International Data Flows and State Boundaries

October 2, 2017

State and territory

Since the seventeenth century, the international system has been structured on the ideas of the sovereignty of States and peoples, as well as on the exercise of power limited to a territory. Boundaries imply not only each state's own affirmation, but also a mutual commitment, as a rule, to non-interference in one another. This division, however, is not, and cannot be, hermetic. There are, therefore, specific mechanisms for harmonization, cooperation and extraterritorial expression.

In this context, domestic courts' decisions and national laws apply, in principle, only within the territorial limits defined for the State to which they are bound. The legal basis of an obligation, or the decision that defines it, is restricted to that exercise of power, except where mechanisms confer enforcement beyond the borders. These include bilateral, regional and global treaties of mutual international cooperation, reciprocity agreements, as well as internal rules defined by law. These tools also translate into attempts by the State, limited to its territory, to reach facts, acts and people (individuals or companies) beyond it.

International data transfer

The Internet Era reveals an increasing need to expand, if not overcome, frontiers for effective legal protection. Increasingly intense, rapid and diverse international data flows are the subject of discussions that involve not only the elements of the State itself, but also its international relations, users' rights to data protection, and market interests, which correspond to the transborder exercise of economic power.

Access by state authorities to data stored by private companies on servers abroad is a topic that permeates discussions about the exercise of State power and about the criteria and instruments that make feasible, for example, compliance with judicial orders. The enforcement of decisions beyond the territory is a sensitive theme for the economic, social and, ultimately, global legal order.

In Brazil, although art. 11 of the Civil Registry of Internet determines that Brazilian law applies to situations involving the collection, storage, and processing of data that occur in the country, compliance with decisions ordering data delivery did not receive specific rules. It is thus subject to the general rules of internal law relating to transnational proceedings, as well as to bilateral and regional treaties of mutual cooperation, including in the context of Mercosur. The bill on personal data protection that has been negotiated in the National Congress since 2016 does not innovate in regulating this aspect of international data transfer, leaving it to the “instruments of international law”.

The discussion in the United States

While it is a global governance issue, the debate over the enforcement of US decisions to obtain data stored on servers abroad has drawn attention. Large companies, such as Google and Microsoft, face lawsuits at the federal level over whether they must deliver, based on US court orders, data and information stored in other countries.

The issue has already reached the US Supreme Court, through a case involving Microsoft and the US Department of Justice. State authorities maintain that they need access to the data, even if it is not territorially located in the country. As David Kravets describes, the question is whether the US has the right to data from servers abroad, under what circumstances and by which means. The Supreme Court, however, has not yet decided the case.

Another company that has been involved in legal battles over the issue is Google. Its more recent positions, however, have been interpreted as an acceptance of compliance with orders involving this kind of data. This is because the company stopped challenging warrants for data delivery, which suggests greater adherence to the compliance system, with the delivery of the required information or, at least, without appeals against the decisions. Despite this, there is still tension between the company and state actors, who accuse it of deliberately spreading the data around the world in order to challenge the legal warrants.

Compliance with decisions, as well as the need to reformulate the compliance law for business, are being discussed in the US judiciary, but have not yet been settled. The controversy is also found in attempts by other countries to access such data. It touches upon the essential contexts of the State, how it has come to the present day, the exercise of cross-border power and the non-interference of one sovereign State in another.

The views and opinions expressed in this article are those of the authors and do not necessarily reflect the official policy or position of the Institute for Research on Internet and Society.

Written by

Founder and Directress at the Institute for Research on Internet & Society. LL.M and LL.B at the Federal University of Minas Gerais (UFMG).

Founder of the Study Group on Internet, Innovation and Intellectual Property – GNET (2015). Fellow of the Internet Law Summer School from Geneva’s University (2017), ISOC Internet Governance Training (2019) and the EuroSSIG – European Summer School on Internet Governance (2019).

Interested in areas of Private International Law, Internet Governance, Jurisdiction and Fundamental Rights.
