning him or her and which have been transferred from a Member State to a third country, when claiming that the law and practices in force in the latter do not ensure an adequate level of protection.

The CJEU judgement, recognizing the importance of data traffic for the development of international trade, was based on a seminal premise: to ensure that the State receiving the EU citizens exchanged data had the obligation to give it proper treatment.

On the other hand, even though it is certain that a decision of the European Commission, while not declared invalid by the CJEU, is valid, this fact does not prevent, neither limit, the right of petition and explanation of European citizens, regarding the processing of personal, sensitive or not.

Recognizing that the lack of recourse opportunity and ample and unrestricted access to personal data offends articles 7, 8 and 47 of the Constitution of Fundamental Rights of the European Union, the CJEU declared the invalidity of articles 1, 3 and 11 of Decision 2000/520. And because these provisions are inseparable from the rest of the Decision, it resolved to declare the total invalidity of Decision 2000/520.

It has been stressed that it is essential that States adopt an aligned stance to counter the growing dominance of certain companies that pose a risk to the protection of personal data, as they are present in almost the entire globe. Hence the need to create “effective control organisms and mechanisms that extend beyond their physical borders”[10].

Now, we turn our focus to Brazilian situation.

2. STATE OF ART IN BRAZIL

Judicial discussions about the competence of the Brazilian judicial authority to hear cases involving issues of transnationality are still not very frequent.

But they do exist. As the judgment given in Civil Appeal n. 7006800596643, in April 2016, involving the question of the competence of the Brazilian courts to hear a case related to a posting made in Spain, offensive to the honor of a Brazilian woman, domiciled in Brazil, but residing in Italy at the time. In her defense, the defendant – Google Brazil – alleged that the request to exclude the offensive blog from the author violated the principle of territoriality, since the blog was created abroad. The claim was rejected, accepting Brazilian jurisdiction, since art. 88 of 1973 Civil Procedure Code, in force at the time the lawsuit was filed, claimed to be the competent Brazilian authority to prosecute and judge any actions against a defendant domiciled in Brazil, and its paragraph considers domiciled in Brazil a foreign legal entity that has an agency here. In addition, item III, of the same legal disposition, emphasized that the Brazilian judicial authority is competent when the fact has occurred or act has been practiced in Brazil. In that case, involving a defamatory information in the virtual world, there is no way to circumscribe the territorial limit of its repercussion. It was said that the author had a professional domicile in Brazil and here she also performed professional activities, a place where said offenses are harming her social and professional life. Thus, she was certainly protected by Brazilian law, and the case could be heard by the Brazilian courts, as was stated at the time[11].

The current Brazilian Civil Procedure Code, in Title II (On the limits of national jurisdiction and international cooperation), Chapter II (On the limits of national jurisdiction), provides for the matter. In articles 21 to 23, it provides for Brazilian concurrent jurisdiction, whereas art. 23 establishes the cases of exclusive jurisdiction of the Brazilian justice. Thus, art. 4, IV, of the LGPD must be interpreted in conjunction with such procedural provisions[12].

In the next part of the paper, we will examine three distinct aspects: after examining REsp 1,168,557, which recognized Brazilian competing jurisdiction in internet jurisdictional conflicts, we will examine ADC n. 51, involving artices of the Marco Civil da Internet, concluding with the analysis of aspects of the LGPD, in the part that indicates adequacy as an assumption of validity for the international transfer of data.

3. “RECURSO ESPECIAL” N. 1,168,547: recognition of Brazilian concurrence competence in conflicts of jurisdiction involving the internet.

Brazilian Superior Court of Justice has a consolidated understanding of the criteria for determining the concurrent competence of the Brazilian judicial authority, in disputes involving the world wide web[13]. From what can be seen from the reading of REsp 1,168,547[14], the parameters that allow to affirm the Brazilian jurisdiction are the following: (a) transnationality of the facts; (b) home of the plaintiff in the Brazilian territory; (c) an act that occurred abroad but was broadcasted over the internet; (d) effects felt in national territory.

In the present case, it was discussed the “possibility of an individual, domiciled in Brazil, to invoke Brazilian jurisdiction, in a case involving a service provision contract containing a forum clause in Spain.” More specifically, the plaintiff, realizing that his image is being used improperly through an electronic website published abroad, although naturally accessible through the world wide web, filed a lawsuit seeking compensation for material and moral damages.

Judging the case, the STJ understood that article 88 of the 1973 Code of Civil Procedure[15] admits Brazilian jurisdiction, concurrently with that of another country (company headquarters), in the case of civil damages resulting from international communication, over the internet, as in the case of the offended person is domiciled in Brazilian territory, because “it is in the locality where the injured person resides and works that the negative event will have the greatest repercussion.”

It also stipulated that such a rule of competence prevails even in the face of the election forum set out in the contract, because “the author is domiciled here and here is the place where there was access to the website where the information was conveyed, interpreting it as an act practiced in Brazil, applying to the hypothesis the provisions of article 88, III, of the CPC[16]“.

The Rapporteur, Justice Luis Felipe Salomão, raised an important question about the nature of cyberspace: whether it is a new place (with an impact on the definition of the concurrent jurisdiction) or a mere mental state resulting from the technological apparatus, to which the user connects. In any case, he added, it certainly is not “a refuge, a free zone, through which everything would be allowed without those actions giving rise to responsibilities.”

In this context, the Rapporteur continues, there is a loosening of the principle of adherence, “making Brazilian justice competent only for reasons of viability and effectiveness of the judicial provision”, in the light of the principle of the inafastability of jurisdiction, which “imposes on the State the obligation to resolve the disputes (…) with a view to achieving social peace “.

This orientation has been maintained, even after the advent of the Marco Civil da Internet[17], of the new Civil Procedure Code[18], and of the LGPD[19], as can be seen from the syllabus of the judgment proferred by the STJ a few months ago:

SPECIAL RESOURCE. INTERNET. JURISDICTION. DIGITAL SOVEREIGNTY. PREQUESTIONING. ABSENCE. NEGATIVE OF JURISDICTIONAL PROVISION. ABSENCE. CIVIL FRAMEWORK OF THE INTERNET. REACH. APPLICATION OF BRAZILIAN LEGISLATION. RELEVANCE OF NATIONAL JURISDICTION.

(…)

2. The purpose of the appeal is to determine the legal possibility of compelling a company based in Brazil, whose parent company has the necessary information to identify the authors of an illegal act.

3. In cross-border conflicts on the Internet, the responsible authority must act in a prudent, cautious and self-restrictive manner, recognizing that the territoriality of the jurisdiction remains the rule, the exception of which can only be admitted when, cumulatively, the following criteria are met: (i) strong legal grounds for merit, based on local and international law; (ii) proportionality between the measure and the desired end; and (iii) compliance with the procedures provided for in local and international laws.

4. When the alleged illegal activity has been practiced on the internet, regardless of the jurisdiction provided for in the service provision contract, even if abroad, the Brazilian judicial authority is competent if it is called upon to settle the conflict, as the plaintiff is domiciled here the place where there was access to the website where the information was conveyed, interpreting it as an act practiced in Brazil. Precedents.

