
Nicolo Zingales Consulta MCI (30/04/2015)

Extraterritorial reach of the Marco Civil


A guide to the interpretation of article 11's key criteria
Introduction
Article 11 of the Marco Civil defines the scope of the obligations set forth by
Brazilian law with regard to the processing of personal or communications data:
In any process of collection, storage, retention and treating of personal data or communications data by
connection providers and Internet applications providers where at least one of these acts occurs in the national
territory, Brazilian law must be made mandatorily respected, including with regard to the rights to privacy, the
protection of personal data, and the secrecy of private communications and logs.

One of the key questions regarding the implementation of the Marco Civil is under
what circumstances this provision is applicable to undertakings operating outside
of the Brazilian territory. Article 11.1 qualifies a condition for the application of
the law in two different cases, the collection of data and the retention or treating of
communication data.
1st. The provisions aforementioned apply to data collected in national territory and to the content of
communications, in which at least one of the terminals is located in Brazil.

Further, article 11.2 clarifies the extent to which these scenarios would cover the
case of undertakings that do not have a base or establishment in Brazil:
2nd. The provisions aforementioned apply even if the activities are carried out by a legal person located abroad,
provided that it offers services to the Brazilian public or that at least one member of the same economic group is
established in Brazil.1

As a result, in order to be caught by the prescriptions of article 11 an undertaking
operating abroad should either: (1) be based or established in Brazil, or belong to
an economic group which features a member with its base or establishment in
Brazil; or (2) offer services to the Brazilian public, and (2b) collect data in Brazil
or communicate content relying on the utilization of at least one terminal located
on Brazilian soil.
1 Emphasis added


Since the concept of terminal is well defined in the Marco Civil2, the key
questions that remain to be answered are (1) what is considered a basis or
establishment in the country; (2) when should a service be deemed as
offered to the Brazilian public; (3) when data is collected in Brazil; and (4)
what type of communication of content triggers Brazilian jurisdiction.
The present contribution will illustrate how the words in question should be
interpreted to ensure conformity with general principles of jurisdiction in
international law3, and how proposed changes to the framework for data protection
in the European Union are testament to the evolution of a mature understanding of
extraterritorial jurisdiction on the Internet.
1. General principles of international law
The notion of jurisdiction (from Latin juris dicere) may be understood as the
power or authority of a State to choose the law applicable to a particular set of
facts. It has three different manifestations:
o prescriptive jurisdiction, when it concerns the passing and implementation
of legislation;
o adjudicative jurisdiction, when it concerns the determination of rights of
parties in an individual case;
o enforcement jurisdiction, when it concerns measures taken to ensure
compliance with the law. Some of these measures deal with merely
investigative acts, which is why it has been argued that investigative
jurisdiction constitutes a different and additional category of jurisdiction4.

2 Terminal is defined by article 5.II as a computer or any device that connects to the internet.
3 Importantly, this contribution does not analyze conformity under the rules of private international law contained in
the Code of Civil Procedure (in particular, Art. 88 of Lei 5869/73), which lays down a broad test that would be
sufficient to justify assertion of jurisdiction under any interpretation of Art. 11 of the Marco Civil. The three
connecting factors under this test are: (1) the defendant is domiciled in Brazil; (2) the obligation is to be performed
in Brazil; or (3) the suit originates from a fact which occurred or an act which was performed in Brazil.
4 D. Svantesson, The extraterritoriality of EU data privacy law - its theoretical justification and its practical effect on
U.S. businesses. STAN J. INTL. L. 50(1), 53-117.


The most fundamental basis for the assertion of jurisdiction, rooted in the concept of
State sovereignty and the principle of non-intervention, is the territoriality
principle5: the State is entitled to regulate persons, facts and events within its own
territory6. While a strict reading of this principle requires the occurrence within the
territory of at least one element of the conduct under dispute, a more expansive
interpretation permits the arm of jurisdiction to be stretched so as to extend to acts
having an effect on the territory. This so-called effects doctrine, most famously
developed in the context of US antitrust law7, is highly controversial in light of its
virtually unlimited reach in a global, interdependent economy8. Therefore, it
does not come as a surprise that, in order to facilitate coordinated enforcement and
minimize tensions arising from the application of the effects doctrine, the United
States and Europe have signed cooperation agreements confining the application of
the effects doctrine to acts having direct, substantial and reasonably foreseeable
impact on consumers in another country. These agreements also direct
competition authorities to take into account the interests of other countries before
action is taken (so-called "negative comity") and to give full and sympathetic
consideration to another country's request that it open or expand a law
enforcement proceeding in order to remedy conduct in its territory that is
substantially and adversely affecting the other country's interests (so-called
"positive comity")9. Similar considerations of comity and mutual recognition are
incorporated into a number of laws having extraterritorial reach, requiring a
substantial connection with the territory as a restraint against potentially
controversial effects-based jurisdictional claims10.
Considering the problematic nature of effects-based jurisdiction, it is important to
bear in mind that it remains the exception: territorial sovereignty is the default rule.

