Cyberlaw: Brazilian Courts have jurisdiction in litigation involving infringements committed through internet services

Brazilian Courts have jurisdiction to decide disputes arising from illegal actions committed on the Internet even if the infringer is not a Brazilian resident and the internet service used to infringe is provided by a foreign Internet Service Provider (“ISP”) and is hosted on servers located abroad. This ruling was issued by the Third Chamber of the Superior Court of Justice (“STJ”) last November in the Proceedings REsp no. 1,745.657 – SP (2018/0062504-5).

This decision is relevant because it confirms the understanding that Brazilian Courts can assert jurisdiction to rule on cross-border conflicts over the Internet and that Brazilian law must be applied, even when the infringer and the ISP are domiciled abroad. Foreign ISP`s should, therefore, be aware that they could be subject to the jurisdiction of Brazilian Courts and Brazilian law, even though their servers are located outside Brazil and the service agreement is governed by foreign law. 

Moreover, while the dispute at hand involved a crime of threats, the same reasoning could apply to intellectual property rights infringements committed on the internet. Therefore, the decision is also pertinent for intellectual property rights holders domiciled in Brazil as it makes it easier for them to obtain information about online infringers of their rights, as it gives the possibility to request the Brazilian Judiciary to order foreign ISP’s to provide information about the users of their services performing illegal acts through such internet services, even though these services are contracted and provided abroad.

This case began with a legal action brought by a Brazilian citizen against Microsoft Informática Ltda, the Brazilian subsidiary of Microsoft Corporation, to obtain information about the holder of an Outlook e-mail account. Such Outlook e-mail account, a service provided by Microsoft, was used to threaten the plaintiff by sending electronic messages to his professional e-mail account.

The First Instance Court granted an injunction relief lifting the confidentiality of the account information and ordering Microsoft to inform any available data on the user of the e-mail account, the electronic record of the account creation and other log records (http log; webmail application log; SMTP server log for outgoing e-mails and connections; POP server log for incoming e-mails  and connections),  including IP address, dates and times of access, source logical port, referring to the accesses to the e-mail account and the respective phone numbers used in such connections.

Microsoft did not comply with the order and appealed this decision, initially to the Court of Justice of São Paulo and, afterwards, to the STJ, claiming that the Brazilian Courts lack jurisdiction to order Microsoft to provide available personal data relating to such e-mail account. According to Microsoft, since the threats were written in English and both the internet connection and the access to the respective e-mail account happened in the United States of America, such measures could only be ordered by an U.S. Court. 

Nevertheless, the STJ dismissed the appeal confirming the First Instance Court decision, explaining that (emphasis added):

“When the alleged illegal activity has been practiced on the Internet, regardless of the forum provided for in the service agreement, even if the agreement establishes the courts of other country, the Brazilian judicial authority is competent if required to solve the conflict, because the plaintiff is domiciled in Brazil, which is also where he accessed the electronic site where the information was transmitted, thus it must be considered as an act performed in Brazil”.

Thus, the Court confirmed the understanding from its previous precedents (REsp 1168547 / RJ, Fourth Chamber, Dje: 07/02/2011) ruling that the crimes committed on the Internet will be considered carried out in Brazil, for the purpose of attracting the jurisdiction of Brazilian Courts when the affected person is a Brazilian resident and the infringing act can be accessed in Brazil, that is, its effect takes place in Brazil. The STJ also noted that:

“In fact, it is a mistake to imagine that any application hosted outside Brazil cannot be reached by national jurisdiction or that Brazilian laws are not applicable to its activities. 

It is evident that, if there is an offense to Brazilian law through an application hosted abroad (for example, an offense against a Brazilian resident posted on a social network), a Brazilian Court may order such content to be removed from the Internet and that the personal data of the offender to be revealed to the victim. Otherwise, anyone could avoid being held responsible for harmful acts simply by storing such harmful information in distant countries”.

Regarding this type of cross-border conflicts on the internet, the STJ recognized that the territoriality of the jurisdiction remains the rule, but that, as in the present case, the exception must be admitted, although applied with caution, when the following criteria are all met: (i) strong grounds on the merit, based on local and international law; (ii) proportionality between the measure and the desired purpose; and (iii) compliance with the procedures provided for in local and international laws.

With regard to the applicability of the national law, the decision is based on article 11 of Law no. 12,965 of April 23, 2014, known as the Civil Rights Framework for the Internet (“Marco Civil da Internet”), according to which Brazilian law will be applicable whenever any operation of collection, storage and processing of records, personal data or communications by connection and internet application providers take place in national territory, even if only one of the communication devices is in Brazil and even if the activities are carried out by a company based abroad.

Therefore, the Court ruled that Brazilian law should apply to this case since the offended was domiciled in Brazil and has received the offensive messages in the country.

The Court dismissed the argument that the defendant company has not provided the service used by the offender because, while the defendant provides its services only in Brazil, it is a subsidiary of the Microsoft group, the responsible for the well-known service offered all around the world.

Concerning the argument that the e-mail account that sent the offensive messages was accessed from abroad, the Court stated that this fact has not been proven and that, even with such evidence, this would not be relevant considering that the electronic messages were received and read in the Brazilian territory, which is sufficient to attract Brazilian jurisdiction.  

Similarly, on the argument that obtaining the identification of the author of the messages would depend on the provision of information from internet access providers located outside the country, the STJ clarified that this information was not object of the claim. The ruling explains that the procedure for identifying the user of an e-mail service is divided into two parts: first, the information of the e-mail service provider (in this case, Microsoft); second, the information from the internet service provider. The case at hand concerns only the first part of the information, concerning exclusively the e-mail service provided by Microsoft. On this point, it is important to mention that the Court explained that, if the plaintiff had requested data from internet access providers located abroad, then it would have been necessary to request such information before foreign Courts.