marco civil consultation extraterritoriality


Upload: marco-bassini

Post on 11-Nov-2015


  • Nicolo Zingales – Consulta MCI (30/04/2015)

    Extraterritorial reach of the Marco Civil: A guide to the interpretation of article 11's key criteria

    Introduction

    Article 11 of the Marco Civil defines the scope of the obligations set forth by Brazilian law with regard to the processing of personal or communications data: "In any process of collection, storage, retention and treating of personal data or communications data by connection providers and Internet applications providers where at least one of these acts occurs in the national territory, Brazilian law must be made mandatorily respected, including with regard to the rights to privacy, the protection of personal data, and the secrecy of private communications and logs."

    One of the key questions regarding the implementation of the Marco Civil is under what circumstances this provision is applicable to undertakings operating outside of the Brazilian territory. Article 11.1 qualifies a condition for the application of the law in two different cases, the collection of data and the retention or treating of communication data. "1st. The provisions aforementioned apply to data collected in national territory and to the content of communications, in which at least one of the terminals is located in Brazil."

    Further, article 11.2 clarifies the extent to which these scenarios would cover the case of undertakings that do not have a base or establishment in Brazil: "2nd. The provisions aforementioned apply even if the activities are carried out by a legal person located abroad, provided that it offers services to the Brazilian public or that at least one member of the same economic group is established in Brazil."[1]

    As a result, in order to be caught by the prescriptions of article 11 an undertaking operating abroad should either: (1) be based or established in Brazil, or belong to an economic group which features a member with its base or establishment in Brazil; or (2) offer services to the Brazilian public, and (2b) collect data in Brazil or communicate content relying on the utilization of at least one terminal located on Brazilian soil.

    [1] Emphasis added


    Since the concept of terminal is well defined in the Marco Civil[2], the key questions that remain to be answered are (1) what is considered a basis or establishment in the country; (2) when should a service be deemed as offered to the Brazilian public; (3) when data is collected in Brazil; and (4) what type of communication of content triggers Brazilian jurisdiction. The present contribution will illustrate how the words in question should be interpreted to ensure conformity with general principles of jurisdiction in international law[3], and how proposed changes to the framework for data protection in the European Union are testament to the evolution of a mature understanding of extraterritorial jurisdiction on the Internet.

    1. General principles of international law

    The notion of jurisdiction (from Latin juris dicere) may be understood as the power or authority of a State to choose the law applicable to a particular set of facts. It has three different manifestations:

    prescriptive jurisdiction, when it concerns the passing and implementation of legislation;

    adjudicative jurisdiction, when it concerns the determination of rights of parties in an individual case;

    enforcement jurisdiction, when it concerns measures taken to ensure compliance with the law. Some of these measures deal with merely investigative acts, which is why it has been argued that investigative jurisdiction constitutes a different and additional category of jurisdiction[4].

    [2] Terminal is defined by article 5.II as a computer or any device that connects to the internet.

    [3] Importantly, this contribution does not analyze conformity under the rules of private international law contained in the Code of Civil Procedure (in particular, Art. 88 of Lei 5869/73), which lays down a broad test that would be sufficient to justify assertion of jurisdiction under any interpretation of Art. 11 of the Marco Civil. The three connecting factors under this test are: (1) the defendant is domiciled in Brazil; (2) the obligation is to be performed in Brazil; or (3) the suit originates from a fact which occurred or an act which was performed in Brazil.

    [4] D. Svantesson, The extraterritoriality of EU data privacy law - its theoretical justification and its practical effect on U.S. businesses. STAN J. INTL. L. 50(1), 53-117.


    The most fundamental basis for the assertion of jurisdiction, rooted in the concept of State sovereignty and the principle of non-intervention, is the territoriality principle[5]: the State is entitled to regulate persons, facts and events within its own territory[6]. While a strict reading of this provision requires the occurrence within the territory of at least one element of the conduct under dispute, a more expansive interpretation permits the arm of jurisdiction to be stretched so as to extend to acts having an effect on the territory. This so-called effects doctrine, most famously developed in the context of US antitrust law[7], is highly controversial in light of its virtually unlimited reach in a global, interdependent economy[8]. Therefore, it does not come as a surprise that, in order to facilitate coordinated enforcement and minimize tensions arising from the application of the effects doctrine, the United States and Europe have signed cooperation agreements confining the application of the effects doctrine to acts having direct, substantial and reasonably foreseeable impact on consumers in another country. These agreements also direct competition authorities to take into account the interests of other countries before action is taken (so-called negative comity) and to give full and sympathetic consideration to another country's request that it open or expand a law enforcement proceeding in order to remedy conduct in its territory that is substantially and adversely affecting the other country's interests (so-called positive comity)[9]. Similar considerations of comity and mutual recognition are incorporated into a number of laws having extraterritorial reach, requiring a substantial connection with the territory as a restraint against potentially controversial effects-based jurisdictional claims[10]. Considering the problematic nature of effects-based jurisdiction, it is important to bear in mind that it remains the exception: territorial sovereignty is the default rule.

