Author: Ericson M. Scorsim

The company Huawei has filed a lawsuit against the United States government due to the legislative ban contained in the National Defense Authorization Act (NDAA), which forbids the company from supplying telecommunication equipment to federal agencies. The law also bars federal loans for the purchase of such products.

The case was filed before a federal district court in Texas, against the United States Government, the U.S. General Services Administration Administrator, the Secretary of Labor, the Secretary of Health and Human Services, the Secretary of Education, the Secretary of Agriculture, the Secretary of Veterans Affairs, and the Acting Secretary of the Interior.

According to the complaint filed, the 2019 NDAA, more specifically its Section 889, is unconstitutional as it directly forbids federal authorities from signing procurement agreements with Huawei to purchase telecommunication equipment or federal or granting federal loans for such purpose.

In short, Section 889 is not only contrary to the economic interests of the United States and its citizens, and ineffective at advancing U.S. security interests, it is also contrary to the Constitution of the United States.

Injuries to the U.S Constitution

The first injury to the U.S Constitution is the violation of the Bill of Attainder Clause, which prohibited that legislature impose punishment, without hearing the other party or trial.

The second unconstitutionality relates to the violation of the Due Process Clause, that prohibited legislation that would single out particular persons or deprivations of liberty. In this case, the legislative act affects business freedom.

The third unconstitutionality is the violation of the principle of the separation of powers, as Congress must not act as prosecutor, judge, and enforcer of the sanction of prohibition against the company, without any evidence of it having business connections with the Chinese government, as well as of threats to cybersecurity.

The company also claims that Section 889 of the National Defense Authorization Act bars Huawei from doing business with the federal government even as to agencies that have no significant connection to defense, information security, or national security.

It further argues that the U.S. law causes significant damages to Huawei’s business by creating unfair conditions amongst competitors.

Thus, the U.S federal government may purchase telecommunication equipment from Nokia, Ericsson, and other competitors, but cannot purchase products from Huawei.

Finally, Huawei requests that Section 889 of the 2019 National Defense Authorization Act be declared unconstitutional, as it violates the Bill of Attainder Clause, the Due Process Clause of the Constitution’s Fifth Amendment, and the Constitution’s Vesting Clause and resulting separation of powers.

Artigo publicado no portal jurídico Migalhas Internacional em 15/03/2019

The Internet of Things, known as IoT, is a market trend in internet applications.

IoT is the infrastructure of physical or virtual connection between objects, mediated by devices, based on information and communication technologies. This network allows the collection, processing, treatment, and sharing of data referent to physical and/or virtual objects.¹

This article presents the challenges for regulating this matter in Brazil, stressing the public consultation held by Anatel in September 2018 on IoT-related issues.

Such public consultation dealt with issues related to the rating of IoT applications, licensing and award rules, use of the spectrum frequencies, taxation, and others, to be examined further on.

IoT Applications

There are IoT applications in houses and buildings. IoT products for smart homes – controlling temperature, lights, security, and energy consumption, such as Alexa, a virtual assistant sold by Amazon². In buildings, IoT applications are used for security, such as biometric control of entrance, as well as vehicle control in the garage.

In the industry, there are IoT projects for digitalization and robotization of factories, manufacturing of self-driving cars, etc. The so-called 4.0 Industry uses sensors with wireless networks to improve productivity in factories, control inventory conditions, monitor product transportation, as well as the environmental conditions of factories.

In the trade sector, IoT applications are used to monitor vehicle fleets, track containers in ports and ships, among others, control inventory in logistics distribution center, among other uses.

In agriculture, it is present in smart irrigation, controlling agricultural equipment, tracking plantations with drones, and monitoring climate conditions. IoT is also used to monitor cattle grazing.

IoT is present in the health sector allowing for remote monitoring of chronic patients, tracking high-cost medication, sensors can control the temperature of equipment such as surgical drills used in hip-replacement surgery, among other applications.

In the public sector, with have IoT projects for smart cities: public lighting networks with smart sensors, traffic-based traffic lights, etc.

In the financial industry, one of the applications of the Internet of Things is machine to machine communication. For example, electronic payment companies, through mobile apps, on small devices.

New business models for IoT applications that perform financial services through machine to machine communication require knowledge of the sectoral regulation adopted by Anatel (the Brazilian Telecommunications Regulatory Agency). This is because the business may rely on a virtual network of a mobile communications operator, or not. The IoT application’s business model may or may not use frequencies of the spectrum.

In other words, IoT applications rely on the telecommunications infrastructure network. Hence the need to examine the IoT business model to know if it may require a permit as an added-value service of the telecommunications network or authorization to the frequencies of the spectrum. Hence the regulatory role by Anatel in clarifying the regulatory framework applicable to IoT applications.

IoT: Security and Privacy Risks

The Internet of Things has the potential to collect the personal data of millions of people. There are possible risks to the security of personal data and privacy, with the remote monitoring of people’s consumption patterns, their location, behavior, preferences, and others by the technological devices.

Society must be aware of the hypervigilance risks caused by IoT networks, as well as the possible risks to digital freedom. Then, legislators can define in the proper laws the limits to IoT applications.

IoT Applications and the Demand for Connectivity Using the Telecommunications Infrastructure Network.

The Internet of Things requires digital communications networks infrastructure. It needs high-speed data transportation networks and access networks.

The 5G internet network, a high-speed network (the average speed is 10 Gbps, in comparison to the current 100 Mbps) is vital for IoT. This 5G network requires mobile telephony antennas and fiber optics, and cloud-based software solutions.

Challenges to the Regulation of IoT Applications.

In Brazil, IoT is not yet regulated.

The law must regulate the matter, through laws and decrees, along with self-regulatory measures by the companies that offer IoT devices.

In addition to regulation, the government must also provide incentives for the private sector to make investments in IoT network infrastructures.³

In Brazil, the Internet of Things is only mentioned in Decree No. 9.319/2018, that institutes the national digital transformation system.

This Decree deals with matters such as internet access and data transportation networks by mobile and landline broadband, the digital transformation of the economy, professional education and training, data-based economy, new business models.

Decree No. 9.319/2018 only mentions the following: “by recognizing the transformative potential of the Internet of Things applications, actions and incentives must be set to allow for the continuous evolution and dissemination of such devices and the associated technologies.

Anatel: Public Consultation on the Regulation of IoT Applications

Anatel recently opened Public Consultation No. 31, of September 2018, to reexamine the regulation to expand IoT applications.

The regulatory agency presented the following themes for assessment of regulatory impact: a) granting of IoT services based on new business models; b) rules for providing IoT services; c) the matter of taxation and licensing of IoT services; d) numbering to meet the demand of IoT devices (used to address and identify these devices in any network in the world); e) the cyber security of IoT devices (certification and approval of IoT devices); f) the spectrum band available for IoT (and, also, non-monetary bids for new frequencies; g) broadband infrastructure to support IoT services; h) domestic roaming agreements, given the offering of IoT services based on global connectivity providers.

Anatel mentions the National IoT Plan, and the IoT Chamber, established in the form of Decree No. 8.234/2014, as one of the grounds used to open the matter to public consultation. This Decree regulates Article 38 of Law No. 12.715/2012, which deals with the taxation of machine to machine communications. According to that norm, the Ministry of Communications (currently, the Ministry of Science, Technology, innovation, and Communication) will create a chamber to manage and monitor the development of machine to machine communication systems. Under this Decree, Anatel will regulate and monitor compliance with its provisions.

According to Anatel, the purpose of the IoT Chamber is manage and monitor the development of machine to machine communication, to apply Article 38 of Law No 12.715/2012, which deals with the taxation of machine to machine applications. Note that the law refers solely to the issue of taxation of IoT applications.

Still, according to Anatel, some Iot/M2M (machine to machine communication) business models do not fit the typical features of telecommunications services, as per the current regulations. Hence the need to adjust the regulation of IoT/M2M services.

The regulatory agency also points out the lack of flexibility of the regulation for personal mobile services (SMP), through virtual networks for IoT applications.

According to Anatel, some IoT applications use as support personal mobile telecommunication services.

Telecommunication services are regulated based on the obligation burden of providing communication between people, hence the requirements of consumer protection and quality.

However, such consumer and quality obligations from telecom regulations do not make sense for IoT applications. Thus, one of the possible paths is establishing a differentiated scheme for IoT applications, with the possibility of the matter being defined in contract.

Also, the Mobile Network Operator (MNO) registration model requires being bound to a provider at the origin. However, this requirement does not make sense for IoT applications. Amongst the alternatives is establishing a differentiated scheme for IoT applications, through virtual networks, based on personal mobile services.⁴

Discussion on the Legal Qualification of IoT Applications

There is a discussion on the legal qualification of the Internet of Things.

The tendency is to qualify it as an added-value service of the telecommunications network. The concept of added-value service is in Article 61 of the General Telecommunications Act. However, it is distinguished from the concept of telecommunications services, which traditionally comprehends landline and personal mobile telephony services.

So, if the Internet of Things is qualified as an added-value service, it may be subject to the ISS municipal service tax.

However, if IoT is qualified as a telecommunications service, it will be subject to the ICMS State sales tax.

Bills for Tax Exemption of Machine to Machine Communication to Promote the Development of IoT and Application Business Models

There are some bills to remove taxation from IoT stations.⁵ Such is the case of Bill No. 7.656/2017.

The bill grants to Anatel the power to define the concept of machine to machine communication to apply the rule of tax exemption of the Contribution to Promote Public Radio Broadcasting and Contribution for Development of the Cinema Industry.⁶

It’s hard delegating to the regulatory agency the definition of the concept of machine to machine communication for taxation purposes. The law must define this concept. This is required under the principle of strict legality. Otherwise, this leads to legal uncertainty in the practical application of the concept within the regulation of the Internet of Things, with the risk of judicialization of the matter.