5. It is a mistake to imagine that any application hosted outside Brazil cannot be achieved by national jurisdiction or that Brazilian laws are not applicable to its activities.

6. Brazilian law is applied whenever any operation to collect, store, store and process records, personal data or communications by connection providers and internet applications occurs in national territory, even if only one of the communication devices is in Brazil and even if the activities are carried out by a company with headquarters abroad.

7. Special appeal partially known and, in this part, denied.

(REsp 1776418/SP, Rel. Justice NANCY ANDRIGHI, THIRD CLASS, tried on November 3r,, 2020, DJe November 19, 2020)

In the body of the judgment, the rapporteur highlighted a chapter of the decision[20] to address what she titled “Jurisdiction on the internet: digital sovereignty”. She started her reasoning by stating that

One of the biggest challenges facing internet regulation today lies in the compatibility between its cross-border nature and the exercise of digital sovereignty by states, with obvious implications for the exercise of state jurisdiction. This is not just a theoretical debate, since practical conflicts are covered, the resolution and consequences of which can have a major impact on the development of the Internet, on topics ranging from the protection of online rights to the preservation of its fundamental characteristics, such as openness, universality, and decentralization.

The criteria indicated in item 3 of the REsp judgment 1,776,418/SP were inspired by a doctrinal article by Professor Lucas Borges de Carvalho, who elucidates the three criteria as follows: “the first criterion highlights the need that the measure imposed finds expressed support in the current legislation, thus proving to be predictable and compatible with local and international normative parameters “. The proportionality principle “requires that the decision be based on factual and technical data (avoiding abstract assumptions and speculative reasons), in addition to being precise and directed specifically to repair the damage in question.” Finally, “compliance with legal procedures is also an important assumption for guaranteeing the legitimacy and predictability of decisions”[21].

We are now going to examine the ADC N. 51.

4. CIVIL FRAMEWORK OF THE INTERNET AND THE “AÇÃO DECLARATÓRIA DE CONSTITUCIONALIDADE” N. 51

The Legislative Diploma in dispute, Act 12.965/2014, inaugurated a paradigmatic change regarding the competence in transnational disputes, as well as the procedure for requesting information by the competent authorities.

Article 11 of Act 12,965/2014 (Marco Civil da Internet – MCI) is peremptory as to Brazilian jurisdiction, in any of the phases of collection, storage, storage and treatment of personal data, when at least one of these acts occurs in national territory[22]/[23].

The Marco Civil da Internet uses the criteria of territoriality (art. 11, caput and § 1) and the effects of the service (art. 11, § 2) for the definition of Brazilian jurisdiction, enabling the judicial authorities to request the information provided for in the article 11, § 3, regardless of international legal cooperation[24] (articles 26 and 27, CPC).

Within the scope of relations between Brazil and the United States of America, the Legal Aid Agreement in Criminal Matters (MLAT), signed in Brasilia, on October 14, 1997, was promulgated by Decree n. 3820/2001.

On this topic, it is essential to mention the processing of the “Ação Declaratória de Constitucionalidade” N. 51, in which the Federation of Information Technology Companies Associations – ASSESPRO – requires the declaration of constitutionality of Decree 3.810/2001[25]; of art. 237, item II, of the Civil Procedure Code (Law 13.105/2015); and articles 780 and 783 of the Criminal Procedure Code (Decree-Law 3,689/1941).

The main argument is that there are cases in which data controllers are subject exclusively to foreign legislation and, in the case of the United States of America, to the Stored Communications Act (SCA), which prohibits electronic communications service providers (Electronic Communication Service ECS) or Remote Computing Service (RCS) to make communications content available to foreign authorities. However, there are countless and long-standing requests for the availability of content from Brazilian judicial authorities directly to the controllers, which means noncompliance with the MLAT.

To understand the relevance of the demand, we mention some of the arguments that were presented at the ADC N. 51’s public hearing.

The ASSESPRO claimed that the application of Article 11 of the Marco Civil da Internet cannot ignore the sovereignty issues of the States involved.

The Department of Asset Recovery and International Legal Cooperation added that Article 17 MLAT is clear in establishing the reciprocity in the incorporation of national laws. So, conditioning the fulfillment of the order issued under the terms of Article 11, § 3, of the Law N. 12,965/2014, to parameters of the American domestic law, which are prior to the effectiveness of the Marco Civil da Internet, is equivalent to ignoring the latter, subordinating it to the American domestic law. In the same vein, a delegate of the Brazilian Federal Police said that the degree of demand of the so-called Probable Cause – as specified by the Stored Communications Act – would make any request for international legal cooperation unfeasible.

The Attorney-General invoked the provisions of article 12 of the Law of Introduction to the Norms of Brazilian Law – LINDB, and stressed that art. 11 of the Marco Civil da Internet “is in line with general national laws and international norms”, so much so that this same guideline – effects of services – is adopted by art. 18 of Budapest Convention on Cybercrime (in the process of ratification by Brazil); by the General Data Protection Regulation – GDPR, by the Brazilian General Data Protection Law, by the Cloud Act[26] and, equally, by the Proposal for Regulation of the European Parliament N. 2018/0108 (Electronic evidence)[27].

Certainly, the judgment of the merit of such ADC will bring important guidance to the topic we are analyzing[28].

It remains to analyze, now, the impact of the General Data Protection Law on the SUBJECT under analysis.

5. ACT 13.709/2018: adequacy as an assumption of validity for international data transfer

In 2018, our first general data protection law was enacted. The new Brazilian law (LGPD – Law 13,709/18, with 65 articles) is the result of a wide public debate (two public consultations and 13 public hearings), initiated in 2010 by the Ministry of Justice, suffering a certain acceleration due to the leakage of information by Edward Snowden, in 2013, showing the vulnerability of everyone, including heads of state. A second acceleration resulted from the approval by the European Union of its GDPR – General Data Protection Regulation[29].

Our law was largely inspired by European regulations, although there are important differences between both diplomas, not least because the GDPR is the result of a long history of protection of personal data at European level, with years in force of Directive 95/46 and inclusion of the right to data protection as a fundamental right in the EU Charter of Fundamental Rights. While the GDPR is composed of 173 recitals, which represent interpretive guidelines, and 99 articles, Brazilian law is made up of 65 articles, with no interpretive clue provided by the legislator. Despite the differences, there are also healthy convergences, such as the communion of the principles[30] that guide both laws, the ex-ante protection model, and the outstanding role of accountability in both regulatory models[31].

However, it cannot be imagined that, before the enactment of the LGPD, personal data were not protected in Brazil. On the contrary, previous rules already offered protection to certain data[32], although in a fragmented and sectorial way[33], as is the case of the Consumer Protection Code (Act n. 8,078/90), Public Archives Act (Act n. 8,159/91), Access to Information Act (Act N. 12,527/2011), Positive Registration Act (Act N. 12,414/2011), Marco Civil de Internet, among others. The importance of LGPD, however, consisted of providing a systematic treatment of the topic[34], offering an important principled basis, objectives and clear limits. There are healthy innovations, but also the consolidation of protective ideas that came from the previous period.