    [5] C. Ryngaert, Jurisdiction in International Law (Oxford University Press, 2008), 29

    [6] U. Kohl, Jurisdiction and the Internet: Regulatory Competence over Online Activity (Cambridge University Press, 2010)

    [7] See e.g., F. Hoffman-LaRoche, Ltd. v. Empagran, 542 U.S. 155, 124 S. Ct. 2359 (2004). To contrast with the European approach, focused on the place of implementation, see Joined Cases 89/85 et al., Wood Pulp, 1988 E.C.R. 5193, paras. 15-18; Eleanor M. Fox, Modernization of Effects Doctrine: From Hands Off to Hands Linked, 42 NYU JILP 159, 160, 167, 174 (2009)

    [8] F. A. Mann, The Doctrine of Jurisdiction in International Law (1964) 111 Recueil des Cours de l'Académie de Droit International 9, reprinted in F. A. Mann, Studies in International Law (Clarendon Press Oxford 2008) 1, 6

    [9] OECD, Competition Law & Policy Report 1999 on Positive Comity

    [10] See the examples made in J. Scott, Extraterritoriality and territorial extension in EU law, 62 AJCL (2014), 87


    As the Permanent Court of Justice affirmed in the Lotus case[11], the State is territorial in nature and therefore cannot exercise jurisdiction outside its territory in the absence of a permissive rule of international law to that effect. Although the extent to which the concept of State today transcends physical boundaries in cyberspace can be debated, the rule still leaves room for jurisdiction outside the territory in relation to acts which have taken place abroad, and in respect to which a State can rely on a permissive rule of international law. One such rule is for example the universality principle, according to which a State may exercise jurisdiction with respect to certain crimes under international law in the interest of the international community. In these exceptional cases of conduct amounting to international crime, no link needs to be established between the State and the victim, the perpetrator or the territory in which the conduct takes place. Similarly, under the principle of personality, jurisdiction can be asserted by the State of nationality of the perpetrator (active personality principle) or of the victim (passive personality principle). Finally, under the protective principle, a State can intervene to protect itself from acts committed abroad that jeopardize its sovereignty. Such jurisdiction is traditionally limited to criminal law and serious violations that endanger the security of the State, although that is considered to include immigration, currency, and other economic offenses[12]. As a result, provided that a State has a colorable claim of jurisdiction under one of these principles, it is undisputed that it is entitled to regulate (and adjudicate) matters outside its territory. By contrast, where the claim under these principles is weak, and the effects theory dominates, extraterritorial assertion is likely to encounter opposition.

    Opposition can materialize even independently from the existence of conflicting claims of prescriptive jurisdiction, specifically when it comes to enforcement: under general public international law, in the absence of treaties that grant powers of extraterritorial enforcement jurisdiction to foreign agencies, it is unlawful for a state to capture or exercise control over the data or individuals located in the territory of another State, without the latter's consent[13]. Accordingly, broad extraterritorial statutes may lead to cases of empty jurisdiction, where a particular regime is foreseen for the treatment of a certain conduct, but it is not possible to enforce that regime in the absence of specific consent by the State in whose territory the conduct took place. Although conflicts between States can be largely minimized through dedicated cooperation agreements[14] (for example the US-EU antitrust cooperation agreements, and various Mutual Legal Assistance Treaties), experience shows that extraterritorial enforcement generates adverse reactions in other jurisdictions, such as: diplomatic protests; non-recognition of laws, orders and judgments; legislative measures such as blocking statutes[15] and claw-back statutes[16]; judicial measures such as injunctions; and the institution of international proceedings[17].

    [11] Case of the S.S. Lotus (France v. Turkey), Judgment No. 9 of 7 September 1927, P.C.I.J. Reports 1928, Series A. No. 10, at pp. 18-19.

