Professional Documents
Culture Documents
Personality and Data Protection Rights On The Internet: Marion Albers Ingo Wolfgang Sarlet Editors
Personality and Data Protection Rights On The Internet: Marion Albers Ingo Wolfgang Sarlet Editors
Marion Albers
Ingo Wolfgang Sarlet Editors
Personality and
Data Protection
Rights
on the Internet
Brazilian and German Approaches
Ius Gentium: Comparative Perspectives on Law
and Justice
Volume 96
Series Editors
Mortimer Sellers, University of Baltimore, Baltimore, MD, USA
James Maxeiner, University of Baltimore, Baltimore, MD, USA
Editorial Board
Myroslava Antonovych, Kyiv-Mohyla Academy, Kyiv, Ukraine
Nadia de Araújo, Pontifical Catholic University of Rio de Janeiro, Rio de Janeiro,
Brazil
Jasna Bakšic-Muftic, University of Sarajevo, Sarajevo, Bosnia and Herzegovina
David L. Carey Miller, University of Aberdeen, Aberdeen, UK
Loussia P. Musse Félix, University of Brasilia, Federal District, Brazil
Emanuel Gross, University of Haifa, Haifa, Israel
James E. Hickey Jr., Hofstra University, South Hempstead, NY, USA
Jan Klabbers, University of Helsinki, Helsinki, Finland
Cláudia Lima Marques, Federal University of Rio Grande do Sul, Porto Alegre,
Brazil
Aniceto Masferrer, University of Valencia, Valencia, Spain
Eric Millard, West Paris University, Nanterre Cedex, France
Gabriël A. Moens, Curtin University, Perth, Australia
Raul C. Pangalangan, University of the Philippines, Quezon City, Philippines
Ricardo Leite Pinto, Lusíada University of Lisbon, Lisboa, Portugal
Mizanur Rahman, University of Dhaka, Dhaka, Bangladesh
Keita Sato, Chuo University, Tokyo, Japan
Poonam Saxena, University of Delhi, New Delhi, India
Gerry Simpson, London School of Economics, London, UK
Eduard Somers, University of Ghent, Gent, Belgium
Xinqiang Sun, Shandong University, Shandong, China
Tadeusz Tomaszewski, Warsaw University, Warsaw, Poland
Jaap de Zwaan, Erasmus University Rotterdam, Rotterdam, The Netherlands
Ius Gentium is a book series which discusses the central questions of law and
justice from a comparative perspective. The books in this series collect the
contrasting and overlapping perspectives of lawyers, judges, philosophers and
scholars of law from the world’s many different jurisdictions for the purposes of
comparison, harmonisation, and the progressive development of law and legal
institutions. Each volume makes a new comparative study of an important area of
law. This book series continues the work of the well-known journal of the same
name and provides the basis for a better understanding of all areas of legal science.
The Ius Gentium series provides a valuable resource for lawyers, judges,
legislators, scholars, and both graduate students and researchers in globalisation,
comparative law, legal theory and legal practice. The series has a special focus on
the development of international legal standards and transnational legal
cooperation.
This Springer imprint is published by the registered company Springer Nature Switzerland AG
The registered company address is: Gewerbestrasse 11, 6330 Cham, Switzerland
Contents
v
vi Contents
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 485
Editors and Contributors
vii
viii Editors and Contributors
Contributors
Anderson Schreiber Faculty of Law, Rio de Janeiro State University (UERJ), Rio
de Janeiro, Brazil
Wolfgang Schulz Leibniz-Institute for Media Research | Hans Bredow-Institut,
Hamburg, Germany
Raoul-Darius Veit University of Hamburg, Hamburg, Germany
Rafael A. F. Zanatta University of São Paulo, São Paulo, Brazil
Personality and Data Protection Rights
on the Internet: Introduction
Abstract This article gives a brief overview of the development of the Internet and
the rise of the onlife world. As a socio-technical arrangement, the Internet is both a
factor in and a product of modern society and comes together with fundamental social
change. The legal challenges emerging with the Internet involve fundamental issues
up to and including the question of what exactly the law is. They comprise cross-
sectional issues such as the declining relevance of the territorial borders of nation
states for applying and enforcing law. Last but not least, manifold legal questions in
particular areas arise. Legal answers must be Internet-specific to a certain extent, but
must also build on to or at least be coordinated with established legal solutions. As
communication on the Internet always includes datafication, among the pressing legal
problems is the handling of personal data and how to advance personality and data
protection rights. The contributions to this volume are dedicated to key questions,
ranging from the urgent need for transnational standards or convincing enforce-
ment mechanisms for regionally established data protection rights up to problems of
surveillance, forgetting on the Internet, regulation of intermediaries, anonymity, the
digital estate or algorithmic discrimination.
We are grateful for the support of the DAAD (Deutscher Akademischer Austauschdienst) and
CAPES (Comissão de Aperfeiçoamento de Pessoal de Ensino Superior) for the Academic Exchange
and Research PROBRAL Project ’Internet Regulation and Internet Rights’ conducted by the Pontif-
ical Catholic University Porto Alegre, Brazil (PUCRS) and the University of Hamburg (Germany)
and coordinated by us both. This book is one of the outcomes of this project. We would also like
to thank Matthew Harris and Sandra Lustig for their help and constructive comments during the
process of editing this article and several other contributions in this volume.
M. Albers
University of Hamburg, Hamburg, Germany
e-mail: marion.albers@uni-hamburg.de
I. W. Sarlet (B)
Pontifical Catholic University of Rio Grande do Sul–Law School (PUCRS), Porto Alegre, Brazil
the vision of a system of networked computers and things that operate relatively autonomously,
especially when it comes to data processing.
4 Cf., for example, the contributions in Leenes, van Brakel, Gutwirth and de Hert (2018) and
Matwyshyn (2019).
5 For this term see Mayer-Schönberger and Cukier (2013), pp. 23 f., 101.
6 Edward Snowden’s revelations about intelligence surveillance are a vivid example.
Personality and Data Protection Rights on the Internet … 3
2 Internet Regulation
The early days of the Internet gave rise to the idea that it is a law-free space.13 But
legal regulation has always existed in certain respects, for example with regard to the
establisment and operation of telecommunications infrastructures and networks. And
since the development of Web 2.0 and the increasing embeddedness of the Internet
in society, the extent of the need for regulation has become crystal clear. Just as
in “offline” cases, the law must guarantee legal frameworks and conflict resolution
in cases involving the Internet. This is why the Brazilian Marco Civil da Internet14
has attracted international attention.15 Looking at the features of the Internet and
the social arrangements made possible by it, legal regulation is facing numerous
unprecedented questions. On the one hand, novel approaches must be elaborated. On
the other hand, Internet cases do not require completely novel regulations in every
respect. Although the emerging legal issues may be Internet-specific to a certain
extent, they can at the same time build upon established legal solutions; they must
at least be coordinated with them. Consequently, the core of legal considerations
involves the questions whether, where, and to what extent particular cases are shaped
by features of the Internet in a legally relevant way, to what extent novel solutions
tailored to these characteristics are necessary, and what the relevant concepts could
be.
If we examine the challenges emerging with the Internet, we can, firstly, identify
fundamental and cross-sectional issues. From various points of view, the Internet
leads straight to the necessity to revisit the notion of “law.” Detailed fundamental
questions regarding how the law is to be understood present themselves when
decision-making processes are being driven by sophisticated software programs. In
addition, the problem of how to ensure normative requirements are observed in these
programs and decision-making processes must be solved as well. The ethical and
legal discussions on autonomously driven cars are an illustrative example. Turning
to the cross-sectional issues, it is particularly relevant due to the rise of the Internet
society that physical national borders are losing importance. Activities on the Internet
cross borders, whether in terms of the routes taken by the data packets transmitted
or in tems of server locations on the one hand and retrieval locations on the other.
Novel answers have to be developed concerning what criteria the applicability of
national or supranational law is based on and how to ensure the enforceability of the
applicable law. It is, among other things, in this context that the European Court of
13 Cf. Barlow (1996): “Governments of the Industrial World, you weary giants of flesh and steel,
I come from Cyberspace, the new home of Mind. On behalf of the future, I ask you of the past to
leave us alone. You are not welcome among us. […] We are forming our own Social Contract”.
14 Lei no 12.965/2014.
15 On the Brazilian Marco Civil da Internet see, among others, Leite and Lemos (2014); Souza,
Lemos and Bottino (2018); and Del Masso, Abrusio and Florêncio Filho (2019).
Personality and Data Protection Rights on the Internet … 5
Justice’s key decision Google Spain and Google of 2014 has been discussed interna-
tionally.16 Other high-profile decisions address the question of the prerequisites that
must be met for the transfer of personal data from the European Union to the US; in
the opinion of the European Court of Justice, EU law establishes requirements that
neither the Safe Harbor Agreement nor its successor, the Privacy Shield Agreement,
have fulfilled.17
In addition to fundamental and cross-sectional issues, there are, secondly,
numerous novel legal questions in fields that are closely related to the Internet or
are particularly influenced by its features. At the infrastructure level, questions of
access of competing providers to networks or of net neutrality are discussed as well
as problems of IT security. At the level of Internet services, attention was initially
focused especially on the legal responsibility of providers for their own or user-
generated content. With the further development of the Internet, the list of questions
is becoming endless. They range from the the civil law and consumer protection
issues raised by e-commerce or a shareconomy to the regulation of public commu-
nication with regard to hate speech or the use of social bots for the purpose of
manipulating public opinion. How search engine, platform and social network oper-
ators should be regulated appropriately, among other things in the area of conflict
between freedom of expression and protection of personality rights, is the subject of
heated legal controversies.18 Models such as the German Network Enforcement Act
are attracting attention across the globe.19
Across all areas, new legal problems center on the handling of data. This is obvious,
because communication on the Internet always includes “datafication.” Here too, the
list of legal issues is exploding and broadly diversified. Important aspects concern
society’s dependence on the Internet infrastructure and the resulting vulnerability.
Hazards are to be countered by multi-layered protection measures against failures
or attacks. Processing and using data as a basis for information and knowledge must
also be addressed from a variety of perspectives. The constructions of social and indi-
vidual knowledge created by search engines may be influenced by the control of the
general terms and conditions search engine providers are using as well as by antitrust
or competition law requirements aiming for plurality. The catchword “governing
16 The ECJ has ruled that the search engine result lists produced by Google are within the scope of
application of the European Data Protection Directive because the search engine business model is
inseparably linked to the placement of advertising, so that the processing of personal data resulting
from a search is carried out within the framework of the marketing activities of the Spanish branch
of Google Inc. based in the USA, Judgment of the ECJ (Grand Chamber) of 13 May 2014, C-131/12,
available under curia.europa.eu, para 55 ff.
17 As for the Safe Harbor Agreement: Judgment of the ECJ (Grand Chamber) of 6 October 2015, C-
362/14; for the Privacy Shield Agreement: Judgment of the ECJ (Grand Chamber) of 16 July 2020,
C-311/18, both available under curia.europa.eu. See also more closely on enforcement mechanisms
with regard to the GDPR Veit (2022), in this volume.
18 Cf. Schreiber (2022), in this volume; Hartmann (2022), in this volume.
19 See more closely Schulz (2022), in this volume.
6 M. Albers and I. W. Sarlet
20 From the extensive discussions see, for example, Gillespie (2014), pp. 167 ff.; Ziewitz (2016),
pp. 5 ff. See also Mendes and Mattiuzzo (2022), in this volume.
21 On this issue differentiated and with critical remarks Determann (2018).
22 Sicari et al. (2018), pp. 60 ff.
23 See also the definition of Ferraris et al. (2013), p. 32.
24 More closely Elmer (2004); the contributions in: Hildebrandt and Gutwirth (2008); Schermer
ff.
26 Christl (2017).
27 Zuiderveen Borgesius and Poort (2017), pp. 347 ff., 521.
28 See Albers (2022), in this volume; Molinaro and Ruaro (2022), in this volume.
Personality and Data Protection Rights on the Internet … 7
There are numerous other issues to be addressed. The Internet and the social
arrangements it makes possible not only raise the problem of a “right to be forgot-
ten”29 but also of how to manage the problem of “digital assets” that persists in social
media accounts. Do we need new legal approaches to protect the rights of deceased
persons, or can we work with existing regulatory patterns?30 Among the difficult and
controversially discussed questions is also whether there must be a highly protected
right to anonymity on the Internet, or whether and under what conditions legislation
could introduce a duty for people to use their own birthname.31 And do data protec-
tion principles offer anticipatory or procedural standards for the design of relevant
algorithms that go beyond a control of results?32
Against this background, the contributions in this volume deal with the key ques-
tion of how personality and data protection rights on the Internet must be further
developed.33 New fundamental problems are addressed as well as cross-sectional
and specific issues.
A first fundamental problem is the urgent need for transnational standards for
personality and data protection rights on the one hand, while on the other hand it
seems to be difficult, if not impossible, to reach a consensus on such standards, given
the diverse legal cultures in the regions of the world. In the second contribution of
this volume, Markus Kotzur deals with the key research question of whether or not
certain personality or privacy rights and doctrinal figures such as the “duty to protect”
or the “horizontal dimension of fundamental rights,” which have been developed
at the level of international or European Union law—in particular by court deci-
sions—can be used to develop sufficiently universal standards for effective Internet
governance.34 He emphasizes that the problems of agreeing on overarching standards
reflect the deeper problem that there is no incontested conceptualization of “privacy”
and, in addition, Internet and social media have made it even more difficult to deter-
mine what “privacy” means. The traditional dichotomy between the private and the
public sphere, which has characterized the concept to a certain extent, however, has
always been only an ideal type. It is necessary to assume the existence of a spectrum
“composed of the in-betweens,” which diversifies into different constellations. At
the same time, we must acknowledge several dimensions of protection, above all,
besides rights of defense that are traditionally recognized also third-party effects and
29 On this topic Sarlet (2022), in this volume; Schimke (2022), in this volume.
30 See Bezerra Sales Sarlet (2022), in this volume; Heidrich (2022), in this volume.
31 As for the problems of anonymity on the Internet see Aftab (2022), in this volume; Michael
duties to protect. Markus Kotzur analyzes specific features of privacy protection both
within the state, here with regard to the German Basic Law [Constitution], as well as
beyond the state, looking at the European Convention of Human Rights (ECHR), the
Charter of Fundamental Rights of the European Union and Universal Public Law and
Human Rights Law. He highlights that, even though universal minimum standards
of protection can and have to be created, we should not disregard the importance of
the underlying legal fabric that concretizes the individual’s rights and the necessity
of “law-in-context studies” while carrying out comparative work.
Danilo Doneda and Rafael Zanatta approach Brazilian protection of personality
and data protection rights with a view to their historical roots.35 Nowadays, the Marco
Civil da Internet and the recent General Data Protection Law (LGPD) form the back-
bone of the Brazilian legal framework for the society in the digital era.36 However,
they do not cover only new topics such as net neutrality or intermediary liability
and are not only influenced by European models of data protection. In particular, the
provisions of the LGPD also refer to a previously existing fragmented set of Brazilian
legislation which was created over many years. This body of legislation has itself
often been inspired by European legal traditions, among others the Portuguese and
German legal traditions. The establishment of personality and data protection rights
was advanced by, for example, the Brazilian Civil Code, the Brazilian Constitution
of 1988, and consumer protection rules. Danilo Doneda and Rafael Zanatta high-
light that, on the one hand, it is always important to understand the links between
the doctrine and tradition of personality rights as well as of other already established
protective rules and new data protection legislation. On the other hand, it is necessary
to respond to new challenges raised by the Internet and to strive for harmonization
with international and transnational standards on data protection.
Just like Brazil, the Europan Union is constantly renewing its legal framework
for data protection in the light of an increasingly digitized society. Since the Charter
of Fundamental Rights of the European Union (CFR) came into effect in 2009, the
catalogue of fundamental rights offers, in addition to the right to respect for private
life in Article 7 CFR, a right to the protection of personal data in Article 8 CFR. Jörn
Reinhardt takes a closer look at this right,37 especially because challenges to the
protection of personal data arise not only from state action, but also from the inherent
logic of the data economy. He stresses that Article 8 CFR includes certain conditions
the processing of personal data must fulfill in order to be lawful, for example the
principle of purpose limitation. Nevertheless, the protected interests behind the “right
to the protection of personal data” remain insufficiently defined and must be further
specified, not least with a view to other freedoms. Since data protection cannot be
limited to one specific goal, the protection requirements vary. After having clarified
positive obligations and horizontal effects in the context of Article 8 CFR, Jörn
Reinhardt works out central standards for data processing in the digital economy.
These standards include consent and control, protective legislation built upon an
curia.europa.eu. For critical remarks see, for example, Masing (2017), esp. pp. 442 ff. For the
Brazilian discussion see Branco (2017), Sarlet and Ferreira Neto (2018) and Frajhof (2019).
10 M. Albers and I. W. Sarlet
an exceptional degree. And for this very reason, the problem is not new—it is a fine
example of the finding that legal responses to novel challenges must partly build upon
previous approaches and partly find new solutions. This is also confirmed by recent
judgments issued by the German FCC on the “right to be forgotten.”41 Regarding
Brazilian law, Ingo Sarlet addresses the potential foundations of a “right to be forgot-
ten” in the Brazilian constitutional system and partial legislative expressions as well
as its acknowledgment and protection by the Brazilian superior courts. He explains
that there are “offline” as well as “online”-cases. The right to be forgotten already
has a rich history, but the Internet raises questions of its own, not least because inter-
mediaries and algorithms enter the picture. Ingo Sarlet emphasizes that the “right to
be forgotten” covers a range of subjective positions, e.g., a right to data erasure, to
de-referencing, to a digital response, or to the suppression of identity. Differentiation
and balancing conflicting rights is as necessary as careful regulation by the legis-
lator.42 In her contribution focusing on EU and German law, Anna Schimke aims at
contextualizing the right to be forgotten in terms of the insights of social and cultural
sciences, in order to improve legal approaches. Forgetting on the Internet refers to a
collective dimension or to communication and to information and knowledge rather
than to data: particular knowledge about a person which could previously have been
lawfully acquired should no longer exist in a certain social context. A closer analysis
shows that cases involving such problems had already come up in the European and
German jurisdictions, as well as in Brazil, before the Internet entered the picture.
Anna Schimke emphasizes that they are dealt with in various fields of law, not only in
data protection law but also in press law. She proposes that the areas of application
of these fields of law be determined with a view to their characteristics and strengths
and with recourse to the so-called media privilege, which can be found in European
and German law and also in Brazilian law. This helps to reasonably elaborate the
right to be forgotten and the range of subjective positions and claims that can be
developed as differentiated in European and German law as Ingo Sarlet has worked
out for Brazilian law. Such an approach also helps to develop a convincingly fair
balance with counter-interests.43
The following articles turn more closely to questions concerning conflicts between
personality and data protection rights on the Internet and communication freedoms,
especially the freedom of expression. Carlos Affonso Pereira de Souza and Beatriz
Laus Marinho Nunes explain the significant and multifarious role freedom of expres-
sion was given in the Brazilian Marco Civil da Internet. The constitutional founda-
tions are already multifaceted and rich in content. Depending on the context in which
reference is made to freedom of expression in the Marco Civil da Internet, particular
facets and impacts come into play. This is substantiated with regard to the founda-
tions of Internet governance in Brazil, to the principles for regulating Internet use, in
particular as regards anonymous discourse, to the conditions for the full exercise of
41 Judgments of the FCC of 6 November 2019, 1 BvR 16/13 and 1 BvR 276/17, both also available
in English under www.bundesverfassungsgericht.de.
42 Sarlet (2022), in this volume.
43 Schimke (2022), in this volume.
Personality and Data Protection Rights on the Internet … 11
44 Affonso Pereira de Souza and Laus Marinho Nunes (2022), in this volume.
45 Schreiber (2022), in this volume.
46 Hartmann (2022), in this volume.
47 Schulz (2022), in this volume.
12 M. Albers and I. W. Sarlet
All these contributions addressing concrete challenges for personality and data
protection rights on the Internet show that legal solutions are and must be, at least
to a certain extent, embedded in the legal culture and the specific legal system of
a particular country. But what about the cross-border flow of data as an essential
characteristic of the Internet society?
In the last article of this volume, Raoul-Darius Veit analyzes the mechanisms
of the European General Data Protection Regulation which aim at ensuring that
data protection rights guaranteed in the European Union are also safeguarded on the
global Internet. The challenges being faced by data protection law in particular are
obvious. After having explained the jurisdiction of the ECJ which culminated in the
recent decision on the Privacy Shield Agreement,52 Raoul-Darius Veit explains the
external dimension of the EU data protection regime in detail. The effects doctrine
(Marktortprinzip) has direct extraterritorial effects, while the principles regulating
data transfer to third countries result in indirect extraterritorial effects. Their core is
the adequacy regime whose guidelines and flexibilities are worked out. Raoul-Darius
Veit highlights the finding that modern data protection laws need to be designed in
such a way that they are open to conflicting notions of privacy and political and
economic interests, while at the same time maintaining their normative claim.
References
Affonso Pereira de Souza C, Laus Marinho Nunes B (2022) Brazilian Internet Bill of Rights: the
five roles of freedom of expression. In: Albers M, Sarlet IW (eds) Personality and data protection
rights on the internet. Springer, Dordrecht, Heidelberg, New York, London (in this volume)
Aftab S (2022) Online anonymity—the Achilles’-heel of the Brazilian Marco Civil da Internet.
In: Albers M, Sarlet IW (eds) Personality and data protection rights on the internet. Springer,
Dordrecht, Heidelberg, New York, London (in this volume)
Albers M (2016a) Grundrechtsschutz und Innovationserfordernisse angesichts neuartiger Einblicke
und Eingriffe in das Gehirn. In: Lindner J (ed) Die neuronale Selbstbestimmung des Menschen:
Grundlagen und Gefährdungen. Nomos, Baden-Baden, pp 63–97
Albers M (2016b) A Complexidade da Proteção de Dados. Rev Brasiliera Direitos Fundamentais
Justiça 10(35):19–45
Albers M (2022) Surveillance and data protection rights: data retention and access to telecommuni-
cations data. In: Albers M, Sarlet IW (eds) Personality and data protection rights on the internet.
Springer, Dordrecht, Heidelberg, New York, London (in this volume)
Andresen M (2018) Von Cyborgs und Brainhacks: Der Schutz des technisierten Geistes. In: Albers
M, Katsivelas I (eds) Recht & Netz, Nomos, Baden-Baden, pp 491–518
Ashton K (1999) That “Internet of Things” Thing. RFID J. http://www.itrco.jp/libraries/RFIDjo
urnal-That%20Internet%20of%20Things%20Thing.pdf. Accessed 11 Jan. 2022
Barlow JP (1996) A declaration of the independence of cyberspace. https://www.eff.org/cybers
pace-independence. Accessed 11 Jan. 2022
Bosco F, Creemers N, Ferraris V, Guagnin D, Koops B-J (2015) Profiling technologies and funda-
mental rights and values: regulatory challenges and perspectives from European data protection
52Judgment of the ECJ (Grand Chamber) of 16 July 2020, C-311/18, available under
curia.europa.eu.
14 M. Albers and I. W. Sarlet
authorities. In: Gutwirth S, Leenes R, de Hert P (eds) Reforming European data protection law.
Springer, Dordrecht, Heidelberg, New York, London, pp 3–33
Branco S (2017) Memória e Esquecimento na Internet. Arquipélago Editoral Ltda, Porto Alegre
Christl W (2017) How companies use personal data against people. Automated disadvantage,
personalized persuasion, and the societal ramifications of the commercial use of personal infor-
mation. Working paper by cracked labs, https://crackedlabs.org/dl/CrackedLabs_Christl_Data
AgainstPeople.pdf. Accessed 11 Jan. 2022
Del Masso FD, Abrusio J, Florêncio Filho MA (2019) Marco Civil da Internet: Lei 12;965/2014.
Thomson Reuters do Brasil, Sâo Paulo
Determann L (2018) No one owns data. Hastings Law J 70(1):1–44
Doneda D, Zanatta RAF (2022) Personality rights in Brazilian data protection law: a historical
perspective. In: Albers M, Sarlet IW (eds) Personality and data protection rights on the internet.
Springer, Dordrecht, Heidelberg, New York, London (in this volume)
Elmer G (2004) Profiling machines: mapping the personal information economy. MIT Press,
Cambridge, MA
Ferraris V, Bosco F, Cafiero G, D’Angelo E, Suloyeva Y (2013) Defining profiling. Working paper
in the project protecting citizens’ rights fighting illicit profiling. http://www.unicri.it/special_t
opics/citizen_profiling/PROFILINGproject_WS1_definition_0208.pdf. Accessed 3 June 2020
Floridi L (2015) The onlife manifesto: being human in a hyperconnected era. Springer, Cham,
Heidelberg, New York, Dordrecht, London
Frajhof IZ (2019) O Direito ao Esquecimento na Internet: Conceito, Aplicação e Controvérsias.
Almedina, Coimbra
Fuchs C (2008) Internet and society: social theory in the information age. Routledge, New York
Gillespie T (2014) The relevance of algorithms. In: Gillespie T, Boczkowski P, Foot K (eds) Media
technologies. MIT Press, Cambridge MA, pp 167–193
Hartmann IA (2022) Self-regulation in online content platforms and the protection of personality
rights. In: Albers M, Sarlet IW (eds) Personality and data protection rights on the internet.
Springer, Dordrecht, Heidelberg, New York, London (in this volume)
Heidrich F (2022) The digital estate in the conflict between the right of inheritance and the protection
of personality rights. In: Albers M, Sarlet IW (eds) Personality and data protection rights on the
internet. Springer, Dordrecht, Heidelberg, New York, London (in this volume)
Hildebrandt M, Gutwirth S (eds) (2008) Profiling the European citizen: cross-disciplinary
perspectives. Springer, Dordrecht
Hildebrandt M (2016) Smart technologies and the end(s) of law: novel entanglements of law and
technology. Edward Elgar, Cheltenham and Northampton
Hinman LM (2008) Searching ethics: the role of search engines in the construction and distribution
of knowledge. In: Spink A, Zimmer M (eds) Web search: multidisciplinary perspectives. Springer,
Berlin, Heidelberg, pp 67–76
Introna LD, Nissenbaum H (2006) Shaping the web: why the politics of search engines matters. Inf
Soc 16(3):169–185
Koops B-J (2013a) On decision transparency, or how to enhance data protection after the computa-
tional turn. In: Hildebrandt M, de Vries K (eds) Privacy, due process and the computational turn:
the philosophy of law meets the philosophy of technology. Routledge, New York, pp 196–220
Koops B-J (2013b) Concerning “humans” and “human” rights. Human enhancement from the
perspective of fundamental rights. In: Koops B-J et al (eds) Engineering the human. Human
enhancement between fiction and fascination. Springer, Berlin, Heidelberg, pp 165–182
Katsivelas I (2018) Das Geschäft mit der Werbung: Finanzierungsmechanismen, personalisierte
Werbung und Adblocker. In: Albers M, Katsivelas I (eds) Recht & Netz, Nomos, Baden-Baden,
pp 207–248
Kotzur M (2022) Privacy protection in the world wide web—legal perspectives on accomplishing
a mission impossible. In: Albers M, Sarlet IW (eds) Personality and data protection rights on the
internet. Springer, Dordrecht, Heidelberg, New York, London (in this volume)
Personality and Data Protection Rights on the Internet … 15
Leenes R, van Brakel R, Gutwirth S, de Hert P (eds) (2018) Data protection and privacy: the internet
of bodies. Hart Publishing, Oxford
Leite GS, Lemos R (2014) Marco Civil da Internet. Atlas, São Paulo
Masing J (2017) Assessing the CJEU’s “Google decision”: a tentative first approach. In: Miller
RA (ed) Privacy and power: a translantic dialogue in the shadow of the NSA-affair. Cambridge
University Press, Cambridge, New York, pp 435–456
Mayer-Schönberger V, Cukier K (2013) Big Data: Die Revolution, die unser Leben verändern wird,
2nd edn. Redline, München
Matwyshyn AM (2019) The internet of bodies, 61 Wm. & Mary L. Rev. 77. https://scholarship.law.
wm.edu/wmlr/vol61/iss1/3. Accessed 11 Jan. 2022
Mendes LS, Mattiuzzo M (2022) Algorithms and discrimination: the case of credit scoring in Brazil.
In: Albers M, Sarlet IW (eds) Personality and data protection rights on the internet. Springer,
Dordrecht, Heidelberg, New York, London (in this volume)
Michael L (2022) The impact of jurisdiction and legislation on standards of anonymity on the
internet. In: Albers M, Sarlet IW (eds) Personality and data protection rights on the internet.
Springer, Dordrecht, Heidelberg, New York, London (in this volume)
Molinaro CA, Ruaro RL (2022) Privacy protection with regard to (tele-)communications surveil-
lance and data retention. In: Albers M, Sarlet IW (eds) Personality and data protection rights on
the internet. Springer, Dordrecht, Heidelberg, New York, London (in this volume)
O’Reilly T (2005) What is Web 2.0: design patterns and business models for the next generation of
software. https://www.oreilly.com/pub/a/web2/archive/what-is-web-20.html. Accessed 11 Jan.
2022
Pariser E (2011) The filter bubble: what the internet is hiding from you. Penguin, London, New
York
Reinhardt J (2022) Realizing the fundamental right to data protection in a digitized society. In: Albers
M, Sarlet IW (eds) Personality and data protection rights on the internet. Springer, Dordrecht,
Heidelberg, New York, London (in this volume)
Sarlet GBS (2022) Digital identity and the problem of digital inheritance: limits of the posthumous
protection of personality on the internet in Brazil. In: Albers M, Sarlet IW (eds) Personality and
data protection rights on the internet. Springer, Dordrecht, Heidelberg, New York, London (in
this volume)
Sarlet IW, Ferreira Neto A (2018) O Direito ao Esquecimento na Sociedade da Informação. Livraria
do Advogado Editora, Porto Alegre
Sarlet IW (2022) The protection of personality in the digital environment: an analysis in the light
of the so-called right to be forgotten in Brazil. In: Albers M, Sarlet IW (eds) Personality and data
protection rights on the internet. Springer, Dordrecht, Heidelberg, New York, London (in this
volume)
Schermer B (2013) Risks of profiling and the limits of data protection law. In: Custers B, Calders T,
Schermer B, Zarsky T (eds) Discrimination and privacy in the information society: data mining
and profiling in large databases. Springer, Berlin, Heidelberg, pp 137–152
Schimke A (2016) Vergessen als neue Kategorie im Recht. In: Autengruber A et al (eds) Zeit im
Recht—Recht in der Zeit. Jan Sramek, Wien, pp 87–104
Schimke A (2022) Forgetting as a social concept. Contextualizing the right to be forgotten. In: Albers
M, Sarlet IW (eds) Personality and data protection rights on the internet. Springer, Dordrecht,
Heidelberg, New York, London (in this volume)
Schreiber A (2020) Right to privacy and personal data protection in Brazilian law. In: Moura Vicente
D, de Vasconcelos Casimiro S (eds) Data protection in the internet. Springer Nature, Cham, pp
45–54
Schreiber A (2022) Civil rights framework of the internet (BCRFI; Marco Civil da Internet):
advance or setback? Civil liability for damage derived from content generated by third party.
In: Albers M, Sarlet IW (eds) Personality and data protection rights on the internet. Springer,
Dordrecht, Heidelberg, New York, London (in this volume)
16 M. Albers and I. W. Sarlet
Schulz W (2022) Regulating intermediaries to protect privacy online—the case of the German
NetzDG. In: Albers M, Sarlet IW (eds) Personality and data protection rights on the internet.
Springer, Dordrecht, Heidelberg, New York, London (in this volume)
Sicari S, Rizzardi A, Cappiello C, Miorandi D, Coen-Porisini A (2018) Toward data governance
in the Internet of Things. In: Yager RR, Pascual Espada J (eds) New advances in the Internet of
Things. Springer International Publishing, Cham, pp 59–74
Souza CA, Lemos R, Bottino C (2018) Marco Civil da Internet. Jurisprudência Comentada, Revista
dos Tribunais, São Paulo
Tavani H (2020) Search engines and ethics. Stanford Encycl Philos. https://plato.stanford.edu/ent
ries/ethics-search/. Accessed 11 Jan. 2022
Veit, RD (2022) Safeguarding regional data protection rights on the global internet—The European
approach under the GDPR. In: Albers M, Sarlet IW (eds) Personality and data protection rights
on the internet. Springer, Dordrecht, Heidelberg, New York, London (in this volume)
Ziewitz M (2016) Governing algorithms: myth, mess, and methods. Sci Technol Human Values
41:3–16
Zuiderveen Borgesius F, Poort J (2017) Online price discrimination and EU data privacy law. J
Consum Policy 40:347–366
Marion Albers Dr. iur, Full Professor of Public Law, Information and Communication
Law, Health Law and Legal Theory at Hamburg University. Principal Investigator in the
Brazilian/German CAPES/DAAD PROBRAL-Research Project “Internet Regulation and Internet
Rights”. Main areas of research: Fundamental Rights, Information and Internet Law, Data
Protection, Health Law and Biolaw, Police Law and Law of Intelligence Services, Legal Theory
and Sociology of Law. Selected Publications: Recht & Netz: Enwicklungslinien und Prob-
lemkomplexe, in: Marion Albers/Ioannis Katsivelas (eds.), Recht & Netz, Baden-Baden: Nomos,
2018, pp. 9–35; L’effet horizontal des droits fondamentaux dans le cadre d’une conception à
multi-niveaux, in: Thomas Hochmann/Jörn Reinhardt (dir.), L’effet horizontal des droits fonda-
mentaux, Editions Pedone, Paris, 2018, pp. 177–216; Biotechnologies and Human Dignity,
in: Dieter Grimm/Alexandra Kemmerer/Christoph Möllers (eds.), Human Dignity in Context,
München/Oxford/Baden-Baden: C. H. Beck/Hart/Nomos, 2018, pp. 509–559, also published
in Revista Direito Público, Vol. 15 (2018), pp. 9–49; A Complexidade da Proteção de Dados,
Revista Brasiliera de Direitos Fundamentais e Justiça, Belo Horizonte, ano 10, n. 35, 2016,
pp. 19–45.
Markus Kotzur
Abstract The paper aims at evaluating the power of law, in particular human rights
law, amongst the various instruments being recently discussed as means for effective
internet governance. Focusing on selected case law of the European Court of Justice
(ECJ) and the European Court of Human Rights (ECR), it discusses privacy rights, a
“right to be forgotten”, and a horizontal dimension of these rights as well as a duty to
protect these rights owed by the States and/or the International Community. The key
research question will be whether or not guarantees like these can—bottom-up—be
used to develop sufficiently universal standards for effective internet governance.
It is argued that regardless of the different levels of protection which the right to
privacy enjoys in different States and on the European/international plane, common
needs and dangers can be identified. Based upon them, universal minimum stan-
dards of protection can and have to be created. For a theoretical framing, the paper
finally addresses the so-called “public–private”-dichotomy and the rapid dynamics
it is facing in the age of the Internet.
M. Kotzur (B)
University of Hamburg, Hamburg, Germany
e-mail: markus.kotzur@uni-hamburg.de
provided by the safe harbour privacy principles and related frequently asked questions issued
by the US Department of Commerce.1
The 2015 request had been made in the context of proceedings between him and the
Irish Data Protection Commissioner. It concerned the latter’s refusal to investigate
a complaint made by the applicant regarding the fact that Facebook Ireland Ltd
transferred personal data of its users to the United States of America and kept it on
servers located in that country.2 From August 2011 on, Schrems had lodged before
the Irish Data Protection Commissioner 23 complaints against Facebook Ireland, one
of which finally gave rise to a reference for the aforementioned preliminary ruling.
What seemed to be a “mission impossible” turned out to become one of the most
far-reaching recent landmark decisions of the European Court of Justice. Schrems
won his case and the Court held that
Article 25(6) of Directive 95/46/EC of the European Parliament and of the Council of
24 October 1995 on the protection of individuals with regard to the processing of personal
data and on the free movement of such data as amended by Regulation (EC) No 1882/2003
of the European Parliament and of the Council of 29 September 2003, read in the light of
Articles 7, 8 and 47 of the Charter of Fundamental Rights of the European Union, must be
interpreted as meaning that a decision adopted pursuant to that provision, such as Commis-
sion Decision 2000/520/EC of 26 July 2000 pursuant to Directive 95/46 on the adequacy of
the protection provided by the safe harbour privacy principles and related frequently asked
questions issued by the US Department of Commerce, by which the European Commis-
sion finds that a third country ensures an adequate level of protection, does not prevent a
supervisory authority of a Member State, within the meaning of Article 28 of that directive
as amended, from examining the claim of a person concerning the protection of his rights
and freedoms in regard to the processing of personal data relating to him which has been
transferred from a Member State to that third country when that person contends that the law
and practices in force in the third country do not ensure an adequate level of protection.3
An unlimited safe harbor-doctrine was history and data protection activists around
the globe had a new hero. His success made Maximilian Schrems even more active.
He has published two books on his legal proceedings against alleged infringements
of data protection. He has offered manifold lectures and has registered a number of
Internet websites such as blogs, online petitions as well as crowd-funding sites to
finance more upcoming legal proceedings against Facebook.4 He has furthermore
founded an association which seeks to uphold the fundamental right to data protection
and he has received various prizes. The little vs. big-story continued when Schrems,
by now a Robin Hood-like public figure defending private individuals against the
privacy-intrusive internet giants, has had assigned to him, by more than 25 000
people worldwide, claims to be brought in a class action against undertakings which
potentially endanger the fundamental right to privacy by their (online) activities.5
1 ECLI:EU:C:2015:650, para 1.
2 Ibidem, para 2.
3 Ibidem.
4 ECLI:EU:C:2018:37, para 12. Recently Schrems succeeded in another landmark decision:
Data Protection Commissioner versus Facebook Ireland Limited and Maximillian Schrems,
ECLI:EU:C:2020:559.
5 ECLI:EU:C:2018:37, para 14.
Privacy Protection in the World Wide Web—Legal Perspectives … 19
The Court, however, denied the option of a class action brought by a consumer in the
courts of the place where she or he is domiciled. Whilst, as usually in its jurisprudence,
taking individual (consumer) rights seriously,7 the Court did not want to go that far
and invent a judge-made class action-procedure that neither in the primary nor the
secondary law would find a sufficient legal basis. Even though such a cross-border
class-action, unifying thousands of European users against Facebook, will not take
place—at least not without the European law maker taking action,8 it would be quite
a misunderstanding to believe that Schrems completely lost his case. On the contrary,
the Court granted Schrems standing for a single action against Facebook in his home
country Austria even though Facebook is not an Austrian undertaking but has its
registered office in Ireland.9
What also is, apart from the specific legal questions, the underlying narrative of
the just described little vs. big-scenario? Even though the relevant debates date back
farther than 1890, when US-Supreme Court Justice Louis Brandeis famously penned
the since then so-called “right to privacy”,10 “in today’s society, privacy has become
more complex than simply physical interference. The birth of the World Wide Web
has created a new landscape for which current legal standards are inadequate.”11
The underlying narrative thus is a story of inadequacy and Schrems sees himself
as an advocate for all those being negatively affected by this inadequacy. It is an
inadequacy not limited to reactions new technologies provoke but it starts with the
inadequate, for sure ambiguous notion of privacy itself. As stated by A. M. Brumis,
“thanks to the Internet and social media, personal privacy has been revolutionized,
public figures and private figures are becoming increasingly difficult to discern, and
until changes in the law occur, privacy violations in an Internet environment are hard
to determine”. Brumis, however, additionally refers to a quote by W. Hartzog to make
her point: “The proper legal response to the issue of social media and privacy has
proven elusive because there is no fixed conceptualization of privacy”.12 Here, at
the very core of “privacy”—be it a real world phenomenon, a social attribution, a
incentive to do so.
9 ECLI:EU:C:2018:37, para 12; see also Die Zeit, online version, 25. 01. 2018, http://www.zeit.
de/digital/datenschutz/2018-01/maximilian-schrems-facebook-eugh-urteil-keine-sammelklage.
Accessed 11 Jan. 2022.
10 Brandeis (1890).
11 Brumis (2016), p. 1.
12 Hartzog (2013), pp. 50 at 51.
20 M. Kotzur
Our investigative journey on privacy has to also take into account the very opposite
thereof—the public space, the public sphere and, in a broader sense, “publicity”.
The differentiation between the spheres of the public and the private is among
the well-established fundamentals of Western constitutionalist respectively legal
thought.13 Anglo-American literature pointedly uses the concept of a “public–private
dichotomy”.14 Along with this strict separation come—oft-criticized, for instance
by “legal feminism”15 —typifying status attributions, in other words: clichés—and
the placing of behavioral expectations on the individual. Even if black-and-white
stereotypes consistently fall short, the fact alone that the constitutionalist school of
thought continues to permeate and, to a degree, dominate current discourse, warrants
its consideration. What does the separation of the private and public signify? The
public space is where the active citizen, the political citoyen, operates.16 This is
where s/he takes part in the shaping of the polity, does her/his part in the concretion
of the common good and does not avoid the public eye, on the contrary: it is within
the sphere of the democratic public that individuals’ political actions reverberate,
thereby preserving civil liberties. The private domain, in contrast, is the refuge of the
bourgeois. Protected by fundamental rights, it is here that s/he can be her/himself,
unimpeded by the state and unobserved by the public. Here s/he can be sure of her/his
freedom, the level of said freedom rising with the degree of intimacy. Readers prone
to a comparative legal approach find the phrase of a “right to privacy”,17 or—perhaps
even more illustrative—a “right to be let alone” in US Supreme Court rulings. In
his famous dissenting opinion in Eisenstadt, 405 U.S. p. 442, the aforementioned
Justice Brandeis cites the ruling Olmstead v. United States, 277 U.S. p. 438, 478
(1928): “The right to be let alone (is) the most comprehensive of rights and the right
most valued by civilized men.“18 The judicature of the German Bundesverfassungs-
gericht, differing from its US counterpart in many nuanced ways, but alike in its
general direction, has adopted an equally illustrative concept by coining the term
“Allgemeines Persönlichkeitsrecht”, or “general right to privacy”.19
The rigorous separation of the private and the public, of citoyen and bourgeois,
has in its black-and-white dichotomy always been an ideal type all times being over-
shadowed by many grey areas. The Internet age with its social networks has only
added new shades of grey. On the one hand, the individual ever more so fears total
surveillance by a technologically, if not quite all-powerful, certainly over-powering
state. The NSA scandal20 serves here as only one jarring example of an Orwellian
“big brother is watching you” reinvented.21 On the other hand does the same indi-
vidual knowingly publicize information of private, even intimate character via social
networks like Facebook and thereby relinquishes the constitutionally guaranteed
protection of privacy, often without properly considering the long-term effects of such
self-exposure.22 The dreaded “Big brother” State is joined by many not less dreadful
“little brothers and sisters” of the online-community (or rather communities). To
again quote A. M. Brumis:
First, the distinction between a public figure and private figure is becoming increasingly
difficult to decipher, due to the Internet and social media platforms: The Rosenbloom plurality
opinion, by Justice Brennan, expressed: Voluntarily or not, we are all ‘public’ men to some
degree. Justice Brennan’s words ring even more true in the digital age. (...) In the age of
microcelebrity-fame – along with its associated benefits and burdens – is distributed along a
spectrum, not according to a dichotomy. The Internet has turned what many would previous
deem “private figures” into what could now be argued as public figures.23
A dichotomy that never really was one turned into a spectrum that always will be
composed of the “in-betweens”, too. Such a development, both technology- and
behavior-driven, does not only lead to sustained effects on the changing percep-
tion of private and public space, it also causes a number of issues with regard to
the protection of fundamental rights within and beyond the state.24 The suprana-
tional dimension is of course evident, as the world-wide-web, due to its very struc-
ture, escapes the regulatory power of the nation state and calls for global internet-
governance.25 The protection of privacy and private sphere play a significant role
within such a governance scheme. Whether fundamental rights guarantees in polit-
ical multilevel systems26 spanning the national-constitutional, the regional-public-
law and universal-public-law level, serve as sufficiently effective protection mech-
anisms, becomes the pivotal question. The following tour d´horizon is neither able,
The basic topology here is conceivably complex. The protection of the individual
from the state or sovereign power—exercised both within and beyond the state—is
no longer the primary concern, but rather it is about the protection of the indi-
vidual from other private actors—discussed as the “third-party-effect” or “horizontal
dimension/horizontal effect” in German fundamental rights doctrine27 —and from
her/himself, the dogmatic keyword here being the “obligation or duty to protect”.28
This duty is also resembled in international human rights law.29 As outlined by
the Office of the High Commissioner in his 2005 “Principles and Guidelines for a
Human Rights Approach to Poverty Reduction”30 : “All human rights—economic,
civil, social, political and cultural—impose negative as well as positive obligations
on States, as is captured in the distinction between duties to respect, protect and
fulfill. The duty to respect requires the duty-bearer to refrain from interfering with
the enjoyment of any human right. The duty to protect requires the duty-bearer to
take measures to prevent violations of any human right by third parties. The duty
to fulfill requires the duty-bearer to adopt appropriate legislative, administrative and
other measures towards the full realization of human rights. Resource implications
of the obligations to respect and to protect are generally less significant than those
of implementing the obligation to fulfill, for which more pro-active and resource-
intensive measures may be required. Consequently, resource constraints may not
affect a State’s ability to respect and to protect human rights in the same extent as
its ability to fulfill human rights.” This holistic human rights concept only allows
resource-based excuses when it comes to the fulfillment aspect. Both, the respect for
and the active protection of human rights, constitute resource-neutral and far-reaching
obligations.
In the Internet context, the latter comes into play in a very specific manner:
as—see above—a duty to protect the individual—notwithstanding her/his autonomy
and self-responsibility—from herself/himself. The duty to protect gains all the more
importance since the vulnerable individual publicizes private information voluntarily
for a Human Rights Approach to Poverty Reduction, 2006, HR/PUB/06/12, pp. 47/48. See also De
Schutter (2014), p. 290.
Privacy Protection in the World Wide Web—Legal Perspectives … 23
and thereby not only potentially causes wholly unintended and unexpected conse-
quences, but gives away today—perhaps out of the spur of the moment, the inexpe-
rience of youth, or an adolescent urge for self-promotion—what shall be forgotten
tomorrow. Self-responsibility is limited when the future consequences of the actions
are hardly foreseeable in their full dimensions. Today’s innocent joke—the funny
semi-naked party picture of a drunken high school kid—can become the end of
tomorrow’s career—the former party kid now a public figure running for office and
being confronted with the “sins” of her/his past.31 Plenty are the examples of such
distressed public figures becoming an easy prey for the press. In the words of J.
Rosen: “Around the world citizens are experiencing the difficulty of living in a world
where the Web never forgets, where every blog and tweet and Facebook update
and MySpace picture about us is recorded forever in the digital cloud. This expe-
rience is leading to tangible harms, dignitary harms, as people are losing jobs and
promotions.”32
Whereas Rosen doubted that law was a good remedy for these harms,33 the ECJ
pursued a different path. In their Google ruling, the Luxemburg Judges established a
groundbreaking “right to be forgotten”34 or “right to oblivion” giving the concerned
individual’s privacy rights a stronger weight than the operator’s economic and the
general public’s information interests. The Court inter alia held that
in the light of the potential seriousness of that interference, it is clear that it cannot be justified
by merely the economic interest which the operator of such an engine has in that processing.
However, inasmuch as the removal of links from the list of results could, depending on the
information at issue, have effects upon the legitimate interest of internet users potentially
interested in having access to that information, in situations such as that at issue in the main
proceedings a fair balance should be sought in particular between that interest and the data
subject’s fundamental rights under Articles 7 and 8 of the Charter. Whilst it is true that the
data subject’s rights protected by those articles also override, as a general rule, that interest
of internet users, that balance may however depend, in specific cases, on the nature of the
information in question and its sensitivity for the data subject’s private life and on the interest
of the public in having that information, an interest which may vary, in particular, according
to the role played by the data subject in public life.35
More specifically turning to the “be forgotten” interest the Court continued:
31 One example is given by the case of Stacy Synder (Snyder v. Millersville Univ.), 2008 U.S.
Dist. LEXIS 97943 (E.D. Pa., Dec. 3, 2008), outlined by Rosen (2011), p. 345 at 346 as follows:
“She is the young woman who was about to graduate from teachers college, and days before her
graduation her employer, a public high school, discovered that she had posted on MySpace a posting
criticizing her supervising teacher and a picture of herself with a pirate’s hat and a plastic cup and
she had put the caption “drunken pirate” under it. The school concluded that she was behaving
in an unprofessional way and promoting underage drinking. Therefore, they did not allow her to
complete her student teaching practicum. As a result, her teachers college denied her a teaching
certificate”.
