Summary: Introduction. 1. European paradigm: Facebook case in the CJEU; 2. State of the art in Brazil; 3. Special Appeal N. 1,168,547: recognition of competing Brazilian competence in conflicts over internet jurisdiction; 4. Civil framework of the internet and the Direct Action of Constitutionality n. 51; 5. Law 13,709/2018: adequacy as an assumption of validity for international data transfer. Final considerations. Bibliographic references.
INTRODUCTION
Absolutely everything that we do on the internet is converted into algorithms, which are nothing more than logical, finite, and defined sequences of instructions that must be followed to execute our commands. And these “tasks” that we ask for - from the simplest (like typing any Google search topic into a toolbar) to the most complex (like financial transactions) - are stored, revealing our “digital footprints”. Unlike the “physical” world, where our actions are not always recorded, in the digital world nothing is lost. On the contrary, it is kept. In this world, nothing is past, because there is a continuous present, permanently accessible to our fingers.
In addition, not only has the digital world reduced the temporal dimension to a continuous present, but it has also made the world flat, with no geographical boundaries, because in any country in the world information can be posted, without major controls by nation-states.
It happens, however, that the global network is also a source of potential conflicts, whether in relation to transnational businesses, or because of misinformation, false, hateful or in any other way harmful information to the rights of a citizen. However, when this harmed person intends to judicially protect his rights, he will realize that he is not a citizen of the world, but of a certain national territory. And if the grievance he suffered is illegal in his own country, it may not be in the place where the conduct occurred.
These potential conflicts started to become more and more frequent as our immersion in the digital world grows. The appropriate solution for this type of dispute involves not only national legislative intervention, but mainly international treaties, to avoid that decisions taken by the judiciary of the country where the damage occurred may not be carried out, for example, in the locus where the company is headquartered.
The present essay intends to bring up aspects related to conflicts arising from the ubiquity of the internet, which claim mechanisms of transnationality of the jurisdiction and, consequently, the overcoming of the principle of adherence to the territory as one of the constitutive elements of this concept.
The article presents the paradigm case of the European Court of Justice of 6 October 2015, case C 362/14, in which Maximillian Schrems and Data Protection Commissioner are parties, with the intervener Digital Rights Ireland Ltd.
In the second part, it investigates the state of the art in Brazil, under three dimensions: “Recurso Especial” n. 1,168,547, which recognized the competing Brazilian competence in conflicts over internet jurisdiction; Constitutionality Direct Action n. 51 and the application of the so called Marco Civil da Internet; the adequacy of Law n. 13.709 / 2018 as an assumption of validity for the international transfer of data.
This essay uses, in the approach, the hypothetical-deductive method; in research, the typological and structuralist procedure; the topic-systematic interpretation, using exploratory and explanatory research techniques, substantially documentary (doctrine and case law).
1. EUROPEAN PARADIGM: FACEBOOK CASE IN THE CJEU
The Court of Justice of the European Union, on more than one occasion, ruled on matters of national jurisdiction, in the face of the phenomenon of data transnationality. The first judgment brought together two cases, under the numbers C-509/09 and C-161/103 (known as e-Date Advertising), dealt with the issue of the jurisdiction of the national courts to hear disputes over the violation of personality rights committed over the internet. There was reference, in the trial, to the Shevill case (tried on November 30, 1976), which involved a defamation case broadcasted by the traditional press, but with wide international diffusion. At that time, it was stated that “the attempt made by a defamatory publication to the honor, reputation and consideration of a natural or legal person manifests itself in the places where the publication is disclosed, when the victim is known there”. In the 2010 judgment, it was stated that the term “harmful act” used to establish jurisdiction, contained in article 45, paragraph 3, of Regulation (EC) N. 44, of 2001, in force at the time, should be interpreted as the “center of gravity of the conflict”, where are the interests of the person who suffered the damage to the right to personality, in short, where he is known.