5 C. Ryngaert, Jurisdiction in International Law (Oxford University Press, 2008), 29
6 U. Kohl, Jurisdiction and the Internet: Regulatory Competence over Online Activity (Cambridge University Press,
2010)
7 See e.g., F. Hoffman-LaRoche, Ltd. v. Empagran, 542 U.S. 155, 124 S. Ct. 2359 (2004). To contrast with the
European approach, focused on the place of implementation, see Joined Cases 89/85 et al., Wood Pulp, 1988
E.C.R. 5193, paras. 15-18; Eleanor M. Fox, Modernization of Effects Doctrine: From Hands Off to Hands
Linked, 42 NYU JILP 159, 160, 167, 174 (2009)
8 F. A. Mann, The Doctrine of Jurisdiction in International Law (1964) 111 Recueil des Cours de l'Académie de
Droit International 9, reprinted in F A Mann, Studies in International Law (Clarendon Press Oxford 2008) 1, 6
9 OECD, Competition Law & Policy Report 1999 on Positive Comity
10 See the examples made in J. Scott, Extraterritoriality and territorial extension in EU law, 62 AJCL (2014), 87


As the Permanent Court of Justice affirmed in the Lotus case11, the State is
territorial in nature and therefore cannot exercise jurisdiction outside its territory in
the absence of a permissive rule of international law to that effect. Although the
extent to which the concept of State today transcends physical boundaries in
cyberspace can be disputed, the rule still leaves room for jurisdiction outside the
territory in relation to acts which have taken place abroad, and in respect of which
a State can rely on a permissive rule of international law.
One such rule is for example the universality principle, according to which a State
may exercise jurisdiction with respect to certain crimes under international law in
the interest of the international community. In these exceptional cases of conduct
amounting to international crime, no link needs to be established between the State
and the victim, the perpetrator or the territory in which the conduct takes place.
Similarly, under the principle of personality, jurisdiction can be asserted by the
State of nationality of the perpetrator (active personality principle) or of the victim
(passive personality principle). Finally, under the protective principle, a State can
intervene to protect itself from acts committed abroad that jeopardize its
sovereignty. Such jurisdiction is traditionally limited to criminal law and serious
violations that endanger the security of the State, although that is considered to
include immigration, currency, and other economic offenses12.
As a result, provided that a State has a colorable claim of jurisdiction under one of
these principles, it is undisputed that it is entitled to regulate (and adjudicate)
matters outside its territory. By contrast, where the claim under these principles
is weak, and the effects theory dominates, extraterritorial assertion is likely to
encounter opposition. Opposition can materialize even independently from the
existence of conflicting claims of prescriptive jurisdiction, specifically when it
comes to enforcement: under general public international law, in the absence of
treaties that grant powers of extraterritorial enforcement jurisdiction to foreign

11 Case of the S.S. Lotus (France v. Turkey), Judgment No. 9 of 7 September 1927, P.C.I.J. Reports 1928, Series
A. No. 10, at pp. 18-19.
12 I. Brownlie, Principles of Public International Law (7th ed Oxford University Press 2008)


agencies, it is unlawful for a state to capture or exercise control over the data or
individuals located in the territory of another State, without the latter's consent13.
Accordingly, broad extraterritorial statutes may lead to cases of "empty
jurisdiction", where a particular regime is foreseen for the treatment of a certain
conduct, but it is not possible to enforce that regime in the absence of specific
consent by the State in whose territory the conduct took place. Although conflicts
between States can be largely minimized through dedicated cooperation
agreements14 (for example the US-EU antitrust cooperation agreements, and
various Mutual Legal Assistance Treaties), experience shows that extraterritorial
enforcement generates adverse reactions in other jurisdictions, such as: diplomatic
protests; non-recognition of laws, orders and judgments; legislative measures such
as blocking statutes15 and claw-back statutes16; judicial measures such as
injunctions; and the institution of international proceedings17.