32 Rosen (2011), p. 345 at 345.
33 Ibidem.
34 ECJ, ECLI:EU:C:2014:317–Google/Spain; on this topic Schiedermair, in:
Lind/Reichel/Österdahl (eds.) (2015), p. 284 et seqq.; of further relevance in this context
again Rosen (2011), p. 345.
35 ECJ, ECLI:EU:C:2014:317, para 81.
24 M. Kotzur
As the data subject may, in the light of his fundamental rights under Articles 7 and 8 of the
Charter, request that the information in question no longer be made available to the general
public by its inclusion in such a list of results, it should be held, as follows in particular
from paragraph 81 of the present judgment, that those rights override, as a rule, not only the
economic interest of the operator of the search engine but also the interest of the general
public in finding that information upon a search relating to the data subject’s name. However,
that would not be the case if it appeared, for particular reasons, such as the role played by
the data subject in public life, that the interference with his fundamental rights is justified
by the preponderant interest of the general public in having, on account of inclusion in the
list of results, access to the information in question.36
The protection from private actors becomes particularly relevant, as it is the providers
behind social networks who, primarily driven by economic interests and protected
by economic rights, entice the individual to publicize private data. But obviously
these private parties, as just stated, act under fundamental rights protections of their
own, which is why we speak of multipolar fundamental rights relations,37 that in turn
necessitate complex, and at times over-complex weighting processes. Public infor-
mation interests and the protection thereof make the necessary balancing approach
even more intricate.38 Finally, another factor comes into play when dealing with
globally operating providers and networks which transcend national borders—and
that is the question of the ex-territorial application of basic and/or human rights guar-
antees.39 The question of effective judicial enforcement of these rights is yet another
problem, entirely.40 Facing all these challenges, a cross-border Internet governance
being defined as “the evolving policies and mechanisms under which the Internet
community’s many stakeholders make decisions about the development and use
of the Internet”41 becomes an urgent desideratum in global politics and in schol-
arly research as well. A multi-stakeholder approach seems to be without reasonable
alternative.
The general right to privacy after all provides a solid legal basis at the constitutional
law level. Looking for an explicit protection clause in the German Grundgesetz (GG),
36 Ibidem, para 97. And it is not only the ECJ dealing with a right to be forgotten. From a comparative
perspective see, e.g., Argentina. Here, the leading case about a “right to be forgotten” involves a pop
star called Virginia da Cunha: V. Sreeharsha, Google and Yahoo Win Appeal in Argentine Case,
N.Y.TIMES, Aug. 20, 2010, at B4. For further reference again Rosen (2011), p. 345 at 351. Cf. also
Sarlet (2022), in this volume; Schimke (2022), in this volume.
37 Karavas (2007), p. 81 et seqq.
38 See also Albers (2016), p. 19; id., in: Gutwirth/De Hert/Leenes (eds.) (2014), p. 213.
39 On the extra-territorial application of the right to privacy: Töpfer (2014), p. 31 et seqq.
40 Cf. with regard to this problem Veit (2022), in this volume.
41 https://www.nro.net/internet-governance/. Accessed 11 Jan. 2022.
Privacy Protection in the World Wide Web—Legal Perspectives … 25
however, would prove futile. Similar to the US constitution in its amendments, the
Grundgesetz does not go beyond traditional basic rights guarantees. From a joint
assessment of Article 1(1), the human dignity clause, and Article 2(1), the right to free
development of one’s personality, the Bundesverfassungsgericht (German Federal
Constitutional Court) has conceptualized such a right in the 1980s and spelled it out
later on in a number of cases42 : the right to your own likeness, the right to your own
name, the right to mandate the use of one’s personal data, which was coined as the
somewhat awkward-sounding “right to informational self-determination”,43 the right
of protection of reputation, among others.44 What is important here is the reference to
human dignity.45 It does not only highlight the close connection between the general
right to privacy and the right to free development of one’s personality, but also
renders any justification of infringement subject to a strict proportionality assess-
ment—which, admittedly, can be seen as a typical German approach. Comparing
the American notion of freedom and the German concept of dignity, E. J. Eberle
highlights the quintessential feature: “First, and most fundamentally, the German
constitution is anchored in the architectonic value of human dignity, meaning, at
least, that each person is valuable per se as an end in himself, which government and
fellow citizens must give due respect “.46 This “due respect” by the fellow citizens
in particular refers to the horizontal dimension of human dignity as a human right.
Eberle continues explaining:
The influence of the Kantian maxim, [a]ct so that you treat humanity, whether in your own
person or in that of another, always as an end and never as a means only is clear (although it
would be an overstatement to say the GG is simply Kantian), and this gives rise to a German
“constitution of dignity,” as compared to the American constitution of liberty. One obvious
difference between the two is that the German constitution is value-ordered around the norm
of dignity, whereas the American charter is value-neutral based on an idea of liberty rooted
in personal choice.
42 On this topic and with a particular focus on the internet: Leible/Kutschke (eds.) (2012).
43 Albers (2005a); id. (2005b), p. 537; id, in: Friedewald/Lamla/ Roßnagel (eds.) (2017), p. 11.
44 Firgt (2015).
45 Sarlet (2015); Häberle, in: Isenesee/Kirchhof (2004), § 2; Enders (1997).
46 Eberle (2008), p. 1 at p. 3.
26 M. Kotzur
Article 1(2) and (3), to a sphere beyond the state where the responsibility of German
sovereign power becomes ever-more remote. An extraterritorial horizontal effect of
Article 1(1) Basic Law might not be the most solid dogmatic ground to base effec-
tive Internet governance upon. Just a brief procedural side remark: Violations of the
general right to privacy, particularly in civil proceedings, are first to be raised before
the specialized courts. It follows that “regulation 1215/2012 on jurisdiction and the
recognition and enforcement of judgments in civil and commercial matters” plays a
decisive role in determining the place of jurisdiction on the EU level. This role shall
not be further discussed here, but it deserves mention, nevertheless. We, instead, shall
proceed to other options of privacy protection beyond the State.
As for the protection mechanisms at the European level, the ECHR shall be consid-
ered first. Article 8 ECHR takes center stage, here—it reads: “Everyone has the right
to respect for his private and family life, his home and his correspondence.” A right
to privacy becomes tangible here, based on the wording alone. The ECtHR views the
protection of personal data as a direct consequence of this right. This provision does
not, however, unfurl a direct third-party effect/horizontal effect on private actors, nor
is it explicitly grounded anywhere in the text of the ECHR. Therefore, as is the case in
national constitutional law, only an indirect third-party effect can be considered—not
a foreign concept to ECtHR jurisprudence, either. What is particularly interesting
with regards to the legal questions surrounding social networks, is the dogmatic
proximity of the third-party/horizontal effect and the above outlined duty/obligation
to protect. The Austrian scholar and judge at the Austrian Constitutional Court
Christoph Grabenwarter has carved this out, precisely:
The approach to a duty to protect advocated here – characterized by the victim-offender
relationship – also determines the relationship between a duty to protect and the horizontal
effect. Where the duty to protect applies to the legal relationship between private actors, the
indirect horizontal effect is satisfied through the fulfilment of the duties to protect. The state,
which, through civil laws and their enforcement ensures a balancing of interests as intended
by the ECHR, protects bearers of basic rights from infringements on behalf of private actors,
through means of criminal law (…), in so doing does not only fulfill its duty to protect. In
the process it also assumes all duties related to legal questions commonly discussed within
the dogmatic scope of the so-called effect. Problems of the third party effect are therefore
incorporated in the dogma of a duty to protect.47
This approach centered on the duty to protect as core principle for further dogmatic
development shall also be used with regard to the EU Charter of Fundamental Rights,
and within its scope of application. As the decidedly more modern and therefore more
advanced convention as compared to the ECHR, the Charter strikes a more discerned
balance with respect to its rights guarantees. It differentiates between “respect for
private and family life” in Article 7 and the explicit protection of personal data
in Article 8 of the Charter, the latter’s protective quality enhanced by Article 16
TFEU.48 In its already above discussed Facebook-ruling (Schrems v. Data Protec-
tion Commissioner),49 the ECJ holds that secondary legislation, “in so far as they
govern the processing of personal data liable to infringe fundamental freedoms and,
in particular, the right to respect for private life, must necessarily be interpreted in the
light of the fundamental rights guaranteed by the Charter of Fundamental Rights of
the European Union.”50 This decision, unlike the “right to be forgotten” in the also
above discussed Google-Case, did not pertain to the protection of an individual using
social networks from her/himself, but rather to the passing-on of sensible personal
data by the EU, here the Commission, to a third country.
Nevertheless, this ruling is not of lesser significance regarding the contouring of
a duty to protect. In this case the Commission had assumed that the data would be
transferred to a “safe harbour”, that would provide an adequate level of protection
for personal data. The ECJ does not question the concept of a “safe harbour” in
principle. It demands, however, that the level of safety of that harbour is verifiable
and is actually being inspected. Again a quote from the decision:
Whilst recourse by a third country to a system of self-certification is not in itself contrary to
the requirement laid down in Article 25(6) of Directive 95/46 that the third country concerned
must ensure an adequate level of protection ‘by reason of its domestic law or … international
commitments’, the reliability of such a system, in the light of that requirement, is founded
essentially on the establishment of effective detection and supervision mechanisms enabling
any infringements of the rules ensuring the protection of fundamental rights, in particular
the right to respect for private life and the right to protection of personal data, to be identified
and punished in practice.51
The transferring state is not allowed to pass along its responsibility to control data
safety, herein lies its very duty to protect. What follows from this for the protection
of personal data in social networks: here, too, must there be an ultimate account-
ability on behalf of the responsible sovereign for the protection of personal data.
This accountability-based duty, if necessary, goes as far as to protect the individual
from her/himself and also has an indirect horizontal effect on private actors with
respect to their relevant fundamental rights. In every conceivable constellation must
“the persons whose personal data is concerned have sufficient guarantees enabling
their data to be effectively protected against the risk of abuse and against any unlawful
access and use of that data. The need for such safeguards is all the greater where
Privacy Protection is not a foreign concept to universal public law either. Back in
1948, the UDHR as a resolution of the General Assembly, formulated only soft law
in Article 12: “No one shall be subjected to arbitrary interference with his privacy,
family, home or correspondence, nor to attacks upon his honour and reputation.
Everyone has the right to the protection of the law against such interference or
attacks.” Article 17 of the ICCPR transposes this protection into binding public inter-
national law, when reproducing Article 12 UDHR almost verbatim. Para 1 reads: “No
one shall be subjected to arbitrary or unlawful interference with his privacy, family,
home or correspondence, nor to unlawful attacks on his honour and reputation.” And
para 2 continues: “Everyone has the right to the protection of the law against such
interference or attacks.”
As clearly as these provisions bear out a consensus with respect to the protection
worthiness of the individual, at least in principle, it is equally clear that the manner
and scope of protection remains to a large degree subject to the cultural context. A
dogmatic fine-chiseling into the questions of universal protection worthiness and a
horizontal effect issue therefore proves futile (and perhaps is not even desirable). In
addition, the concept of what is private itself—this was the opening consideration—
is subject to dynamic cultural change. Recommendations for future research, as
outlined by A. M. Brumis, thus include:
exploring the overall implications of advancing technology on our personal privacy and right
to privacy, exploring the differences in terms and use across social media platforms to see
what impact these have on privacy expectations, exploring how self-disclosure throughout an
Internet landscape impacts an individual’s right to privacy, and exploring how government
plays a role in digital privacy laws. (…). These would be areas worth exploration, as each
relates to the future of digital privacy.54
This paper has emphasized and even appraised the virtue of forgetting.55 However,
what’s got law to do with it? Very little, might have been the answer of J. Rosen,
who rather and very pragmatically endorsed some kind of expiration date for online
54 Brumis (2016), p. 1.
55 Mayer-Schönberger (2009).
30 M. Kotzur
published private data.56 It’s all about politics, stupid, might have been A. Brumis
reply:
As the field of public relations becomes increasing technology-driven, the right to privacy
across digital platforms will continue to be an important concern for both organizations and
individual clients. Public relations practitioners must steer clear of crises, and privacy viola-
tions can certainly turn into a crisis situation if an organization allows consumer information
to get into the wrong hands, or fails to protect employees from digital data breaches. As
more organizations are interacting with stakeholders through the Internet and social media
platforms, public relations practitioners must take into account the legal aspects of privacy,
and how to interpret it in a digital environment. The inadequate legal standards that currently
exist for digital privacy has led to privacy policies that protect both consumers and organi-
zations as user information is collected. However, these policies are not consistent across
all social media platforms, nor consistent among all organizations. Therefore, public rela-
tions practitioners must be well informed in order to avoid privacy violations and in order to
protect clients and organizations from digital privacy breaches or government intrusion.57
Human rights instruments might provide a suitable solution. Finally, it is the ECJ’s
more “law-optimistic” attempt which offers a mean of legal protection by a newly
shaped “right to be forgotten”. What all these approaches share is the very notion
that we are “more public and more interconnected than ever”.58 As D. Lat and Z.
Shemtob remind us:
“In this day and age – of blogs, where our private misadventures can be written about at
length; of streaming video and YouTube, where said misadventures can be seen and heard
by total strangers; of Facebook, where “friends” can post pictures of us, against our will
(maybe we can “de-tag,” but we can’t remove); of full-body scanners at the airport Justice
Brennan’s59 words ring more true than ever, for better or worse”.
If we want to evaluate the power of law within possible internet governance schemes,
in particular the steering powers human rights could unfold, we first have to take
a comparative look at the concept of privacy as such. Only if we find a “pri-
vacy language” spoken and understood in different legal systems respectively legal
cultures we can go one decisive step further towards effective legal instruments.
Law comparison, however, is a difficult job. R. Hirschl’s recent study on compara-
tive constitutional law can be invoked as convincing witness.60 Rather than simply
being looking for a blueprint of fixed solutions—let’s do it as the others do!, the
comparative lawyer is in permanent search for a matrix that allows him to weigh,
to probe, and to critically reconsider her or his own arguments against the back-
ground of experiences that others have made or solutions that others have found.61
Just to copy-paste a rule stemming from another legal system or to restate a judg-
ment of a foreign Court has nothing to do with meaningful comparative work and
for sure will fall short of getting the whole “privacy picture” as displayed by so
many different legal cultures and privacy traditions around the globe. A simplistic
copy-paste would both misconceive the cultural heterogeneity of the legal world and
ignore a political community’s own legal identity as cultural identity.62 Without any
doubt, the public–private-distinction is at the very heart of this “identity”. Both appro-
priate and advisable comparative work may not limit itself to the idea of comparing
“the laws” (that is to say written norms, legal texts or, in particular given common
law systems,63 judgements) but it has, in a broader sense, to encompass a sensi-
tive comparison of cultures64 —in our case of “privacy cultures”. Whoever wants
to undertake the endeavor of a so-characterized holistic comparison65 must neces-
sarily leave the ivory tower of pure legal thought as well as the narrow world of
law-school-comparison often constraining itself to some rather fruitless semantic
exercises. A shift from comparative law stricto sensu to broadly shaped comparative
“law in context”-studies is the obvious consequence.66
An effective “right to be forgotten” concept has to be aware of these comparative
necessities. All the more so should global players take into account the perspective
of the “relevant others”. The United Nations are well aware of the privacy issue
and thus wrangling over new forms of internet governance. The Internet Governance
Forum founded in 2006 should be mentioned, in particular. It is improbable, however,
that global (legal) discourse would easily bring about globally uniform, binding and
comprehensive treaty regimes in the near future. All the more important is it that those
already powerful actors/stakeholders, within their capabilities, accept their share of
responsibility for the protection of privacy and enter into willing-to-learn-and-listen
worldwide discussions. The ECJ, with its two (quickly deemed historic) decisions
on Google and Facebook, has emphatically fulfilled its responsibility. The Court has
assumed the active position of a committed advocate dealing with the question of
what Internet governance should accomplish. This is certainly encouraging—also
for our Brazilian-German-Forum and for what could be described as “Civility in the
Digital Age”.67
(2000), pp. 163, 173 et seq.; furthermore Varga (ed.) (1992); Ehrmann (1976).
65 Hirschl (2014), at p. 13 suggests “that for historical, analytical, and methodological reasons,
maintaining the disciplinary divide between comparative constitutional law and other closely
relates disciplines that study various aspects of the same constitutional phenomena artificially and
unnecessarily limits our horizons”.
66 Ibidem at p. 151.
67 Weckerle (2013).
32 M. Kotzur
References
Schimke A (2022) Forgetting as a social concept. Contextualizing the right to be forgotten. In: Albers
M, Sarlet IW (eds) Personality and data protection rights on the internet. Springer, Dordrecht,
Heidelberg, New York, London (in this volume)
Singh MP (1985) German administrative law in a common law perspective. Springer, Berlin,
Heidelberg
Smend R (1933) Bürger und Bourgeois im deutschen Staatsrecht. In: ibid. (1968, 2nd ed)
Staatsrechtliche Abhandlungen, pp 309–325
Solove DJ (2007) The future of reputation: gossip, rumor, and privacy on the Internet. Yale University
Press, New Haven
Taraz D (2016) Das Grundrecht auf Gewährleistung der Vertraulichkeit und Integrität informa-
tionstechnischer Systeme und Gewährleistung digitaler Privatheit im grundrechtlichen Kontext:
Wegbereitung für eine digitale Privatsphäre? Verlag Dr. Kovač, Hamburg
Töpfer E (2014) Wie das Menschenrecht auf Privatheit in seiner Krise an Profil gewinnt, vorgänge.
Zeitschrift für Bürgerrechte und Gesellschaftspolitik, 53. Jahrgang, Nummer 206/207:31–41
Turner BS, Hamiliton P (eds) (1994) Citizenship: critical concepts. Routledge, London
Uerpmann-Wittzack R (2009) Internetvölkerrecht. AVR 47:261–283
Varga C (ed) (1992) Comparative legal culture. New York University Press, New York
Veit RD (2022) Safeguarding regional data protection rights on the global internet—The European
approach under the GDPR. In: Albers M, Sarlet IW (eds) Personality and data protection rights
on the Internet. Springer, Dordrecht, Heidelberg, New York, London (in this volume)
Voegeli-Wenzel J (2007) Internet Governance am Beispiel der Internet Corporation of Assigned
Names and Numbers (ICANN). GRUR Int.:807–816
Wahl R (2000) Staat-Souveränität-Verfassung. Festschrift für Helmut Quaritsch, edited by Dietrich
Murswiek/Ulrich Storost/Heinrich A. Wolff, Duncker & Humblot, Berlin, 2000. ISBN 3-428-
09623-1
Weckerle A (2013) Civility in the digital age: how companies and people can triumph over haters,
trolls, bullies and other jerks. Que Publishing, Indianapolis
Weiler JHH, Lockhart NJS (1995) ‘Taking rights seriously’ seriously: The European court and its
fundamental rights jurisprudence. CMLREV 32(2):579–627
Weintraub J, Kumar K (eds) (1997) Public and private in thought and practice: perspectives on a
grand dichotomy. University of Chicago Press, Chicago
Markus Kotzur Prof. Dr. Iur. (Universität Bayreuth), LL.M. (Duke University, NC, USA),
Professor for Public International and European Law, President of Europa-Kolleg Hamburg.
Main research areas: Global Constitutionalism, Global Governance, Human Rights Law,
EU-Institutions, European and National Constitutional Law. Selected Publications: European
Union Treaties. A Commentary (together with Rudolf Geiger and Daniel-Erasmus Khan),
C.H.Beck/Hart, Munich/Oxford 2015; Grenznachbarschaftliche Zusammenarbeit in Europa.
Der Beitrag von Article 24 Abs. 1a GG zu einer Lehre vom kooperativen Verfassungs- und
Verwaltungsstaat. Habilitationsschrift, Duncker & Humblot, Berlin 2004; Legal Cultures in
Comparative Perspective, in: M. P. Singh (Hrsg.), The Indian Year-Book of Comparative Law
2016, Oxford University Press, Oxford 2017, pp. 21–50; Solidarity as a Legal Concept, in: A.
Grimmel und S. M. Giang (Hrsg.), Solidarity in the European Union, Springer, Cham 2017,
pp. 37–45; Theorieelemente des internationalen Menschenrechtsschutzes. Das Beispiel der
Präambel des Internationalen Paktes über bürgerliche und politische Rechte, Berlin 2001.
Personality Rights in Brazilian Data
Protection Law: A Historical Perspective
Abstract This chapter traces the influence of personality rights and European legal
thought in the development of data protection law in Brazil. We argue that the
Brazilian Data Protection Law enacted in 2018 is grounded on a solid legal tradition
of civil law. In order to demonstrate this argument we trace how Brazilian lawyers
took advantage of European legal thought in the 20st century and how the concept
of personality rights was intellectually constructed. We also argue that personality
rights had an important role in legal struggles during the Brazilian civil-military
dictatorship (1964–1985). The chapter also presents new data about the history of
data protection in Brazil.
1 Introduction
The enactment of the first Brazilian data protection legislation in August 2018 was
the culmination of a process dating back to 2010, when earlier versions of its text were
submitted to public comments on the Internet. First conducted by the federal govern-
ment and later by the Brazilian parliament, the development of the text received
reasonable feedback from society following a path already taken by another piece
of legislation, the Internet Civil Rights Framework (known as the Marco Civil da
Internet 1 ). Both these statutes form the backbone of the Brazilian legal framework
for the information society, together with other legislation regarding issues ranging
from access to information to intellectual property.
D. Doneda
Public Law Institute of Brasília (IDP), Brasília, Brazil
R. A. F. Zanatta (B)
University of São Paulo, São Paulo, Brazil
1 Law 12.965 of 2014.
The particular kind of collaborative process which resulted in the General Data
Protection Law (known as LGPD2 ) and the Marco Civil made both of them partic-
ularly sensitive to some demands from society, which contributed to their final text.
However, while the Marco Civil was a brand-new framework built almost from
scratch and from references to specific topics—there was no other law of this kind,
combining privacy, net neutrality, and intermediary liability—, LGPD had a previ-
ously existing set of legal frameworks to relate to. Data protection is currently a
well-established legal subject and field in several other legal systems—particularly
the continental European legal system, from which the Brazilian one derives—with
its own set of concepts and standards which are much easier and more rational to
adapt to than to contrast.
In this sense, the process that resulted in LGPD took into consideration not merely
the need to include data protection concepts and standards in Brazilian law but also
the dialogue with current Brazilian legislation and legal tradition. We argue that the
rationale of data protection, which is the protection of citizens regarding the possible
effects of the processing of their data, is coherent with the tradition of personality
rights, already well-established in Brazilian law.3 We therefore aim to identify the
significance of personality rights in the shaping of the new legislation, in histor-
ical perspective, and to stress the intersection points between LGPD provisions and
personality rights, recognizing that the strength of this relationship is very important
for a complete and necessary translation of the dogmatics of data protection (fairly
new to the country’s legal tradition) into the Brazilian legal framework.
Personality rights play a key role in the structuring and shaping of the Brazilian data
protection framework. This section explores aspects of the history of Brazilian private
law, the influence of European legal thinking on Brazilian legal scholarship during
the nineteenth and twentieth centuries, and the challenges of protecting individuals
during the civil-military government (1964–1985). We argue that the constitution of
1988 was influenced by previous struggles for the right to privacy and the doctrine
of personality rights.
It is difficult and tricky to compare legal systems.4 Despite their similarities, the task
of comparing the Brazilian and the European systems must also take into account that
there is no complete singularity and uniformity in European Union law. However, it
might be useful to bring back Rodolfo Sacco’s methodological approach of “legal
formants”5 to discuss “hidden similarities” and “metalegal formants” present in the
Brazilian legal system. As advocated by Sacco, comparative approaches to legal
studies should focus not only on written law and explicit legal rules, but should aim
at “highlighting structural regularities that would otherwise pass unobserved.”6
Instead of speaking of legal rules, according to Sacco, “we must talk instead
of the rules of constitutions, legislatures, courts, and, indeed, of the scholars who
formulate legal doctrine.”7 By applying this methodology to personality rights and
personal data protection, this means that we should move beyond a mere description
of rules and the topography of law. We must evaluate the consistency of what is in
the code compared to what the courts apply (law in books vs. law in action) and the
legal formants, that is the living law, which is, in a sense, underground and barely
seen, and consists of statutory rules, the formulations of scholars (and their main
intellectual inspirations), and the decisions of judges. As argued by Sacco, a merely
topographic analysis of law (e.g. the differences between Codes or positive law) does
not take into account the deep structures of legal thinking, like the role of scholarship
in decision-making and the interplay between the knowledge produced by Court in
the process of ruling a hard case and the positive law.
One important feature of the Brazilian legal system is the adoption of the civil
law tradition and the codification of private law that culminated in the first Brazilian
Civil Code of 1916, which was highly influenced by the European legal tradition and
the work conducted by French, German, and Italian legal elites. Nevertheless, the
role and meaning of civil codes changed substantially during the twentieth century.
Judith Martins-Costa, writing in 1998, claimed that the Civil Code does not have
as a paradigm the structure of a “perfect model designed by the wise” capable of
predicting all kinds of fattispecie (an ensemble of factual elements that are governed
by a certain legal norm) and following sets of beliefs of nineteenth-century jurists.
The inspiration for contemporary civil codes, according to Martins-Costa, is clearly
the “open models” of constitutions, with the adoption of open clauses (clausulas
gerais). In any case, if we consider the historical development of Brazilian private
law, the influence of the “codification movement” proves to be strong. Caio Mario da
Silva Pereira, one of the leading private-law jurists in the twentieth century, stresses
the importance of the open model and, after recognizing the importance of the codi-
fications in Prussia, France, and Austria in the late eighteenth and early nineteenth
centuries in his work “Instituições de Direito Civil,” observed that “the establishment
of codified principles”8 allows law to evolve through systematic reasoning and legal
interpretation.
The Brazilian legal system was strongly influenced by the colonial Portuguese
legal model and the regulation of public and private life through the Ordenações. Even
after the Declaration of Independence in 1822, legal and political elites sustained the
enforcement of the Ordenações Filipinas and began considering the enactment of a
Civil Code.9 However, according to Caio Mario da Silva Pereira, the turning point
was the decision of the imperial government in 1855 to consolidate Brazilian civil
law. Augusto Teixeira de Freitas worked on this project from 1859 to 1867 and
delivered his draft of the Civil Code, strongly influenced by concepts developed in
German legal theory.10 This Draft was divided into a general part and a special one.
Dogmatics began to play a new role with the theoretical work Consolidação das
Leis Civis written by Teixeira de Freitas. In this influential work of dogmatics and
private law, Teixeira de Freitas made a clear distinction between direitos reais (legal
relationships among a person and a thing) and direitos pessoais (legal relationships
among people). Even if his framework did not reach what we would later identify as
personality rights, whose conceptualization was still at a very early stage at that time,
the notion of an obligation of satisfaction or compensation if personal rights were
violated or offended was to become the general concept that would be associated
with several legal instruments aimed to protect the individual.
It is not our goal to provide a history of personality rights in Brazil. We would
like to stress, instead, that personality rights were influenced by this dual movement:
the codification that started with Teixeira de Freitas and culminated with the Civil
Code of 1916 and the role of “legal dogmatics”11 in civil law, highly influenced by
German legal theory in the beginning, and later by Italian and French civil law.12
These elements are part of the Brazilian “legal formants” and must be considered in
any comparative analysis.
According to Orlando Gomes, Brazilian jurists such as Rubens Limongi França,
author of Direitos da Personalidade, took up the concept of “personality rights” in
the form proposed by legal theorist Otto von Gierke, who firmly believed that the
Roman distinction between private and public law could not be sustained, considering
that “private law, though it cares foremost for individual interests, must serve the
scholarship, a type of knowledge about concepts and structures of law aimed at decision-making
actors. “Legal dogmatics” is also explained by MacCormick: “What may be called normativist
approaches to jurisprudence, most notable among them the Pure Theory of Law of Hans Kelsen,
provide a theory of knowledge for legal dogmatics in this traditional style. Such theories seek
to expound the presuppositions behind the kind of descriptive statements of law, or descriptively
normative statements, which black letter lawyers expound. They also try to work out and account
for the internal logical and conceptual structures which give legal dogmatics a rational form.”
MacCormick and Weinberger (2013), p. 2.
12 Gomes (1966), pp. 39–48.
Personality Rights in Brazilian Data Protection Law … 39
common goal,” and that “public law, though it looks first to the whole, must be just
toward individuals.”13 Gierke defended the notion that private law should preserve
the “inviolable sphere of the individual” but also promote community. The idea about
“the social role that private law should play” strongly influenced Orlando Gomes. In
1889, Gierke defended the idea that “private law must use the means at its disposal
first and foremost to guarantee and protect the personalities of individual people,
to both acknowledge and limit the rights of personality (rights of the individual)
in their general and equal manifestation, in their condition as being members of a
community, with their unique eccentricities, and in their individually acquired or
otherwise attained development, to use civil obligations next to criminal sanctions to
vindicate rights where they are harmed, and to secure compensation and redress.”14
In his classic essay Direitos da Personalidade, Gomes agrees with Gierke and
claims that “personality rights are absolute, extrapatrimonial, non-transferable, non-
prescriptable, vital and necessary.”15 However, to Gomes, they are more than the
rights to life and freedom. They are “subjective private rights” aimed at the “develop-
ment and expansion of the physical and spiritual individuality of the human person.”16
In his essay, Gomes calls for an agenda of dogmatic studies on personality rights,
claiming that his peers “continue to live in the past century” and that it is the task of
the young generation to “demonstrate sensitivity for these issues.”
Personality rights were first introduced in Brazilian law as a concept associated
with “an ensemble of attributes particular to the human condition,” as professor San
Tiago Dantas said in his lectures in the 1940s,17 or special human manifestations
whose protection is necessary for the normal development of persons. Brazilian legal
tradition on personality rights turned out to reflect a strong influence from Italian
legal doctrine, mainly from Adriano De Cupis, who in 1950 formulated a concept
of personality rights as a set of rights whose absence would make legal personality
void of any concrete value; this concept is still widely mentioned and used. In other
words, its absence would make all other subjective rights practically useless for the
individual; in broad terms, for De Cupis, personality rights could mean a set of
essential rights.18 While these rights began to be observed in case law, basically due
to the development of cases regarding damages to image, honor, or other personality
rights,19 the debate continued in Brazilian private law.
In 1979, Fabio Maria de Mattia returned to the issue in his article Direitos
da personalidade and claimed that the Brazilian debate was highly influenced
by late nineteenth-century German legal theory—which created concepts such as
Personalitätsrechte and Persönlichkeitsrechte—and the experience of the Italian and
Portuguese civil codes. Mattia, clearly influenced by Orlando Gomes and Rubens
13 Gierke (2016), p. 6.
14 Gierke (2016), p. 7.
15 Gomes (1966), p. 42.
16 Gomes (1966), p. 43.
17 Santiago Dantas (2001).
18 De Cupis (1950).
19 Santos (1997).
40 D. Doneda and R. A. F. Zanatta
Limongi França, claimed that “personality rights are an autonomous category within
the subjective rights, considering that this autonomy comes from the essential char-
acter that they present because of the special character of their object and the
singularity of its content.”20 For Mattia, postwar constitutions such as the German
Grundgesetz, approved in May 1949, conceptualized dignity, stating that human
dignity must not be violated and that is the role of the state to protect it. Matta
mentions Article 2 of the German Constitution: “every person shall have the right to
free development of his personality insofar as he does not violate the rights of others
or offend against the constitutional order or the moral law.”
European law played a substantial role in the theoretical development of person-
ality rights in Brazil. It becomes easier to understand the influence of European legal
theory if one accepts the role of dogmatics and civil codes as part of the Brazilian
“legal formant.”
In 1975, the military government presented the project of a Unified Biometric Iden-
tification System (Registro Nacional de Pessoas Naturais—RENAPE) for the whole
country. This happened during the peak of Brazilian state interventionism when
industrial policy focused on technology and the rising “information economy.” The
military had created public firms such as Serpro (Serviço Federal de Processa-
mento de Dados) and wanted to invest in public policy projects that would generate
demand for these firms. The idea was to unify many different databases—Registro
Geral, Cadastro de Pessoa Física, and Inscrição no Instituto Nacional de Seguridade
Social29 —into one database with biometric information about all citizens. Providing
the data would be mandatory for all citizens, feeding the database of the public firm.
A group of sociologists, engineers, and computer scientists resisted and published
texts and manifestos against the biometric system in specialized magazines and jour-
nals. Professionals of other technology firms such as IBM also protested and claimed
that a Unified Biometric System was unsafe and potentially harmful. In 1977, these
activists turned to the French Data Protection Law as a model for Brazil. A few months
after the proposal of the French legislation, Brazilian Congressman José Faria Lima
(a liberal politician from a wealthy family based in São Paulo and from the govern-
ment’s political party, Arena), proposed a draft bill for a General Data Protection
Law.30 The draft bill stated that data collection processes required consent from citi-
zens. The draft bill also adopted a set of principles for the processing of personal
data both by the private and the public sector. It also proposed the creation of a Data
Protection Authority, following the model of the French Commission Nationale de
l’Informatique et des Libertés (CNIL). At almost the same time, Senator Nelson
Carneiro, from MPB, proposed a draft bill to the Senate on the “protection of
computer information.”31 Both draft bills were rejected by the National Congress.
In 1977, the liberal newspaper Estado de São Paulo published a series of articles
against the Registro Nacional de Pessoas Naturais (RENAPE). President Geisel and
the military defended the project and had the support of the Ministry of Justice.
Intellectuals and professionals from the tech sector criticized the project and used
specialized journals such as Revista Dados to mobilize against it. As argued by Estado
de São Paulo, the project “represented not only a threat to the citizen, in his privacy
and liberty, but also a threat to capitalism itself.”32 In the article “Threat to Privacy, the
Greatest Criticism of the Project,” sociologist Maria Tereza de Oliveira argued that
29 Registro Geral could be translated as General Identifier. It is a document provided by the Secre-
tariat of Security. Cadastro de Pessoa Física could be translated as Individual Registration and it
is used for fiscal purposes. INSS could be translated as Social Security Number and it is used for
labor law benefits and pension system.
30 Draft Bill PL 4.365, proposed in 1977.
31 Senate Draft Bill 96 of 1977.
32 ‘Em estudos, identidade única’, Estado de São Paulo, 09 September 1977, p. 18.
Personality Rights in Brazilian Data Protection Law … 43
the right to privacy was protected by Article 12 of the Universal Declaration of Human
Rights33 and that this international standard should be followed in Brazil.34 Oliveira
also argued that many European countries such as Belgium, Italy, and Germany
had opposed national registration similar to that proposed in Brazil. She argued
that huge databases about citizens conflicted with democratic values and generated
incentives for a less active society because of the chilling effects of control and
constant monitoring.
Writing in 1979 for Estado de São Paulo, Ethevaldo Siqueira also criticized the
military project and argued that “privacy involves all the forms of protection of
the individual, the person, his home, his family, his ideas, his lifestyle, his right to
isolate himself and escape from external interference.” For Siqueira, “there is no
public interest that can justify the systematic violation of human privacy.”35
The same year, René Ariel Dotti gave a speech about the right to privacy in Brazil at
the annual meeting of the Brazilian Bar Association. Based on the French legislation
and the work of Alan Westin in the United States, Dotti argued that “the atmosphere
of oppression was taking over the country, making use of advanced technology”.
For Dotti, RENAPE was to be prohibited just like a similar database was in Portugal
because it was, just like in Portugal, a national database that violated the fundamental
right of privacy of citizens. In his speech about the “normative treatment of private
life,” Dotti argued that Brazil was to use informatics to benefit citizens and that the
“right to privacy should be guaranteed by the constitution.”36 Also, Portugal and
Spain were to be inspirations for Brazil.
Despite the failed attempt of a General Data Protection Law in 1977, the discussion
about the right to privacy was strengthened and RENAPE was defeated. Nonetheless,
initiatives aiming to draw up a data protection framework in Brazil continued: Repre-
sentative Cristina Tavares (PMDB) presented Draft Bill 4646 in 1984 on the Right
to Privacy and Personal Databases, and representative José Jorge (PDS) presented
Draft Bill 4766, also in 1984, on the Right to Privacy and Access to Databases.
In the following years, after the military government had abandoned the RENAPE
project, the Constituinte began working on a new set of rights such as habeas data
(the right to know information about yourself held by a public official or department).
From 1986 to 1988, members of the Constituinte discussed the fundamental rights
of Brazilians and approved a new constitution, which stated that the “right to inti-
macy and private life” was a fundamental right. It also included an article about the
fundamental right of access to information, guaranteed by the writ of habeas data.
33 Article 12. No one shall be subjected to arbitrary interference with his privacy, family, home
or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the
protection of the law against such interference or attacks.
34 We thank Jacqueline Abreu (University of São Paulo Faculty of Law) for gathering data and
kindly sharing her research on the right to privacy in Brazil. She searched the archives of Estado
de São Paulo and found many articles and news items critical of the Registro Nacional de Pessoas
Naturais.
35 Siqueira (1979), p. 24.
36 Dotti (1980), pp. 145–155.
44 D. Doneda and R. A. F. Zanatta
These legal innovations formed the bedrock of the Brazilian system of data protec-
tion. During the 1990s and 2000s, this system evolved into a “patchwork model” of
different rules on data protection.37 In the 2010s, the Brazilian Congress finally
harmonized the normative system into a coherent General Data Protection Law. The
next section explores this transformation.
In the previous section, we explored the evolution of Brazilian private law and the
struggles to establish constitutional protections for data privacy. In this section, we
show that the normative system of personal data protection benefited from a complex
process of unifying a fragmented set of legislation that was created over 20 years.
We also argue that personality rights are clearly present in the Brazilian General
Protection Law.
After the constitutional reform of 1988, Brazil initiated its economic opening to
international markets and the construction of a “regulatory state”38 based on the
experience of the United States of America and many European and Latin Amer-
ican countries.39 The governments of Fernando Collor (1990–1992), Itamar Franco
(1993), and Fernando Henrique Cardoso (1994–2002) were dedicated to the recon-
struction of the Brazilian state, the creation of a strong internal market with interna-
tional standards of consumer rights (guaranteed by the Code of Consumer Defense
of 1990), and the creation of regulatory agencies with normative power. These agen-
cies were designed to regulate specific markets, promote competition, correct market
failures, and protect consumers.
The first law that dealt with issues of personal data protection after the constitu-
tion of 1988 was the Code of Consumer Defense (Federal Law 8.078/1990), which
includes a specific chapter on databases and profiles of consumers. The law states
that private firms are free to create consumer reports, profiles, and methodologies to
assess risks. However, consumers have the basic right to access information about
themselves. There is a basic right to retrieve information about what kinds of data are
37 Brazilian legal scholarship since the mid-2000s has pointed to the limits of this patchwork,
defending a comprehensive approach to personal data protection. See Doneda (2006). See also
Limberger (2007).
38 Prado (2012), pp. 300–326.
39 Dubash and Morgan (2012), pp. 261–281.
Personality Rights in Brazilian Data Protection Law … 45
used in these profiles and databases. There is also a right to have incorrect information
corrected and to delete data about payments of bills after five years.
The Law of Bank Secrecy (Complementary Law 105/2001) also imposed a series
of obligations on banks and financial institutions that work with their clients’ personal
data.40 The law says that consumers must consent to data collection processes and
that private firms have the obligation not to reveal (or not to share with third parties)
the personal data they possess.
Sharing of financial data is also covered by the Code of Consumer Protection. An
important case involving HSBC bank and decided by the Superior Court of Justice
in 2017 addressed the relationship between consent and bank secrecy.41 According
to the court, when people sign a credit card services agreement, they have the right
to choose whether or not to authorize their personal data and financial information
being provided to other companies, even if they are partners of the company admin-
istrating the credit card services agreement. For this reason, the imposition of the
authorization in an adhesion contract is considered abusive and violates the principles
of transparency and trust in consumer relations. In deciding the case, Justice Luis
Felipe Salomão pointed out that, among basic consumer rights, protection against
unfair terms in the provision of products and services is one of the most important
provisions of the Consumer Protection Code (CDC).42 By breaching the principles
of transparency and trust in consumer relations, Luis Felipe Salomão considered
it abusive if the credit card service does not offer the customer the possibility of
rejecting the sharing of data. For the Justice, the transfer of information, in addition
to making the client vulnerable, is not essential for the execution of the contracted
service.
Sector-based regulatory norms also guaranteed the right of consent for personal
data collection and a series of obligations for those who process these data.43 The
Telecommunications Act (Law 9.476/1997), for example, stated that consumers of
telecommunication services must consent to data collection processes. Telecom-
munication operators must also handle their customers’ personal data with care.
There is a breach of law, enforced by the Agência Nacional de Telecomunicações
(Federal Agency of Telecommunications), if this information is shared with third
parties without the customers’ consent. The same rule applies to the sectors of
energy (Agência Nacional de Energia Elétrica—Federal Agency of Electricity) and
supplementary health (Agência Nacional de Saúde—Federal Agency of Health), for
example.
In 2010, the company Oi S.A. started to map Internet access habits of users of the
Velox service without their consent. Called a Navegador, the program used for data
collection traced consumer profiles, which were then marketed to conduct targeted
40 Roque (2001).
41 Superior Court of Justice, Recurso Especial 1,348,523, ruled in September 2017, Justice Luis
Felipe Salomão, accessible under http://www.stj.jus.br. Accessed 11 Jan. 2022.
42 Scocuglia (2017), accessible under https://www.jota.info/justica/bancos-nao-podem-compartil
During Lula’s government (2003–2010), there was a turn in the national agenda.
Instead of focusing on market incentives, competition, and consumer welfare—tradi-
tional models of economic regulation—, the Brazilian government decided to focus
on the transformation of society caused by the Internet and a renewed agenda for
citizenship online.45
Backed by a partnership with the Open Government Partnership, coordinated by
the United States of America, Brazil discussed and enacted a Freedom of Information
Act (Law 12.527/2011). This law defines basic concepts of “personal data” and a set
of rights for citizens wanting to know about the performance of public officials or
to access information about the government. The Brazilian Freedom of Information
Act also defined a principle of consent for data sharing by public officials.
Finally, the “principle of consent” for the use of personal data on the Internet was
clearly established by the Internet Civil Rights Framework.46 This law, which was
legally constructed by a bottom-up procedure and considerable online participation,
defined basic rights for the use of the Internet in the country and has an entire
chapter on “basic rights of Internet users.” It says, in Article 7, that Internet users
have the right to clear information about how personal data are collected by Internet
Service Providers (ISPs) and Internet Application Providers (IAPs). It also says
that data collection and data processing must be grounded in “free, expressed, and
informed consent.” In other words, Internet users must be autonomous and must
agree with data processing before it happens. As argued by Laura Schertel Mendes
and Danilo Doneda, Marco Civil da Internet clearly affirms a “fundamental right of
data protection”47 and establishes the principle of consent as a foundational principle
for the application of the legislation.
Up until now, together with the Code of Consumer Defense, Marco Civil da
Internet has provided the legal basis for class actions and administrative procedures
focused on the violation of personal data protection on the Internet. In 2016, for
instance, the Brazilian Institute of Consumer Defense published a report on the
violations of Marco Civil in the “WhatsApp case” (the new terms of use imposed
by Facebook Inc. and the collection of metadata without clear user consent). The
institute argued that there was a violation of Article 7, VII, of Law 12.965/2014
because personal data was shared with “third parties” without clear, informed, and
expressed consent.48
Another important case was the class action of the Ministério Público Federal
(Brazilian Federal Public Prosecutor) against Microsoft in 2018 because of opt-out
mechanisms for data collection set by default in the Windows 10 operating system.
According to the federal prosecutors, the product violated Brazilian law because “it
collected personal data without clear and expressed consent from users, sentencing
to death the constitutional principles of dignity of the human person, the inviolability
of intimacy and private life, honor and image.”49
Until the enactment of the General Data Protection Law (Law 13.709/2018), both
Marco Civil da Internet and the Code of Consumer Defense provided a strong legal
basis for injunctions and collective redress.
During the early period of Dilma Rousseff’s government (2011–2016), Brazil enacted
an important piece of legislation on credit reporting which was inspired by the Credit
Reporting Act of 1976 in the United States. Brazilian Law 12.414/2011 established
a legal framework for “positive credit reporting,” that is, a reporting system that
monitors the payment behavior of consumers, the use of financial products, and the
probability that a particular person will fulfill his or her financial obligations.50
The structure of this system, the Cadastro Positivo, rests on three pillars: (i)
the basic right of consent (credit bureaus can only open a positive credit report if
the consumer understands what is going on and agrees), (ii) the right of control
(the consumer must have control over his or her data, with a set of basic rights
of access, modification, deletion, etc.), and (iii) the right of transparency and non-
harmful discrimination (consumers who suffer the consequences of a purely auto-
mated decision must have the right to a human analysis in order to diminish harmful
discrimination).51
As argued by Danilo Doneda and Laura Schertel Mendes in 2014, the Brazilian
Credit Reporting Law advanced personal data protection, making it an “autonomous
field”52 and detaching it from consumer protection and constitutional law. With
this new set of rights—mostly designed to ensure control, transparency, and non-
harmful discrimination—the Brazilian legal system approximated the European one.
Indeed, European Directive 46/95 and the draft version of the General Data Protection
Regulation (GDPR) inspired the rights of access, control, and transparency in the
Brazilian Credit Reporting Law.
This set of rights created by Law 12.414/2011 inspired the Ministry of Justice
to work on a draft version of a General Data Protection Law during Dilma
Rousseff’s government. There were two public consultations in a period of five
years and hundreds of contributions from experts, industry representatives, and
non-governmental organizations (Boff and Fortes 2014).53
In the next section, we will explore how the General Data Protection Law used
the legal background of these diverse laws and built something new in normative
terms, taking advantage of an established tradition of personality rights within the
Brazilian legal community.
Brazil’s first General Data Protection Law (LGPD) was enacted on August 14, 2018.54
The approved text has its origins in a proposal prepared by the Ministry of Justice in
2010 that went through years of official Internet debates (promoted by the ministry
in 2010 and 2015) as well as discussions with the government and stakeholders.55
The dynamics and conditions of the process which gave birth to the LGPD differ
in some relevant ways from what happened in other Latin American countries when
approving their own data protection legislation. Indeed, none of the data protection
laws previously enacted in Latin America had a concrete impact on the timing and
mood of the debate on the matter in Brazil, which was basically internal. This was the
case even though countries as close to Brazil as Argentina or Uruguay, all of which
are members of the commercial block Mercosul, enacted their legislation and went
further in order to obtain adequacy status from the European Commission or, in the
case of Uruguay, become a signatory of Convention 108 of the Council of Europe.
One exception to this almost isolationist approach, however, was the participation
of Brazil in a working group in Mercosul (SGT13, the working sub-group on elec-
tronic commerce and digital certification). The group, after being encouraged by the
Republic of Argentina to elaborate a legal data protection framework for the coun-
tries of Mercosul (at that time Argentina, Brazil, Paraguay, and Uruguay), discussed
the proposal for five years until the four countries signed a data protection regula-
tion in 2010 which was meant to be evaluated by the executive branch of Mercosul
(Grupo Mercado Comum) at a later date. Even though the document ended up being
neither analyzed nor enacted as Mercosul legislation, this was the first (preparatory)
official document endorsed by Brazilian representatives pointing to the need to estab-
lish an internal data protection framework for Brazil (the Mercosul document would
ideally, if enacted, drive the member countries to approve their own data protection
regulations in compliance with the Mercosul standard).
In 2016, the Data Protection Bill prepared by the Ministry of Justice was sent by
the government to the National Congress, and in 2018, the final text of Law 13.709
was unanimously approved both by the Chamber of Deputies and the Federal Senate.
The President of Republic, however, vetoed some provisions, most importantly the
creation of an autonomous Data Protection Authority (DPA), on the basis of formal
objections to the way the DPA was created.
