Diego GualdaVinicius Venancio Costa and Matheus Perez Matsuno


The Third Panel of the Superior Court of Justice (STJ) upheld the decision of the TJ-SP to fine Microsoft Informática Ltda. $310,000 because the company did not provide access information to a specific user's email address. In this case, a director of a brazilian company in Brazil received through his corporate e-mail threats in English from an email account user offered by the provider (the connection provider is outside Brazil).

The threatened director filed a lawsuit against the company to provide the information that would allow him to find the author. The court of first instance granted in advance guardianship the requests of the author, determining the identification of the person responsible for the e-mail account under penalty of daily fine set at R $ 10 thousand. After the decision was not complied with, the execution of the daily fine, which was appealed by the ombudsman, began. The TJ-SP maintained the conviction. The company then filed a special appeal with the STJ challenging that the Brazilian Court was not competent to request the supply, because webmail had as provider the parent company located abroad.

The above case is just the latest in a discussion not yet fully addressed within the judiciary: whether it is legitimate to compel a subsidiary in Brazil to provide information from users who hire a service with another company of the economic group outside Brazil.

Dealing with the scope of Article 11 of the Civil Framework of the Internet (MCI), in this, as in other cases, the Supreme Court considered that there was no offense to the law. According to the court, any operation of personal data, records or communications by internet connection providers and applications that occurin Brazil makes Brazilian law applicable to the case, regardless of whether there is only one device located in the country or the activities carried out are company based abroad. Therefore, for the Supreme Court, there is no way to disagree that the domicile of the demand under discussion is Brazil.

A similar case was also cited in a question-of-order judgment involving Google Brazil and Google Inc.[1] in the criminal sphere, which forced Google Inc., a foreign company, to submit to Brazilian sovereignty in cases where its subsidiary (located in Brazil), Google Brazil, is referred to in proceedings. Thus, in the case under analysis, the STJ understood that the Brazilian provider is a representative and acts on behalf of its foreign parent company.

The objective of this article is to discuss some perspectives that have not been considered by the Supreme Court in these decisions, in addition to considering the relevance of the entry into force of Law No. 13,709/18 (General Law for the Protection of Personal Data − LGPD) and a recent decision of the Supreme Court recognizing the protection of personal data as a fundamental right.

A first point concerns the legitimacy of the passive pole in the process: should the company based in Brazil be responsible for the requests, considering the context of the right to data protection and the processing of data by the foreign company?

In ADIs 6,387, 6,388, 6,389, 6,390 and 6,393,[2] in a decision that suspended the effectiveness of Provisional Measure (MP) No. 954, the Supreme Federal Court (STF) recognized the confidentiality of data as an autonomous fundamental right, and consequently as a constitutional guarantee. It also noted the need for data sharing to take into account due process, not only in its formal dimension, but also substantive. In addition to procedural guarantees, the decision requiring sharing must be proportionate in the specific case, taking into account the fundamental rights of the data subject himself. Forcing the sharing of data between companies based in different countries, at risk of causing conflicts of jurisdiction and violation of foreign law to comply with a court decision in Brazil, is this a proportionate measure from the point of view of the protection of personal data? How can we consider the principles of adequacy and necessity in this context?

Regarding the substantive dimension of due process, it seems necessary to evaluate more accurately the implications of considering the Brazilian subsidiary responsible for obtaining and making available the personal data of a user who hires a company from the same group outside Brazil.

A second aspect is related to Article 11 of the MCI, which does not have the jurisdiction of Brazilian courts, so it is not a procedural rule, but material. That is, the article regulates a rule of application of Brazilian law in the specific case. In addition, it is possible to notice technical flaws in the interpretations of §1. The situation of the rule brought by law concerns the case in which an international application provider located outside Brazil carries out the processing of the personal data of a holder located in Brazil. It is for this reason that the article mentions that one of the terminals must be located in Brazil.

However, in the concrete case mentioned above and judged by the STJ, the relationship established between the controller and the holder of the personal data should be better understood and it is necessary to observe whether the concrete evidence indicates whether the person who made the communication object of the breach of confidentiality has any point of connection in Brazil. To illustrate, if a user based in a foreign country hires an international provider and sends an email to a user located in Brazil, the law applicable to the processing of foreign data (located outside Brazil) is not Brazilian law. This does not mean that the Brazilian justice does not have jurisdiction to investigate the case and even require the breach of data confidentiality. But Brazil cannot impose the application of its law on a relationship maintained between two parties (the foreign contractor of the service and the respective provider) without any concrete element of connection with the national territory. With the transmitter located outside Brazil, it would be necessary to observe the inapplicability of the standard due to the absence of the connection element (there is no terminal located in Brazil). Thus, the evaluation of the application of Article 11, §1, of the MCI should consider the condition of the person who has his data confidentiality decreed and not only the fact that he communicated with someone in the national territory. This important nuance seems to have been overconsidered by the Supreme Court.

In addition, Article 11 of the MCI exists to protect the processing of personal data of the data subjects. Its purpose is to ensure that foreign companies are obliged to protect the personal data of holders located in Brazil, according to the parameters of Brazilian law. That is why it sounds at least strange that the device is used as a foundation for breaking data confidentiality. Article 11 values precisely the observation of due process. Therefore, using it with the justification of enabling access to personal data of holders who have contracted services with foreign companies, in any aspect, can be seen as a misimage of their own purpose. Misstatement that only worsens in the face of the recognition of the protection of personal data as a fundamental right, according to the recent decision of the Supreme Court cited above. Thus, not only the Executive and Legislative Branches, but also the Judiciary, in the exercise of jurisdiction, need to carry strictly the principle of due process in its substantive dimension.

The protection of fundamental rights cannot be relativised by a procedural convenience. We need to consider the scope of data protection within the parameters defined by the LGPD and in accordance with the Federal Constitution. Taking these terms seriously means avoiding the temptation to follow procedural shortcuts that weaken the guarantees of rights.

[1] EDcl on Inq 784/DF, rel. Minister Laurita Vaz, Special Court, tried on 05/15/2013, DJe 08/28/2013

[2] "STF suspends data sharing of telephone users with IBGE" In SUPREME COURT. Available from: <http://www.stf.jus.br/portal/cms/verNoticiaDetalhe.asp?idConteudo=442902&caixaBusca=N.> Last accessed: 24 Mar. 2021.