Among the main points that are of interest to this study, it is worth mentioning the clear intention of the legislator to guarantee an extraterritorial application, in order to better achieve its objective of protecting the personal data of its citizens. In fact, as will be seen, following the lines of European regulation, the LGPD will have extraterritorial application, that is, the duty to comply with its rules will surpass the geographic limits of the country. Any foreign company that, at least, has a branch in Brazil, or offers services to the national market and collects and processes data on natural persons located in the country will be subject to the new law.

In fact, the LGPD reinforces the legislative framework that favors the understanding of the extraterritoriality of the jurisdiction because of the intrinsic ubiquity of the internet.

Article 3, caput, of the epigraphed Law states that its application “extends to any treatment operation carried out by a natural person or by a legal person under public or private law, regardless of the medium, the country of its headquarters or the country where the data is located.”

The jurisdiction’s extraterritoriality, in case, is conditioned to the collection and/or processing of data in the national territory[35] or, even if these activities were carried out abroad, which relates to individuals located in the national territory, as is clear from the reading of §1 of the same article, which states that “personal data whose holder is at the time of collection is considered to be collected in the national territory.”

Article 5 of the LGPD deals with the authentic interpretation of the specific terminology contained in the legal standard, as, for instance:

XVI – shared use of data: communication, dissemination, international transfer, interconnection of personal data or shared treatment of personal databases by public bodies and entities in the fulfillment of their legal powers, or between these and private entities, reciprocally, with specific authorization, for one or more treatment modalities allowed by these public entities, or among private entities.

International data transfer is dealt with in chapter V, articles 33 to 36 of Act 13.709/2018, only being allowed, as the European GDPR advocates, when the recipient countries or international organizations “(…) provide a degree of adequate personal data protection” [36], when the transfer is necessary for international legal cooperation among public intelligence, investigation, and prosecution bodies, in accordance with the instruments of international law.

The adoption of the geographic model[37] reflects the European parameterization in the scope of data protection in Brazil. But there are variants to consider.

Initially, it is considered that each of the items of article 33 of the LGPD contains an independent authorizing circumstance for international data transfer, contrary to what is provided for in article 44 of the GDPR, which establishes a generic guideline, consistent with the guarantee of not compromising the level of protection of personal data provided by the regulation.

In this context, Marques and De Aquino[38] maintain that if there was consent (item, VIII, of article 33 of the LGDP[39]), international data transfer would be possible, regardless of the commitment to the appropriate treatment of the information at the destination, provided for in item I of article 33 of the LGPD.

The question, in our opinion, deserves another approach.

Firstly, it is important to remember that we are faced with the relevant weight of a human and fundamental right to data protection[40], a fundamentality that is explicit in European Community law – resulting from Article 8 of the Constitution of Fundamental Rights of the European Union – and implicit in our law – as a result of the dignity of the human person, the free development of personality and privacy[41].

Secundus, because, in addition to the fundamental human right[42] to data protection, informative self-determination, in its twofold dimension – individual and collective –, fulfills the “fundamental right to guarantee the reliability and integrity of technical-informational systems”[43].

Thirdly, because, in the case of international data transfers involving operations with member countries of the European Union, any relativization of the data protection right will not be allowed, according to the general principle established by article 44 of the GDPR[44].

Finally, because the statement now criticized does not prevail in the light of the LGPD’s topic-systematic interpretation, with immediate repercussion on the transnationality of the jurisdiction.

In fact, article art. 2 of Act 12.709/2018 recommends the fundamentals of the processing of personal data, among them, informative self-determination (item II), consumer protection (item VI) and respect for human rights, the free development of personality, the dignity of human person (item VII). In turn, Article 6 of the LGPD predicts that good faith and the principles it deals with should govern any activity relating to the processing of personal data.

The range of principles envisaged by the LGPD[45] intertwines in a movement of continuous and circular reciprocal reinforcement. Accordingly, v. g., the purpose, adequacy, and necessity of processing personal data must act accordingly in the same data processing operation.

In addition, among the rights of the data subject, listed in article 18 of Act 13,709/2018, there is the right to petition to the controller (§1º), including through a consumer protection agency (§8º), which incorporates to LGPD, reinforcing its provisions, the entire protective range of the Consumer Protection Code.

Article 42 et seq. of the LGPD prescribe the parameters of the civil liability of the controller or operator, due to the activity of processing personal data. Article 44 of the same legal diploma asserts that the processing of personal data will be irregular when it fails to comply with the legislation or when it does not provide the security that the data subject can expect, considering the relevant circumstances, including:

I – the way in which it is carried out;

II – the result and the risks that are reasonably expected from it;

III – the techniques for processing personal data available at the time it was carried out.

Single paragraph. The controller or the operator is responsible for the damages resulting from the breach of data security, which, when failing to adopt the security measures provided for in art. 46 of this Law, give cause to the damage.

It is time to finish.

Final considerations

The European Court of Justice (Grand Chamber) paradigm, case C 362/14, of 6 October 2015, previously analyzed, shed light on the problem posed in this essay, especially in view of the great thematic, teleological, and operational relevance between the LGPD and the GDPR.

On the other hand, the STJ went well in recognizing the concurrent Brazilian jurisdiction in conflicts over internet jurisdiction, according to the criteria established in REsp 1,168,547, namely: (a) transnationality of the facts; (b) home of the plaintiff in the Brazilian territory; (c) an act that occurred abroad but was broadcasted over the internet; (d) effects felt on Brazilian soil.

In this context, despite the high complexity of the stir brought up in ADC N. 51, we understand that, dogmatically, the criterion of the effects of data processing, provided for in article 11, § 2, of the Marco Civil da Internet, defines the rule of jurisdiction and not of mere application of Brazilian law to the case. In this step, in parallel with the current International Cooperation Agreements (MLAT) and in the process of accession (Budapest Convention), there is legitimacy in the request for information, pursuant to article 11, § 3, of Law 12.965/2014, in addition to the instruments provided for in articles 27 and 28 of the Civil Procedure Code.

However, with regard to the effectiveness of prescriptive, adjudicatory or enforceable jurisdiction in terms of data protection, there is still a long way to go, because foreign companies that provide services in Brazil or whose effects are felt here, continue to act with stratagems delaying the fulfillment of judicial requests, taking advantage of the fragmentation of regulation and the absence of a binding decision on the subject, which is expected to come to light with the result of ADC N. 51.

Furthermore, there is an indeclinability of the adequacy of the processing of personal data (article 33, I of the LGPD), a sine qua non condition for legitimacy and lawfulness of international transfer, under penalty of strict civil liability of the controllers and operators, under the terms of article 42 of the LPGD .

BIBLIOGRAPHIC REFERENCES

ANASTÁCIO, Kimberly de Aguiar, “Transnacionalidade na rede: introdução à governança da internet e ao net mundial” in BERTINI, Fabrício, POLIDO, Pasquot, DOS ANJOS, Lucas Costa (Org.), Marco civil e governança da internet: diálogos entre o doméstico e o global, Belo Horizonte, 2016, p. 224 to 246, available at <https://irisbh.com.br/wp-content/uploads/2016/09/Marco-Civil-e-Governança-da-Internet-diogos-entre-o-doméstico-eo-global. Pdf>, accessed on 10.03.2020.