The veto of the DPA was followed by an intense debate about its desirable nature
and shape. In the last days of his term of office, and following his own statement that
the DPA would be created before he left office, President Michel Temer issued the
executive law Medida Provisoria MP 869 of 2019 creating the Autoridade Nacional
de Proteção de Dados, a DPA with no formal independence from the government
and linked to the Presidency of the Republic. However, Congress had to deliberate
its creation and several changes this executive law made to the LGPD.
The Brazilian data protection framework usually does not refer to a fundamental
right to data protection present in the Constitution, as the current jurisprudence of STF
(Brazilian highest Constitutional Court) does not yet recognize a constitutional right
referring to personal data. That differs from the GDPR, which is strongly grounded in
the conceptualization of data protection as a fundamental right as enshrined in Article
8 of the Charter of Fundamental Rights of the European Union56 and recognized by
Recital 1 of the GDPR.
The lack of a literal provision in the Brazilian Constitution, however, was followed
by several expressions of references to fundamental rights and personality rights in
the LGPD, both in the formal sense (as fundamental references) and in the structural
sense (the use of personality right techniques).
In this sense, the presence of personality rights as the driving force for the protec-
tion of citizens by means of a series of provisions on the use of their personal data is
made exceptionally clear in the first article of LGPD, which not only mentions the
law’s aim to protect the fundamental rights of freedom and privacy, but also the free
development of the personality of natural persons. The notion of the free develop-
ment of personality is strictly linked to the theory of rights of personality in Brazilian
private law,57 and its mention stresses the fact that this model was the main LGPD
reference for translating the rationale of the tradition of data protection to Brazilian
law. Indeed, the “free development of personality”58 is mentioned twice in LGPD.
First, in Article 1,59 which defines the scope of the law. Second, in Article 2,60 when
mentioning the basis of data protection, together with human rights, dignity and the
exercise of citizenship.61
Article 2 is also a central article regarding the issue of personality rights in the
LGPD for another reason: it clearly mentions that most of grounds upon which the
disciplina of data protection is based are related to personality rights: the right to
privacy (Article 2, I), the inviolate intimacy, honor, and image (Article 2, IV), the
aforementioned Article 2, VII, but also expressions of fundamental rights strongly
related to personality rights such as freedom of expression, communication, and
opinion (Article 2, III), as well as the presence of the concept of informational self-
determination (Article 2, II), directly quoting the Recht auf informationelle Selbstbe-
stimmung from the 1983 ruling by the German Constitutional Court.62
In several places, the body of the LGPD demonstrates that some of its instruments
were shaped so that in situations where personality rights demand a major level of
protection, these rights should be particularly and inevitably considered. That is
the case, for example, for the general rule of verifying the feasibility of legitimate
interest as the basis for personal data processing, which may occur only if the rights
and freedoms of the data owner prevail—thus creating a concrete limit on the use
of legitimate interest grounded in the protection of the data owner (Article 7, IX).
Another clear example of protection of personality is the concept of sensitive data,
which demands a higher level of protection because there is a higher potential for
damage to the data owner. The LGPD went even further when it strictly forbade all
communications of health data for economic purposes (Article 11, § 4).
Some processual provisions in LGPD also strongly resonate with tools which are
commonly used to assure personality rights, and perhaps the most important of them
is the possibility given by Article 22 to use the available processual instruments,
whether individual or collective, broadly.
means, by a natural person or a legal entity of public or private law, with the purpose of protecting
the fundamental rights of freedom and privacy and the free development of the personality of the
natural person”.
60 Article 2 reads: “The discipline of personal data protection is grounded on the following: (…)
VII—human rights, free development of personality, dignity and exercise of citizenship by natural
persons”.
61 Rouvroy and Poullet (2009), pp. 45–76.
62 As to this right, cf. Albers (2005).
Personality Rights in Brazilian Data Protection Law … 51
5 Conclusion
Brazil lagged behind even multiple Latin American countries in introducing a General
Data Protection Law, doing so only in 2018. One of the reasons for the long duration
of this process was the novelty and even the complexity of some of the key tools and
concepts in the new legislation, many of them not yet present in Brazilian law, but
necessary to achieve harmonization with international and transnational standards
on data protection. One of the clear signs of it was, indeed, the vacatio legis period
established until the LGPD entered into force, which was originally 18 months, but
later expanded to 24 months, by Medida Provisória 869 of 2018—an uncommonly
long period by Brazilian legal standards.63
For the LGPD to fulfill its mission to provide Brazil with modern data protection
legislation in order to protect the individual, it will be important to recognize the
strong link between the new legislation and the doctrine and tradition of the rights
of personality, for at least three reasons.
First, as mentioned, the fact that the recognition of data protection as a fundamental
right is still a work in progress in Brazilian jurisprudence makes it essential to ensure
that data protection is strongly linked with the tradition of personality rights, assuring
that the protection of individuals in the face of the information society can use the
set of tools provided by private law to assure the data owners’ position regarding the
processing of their data.
Second, the bridging between personal data protection and personality rights
can avoid excessive “technicization” of the field of personal data protection within
the legal community. This process of “technicization” could transform personal
data protection into something similar to, for instance, telecommunication regu-
lation, making it a “small field” for a highly specialized group of lawyers basi-
cally concerned with compliance and economic regulation. That is not the case with
personal data protection, which is not only about economic regulation but essentially
about fundamental rights and personality rights.
Third, the Brazilian legal community was able to take advantage of its long tradi-
tion of personality rights, as explained in Part 2 of this chapter. By reshaping person-
ality rights into personal data protection—making it clear that personal data protec-
tion is about the free development of personality, informational self-determination,
and risk regulation—, Brazilian lawyers and scholars can think more clearly about this
new field of rights and obligations without abandoning a well-established tradition
and its humanistic character.
We do not need to abandon legal thinking from the past. We can use the best
that this legal thinking produced in private law to think about contemporary prob-
lems caused by information technology and the digitalization of society. This is the
challenge for the application of the General Data Protection Law.
63The LGPD, except articles 52–54, finally entered into force on September 18, 2020; the rules on
sanctions in articles 52–54 came into effect on August 1, 2021.
52 D. Doneda and R. A. F. Zanatta
References
Rouvroy A, Poullet Y (2009) The right to informational self-determination and the value of self-
development: reassessing the importance of privacy for democracy. In: Gutwirth S, Poullet Y, De
Hert P (eds) Reinventing data protection? Springer, Dordrecht, pp 45–76
Sacco R (1991) Legal formants: a dynamic approach to comparative law (Installment I of II). Am
J Comp Law 39(1):1–34
Santiago Dantas F (2001) Programa de Direito Civil: teoria geral. Forense, Rio de Janeiro
Sarlet IW (2022) The protection of personality in the digital environment. An analysis in the light
of the so-called right to be forgotten in Brazil. In: Albers M, Sarlet IW (eds) Personality and data
protection rights on the internet. Springer, Dordrecht, Heidelberg, New York, London (in this
volume)
Schertel Mendes L (2014) Privacidade, proteção de dados e defesa do consumidor - Linhas gerais
de um novo direito fundamental. Saraiva, São Paulo
Tácito C (1959) O Abuso do poder administrativo no Brasil: conceito e remédios. Rev De Direito
Administrativo 56:1–28
Tepedino G (1999) A tutela da personalidade no ordenamento civil-constitucional brasileiro. In:
Temas de direito civil. Forense, Rio de Janeiro, pp 23–54
Trubek DM (1972) Toward a social theory of law: an essay on the study of law and development.
Yale Law J 82(1):1–50
Zanatta R (2016) Consentimento Forçado: uma avaliação sobre os novos termos de uso do WhatsApp
e as colisões com o Marco Civil da Internet. Instituto Brasileiro de Defesa do Consumidor, São
Paulo
Danilo Doneda Ph.D. in Civil Law (UERJ). Professor at IDP. Director at CEDIS/IDP (Center
of Studies in Internet and Society). Member of the advisory board of the United Nations Global
Pulse Privacy Group, the Project Children and Consumption (Instituto Alana) and Open Knowl-
edge Brasil. Previously served as General Coordinator at the Department of Consumer Protection
and Defence in the Ministry of Justice (Brazil). Visiting researcher at the Italian Data Protection
Authority (Rome, Italy), University of Camerino (Camerino, Italy) and at the Max Planck Institute
for Comparative and International Private Law (Hamburg, Germany). Part of his work is available
at www.doneda.net/.
Rafael A. F. Zanatta Director of the Research Association Data Privacy Brasil. PhD Candi-
date at the University of São Paulo. Main areas of research: Data Protection Rights, Collective
Rights, Data Commons, Legal Theory and Sociology of Law. Selected Publications: A Proteção
de Dados entre Leis, Códigos e Programação: os limites do Marco Civil da Internet, in: Newton
de Lucca/Adalberto Simão Filho/Cíntia Rosa Pereira (eds.) Direito e Internet III: Marco Civil
da Internet. São Paulo: Quartier Latin, 2015, pp. 447–470; Economias do Compartilhamento e o
Direito, Curitiba: Juruá, 2017; Dados, Vícios e Concorrência: repensando o jogo das economias
digitais, Revista Estudos Avançados, v. 33, n. 96, 2019, pp. 421–446 (with Ricardo Abramovay);
Proteção de dados pessoais e direito concorrencial: razões de aproximação e potencialidades de
pesquisa, Revista Fórum de Direito da Economia Digital, Belo Horizonte, v. 3, 2019, pp. 141–
170 (with Bruno Renzetti); Dados pessoais abertos: pilares dos novos mercados digitais, Direito
Público, v. 16, n. 90, 2019, pp. 155–178 (with Ricardo Abramovay).
Realizing the Fundamental Right to Data
Protection in a Digitized Society
Jörn Reinhardt
1 The General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament
and the Council of 27 April 2016 on the protection of natural persons with regard to the processing of
personal data and on the free movement of such data—GDPR), which came into force in May 2018,
was certainly a major landmark. However, the process of “modernizing” data protection legislation
is ongoing and concerns a variety of projects on the level of secondary EU law. In particular, data
protection and e-privacy aspects still need to be coordinated. The reform of the e-privacy directive
is not yet completed.
J. Reinhardt (B)
University of Bremen, Bremen, Germany
e-mail: joern.reinhardt@uni-bremen.de
1 Introduction
The European Union has been renewing its legal framework for data protection in
the light of an increasingly digitized and “datafied” society.1 As threats to privacy
evolved, the European Charter of Fundamental Rights (CFR) acknowledged data
protection as a fundamental right. The “right to the protection of personal data”
differs in its degree of abstraction from the other “freedoms” guaranteed under Title
II of the Charter. Although Article 8 CFR has been in force for almost twenty years
now, it still provokes a number of elementary questions concerning its interpretation
and understanding. What does the “right to the protection of personal data” actually
protect? Obviously, it is not the data itself, but rather individuals and their interests
and, on a more abstract level, the integrity of social practices. If this is the case, then
what is the relationship between the right to data protection and the other fundamental
rights provisions of the Charter, especially the right to privacy (Article 7 CFR)?
Apart from the questions concerning the understanding of the right as such, the
effects of the right to data protection vis-à-vis private actors often remain unclear.
According to Article 51 CFR, the provisions of the Charter address the institutions
and bodies of the European Union and the member states when implementing EU law.
However, challenges for the protection of personal information not only result from
state action, but also from the inherent logic of the data economy.2 The dominant
advertising business model that is shaping large parts of internet communication,
so-called “surveillance capitalism”, implies that personal data is being “harvested”
systematically and comprehensively.3 Big data technologies enable innovation and
technological progress in many areas, but also bring with them various dangers for
personal rights and can even threaten our understanding of equality and democratic
processes.4
This contribution explains the objectives and central components of the funda-
mental right to data protection and then turns to the regulatory implications for the
data economy. Obviously, not every fundamental rights issue of digitization can be
solved by means of data protection. Systemic undesirable developments such as
the accumulation of information power require approaches that extend way beyond
Article 8 CFR. Nevertheless, the protection of personal data remains a crucial aspect
for the digitized public sphere.
2 A digitized society not only produces data to an exponentially increasing extent, but reproduces
itself by means of this data and is particularly dependent on it (cf. Mayer-Schönberger and Cukier
2013). Therefore, digitization does not only refer to the technical process of “datafication”, i.e. of
converting analog aspects of the life-world into data and information. The concept also refers to the
social effects (Baecker 2018), p. 59. The process of digitization changes the texture of social life
and social practises. The transformative circumstances do not result from one technology alone, but
the combination of “radical” technologies and technological developments such as the internet of
things, augmented reality, machine learning and artificial intelligence (Greenfield 2017), p. 253.
3 Zuboff (2019), p. 128.
4 O’Neil (2016), p. 199.
Realizing the Fundamental Right to Data Protection … 57
Article 8(2) CFR authorizes the processing of personal data only if certain conditions
are met. It provides that personal data “must be processed fairly for specified purposes
and on the basis of the consent of the person concerned or some other legitimate basis
laid down by law”. While the open formulation in Article 8(1) CFR (“right of every
person to the protection of personal data concerning him or her”) does not yet suggest
a particular data protection concept, Sect. 2 introduces further requirements that any
processing activity has to fulfill in order to be lawful. Processing of personal data is
only possible on a legal basis if it is sufficiently specific as to the purposes for which
the data is collected, used, processed and shared. The need to specify the purpose of
data processing is a mechanism that is supposed to safeguard the rights of the data
subject. It has a restrictive aspect insofar as it requires limiting data processing to a
specified purpose (“principle of purpose limitation”).
Nevertheless, the goal and the purpose of data protection remain largely under-
determined. At the outset, the CJEU adopts a rather technical approach. According to
the Court’s jurisprudence, any operation performed upon data or information relating
to an identified or identifiable natural person is relevant in terms of Article 8 CFR.
While this is consistent with secondary law definitions, it has its difficulties. For
instance, there are data analysis technologies that make it possible to trace back
even supposedly anonymous data to a certain individual. Whether or not data or
information can be assigned to a natural person depends very much on the required
effort, the context and the respective information technology. Therefore, further
criteria are needed in order to assess whether data processing actually interferes
with fundamental rights positions or not. At least, when it comes to balancing the
conflicting fundamental rights positions and legal interests, one needs a substantive
account for why data protection is important. The debate about the goal and purpose of
data protection is as old as the concept itself and cannot be avoided.5 Unsurprisingly,
there are plenty of suggestions for interpretation. It goes without saying that data
is not protected for its own sake. Prominent reasons for data protection include
privacy and informational self-determination.6 In addition, there are systemic and
functional aspects such as trust.7 Here, the legal discourse enters seamlessly into
ethical, political, sociological, but also information technology arguments. This only
increases complexity.
The aim of the debates around the goal or purpose of data protection is to establish
a normative foundation for the fundamental right, conceptually and dogmatically.
Any explanation of the purpose of data protection, however, is reductionist if data
protection is limited to a single value or principle.8 This first became clear in view of
5 Cf. Albers (2005), p. 361 on the coherence and plausibility of specific paradigms.
6 Cf. Simitis (1987) detailed analysis of the “quest for a concept” of privacy and the difficulties that
arise for the concept of privacy in an information society.
7 Waldmann (2018), p. 77.
8 Albers (2017), p. 12. It is therefore not surprising that data protection does not serve one specific
the relationship between data protection and privacy, whereby the fundamental right
of data protection needed to be detached from privacy protection and the protection
of particular private information.9 In an increasingly digitized society, the handling
of personal data can jeopardize freedom in a broader sense. This is true, among other
things, for the integrity of media, communications and democratic processes as well
as legitimate expectations of privacy. Since data protection cannot be limited to one
specific goal, the protection requirements vary.
This is apparent in the Court’s jurisprudence: The CJEU emphasizes the close
connection between data protection and privacy (Articles 8 and 7 CFR), but under-
stands Article 8 CFR as an independent guarantee10 that is of equal importance for
the exercise of other freedoms, in particular freedom of communication.11
As already noted, the provisions of the Charter are addressed explicitly to the insti-
tutions and bodies of the European Union and to the member states when they are
implementing European Union law. Article 51(1) CFR does not mention private
parties. That does not mean, of course, that fundamental rights standards have no
implications for private individuals or companies. Fundamental rights not only serve
as guarantees against disproportionate state interventions, limiting state interferences
and guaranteeing negative freedom, but also entail positive obligations of aid and
protection. The Charter contains sufficient elements to substantiate such obligations.
In order to understand the implications of Article 8 CFR on the data economy, it is
important to recall these elements.
Fundamental rights in general and the right to data protection in particular not only
have a negative, but also a positive dimension. The concept of a fundamental right as
merely a negative freedom goes back to the distinction between “state” and “society”
developed in eighteenth century political thought.12 In the liberal tradition, funda-
mental rights were guarantees against government power. Consequently, freedom
was understood as “negative” freedom from state intervention. This understanding of
fundamental rights and the related concept of negative freedom encountered various
objections from the beginning. Above all, the understanding (and the scope and
content) of fundamental rights positions was changed by the realization that societal
self-regulation does not produce a fair balance of interests.
The same debate has taken place in the Information Age. Again, the understanding
of the function and the role of fundamental rights corresponds to certain models of
order in the digital sphere.13 At the beginning of the internet era, the idea resonated
that the internet was a functioning (public) sphere as long as it was shielded from
external interventions. The “Declaration of Independence of Cyberspace” declared
by activist J. P. Barlow at the World Economic Forum in Davos in 1996 made use
of a rather naïve notion of freedom: “Governments of the Industrial World, […] I
come from Cyberspace, the new home of Mind. On behalf of the future, I ask you
of the past to leave us alone.” It not only quickly became apparent that government
influence would persist, but that self-regulation can also have dysfunctional effects.
For instance, the exercise of fundamental freedoms by some can easily undermine the
freedom of others.14 This reality has become increasingly familiar in the wake of the
development of big data technologies and the “datafication” of everyday life. Because
many do not perceive the inherent restrictions on their freedom, their submission
is voluntary. The surveillance possibilities of control will become more and more
numerous. It is also not just about monitoring online behavior—with the Internet of
Things (which has become a veritable Internet of Everything) any expression of life
can potentially be tracked and followed.
In view of the accumulation of data and information by large tech companies and
the global character of the Internet, the private/public distinction and state-centred
concepts of fundamental rights have obvious limits.15 However, it would not be plau-
sible to transfer the traditional obligations of the state to private actors without adap-
tations.16 Beyond the few tech giants, the data economy is extremely heterogeneous.
Establishing direct obligations on the part of private companies does not necessarily
mean that the affected users and data subjects will enjoy stronger fundamental rights
protections. An extension of the effect of fundamental rights does not change the
fact that private parties themselves can invoke fundamental rights on behalf of the
latter. This does not mean, of course, that the level of protection against the big tech
companies must fall short of the obligations of public authority. With the respective
responsibilities of the private parties in question, the scope of fundamental rights obli-
gations can in fact be equivalent to the direct obligations of the state in comparable
constellations (or even more extensive).17 Special responsibility, however, requires a
corresponding justification. There are a number of criteria for assessing the “degree”
of fundamental rights obligations of private parties. Mere economic or social power
as such does not entail a special responsibility for fundamental rights. Fundamental
13 Cf. already Karavas (2007), p. 36. On the different types of “horizontality” see Frantziou (2019),
p. 37.
14 Goldsmiths and Wu (2006), p. 129.
15 Cf. also Kotzur (2022), in this volume.
16 Fischer-Lescano (2016), p. 163.
17 At least, this would be in line with the jurisprudence of the German Federal Constitutional Court
for private operators of public spaces (see, for further references, Hochmann and Reinhardt 2018).
60 J. Reinhardt
rights obligations extend to private actors inasmuch as these actors set the conditions
for the exercise of the fundamental freedoms of others.18
The straightforward legal obligations aside, human and fundamental rights are an
important element in the “self-constitutionalisation” of certain societal spheres. The
big tech companies are increasingly using fundamental rights standards as guidelines
for self-regulation. One prominent example is the evolution of community standards
for managing user-generated content on the big social networks and communication
platforms. Tech companies realize that they have obligations towards their users that
go beyond a mere contractual relationship. Due process guarantees, fundamental
rights or international human rights are touchstones in the formulation of community
standards.19
Whatever the specific function and character of the rights in question, the negative
dimension of fundamental rights and the protection against state intervention are
clearly not sufficient. Systemic dangers demand systemic responses. Article 8 CFR
was explicitly drafted as a “right to protection of personal data” and demands that the
level of protection as well as the respective instruments are adapted to the individual
risks.
The legal responsibility for realizing Article 8 CFR therefore falls to European legis-
lators as well as the data protection authorities and the courts, in particular the
European Court of Justice. Specifically in the area of data protection law, the legis-
lators regularly emphasize the need to effectively protect fundamental rights.20 The
declared aim of the GDPR is the protection of fundamental rights (Article 1 para
2 GDPR). In realizing fundamental rights, questions relating to the separation of
powers have to be taken into.21 One institutional consequence of the distinction
between negative and positive obligations is that the political legislature has a rather
broad scope for action. Positive obligations are not as determined as negative ones.
The legislator usually has a broad range of options for fulfilling fundamental rights
obligations. The rights of the Charter limit the scope of legislative decisions in two
ways. As a positive obligation, Article 8 CFR calls for a data protection concept that
is sufficiently effective. As negative obligations, the rights of the Charter ensure that
interventions in favor of privacy and data protection satisfy the justification require-
ments of the fundamental rights positions in question. Between these two poles,
there is considerable legislative leeway, which permits the legislator to react to the
The primacy of legislative decisions comes to an end, of course, when the legislature
operates with open and general norms. In such cases, responsibility almost inevitably
shifts to the courts.24 The CJEU is poised to take an active role. As the Google Spain
ruling shows, the court derives far-reaching requirements for the design of the legal
system from Articles 7 and 8 CFR. By creating “a right to be forgotten”,25 the court
actively interfered in the ongoing legislative process. Even though it is generally
compatible with the role of a high or supreme court to identify and counter systemic
problems,26 basic requirements have to be met. This includes taking into account the
multipolarity of fundamental rights relations. The protection of personal data vis-à-
vis private actors does not adhere to the same model concerning the justification of
state interferences with its strict proportionality test. It requires balancing the various
interests and rights positions. The balancing does not only involve the freedom of
information of search engine users on the one side and the privacy rights of those
affected on the other. It also involves the service provider and its overall role and
function in the communicative sphere. Concerns of fundamental data protection must
be seen, as the CJEU puts it, “with regard to its social function” and in relation to other
legal positions. They range from the information interests of users of search engines
and social media platforms and the interests of service providers in improving or
further developing their applications to the interest of rights holders in the use of
software to protect their works against copyright infringements and of homeowners
in the use of surveillance cameras against vandalism.
If the “multipolarity” of fundamental rights relations is not taken into account, the
results will be one-sided and possibly dysfunctional. This is not always reflected in
22 Another possibility for a court to respect its functional boundaries is to formulate general norma-
tive requirements and leave it up to legislators to implement them in secondary data protection law.
Similar strategies apply with respect to the member states. In the Ryneš case, the Court of Justice
did not itself carry out the balancing test, but left it to the referring Czech court to do so. CJEU,
11.12.2014, C-212/13, para 34. – Ryneš. Cf. also CJEU, 29.1.2008, C-275/06 – Promusicae as well
as CJEU, 9.3.2017, C-398/15 – Manni. This is one possible approach for preserving a certain diver-
sity in the European system of fundamental rights protection. Cf. for this debate Franzius (2015),
passim.
23 Howard (2015), p. 255.
24 Despite the comparatively tight data protection regulations in the non-public realm, the courts still
have considerable discretion in weighing the conflicting fundamental rights positions. Cf. CJEU,
13.5.2014, C-131/12 – Google Spain and CJEU, 11.12.2014, C-212/13 – Ryneš.
25 On this subject in detail Sarlet (2022), in this volume, and Schimke (2022), in this volume.
26 Cf. Albers (2012), p. 266.
62 J. Reinhardt
the Court’s methodological approach. In Google Spain, the CJEU proceeds in such a
way that data processing is initially seen as an interference in Articles 7 and 8 CFR.
This interference is then tested for proportionality.27 From this point of departure,
the Court concludes that the rights protected by Articles 7 and 8 CFR outweigh
conflicting interests.28 However, there is a difference between the level of secondary
data protection law and the level of fundamental rights which must be respected.
A change in methodology does not imply that intermediaries cannot be obliged to
protect privacy and personal data, but would shift the justification requirements.
In a recent decision, the CJEU refers to the case law of the European Court of
Human Rights (ECtHR) on press publications in order to balance the right to privacy
and the right to freedom of expression.29 The criteria which must be taken into
account are therefore, inter alia, contribution to a debate of public interest, the degree
of notoriety of the person affected, the subject of the news report, the prior conduct of
the person concerned, the content, form and consequences of the publication, and the
manner and circumstances in which the information was obtained and its veracity.30
The requirements of Article 8 CFR that apply to state interventions do not auto-
matically apply to the data processing by private parties. Data processing by public
authorities is subject to the precautionary principle, the need for a legal basis when
processing personal data and the requirements of purpose definition and purpose
limitation. At the same time, data processing by private companies clearly can have
severe implications not only for private individuals, but also for society as a whole.
“Processing” of personal data, however, is a fundamental operation in a digitized
society that ranges from individual street photographers and the surveillance cameras
of private homeowners to the big social media companies that not only design indi-
vidual services, but entire ecosystems in which they permanently observe users and
make them the subject of ongoing behavioral experiments.31 Given the heterogeneity
of the digital economy, the scope of the fundamental right to data protection cannot
be conceived in a uniform way. This is all the more the case as it remains unclear
whether the concepts of data protection against state interventions are useful to regu-
late the information economy as a whole. A regulatory concept that is sensible with
regard to state intervention is not necessarily sensible for the data economy in which
rights are to be given the same meaning and the same scope as the corresponding rights of the
Convention for the Protection of Human Rights and Fundamental Freedoms, signed at Rome on 4
November 1950 (ECHR). Article 7 CFR contains rights which correspond to those guaranteed by
Article 8(1) ECHR. The same applies for Article 11 CFR and Article 10 ECHR.
30 Ibid. para 66.
31 Zuboff (2019), p. 199.
Realizing the Fundamental Right to Data Protection … 63
the disclosure of personal data is no longer exceptional. The mere need for high
standards of protection does not mean that the concept of protection must be the
same.32
As we have seen, the fundamental rights obligations of private actors depend
very much on the context. Article 8 CFR contains broad principles that can limit
private autonomy and economic freedoms in various ways. The abstract principles
of the fundamental right to data protection can result in very different regulatory
approaches. While it is the task of the legislator to enact general data protection rules,
the Court of Justice must take account of the principles set out in Article 8 CFR when
applying secondary law in general and GDPR rules in particular.33 The fundamental
rights principles have a normative force and shape the understanding of various
data protection instruments as set out in the regulation. This not only concerns the
mechanism of consent (Sect. 4.1). The principles are also important for the question
to what extent the interests of the data subject can be objectified (Sect. 4.2). Important
decisions on processing personal data cannot be imposed entirely on the contracting
parties. Article 8 CFR demands a legal framework that distributes the opportunities
and risks of data use. Finally, they have consequences for the understanding of the
rights to information (Sect. 4.3) and the guarantee of data security (Sect. 4.4).
One important dimension of data protection as a fundamental right concerns the indi-
vidual’s control over personal data and information. However, the conceptualization
of data protection in terms of the aspect of control, especially individual control, has
notable limitations. One issue involves the role of consent as a legitimate ground
for the processing of personal data. Even though there is a long-standing critique,
especially from behavioral economics scholars, of the idea of data protection as
control, it still predominates.34 As Woodrow Hartzog recently put it with a view
to European secondary law: “an empire of data protection has been built around
the crumbling edifice of control”.35 Consent requirements are supposed to ensure a
self-determined handling of personal data. As an instrument of (informational) self-
determination, however, consent is as elementary as it is demanding.36 A conception
of informational self-determination that overestimates individual abilities can easily
have negative effects: “The idealisation of control in modern data protection regimes
32 Cf. Buchner (2006). European legislators have opted for a high degree of convergence of stan-
dards for data processing in the private and public sector. This does not mean, however, that a
fundamentally different concretization would not have been possible and that the legislator does
not have a far-reaching scope for shaping data protection in the private sector in a different manner.
Cf. Reinhardt (2017), p. 556. See also Marsch (2018), p. 269.
33 Unseld (2018), p. 181.
34 Cf. for further references Reinhardt (2017), p. 558.
35 Hartzog (2018), p. 425.
36 Cf. also the considerations of Schertel Mendes (2015), esp. p. 129 ff.
64 J. Reinhardt
like the GDPR and the ePrivacy Directive creates a pursuit that is actively harmful
and adversarial to safe and sustainable data practices. It deludes us about the efficacy
of rules and dooms future regulatory proposals to walk down the same, misguided
path”.37
In the digital economy, data processing by private companies often depends
on the consent of users. This is in line with Article 6 GDPR. Article 8 CFR,
however, demands a free consensus and protects as far as possible the conditions for
autonomous decision-making. In cases where there is an extreme imbalance of power,
for example, consent of the data subject is not an expression of self-determination.
If the negotiating positions of the contracting parties are so uneven that one side is in
fact able to dictate the terms of the contract, the conditions for contractual autonomy
are effectively undermined. This appears to be the case with the large social networks
because of their ‘hegemonic’ position. One dimension of Article 8 CFR is to secure
elementary conditions of autonomous decision-making with regard to personal data.
The GDPR takes this into account by laying down criteria for a freely given consent,
which, in turn, have to be interpreted in light of Article 8 CFR.38
In view of the limits of the consent mechanism, it may be in the interest of effective
data protection that the processing of certain categories of personal data is prohibited
from the outset, irrespective of possible consent. Article 8 CFR is a justification for
strong regulatory measures vis-à-vis exceptionally powerful companies and within
the context of structural power relations. Conversely, it is also within the purview of
the legislator to allow the processing of personal data without the consent of the data
subjects if the potential effects of the data processing are negligible. The positive
obligations of Article 8 CFR allow for the “objectification” of the interests of the
data subjects. At the same time, consent remains a component of self-determination.
Inherent to fundamental rights guarantees is the decision to what extent fundamental
freedoms are exercised and which restrictions are accepted for the sake of other
advantages. For example, the installation of the Facebook Research App,39 which
37 Ibid.
38 The GDPR defines consent in Article 4(11): “any freely given, specific, informed and unam-
biguous indication of the data subject’s wishes by which he or she […] signifies agreement to
the processing of personal data relating to him or her”. The further relevant provisions are Article
6(1) GDPR (consent as a lawful basis for processing personal data) and the prohibition of consent
bundling in Article 7(4) GDPR: “When assessing whether consent is freely given, utmost account
shall be taken of whether, inter alia, the performance of a contract, including the provision of a
service, is conditional on consent to the processing of personal data that is not necessary for the
performance of that contract”.
39 On Facebooks Research VPN see the TechCrunch report “Apple bans Facebook’s Research app
that paid users for data” (February 2019) available at: https://techcrunch.com/2019/01/30/apple-
bans-facebook-vpn/. Accessed 11 Jan. 2022.
Realizing the Fundamental Right to Data Protection … 65
paid users for allowing the company to track all of their online and phone activity, is
not per se in violation of Article 8 CFR. If there are no minors involved (which was
actually the case), an explicit consent is not in principle invalid.
Finally, Article 8 CFR requires the legislator to ensure the possibility of self-
determined decisions in the long term. This would be undermined, for example,
if service providers only allowed registration with the profile of the largest social
network. The obligation to allow a variety of verification options (including anony-
mous or pseudonymous profiles) does interfere with the economic freedoms of
service providers, but it is justified by the legislative responsibility to guarantee
the protection of personal data. Such provisions not only serve the purpose of data
protection, but they also take into account aspects of consumer protection and market
regulation. However, such legislation—like a right to data transferability - can indi-
rectly promote a data protection-friendly attitude. Article 8 CFR does not require
such provisions, but the positive obligation towards Article 8 CFR may justify the
restrictions on the economic freedom (Article 15 CFR) of the companies concerned.
The system of checks and balances that is required under Article 8(2) CFR includes
transparency in the handling of personal data. Article 8(2) CFR grants the data
subjects a right to information and rectification. The obligation of the data processing
bodies to provide information is intended to ensure that personal data are handled
in accordance with data protection law. The fundamental right to information and
rectification has no immediate effect on private companies. The extent to which the
right to information pursuant to Article 8(2) CFR applies to private companies must
be determined by the legislator. The GDPR defines information rights broadly and
only allows limited possibilities for refusing information.40 The right to information
is also secured by the guarantee of effective legal protection, Article 47 CFR. A
regulation that does not provide for the possibility of obtaining access to data relating
to a person by means of a legal remedy or of obtaining their correction or deletion
violates the right to effective judicial protection laid down in Article 47 CFR.41 An
effective protection of fundamental rights requires transparency in the data collection
activities, which often remain hidden from the user.
Another important element of Article 8 CFR are standards of data security. Although
Article 8 CFR is not explicit about data security requirements, the right to data protec-
tion is also understood by the Court as essentially a guarantee of data security. In
the Digital Rights case, the CJEU justifies the obligation to store telecommunication
metadata within the European Union, as otherwise an independent control of the
standards of data protection and data security could not be guaranteed.42 Article 8
CFR demands standards of data security and technical precautions to ensure effec-
tive protection against the unlawful handling, unauthorised access and misuse of
personal data. Compliance with technical standards to ensure data security is not
only a prerequisite for the proportionality of government intervention, but equally
important in the data economy. The necessary level of data security depends on the
type of data and information. Sensitive bank or credit card data must be secured by
other means than those used for consumer data that is less susceptible to misuse. The
importance which Article 8 CFR gives to aspects of data security is now safeguarded
by the GDPR through liability and sanction mechanisms.
5 Conclusion
Article 8 CFR not only establishes a negative right against state action, but has
regulatory implications for the digitized society as a whole. Article 8 CFR guarantees
the protection of personal data, regardless of whether they are processed by the
state or by non-state actors. Nevertheless, realizing the fundamental right to data
protection requires a differentiated approach. It has to consider the scope and function
of the fundamental right as well as the separation of powers. Article 8 CFR entails
positive obligations, on the part of legislators and the courts. While it is the task of
the legislator to create sufficiently effective and therefore sufficiently complex data
protection rules, it is for the courts to apply these rules in light of the data protection
principles. They both have to take into account that fundamental rights relations
between private parties are “multipolar” from the outset. The manifold interests in
“processing” data counterbalance the right to the protection of personal data. Article
8 CFR is not merely a subset of the right to privacy, but contains basic principles of
data protection that serve a variety of purposes. In addition to the protection of privacy
and personality rights, the protection of personal data is particularly important for
the exercise of fundamental freedoms and the integrity of communications.
42 CJEU, 8.4.2014, C-293/12 and C-594/12 – Digital Rights Ireland, para 68. This corresponds to a
right of the persons concerned to turn to the national supervisory authorities to protect these funda-
mental rights. CJEU, 6.10.2015,C-362/14 – Schrems, para 72. The national supervisory authorities
are competent to check whether a third country guarantees an adequate level of data protection,
cf. CJEU, 6.10.2015, C-362/14 – Schrems, para 58. For a detailed analysis of the Digital Rights
Ireland-Decision see Albers (2022), in this volume.
Realizing the Fundamental Right to Data Protection … 67
References
Reinhardt J (2019) Conflitos de direitos fundamentais entre atores privados. “Efeitos horizontais
indiretos” e pressupostos de proteção de direitos fundamentais. Direitos Fundamentais & Justiça
Sarlet IW (2022) The protection of personality in the digital environment: an analysis in the light
of the so-called right to be forgotten in Brazil. In: Albers M, Sarlet IW (eds) Personality and data
protection rights on the internet. Springer, Dordrecht, Heidelberg, New York, London (in this
volume)
Schertel Mendes L (2015) Schutz vor Informationsrisiken und Gewährleistung einer gehaltvollen
Zustimmung. Eine Analyse der Rechtmäßigkeit der Datenverarbeitung im Privatrecht. De
Gruyter, Berlin, Boston
Schimke A (2022) Forgetting as a social concept. Contextualizing the right to be forgotten. In: Albers
M, Sarlet IW (eds) Personality and data protection rights on the internet. Springer, Dordrecht,
Heidelberg, New York, London (in this volume)
Simitis S (1987) Reviewing privacy in an information society. Univ Pennsylvania Law Rev 135:707–
746
Unseld C (2018) Zur Bedeutung der Horizontalwirkung von EU-Grundrechten. Mohr Siebeck,
Tübingen
Veil W (2018) The GDPR: the emperor’s new clothes—On the structural shortcomings of both
the old and the new data protection law. Neue Zeitschrift für Verwaltungsrecht, pp 686–696.
Available at SSRN https://ssrn.com/abstract=3305056. Accessed 11 Jan. 2022
Waldmann AE (2018) Privacy as trust. Cambridge University Press, Cambridge
Zuboff S (2019) The age of surveillance capitalism: the fight for a human future at the new frontier
of power. Public Affairs, New York
Jörn Reinhardt Professor of Public Law at the University of Bremen (Germany). Main areas
of research: Constitutional Law, Fundamental Rights, Law of the Information Society, Legal
and Political Theory and Philosophy of Law. Selected Publications: „Recht auf Vergessen“ auf
Französisch, in: Datenschutz und Datensicherheit (44) 2020, pp. 361–364, https://doi.org/10.
1007/s11623-020-1284-2; Thomas Hochmann/Jörn Reinhardt (eds.), L’effet horizontal des droits
fondamentaux, Editions Pedone, Paris 2018; Konturen des europäischen Datenschutzgrundrechts.
Zu Gehalt und horizontaler Wirkung von Art. 8 GRCh, Archiv des öffentlichen Rechts (AöR)
142 (2017), pp. 528–565; Human Rights, Human Nature, and the Feasibility Issue, in: Marion
Albers/Thomas Hoffmann/Jörn Reinhardt (eds.), Human Rights and Human Nature, Springer,
Dordrecht/Heidelberg/London/New York 2014, pp. 137–158.
Surveillance and Data Protection Rights:
Data Retention and Access
to Telecommunications Data
Marion Albers
Abstract Communication on the Internet and in the onlife world are accompa-
nied by digitization and datafication which, in turn, open up increasing potential for
surveillance. This transformation of communication into data means that the Internet
facilitates unprecedented forms of mass surveillance. One illustrative example is that
states aim at imposing an obligation on Internet service providers to retain particular
data and make them, under certain circumstances, accessible to security agencies. In
Europe, data retention has been the subject of a strong protest movement and of an
ongoing public discourse on how to strike a balance between liberties and security
needs. This contribution discusses the notion and novel features of surveillance under
Internet conditions. Attention is also paid to protection needs and to interests and
rights safeguarding people against surveillance. The article then analyzes the series
of manifold and partly divergent decisions which the German Federal Constitutional
Court and the European Court of Justice have handed down on the regulations on data
retention. Although the courts have developed a spectrum of legal requirements and
defined a bundle of individual rights as well as demands for control and evaluation,
we must conclude that they are still struggling to deal with the challenges, protection
needs and specification of convincing legal frameworks. The surveillance potential
inherent to the Internet and datafication calls for many new approaches.
M. Albers (B)
University of Hamburg, Hamburg, Germany
e-mail: marion.albers@uni-hamburg.de
1 Introduction
Since the advent of the Internet era, an increasing part of everyday life has shifted
onto the digital level. The Internet is providing a global infrastructure which gives
rise to a wide range of electronic communications services and novel communication
structures. Not only have new ways of communication been established, such as e-
mail, messenger services or social media platforms, but by now everyday activities
such as information retrieval, banking or shopping can quickly be managed via the
Internet. The onlif e world1 comes hand in hand with digitization and “datafication”.2
These developments, in turn, are accompanied by increasing potential for and novel
dimensions of surveillance.
In the case of state and intelligence services, the revelations published in June
2013 by Edward Snowden in particular have demonstrated the extent of governmental
surveillance as well as the new methods of surveillance. He introduced the world
to the PRISM program which is used by the NSA to obtain access to the servers
of major technology companies as well as to several other programs operated by
the intelligence services of the US or other states, for example the British GCHQ.3
Knowledge of the extent and intensity of such surveillance practices has prompted
protests and human rights complaints by citizens.4 Beyond that, it has led to conflicts
between different states, especially when state representatives themselves were the
object of surveillance, initiated, among others, by Brazilian/German collaborations in
political arenas, and promoted or accelerated by various regulatory efforts.5 Covering
a spectrum of objectives and regulations, the Brazilian Law 12.965/14, the “Marco
Civil da Internet”, for example, was an entirely new approach to regulating the crucial
challenges posed by the Internet.6
The conditions prevalent on the Internet and the Snowden revelations also make it
clear that surveillance can no longer be understood through the metaphors that shaped
the post-twentieth century dictatorship period: a single all-knowing oppressive force
at the top of a pyramid as George Orwell depicted in the novel Nineteen Eighty-
Four.7 Instead, it extends to diverse fields and is ramified and recombined time and
again. Surveillance is literally ingrained into the fabric of the Internet. This is due
1 For this term see Floridi (2015); Hildebrandt (2016), pp. 1ff.
2 This term was introduced by Cukier and Mayer-Schönberger (2013), pp. 73ff.
3 Greenwald (2014); Harding (2014).
4 See, e. g., ECtHR (Grand Chamber), Judgment of May 25, 2021—Application no. 58170/13, Big
Brother Watch and Others v. the UK; no. 62322/14, Bureau of Investigative Journalism and Alice
Ross v. the UK; and no. 24960/15, 10 Human Rights Organisations and Others v. the UK, and
Judgment of May 25, 2021—Application no. 35252/08 Rättvisa v. Sweden; both available under
http://hudoc.echr.coe.int. See also the decision of the German FCC, Judgment of May 19, 2020, 1
BvR 2835/17, available at: http://www.bundesverfassungsgericht.de.
5 Cf. Bauman, Bigo, Esteves, Guild, Jabri, Lyon and Walker (2014), pp. 127ff.
6 Doneda and Zanatta (2022), Sect. 1 and 3.2; Molinaro and Ruaro (2022), Sect. 4, both in this
to socio-technical factors, not least to the fact that data is a source of commercial-
izable knowledge. Advances are continuously being made in technologies capable
of gathering, storing or analyzing huge amounts of data. Given that major telecom-
munications providers or intermediaries such as Google or Facebook hold dominant
market positions, they are the ones in control of vast data collections. App providers,
tracking companies or data brokers enter the picture as well.8 All these enterprises
rush into processing, aggregating, searching, cross-referencing and selling more or
less personalized data as long as no legal regulation prevents them from doing so.
More than ever before, private players are observing people, attitudes, behaviors or
communications and collecting, analyzing and using the data. Hence, the surveil-
lance scenarios relevant nowadays often encompass the interplay between the data
collections of private companies and the access requests of government agencies.9
The sector of telecommunications and telemedia is particularly illustrative here. But
there are numerous other areas: financial institutions and account data, airlines or
transport companies and mobility data, health services or biobanks and health data.
Advances achieved with the Internet of Things and the Internet of Bodies will open
up further fields as well.
This background explains why, at least in Europe, “data retention” has become a
major issue in ongoing debates about surveillance and the focus of a very powerful
protest movement. In the context of the former EU Data Retention Directive (EU-
DRD)10 and the relevant laws of the member states, the term involves the obligation
of particular providers to retain particular personal (meta)data generated in telecom-
munications for the purpose of enabling authorities at a later point in time to gain
access to and make use of these data.11 These measures are highly contested. Some
criticized them as mass surveillance without any particular cause or as the most
invasive instrument ever adopted by the EU in terms of how it invades privacy, its
the retention of data generated or processed in connection with the provision of publicly available
electronic communications services or of public communications networks and amending Directive
2002/58/EC, Official Journal L 105/54. In 2014, the European Court of Justice (ECJ) declared this
directive invalid, see Sect. 4.3.1 of this article.
11 There are fields other than telecommunications, e. g., the retention of passenger name records,
cf. ECJ (Grand Chamber), Opinion of July 26, 2017 – 1/15, curia.europa.eu, Vedaschi and Marino
Noberasco (2017), or the retention of banking data in order to keep them available for the purposes
of combating money laundering or financing of terrorism; see inter alia Milaj and Kaiser (2017).
Legally, each field has distinct characteristics of its own.
72 M. Albers
scale and the number of people it affects.12 Others argued that the temporary reten-
tion of metadata results in only minor intrusions or risks.13 The divergent points of
view indicate that there is a need to clarify the reasons for the normative protection
against surveillance in order to determine why, under what conditions, to what extent
and how people should be protected against what form of surveillance. Given how
the Internet has spread and the surveillance measures it has made possible, this is
urgently necessary across multiple sectors.
This article addresses questions of data retention, subsequent governmental access
to telecommunications data and extracting information from these data as one of the
best examples of the new possibilities of surveillance. Section 2 analyses the concept
of surveillance and protection needs as well as protected goods and individual rights.
Because surveillance should not be understood as a strictly homogeneous exercise,
more issues are affected than only those related to “privacy”. Section 3 deals with
breaking down data retention and subsequent data access into different elements
and identifying threats to freedom and regulatory options. Section 4 explains the
European and German legislation as well as the series of decisions of the European
Court of Justice and the Federal Constitutional Court. The last section centers on the
legal requirements developed through the network of courts and on remaining open
questions.
However, whether, how and to what extent surveillance is actually expanding depends
just as much or even more on other technological and societal developments. Surveil-
lance is framed and takes place within social contexts. And even if “key trends of
surveillance”15 are indicative of expansion, surveillance is not a homogeneous exer-
cise but appears in various manifestations and is uneven both in its penetration of
society and its consequences.16 Concepts and contexts have to be clarified, fields,
12 As an example of objections see European Data Protection Supervisor, “Opinion of the Euro-
pean Data Protection Supervisor on the Evaluation report from the Commission to the Council
and the European Parliament on the Data Retention Directive (Directive 2006/24/EC)“, 31
May 2011, https://edps.europa.eu/sites/default/files/publication/11-05-30_evaluation_report_drd_
en.pdf (accessed 11 Jan. 2022).
13 Cf., e. g., Schluckebier, Dissenting Opinion, Judgment of the FCC of March 2, 2010, 1 BvR
256/08, 263/08, and 586/08 (= BVerfGE 125, 260; available also in English at: www.bundesverfas
sungsgericht.de), paras 312ff. In connection with this judgment, see Sect. 4.2 of this article.
14 Bennett, Haggerty, Lyon and Steeves (2014), p. 6.
15 Bennett, Haggerty, Lyon and Steeves (2014), pp. 13ff.
16 Coleman and McCahill (2010), pp. 4ff., 8.
Surveillance and Data Protection Rights: Data Retention … 73
forms and methods must be differentiated and systematized, and the protection needs
have to be worked out more closely. Only then will it become clear what new chal-
lenges are being posed by the Internet, against what background the debates on data
retention are to be understood, and what problems are associated with this form of
surveillance.
“Surveillance Society” has always been one of the catchwords used to grasp an exten-
sion and intensification of surveillance against which people have to be protected.
Generally speaking, surveillance is a very broad term. An object is observed in
terms of a specified benchmark using certain methods, modes and instruments and
a comparison is made of the extent to which the behaviors, processes or outcomes
observed correspond to this benchmark as a reference or target value. The core
element of surveillance is the production of knowledge through observation, storage
and processing, analysis or evaluation and comparison. Surveillance never traces the
entire real picture, but selectively focuses on certain aspects instead. However, it
is often not possible in a “target-specific” manner, but is usually associated with a
range of events, i.e., more is observed than is strictly relevant to the actual surveil-
lance target. It is also important to take into account that surveillance is not limited
to watching or data collection but includes further data and information processing
extending from data storage and modification to analysis and use in decisions. Within
an abstract framework,17 its essential function lies in aligning the actual activities
and outcomes with the benchmark and exerting related influence on the object under
surveillance, on general conditions or on future activities or people’s behavior.18
Accordingly, surveillance results are the basis for decisions on the extent to which
corrective measures or sanctions are required, whether on an individual or an over-
arching level. Such decisions can be made later, in other contexts or by specialized
actors. Knowledge acquisition and decisions based on surveillance results may be
more or less closely linked to the preceding data processing and may differ depending
on actors and perspectives. Thus, surveillance is a process with several elements, but
it does not necessarily follow a linear course. Surveillance gains in effectiveness as
a result of the fact that persons under surveillance often adapt their behavior them-
selves. Regardless of later adjustments or sanctions, the production of knowledge
already changes the relationship between the persons involved in a positive or nega-
tive way. Beyond the processes of gathering and handling data, information and
knowledge, the surveillance methods or techniques employed and the modes chosen
17 In concrete contexts, the functions can be more specific and diverse. In asymmetrical relationships,
for example, surveillance is a means of constantly reproducing and stabilizing power relationships.