13 Consent can be derived from an applicable legal treaty, or be specific. See Henrik W.K. Kaspersen, Council of
Europe (draft) Discussion Paper Cybercrime and Internet Jurisdiction, available at
http://www.coe.int/t/dghl/cooperation/economiccrime/cybercrime/TCY/2079_rep_Internet_Jurisdiction_rik1a%20_Mar09.pdf (accessed April 30th, 2015). See also Council of Europe
Commissioner for Human Rights, The rule of law on the Internet and in the wider digital world,
CommDH/IssuePaper(2014)1. This principle has also been recognized with regard to criminal matters by the
International Law Commission (ILC): see International Law Commission, Report on the work of its fifty-eighth
session (1 May to 9 June and 3 July to 11 August 2006), Annex E, at 22
14 Cooperation agreements are an important tool to minimize the issue of inefficacy in extraterritorial investigations,
which is now considered as one of the most problematic aspects of the current generation of Mutual Assistance
Treaties. See Andrew K. Woods, Data Beyond Borders. Mutual Legal Assistance in the Internet Age (Global
Network Initiative, January 2015), available at
https://globalnetworkinitiative.org/sites/default/files/GNI%20MLAT%20Report.pdf (accessed April 30th, 2015). For
an account of the problems caused to undertakings in that regard, see the International Chamber of Commerce's
Policy Statement, Using Mutual Legal Assistance Treaties (MLATs) To Improve Cross-Border Lawful Intercept
Procedures, Document No. 373/512 (Sep. 12, 2012), available at http://www.iccwbo.org/Advocacy-Codes-andRules/Document-centre/2012/mlat/ (accessed April 30th, 2015)
15 Blocking statutes are statutes enacted with the specific purpose of limiting the practical enforcement of the assertion
of extraterritorial jurisdiction, by prohibiting or impeding compliance with discovery requests and/or
enforcement of judgments emanating from foreign authorities.
16 Clawback statutes are statutes allowing the recovery of damages suffered as a result of the application of a
particular law from a foreign country. See S. W. Chang, Extraterritorial Application Of U.S. Antitrust Laws To
Other Pacific Countries: Proposed Bilateral Agreements For Resolving International Conflicts Within The Pacific
Community, 16 HASTINGS INT'L & COMP. L. REV. 295 (1993) 298, 301; D. Devgun, Crossborder Joint
Ventures: A Survey of International Antitrust Considerations, 21 WM. MITCHELL L. REV. 681 (1996), 704;
Joseph E. Neuhaus, Power to Reverse Foreign Judgments: The British Clawback Statute Under International Law,
81 COLUM. L. REV. 1097 (1981).
17 ILC, Ibid., at 28.


In other words, international law merely provides a list of principles as ground for
jurisdictional claims, but whether these principles are sufficient to give rise to a
legitimate expectation of cooperation in foreign law enforcement is another matter.
Absent specific cooperation agreements, cooperation will depend on the strength of
the nexus between the harmful event and the invoking State - relative to both the
requested State, and any other competing jurisdiction. For this reason, it is
particularly important that the Marco Civil be interpreted in such a way that
Brazilian law does not reach beyond what is generally considered a reasonable
application of the various tests of jurisdiction described above. To that end, the
concluding section (4) will suggest a definition of the concepts of "establishment"
and "offering services" drawing on the interpretation of the relevant provisions of
data protection law in the European Union, where extensive discussions took place
concerning the proper scope of jurisdiction for data protection on the Internet.
2. The evolution of the European standard: from the Data Protection
Directive to the proposed General Data Protection Regulation
2.1 The Data Protection Directive (DPD)
Article 4 (1) of Directive 95/46/EC, which constitutes the founding document of
data protection law in the European Union, provides the following:
1. Each Member State shall apply the national provisions it adopts pursuant to this Directive to the processing of
personal data where:
(a) the processing is carried out in the context of the activities of an establishment of the controller on the territory of
the Member State; when the same controller is established on the territory of several Member States, he must take
the necessary measures to ensure that each of these establishments complies with the obligations laid down by the
national law applicable;
(b) the controller is not established on the Member State's territory, but in a place where its national law applies by
virtue of international public law;
(c) the controller is not established on Community territory and, for purposes of processing personal data makes use
of equipment, automated or otherwise, situated on the territory of the said Member State, unless such equipment is
used only for purposes of transit through the territory of the Community.18