ANTUNES, Laila Damascena et al., Jurisdição e conflitos de lei na era digital: quadro político-normativo de regulação na internet, Belo Horizonte, 2017, available at: http://bit.ly/2DUZ2zz>, accessed on 10.02.2020.

BERMAN, Paul Schiff, “The globalization of jurisdiction,” University of Pennsylvania Law Review, p. 311-545, 2002, available at: https://scholarship.law.upenn.edu/cgi/viewcontent.cgi?article=3208&con text=penn_law_review>, accessed on 5.10.2020.

BIAZATTI, Bruno et al, Transferência Internacional de Dados no PL 5276/16, Belo Horizonte, 2017, available athttps://irisbh.com.br/wp-content/uploads/2017/05/Transfer%C3%AAncia-internacional – de-data-in-the-Bill-of-Law-5.2762016.pdf>, accessed on 9/27/2020.

BIAZATTI, Bruno, VILELA, Pedro, Jurisdiction and internet: International Jurisdiction of State Courts and Internet Litigation, Belo Horizonte, 2018, available athttps://irisbh.com.br/wp-content/uploads /2018/02/Jurisdicao – e-internet-Compet% C3% International-Court-of-State-Courts-and-Lit% C3% ADgios-de-Internet.pdf>, accessed on 10/15/2020.

BIONI, Bruno R, MENDES, Laura Schertel, “Regulamento Europeu de Proteção de Dados Pessoais e a lei Geral brasileira de Proteção de Dados: mapeando convergências na direção de um nível de equivalência” in TEPEDINO, Gustavo, FRAZÃO, Ana, OLIVA, Milena Donato (Coord.), Lei Geral de Proteção de Dados – e suas repercussões no Direito brasileiro, 2. ed. São Paulo, Ed. Revista dos Tribunais/Thompson Reuters Brasil, 2020.

BRANDÃO, Luíza Couto Chaves, SILVA, Anna Flávia Moreira, BALDIN, Larissa Ferrassini, “A internet e os limites da competência internacional: perspectivas jurisprudenciais e a superação dos princípios tradicionais” in BERTINI, Fabrício. POLIDO, Pasquot, DOS ANJOS, Lucas Costa, Marco civil e governança da internet: diálogos entre o doméstico e o global, Belo Horizonte, 2016, available at https://irisbh.com.br/wp-content/uploads/2016/09/Marco-Civil-e-Governança-da-Internet-diálogos-entre-o-doméstico-e-o-global.pdf, accessed on 10.03.2020.

CARVALHO, Angelo Gamba Prata de, “Transferência internacional de dados na Lei Geral de Proteção de Dados – Força normativa e efetividade diante do cenário transnacional” in TEPEDINO, Gustavo, FRAZÃO, Ana, OLIVA, Milena Donato (Coord.), Lei Geral de Proteção de Dados – e suas repercussões no Direito Brasileiro, 2. ed., São Paulo, Ed. Revista dos Tribunais/Thompson Reuters Brasil, 2020.

CARVALHO, Lucas Borges de, “Soberania digital: legitimidade e eficácia da aplicação da lei na internet”, Revista Brasileira de Direito, Passo Fundo, v. 14, n. 2, p. 213-235, set. 2018, disponível em https://seer.imed.edu.br/index.php/revistadedireito/article/view/2183, accessed on 24 abr. 2021

COLOMBO, Cristiano; FACCHINI NETO, Eugênio, “Violação dos direitos de personalidade no meio ambiente digital: a influência da jurisprudência europeia na fixação da jurisdição/competência dos tribunais brasileiros”, Civilistica.com, a. 8., n. 1, 2019, p. 1-25.

CUEVA, Ricardo Villas Bôas, “A proteção de dados pessoais na jurisprudência do Superior Tribunal de Justiça” in TEPEDINO, Gustavo, FRAZÃO, Ana, OLIVA, Milena Donato (Coord.). Lei Geral de Proteção de Dados – e suas repercussões no Direito brasileiro, 2. ed., São Paulo, Ed. Revista dos Tribunais/Thompson Reuters Brasil, 2020, p. 83-96

DOLINGER, Jacob, Direito Internacional Privado: parte geral, 8th ed., Rio de Janeiro, Renovar, 2005.

DONEDA, Danilo, “O direito fundamental à proteção de dados pessoais” in MARTINS, Guilherme Magalhães, LONGHI, João Victor Rozatti (Coord.). Direito Digital – Direito Privado e Internet, 3. ed., Current, Revised and expanded, Indaiatuba, Ed. Foco, 2020,

DONEDA, Danilo, “Panorama histórico da proteção de dados pessoais” in MENDES, Laura Schertel, DONEDA, Danilo, SARLET, Ingo Wolfgang, RODRIGUES JR., Otavio Luiz, BIONI, Bruno Ricardo (Coord.), Tratado de proteção de dados pessoais, Rio de Janeiro, Forense, 2021.

FRAJHOF, Isabella Z. and SOMBRA, Thiago Luís, “A transferência internacional de dados pessoais” in MULHOLLAND, Caitlin (Org.), A LGPD e o novo marco normativo no Brasil, Porto Alegre, Archipelago, 2020.

FRAZÃO, Ana, CARVALHO, Angelo G. Prata de, “Os gigantes da internet e a apropriação e exploração de dados pessoais; direitos fundamentais e direito ao esquecimento digital” in VERONESE, Alexandrew et al (Org.), A efetividade do direito em face do poder dos gigantes da internet: diálogos acadêmicos entre o Brasil e a França, Belo Horizonte, Fórum, 2018, v. I.

GEIST, Michael, Is there a there there? Toward greater certainty for internet jurisdiction, available at https://papers.ssrn.com/sol3/papers.cfm?abstract_id=266932, accessed on 9.02.2020.

GONÇALVES, Victor Hugo Pereira, Marco Civil da Internet Comentado, 1ed., São Paulo, Atlas, 2017.

KURTZ, Lahis, CARMO, Paloma, VIEIRA, Victor, Perfil dos litígios envolvendo a internet no Brasil: grupos econômicos e jurisdição, Belo Horizonte, 2019, available at: https://irisbh.com.br/wp-content/uploads/ 2019/01/Profile-of-lit% C3% ADgios-involving-the-internet-in-Brazil-groups-econ% C3% B4micos-e-jurisdi% C3% A7% C3% A3o-IRIS.pdf, accessed on 10.10.2020.

LEONARDI, Marcel, “Transferência internacional de dados pessoais” in TEPEDINO, Gustavo, FRAZÃO, Ana, OLIVA, Milena Donato (Coord.), Lei Geral de Proteção de Dados – e suas repercussões no Direito brasileiro, 2. ed., São Paulo, Ed. Revista dos Tribunais/Thompson Reuters Brasil, 2020.