    [12] I. Brownlie, Principles of Public International Law (7th ed Oxford University Press 2008)

    [13] Consent can be derived from an applicable legal treaty, or specific. See Henrik W.K. Kaspersen, Council of Europe (draft) Discussion Paper Cybercrime and Internet Jurisdiction, available at http://www.coe.int/t/dghl/cooperation/economiccrime/cybercrime/T-CY/2079_rep_Internet_Jurisdiction_rik1a%20_Mar09.pdf (accessed April 30th, 2015). See also Council of Europe Commissioner for Human Rights, The rule of law on the Internet and in the wider digital world, CommDH/IssuePaper(2014)1. This principle has also been recognized with regard to criminal matters by the International Law Commission (ILC): see International Law Commission, Report on the work of its fifty-eighth session (1 May to 9 June and 3 July to 11 August 2006), Annex E, at 22

    [14] Cooperation agreements are an important tool to minimize the issue of inefficacy in extraterritorial investigations, which is now considered as one of the most problematic aspects of the current generation of Mutual Assistance Treaties. See Andrew K. Woods, Data Beyond Borders. Mutual Legal Assistance in the Internet Age (Global Network Initiative, January 2015), available at https://globalnetworkinitiative.org/sites/default/files/GNI%20MLAT%20Report.pdf (accessed April 30th, 2015). For an account of the problems caused to undertakings in that regard, see the International Chamber of Commerce's Policy Statement, Using Mutual Legal Assistance Treaties (MLATs) To Improve Cross-Border Lawful Intercept Procedures, Document No. 373/512 (Sep. 12, 2012), available at http://www.iccwbo.org/Advocacy-Codes-and-Rules/Document-centre/2012/mlat/ (accessed April 30th, 2015)

    [15] Blocking statutes are statutes enacted with the specific purpose to limit the practical enforcement of the assertion of extraterritorial jurisdiction, by prohibiting or impeding compliance with discovery requests and/or enforcement of judgments emanating from foreign authorities.

    [16] Clawback statutes are statutes allowing the recovery of damages suffered as a result of the application of a particular law from a foreign country. See S. W. Chang, Extraterritorial Application Of U.S. Antitrust Laws To Other Pacific Countries: Proposed Bilateral Agreements For Resolving International Conflicts Within The Pacific Community, 16 HASTINGS INT'L & COMP. L. REV. 295 (1993) 298, 301; D. Devgun, Crossborder Joint Ventures: A Survey of International Antitrust Considerations, 21 WM. MITCHELL L. REV. 681 (1996), 704; Joseph E. Neuhaus, Power to Reverse Foreign Judgments: The British Clawback Statute Under International Law, 81 COLUM. L. REV. 1097 (1981).

    [17] ILC, Ibid., at 28.


    In other words, international law merely provides a list of principles as grounds for jurisdictional claims, but whether these principles are sufficient to give rise to a legitimate expectation of cooperation in foreign law enforcement is another matter. Absent specific cooperation agreements, cooperation will depend on the strength of the nexus between the harmful event and the invoking State - relative to both the requested State, and any other competing jurisdiction. For this reason, it is particularly important that the Marco Civil be interpreted in such a way that Brazilian law does not reach beyond what is generally considered a reasonable application of the various tests of jurisdiction described above. To that end, the concluding section (4) will suggest a definition of the concepts of establishment and offering services drawing on the interpretation of the relevant provisions of data protection law in the European Union, where extensive discussions took place concerning the proper scope of jurisdiction for data protection on the Internet.

    2. The evolution of the European standard: from the Data Protection Directive to the proposed General Data Protection Regulation

    2.1 The Data Protection Directive (DPD)

    Article 4 (1) of Directive 95/46/EC, which constitutes the founding document of data protection law in the European Union, provides the following: "1. Each Member State shall apply the national provisions it adopts pursuant to this Directive to the processing of personal data where: (a) the processing is carried out in the context of the activities of an establishment of the controller on the territory of the Member State; when the same controller is established on the territory of several Member States, he must take the necessary measures to ensure that each of these establishments complies with the obligations laid down by the national law applicable; (b) the controller is not established on the Member State's territory, but in a place where its national law applies by virtue of international public law; (c) the controller is not established on Community territory and, for purposes of processing personal data makes use of equipment, automated or otherwise, situated on the territory of the said Member State, unless such equipment is used only for purposes of transit through the territory of the Community."[18]

    This article delineates two different connecting factors with a State's jurisdiction: (a) the processing of personal data in the context of the place of establishment, either in the national territory or where law of that State applies by virtue of public international law (in particular, this refers to cases where international public law or international agreements determine the law applicable in an embassy or a consulate, or the law applicable to a ship or airplane)[19]; or (b) the making use of equipment in the national territory, unless it is for mere transit.