Another case was tried in 2010 (C - 292/10)4, involving the unauthorized publication of photographs, and the judicial body of the victim's home (Holland) was considered competent to judge the case, even though the domain of the site was located in Germany.
A third case of interest to the subject is number C-218/125, relating to a consumer contract, in which the supplier was French, but offered goods (used vehicles) to Germans residing in the border area. Due to a supervening dispute, brought in to provide guidance on the concurrent jurisdiction, the Court of Justice of the European Union decided that although the supplier establishment was located in France, as its activity was directed at German consumers, it was possible to recognize the German courts as competent for the analysis of the case6.
But the most recent case, which we intend to analyze here, because it relates more closely to the subject specifically addressed here, is the judgment of the Court of Justice of the European Union (Grand Chamber), case C 362/14, rendered on 6 October 2015, in which Maximillian Schrems and Data Protection Commissioner are parties, with the intervener Digital Rights Ireland Ltd.
The case stemmed from a complaint lodged by Mr. Maximillian Schrems, an Austrian citizen, in the face of an act by the Data Protection Commission, which refused to investigate a previous complaint lodged by Mr. Schrems regarding the transfer to the United States of America, of the personal data of Facebook Ireland users and their conservation on servers located in that country, directly opposing European Community law7.
Mr. Maximillian appealed to the Irish Supreme Court of Justice, based on the belief that there is no guarantee that his data will be processed according to European Community law standards. He demanded a ban on Facebook Ireland transferring his personal data to the USA.
Facebook Ireland opposed the request, as it was not supported by Decision 2000/52078 of the Council of the European Union on sending data to the USA9.
Mr. Schrems' complaint was admitted by the Irish justice system, forwarded to the Irish Supreme Court of Justice, which, in view of the Lisbon Treaty, referred it to the CJEU, which has the power to interpret European Union law.
The issue related to Articles 25 (6) and 28 of Directive 95/469, in the light of Articles 7, 8 and 47 of the Charter of Fundamental Rights of the European Union. It sought to find out whether the Decision 2000/520 prevents the supervisory authorities of a Member State from examining requests for the protection of the rights and freedoms of an European citizen, related to the processing of personal data concerning him or her and which have been transferred from a Member State to a third country, when claiming that the law and practices in force in the latter do not ensure an adequate level of protection.
The CJEU judgement, recognizing the importance of data traffic for the development of international trade, was based on a seminal premise: to ensure that the State receiving the EU citizens exchanged data had the obligation to give it proper treatment.
On the other hand, even though it is certain that a decision of the European Commission, while not declared invalid by the CJEU, is valid, this fact does not prevent, neither limit, the right of petition and explanation of European citizens, regarding the processing of personal, sensitive or not.
Recognizing that the lack of recourse opportunity and ample and unrestricted access to personal data offends articles 7, 8 and 47 of the Constitution of Fundamental Rights of the European Union, the CJEU declared the invalidity of articles 1, 3 and 11 of Decision 2000/520. And because these provisions are inseparable from the rest of the Decision, it resolved to declare the total invalidity of Decision 2000/520.
It has been stressed that it is essential that States adopt an aligned stance to counter the growing dominance of certain companies that pose a risk to the protection of personal data, as they are present in almost the entire globe. Hence the need to create “effective control organisms and mechanisms that extend beyond their physical borders”10.
Now, we turn our focus to Brazilian situation.
2. STATE OF ART IN BRAZIL
Judicial discussions about the competence of the Brazilian judicial authority to hear cases involving issues of transnationality are still not very frequent.