18 Cf. also the definition of Lyon (2007), p. 14: Surveillance is the “focused, systematic and routine
and use of data increases the need for further data in order to classify and under-
stand the original data. An essential characteristic of modern surveillance is also the
fact that techniques, codes and programs shape the data as well as data processing
and change the forms of knowledge acquisition. Surveillance is “dataveillance”23
and reconstructs parts of individuals from data trails as “data doubles”.24 In the end,
although to a certain extent limited by, e. g., the possibilities of anonymous communi-
cation and technically sophisticated encryption,25 the Internet and associated socio-
technological developments make surveillance of identified persons or of groups
and organizations or bulk surveillance possible to a degree unprecedented. A lot of
specific data is accumulated in numerous contexts—location data, travel data, finan-
cial data, electronic communications metadata or content data,26 and these data are
often informative in itself, but can also be compiled to create an in-depth profile. The
problem is on the one hand the range of the collection, linking and analysis options
and on the other hand the technically influenced selectivity of the results. Regarding
the modalities for carrying it out, surveillance is often invisible and intransparent,
not only in the data collection phase but more importantly also with regard to subse-
quent data processing. The use of artificial intelligence will significantly reinforce
this. We can also foresee that new surveillance technologies will “not only afford
a mediated gaze from a distance, but also acting, intervening, and pre-empting at a
distance”.27 Increasingly, surveillance is being and will continue to be carried out in
an interplay of different participants, in an “overlapping and entangled assemblage
of government and corporate watchers”.28 All these peculiarities can be found in
more or less pronounced form in data retention—and explain why it has become a
central paradigm of surveillance.
cation technologies enable the intensification of surveillant attention, providing the material condi-
tions for it to become continuous, pervasively distributed, and persistent. Those capabilities in turn
enable modulation: a set of processes in which the quality and content of surveillant attention can
be modified continually according to each subject’s behavior, sometimes in response to inputs from
the subject but according to logics that ultimately are outside of the subject’s control”.
28 Richards (2013), p. 1936.
76 M. Albers
precisely in specific contexts and if the social relationships that exist in the back-
ground as well as the various perspectives of the people involved are included, addi-
tional aspects enrich the picture. We can work out who should be protected under
what circumstances against what measures for what reason, and how surveillance
must therefore be regulated. Subjects of protection can be persons, groups or orga-
nizations, or the society (and, indirectly, its citizens). Protection can be directed
against the surveillance processes themselves and the associated knowledge acqui-
sition, against the surveillance methods and technologies, or against the mode of
surveillance, for example, whether it takes place overtly or covertly. The reasons for
protection are a variety of protection needs. These include, among other things, the
possibility for individuals to behave freely, feel confident, enjoy social recognition
and participate in shaping their social role.
When we look at the individual person under surveillance, the surveillance can
cause a wide range of adverse effects resulting from the information created, the
surveillance methods and technologies or the surveillance modes. As a consequence
of actual or assumed surveillance, social relations between observed and observing
persons inevitably change. An effect that is often emphasized is the adaptation of
observed persons to surveillance in their behavior or in their communications. This
already happens regularly through “internalized discipline”.29 Behavior or communi-
cations under surveillance conditions are different from what they would be without
surveillance. Free spheres may no longer be used “freely” and thus their protec-
tive function for selfhood as well as their social potential is restricted.30 The self-
perception of individuals as an autonomous individual may be questioned, in partic-
ular in cases of surveillance without cause, where individuals can no longer influence
whether they are subjected to surveillance or not through their own behavior.31 In
connection with feelings or emotions, surveillance can lead to social pressure, social
awkwardness and insecurity, shame or feelings of inferiority. Surveillance methods
such as the use of covert investigators may result in reductions in the level of trust the
person under surveillance builds in social relationships. In a similar way, surveillance
processes that are intransparent either due to their secrecy or to technical features
affect the reliability of expectations and the building of trust in the social environ-
ment, which to a certain extent are essential conditions of freedom.32 The social
29 Cf. with regard to Bentham’s prison-Panopticon Timan et al. (2017), p. 733: “the goal of surveil-
lance is to reform the individual (all aspects of the person), in order to create perfect and internalized
discipline and make punishment unnecessary”.
30 Cf. Cohen (2017), p. 459: “Subjectivity – and hence selfhood—exists in the gap between the
reality of social shaping and the experience of autonomous selfhood”; Richards (2013), pp. 1945ff.
with regard to “intellectual privacy”. See also Mitrou (2010), p. 138: “under pervasive surveillance,
individuals are inclined to make choices that conform to mainstream expectations”. See also the joint
partly concurring opinion of Judges Lemmens, Vehabović and Bošnjak, ECtHR (Grand Chamber),
Judgment of May 25, 2021—Application no. 58170/13 et al., Big Brother Watch and Others v. the
UK et al., http://hudoc.echr.coe.int, para 4-8.
31 Cf. Grimm (1991), p. 198.
32 Cf. Albers (2005), pp. 469ff.; see also Bennett, Haggerty, Lyon and Steeves (2014), p. 4: “Having
role of the person under surveillance is always altered by surveillance. This is also
true even when, as under the conditions brought about by the Internet and modern
surveillance techniques, the person under surveillance and the person carrying out
the surveillance or the different elements of surveillance processes are independent
of each other: People know that personal data and more and more such data are
being collected and combined, but the people carrying out the surveillance, their
knowledge and the resulting effects remain more or less abstract. Dealing with this
uncertainty even poses demanding challenges. Consequently, the assertion that the
mere collection or recording of data is not yet a problem and does no harm33 is not
true—it is precisely the unforeseeable possibilities of use and misuse and the unpre-
dictable effects that make it a problem. Surveillance always changes the social role
of the people carrying out the surveillance as well. Under certain circumstances, they
can use the knowledge acquired to influence social contexts in such a way that the
spectrum of behavioral possibilities of the person under surveillance is restricted or
altered.34 The knowledge acquired or simply the operating procedures of the surveil-
lance technologies installed may also entail discrimination and “social sorting” or
“sorting out” mechanisms. Such mechanisms, which limit the possibilities of affected
persons, place “the matter firmly in the social and not just the individual realm”.35
Surveillance, certain methods or modes, such as comprehensive secret surveil-
lance, can have negative effects not only on individuals or groups, but also on commu-
nication relations, social subsystems or society as a whole. The social conditions for
freedom may be affected.36 In numerous countries, Germany and Brazil included,
there are obvious examples of the social consequences of secret mass surveillance.
If we leave the traditional model of the national state conducting surveillance and
look at the global world of different states, detrimental effects range up to endanger-
ment of political action and national sovereignty, as has become clear in the wake of
Edward Snowden’s revelations.
Which factual effects a particular instance of surveillance may have and how
these effects are to be judged normatively are two different questions. The extent to
which certain adverse effects are undesirable in normative terms must be answered
in overarching contexts. If a person adapts his or her criminal behavior because of
the possibility that he or she could be observed and punished, this is desirable in
normative terms; in fact, such adaptations are among the functions of criminal law.
A need for protection can, however, be substantiated if, as a result of surveillance,
behavior the person being observed is at liberty to perform is adapted. One of the
well-known examples of undesirable chilling effects is that the surveillance by police
or intelligence authorities of political activity leads to individuals no longer engaging
in such activities in the future. Sorting decisions as a result of surveillance are also
33 Cf. Richards (2013), p. 1934, drawing attention to common assumptions in the USA.
34 Cf. also Richards (2013), pp. 1952ff.
35 Lyon (2003), p. 13.
36 In the context of surveillance and collection of data about individuals or groups, it must always
be kept in mind that the political regime can change, for instance from a democratic to a dictatorial
regime.
78 M. Albers
Human and fundamental rights may be applicable because the object of surveil-
lance is covered by their scope of protection: observed behavior such as expressions of
opinion or political demonstrations, private homes being searched, surveilled corre-
spondence or (tele)communication. For example, the guarantee of the inviolability
of telecommunications protects individuals against the surveillance of these. The
protection does not cease to apply because the fact that communication takes place
could be interpreted as a lack of expectation of privacy. Such an interpretation not
only falls short because the relevant communication is restricted to certain addressees
and is regularly not open to others. Above all, such an interpretation overlooks the
fact that the data and information in question are only created through communica-
tion.40 Human and fundamental rights can also take effect because of the effects of
surveillance: freedom of expression protects against surveillance which presumably
results in the suppression of expressions of opinion.
In addition, there is a need for protection not only from concrete surveillance,
but also at a more abstract level and in a preliminary stage where concrete rights
in regard to a particular surveillance regimen cannot yet be identified and acted
upon. Provided that we interpret the right to privacy, the right to data protection or
the guarantee of the inviolability of telecommunications in a complex way,41 they
are sufficiently abstract to be able to cover this preliminary stage. In addition to
these already established and advanced protected interests, completely new scopes
of protection are currently being developed against the background of the challenges
of the Internet: For example, the FCC has derived a “right to the guarantee of the
confidentiality and integrity of information technology systems” from Article 2 in
connection with Article 1 Basic Law42 and scholars emphasize that “a metaphorical
home 2.0 that protects an abstract space around persons”43 is necessary.
Human and fundamental rights are primarily directed against the state. On the one
hand, persons who are under surveillance are protected by particular guarantees. On
the other hand, companies such as access providers or intermediaries enjoy protection
through freedom of profession or freedom of enterprise and can assert rights of
defense if they are obliged to contribute to the surveillance or to cooperate with the
authorities.44 Beyond that, it is now recognized, albeit to varying extents in different
40 The guarantee of the inviolability of telecommunications does not protect privacy in the sense of
being left alone or in seclusion, but aims at the protection of communication and of participants as
communication partners.
41 For complex approaches to the right to privacy see, for example, Cohen (2017), p. 458: “The
condition of privacy is dynamic and best described as breathing room for socially situated subjects to
engage in the processes of boundary management through which they define and redefine themselves
as subjects. Rights to privacy are rights to the sociotechnical conditions that make the condition of
privacy possible.” For a complex concept of the right to data protection see Albers (2005), pp. 454ff.;
cf. also Marsch (2018), pp. 127ff. See as well Reinhardt (2022), in this volume.
42 Judgment of the FCC of February 27, 2008, 1 BvR 370/07 and 595/07, BVerfGE (Volume of the
decisions of the FCC) 120, 274, also available in English at: www.bundesverfassungsgericht.de.
43 Timan et al. (2017), p. 745; see also Koops (2014).
44 For an overview of the divergent roles and perspectives of companies see Determann (2017),
pp. 372ff.
80 M. Albers
legal cultures, that human and fundamental rights are also applicable in relations
between private individuals through doctrinal figures such as third-party effects or
the duty to protect, and thus protect people against surveillance by other private
individuals or companies. More complex models of the construction of protection
may have to be developed in cases where surveillance has to be understood in the
form of “private–public assemblages”, as is increasingly the case.
Furthermore, human and fundamental rights and their scope of protection prove to
be multi-layered because they include different dimensions of protection. Tradition-
ally, they are primarily oriented towards the defense against impairments. Increas-
ingly, however, there are also protective dimensions being worked out that oblige the
state to take action. This includes guarantees that the persons affected have a right
to know and therefore to be informed of the surveillance and its results, are able to
participate at appropriate points in the surveillance and decision processes or have
access to judicial review procedures. Regulatory requirements also emerge beyond
individual-oriented guarantees and rights.
A distinction must be made between the scopes of protection with their various
dimensions of protection and the claims which may be invoked. Under certain circum-
stances, protected persons can raise claims for defense against surveillance and for its
cessation. Since surveillance is a process with various elements using certain methods
and modes, such claims can already be differentiated in nature. For example, a claim
to refrain from data collection as such may be unfounded, but claims to refrain from
storage for the planned duration or to refrain from using collected personal data for
one of the intended purposes may be justified. Besides, there may also be acces-
sory claims. For example, surveillance and the respective collection and storage of
personal data may be permitted, but for this very reason accessory claims to data
security and precautionary safeguards may exist. Human and fundamental rights
provide rights to know, however, what exactly claims should include, at what point
in time they may be raised, and how detailed requested information can be needs to
be further elaborated. Looking at the influence of codes and software programs in
modern surveillance, for example, the extent to which claims to knowledge of the
functioning and operating mechanisms of algorithms can be asserted requires clari-
fication.45 Irrespective of questions of detail and the need for continuing advances,
the findings show that, in view of the different scopes of protection as well as their
different directions and dimensions, we have to work out a broadly diversified bundle
of rights.
3 Data Retention
45 Cf. for algorithms Schertel Mendes and Mattiuzzo (2022), in this volume.
Surveillance and Data Protection Rights: Data Retention … 81
fields. Generally defined, the term “data retention” describes the collection or preser-
vation of (personal) data, either for a purpose which is as yet undetermined or is more
extensive in content or time than is necessary for a particular primary purpose, with
the result that the data can later be accessed as a source of information in the event that
the need arises. In this general form, this does not yet say much. When we consider
the in principle unlimited data collection possibilities available under the conditions
of the Internet and modern storage technologies, however, it becomes obvious, that
“data retention” is anything but unproblematic, depending on the context.
In the Europe-wide debates, “data retention” is mainly linked to the preservation of
personal data generated in telecommunications and to the former EU DRD46 and the
relevant laws of the member states. Due to provisions resulting from the protection of
the secrecy of telecommunications, providers of telecommunication services may, in
principle, only process and store their clients’ personal and communication data for
the purposes of transmitting communications, handling interconnection payments
and invoices, marketing, and restricted other value-added services. As soon as the
data are no longer needed for these purposes they have to be deleted. If a criminal
investigation detects communication details only at a later date, they can no longer be
traced back. Against this background, accessory data retention rules oblige providers
to retain certain categories of data, so-called metadata, for a specific period of time
in order to enable security agencies to gain access to and make use of these data for
security purposes at a later point in time. This is the subject of the provisions of the
former EU DRD, and similar rules have been established in other countries.47
Several elements are characteristic here: First of all, there is the plurality of partici-
pants: private parties have data at their disposal to which state authorities seek access.
These data are not collected separately, but are generated in specific contexts in accor-
dance with the conditions and rules applicable in that context. The data is legitimately
stored for a certain period of time for particular purposes, in the case of telecommu-
nications companies primarily for billing purposes. Companies are then obliged to
store this data for longer than is necessary for the primary purposes, so that it can
be made available to the state security authorities for security purposes (secondary
purposes) under certain conditions.
A closer look at “data retention” reveals, firstly, that such a structural pattern can
be found in a number of fields other than telecommunications, in some cases with
certain modifications. In the banking sector, data relating to customers and money
transactions must be retained in order to keep them available for the purposes of
combating money laundering and financing of terrorism. Data that is generated in
the context of the Internet of Things or data that is collected in biobanks also arouse
the interest of security authorities. Secondly, there are a number of key points which
require closer attention: for example, whether all or only certain data that private
companies collect are involved and under what conditions and for what purposes
46 See n. 10.
47 Cf. for an overview on the broader “bulk “ collection of data Cate and Dempsey (2017). For the
rules in the Marco Civil da Internet and other Brazilian legislation see Molinaro and Ruaro (2022),
in this volume.
82 M. Albers
which security authorities have access to which data. Data retention proves to be a
fundamental issue of great importance in connection with surveillance. This is why
the former EU DRD and the national laws of the member states as well as the related
court decisions are the subject of extensive, often heated debate.
The EU DRD was prompted not least by terrorist attacks in Madrid and London and
entered into force from May 2006.48 It provided for retention obligations in the field
of telecommunications which derogated the system of protection established by the
Data Protection Directive49 and the ePrivacy Directive.50 As a general principle of
protection, personal data should be retained only for the period of time that is neces-
sary for specified, explicit and legitimate purposes of data processing which, for its
part, must be based on particular grounds of lawfulness.51 The ePrivacy-Directive,
with its focus on protecting the privacy and confidentiality of communications by
means of a publicly available electronic communications service and the related
traffic data, confirmed this principle with the result that, as a general rule, providers
had to erase or anonymize personal data where it was no longer needed for transmis-
sion, billing or other service purposes.52 Referring to the competency to harmonize
member states’ provisions with regard to the establishment and functioning of the
internal market,53 the EU DRD amended this protection system by introducing partic-
ular obligations of the providers of publicly available electronic communications
services—e.g., telephone services, e-mail services or Internet access services—or of
48 Concerning the context and the legislative process see Granger and Irion (2014), pp. 837 f.;
Zedner (2017), pp. 566ff.
49 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the
protection of individuals with regard to the processing of personal data and on the free movement of
such data, Official Journal L 281/31, meanwhile replaced by the General Data Protection Regulation
(GDPR, Regulation 679/2016/EU), Official Journal L 119/1.
50 Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning
the processing of personal data and the protection of privacy in the electronic communications
sector, Official Journal L 201/37.
51 Articles 6(1b, e) and 7 Data Protection Directive, cf. also Articles 5(1b, e) and 6 GDPR.
52 More closely Articles 6 and 9 ePrivacy Directive.
53 The competences of the EU were contested, because the primary objective of the EU-DRD
appears to be the fight against crime but an overarching EU competence in this area does not exist.
This problem leads to some inconsistencies in the Directive. However, the ECJ did not object to
the use of the chosen competency, see judgment of the ECJ (Grand Chamber) of 10 February 2009,
C-301/06, available at curia.europa.eu.
Surveillance and Data Protection Rights: Data Retention … 83
public communications networks. Member states had to ensure that these providers
were obliged to retain certain data generated or processed by them for longer than
necessary for their business purposes, in order to ensure that these data were available
for the purpose of the investigation, detection and prosecution of serious criminal
offenses, as defined by each member state in its national law.54 In principle, a six-
month minimum storage period from the time of communication was set as well as
a maximum retention period of two years which, in special circumstances, could be
extended.55
Article 5(1) EU DRD specified a comprehensive catalog of categories of data
on communications of natural and legal persons as well as data on subscribers or
registered users stored beyond individual communications. However, Article 5(2)
EU DRD expressly prohibited the retention of data revealing the content of the
communication. The directive referred to so-called metadata. Depending on the
communication medium,56 the catalogue included
• data necessary to trace and identify the source and the destination of a commu-
nication, e.g., the calling and dialed telephone numbers as well as the name and
address of the subscriber or registered user, user ID(s) of communication partici-
pants as well as the name and address of the subscriber or registered user to whom
an Internet Protocol (IP) address, user ID or telephone number was allocated at
the time of the communication,
• data necessary for identifying the date, time and duration of a communication,
e.g., of the log-in and log-off of an Internet access service, together with the IP
address, whether dynamic or static,
• data necessary to identify the type of communication, i.e., the telephone or Internet
service used,
• data necessary to identify users’ communication equipment or what purports to
be their equipment, e.g., the calling and called telephone numbers, the IMSI or the
IMEI of the calling and of the called party and, in the case of pre-paid anonymous
services, the date and time of the initial activation of the service and the Cell ID
from which the service was activated,
• data necessary to identify the location of mobile communication equipment, e. g.,
the Cell ID at the start of the communication and data identifying the geographic
location of cells by reference to their Cell IDs during the period for which
communications data are retained.
Furthermore, the EU DRD required member states to make sure that the providers
respect, at minimum, certain data security principles related to retained data. Member
states also had to ensure that, in specific cases, this data and any other necessary
information relating to such data could be transmitted without undue delay to the
telephony.
84 M. Albers
competent authorities upon their request.57 The procedures to be followed and the
conditions to be fulfilled in order to gain access to retained data in accordance with,
for example the requirements of the principle of proportionality had to be defined by
each member state in its national law.
To implement the EU DRD into national law, member states had to adopt measures
that can be systematized into three complexes. Firstly, regulations had to ensure that
providers or network operators in the telecommunications sector retain the data
specified in Article 5(1) EU DRD and in doing so also observe data security require-
ments. Secondly, rules had to be added obliging the companies to provide these
data to competent security authorities under certain conditions. The third complex
consisted of regulations which allowed the authorities to request and receive the data
to be transferred and to use the data transferred for their own purposes.
In Germany, the DRD was implemented in 2008 by partly directive-implementing
and partly directive-exceeding provisions amending existing laws.58 In its former
version, § 113a of the Telecommunications Act (TKG) obliged the providers of
publicly accessible telecommunications services to store certain telecommunications
service data for a period of six months. The catalog of data corresponded to Article 5
(1) EU-DRD. The duty of storage essentially extended to all information that is neces-
sary in order to reconstruct who communicated or attempted to communicate with
whom, when, from where and for how long. Telecommunications service providers
that—like anonymization services—altered the data to be stored were required to
store the original and new data as well as the time at which these data were tran-
scribed.59 § 113a para 8 TKG emphasized that the contents of the communication
may not be stored. The data stored were to be deleted within one month of the end
of the storage period.60 As regards data security, the care generally necessary in the
area of telecommunications had to be observed.61
§ 113b TKG generally defined the purposes for which the telecommunications
companies were allowed to transmit stored data to public authorities. Three exclu-
sive purposes were enumerated: the prosecution of criminal offenses, the warding
off of substantial dangers to public security and the performance of intelligence
service tasks. Furthermore, and under less strict conditions, the use of these data was
permitted to identify Internet users to whom specific IP addresses had been assigned
in order to provide necessary customer and traffic data to authorities requesting these
data, e.g., for purposes of copyright protection in accordance with the relevant laws.62
57 Cf. Article 4 EU DRD. Details were left to the member states due to the limited competencies
of the European Union.
58 In particular: Gesetz zur Neuregelung der Telekommunikationsüberwachung und anderer
should be able to request information as to which subscriber the address belonged to.
Surveillance and Data Protection Rights: Data Retention … 85
Authorizations to access and use the data retained were to be put in concrete
terms by provisions of specific branches of law passed by, due to the German feder-
alist system, both the Federal Government and the Länder (states).63 The Federal
Government is competent for criminal procedural provisions and federal authori-
ties, e.g., the Federal Intelligence Service; the Länder are responsible for regulating
their police forces and intelligence services. Provisions for prosecution had been laid
down in § 100g of the Code of Criminal Procedure (StPO). This norm allowed the
criminal prosecution authorities to collect data stored by way of precaution pursuant
to § 113a TKG without the knowledge of the person concerned.64 The authorization
was limited insofar as data access and use were necessary for investigating the facts
of the case or determining the whereabouts of an accused person and only applied
to “offenses of considerable importance” and to offenses committed via telecom-
munications. Data collection could only be ordered by a judge, except in cases of
imminent danger.65 The court order was only to be directed against accused persons
or against persons of whom it must be assumed due to specific facts that they receive
or transmit specific messages directed to the accused or originating from this person
or that the accused uses their line. The order did not authorize the authorities to
directly access the data, but obliged the service providers to filter out and transmit
the data in a separate intermediate step in accordance with the requirements of the
order.
The German laws implementing the DRD triggered the largest mass constitutional
complaint in the history of the Federal Republic of Germany. Following several
preliminary injunctions, the Federal Constitutional Court (FCC) reached its principal
decision on March 2, 2010.66 The FCC had to identify the relevant fundamental rights
of the German constitution and to flesh out their scope of protection. Then it had
to deal with the constitutionality of the provisions of the TKG and the StPO. Here,
we can highlight three central questions: Is precautionary storage without cause
63 According to the requirements recognized under German law, in addition to the regulations that
allow a data controller, in this case a private company, to transmit data to the authorities, further
regulations are necessary that allow the authorities to query or receive the data (“double-door
model”). Cf. more closely Albers (2001), p. 334 f.; Gazeas (2014), p. 228f., 501ff.
64 The Code of Criminal Procedure provides for duties of ex post-notification of the persons affected
260 (with dissenting opinions of two judges), available also in English under www.bundesverfas
sungsgericht.de. This judgment developed several new considerations but also built on the Court’s
jurisdiction which had been developed since the census decision of 1983. See, e.g., FCC, Judgment
of July 14, 1999 – 1 BvR 2226/94 et al. = BVerfGE 100, 313; Judgment of March 3, 2004 – 1 BvR
2378/98 et al. = BVerfGE 109, 279; Decision of March 3, 2004 – 1 BvF 3/92 = BVerfGE 110, 33;
Judgment of February 27, 2008 – 1 BvR 370/07 et al. = BVerfGE 120, 274.
86 M. Albers
constitutional? Which requirements must the provisions meet? What is the situation
of the providers of telecommunications and anonymization services?
Art. 10 (1) Basic Law responds to the threats to freedom arising from the use of
telecommunications or telecommunications technology and the facilities of third
parties.
The [...] telecommunications secrecy shall be inviolable.
purposes see, e.g., FCC, Judgment of July 14, 1999 – 1 BvR 2226/94 et al. = BVerfGE 100, 313
(358).
70 This is settled case law, see, e.g., FCC, Decision of June 20, 1984 – 1 BvR 1494/78 = BVerfGE
67, 157 (172); Decision of March 25, 1992 – 1 BvR 1430/88 = BVerfGE 85, 386 (396).
Surveillance and Data Protection Rights: Data Retention … 87
less reliable degree of probability) about the individual activities and the social envi-
ronment of the persons, about their social or political affiliations and preferences, or
about internal influence structures and decision-making processes within groups.71
Moreover, the scope of protection of Article 10 Basic Law covers not only the
cognizance of telecommunications data but extends to the subsequent information
and data processing processes.72 This means that protection extends from the gath-
ering and storage of data to it being requested by authorities and any transmission of
data to its further storage for security purposes and its subsequent use. The “secrecy”
protection does not end as soon as data becomes known to providers or authori-
ties but continues to set constitutional criteria. Article 10 Basic Law thus offers the
guiding norm. Other fundamental rights, such as the freedom of the press, might
be referred to in order to strengthen its protection.73 However, the data retention
decision mentioned them only marginally.74
After having clarified the scope of protection of Article 10 Basic Law, the FCC
explained that the legal obligations of the telecommunications companies to retain
telecommunications data and transfer it to state authorities have to be regarded not
as an indirect, but as a direct infringement of the rights of those communicating. It
argued that service providers, without any margin of discretion being left to them in
this respect, would be used solely as auxiliaries for the performance of tasks by state
authorities, so that the storage of the data is legally accountable to the legislature as
a direct infringement.75 It corresponds to the refining of the scope of protection that
each legally regulated step of data processing—storage (§ 113a (1) TKG), request and
transmission (§ 113b TKG), further storage and subsequent use (§ 100g StPO)—is
an independent encroachment on Article 10 Basic Law.76 The constitutional review
dealt with these steps in a differentiated manner.
One of the core problems of the case was whether precautionary data retention
without cause as such could be constitutional at all. The complainants invoked
the famous census judgment of the FCC.77 In connection with the requirements
of purpose determination and purpose limitation established in this judgment, the
Court had laid down a strict prohibition, in the given case addressed to the state,
71 More closely: Judgment of the FCC of March 2, 2010, 1 BvR 256/08, 263/08, and 586/08, para
211. See also Tzanou (2017), p. 79, who highlights these considerations.
72 Leading decision in this respect: FCC, Judgment of July 14, 1999 – 1 BvR 2226/94 et al. =
of collecting and storing non-anonymous data “for indefinite or not yet definable
purposes”78 in the event that it should ever be needed for not yet specified future use.
However, the FCC delimited the data retention constellation to be assessed against
this strict prohibition. For the purpose of delimitation, it described this constellation
as “a precautionary storage of telecommunications traffic data without cause for
later transmission with cause to the authorities responsible for criminal prosecution
or warding off danger or to the intelligence services”.79 It did not consider such a
form of precautionary data retention to be absolutely incompatible with Article 10
Basic Law, but as only permissible in exceptional cases and subject to particularly
strict requirements.
The problem that the telecommunications traffic data had to be stored by the
service providers without cause for six months was discussed not as an independent
requirement for the determination of purpose80 but as part of the proportionality test.
The FCC affirmed the suitability even if it admitted that “such a storage of data
cannot ensure that all telecommunications connections can reliably be assigned to
specific users, and it may be possible for criminals to circumvent storage by using
Wi-Fi hotspots, Internet cafés, foreign Internet telephone services or prepaid mobile
telephones registered under a false name”.81 However, suitability “merely requires
that the attainment of the goal is facilitated”.82 The storage was also regarded as
necessary in the sense that there are no less drastic but similarly effective means.83
The main considerations dealt with the question of whether the storage is dispro-
portionate from the outset. The FCC classified the storage as a particularly serious
encroachment. Among the criteria relevant for this classification are the extent of
storage and the absence of cause as well as the far-reaching informative value of the
stored data. Even without recording the contents of the communication, conclusions
could be drawn on, for example, social or political affiliations and personal prefer-
ences, inclinations and weaknesses. This included connections which are engaged in
with an expectation of confidentiality. The persons concerned faced increased risk
of being exposed to further investigations without themselves having given occasion
for this and of being affected by an abuse of the data collected. The infringement
was given particular weight by the fact that the storage of telecommunications traffic
data without cause “is capable of creating a diffusely threatening feeling of being
78 See FCC, Judgment of December 15, 1983 – 1 BvR 209/83 et al., BVerfGE 65, 1, 46 and 47.
79 Judgment of the FCC of March 2, 2010, 1 BvR 256/08, 263/08, and 586/08, para 207.
80 Concerning the significance of purpose determination see Albers (2005), pp. 498ff.; von
consideration is settled case law and is rooted in the notion that legislation should have a margin
of assessment in this respect. This notion and the margin of assessment are the reference point for
the now widely acknowledged duty of legislation to establish evaluations by means of which the
accuracy of legislative assumptions at the time of the enactment of a law is later checked (duties of
legislation to observe developments and to improve the law if necessary).
83 Judgment of the FCC of March 2, 2010, 1 BvR 256/08, 263/08, and 586/08, para 208.
Surveillance and Data Protection Rights: Data Retention … 89
watched which can impair a free exercise of fundamental rights in many areas”.84
The aspect that “trust” is a central condition for the unbiased exercise of fundamental
rights had already been emphasized by the Court in its decision on the fundamental
right to the guarantee of the integrity and confidentiality of information technology
systems.85
Despite the severity of the encroachment, the Court did not consider precautionary
storage without cause of telecommunications traffic data to be absolutely prohibited
under constitutional law. Decisive for the justifiability was how the statutory frame-
work was shaped. Firstly, the storage without cause was not carried out directly by
the state, but through an obligation imposed on the private service providers. The
data is thus, the Court argued without mentioning the rather oligopolistic situation on
the market, not yet compiled during storage itself, but remain distributed over many
individual companies. The retrieval of the data by state authorities only took place
in a second step and was then carried out on a case-by-case basis in accordance with
legally defined criteria. “The formulation of the provisions giving permission for
retrieval and further use of the stored data may ensure”, the Court argues, “that the
storage is not made for purposes that are indefinite or cannot yet be determined”.86
The separation of storage and retrieval and their respective legal frameworks are
therefore at the heart of the Court’s argument. The Court pointed out that the storage
of telecommunications traffic data does not include the contents, is limited to six
months and is not directed towards total recording of all citizen’s activities but takes
up, in a manner that is still limited, the special significance of telecommunications
and responds to the specific potential danger associated with them, for instance,
that criminal offenses operating essentially on the Internet would escape observation
if telecommunications data were deleted. The Court added that the precautionary
storage of telecommunications traffic data without cause must remain an exception.
In particular, it must not “in interaction with other existing files, lead to virtually all
activities of the citizens being reconstructible”.87 Legislation aimed at precautionary
storing as comprehensively as possible all data useful for criminal prosecution or the
prevention of danger would from the outset be incompatible with the constitution.
The Court introduced a kind of “surveillance overall accounting” as a duty of the
legislator.88 It even associated the normative statement that the exercise of freedom
may not be recorded and registered in its entirety with the constitutional proviso with
regard to identity asserted in the Lisbon decision.89
Despite these latter restraints, the grounds of the data retention decision consider-
ably weaken the strict prohibition of precautionary collecting and storing of personal
data for indefinite or not yet definable purposes, which has been emphasized since
84 Judgment of the FCC of March 2. 2010, 1 BvR 256/08, 263/08, and 586/08, para 212.
85 FCC, Judgment of February 27, 2008 – 1 BvR 370/07 et al., para 181 et sqq. = BVerfGE 120,
274 (306ff.).
86 Judgment of the FCC of March 2, 2010, 1 BvR 256/08, 263/08, and 586/08, para 214.
87 Judgment of the FCC of March 2, 2010, 1 BvR 256/08, 263/08, and 586/08, para 218.
88 More closely Roßnagel (2010), pp. 1240f.
89 Cf. FCC, Judgment of March 2, 2010, 1 BvR 256/08, 263/08, and 586/08, para 218.
90 M. Albers
the census judgment. This prohibition follows from the principle of purpose limi-
tation. This principle requires not only that the purposes be determinable, but also
refers to the requirement that the data be necessary for the respective purposes. A
determination of the purpose would be useless without the correlate of necessity. It
is true that the purposes, if we follow the Court’s construction of “a precautionary
storage of telecommunications traffic data without cause for later transmission with
cause to the authorities responsible for criminal prosecution or warding off danger
or to the intelligence services”, might be described more closely with a view to the
permitted uses by the entitled authorities. This description, however, anticipates a
certain course of events from the first element of storage to the further elements of
access and use which are actually relatively separate from storage (the Court itself
has highlighted this as a condition influencing the assessment of constitutionality).
The problem arises that the necessity of the data for preventive, criminal procedural
or intelligence purposes is not certain at the time of storage. The service providers
only retain the data in the event that it proves to be necessary in the future. And
what is new about the storage duties at issue here is that the precautionary storage is
carried out without further criteria which support the prognosis of a later necessity
and which otherwise include, for example, indications or assumptions of danger or
suspicion because of assessments of situations, specific findings or previous conduct
of persons. It is precisely for this reason that the vast majority of data will prove
to be unnecessary. The lack of more detailed criteria for precautionary storage and
necessity prognosis gets, it might be thought, at the core issue of the prohibition of
precautionary storage of personal data for indefinite or not yet definable purposes. But
the FCC came to the conclusion that the chosen construction does not give rise to a
fundamental verdict of unconstitutionality.90 It then tried to set restrictions by means
of the above-mentioned “surveillance overall accounting”—which, however, faces
difficulties of operationalizing cumulative effects of surveillance measures—and by
means of a bundle of requirements which must be complied with for constitutionality
to be granted.
Based on the principles of legal certainty and definiteness regarding norms91 and of
proportionality, the FCC derived concrete and in part detailed constitutional require-
ments resulting in a network of dovetailed substantive and procedural precautions.
Innovative remarks concern aspects of data security, the scope of data use, trans-
parency, enforcement as well as control mechanisms and provisions ensuring eval-
uations. Also deserving special mention is the approach conceiving the individual
90 See also the comparison with Decision no. 1258 of the Romanian Constitutional Court of October
8, 2009 in: de Vries et al. (2013), pp. 13ff.
91 On the increasing importance of the principles of legal certainty and definiteness in the jurisdiction
of the FCC cf., for example, BVerfGE 110, 33 (53ff.); 113, 348 (375ff.).
Surveillance and Data Protection Rights: Data Retention … 91
elements as part of a coherent concept with the consequence that the constitution-
ality of certain elements depends on whether other elements have been formulated
in accordance with the constitution.
The precautionary storage of telecommunications traffic data without cause must
meet the requirements of the principle of proportionality. Considerations of suit-
ability and necessity as well as some of the aspects relevant to the balancing of
interests have already been advanced by the Court in its examination of whether the
contested data retention provisions could be constitutional at all: The data remain
distributed over several private providers and the storage is limited to six months and
to traffic or metadata which arise regularly in connection with the service and are
already temporarily stored for particular purposes. Beyond that, the Court empha-
sized that the severe encroachment constituted by such storage is only proportionate
in the narrow sense if a particularly high standard of data security by means of clear
and binding obligations on private service providers is guaranteed.92 This responsi-
bility on the part of the legislator to guarantee data security responds to the fact that
the risk of illegal access to data being attractive in view of its multifaceted informa-
tive value is high93 and that private service providers have only limited incentives
to guarantee data security on their own due to cost pressure. Data security require-
ments apply both to data retention and transmission, and effective safeguards are
also needed to ensure data deletion. The data security standard must be designed
dynamically: It must be based on the present state of development of the discussion
between technical experts—for example, by resorting to legal figures under ordi-
nary law such as the state of the art—and continuously incorporate new findings and
insights. Referring to the expert statements in the written submissions and in the oral
hearing of the proceedings before the Court, as examples the FCC named separate
storage of the data, fastidious coding, a secure access regime through more refined
use of for instance the “four-eye principle” and audit-proof recording of the access
to data and their deletion. In this respect, the requirements to be laid down are to be
specified either by sophisticated technical regulations, possibly graduated at various
levels of legislation, or in a general manner and then specified transparently by
binding individual decisions of the regulatory authorities addressed to the individual
companies. Constitutional law also requires monitoring that is comprehensible to the
public and involves the independent data protection officer and a balanced system of
sanctions which also attaches appropriate weight to violations of data security. The
FCC endeavored with these data security requirements to ensure that the data retained
is not used in any other way than for the intended security purposes and not beyond
the time stipulated. Finally, the constitutionality of the storage of the data depends on
the regulations on subsequent access and further use being designed in such a way
that they themselves meet the requirements of the principle of proportionality.94
92 Judgment of the FCC of March 2, 2010, 1 BvR 256/08, 263/08, and 586/08, para 221 et sqq.
93 Cf. Clarke (2015), p. 128: Data retention measures and huge volumes of highly sensitive data
result in a concentrated “honeypot” which attracts attacks.
94 Judgment of the FCC of March 2, 2010, 1 BvR 256/08, 263/08, and 586/08, para 226: “The
drafting of these provisions on use, in a manner that is not disproportionate, thus not only decides
92 M. Albers
The retrieval by security authorities, the transmission to them and their use of
telecommunications traffic data are also subject to a number of requirements. To begin
with, the legislator must provide for a fundamental prohibition of transmission for a
confined range of telecommunications connections relying on special confidentiality,
such as counseling over the phone in situations of emotional crisis.95 Apart from that,
because the analysis of retained data allows conclusions to be drawn that might pry
deeply into private lives and enable the creation of personality or movement profiles,
the use of retained data must be for the purpose of fulfilling tasks of paramount
importance related to the protection of legal interests. This must be reflected in the
statutory description of both the protected legal interests and the thresholds that
must be reached to enable the authorities to request and then to use the data. For
criminal prosecution, this means that the legislature must provide an exhaustive list
of the criminal offenses that are to apply here, either by having recourse to existing
lists or by creating a new one; a blanket clause or a mere reference to criminal
offenses of considerable significance is not sufficient. Furthermore, a retrieval of
the data requires at least the suspicion of a listed offense based on specific facts. In
the context of preventing danger, the use of the stored data may only be permitted
to ward off dangers to the life, limb or freedom of a person, to the existence or
security of the Federal Republic or of a Land or to ward off a danger to public
safety. The statutory norm must provide for the threshold of “actual evidence of a
concrete danger to the legal interests to be protected”.96 This means that specific
given facts support the prognosis that, without intervention, damage will occur with
reasonable probability in the foreseeable future. Considering the impairments for
citizens associated with the use of intelligence data, these requirements also expressly
apply to intelligence services, even though their tasks of informing the government
and therefore elucidating particular areas of activity are not solely linked to concrete
danger situations.97 Regarding procedural safeguards, the FCC required, except for
the intelligence services,98 the retrieval and transmission of the data to be subject to a
well-defined judge’s pre-emptive review,99 although Article 10 GG does not provide
for such a proviso.
The limitation to certain purposes, which reflect the outstandingly important tasks
of legal protection, must also be ensured after the data have been retrieved and
transferred to the authorities requesting it, and must be accompanied by procedural
safeguards. In particular, the data must be analyzed immediately after transmission
and deleted if it is irrelevant. The retrieving authorities may, however, forward the
already FCC, Judgment of February 27, 2008 – 1 BvR 370/07 et al., para 247 et sqq. = BVerfGE
120, 274 (328f.).
97 Judgment of the FCC of March 2, 2010, 1 BvR 256/08, 263/08, and 586/08, para 233.
98 In this respect, Article 10 (2) Basic Law permits the replacement of preemptive judicial
data to other bodies insofar as this is done to perform tasks for which access to
this data would also be directly permissible (the so-called “hypothetical substitute
intervention”).
The FCC also required the legislature to take effective precautions to ensure
transparency in the use of data. Secret use of data could only be considered if the
purpose of the investigation for which the data retrieval serves would otherwise be
thwarted. The legislature could assume this, in principle, in cases of warding off
danger and performing intelligence service tasks, but not in cases of criminal prose-
cution, where investigative measures are regularly carried out with the knowledge of
and in the presence of the suspect. If the data subject does not have to be informed
prior to querying or transmission of his or her data, the legislature must provide for
a duty of subsequently notifying him or her.100
Furthermore, it is constitutionally required that a legal protection procedure be
available to subsequently review the use of the data. Where persons affected had no
opportunity before the measure was carried out to defend themselves against the use
of their telecommunications traffic data, they must be given the possibility of subse-
quent judicial review. Finally, a legislative formulation that is not disproportionate
also requires effective sanctions for violations of rights, whether these are incor-
porated into the general structure of the law of criminal procedure or into current
liability law, or established by more extensive provisions.
For the indirect use of data for information pursuant to § 113 (1) TKG in the form of
a claim for information from service providers for the identification of IP addresses,
the FCC stipulated less strict requirements.101 In this case, the authorities are merely
given personal information on what owner was registered on the Internet with regard
to an IP address, and this owner is determined by the service providers by recourse
to data retained. The informative value of these data is limited. Nevertheless, the
respective rules influence the conditions of communication on the Internet and limit
its anonymity. The FCC explained that the legislature must ensure that information
may only be obtained on the basis of a sufficient initial suspicion or of a concrete
danger on the basis of facts and with a view to sufficiently weighty adverse effects
on a legal interest. There is no duty to provide for a judge’s pre-emptive review.
The person affected has, in principle, the right to learn that this anonymity has been
removed, and why.
Once it had worked out the requirements, the FCC reviewed the respective legal
regulations. Closer examination showed that the contested provisions did not satisfy
the developed constitutional requirements in key respects. They were incompatible
with Article 10(1) Basic Law as a whole.
100 Judgment of the FCC of March 2, 2010, 1 BvR 256/08, 263/08, and 586/08, paras 243 et sqq.
101 Judgment of the FCC of March 2, 2010, 1 BvR 256/08, 263/08, and 586/08, paras 254 et sqq.
Cf. also on easier access to traffic data in Brazilian regulations Molinaro and Ruaro (2022), in this
volume.
94 M. Albers
4.2.5 Results
The FCC did not consider the contested form of data retention to be unconstitutional
under all circumstances. The Court took the position that the constitutionality of this
“precautionary storage of telecommunications traffic data without cause for later
transmission with cause to the authorities responsible for criminal prosecution or
warding off danger or to the intelligence services” depends on how it is shaped by
legal regulations and whether sufficient limits are set at the numerous points that
can be identified. The challenged provisions did not meet the derived constitutional
requirements and therefore violated the guarantee of the inviolability of the secrecy of
telecommunications. As far as providers of telecommunications and anonymization
services are concerned, however, a violation of Article 12 Basic Law was rejected.
That means that the State is allowed to regulate the activity of anonymization services
in such a way that under certain legal conditions an identification of their users is
possible.
102 Judgment of the FCC of March 2, 2010, 1 BvR 256/08, 263/08, and 586/08, para 300 et sqq.
As long as the effects are not highly restrictive, the legislature has been granted wide discretion
concerning what burdens and measures to safeguard public interests, which are in need of regulation
as a result of commercial activities, it imposes on market players in order to integrate the associated
costs into market and market prices.
Surveillance and Data Protection Rights: Data Retention … 95
Not only in the member states, but also at the European level, the data retention
established by the former DRD has been the subject of controversial debates and
decisions by the highest courts.103 Acting on the request from the High Court of
Ireland for a preliminary ruling, in 2009 the ECJ reviewed whether the DRD was
covered by the powers of the European Union. The Court’s judgment argued that the
EU could draw on its competence to adopt measures with regard to the functioning
of the internal market.104 Questions concerning the compatibility of the DRD with
the fundamental rights of the EU Charter were decided in 2014 in response to a
request for a preliminary ruling from both the High Court of Ireland and the Austrian
Constitutional Court (“Digital Rights Ireland” judgment).105 In this judgment, the
ECJ declared the DRD invalid. In the light of the protection of fundamental rights as
developed in this judgment, two years later the focus was on what requirements the
ePrivacy Directive sets for existing or newly introduced data retention regulations in
the member states (“Tele2 Sverige” judgment).106 In its recent “Quadrature du Net
and Others” and “H. K.” judgments,107 the ECJ has developed a differentiated and
detailed approach establishing a bundle of interdependent requirements.
In its “Digital Rights Ireland” judgment, the ECJ initially examined which funda-
mental rights were applicable. The main focus was on Article 7 and Article 8
CFR.
Article 7 CFR Respect for private and family life
Everyone has the right to respect for his or her private and family life, home and
communications.
Art. 8 CFR Protection of personal data
(1) Everyone has the right to the protection of personal data concerning him or her.
103 For an overview of the discussions and decisions in member states see the contributions in Zubik
et al. (2021).
104 Judgment of the ECJ (Grand Chamber) of February 10, 2009, C-301/06, available at curia.eur
opa.eu.
105 Judgment of the ECJ (Grand Chamber) of April 8, 2014, C-293/12 and C-594/12, available at
curia.europa.eu.
106 Judgment of the ECJ (Grand Chamber) of December 21, 2016, C-203/15 and C-698/15 – Tele2
Sverige and Home Secretary v. Watson, available at curia.europa.eu. The joint requests for a prelimi-
nary ruling under Article 267 AEUV were made by the Administrative Court of Appeal in Stockholm
and the Court of Appeal (England & Wales) concerning the interpretation of Article 15 I of Directive
2002/58/EC read in the light of Articles 7 and 8 and Article 52 para 1 of the Charter of Fundamental
Rights of the European Union.
107 Judgments of the ECJ (Grand Chamber) of October 6, 2020, C-115/18, C-512/18 and C 520/18,
(2) Such data must be processed fairly for specified purposes and on the basis of the
consent of the person concerned or some other legitimate basis laid down by law. Everyone
has the right of access to data which has been collected concerning him or her, and the right
to have it rectified.
(3) Compliance with these rules shall be subject to control by an independent authority.
Art. 52 CFR Scope and interpretation
(1) Any limitation on the exercise of the rights and freedoms laid down by the Charter must
be provided for by law, respect their essence and, subject to the principle of proportionality,
limitations may be made to those rights and freedoms only if they are necessary and genuinely
meet objectives of general interest recognized by the Union or the need to protect the rights
and freedoms of others.
[...]
The areas of application of Article 7 CFR, which includes the right to respect for
private life and communications, and Article 8 CFR, which provides a separate
fundamental right to the protection of personal data, are not easily distinguishable
from each other.108 In its early decisions, the ECJ hardly distinguished these two
fundamental rights. The “Digital Rights Ireland” judgment is characterized by a
stronger distinction: From the point of view of the ECJ, Article 8 CFR provides
protection with regard to the processing of personal data in a way that is not restricted
to private life and establishes certain distinctive data protection requirements. Article
7 CFR, by contrast, protects private life substantively. This term is not defined, but
is concretized with a view to the data and their information content.
The Court observed that, first of all, the data to be retained would make it possible,
in particular, to know the identity of the person with whom a subscriber or registered
user had communicated and by what means, to identify the time of the communi-
cation as well as the place from which that communication took place and to know
the frequency of the communications between participants during a given period.
Those data, taken as a whole, would allow very precise conclusions to be drawn
about the private lives of persons whose data has been retained, such as the habits of
everyday life, permanent or temporary places of residence, daily or other movements,
the activities carried out, the social relationships of those persons and the social envi-
ronments frequented by them.109 The ECJ added that the retention of the data might
affect free and uninhibited communications behavior as it is safeguarded as freedom
of expression in Article 11 CFR.110 Furthermore, the fact “that data are retained and
subsequently used without the subscriber or registered user being informed is likely
108 Among other things, the background to the delimitation difficulties is that Article 52 para 3 CFR
assigns the same significance and coverage to the rights of the Charter as to the corresponding rights
of the ECHR. Data protection in the ECHR, however, is essentially guaranteed by Article 8 ECHR,
the right to respect for a person’s private life, because the ECHR does not include an explicit human
right to data protection.