MARQUES, Mascarenhas Fernanda, DE AQUINO, Theófilo Miguel, “O regime da transferência internacional de dados na LGPD: delineando as opções regulatórias em jogo” in DONEDA, Danilo et al (Coord.), Tratado de Proteção de Dados, Rio de Janeiro, Forense, 2020.

MATOS, Ana Carla Harmatiuk, RUZYK, Carlos Eduardo Pianovski, “Diálogos entre a Lei Geral de Proteção de Dados e a Lei de Acesso à Informação” in TEPEDINO, Gustavo, FRAZÃO, Ana, OLIVA, Milena Donato (Coord.), Lei Geral de Proteção de Dados – e suas repercussões no Direito brasileiro, 2. ed., São Paulo, Ed. Revista dos Tribunais /Thompson Reuters Brasil, 2020.

MENDES, Laura Schertel, RODRIGUES JÚNIOR, Otavio Luiz, FONSECA, Gabriel Campos Soares da. “O Supremo Tribunal Federal e a proteção constitucional dos dados pessoais: rumo a um direito fundamental autônomo” in MENDES, Laura Schertel, DONEDA, Danilo, SARLET, Ingo Wolfgang, RODRIGUES JR., Otavio Luiz, BIONI, Bruno Ricardo (Coord.), Tratado de Proteção de Dados, Rio de Janeiro, Forense, 2021.

MONTEIRO, Renato Leite. “Lei Geral de Proteção de Dados do Brasil: análise contextual detalhada”, Jota, 14.07.2018, available at https://www.jota.info/paywall?redirect_to=//www.jota.info/opiniao-e-analise/colunas/agenda-da-privácia-e-da-protecao – de-data/lgpd-analise-detailed-14072018, accessed on 12/22/2020.

OLIVEIRA, Davi Teófilo Nunes et al, A Internet e suas repercussões sobre a Cooperação Jurídica Internacional: estudo preliminar sobre o tema no Brasil, Belo Horizonte, 2018, available at https://irisbh.com.br/wp-content/uploads/ 2018/11/A-internet-and-its-repercussions% C3% B5es-on-coopera% C3% A7% C3% A3o-jur% C3% ADdica-internacional.pdf, accessed on 10.12.2020.

PEREIRA, Alexandre Dias, “O tribunal competente em casos da Internet”, Revista Jurídica Portucalense, n. 16, 2014, available at: http://hdl.handle.net/11328/1260, accessed on 9/21/2020 .

PEREIRA, Alexandre Libório Dias, Jurisdição na internet segundo o regulamento 44/2001 (e as alternativas extrajudiciais e tecnológicas), available at https://core.ac.uk/download/pdf/43581156.pdf, accessed on 9/15/2020.

_______, “A jurisdição na internet segundo o regulamento 442001”, Bulletin of the Faculty of Law University of Coimbra, v. LXXVII, 2001, available at https://core.ac.uk/download/pdf/43581156.pdf, accessed on 10.10.2020.

_______, “O tribunal competente em casos da Internet segundo o acórdão “eDate Advertising” do Tribunal de Justiça da União Europeia”, Revista Jurídica Portucalense, n. 16/2014, p. 1/21, available at http://repositorio.uportu.pt/xmlui/handle/11328/1260, accessed 9.10.2020.

PIRES, Hindenburgo Francisco, “Estados nacionais, soberania e regulação da internet”, Revista Electrónica de Geografía y Ciencias Sociales, Universidad de Barcelona, v. XVI, n. 418 (63), November 1, 2012, available at http://www.ub.edu/geocrit/sn/sn-418/sn-418-63.htm, accessed on 9/20/2020.

POLIDO, Fabrício Bertini Pasquot et al, Sigilo online, investigações criminais e cooperação internacional: contribuições para a ADC 51/2017, Belo Horizonte, 2018, available at https://irisbh.com.br/wp-content/uploads/2018/ 08/Sigilo-online-investigates% C3% A7% C3% B5es-criminal-e-coopera, accessed on 9/23/2020.

POLIDO, Fabrício Bertini Pasquot, Governança das Redes e o Marco Civil da Internet: Liberdades, Privacidade e Democracia, Belo Horizonte, UFMG, 2015, available at https://irisbh.com.br/wp-conttransference ent/uploads/2016/08/Anais-do-I-Semina% CC% 81rio-sobre-Governanc% CC% A7a-das-Redes-eo-Marco-Civil-da-Internet.pdf, accessed on 09/23/2020.

_______,DA SILVA, Lucas Sávio Oliveira, “Contratos Internacionais Eletrônicos e o Direito Brasileiro: entre a insuficiência normativa doméstica e as soluções globais”, Sequence Magazine, n. 75, p. 157-188, Florianópolis, abr. 2017, available at https://irisbh.com.br/wp-content/uploads/2017/05/38186-168960-1-PB.pdf, accessed on 9/29/2020.

POLIDO, Fabrício, ANJOS, Lucas, BRANDÃO, Luíza (Org.), Anais do III Seminário Governança das Redes (recurso eletrônico): políticas, internet e sociedade, Belo Horizonte, 2018, available at https://irisbh.com.br/wp-content/uploads/2017/09/Anais-do-II-Semin%C3%A1rio-Governan%C3%A7a-das-Redes.pdf, accessed on 10.05.2020.

_______,Governança Global da Internet, Conflito de Leis e Jurisdição, Belo Horizonte, 2018, available at https://irisbh.com.br/wp-content/uploads/2018.06.Governanca_global_da_internet_IRIS.pdf, accessed on 9/21/2020.

_______, “Seminário Governança das Redes e o Marco Civil da Internet” in Governança das Redes e o Marco Civil da Internet: globalização, tecnologias e conectividade, Belo Horizonte, 2017, available at https://irisbh.com.br/wp – content/uploads/2017/09/Anais-do-II-Semin% C3% A1rio-Governan% C3% A7a-das-Redes.pdf, accessed 9/29/2020.

ROQUE, Andre Vasconcelos, BAPTISTA, Bernardo Barreto, ROCHA, Henrique de Moraes Fleury, “A tutela processual dos dados pessoais na LGPD” in TEPEDINO, Gustavo, FRAZÃO, Ana, OLIVA, Milena Donato (Coord.), Lei Geral de Proteção de Dados – e suas repercussões no Direito brasileiro, 2. ed., São Paulo, Ed. Revista dos Tribunais/Thompson Reuters Brasil, 2020.

SARLET, Ingo W., “Fundamentos constitucionais: O direito fundamental à proteção de dados” in DONEDA, Danilo et al (Coord.), Tratado de Proteção de Dados, Rio de Janeiro, Forense, 2020, p. 21/59.

SOLOVE, Daniel J., “Introduction: Privacy Self-Management and the Consent Dilemma”, Harvard Law Review, v. 126 (2013).

SOUSA, Devilson Rocha, ILHA, Jônatas Michels, O julgamento do caso facebook pelo tribunal de justiça da união europeia e sua importância para o avanço na proteção da proteção de dados: uma visão a partir dos direitos fundamentais, available at https://online.unisc.br/acadnet/anais/index.p hp/sidspp/article/view/19595, accessed 09/20/2020.