    The Article 29 Working Party, an advisory body which inter alia provides opinions on the interpretation of EU data protection rules, has addressed the meaning of each of these requirements in depth. First, it referred to the interpretation of the European Court of Justice of place of establishment as requiring the permanent availability of "both human and technical resources necessary for the provision of particular services"[20]. This notion of establishment echoes Recital 19 of the Directive, according to which it implies "the effective and real exercise of activity through stable arrangements" and "the legal form of such an establishment (...) is not the determining factor". For example, according to this criterion, the place of establishment of a company providing services via an Internet web site is not the place at which the technology supporting its web site is located or the place at which its web site is accessible, but the place where it pursues its activity. Opinion 179 also noted that the scope of interpretation of the connecting factors is influenced by the understanding of "in the context of", and refers to three different factors for its determination: (i) the degree of involvement of the establishment(s) in the activities in the context of which personal data are processed; (ii) the nature of the activities as a secondary consideration and (iii) the goal of ensuring effective data protection in a simple and workable way.

    In other words, the factors indicated by the WP serve the aim of ensuring that the link between the establishment and the processing is not too tenuous, taking into account also the problem of potentially concurrent application of multiple legislations (in which case, the goal of effective and predictable data protection should lead to an application of the Directive). As to the "making use of equipment" criterion, Opinion 56 clarified that it implies some kind of activity of the controller and the clear intention of the controller to process personal data. This includes human and/or technical means, such as in surveys or inquiries, and therefore has been deemed applicable to even incidental collection of personal data, including the mere placing of cookies on an EU user's web browser[21]. Because of the latitude of this test, the Article 29 WP warned about the problem of unenforceability (the above mentioned empty jurisdiction) and suggested limiting application of European law to those cases "where it is necessary, where it makes sense and where there is a reasonable degree of enforceability having regard to the cross-frontier situation involved". More recently, in its Opinion 179 the same Working Party proposed a more "service oriented approach", based on active targeting of individuals, and focusing on factors such as language of the website, availability of delivery in a particular country, acceptance of EU-specific payment systems, and advertising in the language or for products and services available in the EU. It noted the correspondence of this proposed test with the case-law on the applicability of the e-commerce Directive 2000/31[22], Regulation No 44/2001[23], and Directive 2001/29[24] to cross-border situations. The same reasoning, in particular to limit the reach of the term "making use of equipment" for the purposes of article 4 of the Directive, was recently relied upon by Advocate General Jääskinen in case C-131/12, Google Spain v AEPD[25].

    [18] Emphasis added

    [19] See WP 179, at 18.

    [20] Ibid, see footnote 18 and corresponding text

    2.2 General Data Protection Regulation (GDPR)

    With Article 3 of the proposed General Data Protection Regulation, the EU legislators appear to have been receptive to some of the criticism regarding the breadth of the prescriptive jurisdiction enshrined in the DPD. According to this article:

    1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union.

    2. This Regulation applies to the processing of personal data of data subjects residing in the Union by a controller not established in the Union, where the processing activities are related to:

    a. the offering of goods or services to such data subjects in the Union; or

    b. the monitoring of their behaviour.

    3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where the national law of a Member State applies by virtue of public international law.[26]

    [21] Article 29 Working Party, Working document on determining the international application of EU data protection law to personal data processing on the Internet by non-EU based websites, WP 56, 30 May 2002, http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2002/wp56_en.pdf (accessed April 30th, 2015)

    [22] See L'Oréal and Others, and the e-commerce Directive 2000/31.

    [23] Council Regulation (EC) No 44/2001 of 22 December 2000 on jurisdiction and the recognition and enforcement of judgments in civil and commercial matters (OJ 2001 L 12, p. 1), Joined Cases C-585/08 and C-144/09, Pammer and Hotel Alpenhof [2010] ECR I-12527, and Wintersteiger.

    [24] Directive 2001/29/EC of the European Parliament and of the Council of 22 May 2001 on the harmonisation of certain aspects of copyright and related rights in the information society (OJ 2001 L 167, p. 10) and Case C-5/11, Donner [2012] ECR I-0000.