The public consultation held by Anatel registers the issue of the application of the licensing fees for stations (TF1 – fee for inspection of installation and TFF – fee for inspection of Operations) that may make the IoT/M2M business models unfeasible.

There is a discussion regarding the alternatives, in the sense of exempting or applying zero rates to the licensing fee of IoT/M2M terminals, waiving the licensing of such terminals or taxation based on a percentage of the revenue of the business and not by device.

The Issue of Net Neutrality

Another regulatory challenge is the issue of Net Neutrality, stated in the Internet Regulatory Framework. With the implementation of IoT networks, there will probably be a demand for flexibility of net neutrality. For example, the Internet of Things related to communication between vehicles, giving priority to ambulance services, is cited as one such demand for flexibility of net neutrality.

For example, in the United States, given the legal ambiguity of the Communication Act, there is a controversy regarding Internet neutrality. Initially, the Federal Communication Commission, during the Obama administration, qualified internet connection services as telecommunication services to guarantee the obligations regarding net neutrality. Later, in the Trump administration, the regulatory agency removed net neutrality.

In Brazil, however, the concept of net neutrality is defined in the Internet Regulatory Framework.

Frequencies of the Spectrum

Another issue related to the regulation of IoT applications is defining the range of the frequencies of the spectrum to be used, the licensed and unlicensed range, to be decided by Anatel. For example, the Internet of Things depends on wireless communication networks.

Privacy and Security Standards of IoT Applications

Another regulatory challenge of IoT is defining the privacy and security standards of the data collected through landline and mobile devices. Regulation is also vital to protect the personal data of users of IoT application.

In this regard, it must be highlighted that Brazil recently passed Law 13.709/2018 that deals with the protection of personal data, with rules for private companies and the public sector. There are also rules on the international transfer of personal data between companies.

If the IoT network’s architecture is not built correctly, there are severe risks to the security and privacy of the data transported by the networks. For security reasons, the digital identification of physical and virtual objects is essential.

International Scenario on Cyber Security and IoT

The matter of the Internet of Things is directly associated with the issue of cyber security.

In this regard, Anatel’s public consultation opened to the discussion on the issues of certification and approval of the IoT devices.

For example, the United States passed the Internet of Things (IoT) Cybersecurity Improvement Act of 2017.

This North American legislation holds the standards for IoT devices purchased by federal agencies. Thus, the suppliers and operators of IoT equipment (such as the design of the microchips used in machines and networks) for the USA government and its agencies must adjust to the cyber security guidelines.

Also, recently, California passed Senate Bill – SB 327 to protect the privacy of information in connected devices (IoT).

According to the California Bill, the manufacturer of connected devices must follow reasonable security standards, according to the following aspects: appropriate to the nature and function of the technological devices, appropriate to the information collected, stored, and transmitted; designed to protect the device and any information stored from unauthorized access, destruction, use, alteration or opening, among other rules. If the Governor of California sanctions the bill, it will come into effect in January 2020.

According to its critics, the bill is the first step, even if it contains superficial and incomplete definitions of security. The critics say that the bill does not indicate the security measures such as device certificate, code signature, and firmware safety audits, purchased from IoT suppliers that buy them from suppliers abroad. The bill also does not define liability in case of unauthorized access through coded encryption keys.⁷

Thus, the matter of the Internet of Things is directly associated with the issue of national cybersecurity in light of external threats. Cyber-attacks to public and private networks by hackers present challenges to national security.

Finally, in the United States, there are rules for IoT security set by the National Congress that must be followed by the industry. Over there, they are also debating whether there should be mandatory certification of IoT devices.

To better understand the context, the United States has adopted measures to prevent China from buying American technology companies (mobile phone and computer chip manufacturers). In addition to the issue of international competitiveness, there are allegations of risks to national security. The United States are concerned with the 5G network, specifically with it being dominated by foreign companies, overall Chinese companies. Hence the trade war between the United States and China in this cyber security realm.

The matter must be seen from the context of the big picture, as characterized by the trade war between the United States and China for technological leadership.

China has a program called Made in China 2025 with clear objectives to obtain its technological independence by manufacturing cell phone chips, robots, and the digitalization of its industry. Hence the international discussion around intellectual property, technology transfer, cyber security, etc.

Opportunities in IoT Applications

IoT holds tremendous opportunities for telecommunication companies, internet connection providers, and for the companies that explore this type of business. It creates demands for the creation of data centers and implementation for more networks of cellular antennas.⁸ There are even credit facilities for IoT startups through the Brazilian Development Bank – BNDES (via Finep).

IoT applications present challenges and opportunities for device manufacturers, network operators, and startups with new business models.

In sum, the regulation of the Internet of Things has significant repercussions in the present and near future.

_______________________

1 According to the International Telecommunications Union, the internet of things is: “a global infrastructure for the information society, enabling advanced services by interconnecting (physical and virtual) things based on existing and evolving interoperable information and communication technologies (ICT).

2 Problems have been reported regarding the security and privacy of people due to the use of technological devices that can record all conversations held close to the equipment. There are even cases of baby monitors that monitor children and homes being hacked. Hence, in the United States, consumers are demanding security and privacy measures for IoT products. The United States Senate, through its Committee on Commerce, Science, and Transportation, held a public hearing on the matter of guarantees to protect consumers’ privacy. It called representatives of the companies AT&T, Amazon, Google, Twitter, Apple, and Charter. In sum, the technology companies support a federal bill to protect the consumers’ right to privacy, to avoid having the North American States passing laws on the same matter. Amazon’s representative gave a statement on Alexa, a cloud-based voice service. According to him, when Alexa is activated, the consumer is informed that the cloud-based audio streaming service is in operation; also, that the device can be turned off through Echo/Alexa’s microphone button; and, finally, that the Echo hardware and Alexa’s service were designed to allow control by the consumer.

3 Google has announced that it will invest USD 140 million to expand its datacenter in Chile. It is the first Google datacenter in Latin America that will operate as infrastructure to offer cloud computing services. According to the press, Chile was chosen given the favorable environment for foreign investments, a clear regulatory framework, and renewable energy sources.
Brazil lost the opportunity to attract this type of investment from a global company, that would create jobs and generate income in the country. This fact attests to Brazil’s delay in establishing a policy to promote investments in datacenters in Brazilian territory and, accordingly, to compete in the international market.
India, in its turn, has recently passed a law requiring foreign technology companies to store their users’ personal data in Indian territory. The law has an impact on companies such as Facebook, PayPal, Mastercard, and others.

4 Anatel, in July 2018, authorized the company Safra Telecomunicações to operate as a Mobile Virtual Network Operator (MVNO).

5 Article 38. The value of the Fee for Inspection of the Installation of Mobile Stations of Personal Mobile Services, Cellular Mobile Services or any other telecommunication service, as per Law No. 5.070, as amended, that integrate machine to machine communication systems, as defined in the regulation to be issued by the Executive Branch, is set at BRL 5.68. (Regulation) Sole paragraph. The Fee for Inspection of Operations will be paid annually, by March 31st, and its value corresponds to thirty-three percent of the Fee for Inspection of the Installation.

6 In its turn, Decree No. 8.234/2014, which regulates Article 38, of Law No. 12.715/2012, defines the following: “Article. 1. For the purpose of the provided in Article 38, of Law No. 12.715, of September 17, 2012, machine to machine communication systems are deemed to be the devices that use telecommunication networks to transmit data to remote applications, without human intervention, with the purpose of monitoring, measuring, and controlling the device, the environment around it, or the data systems connected thereto through such networks”.

7 The press recently announced a security breach by Amazon that allegedly leaked the access code to the company’s system.

8 Thecountry was due to its political stability, the regulatory framework to attract private investments and economic stability press recently published that Google is expanding its data center in Chile. The choice to invest in that .

Artigo publicado no portal jurídico Migalhas Internacional em 09/10/2018.

Brazil has passed Law 13,709/18 on personal data protection.

It contains rules for both the public and private sectors regarding the collection, processing, treatment, and sharing of personal data.

However, recently, the President of the Republic indicated several vetoes to the bill passed by the National Congress. Among these vetoes: the creation of a regulatory agency for personal data protection (Articles 55 to 59), the rules of data sharing by the public sector and private companies (Articles 23, item II, 26, item II, paragraph 1, and Article 28), sanctions of complete or partial suspension of the operation of the database and suspension of the exercise of personal data processing activity, and partial or complete prohibition of exercising any activities related to data processing (article 52, items VII, VIII, and IX). We shall examine these vetoes further on in this text.

The law on the protection of personal data is adapted to the context of the evolution of the technologies based on digital platforms, big data, artificial intelligence, machine learning.

The legislative regulation of this matter is critical because corporate self-regulation is not enough to resolve the complex issues related to personal data protection.

As an illustration of the above, we have the scandal between Facebook and the company Cambridge Analityca regarding the improper collection of the data of millions of users of that social network, as well as third-party personal data.

In the United States, there was also news about a lawsuit against Google due to the illegal monitoring of millions of iPhone and Android users. According to such lawsuit, Google does not disable the user’s location history. This business practice violates the privacy laws of the State of California, according to the plaintiff. This is a typical case related to the protection of personal data and privacy.

Also, the media often reports on the invasion of personal databases and the leak of such data, under the responsibility of public authorities and private companies.

In Brazil, for example, a security breach was reported in the E-Health application of the Ministry of Health, with the exposure of the personal data of thousands of Brazilians that use the Unified Public Health System (“SUS”), with the display of the patient’s medical information, medication use history, and appointments in the public health service.

This theme is inserted in the context of the risks of cyber-attacks by hackers, with threats to personal data security and privacy. Therefore, the law is intended to prevent this kind of abuse against the rights to personal data protection.

Personal data is information on your private life (ID, image, location, and health, among others), financial life (existence of bank or credit cards debts, etc.), among other aspects.