109 Judgment of the ECJ (Grand Chamber) of April 8, 2014, C-293/12 and C-594/12, paras 27 and
56.
110 Judgment of the ECJ (Grand Chamber) of April 8, 2014, C-293/12 and C-594/12, para 28.
Surveillance and Data Protection Rights: Data Retention … 97
to generate in the minds of the persons concerned the feeling that their private lives
are the subject of constant surveillance.”111
The infringements of these rights were divided into relatively independent steps.
The obligation imposed on providers to retain the specified data for a certain period
of time112 constituted in itself an interference with Article 7 CFR. The access of
the competent national authorities to the data113 was regarded as a further intrusion.
Because the directive allowed the processing of personal data, Article 8 CFR was
also impaired. Similar to the FCC, the ECJ classified the intrusions as particularly
serious.
The essence of these fundamental rights which must be respected according to
Article 52(1) CFR was not adversely affected from the point of view of the Court.114
As far as Article 7 CFR was concerned, it argued that the DRD did not permit the
acquisition of knowledge of the content of the communications as such. As for Article
8 CFR, it pointed out that the DRD provided that certain principles of data protection
and data security must be observed.
The crucial point then was whether the principle of proportionality was complied
with. This principle requires that acts of the EU institutions be suitable for attaining
legitimate objectives and not exceed the limits of what is necessary and appropriate
in order to achieve those objectives.115 In some contradiction to the 2009 ruling,116
the ECJ acknowledged, when it examined compliance with the principle of propor-
tionality in the “Digital Rights Ireland”-judgment, that the material objective of the
DRD was to ensure that the data retained would be available for the purpose of the
investigation, detection and prosecution of serious crime and thus to contribute to
public security.117 This constituted an objective of general interest and because the
data at issue was deemed to be a valuable tool in the prevention of offenses and
the fight against crime, its retention was considered to be suitable for attaining the
objective.
But the ECJ raised the objection that the DRD did not lay down clear and precise
rules guaranteeing that the wide-ranging and particularly serious interference with
Articles 7 and 8 CFR is actually limited to what is strictly necessary. The Court
emphasized that the directive, firstly, covered all persons, all means of electronic
communication and traffic data without any differentiation, limitation or exception
111 Judgment of the ECJ (Grand Chamber) of April 8, 2014, C-293/12 and C-594/12, para 37.
112 Articles 3, 5 and 6 EU DRD.
113 Article 4 EU-DRD.
114 Judgment of the ECJ (Grand Chamber) of April 8, 2014, C-293/12 and C-594/12, paras 39 et
sqq.
115 The EU legislature’s has a margin of appreciation here, but the ECJ highlights that, where
interference with fundamental rights is at issue, the extent of the EU legislature’s discretion regarding
judicial review of compliance with those conditions may prove to be limited, depending on, in
particular, the area concerned, the nature of the right at issue, the nature and seriousness of the
interference and the object pursued by the interference.
116 See n. 104.
117 Judgment of the ECJ (Grand Chamber) of April 8, 2014, C-293/12 and C-594/12, paras 49 et
sqq.
98 M. Albers
being made in the light of the objective of fighting against serious crime. It explained
in more detail that the DRD did not require any relationship between the data whose
retention is provided for and a threat to public security. On the contrary, it applied to all
persons using electronic communications services and therefore even to persons for
whom there is no evidence suggesting that their conduct might have any connection
with serious crime. It did not provide for any precautions with a view to obligations
of professional secrecy.118 In particular, there were no restrictions of retention in
relation to data pertaining to a particular time period and/or a particular geographical
zone and/or to a circle of particular persons likely to be involved in a serious crime, or
to persons who could contribute, through the retention of their data, to the prevention,
detection or prosecution of serious offenses.119 Secondly, the Court also held that
the directive failed to provide for sufficient safeguards to ensure effective protection
of the data considering its vast quantity as well as its sensitive nature and the risk of
abuse. Instead, a particularly high level of protection and security should be applied
by the providers by means of technical and organizational measures.120 Thirdly, the
directive failed to confine the authorities’ access to the data and its subsequent use to
sufficiently serious criminal offenses121 and to lay down substantive and procedural
thresholds, for instance the requirement of a prior review of authorities’ requests
for access and use by a court or an independent administrative body.122 Fourthly, the
period of time for which data should be withheld was not sufficiently differentiated in
terms of categories of data and their possible usefulness for the purposes or according
to the persons concerned.123 That period was set at between a minimum of six months
and a maximum of 24 months without any objective criteria being discernible that
would have provided information on how to determine the period of retention. Finally,
the Court criticized that the DRD did not call for data to be retained within the EU
to ensure control by an independent authority.124
As a result of these considerations, the DRD was declared invalid. However, the
extent to which this judgment required what adjustments of member state laws was
(and is) not fully clear. Only the directive which obliged member states to introduce
data retention rules or to adapt their existing rules no longer exists. This does not
say anything about the extent to which such member state rules are allowed under
Union law. Against this background, there are a number of member states that have
maintained or, like Germany, reintroduced in an amended form their rules on data
118 Judgment of the ECJ (Grand Chamber) of April 8, 2014, C-293/12 and C-594/12, para 58.
119 Judgment of the ECJ (Grand Chamber) of April 8, 2014, C-293/12 and C-594/12, para 56 et
sqq.
120 Judgment of the ECJ (Grand Chamber) of April 8, 2014, C-293/12 and C-594/12, para 66 et
sqq.
121 Judgment of the ECJ (Grand Chamber) of April 8, 2014, C-293/12 and C-594/12, para 60 et sqq.
On the difficulties caused by the limited areas of competence of the EU, which also explain why the
DRD rules on access by security authorities do not go into detail, see Bignami (2007), pp. 238ff.
122 Judgment of the ECJ (Grand Chamber) of April 8, 2014, C-293/12 and C-594/12, para 62.
123 Judgment of the ECJ (Grand Chamber) of April 8, 2014, C-293/12 and C-594/12, para 63.
124 Judgment of the ECJ (Grand Chamber) of April 8, 2014, C-293/12 and C-594/12, para 68.
Surveillance and Data Protection Rights: Data Retention … 99
retention. With the nullification of the DRD, the compatibility of these rules with
Union law depends on the scope, the precautions and the limitations of the ePrivacy
Directive.125
Questions arising in the context of the ePrivacy Directive were the subject of the
“Tele2 Sverige” ruling handed down by the ECJ in December 2016.126 As a general
rule established in this directive, providers of publicly available electronic commu-
nications services are required to erase or anonymize personal data where it is no
longer needed for transmission, billing or other service purposes. However, Article
15 ePrivacy Directive states that member states may adopt legislative measures to
restrict the scope of the rights and obligations specified in this directive when such
restriction constitutes a necessary, appropriate and proportionate measure within a
democratic society to safeguard, inter alia, public security and the prevention, inves-
tigation, detection and prosecution of criminal offenses. Under these conditions and
in accordance with the general principles of Community law, legislative measures
providing for the retention of data for a limited period justified on particular grounds
are explicitly allowed.
The ECJ explained that the interpretation of Article 15 ePrivacy Directive leads
to the result that the contested national legislation on data retention falls within
the scope of EU law. From the point of view of the Court, this is true despite the
limited competence of the EU in the area of crime prevention and prosecution,
because Article 15 ePrivacy Directive expressly authorizes the member states to
adopt legislation permitting data retention only if certain restrictions are adhered
to.127 In this respect, the ECJ reaffirmed and specified the requirements it had already
set out in its “Digital Rights Ireland” decision.
Article 15 ePrivacy Directive must be interpreted in the light of the fundamental
rights guaranteed by the CFR, particularly in the light of Articles 7 and 8 CFR,
but also in the light of Article 11 CFR. As a result and in line with the “Digital
Rights Ireland” decision, it precludes national legislation which, for the purpose of
fighting crime, provides for the general and indiscriminate retention of all traffic
and location data of all subscribers and registered users related to all means of
electronic communication.128 However, the ECJ made further observations on the
paras 73ff.
128 Judgment of the ECJ (Grand Chamber) of December 21, 2016, C-203/15 and C-698/15, para
112.
100 M. Albers
conditions under which data retention rules are permitted. Beyond precise rules
governing the scope and application of such data retention measures and imposing
minimum safeguards, the retention of data must meet objective criteria that establish
a connection between the data to be retained and the objective pursued in the context
of prevention, investigation, detection and prosecution of serious crime. The national
legislation must be based on objective evidence which makes it possible to identify
a public whose data is likely to reveal a link, at least an indirect one, with serious
criminal offenses, and to contribute in one way or another to fighting serious crime or
to preventing a serious risk to public security.129 The Court explained more closely
that such limits might be set by using a geographical criterion where the competent
national authorities consider, on the basis of objective evidence, that in one or more
geographical areas, a high risk of preparation for or commission of such offenses
exists.130
The grounds for the “Tele2 Sverige” judgment, in conjunction with the previous
declaration of the invalidity of the DRD in the “Digital Rights” decision, required
adjustments to national legislation.131 However, the member states have not abol-
ished their data retention regulations, but have modified them, if at all. They have
argued that there is room for interpretation of the ECJ rulings and that they have
their own competences in the field of national security and public safety. As a result,
further cases have been and are pending before the ECJ and over time, its rulings are
turning toward more differentiated approaches. In a decision that centered solely on
the accessibility of data for security agencies, the ECJ has set lower requirements
for access to mere identification data132 —entirely in line with the FCC.133 The next
detailed leading decision on data retention, the “Quadrature du Net and Others”
judgment,134 dealt with the question of whether French and Belgian regulations
were compatible with European Union law. These regulations obliged electronic
129 Judgment of the ECJ (Grand Chamber) of December 21, 2016, C-203/15 and C-698/15, para
111.
130 Judgment of the ECJ (Grand Chamber) of December 21, 2016, C-203/15 and C-698/15, para
111.
131 For an overview, see the Eurojust report “Data retention regimes in Europe in light of the CJEU
ruling of December 21, 2016 in Joined Cases C-203/15 and C-698/15,” Council EU, Doc 10098/17;
and European Commission, Study on the retention of electronic communications non-content data
for law enforcement purposes: Final report, 2020.
132 Judgment of the ECJ (Grand Chamber) of October 2, 2018, C-207/16, paras 57 et sqq., available at
curia.europa.eu. The ECJ has explicitly excluded the question of whether the Spanish Ley 25/2007
de conservación de datos relativos a las comunicaciones electrónicas y a la redes públicas de
comunicaciones that provides for obligations to retain data in accordance with the invalid DRD is
consistent with the requirements laid down in Article 15(1) of Directive 2002/58.
133 See Sect. 4.2.3 of this article and n. 101.
134 Judgment of the ECJ (Grand Chamber) of October 6, 2020, C-115/18, C-512/18 and C 520/18,
available at curia.europa.eu.
Surveillance and Data Protection Rights: Data Retention … 101
135 Judgment of the ECJ (Grand Chamber) of October 6, 2020, C-115/18, C-512/18 and C 520/18,
paras 169 et sqq.
136 Judgment of the ECJ (Grand Chamber) of October 6, 2020, C-115/18, C-512/18 and C 520/18,
paras 91 et sqq. See also judgment of the ECJ (Grand Chamber) of October 6, 2020, C-623/17,—
Privacy International, available at curia.europa.eu, paras 34 et sqq.
137 Judgment of the ECJ (Grand Chamber) of October 6, 2020, C-115/18, C-512/18 and C 520/18,
para 137.
138 Judgment of the ECJ (Grand Chamber) of October 6, 2020, C-115/18, C-512/18 and C 520/18,
concerned and the retention period adopted, to what is strictly necessary.139 Once
again, the ECJ highlighted that limits might be set using a geographical criterion or
criteria that are oriented to categories of persons whose data are likely to be relevant
for the specified purposes.140 It is essential that sufficiently clear substantive and
procedural conditions and safeguards exist. This applies to both storage by private
companies and possible access and use by state authorities. In comparison to the
preceding judgments, the ECJ differentiated more clearly between these steps of
data processing. Regulations governing the access of the competent authorities to
retained data as well as their use must not only ensure compliance with the specified
purposes but must also lay down further substantive and procedural conditions.141
For example, the authorities’ access to retained data have to be subject to a prior
review carried out by a court or by an independent administrative body.142
Under similar but adjusted conditions and safeguards, legislative measures that
provide for the general and indiscriminate retention of IP addresses assigned to the
source of an Internet connection are not precluded.143 In reviewing the measures
concerning the general and indiscriminate retention of data relating to the civil
identity of users of electronic communications systems, the Court arrived at lower
requirements.144
In a nutshell, data retention rules are not excluded, but are subject to a differentiated
classification and multilayered restrictive conditions. How these conditions are to be
understood in detail is controversial in the current general discussion.
In Germany, the legislator did not immediately adapt the provisions declared uncon-
stitutional by the FCC, but waited for the “Digital Rights” decision of the ECJ that
139 Judgment of the ECJ (Grand Chamber) of October 6, 2020, C-115/18, C-512/18 and C 520/18,
paras 140 et sqq.
140 Judgment of the ECJ (Grand Chamber) of October 6, 2020, C-115/18, C-512/18 and C 520/18,
520/18, para 176, and the subsequent decision of the ECJ (Grand Chamber) of March 2, 2021,
C-746/18,—H. K., para 49. See also judgment of the ECJ (Grand Chamber) of October 6, 2020,
C-623/17,—Privacy International: Article 15 ePrivacy Directive, read in the light of Articles 7, 8
and 11 CFR, must be interpreted as precluding national legislation enabling a State authority to
require providers of electronic communications services to carry out the general and indiscriminate
transmission of traffic and location data to the security and intelligence agencies for the purpose of
safeguarding national security.
142 More closely judgment of the ECJ (Grand Chamber) of March 2, 2021, C-746/18, para 51 et
sqq.
143 Judgment of the ECJ (Grand Chamber) of October 6, 2020, C-115/18, C-512/18 and C 520/18,
expressly concerned the compatibility of the DRD with European fundamental rights.
After this decision had been handed down, the German parliament approved laws
reintroducing data retention.145 The legislator claimed to comply with the require-
ments of both Germany’s FCC and the ECJ. The provisions were supposed to be
implemented by providers by July 1, 2017. Among other things, the range of data
permitted to be stored was reduced, e.g., e-mail services’ data was excluded, the
retention periods were differentiated into between four and ten weeks according
to data categories, protective measures for professional secrets were provided, the
provisions for data security were significantly tightened, the transmission thresholds
were raised, access and use for prosecution purposes were linked to a listed catalog
of criminal offenses, and various procedural safeguards were introduced. Regarding
the “Tele2 Sverige” decision of the ECJ, the German legislator saw no reason to
change the law already enacted.
However, constitutional complaints against this new law have once again been
submitted to the FCC.146 The administrative courts concerned with the data retention
obligations have delivered several preliminary and main rulings with the result that the
obligations are unlawful.147 They highlight, in particular, the fact that the requirement
to restrict in any suitable manner the circle of persons affected by data retention has
not been met.148 The Federal Administrative Court has referred this matter to the ECJ,
questioning whether national legislators are denied any possibility of establishing
data retention without cause in order to combat serious crime, even if they limit the
risks of personality profiling and provide strict data security and access rules. In the
meantime, an oral hearing before the ECJ has taken place, the Advocate General has
delivered his opinion in November 2021 and a new leading decision of the ECJ is
expected in 2022.149 In view of the existing legal uncertainties, the Federal Network
Agency has provisionally suspended the providers’ obligation to retain data.
In the pending main proceedings, the FCC is facing the task to assess the German
regulation against the background of EU law and the jurisdiction of the ECJ. This is
all the more challenging in view of the fact that EU legislation and, as we have seen,
the case law of the ECJ are developing dynamically. For several years, an ePrivacy
Regulation to replace the ePrivacy Directive has been the subject of fierce political
145 Gesetz zur Einführung einer Speicherpflicht und einer Höchstspeicherfrist für Verkehrsdaten, v.
10.12.2015, BGBl. I 2218.
146 1 BvR 141/16, 229/16, 2023/16 and 2683/16. Applications for interim measures have been
rejected twice by the FCC because of the complexity of the legal issues and as a result of a balancing
of consequences, as is usual in proceedings for interim relief, see FCC, Ruling of June 8, 2016, 1
BvQ 42/15, and ruling of March 26, 2017, 1 BvR 3156/15.
147 Adminstrative Court of Cologne, Ruling of January 25, 2017 - 9 L 1009/16; Higher Adminis-
trative Court of North Rhine-Westphalia, Ruling of June 22, 2017 – 13 B 238/17; Administrative
Court of Cologne, Judgment of April 20, 2018 – 9 K 3859/16.
148 Cf. Higher Administrative Court of North Rhine-Westphalia, Ruling of June 22, 2017 – 13 B
238/17, paras 80ff..; Administrative Court of Cologne, Judgment of April 20, 2018 – 9 K 3859/16,
paras 88ff.
149 Cf. the decision for referral to the ECJ: Federal Administrative Court, Ruling of September 25,
2019, 6 C 12/18. The opinion of Advocate General Campos Sánchez-Bordona has been delivered on
November 18, 2021; the cases are pending before the ECJ as joined Cases C-793/19 and C-794/19.
104 M. Albers
debate. The German legislative bodies are also considering a revision of the German
data retention regulations.
Data retention proves to be a good example of modern surveillance practices under the
conditions of the Internet and of needs for protection that arise as a result of this. It has
also become clear that such surveillance offers many elements which can be made use
of for regulation. It is necessary to break down the problem in more detail with respect
to a series of questions. Which data and which persons, enterprises or authorities are
involved? To what extent and for what primary purposes does data already accrue for
what period of time? How is the data collection and storage activity of enterprises
regulated in this respect? What about data security measures and protection against
misuse? What is the relationship between primary, secondary and possibly further
purposes? For what secondary purposes do which security authorities shall have
access to which data under what conditions and intervention thresholds and in what
form? Which control mechanisms already exist or should be implemented?
Data retention is also a good example of the interactions between courts, in
particular between national constitutional courts, ECJ and member states’ appellate
courts.150 Although the extent to which the FCC was to have jurisdiction to examine
the legal complaints was questionable, this Court fully reviewed the contested provi-
sions151 and opened up the avenue of a strategically important review of whether data
retention provisions conformed to fundamental rights. Its judgment, issued in 2010,
has developed the orientation effects in the proceedings before the ECJ which the
FCC may have expected in the case of such proceedings. This successful outcome
may have encouraged the FCC to assign to itself far-reaching judicial review powers
with regard to both national fundamental rights and the fundamental rights of the
Charter of the European Union in cases in which European Union law is being imple-
mented, as it did in its two decisions on the right to be forgotten.152 By comparison
with the data retention decisions, we can clearly see that the ECJ adopted some of
the considerations and requirements that the FCC had elaborated. In turn, by being in
some respects more critical than the FCC, the ECJ took advantage of the opportunity
150 See more closely for these interactions Slaughter (2004); Maduro (2009); Voßkuhle (2010);
Albers (2012). With regard to data retention: Zubik et al. (2021), pp. 229 ff.
151 This was initially justified succinctly by the fact that there is nothing to preclude an examination
on the basis of fundamental rights if the ECJ were to declare the directive null and void by way of a
preliminary ruling. Cf. Judgment of the FCC of March 2, 2010, 1 BvR 256/08, 263/08, and 586/08,
para 182. This reasoning can be challenged because its latter part is based solely on an assumption
and remains hypothetical, cf. Albers and Reinhardt (2010), p. 769.
152 Judgments of the FCC of November 6, 2019, 1 BvR 16/13 and 1 BvR 276/17. As to the right to
be forgotten, see Sarlet (2022), in this volume; and Schimke (2022), in this volume.
Surveillance and Data Protection Rights: Data Retention … 105
to distinguish itself as an even better fundamental rights Court.153 The role of the
non-constitutional national courts, which are no longer oriented solely to the highest
courts of their country, but—by requesting a preliminary ruling—also to the ECJ and
thus gain in their relative independence, should also be emphasized.
Now what are the key points that the Courts have worked out for data retention
as a paradigm for modern surveillance measures? Where do their approaches and
criteria resemble each other and where do they differ?
Both the FCC and the ECJ rightly point out that surveillance is a process with
several elements: It is not limited to data collection but includes further steps such
as storage over a period of time, access to data, its analysis and the translation
of acquired knowledge into decisions.154 The Courts break down this process to a
certain extent, assess relevant steps as an autonomous impairment of the relevant
fundamental rights and develop relatively independent legal requirements for each.
Thus, attention should be paid to the question of how the Courts deal with the problem
that frequently arises under the conditions of the Internet: The different steps of the
surveillance processes are more or less uncoupled from each other.155 In the case
of data retention discussed here, private companies collect and store the data, while
the security authorities access and use specific data at a later date under certain
conditions. Is the data retention in any way already surveillance in the sense of the
concept that we have fleshed out, even though it is possible that there is no access at
all by security authorities, but the data are, due to lack of relevance, deleted after the
storage period in an automated form? Is this really a matter of “mass surveillance”
by the state?
The legal assessment is facilitated by the fact that telecommunications are
protected by quite abstract guarantees that cover the entire process of communication
and handling of telecommunications data (Article 10 German Basic Law, Articles
7 and 8 EU-CFR). The FCC argues that the complainants contest an extension of
storage with regard to which service providers were obliged, solely as auxiliaries, to
carry out state tasks. Hence, the retention of the data is legally accountable to the state
and to be classified as an element of state surveillance with regard to all data held
available. However, the existing “private–public assemblage” and the uncoupling
of the individual steps of the surveillance still play a vital decisive role: Beside the
Court’s assessment of proportionality, they influence its view that the data retention
case is not a matter of storing non-anonymous data for indefinite or not yet defin-
able purposes or of bulk surveillance without cause, but “a precautionary storage of
telecommunications traffic data without cause for later transmission with cause”.156
The persuasiveness of the Court’s quite sophisticated considerations suffers from
the fact that such an approach does not properly address the new problem of datafi-
cation of all life circumstances and the broad mass surveillance potential inherent
153 Cf. also Kühling (2014); Granger and Irion (2014), pp. 844ff.
154 Cf. Sect. 2.1 of this article.
155 See Sect. 2.1 of this article.
156 Cf. Sect. 4.2.2 of this article.
106 M. Albers
therein.157 The FCC itself recognizes this and tries to counter it by requiring that
the precautionary storage of telecommunications traffic data without cause must
remain an exception and that the exercise of freedom may not be recorded and regis-
tered in its entirety. However, it does not become clear what the implementation and
operationalization of these vague remarks might look like.
The ECJ also emphasizes that there is a legal obligation imposed on providers to
retain the data. In the initial judgments, it does not differentiate as strongly as the
FCC between storage by private companies and possible use by state authorities.
This is due to the fact that the directive has set few standards for avoiding the risk of
abuse of the data during storage and confining the authorities’ access to the data.158
Against such a background, the bulk surveillance character of the established data
retention suggests itself. This explains the limitations called for by the ECJ: a link,
at least an indirect one, between the data to be retained and the objective pursued
in the context of fighting serious crimes.159 It upholds this in principle in the recent
judgments, although introducing some differentiations as well. The persuasiveness
of these considerations suffers from the fact that the proposed limitations, e. g.,
using geographical criteria, do not seem to be appropriate, but rather eclectic. Data
retention in the telecommunications sector aims at retaining data while its potential
link to criminal offenses can only be worked out at a later time, because only then
will the evidence for criminal offenses have been consolidated and the relevance
of certain data becomes evident. It is not as if the legislator were to refrain from
setting limits, although they could easily be provided for. The fact that the ECJ hints
at a compatibility of data retention with fundamental rights provided that particular
limits are set, which, however, do not capture the problem to be solved, is the reason
for the ongoing debates.
The next point that deserves attention concerns the description of the interests
protected. At the outset, both Courts remain relatively abstract, because they base
their decisions on broadly defined formal rights, namely the guarantee of the invi-
olability of telecommunications (Article 10 German Basic Law) and the protec-
tion of private life and data protection (Articles 7 and 8 CFR). In assessing the
intensity of the infringement and in the context of proportionality, however, they
specify the protected interests. Both Courts highlight the informative value of the
data retained.160 The influence that technologies can have on the format or selec-
tivity of data is not the main focus here; in other cases this will require appropriate
elaboration. The data retained makes it possible to create meaningful personality
and mobility profiles and draw conclusions with a more or less reliable degree of
probability about individual activities, social relationships, political affiliations and
preferences or decision-making processes within groups. The Courts add further
aspects that have been mentioned in the general discussions on the effects of surveil-
lance: The persons affected have not given any cause for being subject to surveillance
by security authorities. Such surveillance without cause and its quantitative range
as well as the details and quality of the data may result in the “diffusely threatening
feeling of being watched”161 or generate “in the minds of the persons concerned the
feeling that their private lives are the subject of constant surveillance”.162 The holders
of the pertinent fundamental rights are protected against others gaining knowledge
about them through the telecommunications surveillance in question and against
being subjected to surveillance. There may be technical tools for self-protection;
however, part of freedom is that individuals cannot be subjected to pressure to use
them and apart from this, at least the German legislator has imposed obligations on
access providers that make such self-protection more difficult.163 The Courts also
address the increased risk of being exposed to further investigations which subse-
quently turn out to be unfounded, as well as the increased risk of being affected by
abuse of the data collected. They emphasize that the effects they have mentioned can
have further detrimental consequences for the free exercise of fundamental rights
in many fields. The interests protected are described at a rather abstract preliminary
level covering a situation before specific infringements are definable and therefore
given particular weight in the balancing process. What matters in the first instance
is the possibilities offered by the data as well as the perspective of and impact on the
persons affected. The question is now whether these impairments can be regulated
and possibly excluded by means of an appropriate legal framework, as the FCC has
assumed in its decision.
The requirements for legal frameworks must once again respond to the fact that
surveillance is a multi-layered process with different steps in specific social contexts
and that the persons concerned are affected differently by the various forms, methods
and modes of surveillance. Both Courts derive a bundle of highly differentiated inter-
dependent requirements from fundamental rights with regard to the measures data
retention calls for, the individual rights to be acknowledged, control, and evaluation.
Considering the stages of surveillance via data retention, there are manifold refer-
ence points for regulation. Data retention is based on the fact that certain data already
exist and are stored. European telecommunications law is characterized by the fact
that particular regulatory requirements for telecommunications or telemedia services
determine which data is stored for how long, by which responsible data controller
and for what primary purpose. The data retention obligations then specify which data
is to be retained by which controller for how long, for what purposes, in what form
and under what conditions. The question of when access for secondary purposes is
legal also offers a variety of reference points for regulation: Under what conditions
do which security authorities have access to which data? The legislator must describe
in more detail the investigative purposes and the dangers or criminal offenses that
are supposed to legitimize access. It must also regulate which basis of facts and
161 Judgment of the FCC of March 2, 2010, 1 BvR 256/08, 263/08, and 586/08, para 212.
162 Judgment of the ECJ (Grand Chamber) of April 8, 2014, C-293/12 and C-594/12, para 37.
163 Section 4.2.4 of this article.
108 M. Albers
which degree of probability is required for the security authorities to predict that
such dangers are imminent or to assume that crimes have already been committed.
The retained data to which access is requested must be suitable and necessary for
further investigation. Each of these elements as well as their interplay can be assessed
against the background of fundamental rights standards and may or may not satisfy
the resulting requirements. For example, the FCC has set specific requirements for
the legislator to ensure data security on the part of service providers, which are
intended to ensure that the risks of abuse are reduced as far as possible. And in its
decision, the manifold restrictions to access by the security authorities were crucial.
In its recent judgments, the ECJ has also adopted a precise and detailed approach.
In addition, both Courts concluded that a list of different individual rights must
be established in the case of surveillance. This starts with claims that the contested
surveillance must be omitted. In case a general omission cannot be successfully
claimed, further rights arise. These include, for example, accessory claims to protec-
tive and data security measures, rights to information about surveillance and subse-
quent measures, rights to the establishment of appropriate controls, and rights to
judicial review.
A particularly important role has been given to an independent control of compli-
ance with the regulations. In the data retention procedures, both the FCC and the ECJ
highlight the need for a judge’s proviso or at least control by an independent authority
at central points in data processing, especially regarding the transfer of personal data
from the providers to the security authorities.164 They also emphasize that there must
be sufficient remedies for the individual to have a possible violation of his or her
rights examined through judicial review. As a result of analyses of surveillance on
the Internet, the need to establish independent oversight or controls beyond possible
violations of individual rights is also becoming increasingly clear.165
This overlaps to a certain extent with the requirement to establish evaluations.
Their aim is not to check the legality of behavior or to examine effectiveness. Against
the background of guaranteeing fundamental rights, evaluations rather have the func-
tion of checking whether the actual circumstances and developments correspond to
the forecasts and assumptions on which the legislature based the establishment of a
particular surveillance measure, for example data retention, and the shaping of its
regulation. In addition, an evaluation has the function of assessing what effects the
chosen legal regulations have, especially with regard to violations of constitutional
and fundamental rights. The purpose of the evaluation is to ensure that the experi-
ence gained from implementation is passed on to the legislature and provides the
basis for improvements. This is particularly important in the case of data retention or
other complex surveillance measures. Here, many questions of suitability, necessity,
164 Cf. Molinaro and Ruaro (2022), Sect. 4 in this volume (regarding the importance of control by
a judicial or independent administrative body in Brazilian law).
165 In its decision on the competencies of the Federal Intelligence Service for surveillance of
telecommunications abroad, the German FCC places particular emphasis on the establishment
of independent, comprehensive and multifarious controls beyond individual rights, see FCC, Judg-
ment of May 19, 2020, 1 BvR 2835/17, paras 272ff., available at http://www.bundesverfassungsg
ericht.de. See also Bos-Ollermann (2017), pp. 147ff.
Surveillance and Data Protection Rights: Data Retention … 109
As a result of the rise of the Internet and the onlife world, data collections of private
companies, data retention and subsequent governmental data access and use will
take on ever increasing importance as surveillance strategies. The forms surveillance
takes are impacted by digitization and by the Internet. In addition, technologies are
continuously being developed, particularly in the area of artificial intelligence, that
are capable of analyzing huge amounts of data.
Retention of data generated in telecommunications in order to enable security
agencies at a later point in time to gain access to and make use of this data for security
purposes is an illustrative example of how the Internet impacts the forms surveillance
takes and creates new challenges for fundamental rights. Prompted by mass protests
against bulk surveillance, the regulations on data retention have been brought before
the national courts and the ECJ. The courts are still struggling to describe protection
needs and to develop appropriate legal requirements. Even though a spectrum of legal
requirements and a bundle of individual rights as well as demands for oversight and
evaluation have been worked out in the leading decisions, we should not expect too
much from courts. Court proceedings and court decisions have institution-specific
limitations which mean that the questions that arise are always answered only on a
case-by-case basis, selectively and from the perspective of specified judicial reviews.
In court proceedings, the overarching societal situation with the constantly growing
number of surveillance measures and their combination is just as difficult to grasp
as the dynamic development of technical possibilities.167
The substantive discussion in this field is only in its early stages. We have to
deepen thinking about appropriate solutions to the surveillance potential inherent on
the Internet and in datafication.
References
Aftab S (2022), Online anonymity—the Achilles’-heel of the Brazilian Marco Civil da Internet.
In: Albers M, Sarlet IW (eds) Personality and data protection rights on the internet. Springer,
Dordrecht, Heidelberg, New York, London (in this volume)
166 Cf. Albers (2010a). See also more broadly Clarke (2015), pp. 129ff. Empirical studies are
complicated and rare; see, as an example, Max Planck Institut für ausländisches und internationales
Strafrecht (2011).
167 See also Koops et al. (2019), pp. 685ff (discusses whether the protection of privacy has to be
reframed).
110 M. Albers
Albers M (2001) Die Determination polizeilicher Tätigkeit in den Bereichen der Straftatenverhütung
und der Verfolgungsvorsorge. Duncker & Humblot, Berlin
Albers, M (2005) Informationelle Selbstbestimmung. Nomos, Baden-Baden.
Albers M (2010a) Funktionen, Entwicklungsstand und Probleme von Evaluationen im
Sicherheitsrecht. In: Albers M, Weinzierl R (eds) Menschenrechtliche Standards in der Sicher-
heitspolitik. Beiträge zur rechtsstaatsorientierten Evaluierung von Sicherheitsgesetzen. Nomos,
Baden-Baden, pp 25–54
Albers M (2010b) Grundrechtsschutz der Privatheit. Deutsches Verwaltungsblatt (DVBl):1061–
1069
Albers M (2012) Höchstrichterliche Rechtsfindung und Auslegung gerichtlicher Entscheidungen.
In: Grundsatzfragen der Rechtsetzung und Rechtsfindung, VVDStRL vol 71, pp 257–295
Albers M (2018) Recht & Netz: Entwicklungslinien und Problemkomplexe. In Albers M, Katsivelas
I (eds) Recht & Netz, Nomos, Baden-Baden, pp 9–35
Albers M, Reinhardt J (2010) Vorratsdatenspeicherung im Mehrebenensystem: Die Entscheidung
des BVerfG vom 2. 3. 2010. Zeitschrift für das juristische Studium (ZJS):767–774
Bauman Z, Bigo D, Esteves P, Guild E, Jabri V, Lyon D, Walker RBJ (2014) After Snowden:
rethinking the impact of surveillance. Int Polit Soc 8(2):121–144
Bennett CJ, Haggerty KD, Lyon D, Steeves V (2014) Transparent lives: surveillance in Canada. AU
Press, Edmonton
Bos-Ollermann H (2017) Mass surveillance and oversight. In: Cole DD, Fabbrini F, Schulhofer S
(eds) Surveillance, privacy and transatlantic relations. Hart Publishing, Oxford, Portland, Oregon,
pp 139–154
Cate FH, Dempsey JX (2017) Bulk collection: systematic government access to private-sector data.
Oxford University Press, New York
Clarke R (1988) Information technology and dataveillance. Commun ACM 31(5):498–512
Clarke R (2015) Data retention as mass surveillance: the need for an evaluative framework. Int Data
Priv Law 5(2):121–132
Cohen JE (2017) Surveillance versus privacy: effects and implications. In: Gray D, Henderson
SE (eds) the Cambridge handbook of surveillance law. Cambridge University Press, New
York/Cambridge, pp 455–469
Coleman R, McCahill M (2010) Surveillance and crime. Sage, London, Thousand Oaks, New Delhi,
Singapore
Cukier K, Mayer-Schönberger V (2013) Big data: a revolution that will transform how we live,
work, and think. Eamon Dolan, Houghton/Mifflin/Harcourt
Determann L (2017) Business responses to surveillance. In: Gray D, Henderson SE (eds) The
Cambridge handbook of surveillance law. Cambridge University Press, New York/Cambridge,
pp 372–391
de Vries K, Bellanova R, De Hert P, Gutwirth S (2013) The German constitutional court judgment
on data retention: proportionality overrides unlimited surveillance (doesn’t it?). In: Gutwirth S,
Poullet Y, De Hert P, Leenes R (eds) Computers, privacy and data protection: an element of
choice. Springer, Dordrecht, pp 3–23
Doneda D, Zanatta RAF (2022) Personality rights in Brazilian data protection law: a historical
perspective. In: Albers M, Sarlet IW (eds) Personality and data protection rights on the internet.
Springer, Dordrecht, Heidelberg, New York, London (in this volume)
Floridi L (ed) (2015) The Onlife Manifesto: being human in a hyperconnected era. Springer, Cham,
Heidelberg, New York, Dordrecht, London
Gazeas N (2014) Übermittlung nachrichtendienstlicher Erkenntnisse an Strafverfolgungsbehörden.
Duncker & Humblot, Berlin
Granger MP, Irion K (2014) The court of justice and the data retention directive in Digital Rights
Ireland. Telling off the EU legislator and teaching a lesson in privacy and data protection. EL
Rev 39:835–850
Greenwald G (2014) No place to hide: Edward Snowden, the NSA, and the U.S. Surveillance State.
Metropolitan Books, Henry Holt, New York.
Surveillance and Data Protection Rights: Data Retention … 111
Grimm D (1991) Verfassungsrechtliche Anmerkungen zum Thema Prävention. In: Grimm D, Die
Zukunft der Verfassung, Suhrkamp, Frankfurt a. M., pp 197–220
Harding L (2014) The Snowden files: the inside story of the world’s most wanted man. Vintage,
New York
Hildebrandt M (2016) Smart technologies and the end(s) of law. Edward Elgar, Chel-
tenham/Northampton
Katsivelas I (2018) Das Geschäft mit der Werbung: Finanzierungsmechanismen, personalisierte
Werbung und Adblocker. In: Albers M, Katsivelas I (eds) Recht & Netz, Nomos, Baden-Baden,
pp 207–248
Koops, B-J (2014) On legal boundaries, technologies, and collapsing dimensions of privacy (April
10, 2014). Politica e Società 3(2):247–264. Available at SSRN https://ssrn.com/abstract=258
1726. Accessed 11 Jan. 2022
Koops B-J, Newell BC, Škorvánek I (2019) Location tracking by police: the regulation of “tireless
and absolute surveillance”. 9 U.C. Irvine Law Rev 635–698
Kühling J (2014) Der Fall der Vorratsdatenspeicherungsrichtlinie und der Aufstieg des EuGH zum
Grundrechtsgericht. Neue Zeitschrift für Verwaltungsrecht (NVwZ) 681–685
Lachmayer K, Witzleb N (2014) The challenge to privacy from ever increasing state surveillance:
a comparative perspective. UNSW Law J 37(2):748–783
Lemos, R (2014) A bill of internet rights for Brazil. Available at https://www.accessnow.org/a-bill-
of-internet-rights-for-brazil/. Accessed 11 Jan. 2022
Lyon D (2003) Surveillance as social sorting. In Lyon D (ed) Surveillance as social sorting. Privacy,
risk, and digital discrimination. Routledge, London, New York, pp 13–30
Lyon D (2007) Surveillance studies: an overview. Polity Press, Cambridge/Malden
Maduro MP (2009) Courts and pluralism: essay on a theory of judicial adjudication in the context of
legal and constitutional pluralism. In: Dunoff JL, Trachtmann JP (eds) Ruling the world? Consti-
tutionalism, international law, and global governance. Cambridge University Press, Cambridge,
pp 356–380
Marsch N (2018) Das europäische Datenschutzgrundrecht: Grundlagen–Dimensionen–Verflech-
tungen. Mohr Siebeck, Tübingen
Max-Planck-Institut für ausländisches und internationales Strafrecht (2011) Schutzlücken durch
Wegfall der Vorratsdatenspeicherung? Eine Untersuchung zu Problemen der Gefahrenabwehr
und Strafverfolgung bei Fehlen gespeicherter Telekommunikationsverkehrsdaten. Gutachten im
Auftrag des Bundesamtes für Justiz, 2nd edn. Freiburg i.Br.
Milaj J, Kaiser C (2017) Retention of data in the new anti-money laundering directive—“need to
know” versus “nice to know.” Int Data Priv Law 7(2):115–125
Mitrou L (2010) The impact of communications data retention on fundamental rights and democ-
racy—the case of the EU data retention directive. In: Haggerty KD, Samatas M (eds) Surveillance
and democracy, pp 127–147
Molinaro CA, Ruaro RL (2022) Privacy protection with regard to (tele-)communications surveil-
lance and data retention. In: Albers M, Sarlet IW (eds) Personality and data protection rights on
the internet. Springer, Dordrecht, Heidelberg, New York, London (in this volume)
Orwell G (2008) Nineteen eighty-four. Penguin, London
Petersen JK (2012) Introduction to surveillance studies. CRC Press, Boca Raton
Poster M (1990) The mode of information: poststructuralism and social context, 2nd edn. University
of Chicago Press, Chicago
Reinhardt J (2022) Realizing the fundamental right to data protection in a digitized society. In: Albers
M, Sarlet IW (eds) Personality and data protection rights on the internet. Springer, Dordrecht,
Heidelberg, New York, London (in this volume)
Richards NM (2013) The dangers of surveillance. Harv Law Rev 126:1934–1965
Roßnagel A (2010) Die “Überwachungs-Gesamtrechnung”–Das BVerfG und die
Vorratsdatenspeicherung. Neue Juristische Wochenschrift (NJW) 1238–1242
Sarlet IW (2022) The protection of personality in the digital environment: an analysis in the light
of the so-called right to be forgotten in Brazil. In: Albers M, Sarlet IW (eds) Personality and data
112 M. Albers
protection rights on the internet. Springer, Dordrecht, Heidelberg, New York, London (in this
volume)
Schertel Mendes L, Mattiuzzo M (2022) Algorithms and discrimination: the case of credit scoring
in Brazil. In: Albers M, Sarlet IW (eds) Personality and data protection rights on the internet.
Springer, Dordrecht, Heidelberg, New York, London (in this volume)
Schimke A (2022) Forgetting as a social concept. Contextualizing the right to be forgotten. In: Albers
M, Sarlet IW (eds) Personality and data protection rights on the internet. Springer, Dordrecht,
Heidelberg, New York, London (in this volume)
Slaughter A-M (2004) A new world order. Princeton University Press, Princeton
Timan T, Galič M, Koops BJ (2017) Surveillance theory and its implications for law. In: Brownsword
R, Scotford E, Yeung K (eds) The Oxford handbook of law, regulation, and technology. Oxford
University Press, Oxford, pp 731–753
Tzanou M (2017) The fundamental right to data protection: normative value in the context of
counter-terrorism surveillance. Hart Publishing, Oxford, Portland
Vedaschi A, Marino Noberasco G (2017) From DRD to PNR: looking for a new balance between
privacy and security. In: Cole DD, Fabbrini F, Schulhofer S (eds) Surveillance, privacy and
transatlantic relations. Hart Publishing, Oxford, Portland, Oregon, pp 67–87
Veit RD (2022) Safeguarding regional data protection rights on the global internet—The European
approach under the GDPR. In: Albers M, Sarlet IW (eds) Personality and data protection rights
on the internet. Springer, Dordrecht, Heidelberg, New York, London (in this volume)
Voßkuhle A (2010) Der europäische Verfassungsgerichtsverbund. Neue Zeitschrift für Verwal-
tungsrecht (NVwZ) 1–8
Von Grafenstein M (2018) The principle of purpose limitation in data protection laws. Nomos,
Baden-Baden
Zedner L (2017) Why blanket surveillance is no security blanket: data retention in the United
Kingdom after the European data retention directive. In: Miller RA (ed) Privacy and power: a
translantic dialogue in the shadow of the NSA-affair. Cambridge University Press, Cambridge,
New York, pp 564–585
Zubik M, Podkowik J, Rybski R (2021) Judicial dialogue on data retention laws in Europe in the
digital age: concluding remarks. In: Zubik M, Podkowik J, Rybski R (eds) European constitutional
courts towards data retention laws. Springer, Cham, pp 229–249
Marion Albers Professor of Public Law, Information and Communication Law, Health Law
and Legal Theory at Hamburg University. Principal Investigator in the Brazilian/German
CAPES/DAAD PROBRAL-Research Project “Internet Regulation and Internet Rights”. Main
areas of research: Fundamental Rights, Information and Internet Law, Data Protection, Health
Law and Biolaw, Police Law and Law of Intelligence Services, Legal Theory and Sociology of
Law. Selected Publications: Recht & Netz: Enwicklungslinien und Problemkomplexe, in: Marion
Albers/Ioannis Katsivelas (eds.), Recht & Netz, Baden-Baden: Nomos, 2018, pp. 9–35; L’effet
horizontal des droits fondamentaux dans le cadre d’une conception à multi-niveaux, in: Thomas
Hochmann/Jörn Reinhardt (dir.), L’effet horizontal des droits fondamentaux, Editions Pedone,
Paris, 2018, pp. 177–216; Biotechnologies and Human Dignity, in: Dieter Grimm/Alexandra
Kemmerer/Christoph Möllers (eds.), Human Dignity in Context, München/Oxford/Baden-Baden:
C. H. Beck/Hart/Nomos, 2018, pp. 509–559, also published in Revista Direito Público, Vol. 15
(2018), pp. 9–49; A Complexidade da Proteção de Dados, Revista Brasiliera de Direitos Funda-
mentais e Justiça, Belo Horizonte, ano 10, n. 35, 2016, pp. 19–45.
Privacy Protection with Regard to (Tele-)
Communications Surveillance and Data
Retention
Abstract Law 12.965/2014 established the so-called Civil Framework for the
Internet. The principles of the law, especially the guarantee of net neutrality, freedom
of expression and privacy of users, have been established to maintain the openness
of the Internet. However, the Civil Framework for the Internet does not close the
debate on the Brazilian Internet regulation. Privacy and the protection of personal
data, for example, are protected by the General Law for the Protection of Personal
Data (LGPDP), Law 13.709 of August 14, 2018. In its Article 60, this Law amends
Law 12.965, of April 23, 2014, regarding the right of definitive deletion of personal
data, as well as the prohibition of storage of personal data which are excessive in rela-
tion to the purpose for which the data subject has given consent. The Brazilian Civil
Framework for the Internet establishes general principles, rights, and obligations for
the use of the Internet, as well as some relevant provisions on storage, use, treatment
and dissemination of data collected online. In addition, its Regulatory Act (Decree
8.771/2016) brought the first legal definition of personal data in its Article 14, letters
A and B. Other aspects of data privacy are still governed by general principles and
provisions on data protection and confidentiality in the Federal Constitution, in the
Brazilian Civil Code and in laws and regulations for other fields and types of relation-
ships (for example, financial institutions, health, consumers, telecommunications or
medical sector). This text studies the issues of privacy, data protection, and their
retention, given the rules of the Brazilian legal system, as established in the Civil
Framework of the Internet, following the general normative order. The methodology
uses bibliographic research in national and foreign doctrine, as well as legislation
C. A. Molinaro
formerly: Pontifical Catholic University of Rio Grande do Sul—Law School (PUCRS), Porto
Alegre, Brazil
R. L. Ruaro (B)
Pontifical Catholic University of Rio Grande do Sul—Law School (PUCRS), Porto Alegre, Brazil
e-mail: regina.ruaro@pucrs.br
and legal issues on what is pertinent to the subject and, to a lesser extent, for the
intended objectives.
1 Introduction
In recent years, with rapidly evolving technology and a more globalized culture,
the importance of privacy has become paramount. The legal protection of privacy
against these new technological threats is an essential point of discussion on all
planetary latitudes. Privacy and protection of personal data in an era of surveil-
lance, as well as the dissemination of technologies and its practices, covers several
interdependent and emerging issues surrounding the legal protection of privacy and
scientific-technological knowledge.1 However, absolute privacy is impossible in a
society where more and more people share personal information.
Modern information and communication technologies (ICT) have facilitated new
ways of communicating, distributing and collecting information. Moreover, they
induce socialization with previously unknown individuals, now new friends, and
also contribute to the formulation of advice, warnings and much more. Now we
can communicate directly in a way that was unthinkable a few decades ago. In
addition to the many advantages, new modes of communication have also created
risks, especially those associated with damages for violation of privacy rights and
misuse of personal data. It is worth remembering that the right to protection of
personal data results from the right to privacy, intimacy, and confidentiality.
The essay on this topic should expose how public or private information about
individuals are collected and processed, stored and maintained electronically or simi-
larly by public or private organs. The processing of personal data must be guided by
specific purposes and based on the consent of the data subject or on some legitimate
and legal basis that transcends this necessity. Moreover, everyone must have the right
to access personal data in the hands of a third party or oppose their processing, as
well as the right that the data are corrected or deleted. Legally, data protection is part
of the right to privacy, which is protected as a human (and fundamental) right, both in
the contemporary national constitutions and in international treaties and conventions.
This means that data protection principles already existed before the data protection
debate.2 The connection remains essential to this day. Even countries that do not
have separate legislative acts on data protection honor the right to data protection to
a certain extent, since almost all states have adhered to at least some conventions on
human rights.3
1 On the subject, notably for the US privacy protection system, refer to Donohue’s study (2016).
2 Cf. also with regard to personality rights in Brazilian law Doneda and Zanatta (2022), esp.
Section 3.2 and 3.3, in this volume.