STEIN, Allan R, “Frontiers of Jurisdiction: From Isolation to Connectedness” University of Chicago Legal, v. 2001, article 11, available: http://chicagounbound.uchicago.edu/uclf/vol2001/iss1/11, accessed on 20.09.2020.

TOMASEVICIUS FILHO, Eduardo, “Marco Civil da Internet: uma lei sem conteúdo normativo”, Estudos Avançados, v. 30, n.86, São Paulo, Jan./Apr. 2016, available at https://www.scielo. br/scielo.php?script=sci_arttext&pid=S0103-40142016000100269, accessed on 9/18/2020.

VERONESE, Alexandre, “Transferências internacionais de dados pessoais: o debate transatlântico norte e sua repercussão na América Latina e no Brasil” in TEPEDINO, Gustavo, FRAZÃO, Ana, OLIVA, Milena Donato (Coord.), Lei Geral de Proteção de Dados – e suas repercussões no Direito brasileiro, 2. ed., São Paulo, Ed. Revista dos Tribunais/Thompson Reuters Brasil, 2020.

VITAL, Danilo. Gilmar, “Pandemia não atenua, mas reforça necessidade de proteção de dados”, CONJUR, May 7, 2020, available at https://www.conjur.com.br/2020-mai-07/pandemia-reforca-necessidade – protecao-data-gilmar, accessed on 12/21/2020.

WILSKE, Stephan, SCHILLER, Teresa, “International Jurisdiction in Cyberspace: Which states may regulate the Internet”, Federal Communications Law Journal, v. 50, p. 117/180, 1997, available at: https://core.ac.uk/download/pdf/232658295.pdf, accessed 9/29/2020.

ZANETI JR, Hermes, RODRIGUES, Marco Antônio, Cooperação Internacional, Salvador, JusPODIVM, 2019.

Notas de Rodapé

[1] Doctoral student in Law at the PUCRS. Master in State Law Institutions (PUCRS, 2006). Specialist in National and International Environmental Law (UFRGS, 2015). Specialist in Civil Procedural Law (PUCRS, 1998). Judge of Law since 1998. Professor and researcher at the ENFAM, author of books and legal articles; cintia.mua@edu.pucrs.br

[2] Doctor in Comparative Law, from Università Degli Studi di Firenze, Master in Civil Law from University of São Paulo’ Law School (1986). Full professor of master’s and doctorate courses in Law at PUCRS. Judge in the Superior Court of Justice of the State of Rio Grande do Sul, Brazil., eugenio.facchini@pucrs.br

[3] Available at <http://euricando/legal-content/PT/TXT/?qid=1490735790332&uri=CELEX:62009CA0509>, accessed 23.04.2021.

[4] Available at <http://euricando/legal-content/PT/TXT/?qid=1490735881940&uri=CELEX:62010CA0292>, accessed on 23.04.2021.

[5] Available at <http://euricando/legal-content/PT/TXT/?qd=1490735937071&uri=CELEX:62012CA0218>, accessed on 23.04.2021.

[6] On these cases, see COLOMBO, Cristiano, FACCHINI NETO, Eugênio, “Violação dos direitos de personalidade no meio ambiente digital: a influência da jurisprudência europeia na fixação da jurisdição/competência dos tribunais brasileiros”, Civilistica.com, a. 8., n. 1, 2019, p. 13/15.

[7] As stated in the judgment: (…)According to the terms of this contract, the personal data of the users of that social network, even if residing in the European Union, would be transferred to servers belonging to Facebook Inc., as already mentioned, with headquarters in the USA, where they would be subject to treatment, either by manual or automated means. Such treatment would include the collection, registration, organization, structuring, conservation, alteration, retrieval, consultation, use, dissemination by transmission, diffusion, comparison, interconnection, limitation, deletion, among others, of all data obtained by the social network. “

[8] As stated in the section: “The decision of the commission, of July 26, 2000, pursuant to Directive 95/46/EC of the European Parliament and of the Council deals with the level of protection ensured by the principles of” safe harbor “and the respective most frequently asked questions issued by the United States Department of Commerce. In short, it seeks to impose limits and minimum conditions for the processing of data when carrying out commercial operations. “

[9] Urges to note that it is stated in the decision that, in 2013, the European Commission sent a Communication to Parliament and the European Council, with the title “Restoring confidence in the flow of data between the European Union and the USA”(…) It should be clarified that the “safe harbor” model – Safe Harbor Agreement – is no longer in effect, having been replaced by Privacy Shield – on these issues, which concern the adequate level of protection for personal data, v. LEONARDI, Marcel, “Transferência internacional de dados pessoais” in TEPEDINO, Gustavo, FRAZÃO, Ana, OLIVA, Milena Donato (Coord.), Lei Geral de Proteção de Dados – e suas repercussões no Direito brasileiro, 2. ed. São Paulo, Ed. Revista dos Tribunais/Thompson Reuters Brasil, 2020, p. 292, as well as VERONESE, Alexandre, “Transferências internacionais de dados pessoais: o debate transatlântico norte e sua repercussão na América Latina e no Brasil” in TEPEDINO, Gustavo; FRAZÃO, Ana, OLIVA, Milena Donato (Coord.), Lei Geral de Proteção de Dados – e suas repercussões no Direito brasileiro, 2. ed. São Paulo, Ed. Revista dos Tribunais/Thompson Reuters Brasil, 2020, p. 697-703.

[10] SOUSA, Devilson Rocha, ILHA, Jônatas Michels, O julgamento do caso Facebook pelo Tribunal de Justiça da União europeia e sua importância para o avanço na proteção da proteção de dados: uma visão a partir dos direitos fundamentais, available at <https://online.unisc.br/acadnet/anais/ index.php/sidspp/article/view/19595>, accessed on 20.09.2020.

[11] For further clarification, part of the official syllabus is reproduced: ACTION FOR INDEMNIFICATION FOR MORAL DAMAGES. GOOGLE BRASIL INTERNET LTDA. CREATION OF DEFAMATORY BLOG ON GOOGLE SPAIN. POSSIBILITY OF CLAIM TO THE BRAZILIAN GOOGLE BRANCH. COMPETENCE OF BRAZILIAN JUSTICE. (…). In the case of defamatory information contained in the virtual world, which knows no borders, there is no way to limit the scope of this information and, consequently, the territorial limit of its repercussion. In this case, the damage had repercussions in Brazil, where the author also has a (professional) domicile. COMPETENCE OF BRAZILIAN JUSTICE affirmed, due to the provisions of art. 88 of CPC/73, applicable to the case. Once the jurisdiction of the motherland is affirmed, it is possible to determine the removal of content from a website created in the Spanish branch of GOOGLE. Less than a month ago, the civil plenary session of the Spanish Supreme Court following the guidance of the emblematic judgment of the Court of Justice of the European Union, in May 2014, affirmed the competence of the Spanish justice for a similar situation. In other words, the understanding was adopted that it is not required that the citizen who has violated his fundamental right due to the improper publication of data on the world wide web, should move his claim against the North American headquarters of GOOGLE or against the national branches of the giant corporation. To understand otherwise would make the protection of fundamental rights extremely expensive and unbearably slow, practically making such protection impossible in practice, which, in order to be efficient, depends on quick solutions. The different national branches of GOOGLE, although they may have different legal personality, evidently integrate the same giant corporation, and maintain easy contacts with each other. As the product they work with knows no borders, being situated in a flat and unlimited world, the potential risk that content posted in one country violates fundamental rights of citizens domiciled in another must be absorbed by the corporation itself. It certainly has agile communication channels among its various national branches, being able to effectively comply with judicial orders for the removal of such content. (…) (Civil Appeal n. 70068005966, Ninth Civil Chamber, Court of Justice of Rio Grande do Sul State, Rapporteur: Des. Eugênio Facchini Neto, Judged on 04/27/2016).