But they do exist. As the judgment given in Civil Appeal n. 7006800596643, in April 2016, involving the question of the competence of the Brazilian courts to hear a case related to a posting made in Spain, offensive to the honor of a Brazilian woman, domiciled in Brazil, but residing in Italy at the time. In her defense, the defendant - Google Brazil - alleged that the request to exclude the offensive blog from the author violated the principle of territoriality, since the blog was created abroad. The claim was rejected, accepting Brazilian jurisdiction, since art. 88 of 1973 Civil Procedure Code, in force at the time the lawsuit was filed, claimed to be the competent Brazilian authority to prosecute and judge any actions against a defendant domiciled in Brazil, and its paragraph considers domiciled in Brazil a foreign legal entity that has an agency here. In addition, item III, of the same legal disposition, emphasized that the Brazilian judicial authority is competent when the fact has occurred or act has been practiced in Brazil. In that case, involving a defamatory information in the virtual world, there is no way to circumscribe the territorial limit of its repercussion. It was said that the author had a professional domicile in Brazil and here she also performed professional activities, a place where said offenses are harming her social and professional life. Thus, she was certainly protected by Brazilian law, and the case could be heard by the Brazilian courts, as was stated at the time11.
The current Brazilian Civil Procedure Code, in Title II (On the limits of national jurisdiction and international cooperation), Chapter II (On the limits of national jurisdiction), provides for the matter. In articles 21 to 23, it provides for Brazilian concurrent jurisdiction, whereas art. 23 establishes the cases of exclusive jurisdiction of the Brazilian justice. Thus, art. 4, IV, of the LGPD must be interpreted in conjunction with such procedural provisions12.
In the next part of the paper, we will examine three distinct aspects: after examining REsp 1,168,557, which recognized Brazilian competing jurisdiction in internet jurisdictional conflicts, we will examine ADC n. 51, involving artices of the Marco Civil da Internet, concluding with the analysis of aspects of the LGPD, in the part that indicates adequacy as an assumption of validity for the international transfer of data.
3. “RECURSO ESPECIAL” N. 1,168,547: RECOGNITION OF BRAZILIAN CONCURRENCE COMPETENCE IN CONFLICTS OF JURISDICTION INVOLVING THE INTERNET.
Brazilian Superior Court of Justice has a consolidated understanding of the criteria for determining the concurrent competence of the Brazilian judicial authority, in disputes involving the world wide web13. From what can be seen from the reading of REsp 1,168,54714, the parameters that allow to affirm the Brazilian jurisdiction are the following: (a) transnationality of the facts; (b) home of the plaintiff in the Brazilian territory; (c) an act that occurred abroad but was broadcasted over the internet; (d) effects felt in national territory.
In the present case, it was discussed the “possibility of an individual, domiciled in Brazil, to invoke Brazilian jurisdiction, in a case involving a service provision contract containing a forum clause in Spain.” More specifically, the plaintiff, realizing that his image is being used improperly through an electronic website published abroad, although naturally accessible through the world wide web, filed a lawsuit seeking compensation for material and moral damages.
Judging the case, the STJ understood that article 88 of the 1973 Code of Civil Procedure15 admits Brazilian jurisdiction, concurrently with that of another country (company headquarters), in the case of civil damages resulting from international communication, over the internet, as in the case of the offended person is domiciled in Brazilian territory, because “it is in the locality where the injured person resides and works that the negative event will have the greatest repercussion.”
It also stipulated that such a rule of competence prevails even in the face of the election forum set out in the contract, because “the author is domiciled here and here is the place where there was access to the website where the information was conveyed, interpreting it as an act practiced in Brazil, applying to the hypothesis the provisions of article 88, III, of the CPC16“.
The Rapporteur, Justice Luis Felipe Salomão, raised an important question about the nature of cyberspace: whether it is a new place (with an impact on the definition of the concurrent jurisdiction) or a mere mental state resulting from the technological apparatus, to which the user connects. In any case, he added, it certainly is not “a refuge, a free zone, through which everything would be allowed without those actions giving rise to responsibilities.”
In this context, the Rapporteur continues, there is a loosening of the principle of adherence, “making Brazilian justice competent only for reasons of viability and effectiveness of the judicial provision”, in the light of the principle of the inafastability of jurisdiction, which “imposes on the State the obligation to resolve the disputes (...) with a view to achieving social peace “.