3 A quick search on the website of “Constitute” (where the currently-in-force constitutions for
nearly every independent state in the world as well as some drafts and historical texts are covered)
developed by the authors of the Comparative Constitutions Project at the University of Texas at
Privacy Protection with Regard to (Tele-)Communications … 115
In the following, we will examine the threats that cyberspace represents for the
privacy of individuals, as well as the risks that surveillance technologies generate in
public spaces and digital communication. We will study media practices and privacy
frameworks in the fields of rights and digital management in the Brazilian legal
system, especially in the context of Internet regulation, where we will pay attention
to the study of chapters II and III of the Civil Framework for the Internet. We will
consider the problem generated by the retention of user data in the Brazilian system,
notably in Law 8,218, of August 29, 1991 (as amended by Provisional Measure 2158-
35 of August 24, 2001), in Law no. 12,850 of 2013 (Law on Criminal Organizations),
in Law no. 12,965 of 2014 (Civil Internet Framework), and in the Law 13,709 of
August 14, 2018. At the sub-statutory level, Resolutions 426 of 2005, 477 of 2007
and 614 of 2013 of the National Telecommunications Agency (ANATEL), applicable
to telephony and Internet providers, are relevant.
Austin, shows that 171 countries in the world include and guarantee by their constitutions the right
to privacy. See https://www.constituteproject.org/, search by subject. Accessed 11 Jan. 2022.
4 In a recent book, the investigative journalist Yasha Levine, examines the “private surveillance
business” that drives technology giants such as Google, Facebook and Amazon. He reveals how
these companies spy on their users and take advantage of that to provide (with obvious profits for
themselves) information to the military and intelligence services. Levine shows that the military
and Silicon Valley are effectively inseparable: Levine (2018).
116 C. A. Molinaro and R. L. Ruaro
• Anything, such as addresses or marks, written on the outside of a postal item (such
as a letter or package) that is in transmission;
• Tracking of online communication (including postal items and parcels);
• Telecommunications data generated whenever someone makes a phone call,
accesses the Internet or sends an e-mail.
In any way, it is indispensable—in the rule of law—to maintain democratic princi-
ples of access to the network, as well as security in the transmission and communica-
tion of data. Nonetheless, the war against terror may be the most common justification
for the emergence of the surveillance state, but it is not the only or the most important
reason.
The question is not whether we find ourselves in a surveillance state, but rather
what kind of surveillance state we are living in (?). So, do we have a government
without sufficient controls over public and private surveillance, or do we have a
government that protects individual dignity, freedom of expression and privacy rights,
reinvigorating the rule of law?
In the surveillance state, the government uses intelligence, spying, perspicacity
and data mining, collecting, altering, cleaning, modeling and analysis in order to
uncover the information needed to prevent potential threats, however, also to manage,
administer and provide social services. States of this type are a particular case of a
political unit founded under the so-called information society, states that attempt to
identify and resolve governance issues through the collection, compilation, analysis
and production of information.
In the ambiance of this state model, the breaking point between freedom and secu-
rity is privacy. This is particularly true because of the perplexity and the increasing
uncertainty of the threats of terrorism and the transgressions that occur on the Internet
(the ample space of cybercrime). These are facts that stimulated the restrictions (and
violations) of individual rights, affecting private life.5
Privacy is under permanent surveillance, arbitrary surveillance that threatens
human and fundamental rights (!). Surveillance is understood here in a broad sense,
as activity and mode of investigation, systematic and methodical, comprising the
surveillance of actions or communications of one or more institutions of any type or
people. A revival of the Benthamian Panopticon, more sophisticated and intrusive
(!). Alternatively, we can find a new vision of the same in the works of Foucault,6
where at least one or more particular activities, combined or not, are present, among
others, (a) behavioral surveillance, (b) communications surveillance, (c) data surveil-
lance (interception), (d) location surveillance and tracking, (e) body surveillance
(biometrics).
5 For these issues, we have well-founded and accurate literature, for example in English: Keller
(2017); in German: Reischl (2013); in Spanish: Rodríguez (2014); in Portuguese: Otero (2015).
6 For the subject, although in another critical approach, but by metaphor consult the doctoral thesis
held at the University of Twente, Netherlands, from 2007 to 2012 by Dorrestijn (2012), especially
Chap. 3 Technical mediation and subjectivation: Philosophy of technology after Foucault. Available
at: https://bit.ly/2FESCGM (permanent link). Accessed 11 Jan. 2022.
Privacy Protection with Regard to (Tele-)Communications … 117
Against this background and in the light of systematic intrusions into privacy
caused by invasive ICT innovations, do the democratic models of contemporary
western states provide a comprehensive system of fundamental and human rights?
The problem is not to affirm the existence of a system of rights, but rather to
uphold and enforce those rights regarding surveillance or espionage practiced by
such invasive technological innovations.7
Since September 11, 2001, when the United States declared war on terrorism, the
global democratic system has undergone substantial changes, leading to losses in
the enforcement of individual and collective rights, thereby undermining democratic
progress. This new reality has led to a negligence of the realization of rights and,
therefore, to a setback in the debate on these issues, both within the USA and in
the international order. Thus, we have lost the democratic gains of recent decades
because of the naive belief that intelligence agencies can somehow be more efficient
and effective when stepping away from democratic procedures. For the future, the
objective is to avoid a gap between two poles: efficiency and legality. The aim of
democratic states must be to guarantee intelligence services that are effective and
capable of operating within the limits of law, politics, and ethics.
The National Security Agency’s (NSA) spy reports revealed by former intelli-
gence agent Edward Snowden shocked not only Internet users but the entire interna-
tional community.8 The procedures of the intelligence agency contradicted political
agreements, violated international law, and threatened the privacy of governments,
corporations, and individuals. By mid-2013, when Snowden’s earliest information
came to light, WikiLeaks had already released significant leaks of sensitive data about
the actions of the U.S. and its allies in the Middle East and a monumental amount
of communications from U.S. diplomatic officials. In mid-2010, WikiLeaks had
7 From a Latin American perspective see the important contribution of LAVITS—Red Latinoamer-
icana de Vigilancia, Tecnología y Sociedad y de la Fundación Vía Libre (Latin American Surveil-
lance, Technology and Society Network and the Vía Libre Foundation) that resulted in the book
edited by Camilo Rios, ¿Nuevos paradigmas de vigilancia? Miradas desde América Latina. Memo-
rias del IV Simposio Internacional Lavits, Buenos Aires (2016). (New Paradigms of the Surveil-
lance? Views from Latin America. Memories of the IV International Lavits Symposium. Córdoba:
Fundación Vía Libre 2017), articulated in nine main areas: (1) Security doctrine and intelligence
services. (2) Surveillance, space and territory. (3) Identification and biometrics. (4) The seduction
of the number: decisions based on algorithms and Big Data. (5) New challenges in the protection of
personal data. (6) Corporate surveillance. (7) Cultural dimensions of surveillance. (8) Resistance
and counter-surveillance. (9) Art, surveillance and technology. Available online in: https://bit.ly/
2TZ91dc. Accessed 11 Jan. 2022.
8 As the scandal widened, BBC News looked at the leaks that brought US spying activities to light:
Edward Snowden: Leaks that exposed US spy programme, BBC News (US & Canada), 17 Jan
2014. Available online: http://www.bbc.com/news/world-us-canada-23123964. Accessed 11 Jan.
2022.
118 C. A. Molinaro and R. L. Ruaro
focused on identifying the threats that would probably destroy the state and the
democratic system.
Since intelligence is considered an activity that is often part of the administrative
and political structure of the state, we would like to address the question of why it is
necessary to control the intelligence activity. The answer to this question lies in the
fact that no state activity can be exempted from public control in order to ensure that
it is provided by legitimacy on the one hand and by cost-effectiveness, efficiency, and
effectiveness on the other. We emphasize: the legality of the intelligence activity must
be linked to compliance with the provisions of the constitutional, legal and regulatory
norms that are in force in the respective country, i.e., intelligence activity must be fully
subordinated to the laws and furthermore respect the individual rights of citizens.
The benefit lies in the appropriate relationship between the means available to the
agencies that administer and use public resources and the final product obtained:
intelligence.
We can find various types or forms of control so that we can integrate intelligence
activity into a real democracy. For example, we can adopt a non-partisan political
control held initially by the central political power itself to verify that the activities of
the intelligence activity respond appropriately to the needs of society. In addition to
political control, there can and must be a fundamentally professional control, carried
out by the head of the Intelligence Agency over the behavior of its subordinates as
well as the legitimacy and suitability of activities to the society’s interests.12
We can also envisage political control calling for zeal, objectivity, depth, prudence
and reserve in its realization and seeking to verify both the legitimacy and effec-
tiveness of intelligence activity, in the latter aspect an activity merely reactive,
episodic and responsive to contingencies; trying to continually influence the neces-
sary changes, making recommendations and stimulating appropriate behaviors and
attitudes within its sphere of competence. It also requires that political parties tran-
scend their interests. Moreover, we can also establish control over those activities of
the intelligence agencies that affect the privacy of citizens. Therefore, we must verify
that these activities have a sole purpose, invoked and authorized by the Authority,
for example, national security, and ensure that interference in the private sphere is
reduced to the minimum possible. This control also includes receiving complaints
from individuals for alleged damage caused by intelligence activity. This control is
exercized by different means, according to the laws of the countries, assuming the
necessity of authorization for intelligence agencies to carry out privacy invasions.13
12Important for this issue is the work organized by Born and Caparini (2007), pp. 217/236.
13Ugarte (2002a, b) A Procura de Legitimidade e Eficácia, pp. 40–62; Ugarte (2002a, b) Europa y
América Latina, una visión comparativa; Cepik, Ambros (2014), pp. 523–551. https://doi.org/10.
1080/02684527.2014.915176.
120 C. A. Molinaro and R. L. Ruaro
The Brazilian Federal Constitution of 1988 shapes the country’s legal-political profile
and is characterized by its rigid form, organizing a democratic state under the rule
of law in a federative republic. The Constitution of the Republic promotes and guar-
antees freedom of expression, freedom of the press, the right to information (Article
5th, IV, IX, and XIV; Article 220 of FC/1988), and the right to privacy (Article 5th,
X, FC/1988). Thus, the constitutional guarantee of freedom of expression, in all its
modalities, and privacy in all its dimensions are legal requirements and an impera-
tive associated with the protection of human and fundamental rights enshrined in the
Constitution. Similarly, most of the contemporary ‘Constitutional States’ embrace
these rights, the paramount feature of democratic regimes. When it comes to regu-
lating the Internet, Law 12.965/2014 was undoubtedly the turning point; the law has
been introduced by means of a collaborative method involving Brazilian civil society
and through a productive process of public consultation.14
Law 12.965, of April 23, 2014, known as the Civil Framework or “Brazilian
Civil Framework for the Internet” and known as the “Charter of Internet Rights”,
establishes principles, guarantees, rights and obligations for the use of the Internet
in Brazil. In its Chapter I—Preliminary Provision, Article 2, the law regulates the
use of the Internet in Brazil based on respect for freedom of expression, as well as
recognition of the scale and global nature of the network. It prioritizes the protection
of human and fundamental rights and the consistent development of personality and
the exercise of citizenship through digital media. It is also based on the protection
of plurality and diversity as well as the character of “openness” and “collaboration”.
It defends free enterprise, free competition, consumer protection and, not least, the
social purpose of the Global Net.
Among other legal principles applicable to the advancement and protection of the
use of information and communication technologies regulated in the Brazilian legal
system, the Civil Framework of the Internet establishes the following principles: the
guarantee of freedom of expression, communication and manifestation of thought
(as well as freedom of conscience or ideas), protection of privacy and protection of
personal data as well as the preservation and the guarantee of network neutrality.15
In Chapter II, entitled: “On the rights and guarantees of users”, among other priv-
ileges and civil liberties, Article 7 establishes that the full exercise of citizenship
finds substantial support in free access to the Internet. Therefore, it guarantees the
inviolability of intimacy and privacy, as well as their protection and compensation
for material or moral damages resulting from their violation and the confidentiality
14 The full text of the law can be consulted online on the website of the Presidency of the Republic of
Brazil, Civil House, Sub-head for Legal Affairs (http://bit.ly/1kxaoKm). An English version can be
obtained online on the Comitê Gestor da Internet no Brasil—CGI.br (Committee Website Internet
Manager in Brazil—CGI.br) (http://bit.ly/2FyKmZr). Accessed 11 Jan. 2022.
15 Law 12,965/2014, Article 3rd numbers I to IV. Regarding the Neutrality of the Network, see,
also, Decree 8,771, dated May 11, 2016, which regulates Law 12,965/2014, Chapter II, where are
the admitted hypotheses of data packet discrimination and internet traffic degradation. Available
online in: http://bit.ly/1TRNpKo. Accessed 11 Jan. 2022.
Privacy Protection with Regard to (Tele-)Communications … 121
16 In the United States of America, on the issue of network neutrality the Federal Communica-
tions Commission (FCC) has decided that fixed broadband will be reclassified as “information
service” and mobile Internet as “interconnection service”. Framed in this way, the two modalities
of connection leave the scope of the FCC and can be marketed in accordance with the market
interest. According to the Commission, infringements of network neutrality will be based on the
existing rules in antitrust and consumer law protection laws. What the FCC will do is increase the
demand for transparency. Operators will be required to inform: how they manage the network, the
performance of the network, and commercial terms of the service. According to the FCC, this helps
consumers to choose what works best for them and allows the persons, entrepreneurs and other small
businesses to get the information they need to innovate because they are the individual consumers,
not the government or its agencies that will elect the type and the nature of Internet access that is
best suited to their individual needs (for more information see the Website of FCC: https://www.fcc.
gov/, permanent link). The repeal of the guarantee to network neutrality is the highest point in the
series of regulatory flexibilities that the FCC has been doing during Donald Trump’s management
in the White House. The Commission has already loosened rules that prevented the concentration
of radio stations and TVs.
17 Law 12,965/2014, Article 7th numbers I to XIII. In the Brazilian literature see: Damásio and
Milagre (2014); Souza and Lemos (2016). In English see: Souza et al. (2017). Available online in:
http://bit.ly/2G87mMv. Accessed 11 Jan. 2022.
122 C. A. Molinaro and R. L. Ruaro
It is important to note that the “hard-core” of the Brazilian Civil Internet Frame-
work remains in Chapter II, Article 8, where the rights to privacy and freedom of
expression in communications are guaranteed as a prerequisite for the full exercise
of the right of access to the Internet. The legal provision implies that the respon-
sible providers must protect the records, personal data and private communications
of users, all with the aim of preserving the intimacy, privacy, honor, and image of
users. It should be remembered that, for the protection of intimacy and privacy, the
unauthorized disclosure of such information will only be released by judicial order,
except for the possibility of the administrative authorities to obtain the registration
data in accordance with the law. Non-compliance with these obligations entails the
application of the penalties provided for in Article 12 of Law 12,965/2014, in addi-
tion to the other penalties provided for by different legal rules that are applicable
regarding the nature and gravity of the violation and the damages resulting from it.
Sanctions also apply to any clause that prevents the user from obtaining the guarantee
of the inviolability of their data, privacy, and confidentiality, or that does not adopt the
Brazilian jurisdiction to propose possible legal actions aimed at the accountability
of providers.18
The Civil Framework of the Internet also extends to the user the rights of consumer
protection legislation. The affirmation of rights and the precise definition of what the
Internet represents for current social life seem to be very particular aspects for users,
which allows us to see that the Civil Framework has followed the option desired
by much of users and not that intended by the market. In this sense, the Frame-
work incorporates a demand of the citizen spirit and not the business style of the
markets. Chapter III is essential because it deals with Internet connection and appli-
cation options, being the most sensitive to the analysis considering that its wording
deals with the protection of records, personal data, and private communications, as
well as the liability for damages caused by content generated by third parties. The
chapter, as discussed above, also addresses another issue of concern on the subject:
net neutrality.19
Article 10 of Brazilian Internet-law stipulates that the retention and accessibility
of connection logs and access to Internet applications logs, as well as of personal
data and of the content of private communications, must be determined by the safe-
guarding of intimacy, private life, honor, and image of the persons directly or indi-
rectly involved. The provider responsible for the safekeeping of the data shall only be
obliged to make the records available, whether separately or associated with personal
data or other information that may contribute to the identification of the user or the
terminal, upon court order and in compliance with the provisions of the law. Further-
more, the content of private communications may only be made available by court
order, in the cases and in the manner established by law; however, the provision does
18 For a closer look see the well-articulated propositions in Comentários ao Marco Civil da Internet
(Comments on the Civil Framework of the Internet), from ABDET—Academia Brasileira de Direito
do Estado (BASEL—Brazilian Academy of State’s Law). Available online at: https://abdet.com.br/
site/wp-content/uploads/2015/02/MCI-ABDET..pdf. Accessed 11 Jan. 2022.
19 Footnote n. 15 and 16, retro.
Privacy Protection with Regard to (Tele-)Communications … 123
not prevent access to registration data that disclose personal qualification, affiliation
and address, in accordance with the law, by the administrative authorities that have
legal competence for their request. In addition, security and confidentiality measures
and procedures must be notified by the person responsible for the provision of services
and must meet the standards defined in the regulations, in compliance with rights to
confidentiality regarding business secrets which are also respected.
The Internet legal framework establishes the requirement to obligatorily respect
Brazilian legislation regarding the rights to privacy, the protection of personal data
and the confidentiality of private communications and records when collecting,
storing, retaining, and handling personal data or files. Article 11 states that in any
operation of collection, storage, retention, and treatment of personal data or commu-
nications data by connection providers and Internet applications providers where at
least one of these acts takes place in national territory, the rights to privacy, protection
of personal data and confidentiality of communications and private records must be
respected. Safeguarding is necessary for an environment dominated by transnational
corporations based in countries with very flexible rules if any such laws exist. In
this sense, the Brazilian Civil Framework guarantees a national forum for the solu-
tion of litigation, plus a guarantee to users in an eventual asymmetric dispute. The
law mentions civil, criminal and administrative sanctions, and defines four types of
penalties, which may apply individually or cumulatively. These are: (a) a warning,
indicating the deadline for the adoption of corrective measures; (b) a fine of up to
10% of the annual turnover of the economic group in the country; (c) the temporary
suspension of activities; and (d) the prohibition of operations in the country. The
law further states that it is the responsibility of the system administrator to maintain
records of connection, under a confidential, controlled environment, for one year, and
that this responsibility cannot be transferred to third parties.20 The measure inhibits
trade or data leakage, but legislation is flawed when it does not define sanctions in
case of noncompliance.
A question regarding the Civil Framework of the Internet is whether the law
guarantees the privacy of users. Can any law guarantee privacy? The answer is yes,
because it is prescribed by law, but can we effectively count on full application of
the law, or do we have (as in all peripheral countries) a legal enforcement deficit? It
would be naïve to think that the law would solve a set of complexities like this. Norms
arise when the consensus is distant, and ethical reflections have not been sufficient
to create an environment of equilibrium. The law prescribes conduct, but that does
not preclude its contempt or manipulation. In other words, the law is an important
starting point, but the establishment of a legal order on the Internet in Brazil (and in
the world) will depend on other efforts, also in the fields of education and culture.
However, Brazilian law responds positively to the question of whether instruments
are offered to citizens to safeguard their browsing and application data. Despite the
affirmative answer, some of these instruments are still weak.
20 See Article 13 of Brazilian Civil Framework, in particular, paragraph 6, which states that in
the application of the penalties for non-compliance “the nature and gravity of the infraction, the
damages resulting from it, any advantage obtained by the offender, the aggravating circumstances,
the offender’s history, and recidivism shall be considered”, (free translation of the law).
124 C. A. Molinaro and R. L. Ruaro
On March 24, 2015, the United Nations Human Rights Council supported the
establishment of a special rapporteur on privacy. The resolution,21 led by Brazil
and Germany and cosponsored by 46 states, including 10 other Latin American
countries, gives the right to privacy the recognition and international protection it
deserves. Why has data retention provoked such a strong reaction from digital secu-
rity experts?22 Does it matter whether citizens’ application records or IP addresses—
which can change with each new session—are catalogued? Such data, after all, is
often dismissed by government officials as meaningless. However, this informa-
tion may work more like pieces of a complicated jigsaw puzzle. Taken separately,
it may seem irrelevant; but when carefully collected and combined, it reveals our
online identities with surprising accuracy. Regarding telephone communications,
for example, information about who people call can be used to derive extraordinary
sensitive insights about them, such as the fact that someone has sought and received
treatment for specific medical conditions. The IP addresses collected by a web service
can even reveal whether two people spent the night in one place. The information
released by your phone can tell whether two people were close to each other and
that proximity could reveal whether a person attended a protest or betrayed his wife.
The consequences of data retention mandates are far-reaching, but one particularly
worrying result is the undermining of the right of journalists to refuse to provide
evidence to the authorities to protect the confidentiality of their sources. One of the
most persuasive arguments against data retention is the risk of accidental exposure
through leaks and hackers. Unauthorized access to logs can lead to sales of confi-
dential information, blackmail, or threats to public figures. They are a continuing
source of risk to all users because the user can never be sure that the records will not
be disclosed and used for criminal purposes.23
The origin of the data retention obligation in Brazil is in Article 11 of Law 8,218,
of August 29, 1991 (as amended by Provisional Measure 2,158-35, of August 24,
2001).24
In the infra-legal environment, the possibility of data retention is provided in the
Annex of the Resolution of the National Telecommunications Agency—ANATEL
426, of December 9, 2005 (Regulation of the Switched Fixed Telephone Service).
21 United Nations. General Assembly A/HRC/28/L.27 Distr.: Limited. 24 March 2015 (Original:
English). Available online at: https://bit.ly/2PjO0IZ (reduced URL, permanent link). Accessed 11
Jan. 2022.
22 Cf. also for the heated discussions in Germany and Europe Albers (2022), in this volume.
23 Rodriguez (2015). Available online at: https://bit.ly/2RomTAH, (reduced URL, permanent link).
the business and economic or financial activities, books or prepare documents of an accounting or
tax nature, are required to keep at the disposal of the Federal Revenue Service, the individual digital
files and systems, for the decadence period provided for in the tax legislation”, (free translation of
the law).
Privacy Protection with Regard to (Tele-)Communications … 125
Two years later, the Annex to ANATEL Resolution 477/07, which edits the Regula-
tion on Personal Mobile Service, determines in item XXII of Article 10: “to keep,
at the disposal of ANATEL and other interested parties, documents of fiscal nature,
which include information on the connections made and received, date, time and
duration of the call, as well as subscriber registration data, a minimum term of five
(5) years” […].25 On August 6, 2012, by the Annex of the Resolution ANATEL 614,
the providers of telephone services are obliged to provide data, allow access and
provide online access to applications, systems, resources and technological facilities
used by them for the collection, treatment and presentation of data, information and
other aspects (Article 38 of the Resolution).
On August 2, 2013, Law 12,850 is published which deals with the definition of the
criminal organization, providing for the form of the criminal investigation, and the
means of obtaining evidence, related criminal offenses and criminal proceedings. By
this law, access to registries, cadastral data, documents, and information is guaranteed
to the authorities, regardless of judicial authorization, only to the cadastral data of
the investigated that exclusively inform the personal qualification, the affiliation
and the address maintained by the Electoral Justice, telephone companies, financial
institutions, internet providers and credit card administrators. Likewise, the transport
companies will allow, for five years, direct and permanent access by the judge,
the Public Prosecutor’s Office or the police delegate to the reservation and travel
registration databases. In addition, fixed and mobile telephone concessionaires will,
for five years, keep records of the identification of the telephone numbers of origin
and destination of international, long-distance and local telephone calls.26
In the infra-legal plan, Annex I of ANATEL Resolution 614/13, which regulates
the Multimedia Communication Service, in its Article 53 requires Internet connec-
tivity providers to maintain connection records and subscriber registration data for at
least one year. By this Resolution, the definition of connection records is established
in Article 53. 4, XVII (set of information regarding the date and time of beginning and
end of an Internet connection, its duration and the IP address used by the terminal
for sending and receiving data packages, among others that allow identifying the
access terminal used). It should be noted that the shorter term may already indicate
the context of the discussion that existed in the discussion environment before the
enactment of Law 12,965/14 (Civil Framework of the Internet).
Article 10, paragraph 3 of the Civil Framework of the Internet, at least explicitly
states that the disclosure of Internet connection and access to applications records
may only be made by court order; this protection is repeated in Articles 13, paragraphs
5, and 15, paragraph 3. Article 22, in turn, outlines the purposes for which this may
occur, namely the creation of an “evidence basis in civil or criminal proceedings”,
and establishes the requirements to be met by the request of the “interested party”
for the granting of the judicial order: well-founded evidence of the occurrence of the
25 Copy of normative act at: https://bit.ly/29N0qX6, (reduced URL, permanent link). Accessed 11
Jan. 2022.
26 Law 12,850, of August 2, 2013, Article 17. Copy of normative act at: https://bit.ly/1MTFk42,
offense, reasoned justification of the usefulness of the records requested for purposes
of investigation or evidentiary instruction, and the period to which the records refer.27
Regarding the terms of access to registration data, in paragraph 3 of Article 10 the
Marco Civil provides, that the respect for the protection of personal data and private
communications guaranteed in the caput of the article “does not prevent access to
registration data informing about personal qualification, affiliation, and address, in
accordance with the law, by administrative authorities that have legal competence for
their request”. Regarding this provision, there is no clarity who these “administrative
authorities” are with the power to directly request registration data, thus enabling
several governmental authorities to claim this prerogative for themselves. Finally, the
breach of confidentiality of the content of electronic communications in possession
of Internet application providers (such as Google and Facebook) is also provided for
in the Civil Framework of the Internet, in Articles 7, III and 10, paragraph 2, which
clarify the need for a court order to do so. Contrary to what occurs for the provision
of records (Article 22), however, the law does not explicitly address the formal and
substantive requirements that must be met for a court order to be granted. This gives
rise to abuses and case-by-case applications.28
6 Conclusion
27 Antonialli et al. (2017), pp. 345–367. Available online at: https://bit.ly/2IIGar7 (reduced URL,
permanent link). Accessed 11 Jan. 2022.
28 Antonialli et al. (2017), pp. 345–367. Available online at: https://bit.ly/2IIGar7 (reduced URL,
between providers invading the lives of people and companies that have an interest in
obtaining personal data about individuals. Intrusion into the personal data of Internet
users through cookies or spreadsheets is a common practice. Tools for collecting data
are available in the IT-market.
Another issue is the relation between public and private. The espionage cases show
that the division between the public and the private sector is becoming increasingly
precarious. This is because the public sector uses the services of private companies to
succeed in global surveillance (for example, the international intelligence agencies
and the network giants like Google, Microsoft, Apple, and so many others have a
partnership for the invasion and intersection of people’s data, based on the argument
of national defense reasons).
Moreover, private companies provide this type of service to the public sector just
because it is more convenient to participate in the culture of state control than to
resist it. Thus, they become complicit in government control.
Are there sufficient means of protection in this intrusive environment? There is no
guarantee of privacy protection and “hiding” from surveillance networks (public and
private). However, some tools are available to improve possible protection levels,
such as the use of a VPN.
A VPN, virtual private network, is one of the main ways to ensure the privacy of
browsing.32 The VPN creates an encrypted tunnel between the user’s computer and
the VPN server. With this, the ISP does not have access to the data that is transmitted
in this tunnel—it only knows that the user has connected to a VPN server, at what
times and for how long, but does not have access to the contents of the VPN server. In
other words, a VPN helps to hide the IP of the user’s computer (the identity number
of each machine). When a user is downloading a file that is in Central Europe,
for example, the VPN shows that this file is being downloaded by an American-IP
machine—or from some other country of the user’s choice—thus hiding the exact
IP of the device, for example a computer located in Brazil.
However, the VPN may be of no use if the company that manages the network
maintains the information of its users and cooperates with government agencies. If
this company is required to disclose data from a specific user,33 it can quickly search
for the files of that user in the system and deliver them to the authorities. It is therefore
crucial to look for a VPN that does not include archive logs (records of activities
performed by a computer).34
Other tools can be more or less useful, such as the “Tor” browser.35 Developed as
a research project of the U.S. Navy, Tor has become a free project that helps protect
the location of Internet users. After installing the application on the computer, users
32 The choice of a secure VPN depends on different variables: whether or not the company maintains
user logs, how it behaves when requested to disclose data to governments and how the payment
method for the product is linked to each user’s account.
33 See for the regulation of anonymization services in the first version of German data retention
can access the Internet through “virtual tunnels” that do not allow anyone to intercept
their navigation or determine where they are located or what specific content they
have posted. Tor itself does not hide the user’s identity on the web, but provides a
tool/user interface that allows appropriate security. Tor is an Internet network protocol
designed to anonymize the data transmitted through it. Using Tor will make it difficult,
if not impossible, for any eavesdropper to see your webmail, search history, social
media posts, or other online activities. They will also not be able to tell in which
country you are using your IP address, which can be very valuable for journalists,
activists, business owners and others. When you run Tor, online data collectors such
as Google Ads and the little known but powerful Acxiom aggregator will not be able
to perform traffic analysis and collect data about your Internet habits. Theoretically,
surveillance organizations, such as the NSA, will also not be able to observe it.
CYPHR must also be mentioned. CYPHR is a simplified system of encrypted
messages that guarantees the security of the user’s conversation and has the policy
of not storing user records.36
As for browser extensions, HTTPS Everywhere37 is a free extension available
for the Mozilla Foundation Firefox browser. The extension allows the user to access
the secure version of all sites on the Internet, i.e., those that have the URL started
by HTTPS, and prevents information sent between the Internet user’s computer and
third parties from intercepting the server where the website is located.
The TOSBack38 alerts users about changes regarding the use of sites like Face-
book, Twitter, and others, which can change without notice. It is fundamental, for
example, to notice necessary changes, such as sharing user information from two
services held by the same company.
Finally, two tools deserve prominence, the SpiderOak, and ProtonMail. SpiderOak
is a kind of fortified cloud. The online storage service is similar in everything to
Dropbox or Google Drive, with the only difference that it includes enhanced security
measures to ensure the privacy of users. They take privacy seriously in such a way
that the company does not keep records of passwords. If somebody loses his or her
password, there is no way to log in without it. The same characteristics are present in
ProtonMail, an encrypted e-mail system with end-to-end technology. Messages are
stored on ProtonMail servers in an encrypted format and transmitted in an encoded
form between servers and user devices.39
Regardless of software and protection devices, measures must be taken to protect
privacy and its connectedness. There is no doubt, at present, that all over the planet,
at least some rights have been granted to users of the Internet, among them:
• Right to information: Organizations must be fully transparent about the use of
personal data;
• Right of access: Individuals should have the right to know exactly what
information is being processed, how and for what purpose;
• Right of rectification: Individuals should have the right to request a correction of
their data if it is inaccurate or incomplete;
• Right of elimination also known as the right to be forgotten: this refers to a person’s
right to request the deletion or removal of their data without the need for a specific
reason;
• Right to limit processing: It refers to a person’s right to exclude or suppress the
processing of their data;
• Right to transfer data: This allows individuals to retain and reuse their data for
their purposes;
• Right of defense: In some cases, individuals should have the right to oppose the
use of their data, as in the case of a company that uses personal data for direct
marketing, scientific and historical research, or for the fulfillment of a public
interest mission;
• Rights regarding automated decision-making: Profiling and automated decision-
making can be useful for data holders and organizations, providing benefits such
as greater efficiency and economy. However, such procedures require adequate
safeguards as they may pose significant risks to the rights of individuals and their
freedoms. Individuals may choose not to be subject to an automated decision if it
would result in undesired consequences.
References
Dorrestijn S (2012) The design of our own lives. Technical mediation and subjectivation after
Foucault, 3rd edn. Wöhrmann, Zutphen/Netherlands
Greenwald G (2014) No place to hide: Edward Snowden, the NSA, and the U.S. Surveillance State.
Metropolitan Books, New York
Guimaraes AG, Lins RD, Oliveira RC (2006) Segurança em Redes Privadas Virtuais – VPNs.
Brasport, Rio de Janeiro
Held G (2004) Virtual private networking: a construction, operation and utilization guide. Wiley,
New Jersey
Keller WW (2017) Democracy betrayed: the rise of the surveillance security state. Counterpoint,
Berkeley
Leleux C (2014) IRISS—increasing resilience in surveillance societies, FP7 European research
project, deliverable D6.1: civil protection in a European context, in a report on resilience in
“democratic” surveillance societies. In: Wright D, Rodrigues R (eds) European Commission,
FP7, IRISS: increasing resilience in surveillance societies deliverable, 6.1, part 2.1.7. IRISS,
Glasgow
Levine Y (2018) Surveillance valley: the secret military history of the internet. Public Affairs, New
York
Otero P (2015) A Democracia Totalitária do Estado totalitário à Sociedade totalitária. A influência
do totalitarismo na democracia do Século XXI, 2ª Reimpressão. Principia, Lisboa
Perlmutter B (2000) Virtual private networking: a view from the trenches. Prentice Hall PTR, New
Jersey
Reischl G (2013) Unter Kontrolle: Die fatalen Folgen der staatlichen Überwachung für Wirtschaft
und Gesellschaft. Redline Wirtschaft, München
Rios C (2016) ¿Nuevos paradigmas de vigilancia? Miradas desde América Latina. Memorias del
IV Simposio Internacional Lavits, Buenos Aires. https://descargas.vialibre.org.ar/libros/lavits/
Lavits2016_BsAs_Libro.pdf
Rodriguez K (2015) Privacy is a human right: data retention violates that right. Americas Quarterly
2015. Available online at: https://bit.ly/2RomTAH, (reduced URL, permanent link). Accessed 11
Jan. 2022
Rodríguez OT (2014) Seguridad del Estado y privacidad. Editorial Reus, Madrid
Schertel Mendes L, Mattiuzzo M (2022) Algorithms and discrimination: the case of credit scoring
in Brazil. In: Albers M, Sarlet IW (eds) Personality and data protection rights on the internet.
Springer, Dordrecht, Heidelberg, New York, London, in this volume
Souza CA, Lemos R (2016) Marco civil da internet: construção e aplicação. Juiz de Fora: Editar
Editora Associada Ltda.
Souza CA, Viola M, Lemos R (2017) Brazil’s internet bill of rights: a closer look. Juiz de Fora:
Editar Editora Associada Ltda. Licensed under creative commons 4.0, by Institute for Technology
and Society of Rio de Janeiro (ITS Rio). Available online in: http://bit.ly/2G87mMv, (reduced
URL, permanent link). Accessed 11 Jan. 2022
United Nations. General Assembly A/HRC/28/L.27 Distr.: Limited. 24 Mar 2015 (Original:
English). Available online at: https://bit.ly/2PjO0IZ, (reduced URL, permanent link). Accessed
11 Jan. 2022
Ugarte JM (2002a) Controle Público da Atividade de Inteligência: a Procura de Legitimidade e
Eficácia. In: Anais do Seminário Atividades de Inteligência no Brasil: Contribuições para a
Soberania e a Democracia. Congresso Nacional, Brasília
Ugarte JM (2002b) Control público de la actividad de inteligencia: Europa y América Latina,
una visión comparativa. In: Congresso Internacional Post-Globalización: Redefinición de la
Seguridad y la Defensa Regional en el Cono Sur, 2002, Anais. Buenos Aires, Centro de Estudios
Internacionales para el Desarrollo
132 C. A. Molinaro and R. L. Ruaro
Carlos Alberto Molinaro Doctor of Law, with mention of “European Doctor” by Pablo de
Olavide University, Spain. Former free researcher at the Centre of Social Studies of the Univer-
sity of Coimbra, Carlos III University, Université Catholique de Louvain and the Pablo de Olavide
University and former Professor of the Master’s and Doctorate Program at the Pontifical Catholic
University of Rio Grande do Sul—Law School. Main areas of research: Philosophy and Crit-
ical Theory of Law, Environmental Law, Constitutional Law. Selected Publications: Privacidade e
proteção de dados pessoais na sociedade digital. 1. ed. Porto Alegre: Editora FI, 2017 (in collab-
oration with Regina Linden Ruaro and J. F. Pinar Manas); Big data, machine learning e a preser-
vação ambiental: instrumentos tecnológicos em defesa do meio ambiente. Revista Veredas do
Direito, v. 15, p. 201, 2018 (in collaboration with Augusto Fontanive Leal); Fim da privacidade:
divulgação e negociação de dados pessoais (End of privacy: a disclosure and trading of personal
data), Economic Analysis of Law Review v. 10 n. 1, 2019 (in collaboration with Regina Linden
Ruaro).
Regina Línden Ruaro Professor and Associate Dean of the Law School of the Pontifical Catholic
University of Rio Grande do Sul. Retired Federal Attorney/AGU. Doctor in Law by the Univer-
sidad Complutense de Madrid. Post-doctoral internship at the Universidad San Pablo—Ceu de
Madrid. Composes the International Research Group “Data Protection and Access to Informa-
tion”. Invited Professor of the Master in Data Protection, Transparency and Access to Infor-
mation at Universidad San Pablo de Madrid-CEU of Spain. Honorary Member of the Interna-
tional Institute of State Law Studies—IEDE. He leads the Research Group registered with the
CNPq: Personal Data Protection and Fundamental Right of Access to Information in the Demo-
cratic State of Law. Selected Publications: Privacidade e proteção de dados pessoais na sociedade
digital. 1. ed. Porto Alegre: Editora FI, 2017 (in collaboration with Carlos Alberto Molinaro e J.
F. Pinar Manas); Fim da privacidade: divulgação e negociação de dados pessoais (End of privacy:
a disclosure and trading of personal data), Economic Analysis of Law Review. v. 10 n. 1, 2019
(in collaboration with Carlos Alberto Molinaro).
The Protection of Personality
in the Digital Environment
An Analysis in the Light of the So-Called Right to be
Forgotten in Brazil
Abstract Human dignity and personality rights are particularly vulnerable in the
so-called digital age due to the use of new information technologies. Thus, law needs
to respond effectively to deal with the new challenges represented by more impactful
and even newer ways of placing at risk and violating personality rights. This has led
to recognizing new expressions of these rights, as in the case, among others, of the
right to informational self-determination and, more recently, the so-called right to be
forgotten. In Brazil, the situation is not different, because the problems and challenges
generated by the use of the internet have taken on a global scale, so that the discussion
is not only about its recognition itself, but especially regarding the content and the
scope of the right to be forgotten. Hence, this debate is placed in an outstanding posi-
tion on the political and legal agenda. The present text, after describing how and for
what reason the right to be forgotten has been recognized as an implicit fundamental
right in the Brazilian constitutional system, tries to identify, present and evaluate
critically the way this right has been applied by the Superior Courts and afterwards
being to certain extend denied by the Federal Supreme Court (Supremo Tribunal
Federal) in a recent decision. Although in the cases that are not related to the internet
there are already decisions sheltering the right to be forgotten, some resistance is
still found with regard to the digital environment, especially in which concerns the
responsibility of search engine providers. In this context, the article seeks to show
the need to ensure, besides the right to deleting data—partly recognized by domestic
legislation—a right to deindexation vis-à-vis the search engine providers, so that
I thank the DAAD (Deutscher Akademischer Austauschdienst) and CAPES (Comissão de Aper-
feiçoamento de Pessoal de Ensino Superior) for the support granted to the Academic Exchange
and Research Project ‘Internet Regulation and Internet Rights’ (PROBRAL program) between
the Pontifical Catholic University Porto Alegre, Brazil (PUCRS) and the University of Hamburg
(Germany), coordinated by Professor Marion Albers (Hamburg) and me (PUCRS). I also thank the
Max-Planck Institute for Comparative and International Private Law, Hamburg, for the opportu-
nity to research the subject of this paper and the protection of personality rights on the Internet in
general during the period of January-February 2017 (as a Fellow with a Grant from the Institute)
and January-February 2018. This paper is one of the results linked to these projects.
I. W. Sarlet (B)
Pontifical Catholic University of Rio Grande do Sul—Law School (PUCRS), Porto Alegre, Brazil
the Brazilian legal system—except for its peculiarities—becomes aligned with the
decision of the Court of Justice of the European Union (CJEU) in the case of Google
versus the Spanish Data Protection Agency and Mario Costeja and the new General
Regulation of Data Protection for the European Union. However, a critical analysis
of the decisions of the Brazilian Superior Courts reveals that, as a rule, the criteria
applied in case-law, even being in part aligned with those managed by the CJEU,
have been used inconsistently and even contradictorily, lacking further improve-
ment and complementation, besides having to be adapted to the requirements of the
Constitution. In conclusion, it is advocated that because of the preferred position
of freedom of speech and information, recognizing a right to be forgotten must be
exceptional, besides complying with strict criteria established by the legislator and
being submitted to strict control as regards their constitutional legitimacy.
1 Introduction
Considering that the protection of the dignity of the human person and personality
rights represents—in the face of technological advances, especially in the field of
information technologies and those involving the internet environment—a central
problem for the political, economic and legal system, the discussion of the so-
called right ‘to be forgotten’—as happened in Europe and the USA—soon called
the attention also of Brazilian legal scholarship, case law and politics.
Although the problems related to the protection of human and fundamental rights
in this context have worldwide and transnational repercussions, going beyond the
territorial boundaries of the States and requiring compatible answers and solutions,
there are peculiarities that must be taken into account. For this reason, priority will be
given to a constitutionally adequate understanding, i. e. adapted to the peculiarities
of the Brazilian legal system, without neglecting some references to international
and foreign law when relevant to the comprehension, development and critique of
the evolution of the topic and its treatment in Brazil.
Before going any further, however, it is essential to make a brief note, even in
this introductory phase, regarding the origin, terminology and conceptualization of
the so-called right to be forgotten, aspects which in themselves are not the object of
consensus. Therefore, it is imperative to establish here a few semantic agreements
and premises that guide the subsequent considerations.
Both from the terminological and conceptual standpoint, the notion of a right to be
forgotten, known in German as Recht auf Vergessenwerden, despite its more recent
dissemination, is not in itself new. Some relatively old direct references are found,
be it in court decisions or in the literature.
Thus, for instance, in the sphere of case law, the notion of a right to be forgotten
is said to have been used in France in the well-known Landru Case (TGI—Tribunal
de Grand Instance Seine), judged on October 14th , 1965, and confirmed on appeal,
The Protection of Personality in the Digital Environment 135
but also in a decision dated April 20th , 1983, by the TGI Paris.1 In the literature, it is
useful to refer, likewise as an illustration, to the contributions of Agathe Lepage2 and
Théo Hassler,3 and mainly to the monographic work by Viktor Mayer-Schönberger,4
that greatly contributed to the dissemination of the term.
Even in Brazil, there are some earlier references to a right to be forgotten, in the
legal literature since the beginning of the Decade of 1990, but also in some judicial
decisions from 2012 and 2013, that will be presented and analyzed later.5
But it was the famous case Google versus the Spanish Data Protection Agency
and Mario Costeja judged by the (CJEU) on May 13th , 2014,6 that gave worldwide
notoriety to the so-called right to be forgotten although this right as such was not
mentioned in the decision.
On the other hand, independently of the direct mention of a right to be forgotten
in the aforementioned court cases, this notion has been traced back to other relevant
judicial precedents involving the conflict between freedom of speech and person-
ality rights as well as other constitutional goals and principles (e. g. democracy,
transparency). These precedents—as, for instance, in the Lebach case judged by the
Federal Constitutional Court of Germany in 1973—were utilized to provide the justi-
fication for recent cases acknowledging a right to be forgotten, also by the Brazilian
Judicial Power.7
As regards the legislative sphere of the normative regulation of a right to be
forgotten, it is impossible to ignore the mention of the document of the European
Union from November 2010, A Comprehensive Approach to Data Protection in the
European Union, which refers to the need to ensure a right to be forgotten and
even suggests a definition,8 as well as mention of the right to be forgotten in the
drafting of a new general regulation about data protection in the European Union of
March 2012. This provision was ultimately included in the European General Data
Protection Regulation approved in March 2016 (679/2016) that has come into force
will still receive special attention. See Brasil, Superior Tribunal de Justiça. Recurso Especial:
REsp 1334097/RJ, Justice-Rapporteur Luis Felipe Salomão, Fourth Panel, judged on May 28,
2013. https://scon.stj.jus.br/SCON/GetInteiroTeorDoAcordao?num_registro=201201449107&dt_
publicacao=10/09/2013. Accessed 11 Jan. 2022.
8 ‘… clarifying the so-called ‘right to be forgotten’, i.e. the right of individuals to have their data no
longer processed and deleted when they are no longer needed for legitimate purposes.’ It should,
however, be noted that this document—on the contrary of what is mentioned in some publications—
does not consist of a Directive or Regulation, but rather a kind of Letter of Intent in the form of a
communication of the European Commission to the European Parliament about the need for a new
and more effective regulation of the matter.
136 I. W. Sarlet
on May 25th , 2018.9 In Article 17, the new regulation contains a right to erasure of
data (expressly associated with a right to be forgotten) and establishes parameters
for its application.10
For these reasons it did not take long for the term right to be forgotten (although
technically not the most appropriate11 ) to be disseminated and widely used, becoming
incorporated into the current language, in the media, in the literature and in case law
in several countries and languages. Indeed, the figure of the right to be forgotten—
and the Brazilian case reveals this—has even been associated with situations that are
not always directly related to this object and where before and during a long time
there was even no mention of such a right. Despite this, it is necessary to have a
semantic agreement and, to avoid doubts about the object of our text, here too we
will use this terminology.
As to the content and justification of a right to be forgotten, although these are
arguments that are mostly shared by the different legal systems where this right has
gained visibility, here we will include, when timely, the arguments as to the founding
of the recognition and definition of the right to be forgotten and its object in Brazil.
Furthermore, the discussion on the recognition, content, limits and possibilities
of implementing the right to be forgotten, including a possible controversy about its
condition as a human and fundamental right, has become relevant in several contexts
and environments, partly requiring distinct approaches and solutions.
Thus if, regarding the recognition of the right to be forgotten in the conventional
cases that involve conflicts of the personality rights with the freedom of speech and
information, and even other rights, principles and relevant legal interests, generally
care is taken to consider and apply habitual solutions and possibly develop them, the
same does not occur in the internet environment.
Indeed, on the internet, as already mentioned partly, although the same values and
fundamental rights are involved, the context and its peculiarities have caused very
complex technical, legal (as well as economic, political, ethical, sociological and
even cultural) problems and challenges that are particularly difficult to solve. As an
illustration, it is sufficient to mention here the dissemination of access to the internet,
the almost instantaneousness of the information flow and its large-scale repercussion,
including at a global level, the difficulty of establishing an adequate regulation or of
effectively imposing the discourse of fundamental rights in this context.
9 See European Union, Regulation (EU) 2016/679 of the European Parliament and of the Council
of 27 April 2016 on the protection of natural persons with regard to the processing of personal data
and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection
Regulation) http://eur-lex.europa.eu/eli/reg/2016/679/oj. Accessed 11 Jan. 2022.
10 ‘Article 17 Right to erasure (‘right to be forgotten’) 1. The data subject shall have the right to
obtain from the controller the erasure of personal data concerning him or her without undue delay
and the controller shall have the obligation to erase personal data without undue delay where one
of the following grounds applies: ….’
11 It should be noted that, under the label of a right to be forgotten, what is at stake is—in tech-
nical terms—basically to assure individuals of a right to obtain the annulment, but also the non-
dissemination, and/or making it difficult to access particular pieces of information (as seen in the
requests for deindexation to search engine providers of the internet).
The Protection of Personality in the Digital Environment 137
12 Here we point to the references already made to the new Data Protection Regulation of the
European Union and to the case of Google vs. the Spanish Data Protection Agency and Mario
Costeja, judged by the CJEU.
13 See recently Weismantel (2017).
14 See pars pro toto Caro (2015).
15 See pars pro toto Dechenaud (2015).
16 See recently Martinelli (2017).
17 See especially Mayer-Schönberger (2009), as well as the recent article by Kelly and Satolam
(2017).
138 I. W. Sarlet
established in the sense of being textually and specifically expressed in the Federal
Constitution of 1988 (hereinafter FC).