Currently, personal databases are a source of economic value to private companies. For the public sector, they are essential to the implementation of public policy in several areas, such as public health.

According to the law mentioned above, in its Article 5, sensitive personal data are those related to ethnic or racial origin, religious beliefs, political opinions, affiliations to trade unions or religious organizations, health-related data, genetic or biometric data, sexual orientation.

The foundations of the Brazilian Data Protection Act are laid out in its Article 2: the respect to privacy, informative self-determination, the freedom of expression, information, communication, and opinion, the sanctity of privacy, honor, and image, economic and technological development and innovation, free enterprise, free competition, and consumer protection, human rights, the free development of personality, dignity, and the exercise of citizenship by individuals, among other things.

The law is applicable to personal data processing operations, regardless through what means, the country of the processor’s headquarters, or where the data is located, provided that the processing operation take place in Brazilian territory, the purpose of the data processing activity is the offering or provision of goods or services or the processing of data of individuals located in Brazilian territory, or the personal data being processed was collected in Brazilian territory (article 3, item II and III. Also, the personal data whose subject is in Brazilian territory at the time of their collection will be deemed as having been collected in Brazil (art. 3, paragraph 1).

This Personal Data Protection Act impacts several companies from industries such as telecommunications, internet applications, such as social networks, search engines, video sharing websites, financial institutions, e-payment companies, startups in the technologies and government sector (govtech), digital marketing companies, hospitals, among others.

For example, in the financial sector, there is a trend towards the opening of banking data (open banking) to increase competition in that sector. So, if the Brazilian Central Bank regulates the issue appropriately, the traditional banks will have to share the account-holders’ personal information with credit and financing companies, such as the startups known as fintechs.

In the business realm, the application of this law creates demands for the hiring of executive professionals for database management. It also creates a need for the creation of compliance rules with the companies and the respective bodies of enforcement.

This federal law also applies to the public sector, containing rules on the sharing of personal data in databases administered by government agencies. Example: the data from people registered in the public health system.

The law, however, does not apply to personal data processing performed by an individual for private and non-economic purposes, carried out exclusively for artistic and journalistic, or academic purposes, or held for the sole purpose of public safety, national defense, data security, criminal investigation and repression activities, article 4.

In the context of international regulation, Europe has the General Data Protection Regulation (GDPR). Each European country has an agency that regulates personal data protection.

There are questions as to the application of the European legislation. Online advertising companies that use personal data such as the location of the users of applications on mobile phones are concerned with the compliance rules to be adopted. On the other hand, media companies are seeking alternatives to address the dispute with technology companies, focused on digital advertising.

The United States, in its turn, does not have a general personal data protection law. There, the Federal Commerce Commission, the American regulatory agency responsible for enforcing loyal trade practices between businesses and consumers, regulates the issue of consumers’ personal data and applies sanctions against potential abuses committed against consumer rights. For example, the Federal Commerce Commission has entered into several settlements with Google and Facebook concerning consumer privacy protection.

The law referenced above holds the requirements for personal data processing, upon consent by the data subject. In other words, the permission of the owner of the personal data is a condition for its valid use, according to the law.

According to the law under examination, in its article 5, item X, personal data processing is the collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, filing, storage, elimination, information assessment or control, modification, communication, transfer, dissemination, or extraction of such data.

The principles of personal data processing activities laid down in Article 6 include: the purpose (identification of the legitimate and specific purpose informed to the owner), fitness (compatibility of the processing with the purposes informed to the subject), need (limiting the minimum processing required to achieve its purposes), free access (guarantees that the owners will have easy and free consults regarding the form and duration of the processing), data quality (assurance of precision, clarity, relevance, and updating of the data, as needed and to achieve the purpose of the processing), transparency (assurance of clear, precise, and accessible information to the owners on the performance of the processing, respecting business and industrial secrets”.

Personal data may be processed to comply with legal or regulatory obligations. For example, employees’ personal data, such as name, address, vacation periods, benefits, leaves, of mandatory registration before public authorities (known as e-social). Another example is the sharing of the personal data of users of telecommunications and internet services, between private companies and Anatel (the Brazilian Telecommunications Regulatory Agency) for the purpose of public policies on communications.

The public administration may also process personal data required to enforce public policies. Example: public taxation policies, by sharing the personal data of citizens for tax collection purposes.

Personal data processing is also allowed for credit protection. Example: the Brazilian Credit Protection System (Serasa and SPC), used in by the trade, industry, and service sectors.

Another permitted use is in the regular exercise of rights in lawsuits or administrative or arbitration proceedings. Given the current context of electronic proceedings, there is a demand for proper processing of personal data to protect rights before the Judiciary and/or the Public Administration.

Article 11 of the Law deals specifically with the processing of sensitive data.

For example, in this respect, the following rule is stated in Article 11, Paragraph 3: “The shared use or communication of sensitive personal data between controllers with the purpose of obtaining economic benefits may be subject to

prior authorization or regulation by national authorities, upon hearing the proper sectoral agencies.”

This legal provision may be applied, for example, by the Brazilian Agency of Supplementary Healthcare (“ANS”) to restrict the sharing of sensitive personal data, such as using personal data in medical records and clinical history that may be used by healthcare plans to check for pre-existing diseases.

The processing of the personal data of children and teenagers requires specific consent by one of their parents or legal guardians, as per Article 14, Paragraph 1. For example, children and teenagers will need one of their parent’s consent to have access to YouTube.

The data subject has the right to obtain confirmation of the existence of the processing of their data, access to their data, correction of incomplete, inaccurate and outdated data; and de-identification, blockage or erasure of unnecessary or excessive data, or of data processed in breach of the provisions of the law, portability of personal data to another product or service supplier, elimination of personal data treated with the data subject’s consent, as per article 9 of the law.

Regarding the processing of personal data by government, the law states that the shared use of personal data must be consistent with specific ends associated with the execution of public policies and duties by public bodies and entities, according to the personal data protection principles established in Article 6 of the law.

However, the government is forbidden from transferring personal data stored in databases under their management, or to which such entities may have access to private entities, except in those cases in which processing is outsourced to private entities, as per Article 6, Paragraph 1, item I. Sharing is also authorized in the case of legal provision and when the transfer of personal data is based on contracts, agreements or similar instruments.

But, according to the presidential veto, the cumulative requirement (legal and contractual provision) hinders Public Administration, because “several procedures related to the transfer of personal data are detailed in normative acts, such as the processing of the public servants’ payroll by private financial institutions, the collection of fees and taxes, and payment of social security benefits, among others”.

Also, in the event of public access to personal data, sharing is possible, within the limits of the law.

According to Law No. 13.709/18, in its article 5, item XVI, shared use of data is the disclosure, dissemination, international transfer, interconnection or shared processing of a database by public bodies or entities, when in fulfillment of their obligations, or among public agencies or entities and private entities, with specific authorization, for one or more classes of processing assigned by such public entities, or between private entities.

According to the presidential veto, the prohibition of sharing information identifying the personal data of the subject applying to have access to information hinders the functioning of the Public Administration.

The veto cites, as an example, the sharing of the Social Security database and the National Registry of Social Information. The veto claims the hindering of activities related to the administrative power of police, such as investigations within the National Financial System.

The disclosure and shared use of personal data between public entities and private entities require the data subject’s consent, except for the legal waivers of consent in the cases of shared data use, with extensive publicity, as per article 27 of the law.

However, according to the presidential veto, unrestricted communication or advertising of shared personal data use among government agencies can make hinder the regular exercise of some public actions of surveillance, control, and administrative police.

Under the law, the processing of personal data by notarial registry services must follow the rules applicable to the public sector. The bill also provides that these notarial and registry services must provide access the public administration with access to such data, by electronic means.

State-owned companies and quasi-public corporations which operate in a free competition environment will be bound by the same rules as those enjoyed by private entities. For example, public banks must follow the provisions of the law under examination.

There is a specific chapter on the international transfer of personal data, starting with Article 33. The international transfer of personal data will only be allowed to countries that afford a level of personal data protection equivalent to that of the law.

The international transfer is also allowed when the data controller offers sufficient guarantees of compliance with the general principles of protection and with the rights of the data subjects, presented on contractual clauses approved for a specific transfer. Likewise, when the international transfer of data is necessary for international judicial cooperation between public intelligence and investigation agencies, under international rules and laws. Or when the transfer of data is required for the protection of life or the physical safety of the data subject or a third party.

In the specific chapter on security and best practices for protecting data confidentiality, there is a provision on security incidents, in which case the data controller shall notify the competent public body within a reasonable term. If necessary, the relevant public body may order a broad disclosure of the fact in the media and/or measures to revert or mitigate the consequences of the damage.

There are also legal provisions on the liability and compensation for damages caused by personal data controllers and/or processors. The data controller and data processor are jointly and several liable for damages caused to the data subject and the cases of waiver of such legal liability, according to Article 42 of the law.

As for the supervision of the personal data processing activities, Article 52 provides several administrative sanctions to be imposed by the competent public body: warning, simple or daily fine up to 2% of the billing of the private legal entity, limited to BRL 50,000,000.00; publication of the violation after it has been adequately verified and confirmed; blockage of the personal data subject of the breach until its regularization; erasure of the personal data subject of the breach; total or partial suspension of operating databases, for a period not exceeding 6 months; suspension of personal data processing operations, for a period not exceeding 6 months; total or partial prohibition of data processing related activity.

The President of the Republic vetoed the sanctions of complete or partial suspension of the operation of the database, suspension of the exercise of personal data processing activity, and partial or complete prohibition of exercising any activities related to data processing.

According to the veto, these administrative penalties of suspension or prohibition of the operation/exercise of data processing activities can lead to “uncertainty for those responsible for this information, as well as make it impossible to use and process databases essential to various activities, such as those used by financial institutions, among others, which may jeopardize the stability of the National Financial System.”