This orientation has been maintained, even after the advent of the Marco Civil da Internet17, of the new Civil Procedure Code18, and of the LGPD19, as can be seen from the syllabus of the judgment proferred by the STJ a few months ago:
SPECIAL RESOURCE. INTERNET. JURISDICTION. DIGITAL SOVEREIGNTY. PREQUESTIONING. ABSENCE. NEGATIVE OF JURISDICTIONAL PROVISION. ABSENCE. CIVIL FRAMEWORK OF THE INTERNET. REACH. APPLICATION OF BRAZILIAN LEGISLATION. RELEVANCE OF NATIONAL JURISDICTION. (...)
2. The purpose of the appeal is to determine the legal possibility of compelling a company based in Brazil, whose parent company has the necessary information to identify the authors of an illegal act.
3. In cross-border conflicts on the Internet, the responsible authority must act in a prudent, cautious and self-restrictive manner, recognizing that the territoriality of the jurisdiction remains the rule, the exception of which can only be admitted when, cumulatively, the following criteria are met: (i) strong legal grounds for merit, based on local and international law; (ii) proportionality between the measure and the desired end; and (iii) compliance with the procedures provided for in local and international laws.
4. When the alleged illegal activity has been practiced on the internet, regardless of the jurisdiction provided for in the service provision contract, even if abroad, the Brazilian judicial authority is competent if it is called upon to settle the conflict, as the plaintiff is domiciled here the place where there was access to the website where the information was conveyed, interpreting it as an act practiced in Brazil. Precedents.
5. It is a mistake to imagine that any application hosted outside Brazil cannot be achieved by national jurisdiction or that Brazilian laws are not applicable to its activities.
6. Brazilian law is applied whenever any operation to collect, store, store and process records, personal data or communications by connection providers and internet applications occurs in national territory, even if only one of the communication devices is in Brazil and even if the activities are carried out by a company with headquarters abroad.
7. Special appeal partially known and, in this part, denied.
(REsp 1776418/SP, Rel. Justice NANCY ANDRIGHI, THIRD CLASS, tried on November 3 r, , 2020, DJe November 19, 2020)
In the body of the judgment, the rapporteur highlighted a chapter of the decision20 to address what she titled “Jurisdiction on the internet: digital sovereignty”. She started her reasoning by stating that
One of the biggest challenges facing internet regulation today lies in the compatibility between its cross-border nature and the exercise of digital sovereignty by states, with obvious implications for the exercise of state jurisdiction. This is not just a theoretical debate, since practical conflicts are covered, the resolution and consequences of which can have a major impact on the development of the Internet, on topics ranging from the protection of online rights to the preservation of its fundamental characteristics, such as openness, universality, and decentralization.
The criteria indicated in item 3 of the REsp judgment 1,776,418/SP were inspired by a doctrinal article by Professor Lucas Borges de Carvalho, who elucidates the three criteria as follows: “the first criterion highlights the need that the measure imposed finds expressed support in the current legislation, thus proving to be predictable and compatible with local and international normative parameters “. The proportionality principle “requires that the decision be based on factual and technical data (avoiding abstract assumptions and speculative reasons), in addition to being precise and directed specifically to repair the damage in question.” Finally, “compliance with legal procedures is also an important assumption for guaranteeing the legitimacy and predictability of decisions”21.
We are now going to examine the ADC N. 51.
4. CIVIL FRAMEWORK OF THE INTERNET AND THE “AÇÃO DECLARATÓRIA DE CONSTITUCIONALIDADE” N. 51
The Legislative Diploma in dispute, Act 12.965/2014, inaugurated a paradigmatic change regarding the competence in transnational disputes, as well as the procedure for requesting information by the competent authorities.