Despite this, Brazilian legal scholarship doctrine and case law have begun to
recognize, especially (not only) from 2013 onwards, a right to be forgotten, even
with the status of a fundamental right, although some contrary positions.18 On the
other hand, there is no consensus about several points related to the right to be
forgotten, such as its content, limits and criteria for application.19
In this context, it is essential to take into account that the right to be forgotten
holds—at least according to the majority of the Brazilian literature—the double
condition of a fundamental right in the substantial and formal sense. This means
that (here in the substantial sense) the right to be forgotten must be founded in
certain superior values and principles and its relevance must be justified from a
philosophical and constitutional perspective, in order to be recognized and protected
as a fundamental right.20
On the other hand, its condition as a fundamental right in the formal sense corre-
sponds to the qualified legal regime of fundamental rights (precisely due to their
substantial fundamentality) in the FC, such as the prerogative of immediate appli-
cability and direct binding of state actors and even of private entities, but also its
condition as a substantial limit to the constitutional amendment power and its rein-
forced protection from restrictions imposed by the legislator, administrator, judicial
power and even by acts performed by private actors.21
From this perspective, as shown by the German experience, the acknowledgment
of a right to be forgotten is founded—from the constitutional perspective—in the
dignity of the human person, in the general clause of personality protection (or
rather, in the right to a free development of personality), besides being related to
and inferable from other special personality rights, such as the right to informational
self-determination, and the rights to a private life, honor and image.22 Furthermore,
it is widely recognized that the acknowledgment of a so-called right to be forgotten
is justified by the protection of personality in the face of potential abuses resulting
from the exercise of freedom of speech and information, not only, but especially in
the internet environment.
In a first approach—turning here to the material dimension of its fundamentality—
one must begin with the general and structuring fundamental principle of the dignity
of the human person, contained in Article 1, item III of FC, in the article that lists
the foundations of the Brazilian democracy and rule of law. This principle has also
assumed—in a practically settled manner in legal scholarship and case law—the
18 Mention should be made here of the view of Sarmento (2016), pp. 190–232.
19 Limiting ourselves here to the sphere of the Brazilian books dedicated specifically to the topic,
see Martinez (2014); Maldonado (2017); Carello (2017); Consalter (2017); Branco (2017), Sarlet
and Ferreira Neto (2018) and Frajhof (2019).
20 See, pars pro toto, Ferreira Neto (2016), pp. 278–323.
21 For the development of this point see, pars pro toto, Sarlet (2015).
22 See, pars por toto, Buchholtz (2015), pp. 127ff.
The Protection of Personality in the Digital Environment 139
23 In Brazilian law, see among others Tepedino (1999), pp. 44 ff.; de Andrade (2006), p. 101; de
Moraes (2003), pp. 117ff; Schreiber (2014), especially pp. 7ff.
24 See in this sense Solove (2011), pp. 15–30.
25 In this sense, precisely as regards the right to be forgotten, see Diesterhöft (2014), p. 150. It
should, however, be noted that the author refers to a more restricted dimension of what is called a
right to a new beginning, since he talks specifically of a “‘medial’” new beginning, emphasizing
the digital environment, which, from the perspective adopted here, sounds excessively limited.
26 Botelho (2017), p. 52.
27 See Rodotà (2014), pp. 41–42.
28 On this, see Albers and Schimke (2019). It should be pointed out that the authors share the
understanding that one must distinguish between different types of memory, viz. individual, social,
cultural and political, which will not be further discussed in the present text.
140 I. W. Sarlet
were not chosen will be forgotten for the current communication processes, so that,
basically and from an abstract perspective, one forgets as much as one remembers.29
Given the relevance of this aspect for the right to be forgotten, it should also be
recalled that on the internet environment information (and thus also ‘memory’)—can
be lost in several ways, namely, due to the fact that it was not stored, due to technical
damages or because it is not accessible by the available means.30 This, obviously,
should be considered when the content, limits and efficacy of the right to be forgotten
are defined.
On the other hand, one can see that the recognition of a right to be forgotten does
not entail attributing a subjective right in the sense of being able to oblige someone,
from the individual viewpoint, to forget something, which would be technically
impossible except by the coercive imposition of certain medical procedures, which,
besides being clearly illegitimate from the legal (and ethical) standpoint, would not
have the capacity to influence the sphere of collective memory. That is why—as
emphasized above—one should consider a process of social forgetting, which is
reflected on the individual level, but occurs through the possible suppression of
particular pieces of information and by making it difficult to access them. These
aspects, in turn, have a direct relationship with the problem of content, limits and
ways to implement the right to be forgotten.
Having said that and notwithstanding the fact that the right to be forgotten can
already be well anchored from the point of view of its justification and acknowledg-
ment, as a fundamental right implicit in human dignity and in the right to free devel-
opment of personality, this justification is reinforced by the possible and necessary
relationship between the right to be forgotten and some special personality rights,
be they expressly established, particularly the right to privacy (and intimacy), the
rights to honor and to one’s own image, or deduced as implicit and non-enumerated
rights by the Brazilian Federal Supreme Court (hereinafter FSC), like the rights to
informational self-determination or the right to a name and personal identity.
These special personality rights—except the right to informational self-
determination—were objects of express acknowledgment by the framers of the
FC and allow, especially in case of tension and even conflict with the freedom of
speech and information, to reinforce the justification for the inference of a right to
be forgotten as an implicit and necessary requirement for protection, especially in
relation to the personal and public exposure/confrontation with facts from the past—
whether one’s own or especially of third parties—of an offensive, embarrassing or
even inconvenient and untrue nature.
On the other hand, the right to informational self-determination, which, like in
other countries, is not directly enshrined in the FC, has been inferred from the prin-
ciple of the dignity of the human person as a general clause of personality protection,
from the right to inviolability of data communication enshrined in Article 5, item XII
of the FC (together with the confidentiality of correspondence and communications
by telephone).
It was only in May 2020, that the FSC, in a historical decision (ADI 6387, Jus-
tice-Rapporteur Rosa Weber), recognized an implicit autonomous fundamental right
to personal data protection, deduced from the principle of human dignity, the right to
a free development of personality, the right to informational self-determination and
the right to privacy. In October 2021, a Constitutional Amendment proposal (PEC
17/2019) was finally approved by the Brazilian National Congress, including a right
to personal data protection in the constitutional text (art. 5, LXXIX).
Furthermore, the right to informational self-determination is related to the right
to information and also to the instrument of habeas data, a constitutional action
instituted by Article 5, item LXXII of the FC, according to which ‘habeas data shall
be granted: (a) to ensure the knowledge of information related to the person of the
petitioner, contained in records or databases of government agencies or of agencies
of a public character; (b) for the correction of data, when the petitioner does not
prefer to do so through a confidential process, either judicial or administrative.’
In brief, the right to informational self-determination (originally recognized
through case law developed by the Federal Constitutional Court of Germany) estab-
lishes a link between the protection of personality in a broad sense and the protec-
tion of personal information, ensuring the individuals to decide themselves about
supplying, using and disseminating data (information) that concern them, although
not being an absolute right,31 which, however, will not be further developed here.
Moreover, although here we are dealing with a more specific aspect that refers
more directly to criminal law, it is cogent to invoke convict’s right to resocialization,
recognized by the FSC also as an implicit fundamental right, even if this acknowl-
edgment is previous and originally not associated with a right to be forgotten. In
its dimension connected to the right to be forgotten, the right to resocialization
implies ensuring that the convict has a real possibility of becoming reintegrated
into family and social life and not be constantly confronted with this fact. Here, in
turn, legal scholarship and case law have repeatedly invoked a precedent from the
Federal Constitutional Court of Germany, specifically the famous Lebach I case,
which will be the object of some attention in the critical evaluation of the Brazilian
court decisions.
Also in the criminal sphere, the FSC (and the SCJ and many decisions made in
the lower courts as well) has associated the right to be forgotten to the constitutional
prohibition of life sentence verdicts, in order to prevent, in some cases and given
the circumstances, the consideration as a bad record (to dose the sentence) of prior
convictions that were matters adjudged over five years ago.32
In brief, before continuing to present possible specific expressions of a right to
be forgotten in the sphere of ordinary legislation, it can be claimed that, taking
into account the elements presented, the reasons of those who refute the possibility
31 About this topic, in general terms, see especially Albers (2005). For a look at the most recent
evolution, see pars pro toto, Bull et al. (2016), and, focusing on the internet, Maisch (2015).
32 In this sense, for instance, Brasil, Supremo Tribunal Federal, Habeas Corpus: HC nº 126,315,
Beyond its (constitutional) qualification as a fundamental right, one can also find
(even long before the quarrel regarding the recognition of the right to be forgotten
as such) several rules at the underconstitutional level that correspond to some of
these pieces of information, besides being entitled to hold accountable the entities
responsible for maintaining and using data in an illegal way.
The Brazilian Civil Code (Law no. 10,406 of January 10th , 2002), particularly
in Articles 11, 12 and Articles 16 to 21, all contained in the chapter concerning the
personality rights, also offers support for the protection of certain aspects connected
to the right to be forgotten. Whereas Articles 11 and 12 establish general rules for the
protection of personality rights in general, in Articles 16 to 21 one can find specific
rules related to important aspects that also concern a right to be forgotten.
In Article 16, the Civil Code acknowledges that ‘every person has the right to
a name, which includes forename and surname.’ This right has been, despite the
absence of a specific provision in the FC, considered as a fundamental right, deduced
from the human dignity principle and the general clause of protection of personality.36
In the following, Articles 17 to 19 of the Civil Code define that (a) ‘a person’s name
cannot be used by another in publications or representations which expose them to
public contempt, even when there is no defamatory intention’ (Article 17); (b) ‘the
name of another cannot be used in commercial advertising without authorization’
(Article 18); (c) ‘the pseudonym adopted for lawful activities enjoys the protection
that is given to the name’ (Article 19).
In more general terms, Article 21 of the Civil Code provides that ‘the private life
of a natural person is inviolable, and the judge, at the request of the party concerned,
will adopt the necessary measures to prevent or make cease acts contrary to this rule.’
This rule, handled in harmony both with the constitutional framework and with other
legal provisions, can be a powerful instrument for the effectiveness of some aspects
related to the right to be forgotten. While the first part of Article 21 only reproduces,
at the ordinary legislative level, the right to privacy already enshrined in the FC, the
second part, however, assures the judicial protection of private life, being—at least
to a certain extend—applicable to the right to be forgotten.
Particularly controversial is the statement of Article 20 of the Civil Code: ‘Unless
authorized, or if necessary to the administration of justice or maintenance of public
order, the dissemination of written material, the transmission of words, or the publi-
cation, exhibition or use of a person’s image may be forbidden, at their behest and
without prejudice to the compensation, if appropriate, if their honor, good name or
respectability are affected, or if they are used for commercial purposes.’ In fact,
considering that the FC assures the freedom of speech without the need for any kind
of previous authorization, the constitutionality at least of part of Article 20’s content
has been strongly contested.
36 See as an illustration representing the orientation in constitutional case law the decision of the
SC in RE 454903/SP: ‘The right to a name is part of the concept of dignity of the human person
and expresses their identity, the origin of their ancestry, the acknowledgment of the family, which
is the reason why the state of affiliation is an inalienable right, because of the greater common
good to be protected, derived from the very binding force of the public order precepts that regu-
late the matter (Child and Adolescent Statute, Article 27)’. Brasil, Supremo Tribunal Federal,
Recurso Extraordinário: RE 454903/SP, Justice-Rapporteur Joaquim Barbosa, judged on Dec 7,
2009. https://jurisprudencia.stf.jus.br/pages/search/despacho125237/false. Accessed 12 Jan. 2022.
The Protection of Personality in the Digital Environment 145
Indeed, due to the existence of dissenting in precedents from lower courts, as well
because of major criticism by legal scholars, the FSC—in ADI 481537 (judgment
in 2015)—though it did not declare the unconstitutionality in itself of Article 20 of
the Civil Code, gave it an interpretation in accordance with the FC, in the sense of
interdicting the requirement of prior authorization by the person whose biography is
involved (or their representatives), for third parties to write biographies.
Furthermore, the Federal Statute no. 12,965 of April 23rd , 2014, the so-called
Marco Civil da Internet (the Civil Framework of the Internet [hereinafter CFI])
established a set of principles and provided for guarantees, rights and duties for the
use of the internet in Brazil. The CFI, even if it does not expressly mention a right
to be forgotten, contains important general guidelines and concrete rules that can be
applied directly or be reconstructed for the purpose of recognizing the need to accept
this individual legal claim in certain cases. The following provisions from the CFI,
if systematically interpreted, along with other legal provisions already listed, lead to
the conclusion that points to the existence of the right to be forgotten in national law,
besides regulating specific aspects of this fundamental right and thus being useful at
least partially for its implementation.
From this perspective, Article 2 of the CFI establishes, on the one hand, that
the ‘Internet use in Brazil is founded on the respect for freedom of speech,’ which
is the reason why its use should always guarantee and fulfill ‘the human rights,
the development of personality and the exercise of citizenship in digital media.’
On the other hand, Article 7 contains a catalog of rights and guarantees of internet
users that also involve the protection of personal data, privacy and informational
self-determination, and even reproduces constitutional provisions, besides rendering
them concrete by regulating various aspects that are correlated to them, in the internet
environment:
Internet access is essential for the exercise of citizenship, and the users have the following
rights:
I – inviolability of intimacy and privacy, protection and compensation for property or
moral damages resulting from its breach;
VII – no supply of personal data to third parties, including connection logs, and data of
access to internet applications, except by free, express and informed consent or in the cases
provided by law;
IX – express consent to the collection, use, storage and processing of personal data, which
should be highlighted in the contract terms;
X – definitive exclusion of personal data that have been provided to the particular internet
application, on request of the user, at the end of the relationship between the parties, except
in the cases of mandatory storage imposed in this law;
37 Brasil, Supremo Tribunal Federal, Ação Direta de Inconstitucionalidade: ADI 4815, -Rapporteur
Carmen Lúcia. En banc court, judged on June 10, 2015. https://redir.stf.jus.br/paginadorpub/pag
inador.jsp?docTP=TP&docID=10162709. Accessed 11 Jan. 2022. For non-Brazilian readers, it
should be explained that the procedure in which this matter was decided is called Direct Action
for the Declaration of Unconstitutionality (‘Ação Direta de Inconstitucionalidade’), which, within
the sphere of an abstract and concentrated control of rules, aims to declare the unconstitutionality
of a federal or state normative act or then, among other modalities of decision, to promote an
interpretation according to the Constitution.
146 I. W. Sarlet
On the other hand, though the current legislation does not expressly cover all
aspects of the right to be forgotten, there are now several law bills that provide for
and regulate a right to be forgotten but are still being discussed in the Brazilian
National Congress. It should be underlined that all the bills are directly related to the
internet environment, although not exclusively in all cases.
The Law Bill presented by Representative Jefferson Campos (Projeto de Lei—PL
2,712/2015) alters and complements the CFI by adding to Article 7 ‘the removal,
at the request of the party involved, of references to records about them in search
sites, social media or other sources of information on the internet, as long as there
is no current public interest in the dissemination of the information and that the
information does not refer to facts that are genuinely historical.’
In turn, Law Bill 1,676/2015, presented by Representative Veneziano Vital do
Rêgo, defines as a crime and punishes the act of filming, taking photographs or
recording people’s voices without permission or for non-licit purposes (with a prison
term of one to two years, besides a fine) and establishes a harsher punishment if
later this information is disseminated (two to four years). If the dissemination takes
place on the internet in any way (computer, internet or social media), the penalty will
be even higher, between four and six years in prison and a fine. The Law Bill even
aims at developing a definition for ‘right to be forgotten’ as the ‘expression of the
human dignity, representing the guarantee of dissociation of the name, image and
other aspects of the personality in relation to facts that, even if veridical, do not have,
or no longer have, public interest.’
Thus, relevant for the internet environment is the circumstance that the Law Bill
establishes that even true facts, if they are no longer in the public interest, may be
subject to protection and removal. Besides this, it provides for holders of the right to
be forgotten the right to demand, independently of judicial authorization, from the
media in general and also from the providers of content and search on the internet,
that they stop transmitting or exclude material or references that connect them to
unlawful facts or those that will besmirch their honor. It also obliges the social media
and search, as well as content providers, to create specific departments to deal with
the right to be forgotten and to give a well-founded answer in the case they do not
acknowledge the application of the right to be forgotten.
Moreover, the Law Bill 8,443/2017 provides that any citizen has the right to
demand from any mass media the removal of any information that is inappropriate
or detrimental to their image, honor and name. The right should be exercised through a
petition addressed to the specific media, mentioning the rights affected and describing
the harm caused by the dissemination of the information. In case of refusal, which
must be proved, the affected person is entitled to access the Judiciary. An especially
relevant aspect is that the bill does not ensure this right to holders of elective office and
public actors (v.g. judges, public attorneys, diplomats) who are being investigated
or sued or who have already been sentenced. Besides, if it is a public person, the
request must mandatorily be formulated through judicial proceedings.
More recently, in 2020, the Law Bill 4,418/20 has been submitted to the Na-
tional Congress, establishing and regulating the ‘right to be forgotten in criminal
law’. In general terms, the proposal assures the right to any convicted person to
148 I. W. Sarlet
not be cited by name or any other manner of identification, both in the criminal or
administrative justice system, after six years. Any person found not guilty will acquire
immediately the mentioned right, while those convicted by corruption or especially
heinous crimes will be able to exercise the right to be forgotten only twelve years
later. In the same year, another Law Bill – Projeto de Lei 4,306 – was submitted
to debate in the Brazilian National Congress in order to establish the ‘right to be
forgotten for children and adolescents’, punishing with imprisonment (from two up
to four years) anyone who shares data of children or adolescents who have been
victims or have witnessed crimes.
If these bills (or one of them) are approved, it is evident that they may have a great
impact and practical consequences, besides giving rise to several legal problems,
even from a constitutional perspective, which will be the subject of our attention also
in the context of the general analysis and criticism to be made further on (Sect. 4).
40 Just to inform the non-Portuguese readers, the Superior Court of Justice (Superior Tribunal de
Justiça) is a high Federal Court and constitutes, along with the Superior Labor Court (Tribunal
Superior do Trabalho), the Superior Electoral Court (Tribunal Superior Eleitoral) and the Superior
Military Court (Tribunal Superior Militar) a kind of third instance of the judicial system. Specially
the SCJ gains importance for the right to be forgotten due to the fact that its competence embraces
the revision of lower courts decisions (federal and state courts) in order to assure the unity
and authority of national Law. In the case of the FSC, its importance derives from the fact that it acts
as a constitutional court, binding all other courts, including the SCJ and any Federal High Court. The
access to the FSC can be—based on the US-System—through judicial review (since every single
judge and any Court can declare the unconstitutionality of any peace of legislation), or through
mechanisms related to an objective, abstract and concentrated control of constitutionality.
41 For a presentation and analysis of lower Courts decisions (appeal level) see Carello (2017),
pp. 81–142.
The Protection of Personality in the Digital Environment 149
Furthermore, for the sake of an easier understanding and mainly to allow a broad
and comparative critical analysis, we shall not only follow the chronological order,
but also present separately the cases that concern the right to be forgotten in general
terms (offline) and the cases that refer to this right in the domain of the internet
(online). On the other hand, considering the limits of the present paper, we will
restrain ourselves from presenting those cases that could be considered the leading
ones in this matter.
The first two cases, both judged by the SCJ, were appreciated in the Special Appeals
(Recurso Especial) no. 1335153/RJ and no. 1334097/RJ (2013). In these two cases
judged on the same day, a few parameters were established for the acknowledgment
and respective legal consequences of a right to be forgotten in Brazil. However, oppo-
site conclusions were reached in each case, since one of them assured the protection
of this right, whereas in the other one prevalence was given to the freedom of infor-
mation and communication. This discrepancy does not necessarily prove to be a
contradiction, but already points to the fact that, like in other cases in which there
is a collision of rights, it is necessary to analyze the peculiarities of each case, the
weight of the rights involved, as well as the impact resulting from their greater or
lesser protection. This must be done through a balancing procedure aiming at estab-
lishing an adequate solution from the legal point of view. Whether the result of the
balancing undertaken by the court in each case was adequate will be discussed later
(Sect. 4).
In the first case, known as the ‘Aida Curi’ case (Resp. 1.335.153/RJ), family
members of Aida Curi, who was murdered in 1958 (this case became notorious at
the time when the murder was committed) sued Globo Comunicações e Participações
for broadcasting—without former permission—the TV-Program called Linha Direta,
reproducing and reconstituting, even as a documentary and decades later, the same
traumatic episode. They claimed that ‘old already healed wounds’ might be reopened
in public. The plaintiffs requested the acceptance of their claim that in this case ‘their
right to be forgotten’ should be recognized in order ‘to not have revived, against their
will, the pain that they had suffered at the time of Aida Curi’s death, and because of
the publicity given to the case decades earlier.’ They further requested compensation
for immaterial (moral) damages.
Analyzing the particularities of the case, the Court stated that
1. the victims of crimes and their families, theoretically, can also hold the right to
be forgotten insofar as they cannot be obliged to be subjected unnecessarily to
‘memories of past facts that caused them unforgettable wounds;’
150 I. W. Sarlet
2. the appropriate solution of the case requires balancing the potential historicity
of the narrated facts with the protection of the personality rights of the victim
and her relatives;
3. the crime entered the public domain and thus became a historical fact, which
must be accessible to the press and society. Besides, due to the broad dissem-
ination given to the fact at the time it happened, including the investigation
and trials, as well as the direct connection with the victim’s name, it would be
unfeasible to ‘portray the Aida Curi case without Aida Curi;’
4. considering the specific situation, a restriction of the freedom of the press
would be disproportionate compared to the discomfort generated by the remem-
brance of the facts by the victim’s family, particularly considering the long time
elapsed since the date of the events, which has the power of reducing, even
if not completely removing, the pain and shock caused by the facts and their
dissemination.
In the second decision, known as the case of the Candelária Slaughter (Chacina
da Candelária, Resp. no. 1.334.097/RJ), the scope of the lawsuit was to obtain a
civil compensation from Globo due to the broadcasting (in the same Linha Direta
program) of a documentary about the facts, the investigation and the trial before
courts. The plaintiff of the original claim fought for the acknowledgment of his right
to be forgotten, i. e. not be remembered against his will, because of criminal facts for
which he had been prosecuted and judged but acquitted. He also alleged the absence
of contemporaneity of the facts and that reopening ‘old wounds’ which had already
been overcome by him would have reawakened the suspicion of society regarding
his character. Considering the particularities of the case, the Court, recognizing the
plaintiff’s claim, argued that
1. even if the crimes reported were famous and historical and although the jour-
nalistic story was faithful to reality, the protection of the intimacy and privacy
of the convicted and the acquitted should prevail, since the ‘useful life of the
criminal information’ had already reached its end;
2. the acknowledgment of a right to be forgotten expresses ‘a cultural evolution of
society, conferring concreteness to a legal system that, between memory—which
is the connection with the past—and hope—which is the tie with the present—
made a clear option for the latter.’ Besides this, the right to be forgotten is a
‘right to hope, completely attuned with the legal and constitutional presumption
of the possibility of rehabilitation of the human person;’
3. the uncontested historicity of the facts must be concretely examined, affirming
the public and social interest, as long as the personal identification of those
involved is essential. Although it is a historical event and a symbol of the precar-
iousness of the State’s protection of children and adolescents, the documentary
could have portrayed the facts correctly without identifying, by name or by
image, those involved, particularly the appellee;
4. furthermore, allowing the dissemination of the name and image of the appellee,
even if acquitted (who even so would have reinforced his image as accused and
involved in the crime), would be the same as allowing a second violation of his
The Protection of Personality in the Digital Environment 151
dignity, since the very fact and its broad dissemination, including the name of
the appellee as a suspect, and also the police inquiry, at the time it took place
was already a national shaming.
Considering its specificities, there is a third decision from the SCJ worth
mentioning, although not being related to the internet environment. In this case,
decided in March 28th , 2020 (Recurso Especial—Special Appeal—Nr. 1.736.803/RJ,
Justice-Rapporteur Villas Bôas Cueva), a right to be forgotten was also recognized
by the Court, upholding the decision from the State Appeal Court Rio de Janeiro,
convicting—as it was the case from the first instance Judge—the defendant (an impor-
tant Magazine—Isto É) to pay for immaterial damages for exposing the private life
from one of the plaintiffs and her family, including children, in a report published in
October 2012.
According to the SCJ, the public interest should prevail when information
disclosed with respect to a notorious criminal fact are marked by historicity,
remaining current and relevant to collective memory, a situation not configured in
the case. The publication of a report with content exclusively limited to describing
routine habits and private facts from the life of a contemporary person convicted
of a crime and her family members constitutes an abuse of the right to inform and
infringes the right to privacy and the right to be forgotten.
Besides this, the SCJ argued that the media exploitation of personal data of an
egress of the criminal system is a violation of the constitutional principle of the
prohibition of life sentences, the right to rehabilitation and the right to return to
social life, guaranteed by the infra-constitutional legislation (criminal code, criminal
procedure code and the criminal penalty execution Act). The extension of the effects
of the conviction to third parties not related to the crime constitutes a transgression
of the principle of non-transferability of the penalty, enshrined in Article 5, XLV,
of the FC, being especially serious when affecting children or adolescents, who are
protected by Law, which ensures the right to integral protection and full development
in a healthy way.
On the other hand, it is of major importance that the SCJ, as well as the State
Courts, acknowledged that in face of evident social interest in preserving the historical
and collective memory of notorious crime, the plaintiff’s thesis that the right to be
forgotten implies a prohibition of any future broadcasting of journalistic articles
related to her criminal act, cannot be accepted for it clearly constitutes pre-censorship,
prohibited by the FC.
Particularly relevant for the discussion around the content and scope of a right to
be forgotten in Brazil is the fact that the FSC (after the Aida Curi case) acknowledged
the general repercussion of the discussion,42 since it would be possible to examine
42 Brasil, Supremo Tribunal Federal, Recurso Extraordinário com Agravo: ARE 833248 RG/RJ,
Justice-Rapporteur Dias Toffoli, judged on Feb 19, 2015. https://redir.stf.jus.br/paginadorpub/pag
inador.jsp?docTP=TP&docID=7810658. Accessed 12 Jan. 2022. It should be mentioned for the
better understanding of non-Brazilians that the FSC, by a qualified majority decision of its judges,
can accept the allegation of general repercussion (relevance and national character of the case and
a significant controversy and divergence in case law), which implies the suspension of all actions
152 I. W. Sarlet
that are going through the ordinary instances up to the definitive judgment of the case by the FSC,
when the decision begins to have general effects (erga omnes) and directly binds all of the bodies
and agents of the Judiciary.
43 For a summary presentation of the three currents, see Schreiber (2017a, b).
The Protection of Personality in the Digital Environment 153
the presentation of the jurisprudence of the SCJ related to the right to be forgotten
in the digital environment.
Even if the general repercussion of the topic was acknowledged based a case (Aida
Curi) that do not involve the internet, the discussion at the public hearing (in which
representatives of Google and Yahoo had the floor) and the FSC’s decision on the
merits also had a direct repercussion on the right to be forgotten online. Thus, taking
into account that as regards acknowledging a right to be forgotten on the Internet,
no final decision of the FSC has been recorded, and that a deeper evaluation of that
judgment will be undertaken considering both, the offline and online jurisprudence
and developments in general, the goal here is to analyze the main decisions taken by
the SCJ until the day the present text was concluded.
In this context it should be emphasized that the right to be forgotten on the internet
is not limited to the liability of the search engine providers and to a right to deindex-
ation. Indeed, taking into account the scope of the right to data erasure established
in the CFI, the right to be forgotten, at least in the Brazilian case where there is no
specific rule regarding the deindexation by search engine providers, is also relevant
as regards the providers of content, especially in the so-called social media, sharers
of videos and photographs, etc.
However, despite the recurrent judicial cases involving the liability of content
providers due to the non-erasure of all kinds of expressions considered untrue, incor-
rect, offensive to personality rights and even those defined as crimes, it is striking
that, at least in the cases of the SCJ about this subject, a right to be forgotten has not
been directly invoked. For this reason, our attention will not be given to these deci-
sions, but rather regarding those that referred to a right to be forgotten and dedicated
themselves to understanding and applying it.
Be as it may, simply not to completely ignore the point, it should be emphasized
that the dominant and consolidated case law of the SCJ44 can be summarized in the
following terms: (a) the providers of application and content, including the social
networks, are not objectively liable for the insertion of illegal information in the site
by third parties; (b) they cannot be obliged to perform prior control of the content of
information posted by the users; (c) however, when they are informed unequivocally
of its existence, they must remove it immediately, for not being considered respon-
sible for the damage caused; (d) they must maintain a minimally effective system
that allows the identification of users, whose efficacy will be checked case-by-case,
44In this sense, see Brasil, Superior Tribunal de Justiça, Recurso Especial: Resp. 1642560/SP,
Justice-Rapporteur Marco Aurélio Belizze, judged on Sept 12, 2017 and Resp.1629.255-MG,
Judge-Rapporteur Nancy Andrighi, judged on Aug 22, 2017. http://www.stj.jus.br/portal/site/STJ.
Accessed 11 Jan. 2022.
154 I. W. Sarlet
45 See, pars pro toto, Brasil, Superior Tribunal de Justiça. Recurso Especial: Resp 1642560-SP,
Justice-Rapporteur Marco Aurélio Belizze, judged on Sept 12, 2017. https://scon.stj.jus.br/SCON/
GetInteiroTeorDoAcordao?num_registro=201602427774&dt_publicacao=29/11/2017. Accessed
11 Jan. 2022.
46 See Brasil, Superior Tribunal de Justiça. Recurso Especial: Resp 1316921/RJ. Justice-
Rapporteur: Nancy Andrighi. Third Panel, judged on June 26, 2012. https://scon.stj.jus.br/SCON/
GetInteiroTeorDoAcordao?num_registro=201103079096&dt_publicacao=29/06/2012. Accessed
11 Jan. 2022.
The Protection of Personality in the Digital Environment 155
3. Given the subjective and arbitrary character involved in the decision to remove—
or not—links, results and pages vehiculating offensive (illicit) contents on the
internet, this margin of discretion cannot be delegated to the research provider;
4. The conflict between the protection of personality rights and the freedom of
speech and communication, especially in its collective dimension, should prevail
over the individual interests and greater weight should be attributed to the right
to information.
A second relevant decision was taken by the SCJ in the Special Appeal 407271/SP,
judged on November 21st, 2013.47 This was a case brought by a woman who was
dismissed by the company where she worked after a video was found in her corporate
e-mail with intimate scenes recorded on the premises of the company. This video was
posted on the internet, made available on Orkut and could be accessed through Google
search engines. The claimant sought to obtain the disconnection of all prejudicial
URLs from Google, the removal of any mention to her name from the Orkut site,
and to be given the information on all those responsible for publishing the message
that was offensive to her.
Already in the decision by the lower court judge, it was considered that there was
no way of removing all the pages that had posted the video, and the obligation was
converted into financial compensation for the damages caused. The SCJ, however,
refused the claimant’s request. Besides reiterating arguments used in the previous
case, the balancing undertaken by the Court was in favor of the freedom of informa-
tion, for the claimant’s request was legally impossible because it was unreasonable
in the specific case. Furthermore, mention was made of the claimant’s behavior as
being naive and offhand because she maintained videos with intimate images on her
electronic mail.
A third case was the Complaint (Reclamação) no. 5,072/Acre, judged on
December 11th , 2013,48 regarding the request of Google Brasil Internet to over-
rule the decision of the lower courts which condemned the appellant to pay moral
damages in favor of the defendant (a Judge), because his name was connected to
news about judges involved in practicing pedophilia.
During the judgment, there was an attempt to remove the fine imposed on the
claimant because it did not comply with the preliminary injunction that had ordered
it to remove from the internet records of the original page, as well as to suppress the
name of the original plaintiff and his association with the aforementioned matter, its
reproductions or all and any topic related to pedophilia from the search engines.
The outcoming of this judgment was again a victory of Google and the SCJ
overruled the decisions taken at the lower court level. The reasons invoked by the
SCJ in general replicated the arguments of previous decisions, so that here we limit
responsible for the content of the results of the searches carried out by the respective
users and cannot be obliged to eliminate results derived from searches based on a
given term or name. Besides, the SCJ considered (by a majority) that in Brazil there
is no specific legal provision imposing this responsibility on search engine providers,
which would also mean to entrust them with the function of a kind of digital censor.
If we consider all the judgments mentioned and related to the Internet, we can
see that the SCJ has been refusing the direct liability of search engine providers for
third party contents on the Internet and even not recognizing a right to be forgotten
as such in those cases.
This restrictive tendency seems to be experiencing a radical change, since the
SCJ recently decided (Resp. 1.660168/RJ, May 8th, 2018), by a tight majority (3
vs. 2), to affirm the responsibility of research providers for contents than can be
accessed through their search engines. In order to better understand the case and to
check all the arguments managed in the former decisions, identifying the criteria that
supported the judgment, we present the aspects of the case and the court’s reasoning.
The case is about judgment of the special appeal filed by the companies Google
Brasil Internet Ltda, Yahoo do Brasil Internet Ltda and Microsoft Informática Ltda
regarding a judgment at the level of appeal decided by the State Appeal Court Rio
de Janeiro, which, in turn, had overturned the low court Judge’s decision that did not
acknowledge a right to be forgotten of the plaintiff, who was a member of the State
Prosecution Office. The plaintiff wanted an injunction imposing the defendants to
install a keyword-based filter in order to avoid the association of the plaintiff’s name
to an alleged fraud occurred in 2007, on the occasion of a public contest (state exam)
to become a judge.
It should be noted that at that time the National Council of Justice carried out an
investigation, which, however, did not find enough evidence of the occurrence of a
wrongdoing or violation of the law. Nonetheless, even after that decision, the name
of the plaintiff continued to be indexed and associated with data related to the topic
‘fraud in competitive public examination for the bench.’ This led to the filing of the
suit based on the allegation that this affected the plaitiff’s privacy and image, due to
the fact that she already held another public office in the legal area.
As far as the reasons alleged are consistent, it should be mentioned that the low
court judge did not acknowledge the liability of Google as a search engine provider
by basically putting forth the arguments underscoring the guidance provided by the
SCJ until then. That decision was overruled by the State Appeal Court, arguing that
given the case’s circumstances, the personality rights of the then appellant should
prevail in order to avoid the circulation, for an unreasonable length of time, of news
that might have a negative repercussion on the present lives of individuals. Thus, the
State Appeal Court ordered the abovementioned research providers to install content
filters that would disassociate the name of the plaintiff from information and opinions
related to the alleged fraud, under penalty of a daily fine of R$3000.00 (about USD
800,00).
In the special appeal filed, the defendants (Google and others) alleged, basically,
(a) that the court’s decision involved a violation of provisions of the Civil Procedural
Code and of the Civil Code because it imposed a technically and legally unfeasible
158 I. W. Sarlet
obligation; (b) that the obligation imposed had no usefulness whatsoever, since the
disassociation of the appellee’s name of the search engines does not prevent the main-
tenance of stories in which her name is mentioned on the internet; (c) the application
of the SCJ’s reiterated view on the impossibility of holding the providers liable under
such conditions; (d) that the order determining the filtering of search results implies
censorship and violates the rights of consumers who use their search services.
Finally, already at the level of the special appeal judgment, the SCJ decided, by
a majority, to partially grant the appeal by reducing the amount of the fine. As far as
the reasons put forth by the Justices are concerned, it should be highlighted that the
Justice-Rapporteur, Nancy Andrigui, maintained in general terms the position upheld
at several previous decisions in which requests for the deindexation of contents posted
by third parties and accessed through search mechanisms provided by search engine
providers were denied. Agreeing with the Rapporteur’s opinion, Justice Ricardo
Villas Boas Cuêva claimed that the decision by the State Appeal Court Rio de Janeiro
had denied the effectiveness of Article 19 of the CFI, particularly because it had
issued a generic order without identifying in a clear and specific manner the content
considered harmful and enabling its location, which is the reason why the author of
the request for the exclusion of data should indicate the URL. Furthermore, according
to the legal provision cited, providers can only be held liable for contents posted by
third parties when, once notified, they do not take measures to make the material
considered harmful become unavailable.
Regarding the dissenting opinions, which finally prevailed, Justice Marco Aurélio
Belizze granted the appeal only partially by reducing the amount of the stipulated
fine. Regarding the acknowledgment of the right to be forgotten in the specific case
at hand, he upheld the decision by the State Court of Rio de Janeiro basically on
the following grounds: (a) there is no difference between the norms applicable in
Europe and in Brazil because in both cases what is at stake is the liability of search
engine providers (query mechanisms), which select and establish a hierarchy of
information based on algorithms independent of the content of the data to which
they provide access; (b) the CFI supports the measure taken by the State Court
Rio de Janeiro, although it is not explicitly provided for, which may be the case in
exceptional situations when the access to information produces a disproportionate
impact, particularly as regards interests of a private nature and even in the presence
of a collective interest, when a long period of time has elapsed since the occurrence
of the facts whose dissemination on the internet is seen as harmful; (c) in the specific
case, even after a period of two years had elapsed, the provider still indicated as the
most relevant piece of news associated with the plaintiff’s name the one related to
the public examination, and even after a whole decade that data is made available
as if there were no other later information on the issue available; (d) the plaintiff’s
request is specific in the sense that the indication of her name should no longer be
used as the exclusive criterion, unconnected from any other term, by relating it to
the mentioned fact that was detrimental to her personality rights; (e) insofar as that
result appears and is maintained by the site, this involves a feedback effect since the
user, when performing the research based on the plaintiff’s name and getting the link
to that particular piece of news, will access the content, which, in turn, will reinforce
The Protection of Personality in the Digital Environment 159
the automated system’s indication that that page is relevant; (f) the access to that
data is not prevented because the sources that disseminate it and even mention the
plaintiff’s name are still available on the internet; (g) the order to install filters aims
at avoiding that, by using the plaintiff’s name as an exclusive search criterion, the
information about an alleged case of fraud that took place more than ten years ago
be accessed first.
After the position taken by Justice Moura Ribeiro, who adhered to the dissenting
opinion, Justice Paulo Sanseverino had to deliver the tie-breaking opinion. He favored
the dissenting opinion by not granting the appeal based on the following reasons: (a)
the specific case, differently from those in which the content providers’ liability is
at stake, has to do with the right to avoid that, when the search is made by using the
query mechanisms of the search engine providers that refer only to the person’s name,
without any other binding criterion, the prioritized piece of information continues to
be, after so many years, the facts that impact the plaintiff’s rights; (b) for this reason,
as in the example of the case Google versus Mario Costeja González judged by the
European Union’s Court of Justice and considering the peculiarities of the specific
case, the right to information should not prevail due to the disproportionate impact
on the plaintiff’s personality rights.
In the light of the decisions mentioned here, it is necessary to make a critical
evaluation of them, which will be done in the next section.
4.1 Did the FSC Close the Door to the Right to be Forgotten?
The FSC’s decision from February 2021 was immediately followed by a huge contro-
versy and criticism.51 At one point, however, an almost absolute consensus can be
described, namely that the Court correctly rejected the application of the right to be
forgotten in the so-called Aida Curi case, due to its circumstances, already presented
and discussed to some extent in the decision from the SCJ (see 3.1).
The most important question that remains open and must be answered is
whether the judgment from the FSC, denying the right to be forgotten in the Aida
Curi case through a direct binding decision (a mandatory precedent for all other
Brazilian Judges and Courts) and with erga omnes efficacy, closed the door to future
developments, even those admitting some dimensions of that right.
The answer that has been gaining more and more supporters is positive, in the
sense that the door to the right to be forgotten remains open. In fact, closely examining
the Justices’ votes, a first remark that shall be made is that the Court underlined that
the right to be forgotten could not be accepted with the broadness and scope sustained
by the family members of Aida Curi. Besides this, the Justices argued that in case of
abuses of the right of freedom of speech and information and depending on which
other fundamental rights and constitutional principles and goods are affected and
how they are affected, in each specific case and considering the circumstances, it is
necessary to conduct a balancing approach in order to evaluate what kind of measures
are needed to solve the problem. Another aspect worth mentioning is that the Court
did not decide about the right to be forgotten on the internet domain, leaving the way
open in this regard, mainly concerning the so-called right to deindexation.
Despite the existence of other arguments sustained by the Justices and advocated
by the Court’s critics that could be presented and explored, the fact is that the FSC
denied the ‘label’ right to be forgotten, but not the possibility to recognize and apply,
under certain circumstances, some dimensions that have been associated with this
right. The first and probably most important dimension (or instrument) of a so-called
right to be forgotten online is the right to deindexation, which will be commented on
in the next segment.
52See Sarlet (2018). For further development of the topic (liability of research providers and
deindexation), see, among the literature available in Brazil, Gonçalves (2016).
The Protection of Personality in the Digital Environment 161
and regulate not only a right to be forgotten in general terms, but also a right to
deindexation vis-à-vis the search engine providers, create at least a solid prospect
that, if this is carried out, should lead to an effective change in the case-law of the
SCJ, reinforcing the for the moment isolated decision above mentioned, unless a
declaration of unconstitutionality by the FSC may take place.
Although solved the issue regarding the liability of search engine providers, other
questions still remain to be considered, as they have been only partly—and not always
adequately—dealt with in the above-mentioned decisions of the SCJ. These aspects
refer both to the internet domain and other cases involving a right to be forgotten.
However, it should be noted that in the case of the former there are peculiarities that
must be highlighted and analyzed in a particularly careful manner.
Considering that the right to be forgotten, as a specific and partly autonomous expres-
sion of the protection of personality in general terms and of various specific person-
ality rights, and that, as a rule, its recognition implies affecting other rights, principles
and legal interests of a constitutional stature (outstandingly freedom of speech and
information), the central theoretical and practical problems concern the determination
of its limits and of the criteria for applying it to specific cases.57
In this context, we can find that the right to be forgotten, as a fundamental right,
may cover a diversified range of subjective positions, each of them with its own object,
but that may possibly become cumulative.58 Indeed, the right to be forgotten may
primarily consist of a right to require the cancellation (erasure) of certain information
(data) vehiculated through the media, in general, and on the internet in particular.
This possibility, as already mentioned, is already provided for in Brazilian law, even
if to a limited extent, in the Consumer Protection Code and in the CFI.
Another alternative that was found particularly controversial in Brazil is to ensure
that the holder of the right has the prerogative of demanding from the search engine
providers that certain links of the respective search engines are deindexed. Like-
wise, the right to be forgotten may include the correction of information or even
the suppression of the identity of those who feel that they have been harmed. In
addition to such possibilities, there are the instruments of the right to reply and
compensation for damages caused by the dissemination of information considered
prejudicial, besides criminal liability (e. g. in the cases of verbal abuse, defamation
and slander), but they are mechanisms that do not imply directly the suppression or
difficulty to access information, although able to have a preventive and dissuading
effect in relation to new abuses. The right to reply (through an electronic form),
used in a proportional manner, has the advantage of providing a kind of communi-
cational adversarial proceeding, ensuring the possibility of supplying an alternative
view, whereas the resort to financial compensation and even punitive damages may
be useful in the sense of dissuading new violations of personality rights.
Likewise, taking seriously the duties of state protection of fundamental rights,
the range of alternatives is even larger, including—beyond the criminal and civil
liability—the regulation and guarantee by the State, e.g. of free competition among
the media and internet actors or the creation of judicial and extrajudicial procedural
mechanisms and guarantees. Thus, both from the point of view of the subjective and
the objective dimension (that interact and complement each other, but may also enter
a collision course), one can see that there may even be a cumulation of measures,
depending on the case (erasure, deindexation and civil and criminal liability, for
instance.)
This aspect is even more important when one notes that also the levels (the inten-
sity) of affectation of fundamental rights and other legal interests with a constitu-
tional stature are differentiated, which must be duly taken into account by the judicial
control of restrictions, especially as regards the proportionality criterion. Measuring
the legitimacy of the restriction must consider the nature and impacts of the restrictive
measure. From this perspective, besides the test of suitability—i. e. of the possibility
of achieving the intended result through this measure—it is necessary to assess the
alternatives available for this purpose and verify what is the respective impact, i. e.
the intensity of the restriction imposed according to what is indicated above. At least
in principle, the determination of data erasure and deindexation of the search engines
on the internet are weightier (from the point of view of the scope of restricting the
freedom of speech and information) than the suppression of the identity of those who
feel harmed or even rectification (depending on the case and scope) of information.
With a view to the previous considerations and the range of possibilities theoret-
ically available to implement the right to be forgotten, affirming the protection of
the personality vis-à-vis the freedom of speech and information, it is found that, as
a rule, the decisions of the SCJ do not give due attention to the problem of a careful
differentiation and assessment of these alternatives and their impact on the rights and
interests at stake in the context of a balancing criterion.
An exception occurs in the case of the Candelária Slaughter, in which it was
pointed out that in the disputed television program the identity of the plaintiff could
have been suppressed, rendering her protection compatible with the freedom of infor-
mation as regards an embarrassing public exposure. Moreover, the argument (used in
one of the cases involving Google) that with the deindexation of the search engines
one would be at the same time hindering access to the right to reply exercised by the
plaintiff may be a guideline that provide grounds to solve certain cases. The same
applies to the behavior of the one who felt harmed by the allegedly resulting losses,
although one may question whether this indeed should be considered in a judgment
issued by the SCJ.
164 I. W. Sarlet
However, although there are a few possible criteria to apply the right to be
forgotten, these are isolated arguments that, in our opinion, do not remove the need
for the substantial correctness of the criticism presented here.
Another point that should be emphasized is that in the decisions (especially in
those involving the internet), the nature of the act considered prejudicial—an exami-
nation that should be conjugated with that of the impact of the measures which imple-
ment the right to be forgotten—was not sufficiently taken into account, such as the
distinction between true and false information, and even those of an unlawful nature,
their more or less harmful character (i. e. damage intensity).
But there are yet other aspects to be emphasized and that concern the criteria for
a recognition of the right to be forgotten and its possibilities of being implemented.
As in the cases involving the internet this was not examined, it is necessary to refer
to the trials of the cases of Aida Curi and the Candelária Slaughter.
In both cases, it is noteworthy that the passage of time was invoked as a criterion,
but in a different sense. While in the Aida Curi case it was found that the long
time elapsed since the facts mitigated the pain and embarrassment caused by its
reconstitution, contributing to a verdict unfavorable to the plaintiffs, in the Candelária
Slaughter case the opposite occurred, as it was argued that the useful life of the
information about the investigation and criminal case had been exhausted.
Although the time lapse may be useful and relevant (but not exclusive) to the
criterion for the balancing approach, in both cases it was not necessarily employed
in the best possible manner. In the Aida Curi case, it can be objected that, given the
traumatic nature of the facts (murder and rape), no matter how much time has gone by,
the effects on the close family continue to be serious and their public remembrance
may potentiate them. In the Candelária Slaughter case, in turn, as the claimant had
been acquitted in the criminal case, the situation should not be confused with cases of
a criminal conviction verdict, because in this situation there are legal rules (as it is the
case in Brazil) interdicting the publication of criminal records, except for the use in
new criminal investigation and procedures. Besides this, the Candelaria Slaughter
case cannot be directly compared with the famous German Lebach case, where the
plaintiff had been convicted and was about to be released, and the reconstitution of
the crime by a TV program would compromise severely his resocialization.
Another argument employed by the SCJ concerns the historically relevant content
of the information and the public interest in its dissemination. In both cases, this
condition was affirmed, but, even so, in the Candelária Slaughter case, it did not
result in the denial of the claim, since here the alleged exhaustion of the informational
value and the embarrassment caused by the new dissemination of the facts ultimately
worked in favor of recognizing the request for compensation. It should be noted that
in both cases true facts were at stake, whose historical and informational value was
recognized, but the criterion of the time elapsed since the crimes occurred was valued
distinctly for reasons that do not seem sufficiently convincing.
In the cases concerning the internet environment, there are some peculiarities to
be considered. In the Xuxa case, the fact in itself—making the film showing sexual
relations with a 12-year-old minor—is true, but the imputation of pedophilia (taking
into account that it is a representation) became distorted, which was prejudicial to the
The Protection of Personality in the Digital Environment 165
image and professional activity of the plaintiff against Google. The accusation against
the judge who had been investigated for involvement in pedophilia was dismissed,
an aspect that was not recognized as relevant to justify the plaintiff’s request. On
the other hand, in the case of the employee dismissed because the videos that she
herself produced showed intimate scenes, although here the veracity of the facts
and authenticity of the videos was not challenged, in the balancing criterion greater
weight was given to the argument that it was the plaintiff herself who was careless and
therefore contributed to the dissemination of the material, an argument that makes
sense in this case and can be useful to solve similar ones. 59
Although the criteria of historical relevance and public interest in the information,
time lapse, exhaustion of the useful life of the criminal information have been used,
the decisions are weak as regards the individual justification of their weight in the
balancing and as regards their intrinsic consistency. On the other hand, the criterion
of veracity of the facts and the manner in which they are disseminated, the possible
offensive and unlawful content of the expressions, as well as the respective impact
on the fundamental rights of the person allegedly harmed practically were not the
object of analysis by the SCJ.