The law creates the National Data Protection Authority, a federal agency bound to the Ministry of Justice.

There is undoubtedly a need for an independent regulatory agency specialized in personal data protection. The specialization of the matter requires the creation of a regulatory agency. By the way, this is the European model, where each country has a regulatory agency for personal data protection.

However, the President of the Republic vetoed this provision that creates the regulatory agency for personal data protection, on the grounds of formal unconstitutionality, given a flaw of initiative in the matter, which is reserved for the Head of the Executive Branch.

According to media reports, the President of the Republic will submit a new bill or even a provisional measure to create of the National Data Protection Agency.

Note that the lack of regulatory agency undermines the effectiveness of the law and its enforcement.

It is clear that the absence of an independent authority to supervise the law will leave personal data unprotected.

Also, the law provides for the Personal Data and Privacy Protection Council (Articles 58 and 69).

However, these legal provisions have been vetoed by the President of the Republic.

Finally, Law N. 13.709/18 alters the Internet Regulatory Framework in two aspects.

On the one hand, it provides for the right of permanent deletion of the personal data provided by users to a particular internet application at the end of the relationship between the parties, except when the law requires mandatory storage of records.

On the other hand, there is the right to permanent deletion of personal data that are excessive in relation to the purpose for which consent was given by the data subject, notwithstanding the legal caveats.

“Law N. 13.709/18 will come into force in 2020, 18 months after its official publication” (Article 65). Therefore, there is a reasonable time for adjustment to the legal regulations.

In conclusion, there are several challenges for the effectiveness of the Brazilian Personal Data Protection Act. Among them, the veto to the creation of the National Agency for Personal Data Protection. The international best practices, as set out in the European model, is in the sense of the existence of independent and efficient regulatory agencies, committed to public interest. Hence the urgency in solving this severe problem regarding the lack of a regulatory agency for Personal Data Protection.

Publicado no portal jurídico Migalhas Internacional em 03/09/2018.

The Supreme Court of the United States ruled, in June, in the case Carpenter v. the United States, by majority vote, that government entities must obtain a warrant to access the data/information on the location and movement of suspects of crimes in FBI investigations, on cellphone networks.

The ruling that accepted to try this case before the Supreme Court, in the Certiorari to the United States Court of Appeals for the Sixth Circuit, presented the following issue:

“Whether the warrantless seizure and search of historical cell phone records revealing the location and movements of the cell phone user over the course of 127 days is permitted by the Fourth Amendment.”

Judge Robert cast the winning opinion, which was followed by Ginsburg, Breyer, Sotomayor, and Kagan. Justices Kennedy, Thomas, Alito, and Gorsuch cast the dissenting and defeated opinions.

The Court’s decision mentioned the fact that in the United States there are 396 million cellphone services accounts, within a universe of 326 million people.

The discussion revolved around the interpretation of the Fourth Amendment of the U.S. Constitution.

The American constitutional debate consists of examining whether the search and seizure of data/information on the physical movement of an individual through cell phone networks, requested by the authorities, require a warrant or not.

The issue is whether a third party (in this case, the cell phone companies), has the right to oppose the search of personal data/information.

It also involves the expectation of privacy before third parties (cellphone companies).

The majority opinion pointed out that technological innovations allow for the mass surveillance of the population. Hence the risks of technologies concerning the expectations of privacy of citizens, in violation of the fourth amendment.

By majority vote, the Supreme Court of the United States ruled that there is the expectation of privacy before third parties, namely the cellphone companies.

The U.S. Government invoked the Third-party Doctrine. According to this doctrine, the person has reduced expectation of privacy when information is shared with third parties.

As mentioned, the core issue is the expectation of privacy regarding the historical records on the location of an individual, by the recording of the movement of the respective users by the cellphone companies.

The majority opinion of the Supreme Court presented important considerations. According to the decision:

“The case before us involves the Government’s acquisition of wireless carrier cell-site records revealing the location of Carpenter’s cell phone whenever it made or received calls. This sort of digital data – personal location information maintained by a third party – does not fit neatly under existing precedents. Instead, requests for cell-site records lie at the intersection of two line of cases, both of which inform our understanding of the privacy interests at stake”.

The decision of the Supreme Court of the United States continues:

“Significantly, the Court reserved the question whether ‘different constitutional principles may be applicable’ if ‘twenty-four hour surveillance of any citizen of this country (were) possible.”

The decision also provides considerations on the issue of monitoring via GPS devices installed in vehicles, informing the whereabouts of people.

In this line, the majority opinion of the Court reads:

“A person does not surrender all Fourth Amendment protection by venturing into the public sphere. To the contrary, ‘what (one) seeks to preserve as private, even in an area accessible to the public, may be constitutionally protected.

(…)

For that reason, ‘society’s expectation has been that law enforcement agents and others would not – and indeed, in the main, simply could not – secretly monitor and catalog every single movement of an individual’s car for a very long period.

Allowing government access to cell-site records contravenes that expectation. Although such records are generated for commercial purposes, that distinction does not negate Carpenter’s anticipation of privacy in his physical location over the course of 127 days provides an all-encompassing record of the holder’s whereabouts. As with GPS information, the time-stamped data provides an intimate window into a person’s life, revealing not only his particular movements, but through them is ‘familial, political, professional, religious, and sexual associations.’

(…)

Accordingly, when the government tracks the location of a cell phone, it achieves near-perfect surveillance, as if it had attached an ankle monitor to the phone’s user.”

(…)

Moreover, the retrospective quality of the data here gives police access to a category of information otherwise unknowable. In the past, attempts to reconstruct a person’s movements were limited by a dearth of records and the frailties of recollection. With access to CSLI, the Government can now travel back in time to retrace a person’s whereabouts, subject only to the retention policies of the wireless carriers, which currently maintain records for up to five years. Critically, because location information is continually logged for all the 400 million persons in the United States – not just those belonging to persons who might happen to come under investigation – this newfound tracking capacity runs against everyone”.

On the other hand, in the dissenting opinions, which were defeated, the Justices felt that cell phone companies have the right to the property of the users’ historical records.

According to Justice Kennedy’s opinion, the recordings obtained by the government belong to the cell phone companies. Still, according to him, the information on the movement history of the user’s mobile device is not private.

In his dissent, Justice Thomas claimed that the Telecommunications Act is insufficient, and does not grant to the plaintiff the right of ownership of the cell phone networks’ recordings.

Another dissenting opinion highlighted that the Fourth Amendment does not regulate all the methods through which the government can obtain evidence, for criminal investigation.

In sum, the core theme debated by the Supreme Court refers to the reasonable expectation of privacy concerning the data stored by third parties (cell phone companies).

The majority decision was based on a constitutional interpretation of the Fourth Amendment of the American Constitution concerning its purpose, extending the requirement for a warrant to obtain personal information, protecting the person’s expectation of privacy (information on the records of their personal location).

The dissenting opinion, which was defeated, was grounded on a more restrictive and literal interpretation of the Fourth Amendment.

Another issue discussed refers to the right of ownership of the data stored by the cell phone companies.

There are substantial interests at stake, such as the right to include, exclude, and control the use of personal data.

Thus, who owns the data stored through cell phone networks: the users or the phone companies?

According to one of the dissenting opinions, the Telecommunication Act refers solely to the user’s right to privacy of their confidential information concerning the phone company. Thus, the company has a duty to respect the right to privacy of the user’s personal information.

In his vote, Justice Thomas states that the American telephone law does not recognize the right of property of the users concerning the data stored by the telephone companies.

As for the discussion on the interpretation of the Stored Communications Act (the American law applicable to electronic communications), the investigative authority has to show that the information on the personal location obtained through cell phone networks is relevant to the ongoing investigation for it to be admitted as evidence in a criminal case. However, according to the winning decision, this statute is not the proper mechanism for obtaining access to the recordings of cell phones’ location history.

On the other hand, according to the dissenting opinion, the Stored Communication Act authorizes Courts to order that the recorded history be handed over, provided that the government show specific and substantiated facts that such evidence (the recordings) is relevant to the ongoing investigation.

This United States Supreme Court case is relevant from the point of view of the constitutional interpretation of the right to privacy, especially concerning the treatment of data collected, processed, and stored by private companies.

Note that the matter is broader than the case tried by the USA Supreme Court, which was related to the telephony industry (cell phone companies). The issue of the privacy of personal information also has repercussions on financial institutions, credit card companies, digital payment services, e-commerce, and others. Hence the relevance of the theme, with effects to millions of people.

Artigo publicado no portal jurídico Migalhas Internacional em 18/07/2018.

The case of the data leak of Facebook’s platform, in the episode with the company Cambridge Analytica, with global impact in several countries, including Brazil, poses interesting questions in the context of comparative law, from an economic (the company’s economic value), political (elections), and legal (applicable regulation) perspective, examined below.

From an economic perspective, there is the impact on Facebook’s market value, which lost billions of dollars (through the devaluation of their shares) due to the illegal capture of data from users and non-users of the internet application. This fact also reflects on their business model, as well as the privacy policy and the degree to which the platform is open to application developers (Apps). In other words, the access to personal data on the Facebook platform by third-party companies that collect data through internet applications.

In the electoral realm, the case is related to the influence of Facebook’s digital platform on the elections in several countries, especially in the United States. The core issue is the possibility of manipulating public opinion, as well as the electorate’s vote, through social media campaign’s, including by spreading fake news. Thus, the matter is directly related to the risks of democracy, through campaigns to mislead the public’s opinion, as well as taking the truth out of context.

From a legal perspective, the case has implications on the regulatory model most appropriate to internet applications, such as Facebook, which is controlled by a technology company. The discussion revolves around the extent of state regulation, along with self-regulatory measures by the internet application provider itself.