[12] On this systematic interpretation of LGPD in the light of CPC/2015, see ROQUE, Andre Vasconcelos, BAPTISTA, Bernardo Barreto, ROCHA, Henrique de Moraes Fleury, “A tutela processual dos dados pessoais na LGPD” in TEPEDINO, Gustavo, FRAZÃO, Ana, OLIVA, Milena Donato (Coord.), Lei Geral de Proteção de Dados – e suas repercussões no Direito brasileiro, 2. ed. São Paulo, Ed. Revista dos Tribunais/Thompson Reuters Brasil, 2020, p. 739/740.

[13] As noted by DOLINGER, Jacob, Direito Internacional Privado: parte geral, 8th ed., Rio de Janeiro, Renovar, 2005, there is a lack of jurisprudence in this case.

[14] Judged in February 2011; therefore, before the effectiveness of the Marco Civil da Internet (Act n. 12,965/2014).

[15] Corresponding to article 21 of the current CPC.

[16] Equivalent to Article 21, III, 2015 CPC.

[17] Act n. 12,965/2014.

[18] Act n. 13,105/2015.

[19] General Data Protection Act, n. 13,709/2018.

[20] Specifically, n. IV

[21] CARVALHO, Lucas Borges de, “Soberania digital: legitimidade e eficácia da aplicação da lei na internet”, Revista Brasileira de Direito, Passo Fundo, v. 14, n. 2, p. 213-235, set. 2018, available at <https://seer.imed.edu.br/index.php/revistadedireito/article/view/2183>, accessed 24 apr. 2021. The excerpts cited are on p. 232/233.

[22] Article 11, Paragraphs 1 to 3.

[23] Whose sanctions for non-compliance are conveyed by art. 12, verbis: Without prejudice to other civil, criminal or administrative sanctions, violations of the rules provided for in articles 10 and 11 are subject, as the case may be, to the following sanctions, applied in an isolated or cumulative manner.

[24] On the subject, see for all: ZANETI JR, Hermes, RODRIGUES, Marco Antônio, International Cooperation, Salvador, JusPODIVM, 2019.

[25] That promulgated the Agreement on Judicial-Criminal Assistance between the Government of the Federative Republic of Brazil and the Government of the United States of America (Mutual Legal Assistance Treaty), MLAT.

[26] According to the document The Purpose and Impact of the CLOUD Act, available at <https://www.jus tice.gov/dag/page/file/1153436/download>, access: 21.04.2021.

[27] Available at <https://www.europarl.europa.eu/RegData/etudes/BRIE/2021/690522/EPRS_BRI(2021) 690522_EN.pdf>, accessed 21.04.2021.

[28] This type of litigation ends up occurring in all countries, central or peripheral, as can be seen with the arrival in the United States Supreme Court of the United States v. Microsoft Corp. case, in 2017, originated from the United States Court of Appeals for the Second Circuit. The case involved a discussion about the possibility of the American government obtaining access to the content of information stored by the Microsoft branch abroad (Ireland, in this case). The government maintained that the judges could, based on the Stored Communications Act, request, by means of a simple search and seizure order, the delivery of said information, even if stored outside its jurisdiction. The immediate interest of the American government, in that case, was to obtain an exchange copy of e-mails from those investigated for drug trafficking to the United States. In February 2018, the Supreme Court heard the arguments from the parties and amici curiae. However, before announcing its trial – which was impaired – the US Congress approved the Cloud Act, changing the Stored Communications Act, and expressly stipulating that providers would be required to present, when requested, the data existing in their servers, wherever they are stored. There is no doubt that “this modification accentuates the problem of extraterritoriality, ignores any and all treaties that the United States has eventually entered into under other sovereignties over international data transfer and may encourage other countries to adopt the same stance, weakening the protection of privacy and personal data of individuals “ – in these terms, FRAJHOF, Isabella Z. and SOMBRA, Thiago Luís,” A transferência internacional de dados pessoais”in MULHOLLAND, Caitlin (Org.), A LGPD e o novo marco normativo no Brasil, Porto Alegre, Arquipélago, Porto Alegre, Archipelago, 2020, p. 270.

[29] About this topic: DONEDA, Danilo, “Panorama histórico da proteção de dados pessoais” in MENDES, Laura Schertel, DONEDA, Danilo, SARLET, Ingo Wolfgang, RODRIGUES JR., Otavio Luiz, BIONI, Bruno Ricardo (Coord.), Tratado de Proteção de Dados Pessoais, Rio de Janeiro, Forense, 2021, p. 15/18.

[30] BIONI, Bruno R .; MENDES, Laura Schertel, “Regulamento Europeu de Proteção de Dados e a Lei Geral brasileira de Proteção de Dados: mapeando convergências na direção de um nível de equivalência” in TEPEDINO, Gustavo, FRAZÃO, Ana, OLIVA, Milena Donato (Coord.), Lei Geral de Proteção de Dados – e suas repercussões no Direito Brasileiro, 2. ed. São Paulo, Ed. Revista dos Tribunais/Thompson Reuters Brasil, 2020, p. 800. in SOLOVE, Daniel J., Introduction: Privacy Self-Management and the Consent Dilemma, Harvard Law Review, v. 126 (2013), p. 1,882.

[31] BIONI, Bruno R., MENDES, Laura Schertel. “Regulamento Europeu de Proteção de Dados e a Lei Geral brasileira de Proteção de Dados: mapeando convergências na direção de um nível de equivalência” in TEPEDINO, Gustavo, FRAZÃO, Ana, OLIVA, Milena Donato (Coord.), Lei Geral de Proteção de Dados – e suas repercussões no Direito brasileiro, 2. ed., São Paulo, Ed. Revista dos Tribunais/Thompson Reuters Brasil, 2020, p. 797 and 799.

[32] Renato Leite Monteiro says that “the country already had more than 40 rules that directly and indirectly dealt with the protection of privacy and personal data”. “Lei Geral de Proteção de Dados do Brasil: análise contextual detalhada”, Jota, 14.07.2018, available at <https://www.jota.info/paywall?redire ct_to=//www.jota.info/opiniao-e-analise/colunas/data-privacy-and-data-protection-agenda/lgpd-analysis-detailed-14072018>, accessed 12/19/2020.