Article 11 of Act 12,965/2014 (Marco Civil da Internet - MCI) is peremptory as to Brazilian jurisdiction, in any of the phases of collection, storage, storage and treatment of personal data, when at least one of these acts occurs in national territory22/23.
The Marco Civil da Internet uses the criteria of territoriality (art. 11, caput and § 1) and the effects of the service (art. 11, § 2) for the definition of Brazilian jurisdiction, enabling the judicial authorities to request the information provided for in the article 11, § 3, regardless of international legal cooperation24 (articles 26 and 27, CPC).
Within the scope of relations between Brazil and the United States of America, the Legal Aid Agreement in Criminal Matters (MLAT), signed in Brasilia, on October 14, 1997, was promulgated by Decree n. 3820/2001.
On this topic, it is essential to mention the processing of the “Ação Declaratória de Constitucionalidade” N. 51, in which the Federation of Information Technology Companies Associations - ASSESPRO - requires the declaration of constitutionality of Decree 3.810/200125; of art. 237, item II, of the Civil Procedure Code (Law 13.105/2015); and articles 780 and 783 of the Criminal Procedure Code (Decree-Law 3,689/1941).
The main argument is that there are cases in which data controllers are subject exclusively to foreign legislation and, in the case of the United States of America, to the Stored Communications Act (SCA), which prohibits electronic communications service providers (Electronic Communication Service ECS) or Remote Computing Service (RCS) to make communications content available to foreign authorities. However, there are countless and long-standing requests for the availability of content from Brazilian judicial authorities directly to the controllers, which means noncompliance with the MLAT.
To understand the relevance of the demand, we mention some of the arguments that were presented at the ADC N. 51's public hearing.
The ASSESPRO claimed that the application of Article 11 of the Marco Civil da Internet cannot ignore the sovereignty issues of the States involved.
The Department of Asset Recovery and International Legal Cooperation added that Article 17 MLAT is clear in establishing the reciprocity in the incorporation of national laws. So, conditioning the fulfillment of the order issued under the terms of Article 11, § 3, of the Law N. 12,965/2014, to parameters of the American domestic law, which are prior to the effectiveness of the Marco Civil da Internet, is equivalent to ignoring the latter, subordinating it to the American domestic law. In the same vein, a delegate of the Brazilian Federal Police said that the degree of demand of the so-called Probable Cause - as specified by the Stored Communications Act - would make any request for international legal cooperation unfeasible.
The Attorney-General invoked the provisions of article 12 of the Law of Introduction to the Norms of Brazilian Law - LINDB, and stressed that art. 11 of the Marco Civil da Internet “is in line with general national laws and international norms”, so much so that this same guideline - effects of services - is adopted by art. 18 of Budapest Convention on Cybercrime (in the process of ratification by Brazil); by the General Data Protection Regulation - GDPR, by the Brazilian General Data Protection Law, by the Cloud Act26 and, equally, by the Proposal for Regulation of the European Parliament N. 2018/0108 (Electronic evidence)27.
Certainly, the judgment of the merit of such ADC will bring important guidance to the topic we are analyzing.
It remains to analyze, now, the impact of the General Data Protection Law on the SUBJECT under analysis.
5. ACT 13.709/2018: ADEQUACY AS AN ASSUMPTION OF VALIDITY FOR INTERNATIONAL DATA TRANSFER
In 2018, our first general data protection law was enacted. The new Brazilian law (LGPD - Law 13,709/18, with 65 articles) is the result of a wide public debate (two public consultations and 13 public hearings), initiated in 2010 by the Ministry of Justice, suffering a certain acceleration due to the leakage of information by Edward Snowden, in 2013, showing the vulnerability of everyone, including heads of state. A second acceleration resulted from the approval by the European Union of its GDPR - General Data Protection Regulation29.