Another legal aspect relates to the domestic laws of each country, examined below. In particular, the sectoral regulatory model for internet applications, as well as self-regulatory measures.

Thus, it is important to consider the greater context of the current regulations around the world on the protection of personal data, as well as the right of access to personal information by national authorities and foreign governments, in the cases allowed by law.

In February 2018, the United States passed the Cloud Act, which holds rules for the use of data collected overseas.

The United Kingdom, in its turn, passed the Data Protection Bill in January past, which legislates on the protection of personal data, with rules on the international transfer of data to other countries, as well as rules on data access by intelligence services.

This upcoming May, in the European Union, the Regulation of the European Parliament and Council on the protection of people and treatment of personal data will come into effect.

In Brazil, the Public Prosecutor’s Office of the Federal District has opened an investigation to verify if the personal data of Brazilians was unduly captured in the Facebook and Cambridge Analytica episode.

Brazil, however, unlike other countries, does not have a specific law on the protection of personal data; there is not even an agency to regulate this matter.

We will now examine the Facebook case (illegal collection of personal data), as well as it repercussion in different countries.

Artigo publicado no portal jurídico Migalhas Internacional em 11/04/2018.

This article presents a comparative analysis between jurisdiction in Brazil and in the USA in two relevant cases given their impact on internet application and technology companies.

On one hand, in Brazil, the technology companies that provide internet application services (such as Google, Facebook, Youtube, etc.) and have headquarters abroad, face issues regarding the interpretation of the Brazilian laws, especially as to the compliance with court orders to submit the contents of private communications stored in their servers.

On the other hand, in the USA, North American technology companies also face issues such as the requisitioning of email content from these service providers, whereas the content of the private communications are stored in servers abroad.

In Brazil, a Direct Motion of Unconstitutionality was filed before the Brazilian Supreme Court under number 51/2017, for the constitutional review of Decree No. 3810/2001 that enacted the Mutual Legal Assistance Treaty between Brazil and the United States, examined below.

In the USA, there is the case United States versus Microsoft, in progress before the USA Supreme Court. The case debates whether email services providers, which have the control over their users personal data, have the legal obligation to disclose the content of electronic communication, even if the material is stored in servers located outside of the USA.

The Federation of the Associations of Information Technology Companies (“ASSESPRO NACIONAL”) filed a declaratory motion of constitutionality (Adcon No. 51/2017 to have Federal Decree No. 3.810/2001 declared constitutional. This Federal Decree enacted the Mutual Legal Assistance Treaty in Criminal Procedures between Brazil and the United States of America.  Under this legal statute, a letter of request must be issued in cooperation processes between Brazilian and USA authorities in matters of criminal investigation, prosecution, and crime prevention.

According to the technology company association that filed the motion, many Brazilian courts are not applying the said Decree. That is why the Association filed the direct motion of constitutionality, as it is the proper legal instrument to review the constitutionality of the decree and, thus, its practical application by the Brazilian Courts. The only case in which the Decree should not apply is if it is found to be unconstitutional, which has not yet been declared by the Brazilian courts.

What is happening is that the technology companies with headquarters in the USA that provide internet application services (such as email, social media, digital advertising, etc.) in Brazil are being mandated by the courts to submit the contents of private communications between their users. If they fail to comply with such court orders, the internet application providers are held civilly liable, with the application of severe fines, and criminally liable for the crime of contempt of court.

They argue that internet application providers headquartered in the United States are subject to the laws of that country. In this regard, the laws of the USA impose strict limits to the delivery by internet application providers of the contents of private communications between their users (such as emails).

The argument presented in the case ADCON No. 51 is that, by failing to apply Decree No. 3810/2001, the Brazilian courts are violating the constitutional principles of sovereignty, confidentiality of private communication, the due process of law, equality, and free enterprise.

The Plaintiff also claims that the Brazilian Internet Regulatory Framework does not exclude the application of international treaties to which Brazil is party to. In the present case, the Mutual Legal Assistance Treaty, in the form of Decree No. 3810/2001, is deemed to be a formal law, as it has been received by the Brazilian legal system.

Facebook joined the action as amicus curiae (ADCON No. 51).  It claims that its activities are subject to the Electronic Communications Privacy Act.  This North American law forbids the disclosure of the content of private communications stored by the electronic communications services providers, notwithstanding the exceptions set in the law itself.

According to the company Facebook Brasil, it does not have managerial control over the data of the company Facebook Inc., based in the United States. Facebook Brasil only voluntarily provides information to Brazilian authorities in case of emergency (risk of death and/or severe bodily harm to a person). Therefore, Facebook Inc. is governed by the United States laws, as is headquartered in that country.

It also claims that the contents of private communications cannot be directly provided to Brazilian authorities, except with a court warrant issued by a U.S Court. According to the company, U.S law does not allow internet application providers to disclose the content of private communications directly due to a Brazilian court order, otherwise the company may be held liable for violation of the U.S law.

Another question is if it is possible to extend the application of Brazilian laws and the Brazilian jurisdiction to companies with headquarters abroad and, respectively, given the sovereignty of the foreign State.

In sum, the case portrayed in ADCON No. 51 is interesting as it deals with the constitutional principles of sovereignty, independence of States, international cooperation, principle of territoriality of jurisdiction, due process of law, and the rights to communication and to privacy of communication.

As for the United States of America, the case of United States V. Microsoft Corporation  is in progress before the American Supreme Court. This case regards the possibility of the United States government obtaining, through court orders, the contents of private communications, such as emails, stored in computers/servers/datacenters located outside of that country.

The original case refers to a drug-trafficking criminal investigation, in which the Government requested an order for Microsoft to disclose email information. Microsoft refused to deliver the content of the email, claiming that it changed the email storage location to Ireland, and that the Stored Communications Act cannot be applied outside of U.S territory.

Here is an excerpt from the original brief filed by Microsoft before the U.S Supreme Court: “Whether a United States provider of email services must comply with a probable-cause based warrant issued under 18 U.S.C 2703 by making disclosure in the United States of electronic communications within that provider’s control, even if the provider has decided to store that material abroad”. According to the U.S government, grounded on 18 US.C 2703, authorities from that county may require electronic communication providers to disclose the content of communications.

In contrast, Microsoft claims that the American law on electronic communications is applicable only to acts committed within U.S territory. It argues that the Stored Communication Act focuses on protecting the safety of private communications, hence the trust that users have that the electronic communications providers safely store the content of their communications in electronic servers.  It also claims that it offers services such as MSN, Hotmail, and Outlook, storing thousands of user emails in data centers located in over 40 countries.

According to Microsoft, the U.S. Congress did not signal that the Stored Communications Act should be applied outside of U.S territory. Thus, a order to copy and import communications stored in foreign territory is an illegal and extraterritorial application of the Stored Communications Act.

Also, according to Microsoft, the Stored Communications Act comprehends solely communications stored in the United States, as the focus of the statute is to protect electronic communications stored and avoid the disclosure of private communications. So, the focus on the disclosure of electronic communications is contrary to the original intent of the American legislators.

The conclusion: “For now, the presumption against extraterritoriality limits the SCA, and the warrant issued under it, to communications stored on U.S. soil”. Moreover, the U.S Congress may update the Stored Communications Act, considering the conflict between the application of the law and international relations with other countries, the privacy of citizens, and the competitiveness of the technological industry.

The European Union, the United Kingdom, New Zealand and Ireland have requested participation in the case United States x Microsoft by filing an amicus curiae brief.

So, as an illustration of the above, the European Union claims that the proper procedure would be to consider the internal laws of the European Community in relation to the protection of personal data, especially in relation to data stored in its territory. The European regulation contains specific rules on the transfer of personal data between countries, especially in relation to non-European countries.

The Brazilian NGO InternetLab, connected to Fundação Getúlio Vargas, filed a petition as amicus curiae in the United States v. Microsoft Corporation case . It claims that Brazil is one of the largest internet markets. U.S. technology companies such as Facebook, Youtube, Google, and Microsoft have millions of users in Brazil. It also claims that the Brazilian laws related to internet application providers is strictly enforced, despite the American electronic communications law that forbids the delivery of private communications content by electronic communications providers.

The NGO also alleged that the Mutual Legal Assistance Treaty between Brazil and the United States, in the form of Decree No. 3810/2011, is the best legal alternative to solve the conflict between the Brazilian and American laws and jurisdictions, and to apply the laws most appropriate to the case, respecting the sovereignty of each country, the due process of law, and the privacy of the users of internet applications.

Another argument presented by InternetLab is that the Internet Regulatory Framework prevents the disclosure of private communications, guaranteeing the users’ right to privacy. Thus, U.S technology companies cannot be forced to directly provide the contents of private communications without a court order from a U.S court.  The brief claims that the Brazilian Internet Regulatory Framework offers protection similar to the one purported by the United States Stored Communication Act.

Further, it claims that in the case of the Stored Communications Act (SCA), there is a conflict between two jurisdictions, so the court order has extraterritorial application.

Hence the question posed by InternetLab to the United States Supreme Court, as amicus curiae: “Whether a United States provider of email services must comply with a probable-cause-based warrant issued under 18 U.S.C § 2703 by making disclosure in the United States of electronic communications within that provider’s control, even if the provider has decided to store that material abroad”.

In this case, the application of two laws on electronic communications puts the internet application provider in a situation of conflict in light of different obligations in each jurisdiction: the United States and Brazil. Hence the need for a solution that grants legal certainty in the application of the law, given the conflict between international laws and jurisdictions, within the realm of the internet.

The conclusion: “This Court should affirm the judgment of the Second Circuit of Appeals and hold that the warrant issued to Microsoft in this matter was an improper extraterritorial application of 18 U.S.C §2703 (b) (1) (A)”.