[33] Without forgetting that the jurisprudence already anticipated some data protection, based on updated interpretations of the legal and constitutional provisions in force. Thus, for example, in the STJ, in 1995, Min. Ruy Rosado, when reporting REsp 22.337-8/RS, already mentioned the principle of informative self-determination. In 2001, when judging REsp 306.570/SP, Min. Eliana Calmon acknowledged that “the taxpayer or the bank account holder has the right to privacy in relation to their personal data”. In 2010, Min. Luiz Felipe Salomão, when reporting REsp 1,168,547/RJ, affirmed the existence of a new concept of privacy. These judgments were selected and commented on by CUEVA, Ricardo Villas Bôas, “A proteção de dados pessoais na jurisprudência do Superior Tribunal de Justiça” in TEPEDINO, Gustavo, FRAZÃO, Ana; OLIVA, Milena Donato (Coord.). Lei Geral de Proteção de Dados – e suas repercussões no Direito brasileiro, 2. ed., São Paulo, Ed. Revista dos Tribunais/Thompson Reuters Brasil, 2020, p. 83-96, p. 86/87.

[34] LGPD will have a transversal, multisectoral (…)”in a manner similar to the European regulation will have extraterritorial application, that is, the duty of conformity will exceed the geographic limits of the country. Any foreign company that, at least, has a branch in Brazil, or offers services to the national market and collects and processes data on natural persons located in the country will be subject to the new law “ – in these terms, MONTEIRO, Renato Leite. “Lei Geral de Proteção de Dados do Brasil: análise contextual detalhada”. Jota, 14.07.2018, available at <https://www.jota.info/paywall?redirect_to=//www.jota.info/opiniao-e-analise/colunas/agenda-da-privácia-e-da-protecao – de-data/lgpd-analysis-detailed-14072018>, accessed on 22.12.2020.

[35] Except for the exception provided for in item IV of art. 4 of Act 13.709/2018.

[36] The normative content of which is specified in article 34 of the LGPD, verbis: The level of data protection of the foreign country or the international body mentioned in item I of the caput of art. 33 of this Act will be evaluated by the national authority, which will take into account: I – the general and sectoral rules of the legislation in force in the country of destination or in the international body; II – the nature of the data; III – observance of the general principles of protection of personal data and rights of the holders provided for in this Law; IV – the adoption of security measures provided for in regulations; V – the existence of judicial and institutional guarantees for the respect of personal data protection rights; and VI – other specific circumstances related to the transfer.

[37] MARQUES, Mascarenhas Fernanda, DE AQUINO, Theófilo Miguel, “O regime da transferência internacional de dados na LGPD: delineando as opções regulatórias em jogo” in MENDES, Laura Schertel et al (Coord.), Tratado de Proteção de Dados, Rio de Janeiro, Forense, 2020, p. 299/318.

[38] ob. cit., p. 309.

[39] Art. 33. (…) VIII – when the holder has provided his specific and highlighted consent for the transfer, with prior information on the international character of the operation, clearly distinguishing it from other purposes;

[40] It is worth mentioning, as SARLET, Ingo W. teaches, that human and fundamental rights are not synonymous. The former finds their seats in international conventions; the second, seat (explicit or implicit) in the constitutional charter of each state. SARLET, Ingo W., “Fundamentos constitucionais: O direito fundamental à proteção de dados” in DONEDA, Danilo et al (Coord.), Tratado de Proteção de Dados, Rio de Janeiro, Forense, 2020, p. 21/59

[41] As SARLET maintains, ob. cit., p. 28/29. In the same sense – from the fundamental right to the protection of personal data, even without express provision in our constitutional charter. In the same sense: DONEDA, Danilo “Direito Digital – Direito Privado e Internet” in MARTINS, Guilherme Magalhães; LONGHI, João Victor Rozatti (Coord.). Direito Digital – Direito Privado e Internet, 3. ed., Current., Revised and expanded, Indaiatuba, Ed. Foco, 2020, p. 44, MENDES, Laura Schertel, RODRIGUES JÚNIOR, Otavio Luiz, FONSECA, Gabriel Campos Soares da. “O Supremo Tribunal Federal e a proteção constitucional dos dados pessoais: rumo a um direito fundamental autônomo” in MENDES, Laura Schertel, DONEDA, Danilo, SARLET, Ingo Wolfgang, RODRIGUES JR., Otavio Luiz, BIONI, Bruno Ricardo (Coord.), Tratado de proteção de dados pessoais, Rio de Janeiro, Forense, 2021, p. 68; as well as FRAZÃO, Ana, CARVALHO, Angelo G. Prata de. “Os gigantes da internet e a apropriação e exploração de dados pessoais; direitos fundamentais e direito ao esquecimento digital “in VERONESE, Alexandrew et al (Org.), A efetividade do direito em face do poder dos gigantes da internet: diálogos acadêmicos entre o Brasil e a França, Belo Horizonte, Fórum, 2018, v. I, p. 310,, and also MATOS, Ana Carla Harmatiuk, RUZYK, Carlos Eduardo Pianovski, “Diálogos entre a Lei Geral de Proteção de Dados e a Lei de Acesso à Informação Diálogos entre a Lei Geral de Proteção de Dados e a Lei de Acesso à Informação” in TEPEDINO, Gustavo, FRAZÃO, Ana, OLIVA, Milena Donato (Coord. ), Lei Geral de Proteção de Dados – e suas repercussões no Direito brasileiro, 2. ed., São Paulo, Ed. Revista dos Tribunais/Thompson Reuters Brasil, 2020, p. 196 and 197. This view has also found an echo in the jurisprudence, including that of the STF, as can be seen from the paradigmatic judgments of May 6 and 7, 2020, involving Provisional Measure n. 954/2020, Min. Gilmar Mendes (ADI 6.389) in VITAL, Danilo. “Pandemia não atenua, mas reforça necessidade de proteção de dados”, CONJUR, May 7, 2020, available at <https://www.conjur.com.br/2020-mai-07/pandemia-reforca-necessidade-protecao – data-gilmar>, accessed on 21/12.2020.

[42] According to “(…) the guidance adopted by the UN Commission on Human Rights, interpreting the scope of article 17 of the International Covenant on Civil and Political Rights (…)” SARLET, ob. cit., p. 28.

[43] SARLET, ob. cit., p. 33/4

[44] Article 44. However, the concern of experts regarding the effectiveness of Brazilian regulations cannot be underestimated, since it is verified that “the European continent articulates as a whole to guarantee the health of its data protection regulation with respect to cross-border flows, including signing agreements with the United States for the effective safeguarding of European citizens’ data, while the Brazilian diploma comes to light without any hint of preliminary arrangements to guarantee the effectiveness of Brazilian law “ – in these terms, CARVALHO, Angelo Gamba Prata de, “Transferência internacional de dados na Lei Geral de Proteção de Dados – Força normativa e efetividade diante do cenário transnacional” in TEPEDINO, Gustavo, FRAZÃO, Ana, OLIVA, Milena Donato (Coord.), Lei Geral de Proteção de Dados – e suas repercussões no Direito brasileiro, 2. ed., São Paulo, Ed. Revista dos Tribunais/Thompson Reuters Brasil, 2020, p. 632.

[45] Article 6o, I to X.