    [25] The Court of Justice of the EU did not have to address this particular question since it established that the EU Data Protection Directive was applicable to Google Inc. on the basis of article 4.1 (a) of Directive 95/46, because the company processed personal data in the context of the activity carried out by Google Spain. For this reason, it was unnecessary to find jurisdiction under the "making use of equipment" criterion of article 4.1.

    In particular, the criterion of "making use of equipment" has been replaced by the concept of "offering of goods and services" or the alternative "monitoring of behavior", thereby causing a shift from a territoriality principle to a combination of a passive personality principle (monitoring of behavior of European users) and an effects principle (the direct and foreseeable effect in EU territory). While it has been argued that the word "monitoring" is unfortunate as it is not sufficiently linked to the privacy risks of individuals, which are present only in case of profiling[27][28], the key question will concern the extent to which jurisdiction is based on a genuine link between the acts and their effects. Despite the degree of uncertainty that a case-by-case application of this principle is inevitably going to generate, it is likely that a purposive interpretation of the current formulation will be able to accommodate the principles and case-law previously indicated by the Article 29 WP, so as to prevent the assertion of broad jurisdiction which may give rise to diplomatic, legislative and/or judicial responses from other countries.

    [26] Proposal for a Regulation of the European Parliament and of the Council on the Protection of Individual with Regard to the Processing of Personal Data and on the Free Movement of Such Data (General Data Protection Regulation), at 41, COM(2012) 11 final - 2012/0011(COD) (Jan. 25, 2012) (emphasis added), available at http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2012:0011:FIN:EN:PDF.

    [27] P. Schwartz, EU Privacy and the Cloud: Consent and Jurisdiction Under the Proposed Regulation, Privacy & Security Law Report, 12 PVLR 718, 04/29/2013

    [28] That is, automated processing of personal data intended to analyse or predict the personality or certain personal aspects relating to a natural person, in particular the analysis and prediction of the person's health, economic situation, performance at work, personal preferences or interests, reliability or behaviour, location or movements: see Article 29 Working Party, Advice paper on essential elements of a definition and a provision on profiling within the EU General Data Protection Regulation.


    4. Conclusion

    In conclusion, it is suggested that:

    o International principles of jurisdiction, and in particular the effects doctrine and the passive personality principle, are sufficient to justify the application of provisions of Brazilian data protection law to undertakings operating outside of Brazil.

    o However, a broad interpretation of the scope of application of Article 11 of the Marco Civil may generate problems of unenforceability and possible tensions with the countries which claim to have a stronger jurisdictional link with the regulated undertakings.

    o Therefore, the concepts of establishment and offering services should be interpreted in such a way as to minimize such problems and tensions, taking into account the significant regulatory burden they are likely to generate.

    o In this regard, the evolution of European data protection law illustrates the gradual rejection of omni-comprehensive notions of establishment (including a narrow understanding of processing in the context of the activities of an establishment), and a replacement of the notion of making use of equipment (something that can be analogized with the link to one terminal used by Article 11 of the Marco Civil) with a more service-oriented test, implemented through the concept of offering services. The remaining and alternative criterion of monitoring behavior, which may be seen as the functional equivalent of collect data in art. 11 of the Marco Civil23, leaves significant room for diverging interpretation: does the mere placing of a cookie on the browser amount to monitoring? Is the processing of aggregate or anonymized traffic data sufficiently generic to escape the definition? Critics have already called for the revision of this particular aspect of the bill due to the remoteness of the link between the activity and any potential harm to the data subject.


    o In line with the above, the following interpretation is suggested for the purposes of article 11 of the Marco Civil:

    (a) "basis or establishment" should be interpreted as a place with the permanent availability of both human and technical resources necessary for the provision of particular services, considering also the proximity of the link between these services and the activities in the context of which data is being processed;

    (b) "offer services" should be interpreted as actively targeting a particular population (the Brazilian public), for instance because of: (i) use of Brazilian currency or language; (ii) listing of telephone numbers with Brazilian country-code; (iii) marketing or advertising focused on Brazilian consumers' characteristics, including international delivery and keywords advertising or paying for other country specific referencing services; (iv) use of a Brazilian top-level domain;

    (c) "collect data" should be interpreted as referring to operations of profiling, thereby excluding activities that do not involve a likelihood of potential harm for Brazilian users;

    (d) "content of communications" should be interpreted as referring to content that is likely to be harmful to the rights of Brazilian users, so as to prevent the extension of the Marco Civil to situations with insufficient territorial nexus.