It must be said that the importance of this case lies in the fact that the ruling by the United States Supreme Court may have repercussions in Brazil, specifically on internet application providers that operate herein, even if headquartered abroad.

It is our opinion that Brazil, within the realm of international cooperation between jurisdictions in a case relevant to internet applications, should also participate in the United States x Microsoft soft case as amicus curiae, such as the European Union, Ireland, and New Zealand have done, given the possible repercussion of the ruling of the United States Supreme Court on the interpretation of its law that will impact technology companies that operate globally.

_____________

1 See STF (Brazilian Supreme Court), case Adcon 51, Plaintiff: Federação das Associações das Empresas Brasileiras de Tecnologia da Informação.

2 This is provided in the U.S Stored Communications Act (“SCA”), which forbids electronic communication providers operating under USA jurisdiction to disclose the communications of their respective users, notwithstanding the legal exceptions.

3 Supreme Court of the United States. United States of America v. Microsoft Corporation. On writ of certiorari to the second circuit Court of Appeals. Brief of InternetLab Law and Technology Center as amicus curiae in support of respondent.

4 See: 18 U.S. Code § 2703 – Required disclosure of customer communications or records. A governmental entity may require the disclosure by a provider of electronic communication service of the contents of a wire or electronic communication, that is in electronic storage in an electronic communications system for on hundred and eighty days or less, only pursuant to a warrant issued using the procedures described in the Federal Rules of Criminal Procedure (or, in the case of a State Court), issued using State warrant procedures) by a court of competent jurisdiction. A governmental entity may require the disclosure by a provider of electronic communications services of the contents of a wire or electronic communication that has been in a electronic storage in an electronic communications system for more on hundred and eighty days by the means available under subsection (b) of this section”.

5 Supreme Court of the United States. United States of America v. Microsoft Corporation. On writ of certiorari to the second circuit Court of Appeals. Brief of InternetLab Law and Technology Center as amicus curiae in support of respondent.

6 Under this aspect of the U.S electronic communications statute, Google was sentenced to pay a fine of USD 8,5 million in a class action filed by users, under the argument that the provider violated the users’ right to privacy, before third parties.

Publicado no Portal Jurídico Migalhas em 02/02/2018

http://www.migalhas.com/HotTopics/63,MI273592,61044-Brazil+and+the+United+States+of+America+Jurisdiction+and+the

The Federation of the Associations of Information Technology Companies (“ASSESPRO NACIONAL”) filed a declaratory motion of constitutionality (Adcon No. 51) of Decree No. 3.810/2011. This Federal Decree enacted the Mutual Legal Assistance Treaty in Criminal Procedures between Brazil and the United States of America.¹

Technology companies claim that the Brazilian judicial authorities are not applying this Decree, as they request evidence, data, and information directly from the technology companies that have their data are stored in data centers located in the USA, without going through the procedure of issuing letters of request from the Court. The Decree states that the Court must issue a letter of request to solicit documents, evidence, and information located in foreign countries.

This failure of the Brazilian Courts to apply Decree No. 3,810/2011 creates serious problems for technology companies that work in the social network segment, as well as for the providers of internet applications.

And, if these companies do not comply with the court orders requesting documents/data, they may be penalized with heavy fines. There is also a risk of criminal investigation/prosecution related to the crime of disobedience, including the risk of arresting the manager of the company.

Private Communications: The Constitutional Protection of the Fundamental Right to Privacy of Communications

The Brazilian Constitution holds solid guarantees related to private communications. It is worth noting the guarantee of data secrecy, except in the case of breach of secrecy of communication, for the purposes of criminal investigation or prosecution.²So the lower laws (the Brazilian Civil Procedure Code, the Criminal Procedure Code, and the Internet Regulatory Framework) must be interpreted under the perspective of maximizing the effects of this constitutional guarantee with regard to obtaining evidence, information, and data from internet application companies.

The Brazilian Civil Procedure Code and the Brazilian Criminal Procedure Code: International Cooperation in Jurisdictional Exercise

The Brazilian Civil Procedure Code provides that a letter of request will be issued to the foreign court so that it may perform the international legal assistance act related to the case in progress before the Brazilian Courts (Article 237, item II.

The Brazilian Criminal Procedure Code, in its turn, states that the provisions of that statute apply to the ratification of foreign criminal sentences and the issuance and compliance with letters of request for summons, inquiries, and other procedures required for criminal prosecution” (Article 780 Article 783 of the Brazilian Criminal Procedure Code also provides that the letters of request will be sent by the respective judge to the Head of the Department of Justice, to request its enforcement, through diplomatic channels, by the proper foreign authorities.

So Decree 3810/2001 that deals with the Mutual Legal Assistance Treaty between Brazil and the USA is set within this statutory context.

Decree No. 3810/2011: Status of Law

The federal decree under examination is formally a law, hence its effectiveness on Brazilian judicial authorities. It is an act that incorporated the international treaty between Brazil and the USA into the Brazilian legal system. The simplified procedure for requesting data, information, and documents provides for the issuance of letters of request by the Courts, to be enforced with the cooperation of diplomatic agents.³

Internet Application Providers: The Internet Regulatory Framework

According to the Internet Regulatory Framework (Article 10, Paragraph 1) and the decree that regulates it, registration data and access records must be submitted by internet application providers upon proper request by the Brazilian authorities, regardless of any international treaties on the matter. However, regarding the content of private communications, there is no legal authorization for direct request thereof by the Brazilian Courts. It is worth highlighting that internet application providers have a different legal regime than internet connection providers, as per distinction in the Internet Regulatory Framework.

Internet Application Providers’ Business Model

Internet application companies, such as Google, Facebook, WhatsApp, Twitter, etc, which store and collect private communications exchanged by Brazilians, do not usually have data centers in Brazilian territory. They merely use the local infrastructure of the telecommunications network. However, the contents of the private communications are stored in data centers abroad.

The location of the data center is part of the business model of internet application providers, due to economic and strategic reasons, as well as data security and network architecture.

So any Brazilian law that tries to oblige these companies to build data centers in Brazil in order to offer such internet applications may have its constitutionality question, especially given the constitutional guarantee of free enterprise.

In this regard, we must point out how essential the protection of privacy and of the secrecy of private communications is, as they are integral to the business models of technology companies that provide internet applications. The assurance that personal data and the content of private communications will be kept safe and secure is essential to the business models of these technology companies. Their market value depends on proper protection of the private communications of their users and the expectation and trust placed by the user on the protection of the secrecy of such private communications.

Brazilian Sovereignty: Self-delimitation due to Mutual Legal Assistance Treaty

In the present case, as Brazil has signed the Treaty for Mutual Legal Assistance in Criminal Cases with the USA, that contemplates the issuance of letters of request by the Judiciary, then Brazil must comply with this international treaty, in the form of Decree No. 3810/2001, while it is in effect in the Brazilian legal system.

However, the Brazilian Courts (including the Superior Court of Justice) are denying the application of Decree No. 3810/2001, under the argument of the principle of national sovereignty.⁴ If the effectiveness of the Decree is not certain, then the best legal solution is to have its unconstitutionality declared by the Courts.

It seems that the argument of violation of the sovereignty principle is not enough to justify the failure to apply the federal decree and impose undue burdens to foreign technology companies with headquarters abroad. Much to the contrary, this type of interpretation of the law results in an offense to the sovereignty of the foreign country that is responsible for requesting evidence, data, and information from the companies located in their territory.

Legal Security and the Due Process of Law: the Procedure for Letters of Request for the Purpose of Gathering Evidence in a Police Investigation or Criminal Prosecution.

The direct request by Brazilian Courts of evidence/information for the purposes of criminal investigation or prosecution from internet application providers, without the issuance of a formal letter of request by the Court, violates the principles of the due process of law and of legal security.

The reason is that the Brazilian law defines how cooperation between the Brazilian and foreign jurisdictions should work, in its Decree No. 3810/2001, so the Brazilian authorities are bound to the enforcement of the Brazilian law.

Admissibility of Evidence

According to the Brazilian Constitution, evidence must be properly produced for it to be admissible, for the purposes of criminal investigation. The Constitution expressly states the evidence obtained by unlawful means are not admissible (Article 5, item LVI.

Thus, if Decree No. 3810/2001 is not applied when evidence is gathered from foreign technology companies with headquarters abroad, there is the risk of annulment of that evidence.

Conclusion

In sum, the declaratory motion of the constitutionality pf Decree No. 3810/2001 that approved the International Legal Assistance Treaty between Brazil and the USA, which is now in course before the Brazilian Supreme Court, illustrates the complexity of issues related to the exercise of jurisdiction in Brazil, as well as the enforcement of Brazilian law with regard to the internet and internet application providers with headquarters abroad.

We highlight the international cooperation between the Brazilian and North American courts, for the enforcement of Brazilian laws in the compliance of court orders related to police investigation or criminal prosecutions (gathering of data/evidence), related to internet application users of foreign technology companies located abroad.

_______________

1 The Mutual Legal Assistance Treaty between Brazil and the USA, under the terms of Decree No. 3810/2100 comprehends the following measures: depositions or witness statements; provision of documents, records, and assets; location or identification of people or assets; delivery of documents; transfer of people in custody to give testimony; executing search and seizure warrants; assistance related to the freezing and forfeiture of assets; restitution, fines, etc.

2 Brazilian Constitution, Article 5, item XII.

3 See: Ericson M. Scorsim. Communications Law. Telecommunications, Internet, Broadcast Media, and Pay TV. Author’s Edition. Curitiba: Amazon, 2016.

4 Cases that the Superior Court of Justice failed to apply Decree No. 3810/2001, RMS 44892/SP, 2010, reported by Justice Ribeiro Dantas, tried on April 5, 2016; RMS 466685/MG, reported by Justice Leopoldo de Arruda Raposo, published on April 6, 2015.