This article delineates two different connecting factors with a State's jurisdiction:
(a) the processing of personal data in the context of the place of establishment,
either in the national territory or where law of that State applies by virtue of public
18 Emphasis added


international law (in particular, this refers to cases where international public law
or international agreements determine the law applicable in an embassy or a
consulate, or the law applicable to a ship or airplane)19; or (b) the making use of
equipment in the national territory, unless it is for mere transit.
The Article 29 Working Party, an advisory body which inter alia provides opinions
on the interpretation of EU data protection rules, has addressed the meaning of
each of these requirements in depth.
First, it referred to the interpretation by the European Court of Justice of "place of
establishment" as requiring the permanent availability of "both human and
technical resources necessary for the provision of particular services"20. This
notion of establishment echoes Recital 19 of the Directive, according to which it
"implies the effective and real exercise of activity through stable arrangements" and
"the legal form of such an establishment (...) is not the determining factor". For
example, according to this criterion, the place of establishment of a company
providing services via an Internet web site is not the place at which the
technology supporting its web site is located or the place at which its web site is
accessible, but the place where it pursues its activity. Opinion 179 also noted that
the scope of interpretation of the connecting factors is influenced by the
understanding of "in the context of", and refers to three different factors for its
determination: (i) the degree of involvement of the establishment(s) in the
activities in the context of which personal data are processed; (ii) the nature of the
activities as a secondary consideration; and (iii) the goal of ensuring effective data
protection in a simple and workable way. In other words, the factors indicated by
the WP serve the aim of ensuring that the link between the establishment and the
processing is not too tenuous, taking into account also the problem of potentially
concurrent application of multiple legislations (in which case, the goal of effective
and predictable data protection should lead to an application of the Directive).
As to the "making use of equipment" criterion, Opinion 56 clarified that it implies
some kind of activity of the controller and the clear intention of the controller to
process personal data. This includes human and/or technical means, such as in
19 See WP 179, at 18.
20 Ibid, see footnote 18 and corresponding text


surveys or inquiries, and therefore has been deemed applicable to even incidental
collection of personal data, including the mere placing of cookies on an EU user's
web browser21. Because of the latitude of this test, the Article 29 WP warned about
the problem of unenforceability (the above-mentioned "empty jurisdiction") and
suggested limiting application of European law to those cases where it is
necessary, where it makes sense and where there is a reasonable degree of
enforceability having regard to the cross-frontier situation involved. More
recently, in its Opinion 179 the same Working Party proposed a more "service
oriented approach", based on active targeting of individuals, and focusing on
factors such as language of the website, availability of delivery in a particular
country, acceptance of EU-specific payment systems, and advertising in the
language or for products and services available in the EU. It noted the
correspondence of this proposed test with the case-law on the applicability of the
e-commerce Directive 2000/3122, Regulation No 44/200123, and Directive 2001/2924
to cross-border situations. The same reasoning, in particular to limit the reach of
the term "making use of equipment" for the purposes of article 4 of the Directive,
was recently relied upon by Advocate General Jääskinen in case C-131/12, Google
Spain v AEPD25.
2.2 General Data Protection Regulation (GDPR)
With Article 3 of the proposed General Data Protection Regulation, the EU
legislators appear to have been receptive to some of the criticism regarding the
breadth of the prescriptive jurisdiction enshrined in the DPD. According to this
article:
21 Article 29 Working Party, Working document on determining the international application of EU data protection
law to personal data processing on the Internet by non-EU based websites, WP 56, 30 May 2002,
http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2002/wp56_en.pdf (accessed April 30th, 2015)
22 See L'Oréal and Others, and the e-commerce Directive 2000/31.
23 Council Regulation (EC) No 44/2001 of 22 December 2000 on jurisdiction and the recognition and enforcement
of judgments in civil and commercial matters (OJ 2001 L 12, p. 1), Joined Cases C-585/08 and C-144/09, Pammer
and Hotel Alpenhof [2010] ECR I-12527, and Wintersteiger.
24 Directive 2001/29/EC of the European Parliament and of the Council of 22 May 2001 on the harmonisation of
certain aspects of copyright and related rights in the information society (OJ 2001 L 167, p. 10) and Case C-5/11,
Donner [2012] ECR I-0000.
25 The Court of Justice of the EU did not have to address this particular question since it established that the EU
Data Protection Directive was applicable to Google Inc. on the basis of article 4.1 (a) of Directive 95/46, because the
company processed personal data in the context of the activity carried out by Google Spain. For this reason, it was
unnecessary to find jurisdiction under the "making use of equipment" criterion of article 4.1.