Our law was largely inspired by European regulations, although there are important differences between both diplomas, not least because the GDPR is the result of a long history of protection of personal data at European level, with years in force of Directive 95/46 and inclusion of the right to data protection as a fundamental right in the EU Charter of Fundamental Rights. While the GDPR is composed of 173 recitals, which represent interpretive guidelines, and 99 articles, Brazilian law is made up of 65 articles, with no interpretive clue provided by the legislator. Despite the differences, there are also healthy convergences, such as the communion of the principles30 that guide both laws, the ex-ante protection model, and the outstanding role of accountability in both regulatory models31 6.
However, it cannot be imagined that, before the enactment of the LGPD, personal data were not protected in Brazil. On the contrary, previous rules already offered protection to certain data32, although in a fragmented and sectorial way33, as is the case of the Consumer Protection Code (Act n. 8,078/90), Public Archives Act (Act n. 8,159/91), Access to Information Act (Act N. 12,527/2011), Positive Registration Act (Act N. 12,414/2011), Marco Civil de Internet, among others. The importance of LGPD, however, consisted of providing a systematic treatment of the topic34, offering an important principled basis, objectives and clear limits. There are healthy innovations, but also the consolidation of protective ideas that came from the previous period.
Among the main points that are of interest to this study, it is worth mentioning the clear intention of the legislator to guarantee an extraterritorial application, in order to better achieve its objective of protecting the personal data of its citizens. In fact, as will be seen, following the lines of European regulation, the LGPD will have extraterritorial application, that is, the duty to comply with its rules will surpass the geographic limits of the country. Any foreign company that, at least, has a branch in Brazil, or offers services to the national market and collects and processes data on natural persons located in the country will be subject to the new law.
In fact, the LGPD reinforces the legislative framework that favors the understanding of the extraterritoriality of the jurisdiction because of the intrinsic ubiquity of the internet.
Article 3, caput, of the epigraphed Law states that its application “extends to any treatment operation carried out by a natural person or by a legal person under public or private law, regardless of the medium, the country of its headquarters or the country where the data is located.”
The jurisdiction's extraterritoriality, in case, is conditioned to the collection and/or processing of data in the national territory35 or, even if these activities were carried out abroad, which relates to individuals located in the national territory, as is clear from the reading of §1 of the same article, which states that “personal data whose holder is at the time of collection is considered to be collected in the national territory.”
Article 5 of the LGPD deals with the authentic interpretation of the specific terminology contained in the legal standard, as, for instance:
XVI - shared use of data: communication, dissemination, international transfer, interconnection of personal data or shared treatment of personal databases by public bodies and entities in the fulfillment of their legal powers, or between these and private entities, reciprocally, with specific authorization, for one or more treatment modalities allowed by these public entities, or among private entities.
International data transfer is dealt with in chapter V, articles 33 to 36 of Act 13.709/2018, only being allowed, as the European GDPR advocates, when the recipient countries or international organizations “(...) provide a degree of adequate personal data protection”36, when the transfer is necessary for international legal cooperation among public intelligence, investigation, and prosecution bodies, in accordance with the instruments of international law.
The adoption of the geographic model37 reflects the European parameterization in the scope of data protection in Brazil. But there are variants to consider.
Initially, it is considered that each of the items of article 33 of the LGPD contains an independent authorizing circumstance for international data transfer, contrary to what is provided for in article 44 of the GDPR, which establishes a generic guideline, consistent with the guarantee of not compromising the level of protection of personal data provided by the regulation.
In this context, Marques and De Aquino38 maintain that if there was consent (item, VIII, of article 33 of the LGDP39), international data transfer would be possible, regardless of the commitment to the appropriate treatment of the information at the destination, provided for in item I of article 33 of the LGPD.
The question, in our opinion, deserves another approach.
Firstly, it is important to remember that we are faced with the relevant weight of a human and fundamental right to data protection40, a fundamentality that is explicit in European Community law - resulting from Article 8 of the Constitution of Fundamental Rights of the European Union - and implicit in our law - as a result of the dignity of the human person, the free development of personality and privacy41.