Artigo publicado no Portal Jurídico Migalhas Internacional em 11/01/2018.

http://www.migalhas.com/HotTopics/63,MI272273,41046-Mutual+Legal+Assistance+Treaty+between+the+Brazilian+and+North

In the United States of America, the decision on the flexibility of net neutrality is on the agenda of the Federal Communications Commission, under the leadership of the Republican Ajit Pai. According to the President of the FCC: “President Trump and Congress have appropriately invalidated one part of the Obama-era plan for regulating the Internet. Those flawed privacy rules, which never went into effect, were designed to benefit one group of favored companies, not online consumers”.[1]

The purpose of the new regulatory policy of the FCC is to reinstate broadband internet services classification as an information service and not as telecommunications services (common carriers). Classifying internet connection services as common carrier leads to obligations to third parties, especially the guarantee of equal competition.  Thus, with the FCC regulation in force, there are rules preventing broadband providers from blocking or slowing down broadband internet connection services. If the regulatory change is passed by the FCC, internet access services providers will have more freedom to set prices, for the purposes of compensation for the use of the telecommunications’ infrastructure network. The new regulatory policy would be especially created to pass transparency rules for internet connection providers, to know which websites or applications pay an additional value for high-speed streaming, and the monitoring of net neutrality would be done by the Federal Trade Commission. 

The FCC Fact Sheet – Restoring Internet Freedom claims that the current regulation does not encourage new investments in the telecommunications’ infrastructure network.[2]  If the new regulation is passed, telecommunication services’ operators such as Comcast, Verizon and AT&T would be able to determine which online websites their clients can consume, as well as block or favor the traffic of certain contents.

This potential change to internet regulation in the USA resulted in a debate on net neutrality in Brazil. The highlight here is the internet of things phenomenon (digital communication between machines) as an argument for reviewing the Brazilian Internet Regulatory Framework.

Here are some considerations on this debate on net neutrality being held in the USA and Brazil.  Internet regulation deeply affects telecommunications companies, internet access providers, internet applications providers, the new business models of technology companies, and online content providers. Therefore, this regulation impacts different markets within the internet platform. It has a particular impact on the entertainment, audiovisual, and commercial advertisement markets.

From an economic perspective, the core issue of the controversy is broadband internet consumption and its pricing: who should foot the bill and how much should that bill be. Should consumption be measured and priced accordingly, so that the more bandwidth consumed, the greater the payment? For example, major video consumers (movies, sitcoms, television programs) would pay more for bandwidth consumption. The alternatives to the regulatory treatment of the issue are: ensure market freedom, that is, the companies negotiate freely, through commercial agreements, on the payment for data packet traffic; or the sector’s regulation, preserving net neutrality.   

In Brazil, internet connection services are not telecommunications services. It is an added-value service to the telecommunications network, as determined in the General Telecommunications Act, Article 61, paragraph (1).

Here in Brazil, unlike in the USA, net neutrality is legislated by a law, the Internet Regulatory Framework. The issue in the USA was regulated through mere interpretation of the law by the Federal Communications Commission. Because of this, the classification of internet access services as a telecommunications service is being questioned in court.

According to the international press, Netflix has entered into a business agreement with one of the owners of telecommunications networks to ensure the flow of data traffic related to its audiovisual content. 

In Brazil, the principle of net neutrality stated in the Internet Regulatory Framework ensures equal treatment in the transportation of data packets between users. That law forbids internet access providers from discriminating data packet traffic. This ensures that the internet environment remains favorable to innovative business models, based on the digital economy.

Without net neutrality, there are greater risks to new digital enterprises and the potential for higher prices to be charged by the owners of the infrastructure networks from internet application providers and the consumers. 

If the principle of net neutrality, expressly stated in the Internet Regulatory Framework, is revoked or modified, there are serious risks to the digital business environment, as well as a cost increase to internet application consumers.

The internet of things, based on the communication between machines, with significant market potential, is a future trend that deserves proper attention by Brazilian legislators. Thus, considering this new reality, the Internet Regulatory Framework may need adjustments. 

To ensure legal certainty in investments in the internet of things, any changes to the Internet Regulatory Framework should be done through a bill.

Decree No. 8771/2016, that regulates the Internet Regulatory Framework, is assertive regarding the exceptional nature of any discrimination or degradation of internet traffic, due to technical requirements essential to the provision of the application’s services or prioritization of emergency services.

Under this argument related to the internet of things, one must know if devices such as automobiles and traffic lights can be connected, as this would be reason enough to be characterized as emergency services prioritization, in this case related to urban traffic, an exceptional case for the flexibility of the net neutrality principle, under the terms of the Decree that regulates the Internet Regulatory Framework. Anyhow, one must only interpret the decrees in accordance with the law, without creating exceptions not stated therein.   

There is another issued to examined. At first glance, there seems to be now legal prohibition to the provision of free data traffic on social networks.  Thus, this business practice does not harm net neutrality, as it does not harm consumers, much less the internet applications providers.

Note that there are similarities and differences in how net neutrality is dealt in Brazil and in the USA. The similarity is due to the greater purpose of ensuring net neutrality to guarantee that it is accessible by all. The difference is in the fact that net neutrality in the USA exists only in a regulatory act by the Federal Communications Commission. Here in Brazil, net neutrality is supported by an actual law, namely, the Internet Regulatory Framework.

Within the Brazilian context, the National Telecommunications Agency (ANATEL) has the power to monitor compliance with the principle of net neutrality, as defined in the Internet Regulatory Framework and the Decree that regulates it. In the USA, however, the FCC created the norm by interpreting the North American laws on this industry.

In sum, the Brazilian Internet Regulatory Framework and the Decree that regulates it represent significant and progressive historical landmarks for Brazilian Law.

Changes to the regulation of the internet to adjust and update it to new demands are possible, of course, by enactment of a new bill. ANATEL, as the regulatory agency of this industry, cannot decide on the matter without proper legal grounds, given the principle of strict legality present in Brazilian Law, unlike law in the USA. The changes to the regulatory policy of net neutrality that may occur in the USA does not necessarily imply changes here in Brazil. Perhaps this matter deserves more reflection and debate within our country. 

---

[1]See: FCC.

[2] FCC Fact Sheet. Restoring Internet Freedom, Declaratory, Report and Ordem, WC Docket n. 17-108.

The US Senate Judiciary Subcommittee on Crime and Terrorism, on October 31, 2017, held a public hearing with the legal representatives of the technology companies Facebook, Google, and Twitter regarding the influence of the Russian government, through third parties, on the 2016 USA Presidential elections.

According to the debates held by the US Senate and the news broadcast by the expert media, the Russian actions were carried out through the purchase of advertisement on Facebook and Google, as well as the creation of fake profiles and the use of robots to spread fake content that stimulated hate speech among the North American voters, causing a divide in the electorate.

For example, there was the sponsoring of controversial content related to racism, immigrants, and guns.  Another accusation was of the hacking of emails and the leak of private and confidential information from the presidential candidate Hillary Clinton. 

The USA senators were seeking solutions for the problem of the influence of Russian government on the elections in the USA. The discussion revolved around the manipulation of democracy and the risks to national security due to the abuse in the use of social networks during the presidential elections. 

The legal representatives of Google, Facebook, and Twitter publicly acknowledged the Russian influence on the USA presidential election.

The technology companies stated that they are adopting transparency measures regarding advertisements on their social media networks. They presented some measures for self-regulation of social media, such as verifying users’ accounts. They showed themselves willing to cooperate with the US Congress to improve the legislation applicable to social media. They also said that they are making investments in intelligence to detect terrorist threats and hate speech on social media networks.

One of the legal representatives mentioned the law passed by the State of California, known as the California Disclose Act, with rules on the transparency of paid ads in digital advertising related to politics, with the identification of the financiers and donors of electoral campaigns. 

The relevance of this theme raised in the USA, from a legal standpoint, involves the regulation of technological platforms such as social media networks and search engines on the Internet. 

Social media and search engines are technology companies that do not produce content, as stated by their legal representatives. Thus, they are not subject to the laws that apply to traditional media: newspapers, magazines, television, and radio. The classical legislation holds mechanisms to balance out the democratic game and electoral disputes, in particular ensuring equal conditions in elections, with rules on the financing of electoral campaigns. 

In any democracy, there are rules to protect the free flow of information and the dissemination of truthful information.  However, in the United States, the misrepresentation of information or fake content was used to manipulate public opinion in the 2016 presidential elections, under foreign influence. Thus, the vulnerability of democracy given the abuse of the technological platforms, and the need for adequate measures to hold accountable the technology companies that have global impact.  

Apparently, the core issue of the public debate is to know if the self-regulation by the technology companies that own these platforms, known as social media networks, is suffice from a democratic perspective. In other words, can the public trust solely on the responsibility of the Big Techs: Google, Facebook and Twitter? 

Or, is it necessary to have new sectoral regulation of social media with rules to avoid abuses of these platforms, and to improve the rules of transparency related to the purchase of ads on social media?

In the latter case, the fundamental need is to balance the tension between legislative regulation of the technology companies and the risk of censorship of the freedom of expression of the users of these platforms. 

First, given the constitutional guarantees of free enterprise, can the government regulate technological platforms?

Second, if this regulation of social media and search engines is possible under the USA Constitution, what is the proper weighted measure between freedom of expression and the protection of democracy?

The business model of these USA technology companies, especially given their market value, is based on the number of users connected to each platform. The greater the number of users of the technological platform, the greater economic value of the company. 

But, although the business model is protected under the guarantee of free enterprise, it is clear that any legislative limitations to the freedom of the technology companies’ business model may be passed to protect other relevant constitutional assets, such as the democratic principle, and to prevent the commitment of unlawful or criminal acts on social media, as well as threats to national security, such as terrorist threats. 