1. This Regulation applies to the processing of personal data in the context of the activities of an
establishment of a controller or a processor in the Union.
2. This Regulation applies to the processing of personal data of data subjects residing in the Union by a
controller not established in the Union, where the processing activities are related to:
a. the offering of goods or services to such data subjects in the Union; or
b. the monitoring of their behaviour.
3. This Regulation applies to the processing of personal data by a controller not established in the Union,
but in a place where the national law of a Member State applies by virtue of public international law.26

In particular, the criterion of "making use of equipment" has been replaced by the
concept of "offering of goods and services" or the alternative "monitoring of
behavior", thereby causing a shift from a territoriality principle to a combination of
a passive personality principle (monitoring of behavior of European users) and an
effects principle (the direct and foreseeable effect in EU territory). While it has
been argued that the word "monitoring" is unfortunate as it is not sufficiently
linked to the privacy risks of individuals, which are present only in case of
profiling27,28, the key question will concern the extent to which jurisdiction is
based on a genuine link between the acts and their effects. Despite the degree of
uncertainty that a case-by-case application of this principle is inevitably going to
generate, it is likely that a purposive interpretation of the current formulation will
be able to accommodate the principles and case-law previously indicated by the
Article 29 WP, so as to prevent the assertion of broad jurisdiction which may give
rise to diplomatic, legislative and/or judicial responses from other countries.

26 Proposal for a Regulation of the European Parliament and of the Council on the Protection of Individuals with
Regard to the Processing of Personal Data and on the Free Movement of Such Data (General Data Protection
Regulation), at 41, COM(2012) 11 final - 2012/0011(COD) (Jan. 25, 2012) (emphasis added), available at
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri-COM:2012: 0011:FIN:EN:PDF.
27 P. Schwartz, EU Privacy and the Cloud: Consent and Jurisdiction Under the Proposed Regulation, Privacy &
Security Law Report, 12 PVLR 718, 04/29/2013
28 That is, automated processing of personal data intended to analyse or predict the personality or certain personal
aspects relating to a natural person, in particular the analysis and prediction of the person's health, economic
situation, performance at work, personal preferences or interests, reliability or behaviour, location or movements:
see Article 29 Working Party, Advice paper on essential elements of a definition and a provision on profiling within
the EU General Data Protection Regulation.


4. Conclusion
In conclusion, it is suggested that:
o International principles of jurisdiction, and in particular the effects
doctrine and the passive personality principle, are sufficient to justify
the application of provisions of Brazilian data protection law to
undertakings operating outside of Brazil.
o However, a broad interpretation of the scope of application of Article
11 of the Marco Civil may generate problems of unenforceability
and possible tensions with the countries which claim to have a
stronger jurisdictional link with the regulated undertakings.
o Therefore, the concepts of "establishment" and "offering services"
should be interpreted in such a way as to minimize such problems and
tensions, taking into account the significant regulatory burden they are
likely to generate.
o In this regard, the evolution of European data protection law
illustrates the gradual rejection of omni-comprehensive notions of
"establishment" (including a narrow understanding of "processing in
the context of the activities of an establishment"), and a replacement
of the notion of "making use of equipment" (something that can be
analogized with the link to "one terminal" used by Article 11 of the
Marco Civil) with a more "service-oriented" test, implemented
through the concept of "offering services". The remaining and
alternative criterion of "monitoring behavior", which may be seen as
the functional equivalent of "collect data" in art. 11 of the Marco
Civil23, leaves significant room for diverging interpretation: does the
mere placing of a cookie on the browser amount to "monitoring"? Is
the processing of aggregate or anonymized traffic data sufficiently
generic to escape the definition? Critics have already called for the
revision of this particular aspect of the bill due to the remoteness of
the link between the activity and any potential harm to the data
subject.


o In line with the above, the following interpretation is suggested
for the purposes of article 11 of the Marco Civil:
(a) "basis or establishment" should be interpreted as a place with the
permanent availability of both human and technical resources
necessary for the provision of particular services, considering also
the proximity of the link between these services and the activities
in the context of which data is being processed;
(b) "offer services" should be interpreted as actively targeting a
particular population (the Brazilian public), for instance because
of: (i) use of Brazilian currency or language; (ii) listing of telephone
numbers with Brazilian country-code; (iii) marketing or advertising
focused on Brazilian consumers' characteristics, including
international delivery and keyword advertising or paying for other
country-specific referencing services; (iv) use of a Brazilian top-level
domain;
(c) "collect data" should be interpreted as referring to operations of
profiling, thereby excluding activities that do not involve a
likelihood of potential harm for Brazilian users;
(d) "content of communications" should be interpreted as referring
to content that is likely to be harmful to the rights of Brazilian
users, so as to prevent the extension of the Marco Civil to
situations with insufficient territorial nexus.