Secundus, because, in addition to the fundamental human right42 to data protection, informative self-determination, in its twofold dimension - individual and collective -, fulfills the “fundamental right to guarantee the reliability and integrity of technical-informational systems”43.
Thirdly, because, in the case of international data transfers involving operations with member countries of the European Union, any relativization of the data protection right will not be allowed, according to the general principle established by article 44 of the GDPR44.
Finally, because the statement now criticized does not prevail in the light of the LGPD's topic-systematic interpretation, with immediate repercussion on the transnationality of the jurisdiction.
In fact, article art. 2 of Act 12.709/2018 recommends the fundamentals of the processing of personal data, among them, informative self-determination (item II), consumer protection (item VI) and respect for human rights, the free development of personality, the dignity of human person (item VII). In turn, Article 6 of the LGPD predicts that good faith and the principles it deals with should govern any activity relating to the processing of personal data.
The range of principles envisaged by the LGPD45 intertwines in a movement of continuous and circular reciprocal reinforcement. Accordingly, v. g., the purpose, adequacy, and necessity of processing personal data must act accordingly in the same data processing operation.
In addition, among the rights of the data subject, listed in article 18 of Act 13,709/2018, there is the right to petition to the controller (§1º), including through a consumer protection agency (§8º), which incorporates to LGPD, reinforcing its provisions, the entire protective range of the Consumer Protection Code.
Article 42 et seq. of the LGPD prescribe the parameters of the civil liability of the controller or operator, due to the activity of processing personal data. Article 44 of the same legal diploma asserts that the processing of personal data will be irregular when it fails to comply with the legislation or when it does not provide the security that the data subject can expect, considering the relevant circumstances, including:
I - the way in which it is carried out;
II - the result and the risks that are reasonably expected from it;
III - the techniques for processing personal data available at the time it was carried out.
Single paragraph. The controller or the operator is responsible for the damages resulting from the breach of data security, which, when failing to adopt the security measures provided for in art. 46 of this Law, give cause to the damage.
It is time to finish.
FINAL CONSIDERATIONS
The European Court of Justice (Grand Chamber) paradigm, case C 362/14, of 6 October 2015, previously analyzed, shed light on the problem posed in this essay, especially in view of the great thematic, teleological, and operational relevance between the LGPD and the GDPR.
On the other hand, the STJ went well in recognizing the concurrent Brazilian jurisdiction in conflicts over internet jurisdiction, according to the criteria established in REsp 1,168,547, namely: (a) transnationality of the facts; (b) home of the plaintiff in the Brazilian territory; (c) an act that occurred abroad but was broadcasted over the internet; (d) effects felt on Brazilian soil.
In this context, despite the high complexity of the stir brought up in ADC N. 51, we understand that, dogmatically, the criterion of the effects of data processing, provided for in article 11, § 2, of the Marco Civil da Internet, defines the rule of jurisdiction and not of mere application of Brazilian law to the case. In this step, in parallel with the current International Cooperation Agreements (MLAT) and in the process of accession (Budapest Convention), there is legitimacy in the request for information, pursuant to article 11, § 3, of Law 12.965/2014, in addition to the instruments provided for in articles 27 and 28 of the Civil Procedure Code.
However, with regard to the effectiveness of prescriptive, adjudicatory or enforceable jurisdiction in terms of data protection, there is still a long way to go, because foreign companies that provide services in Brazil or whose effects are felt here, continue to act with stratagems delaying the fulfillment of judicial requests, taking advantage of the fragmentation of regulation and the absence of a binding decision on the subject, which is expected to come to light with the result of ADC N. 51.
Furthermore, there is an indeclinability of the adequacy of the processing of personal data (article 33, I of the LGPD), a sine qua non condition for legitimacy and lawfulness of international transfer, under penalty of strict civil liability of the controllers and operators, under the terms of article 42 of the LPGD .