In sum, the matter related to Facebook, Google, and Twitter is on the regulatory frontier between the law and new technologies. It requires an in-depth debate to perceive the best regulatory alternatives to defend democracy. 

This debate on self-regulation and sectoral legislative regulation that is being held in the USA is also necessary here in Brazil, given the perspective of the elections, limits and transparency of digital publicity, national security, consumer privacy and protection.    

______________

*Ericson M. Scorsim is a lawyer specializing in Communications Law at Meister Scorsim Advocacia.

Artigo publicado no portal jurídico Migalhas Internacional em 27/11/2017.

Ericson M. Scorsim

AT&T, a telecommunications company, and Time Warner, a Pay TV programming licensing company, both with headquarters in the United States, required the approval of their merger before CADE, in Brazil.

The purchase by AT&T of Time Warner is taking place in several countries, with repercussions also in Brazil. In Brazil, Time Warner licenses programming channels and Sky is a Pay TV company.

CADE voted unanimously to approve the economic concentration related to the purchase by AT&T of the Time Warner company, grounded on Brazil’s Antitrust Act (Law 12.529/11, article 88).

Another reason given to justify the interference of CADE, in this case, was the General Telecommunications Act that holds an express rule on CADE’s power to examine economic concentration acts in the telecommunications industry, as per article 7, §1, §2 and §3.

The Brazilian Antitrust Authority understood that the corporate acquisition between AT&T and Time Warner does not pose significant risks to competition in the Pay TV market. The competitive analysis examined the licensing/programming markets (upstream market) and the Pay TV services distribution/operation market (downstream market). Thus, the possibility of economic concentration in the Pay TV market under the perspective of Antitrust Law.

Moreover, Reporting Commissioner, Gilvandro Araújo, presented some considerations on the evolution of audiovisual content distribution and production technologies, after the creation of OTT (Over-The-Top) companies, such as Netflix, Amazon, Apple TV, and others.

The Reporting Commissioner also suggested, in his vote, that the legal prohibition of vertical integration between Pay TV segments, established in the Conditioned Access Audiovisual Communication Services Act should be revoked given the evolution of the technologies in that industry.

Commissioner Cristiane Alkin Junqueira Schmidt also suggested that the sectoral regulation should be updated to hold a more flexible rule on the limits between Pay TV channels’ programmers and the Pay TV services’ operators; she also recommended that the corporate transaction under examination be approved without restrictions.

However, the Reporting Commissioner set some conditions in his vote to control the economic concentration, which we will now examine.

One of the obligations is for AT&T to keep Sky Brasil and the Time Warner channel programmers as separate legal entities, each with their own administrative and governance structure.

Another obligation is to offer Time Warner’s programming channels to non-affiliated packers and providers of pay-tv with all the programming channels licensed to Sky, upon non-discriminatory conditions. That is, the Time Warner Pay TV channels must be offered to their Pay TV competitors upon non-discriminatory conditions between the economic agents.

In this regard, the parties committed to the appointment of an independent consultant, responsible for helping CADE to monitor the compliance with the obligations assumed in the agreement signed with CADE for the approval of the merger transaction.

They also established that any conflicts between the channel programmers or the Pay TV services providers not affiliated with AT&T or Sky and the latter will be solved through arbitration.

The Reporting Commissioner’s vote concludes:

“Thus, in my opinion, the approval of this Transaction by CADE does not mean the recognition of the lawfulness of the integration under Article 5 of the Conditioned Access Audiovisual Communication Services Act. If the Agencies claim that such provision has been violated, this will not offend the administrative res judicata formed by CADE’s decision.”

In this respect, it is important to highlight an enlightening excerpt from the vote given by Commissioner Alexandre Barreto de Souza:

“Another key issue seen in this Act of Concentration was the intertwining of antitrust issues with issues of other government agencies. In this sense, the Technical Notes issued by both the National Telecommunications Agency (ANATEL) and the National Agency of Cinema (ANCINE) indicated that the transaction presents evidence of a violation of Article 5 of Law 12,485, of September 12, 2011 (the Conditioned Access Audiovisual Communication Services Act).

It is important to make it clear that the actions of CADE in this Act of Concentration was limited to the antitrust aspects only, without the examination of issues belonging to the jurisdiction of other regulatory agencies.

I also point out that the proposed remedies seek precisely to solve any antitrust problems of the transaction. ANATEL and ANCINE will examine any issues outside the realm of antitrust norms, including possible violations of the Conditioned Access Audiovisual Communication Services Act. Thus, I stress that this merger under examination will require the authorization by the aforementioned agencies for its consummation, according to the respective legal responsibilities of each one.

CADE’s decision on Merger No. 08700.001390/2017-14 reads: “The Plenary unanimously examined and approved the merger, conditioning it to the execution and fulfillment of a Merger Control Agreement (ACC, in its acronym in Portuguese), in accordance with the vote by the Reporting Commissioner.”

At first, CADE understood that the merger between AT&T and Time Warner in the programming and pay-TV operation markets can go through under the perspective of the Brazilian antitrust legislation. However, as remedies to such merger in the Pay TV market, it imposed the conditions mentioned above, to be fulfilled under the Merger Control Agreement.

Subsequently, ANATEL, through its Antitrust Department, must now examine the case under the perspective of the sectoral legislation, in particular, the Conditioned Access Audiovisual Communication Services Act, Law 12.485/11 (Article 5).¹

The focal point is the legal interpretation that ANATEL will give to Article 5 of Law 12485/11, that deals with the limit to the structural division between telecommunications companies and audiovisual content distribution and licensing companies in the Pay TV market.²

There are two possible solutions in the interpretation of the sectoral legislation by ANATEL in the exercise of its legal jurisdiction, regarding the regulation of the audiovisual communication sector.

First, ANATEL may approve the acquisition of Time Warner by AT&T, understanding that it does not violate the Brazilian laws on Pay TV, as there is no offense to Article 5 of said law, which deals with the structural separation between the Pay TV package distribution, programming, and licensing market and the operation of Pay TV services.

Second, in theory, ANATEL may order the structural separation between the telecommunications companies and the Pay TV programming, distribution, and licensing companies, given the possible legal prohibition of vertical integration between the Pay TV distribution, packaging, and programming segments and the Pay TV operations, as per Article 5 of Law 12.485/11. However, in this case, there must be actual evidence that the corporate transaction violates the respective sectoral law.

Therefore, it is possible, in theory, for ANATEL to acknowledge the unlawfulness of the acquisition of Time Warner by AT&T, ordering AT&T to sell the company Sky Brasil to possible interested parties. If Sky is to be sold, such corporate transaction will also have to be submitted to examination by CADE, to verify the lawfulness of such transaction.

On the other hand, we highlight that the aforementioned Article 5 of Law No. 12.485/2011 is the subject of a dispute regarding its legality, in Motions of Unconstitutionality filed before the Brazilian Supreme Court³. However, Reporting Justice Fux voted for the constitutionality of the said legal provision⁴. This case is still pending the final decision on its merit by the Supreme Court, as the trial of the respective motions of unconstitutionality has been suspended. For now, the presumption is of the constitutionality of Article 5 of Law 12.485/11.

Only the Brazilian Congress has the power to pass a law revoking said limit to the corporate interest held by companies in the Pay TV licensing, programming, and distribution segments.

Note that ANCINE also has a say in the matter. Under the terms of the respective law, ANCINE has the power to regulate and monitor the programming and packaging activities.

Note that ANATEL holds the regulatory jurisdiction to interpret Law 12.485/11, as per Article 29, sole paragraph of said law: “Anatel will regulate and inspect the distribution activity.”

Anyhow, ANATEL and ANCINE must coordinate their understanding of the interpretation of the said law, otherwise, there will be conflicts in its legal interpretation, in detriment of legal security in the application of the law.

There is a possible risk of judicialization of the case on the interpretation of the sectoral regulation of the Pay TV market, related to the decisions issued by CADE, ANATEL, and ANCINE, which may decide against the Time Warner’s acquisition by AT&T. Nevertheless, this could lead to the questioning of ANATEL’s jurisdiction to order the sale of the company Sky Brasil, as this type of obligation falls more naturally under the jurisdiction of CADE.

In sum, as well defined by the Brazilian Antitrust Authority (CADE), the acquisition by AT&T, a telecommunications company, of the Time Warner company, which operates in the Pay TV programming market, involves an antitrust matter (requiring the application of Law No. 12,529/2011), as well as the issue of sectoral regulation (interpretation of Article 5 of the Conditioned Access Audiovisual Communication Services Act, Law 12.485/11).

ANATEL and ANCINE will soon issue their opinions on this interesting case related to the interpretation of the Brazilian audiovisual communication law.

____________

1 According to Law 12.485/11.

2 “Article 5. The total and voting capital of sound and sound and image broadcast concessionaires and permittees and producers and programmers with headquarters in Brazil cannot be controlled or belong to collective interest telecommunications companies above the limit of fifty percent, and they must not directly explore such services.

3 On these legal limits to corporate concentration in the Pay Tv services operation and programming markets, See: Scorsim. Ericson M. Communications Law. Telecommunications. Internet. Broadcast TV and Pay TV. Curitiba: Edited by the Author, 2017, Amazon.

4 See: Adis 4.679, 4.759. 4.747 and 4.923 (Motions of Unconstitutionality before the Brazilian Supreme Court).

5 The following Justices accompanied the vote of the Reporting Justice: the recently deceased Teori Zavascki, Rosa Weber, and Edson Fachin. See: Scorsim. Ericson M. Communications Law Themes in the Case Law of the Brazilian Supreme Court. Curitiba: Author’s Edition, 2017. Amazon.

Artigo publicado em 20/11/2017 no Portal Jurídico Migalhas.

http://www.migalhas.com/HotTopics/63,MI269344,81042-CADE+is+examining+the+ATT+and+Time+Warner+Economic+concentration+deal