Still in this context, it seems timely to mention that one of the criticisms against
the right to be forgotten is that recognizing it—which, in our view, is demonstrated
especially in the cases of a right to the erasure of information or its deindexation
from the search engines—would imply compromising the collective memory and,
consequently, the potential annihilation of a right to memory and to historical truth.60
On the contrary, however, some people claim that the right to be forgotten does not
aim at erasing certain facts or wiping out or rewriting History, because one is only
dealing with the right to rise against a particular individual projection of themselves,
extracted from facts and their respective past evaluations, if it causes them relevant
current damage and have an impact on their personality rights.61
In our view, however, that reason only comes to the partial aid of both approaches.
As already mentioned, recognizing a right to be forgotten does not mean recognizing
a broad right to erasure of information. Rather, as this is a case of conflict with the
freedom of speech and information, and even of a right to memory, we are dealing with
a problem related to the content and limits of the fundamental rights involved. On the
other hand, it is also not completely correct to say that the right to be forgotten has no
connection to erasing facts or rewriting History, but only with impugning a particular
projection extracted from past facts and evaluations. Indeed, although the facts in
themselves cannot be erased, because it has become material, information (including
the mere depiction of facts) and certain evaluations can be the object, at least to a
certain extent, of an erasure, which does not eliminate the circumstance that was at
stake and—perhaps even preponderantly—is the insurgence against individualized
projections about someone.
62 On the problem of the power wielded by the large corporations and their impact on autonomy in
the digital environment, see, among so many others, Hoffmann-Riem (2017), pp. 121–142.
The Protection of Personality in the Digital Environment 167
For these reasons, also in the internet environment and of the media in general, one
cannot accept a sphere of action exempted from fundamental rights generating a kind
of immunity, what is much more dangerous the more powerful are the private actors.
That is why a strict control of the restrictions to fundamental rights, also in the sphere
of private relations, including in a preventive manner, is to be carried out also by the
Courts, paying attention primarily to legislative options, but watchful as regards their
possible unconstitutionality. In turn, this implies taking seriously the requirements of
the proportionality test, not only in the sense of forbidding an excessive intervention
(restriction) in the sphere of protection of the fundamental right affected, but also—as
a result of the duties to protect—in the sense of forbidding an insufficient protection
of one or some of the fundamental rights in question.63
In the case of the SCJ decisions regarding the right to be forgotten on the internet,
it appears to us that the mentioned aspects were not taken into account, at least
as regards the abyssal asymmetry between the parties involved and a necessary
compensatory correction in favor of the service users. Even if the SCJ denied the
liability of search engine providers because they are mere intermediaries, the fact is
that it still took a position about aspects connected to the merits of recognizing a right
to be forgotten. Besides, the SCJ—in the case of litigation involving providers of
content and of sharing—acknowledges a right to erasure of given contents, applying
in these situations the Consumer Protection Code and the Civil Framework of the
Internet, as already mentioned.
Under the circumstances presented, and to offer here a brief summary, it can be
said that, despite all the criticism of the decisions already advanced, the criteria used
by the SCJ (although, as a rule, not for the cases involving Google, because it did
not accept the latter’s liability), coincide in general terms with those adopted by the
CJEU in the case of Google Spain vs. Agencia Española de Protección de Datos
and Mario Costeja: (a) the nature of the information, particularly its character that is
sensitive to the private life of the person affected; (b) the public interest in access; (c)
the role that the person who feels harmed plays in public life; (d) the fact that—here
according to the European data protection regulation then in force—the data should
only continue to be accessible insofar as this is necessary for the purposes that led
to their collection and processing; (e) the non-determining character of the legality
or illegality of the content on the internet.64
Besides this, the SCJ—which is explained by the peculiarities of the case—empha-
sized the time factor, in the sense that the longer the time elapsed from the original
event that one should ‘forget’, the lower the impact on the rights of those involved, to
which the criterion of exhaustion of the informational value is added. In addition, the
possible contribution of the person allegedly affected by the circulation and exposure
of contents considered prejudicial was mentioned in one of the decisions, and this
is a criterion that may, depending on the specific case, contribute to an adequate
solution.
63 For the internet environment, see, pars pro toto, Schliesky et al. (2014), pp. 119ff.
64 See the summary by Holznagel and Hartmann (2016), p. 228.
168 I. W. Sarlet
Another noteworthy point concerns the SCJ’s decision of May 8th , 2018, which
for the first time acknowledged a right to the deindexation of search mechanisms. In
this case, as appropriately pointed out by Carlos Affonso Souza,65 the lack of indi-
cation of specific addresses (URLs) ended up imposing on the research providers a
duty of generic monitoring, which in turn also renders the effectiveness of the deci-
sion much more difficult. Furthermore, and again according to the critique made by
Carlos Affonso Souza, the installation of filters involves—depending on the criteria
used (with reference to the choice of certain keywords)—the risk of either reaching
a solution that does not meet the needs of the party that feels aggrieved (and in
whose favor the right to be forgotten has been acknowledged) because the filtering
is insufficient or—which in our view is more serious—of preventing the disclosure
and dissemination of lawful contents and even of contents of general interest.
Thus, in light of the above discussion as a whole, one can see that also in Brazil
there are many open polemical issues as well as a number of important criticisms that
can be levelled at the SCJ’s decisions regarding a right to be forgotten and especially
the criteria used to recognize it.
Even though it is not possible to further explore the topic, it is necessary to say a few
words about the problem of the effectiveness of a right to be forgotten, that covers
both the judicial protection and the extrajudicial means. In this sense, the Brazilian
procedural law already has a considerable collection of guarantees and instruments
available, which, although not targeted specifically at the right to be forgotten, is also
applicable to it.
A first guarantee that can be considered basically very robust, since it already
corresponds to a practice that is enshrined in the national territory (although with
major regional and local differences), is the right to broad judicial protection, guar-
anteed as a fundamental right in Article 5, XXXV, FC (‘the law shall not exclude
any injury or threat to a right from the consideration of the Judicial Power’). This
guarantee is complemented (Article 5, LXXIV) by the right to free legal aid for all
who show that they have insufficient funds to pay the expenses of litigation without
compromising their own sustenance and that of their family, a right that includes,
besides the costs of litigation proper, the waiver of the payment of lawyer’s fees
(unless there is a financial result if the case is won). Furthermore, the FC (Article
134) institutes a Public Legal Defense (at the federal and state level) ensuring that
private persons with a low income may have available a lawyer paid by the govern-
ment, be it as plaintiffs or defendants in a judicial case and even for consultative
purposes. It is clear that also the Public Defense offices are installed and structured
in a very heterogeneous manner and with greater or lesser deficiencies in human
65 Souza (2018).
The Protection of Personality in the Digital Environment 169
and material terms, but the system has meant a great advance and has ensured that
millions of people all over Brazil are served.
From the point of view of the procedural means available, the right to be forgotten
may be protected in any kind of proceeding, as long as the specificities of the case are
taken into account, including (the CFI also provides for this in Article 19, paragraph
3) before the Special Small Claims Court, through a more informal procedure and,
as a rule (up to a given limit as to the value involved in the case), without a need to
appoint a lawyer and without court fees.
Especially relevant for the case of data protection in general and the right to be
forgotten in particular is that the CFI established the court with jurisdiction based
on the place where the service is actually rendered. According to Article 8, sole
paragraph, item II, contractual clauses that in the adhesion contract do not contain the
alternative for the contractor to adopt the Brazilian jurisdiction to solve controversies
resulting from the service rendered in Brazil are void.
Besides this, Article 11 provides that
In any operation of gathering, storage, custody and treatment of records, personal data or
communications by connection and internet application providers in which at least one of
these acts occurs in national territory, the Brazilian law and the rights to privacy, protection
of personal data and the confidentiality of private communications and records must be
mandatorily respected.
This rule is applied also to the data collected on Brazilian territory (and to the
content of the communications) if at least one of the terminals is located in Brazil
(paragraph 1), even if the activities are performed by a company with its headquarters
abroad, as long as it offers some service to the Brazilian users or some member of
the same economic group keeps an establishment in Brazil.
With this, Brazilian legislation is, in general terms, aligned with the European
regulation and with the Google decision of the CJEU,66 ensuring the user in Brazil
(even if a foreigner) of direct access to legal protection, even if the immense difficulty
of making possible decisions prevail abroad is known.
It is more difficult to solve the problem of the possibility of a procedural
prohibitory injunction—which is even provided for by the CFI—and through the
use, by the judge, of their power to determine a variety of measures in a provisional
manner and even anticipating the effects of the judgment in certain cases, such as
provided for in the Brazilian Civil Procedural Code.67 This, for instance, would be
the case of a relief that, before the final decision, were to determine deindexation by
the search engines, the canceling (or suspension of exhibition) and/or rectification of
certain contents, as well as the imposition of economic sanctions. The same occurs
in the case of a final decision on the merits, at the level of its enforcement, since
also in this phase there is still controversy about the constitutional legitimacy of the
Concerning its recognition as a fundamental right in Brazil, it can be said that the
right to be forgotten has been accepted both in the literature and in various decisions
by the Brazilian SCJ. The FSC’s decision from February 2021, as already seen, did
not really close the door to at least some dimensions of that right, specially–but not
only–in re-gard to the internet domain. However, even if the the right to be forgotten
as such is in general recognized, this does not mean that its scope of protection and
its limits are uncontroversial, being distant from adequate and consistent treatment
by legislation, literature and judicial precedents.
Another aspect to be remembered is that although the Brazilian constitutional
and legal order covers diverse concrete expressions of the right to be forgotten,
there are still gaps to be fulfilled. Whereas from the point of view of procedural law
(including access to Justice) there is already a major investment by the legislator, the
same cannot be said about the content and limits of the right to be forgotten, either
from its subjective perspective or much less as regards the State’s duties of protection
and their implementation.
In the case of the law bills that are being discussed in the National Congress,
although a legal regulation of the right to be forgotten should be welcomed, covering
the digital world and including besides a right to demand cancellation of information,
a right to deindexation from the search engines, the content of these bills demand
careful evaluation. In general, the bills mention the prejudicial character of informa-
tion regarding the personality rights and the need for the petitioner to demonstrate
this condition. The absence of historical and public relevance as a criterion to recog-
nize (or not) in each specific case the right to be forgotten is also considered, as well
as the fact that if persons who are in public positions are at stake, the protection of
their personality rights (e. g. privacy, image, honor) is weaker than in other cases.
From the procedural point of view, there is a reference to a direct procedure of the
users vis-à-vis the Media, including the internet, and, in case of refusal—adapted to
the orientation of the SCJ— the need to obtain a court order to prevent or repair the
violation of the rights.
Another point to be mentioned is that as regards the action of the Judicial Power—
here examined based on the decisions of the Superior Courts—it is possible to identify
a still significant lack of coherence and consistency in decisions, especially as regards
the criteria used to recognize the right to be forgotten in specificcases and carry out
their balancing in the face of conflicting fundamental rights.
It must be recalled that, although the SCJ mentioned the criteria of time elapsed,
of the prejudicial character of information regarding the privacy, honor and image
of persons, of the absence of historical value, of the low informational relevance or
The Protection of Personality in the Digital Environment 171
its exhaustion and of the absence of public interest, no effort was found to deter-
mine precisely the content and scope of such references. Likewise, the nature of the
information was not taken into account, such as the fact of being or not true and
even its substantial lawfulness from a criminal point of view. The same can be said
about using the legal rules in force that are applicable to the right to be forgotten
(prohibition of disseminating criminal records, negative data on consumers, etc.).
Even the requirements of proportionality—which also presupposes the examination
of the intensity of the restrictions imposed on the colliding fundamental rights—were
not taken seriously.
In addition, the cases that do not involve the internet—but discussed criteria to
apply the right to be forgotten—concerned primarily the acknowledgment of a right
to compensation for the damage caused by the dissemination of facts considered prej-
udicial. There was no discussion of a right to prevent the dissemination, completely
or in part.
On the other hand, as regards to the right to be forgotten on the internet, the
cancellation and, in the case of search engine providers, deindexation from the search
engines should only be recognized with a strict evaluation of the peculiarities of the
specific case, always taking into account the impact of the media and the alternatives
available to ensure the protection of personality without ignoring the freedom of
speech and information, as well as other relevant criteria, which still—as was also
seen in the case of Brazil—await adequate development.
The same applies to the recognition of a right to rectify information, to an indem-
nification in the sphere of civil liability and, on a smaller scale, to a right to reply,
which cannot become a rule, since, in the case of a hypertrophied use, they also
represent a menace to the freedoms of speech and of information. In the case of the
right to reply on-line, however, like the forms made available to the user to request
erasure or deindexation, the use of an instrument of this kind would ensure—at a
lower cost—a flexible and effective means to counter the version considered incorrect
by the persons who felt that they had suffered damage.
Among the problems that involve the rights to canceling, rectifying and dein-
dexing (beyond the discussion about the various criteria for their acknowledgment
and application in the specific case), mention should be made of the relevant crit-
icism—already voiced regarding the decision of the CJEU in the Google case, but
also mentioned in decisions of the SCJ—that the solution of attributing to the search
engine providers and even (in the cases of cancellation) the providers of content and
sharing the prerogative of deciding which data to cancel or which links to deindex
may lead to a system of private censorship.68
Adopting—as already practiced by Google, among others—a model of online
forms available to the user (in this case the request can or not be accepted by the
provider)—limits, up to a certain point, the discretion of providers, but even so
the decision remains on the level of relations among private persons and entities,
attracting the objection that this would create a system of private censorship. A way of
getting around part of the problem would be to demand that the other party responsible
for posting the content considered prejudicial on the internet be summoned to be able
to impugn the request, thus ensuring the necessary adversarial proceeding. But even
here the issue of protecting the right of access to information by third parties and the
problem of a private censorship is not solved.69
In this context, it is necessary to make a few comments about one of the main
underlying issues concerning the solution of tensions and collisions between the
protection of personality and of a right to be forgotten, and the freedom of speech
and information. This issue refers to the adoption or not, by each legal system, of the
thesis regarding a preferential position of the freedom of speech and its respective
scope, an aspect that has found very variable responses in different legal systems.
In the case of Brazil, although from the strict perspective of the constitutional text
there is no way to advance without doubt the thesis of the preferential position of
freedom of speech as a requirement of the framers of the Constitution, including the
aspects highlighted by the recent FSC’S decision on the right to be forgotten70 .
However, when we examine the most recent case law of the FSC, as well as
the position of significant literature (despite the existence of significant dissenting
approaches), it can be concluded that the thesis of the preferred position of the
freedom of speech and information has prevailed.
This is also expressed as regards the right to be forgotten, as was shown in
already mentioned—and insufficiently justified—decisions of the SCJ involving the
liability of search engines on the internet (decisions in favor of Google), but does
not find support in all the decisions of the same Court involving the right to be
forgotten outside the digital domain, as occurred in the already mentioned case of
the Candelária Slaughter.
Among the cases judged by the FSC involving freedom of speech—although
not dealing with the right to be forgotten—one can mention the declaration of non-
reception, due to incompatibility with the FC, of the old Press Law elaborated during
the military regime, when Justice-Rapporteur Carlos Britto mentioned that freedom
of speech takes an almost absolute position and can only be the object of limitation
in the cases expressly established by the FC, specifically the right to compensation
69 It is true that Google, after the decision of the CJEU, besides taking in most of the requests for
deindexation, usually informs the users after the deindexation and erasure of the search results,
although, according to the CJEU, there is no legal obligation in this sense, nor even to ensure a
prior opportunity of expression and impugnation to the owner of the internet page (Holznagel and
Hartmann 2016), p. 228.
70 It should be noted that, at the same time as all and any form of censorship and the requirement for
a prior license to exercise freedom of expression are forbidden, the personality rights, specifically
the rights to privacy, intimacy, honor and image, were expressly characterized as inviolable rights,
which, in turn, was not expressly affirmed with regards to the freedom of expression. In fact,
according to Article 5, ‘IV—the expression of thought is free, and anonymity is forbidden; … IX—
the expression of intellectual, artistic, scientific, and communications activities is free, independently
of censorship or license; X—the privacy, private life, honor and image of persons are inviolable, and
the right to compensation for property or moral damages resulting from their violation is ensured;
….’
The Protection of Personality in the Digital Environment 173
and the right to reply.71 Likewise, two other cases deserve mention, the so-called
case of the ‘marijuana parade’, in which the SC decided that a public and collective
demonstration in favor of legalizing the consumption of marijuana could not be
criminally defined as an apology of crime,72 as well as the already mentioned case of
the unauthorized biographies, in which the FSC decided that it is unconstitutional to
require the prior authorization of the person about whom the biography was written.73
However, none of the cases named involved the dissemination of information or
expressions that were obviously untruthful or of a character that was intrinsically
offensive (verbal abuse, defamation and even slander), nor even situations in which
the so-called hate speech can be identified. Especially in the case of the latter, there
is no recent decision by the FSC, whose main precedent, from 2004, involving the
confirmation of the conviction for racism of an author and editor of a work that denied
the Jewish Holocaust during World War II, precisely does not support the thesis of
the preferred position of the freedom of speech, even if three Justices dissented.74
Nevertheless, as in the case of acknowledging a right to be forgotten, especially
as regards subjective positions that imply cancellation of data and/or a significant
difficulty of access to them, a particularly restrictive burden is being placed on the
freedoms of speech and information, and the guideline that measures restricting
rights should be interpreted restrictively and must be taken even more seriously.75
In other words, the acknowledgment of a right to be forgotten that involves the
aforementioned mechanisms (cancelling and/or deindexation) must be exceptional
and meet a set of criteria that should be strictly controlled in the different situations,
which—as already perceived—takes on a particularly relevant dimension on the
internet, where the possibility of people participating directly in the communication
and information processes essential for democracy is acutely expressed.
Thus, it cannot be just any expression that exposes aspects of private life that
will justify invoking and protecting the right to be forgotten. On the occasion of the
necessary balancing between personality rights and freedom of speech and informa-
tion, the argumentative burden to make personality rights prevail must be particularly
ADPF 187. Justice-Rapporteur: Celso de Mello, judged on June 15, 2011. https://redir.stf.jus.br/
paginadorpub/paginador.jsp?docTP=TP&docID=5956195. Accessed 12 Jan. 2022.
73 Brasil, Supremo Tribunal Federal, Ação Direta de Inconstitucionalidade: ADI 4815, Justice-
Rapporteur Carmen Lúcia. En banc court, judged on June 10, 2015. https://redir.stf.jus.br/pagina
dorpub/paginador.jsp?docTP=TP&docID=10162709. Accessed 11 Jan. 2022.
74 Brasil, Supremo Tribunal Federal, Habeas Corpus: HC nº 82424. Justice-Rapporteur Moreira
Alves, Rapporteur for Appellate Decision: Maurício Corrêa. En banc Court. Judged on Sept 17,
2003. https://redir.stf.jus.br/paginadorpub/paginador.jsp?docTP=AC&docID=79052. Accessed 11
Jan. 2022.
75 In this sense see Barroso (2007).
174 I. W. Sarlet
high, since if there is any doubt about the constitutional legitimacy of the restriction,
the freedom of speech must be privileged, a parameter that must never be forgotten.76
In view of this, it can be stated that, also in Brazil, the determination of the content
and scope of the so-called right to be forgotten is still in an embryonic phase and
requires careful reflection that will be able, on the academic level (where it must be
recognized that there are already noteworthy efforts) or—with particular emphasis—
in the political-legislative and judicial realm, to solve the related problems. In this
sense, besides the development of adequate parameters that are constitutionally legit-
imate and sufficiently safe and effective, it is imperative to maintain a focus on the
real possibilities of a right to be forgotten, given the peculiarities of the internet.
This points, among other aspects, to the problem of the effectiveness of the right
to be forgotten in the sense of the efficacy of decisions that may acknowledge it, both
from the strictly technical point of view and from the perspective of jurisdiction and
procedure, and can generate an incongruence between the objectives of recognizing
a right to be forgotten and the reality, as for instance, the difficulty in enforcing the
judicial decisions at the internal level and beyond the state borders.
From the technical point of view, we have already pointed out the fact that in the
cases of deindexation the information remains on the internet pages because they can
be accessed by using other research terms. If there is a search engine provider (or
even content provider) that operates in more than one country (which is precisely the
case of Google and Facebook, the most powerful and practically omnipresent ones),
even if a prohibition of access and/or deindexation is imposed in one State (or in the
case of the CJEU, in Europe), it is still possible to find the information somewhere
else.
Besides this, there is the problem—which is not exclusive to the conflicts that
involve the internet—of a competition process (including a conflict) of jurisdictions,
be it internally in the relations between the different States (v. g. the denial of a right
to be forgotten in one case and the recognition in another or the use of different
criteria), be it on the level of the relations between supranational courts (as in the
case of the CJEU), and the national courts.77
Further, no matter how much one promotes the development of the regulation at
the internal level of the States, it is necessary to have a transnational network for
cooperation involving State actors, international organizations and the large enter-
prises of the media in general and of the internet, around reasonable and feasible
agendas, covering both regulation and incentive to (and even a regulation of) a self-
regulation in this domain.78 Indeed, the creation of adequate regulatory frameworks
within the States will still be limited (just staying at the domestic level) without a
transnational regulatory structure, even if itself is also limited as to its scope and
efficacy. An example of new efforts is the case of the European Union with the new
regulation of data protection and its application beyond the European territory,79
especially as regards data transfer, which also obliges the recipient countries to take
measures that are consistent with the demands established by the regulation, if they
wish to maintain a number of transactions with the states that are part of the Union.
Likewise, given the globalization of the internet and the flow of data, the formation
of islands of stricter protection of personal data (including a regime that is more open
to the right to be forgotten) may result in major distortions and asymmetries, including
competitive disadvantages and those of an economic nature. Here it is enough to
illustrate it by recalling that firms move their head offices and even their affiliates
to escape stricter regulation as in the case of the European Union.80 These aspects,
in turn, likewise point out to the already mentioned problem of a transnational scale
regulation and the creation of schemes of international cooperation, as well as to the
problem of a competition and even conflict between jurisdictions.
Thus, closing this paper but leaving many windows and questions open, it can
be said that, despite the difficulties regarding its effectiveness in practical terms, in
Brazil, the right to be forgotten can and even must be acknowledged as an implicit
fundamental right, directly related to the protection of human dignity and personality
rights. However, it is mandatory that the content and limits of the right to be forgotten
must be submitted to careful regulation by the legislator, contemplating a right to
data erasure and to deindexation as well as other appropriate entitlements to assure
the possibility to protect personality rights—such as a right to a digital response, the
suppression of the harmed persons identity, etc.—and establishing criteria that are
constitutionally consistent and strict in their application.
Furthermore, it is expected from the Judicial Power, mainly the Superior Courts,
that they still embrace the right to be forgotten and, at the same time, strictly control
its application, especially as regards its impact on the freedom of speech and of
information, which must continue to occupy a preferred position. Especially the
FSC will play a decisive role in this context, because, among other open questions,
a specific ruling about the right to be forgotten on the internet and mainly a right
to deindexation is needed. The fact that, from the perspective of Law, with this
approach we will only be responding to a small part of the problems and challenges
that involve the protection of personality rights on the internet, does not appear to
us, like it has been the case in Europe and other countries, to be sufficient reason to
give up a right to be forgotten.
References
Hoffmann-Riem W (2017) Reclaim autonomy. Die Macht digitaler Konzerne. In: Augstein I (ed)
Reclaim autonomy. Selbstermächtigung in der digitalen Weltordnung. Suhrkamp, Frankfurt am
Main, pp 121–142
Hoffmann-Riem W, Ladeur KH, Trute HH (eds) (2013) Innovationsoffene Regulierung des
Internets. Nomos, Baden-Baden
Holznagel B, Hartmann S (2016) Das ‘Recht auf Vergessenwerden’ als Reaktion auf ein
grenzenloses Internet – Entgrenzung der Kommunikation und Gegenbewegung. MMR: 228–232
IDPC (2014) Online privacy and freedom of expression. Available via UNESCO HQ. https://une
sdoc.unesco.org/ark:/48223/pf0000230176?2=null&queryId=e57da636-9f6d-457f-ad53-65a
b7aa5986d. Accessed 11 Jan. 2022
Kelly MJ, Satolam D (2017) The right to be forgotten. Univ Ill Law Rev 1:1–65
Lepage A (2001) Droit á L’oubli: une jurisprudence tâtonnante. Recueil Dalloz:2079
Maisch MM (2015) Informationelle Selbstbestimmung in Netzwerken. Rechtsrahmen,
Gefährdungslagen und Schutzkonzepte am Beispiel von Cloud Computing und Facebook.
Duncker & Humblot, Berlin
Maldonado VN (2017) Direito ao Esquecimento. Novo Século, São Paulo
Martinelli S (2017) Diritto all’oblio e motori di ricerca. Giuffré, Milano
Martinez PD (2014) Direito ao Esquecimento: A proteção da Memória Individual na Sociedade da
Informação. Lúmen Juris, Rio de Janeiro
Mayer-Schönberger V (2009) Delete: the virtue of forgetting in the digital age. Princeton University
Press, Princeton
Nolte N (2014) Das Recht auf Vergessenwerden – mehr als nur ein Hype? NJW 67(31):2238–2242
Rodrigues Junior OL (2013) Brasil debate o direito ao esquecimento desde 1990. CONJUR –
Consultor Jurídico, coluna de Direito Comparado publicada em 27.11.2013. https://www.conjur.
com.br/. Accessed 11 Jan. 2022
Rodotà S (2014) Il Mondo nella rete. Quali i diritti, quali i vincoli. Laterza, Roma
Sarlet IW (2014) Direitos Fundamentais em espécie. In: Sarlet IW, Marinoni LG, Mitidiero D (eds)
Curso de Direito Constitucional. Revista dos Tribunais, São Paulo, p. 473ff
Sarlet IW (2015) A eficácia dos direitos fundamentais. Uma teoria geral dos direitos fundamentais
na perspectiva constitucional. Livraria do Advogado, Porto Alegre
Sarlet IW (2018) Vale a pena relembrar o que estamos fazendo com o direito ao esquecimento. Avail-
able via CONJUR. https://www.conjur.com.br/2018-jan-26/direitos-fundamentais-vale-pena-rel
embrar-fizemos-direito-esquecimento. Accessed 11 Jan. 2022
Sarlet IW, Ferreira Neto A (2018) O Direito ao Esquecimento na Sociedade da Informação, Livraria
do Advogado Editora, Porto Alegre
Sarmento D (2016) Liberdades Comunicativas e ‘Direito ao Esquecimento’ na ordem consti-
tucional brasileira. RBDC 7(1):190–232. https://rbdcivil.ibdcivil.org.br/rbdc/article/view/76/70.
Accessed 11 Jan. 2022
Schimke A (2022) Forgetting as a social concept. Contextualizing the right to be forgotten. In: Albers
M, Sarlet IW (eds) Personality and data protection rights on the internet. Springer, Dordrecht,
Heidelberg, New York, London (in this volume)
Schliesky U, Hoffmann C, Luch AD, Schulz SE, Borchers KC (2014) Schutzpflichten und
Drittwirkung im Internet. Das Grundgesetz im digitalen Zeitalter. Nomos, Baden-Baden
Schreiber A (2014) Direitos da Personalidade. Atlas, São Paulo
Schreiber A (2017a) Direito ao esquecimento: críticas e respostas. In: Jornal Carta Forense.
Available via Colunas. https://www.academia.edu/35814707/Direito_ao_Esquecimento_Cr%
C3%ADticas_e_Respostas_Carta_Forense_. Accessed 11 Jan. 2022
Schreiber A (2017b) As três correntes do direito ao esquecimento. In: JOTA. Available
via Artigos. https://www.jota.info/opiniao-e-analise/artigos/as-tres-correntes-do-direito-ao-esq
uecimento-18062017. Accessed 11 Jan. 2022
Solove D (2011) Speech, privacy and reputation on the internet. In: Nussbaum M, Levmore S (eds)
The offensive internet. Speech, privacy and reputation. Harvard University Press, Cambridge, pp
15–30
178 I. W. Sarlet
Souza CA (2018) Direito ao esquecimento: 5 pontos sobre a decisão do STJ, JOTA, 13.05.2018.
Available through https://www.jota.info/coberturas-especiais/liberdade-de-expressao/direito-ao-
esquecimento-decisao-do-stj-13052018. Accessed 11 Jan. 2022
Spindler G (2013) Datenschutz- und Persönlichkeitsrechte im Internet – der Rahmen für
Forschungsaufgaben und Reformbedarf. GRUR:996-1003
Stehmeier M, Schimke A (2014) Internet-Suchmaschinen und Datenschutz. Zugleich eine
Besprechung von EUGH C-131/12 Google Spain und Google. UFITA Archiv Für Urheber-Und
Medienrecht 3:661–682
Tepedino G (1999) Temas de Direito Civil. Renovar, Rio de Janeiro
Veit RD (2022) Safeguarding regional data protection rights on the global Internet—the European
approach under the GDPR. In: Albers M, Sarlet IW (eds) Personality and data protection rights
on the internet. Springer, Dordrecht, Heidelberg, New York, London, in this volume
Weismantel J (2017) Das ‘Recht auf Vergessenwerden’ im Internet nach dem ‘Google-Urteil’ des
EuGH – Begleitung eines offenen Prozesses. Duncker & Humblot, Berlin
Anna Schimke
Abstract This chapter contextualizes the debate on the right to be forgotten, taking
into account cultural and social science considerations of forgetting on the Internet.
On this basis, it is shown how forgetting in general and the right to be forgotten in
particular can be meaningfully constructed from a legal perspective. The right to be
forgotten as described in the present contribution can be located in various areas of
law, whereby data protection law and press law are of particular importance. The
chapter tries to clarify how the two areas can be appropriately related to each other in
the case of the right to be forgotten. Using the ‘media privilege’ is proposed as a kind
of coordination mechanism that applies the area of law best suited to the medium in
question. The aim of this approach is to arrive at the most differentiated standards
for assessing the legality of public statements on the Internet and also for applying
the right to be forgotten.
1 Introduction
Forgetting and the right to be forgotten have become buzzwords in the worldwide
public and academic discussions in recent years.1 The discussion was stimulated in
particular by the Google-Spain decision2 of the European Court of Justice (ECJ) and
has since been conducted internationally. Forgetting and the right to be forgotten are
put in relation to constellations in which data once put on the Internet is to ‘disappear’
again. The constellations under discussion generally have an international aspect
because of the global networking of data on the Internet. At the same time, the
A. Schimke (B)
University of Hamburg, Hamburg, Germany
e-mail: anna.mareile.schimke@uni-hamburg.de
1 There have been numerous publications worldwide. See for the Brazilian debate for example Sarlet
(2022), in this volume, Gonçalves (2020) and Blum (2013). In Europe, several doctoral projects
have been published: Gstrein (2016), Diesterhöft (2014); Weismantel (2017), Becker (2019). See
for a comparative perspective the contributions in Werro (2020).
2 ECJ, decision of 13.5.2014—C-131/12.
Rosen (2012). A good overview on that debate and its relationship to the European view is provided
by Bernal (2014).
7 Koreng and Feldmann (2012), p. 315.
Forgetting as a Social Concept. Contextualizing … 181
press law could be further developed in a way that reacts sensitively to new media
developments (Sect. 6).
For some years now, jurisprudence has increasingly been discussing “forgetting”,
with the main discussion contexts in Europe and in Germany being the right to
be forgotten under Article 17 of the General Data Protection Regulation (GDPR),8
the Google-Spain decision of the ECJ9 based on the EU data protection Directive
EC 95/46, which has meanwhile been replaced, and the online archive cases of
the German civil courts.10 Particularly for the German discussion, the rulings of
the Federal Constitutional Court Recht auf Vergessen 1 and Recht auf Vergessen 2,
concerning the constitutional dimension of the right to be forgotten in data protection
law as well as in press law, are of special importance.11 While Article 17 of the
GDPR provides for the right to erasure as well as certain information duties, the
Google-Spain decision deals with a right to erasure on the basis of the former data
protection directive and the question whether and to what extent it can also be asserted
against the results list of an Internet search engine.12 The online archive cases, in
contrast, concern claims for injunctive relief on the basis of the German Civil Code
(Bürgerliches Gesetzbuch, BGB) directed against radio stations and press publishers
making their reports permanently available on the Internet.13 Forgetting and the
right to be forgotten are thus located in the academic and public discussion about
the digitization of data and their networking. Even the mere mention of the word
“forgetting” in this context seems to have a special effect: in particular the decision of
the ECJ has detached the discussion from the European context and led to worldwide
disputes about the question of forgetting on the Internet.14 Some authors assume that
this effect is due to the anthropological connotations of the word “forgetting”: the
comparable to the droit à l’oubli in French law and the diritto al’oblio in Italian law. An overview
of the different traditions and their relationships to US approaches is given by Bernal (2014).
11 BVerfG, decision of 6.11.2019—1 BvR 16/13=NJW 2020, 300–314; BVerfG, decision of
debate Bernal (2014); a suggestion for a differentiated approach to the construction of the right to
be forgotten that is globally viable is made by Jones (2016); see for the German debate Weismantel
(2017), Diesterhöft (2014), and Stumpf (2017); Gstrein (2016) deals with the right to be forgotten
as a human right.
182 A. Schimke
term seems to have a special proximity to humans and their natural dispositions, for
which reason its reception and discussion are largely emotional and not objective.15
In fact, there is no agreement as to what exactly the right to be forgotten should
be: should it be anchored at the level of fundamental rights or only at the level of
simple law? In which field of law can it be found or can there be different rights
to be forgotten in different fields of law? What is the concept behind these rights?
What distinguishes the right to be forgotten from other rights—in particular, rights to
erasure? Despite numerous international discussions, these questions remain largely
unresolved. In many cases, forgetting is equated with deletion and/or refers to human
forgetting, which is to be achieved by deleting a database on the Internet.16 Those
who forget here are either “the Internet” itself by deleting data or the individuals
who derive information from the data and can no longer do so because a piece of
data has been deleted, so that it becomes more likely that the information in question
is subsequently forgotten.17 The importance of these rights to erasure is seen above
all in the fact that outdated information, which was once available on the Internet,
could reappear again and again.18 The Internet, according to the concise formula,
does not forget.19 With regard to the individual in his/her social relationships, many
authors think that as a consequence of this development, a new beginning is no
longer possible and he/she is thus limited in his/her personal development.20 Some
also point out that at an individual level, the freedom of decision would be reduced as
soon as too much information was permanently available.21 At the same time, various
points of criticism of the rights to erasure as an instrument for creating forgetting
on the Internet are mentioned. They include the difficulties in effectively enforcing
these limited rights worldwide,22 the question of whether it is even possible to delete
all data or copies of data23 and, above all, the accusation that the decisions about
deletion requests lie with private providers of social networks and other services
on the Internet, which ultimately results in a form of private censorship.24 This is
accompanied by a relatively broad discussion on the question of the responsibility
of intermediaries for the information generated in the context of their services.25
it becomes clear that this is not necessarily relevant from a constitutional perspective. See BVerfG,
decision of 6.11.2019—1 BvR 16/13=NJW 2020, 300–314, para 104 ff.
22 Spiecker genannt Döhmann (2014).
23 Spiecker genannt Döhmann (2014).
24 Arning et al. (2014), von Lewinski (2015), Rosen (2012).
25 See for an overview of different regulatory approaches van der Sloot (2015), Hofmann (2017).
Forgetting as a Social Concept. Contextualizing … 183
Thus, important questions of Internet regulation are bundled in the context of the
right to be forgotten. Nevertheless, the examples given indicate that it remains unclear
why we are talking about forgetting here. In order to be able to conduct a meaningful
international discussion about the problems associated with the right to be forgotten,
it is necessary to clarify the underlying concept as a common basis. Only in this
way is it possible to identify where the various legal systems provide for rights to
be forgotten and which problems arise from this in each case. The jurisprudential
discussion to date has done little to achieve such clarification.26 The Google ruling
of the ECJ was received not only by jurists, but was also taken up and reflected by
the cultural and social sciences. Examining this reflection can not only explain why
the term forgetting is so attractive, it can also help to identify the particularities of
the right to be forgotten in relation to other rights. It will be possible to meaningfully
describe the right to be forgotten as a legal concept on this basis.
In the cultural and social sciences, the legal discussion about the right to be forgotten
was received against the background of overarching concepts of memory.27 What
the various approaches have in common is that they understand memory neither as
a purely technical nor as a purely individual phenomenon. Rather, it is addressed
on the basis of different conceptions as a result of technical and supraindividual
developments.
Aleida Assmann distinguishes different forms of memory.28 In addition to indi-
vidual memory, she also identifies different concepts of collective memory in which
individuals are involved—for example through participation in memorial events—
but which are not embodied by individuals. Rather, they are artificial memories
that depend on media for their existence.29 Such media include inter alia language,
writing, photography, film, videos and other. Collective memory is not the same as
the media—it remains associated with a group as a carrier that uses the media for acts
of collective memory and forgetting. But the medium can also pre-structure the kind
26 Weismantel (2017), p. 134, offers a legal definition of the right to be forgotten. According to
this definition, the right to be forgotten is a right to deletion or isolation of personal data on the
Internet which should no longer be accessible because they are no longer relevant, either in modal
or in temporal terms (Weismantel (2017) p. 122). This definition, however, is less a definition of
the right to be forgotten but rather a description of the legal answer to the problem raised by the
Google-Spain decision. It therefore focuses too much on the constellation of an Internet search
engine, whereas the discussion on the right to be forgotten addresses more far-reaching aspects as
well. For a criticism of definitions that focus too strongly on the Internet constellations in general,
see also Sarlet (2022), Sect. 2.1, in this volume.
27 Assmann (2016), Esposito (2017).
28 Assmann (2010), p. 11.
29 Assmann (2010), p. 19.
184 A. Schimke
from other data elsewhere. Esposito assumes that an appropriate way to handle social
memory, which is characterized by algorithms that deal with data, has not yet been
found. She sees a first approach in the fact that the algorithms themselves must be
perceived as actors and the corresponding traditional concepts of distribution and
responsibility must be adapted.
The Google-Spain decision’s reception in the cultural and social sciences calls into
question the background assumptions that lie at the root of its reception in the legal
sciences. Thus, the initial finding that the Internet does not forget falls short. As a
technical fact, the Internet itself can neither remember nor forget. The constellations
of the right to be forgotten have no relation to individual forgetting. Rather, it is
always about the production of information in particular sub-publics. This concerns
a collective dimension of memory, as described by Assmann and Esposito. Both
believe that the deletion process cannot be equated with forgetting. Deletion only
takes place at a technical level (Assmann) or refers to the data level (Esposito).
However, forgetting is not located at the data level, but at the level of collective
identity (Assmann) or at the level of communication (Esposito). It is therefore more
related to information than to data. Hence, it is important for the legal treatment of
forgetting on the Internet to differentiate between data and information, as has long
been demanded for information law in general and data protection law in particular.47
Although it cannot be said that the Internet does not forget, the Internet has
helped to change the way people forget. Esposito points out the important role of
algorithms in this context. Algorithms have also become an important topic in law.48
If law, too, understands algorithms in communication as part of social memory, it
follows that the law must observe and evaluate the social consequences of generating
information algorithmically. This means, for example, that the protection of the right
to be forgotten cannot be seen across the board in terms of a loss of freedom of
decision. This assumption is based on the hypothesis that the Internet does not forget,
and it narrows the issue to a technical perspective. If the information level, and thus
the social context in which people forget, is included, it becomes necessary to ask
exactly why information should be forgotten in a certain context. In this respect, the
goods to be protected must be determined context-specifically.
Finally, the social science reception of the Google-Spain decision draws atten-
tion to a problem that has also been addressed by various courts: requesting that
information be forgotten can lead to the opposite effect, namely to increased remem-
brance. That is certainly correct and must be considered by the claimant. A right to
be forgotten can nevertheless have a meaningful scope. Esposito takes all contexts
of possible information generation into consideration. Legally, on the other hand, a
distinction is made according to the facts negotiated. And for this isolated, legally
constructed issue, it may make sense under certain circumstances that partial social
forgetting is realized through a claim to deletion. Many people are already helped
by the fact that certain hits are no longer displayed in the European Google search
results list. In any case, this applies inasmuch as the request for deletion is primarily
intended to prevent accidental discoveries.49
Legally, the right to be forgotten can also be described in more detail. The Google-
Spain decision as well as the online archive cases are characterized by a situation
that is classified as legal at one point in time and illegal at a later point in time. As
the European Court of Justice rightly emphasized in its Google-Spain ruling, this
change in the assessment of legality can have various reasons50 : in data protection
law, for example, consent to data processing can be revoked or new interests worthy
of protection on the part of the data subject—such as an interest in reintegration
into society—can be added during the process of weighing various concerns, which
results in a different legal assessment.
The right to be forgotten can therefore be understood as a generic term for claims
that are aimed at the fact that within a certain communication relationship, knowl-
edge about a person arising from the lawful generation of information should no
longer exist within a certain context, because at the present time it could only be
generated on the basis of unlawful information. The right to be forgotten therefore
concerns a change in the assessment of lawfulness within the temporal dimension of
communication.
49 This is also highlighted by the Federal Constitutional Court. S. BVerfG, decision of 6.11.2019—1
BvR 16/13=NJW 2020, 300–314, para 131.
50 ECJ, decision of 13.5.2014—C-131/12, para 72–75.
51 This also applies to the Brazilian legal situation. See in this respect Sarlet (2022), Sect 2.2, in
this volume.
52 BVerfG, decision of 5.6.1973—1 BvR 536/72=NJW 1973, p. 1226 (Lebach I); BVerfG, decision
of the documentary, this offender had served half of his prison sentence and was
planning to return to his hometown. He unsuccessfully sued for an injunction to stop
the broadcast. In its 1973 decision, the Federal Constitutional Court had to decide
whether the negative decisions of the civil courts infringed the plaintiff’s general
right of personality, which is derived from Article 2(1) of the German Basic Law
(Grundgesetz, GG) in conjunction with Article 1(1) GG. In its 1973 decision, the court
weighed the general right of personality of the person concerned, against freedom
of broadcasting (Article 5(1) GG). The court differentiated between reporting at
the time of the crime and later reporting. While it considered reporting of serious
criminal offenses at the time, including the perpetrator’s name, to be permissible in
principle, it held that later reporting was in any case inadmissible if it was likely to
cause the perpetrator significant new or additional impairment compared with the
information at the time of the crime, in particular jeopardizing his integration into
society (resocialization).53 In its 1999 decision, the court made it clear, restrictively,
that the general right of personality does not confer any entitlement to never being
confronted with the offense again.54 The decisions of the Federal Constitutional
Court clearly show that the assessment of legality can change over time with regard
to reporting. With a view to the constellation to be decided, the court also laid out clear
criteria as to when such a change in the assessment of legality may be appropriate
for constitutional reasons. In this respect, the decisions have set the standard for a
large number of civil proceedings involving reporting on criminal offenses.
Since broadcasters and newspaper publishers have also become active online, the
courts have been confronted with the question of the extent to which the developed
standards can also be applied to this constellation.55 The focus was and still is on
the question of whether old reports that have been placed in the companies’ online
archives can remain accessible there permanently and under which conditions this
could be permissible. With regard to the last point, the question becomes significant
to what extent the retrievability of the old reporting with the help of Internet search
engines affects the legal evaluation of the old reporting in the online archive. At
the level of the lower courts, no uniform case law has yet been established in this
respect.56 A constitutional complaint concerning this constellation has been decided
in 2019.57 The constitutional complaint concerns the Apollonia case, which is about
the coverage of a major German news magazine in the 1980s. It reported on the
murder trial against the complainant, who was accused and ultimately convicted
of shooting two people on the yacht Apollonia on the high seas. The plaintiff was
named in the reports. In 2002, the old, unchanged reports were placed in the journal’s
online archive and have been available there ever since. They can also be found by
entering the plaintiff’s name using Internet search engines. The reports explain the
circumstances of the crime and the proceedings in detail in a factual manner and use
the behavior of the plaintiff as an example of the consequences if otherwise relatively
inconspicuous people find themselves in extreme situations. The reports are marked
as old reports in the archive.
In its decision, the Constitutional Court points out that under the conditions of the
Internet, time gets a specific meaning in law. In the Lebach-decision, the court had to
compare two points in time, asking whether a new report on a specific past event is
admissible. Under the conditions of the Internet, old reports are permanently available
and can easily be recombined with other data. This poses a specific, legally relevant
danger for the personal development, protected by Article 2(1) in conjunction with
Article 1(1) GG. This right implies the possibility of change over time or—in other
words—the development of the person in time implies the chance of forgetting.58
According to the court, this is not only important for the personal freedom. Rather,
it benefits society as a whole by ensuring that its members freely communicate even
provocative or appellant positions.59 Therefore, the lawfulness judgment concerning
a publication online can also change over time: what might be justified in one moment
might not be justified anymore a few years later, considering the legally protected
interest of the involved person for a chance to change over time. On the other hand,
the press has a constitutionally protected interest to publish reports including the
names of the persons involved and to maintain an online archive in which these orig-
inal reports can be placed.60 This is also in public interest, because online archives
provide easy access to information and constitute an important source for journalistic
and historical research.61 The Constitutional Court sets standards for the weighing
process between the conflicting interests, which it divides into three sub-categories:
Procedural guidelines, criteria for the assessment of the time-factor and considera-
tions concerning the retrievability of the publication on the Internet.62 With respect
to the procedural aspects of the cases the court states that an obligation of the press
to permanently control the lawfulness of all publications in an online archive would
be incompatible with Article 5(1) GG. Inspection obligations can therefore only be
admissible in terms of notice-and-take-down procedures. Important aspects for the
lawfulness-judgment in time are inter alia the impact and the subject of the report
and the sequence of events in which the report can be classified. Finally, the extent
58 „Die Möglichkeit des Vergessens gehört zur Zeitlichkeit der Freiheit“ (BVerfG, decision of
6.11.2019—1 BvR 16/13=NJW 2020, 300–314, para 105).
59 BVerfG, decision of 6.11.2019—1 BvR 16/13=NJW 2020, 300–314, para 108.
60 BVerfG, decision of 6.11.2019—1 BvR 16/13=NJW 2020, 300–314, para 112.
61 BVerfG, decision of 6.11.2019—1 BvR 16/13=NJW 2020, 300–314, para 112 f.
62 See also for the following summary BVerfG, decision of 6.11.2019—1 BvR 16/13=NJW 2020,
of the negative impact for the personality right also depends on the retrievabilty of a
report on the Internet. Therefore, a default-setting that prevents search engines from
finding and listing the reports in name based searches could be one way to balance
the interests.
The civil courts now have to apply these constitutional standards. The relevant cases
are decided on the basis of press law. Its central elements are claims for damages, revo-
cation, correction, and injunctive relief from Section 823 (1) BGB or Section 1004
(1) BGB applied mutatis mutandis in connection with Section 823 (1) and/or (2)
BGB. As a rule, the various regulations presuppose that the person concerned is
claiming that his/her personality rights under civil law were violated by a statement
published in the media. Thus, they aim from the outset at influencing the knowledge
of the public. Personality rights under civil law are understood as framework rights
the concrete content and scope of which arise only in individual cases as a result
of a comprehensive consideration of conflicting interests.63 A characteristic of press
law is that the conflicting interests are essentially communication interests which
are protected by Article 5 GG. From the perspective of the person concerned, these
claims therefore presuppose that an infringement of personality rights has already
taken place or that its occurrence is at least imminent. Press law therefore applies a
model of ex-post regulation.64 Since weighing of interests is at the center of press
law, a highly differentiated case law has developed over time. In addition to an
approach geared to ex-post regulation and differentiated weighing standards, and in
contrast to data protection law, press law provides for a model of liability that can
reflect a graduated level of responsibility and, above all, take account of the inter-
ests involved in communication on the Internet via intermediaries (‘Störerhaftung’).
Thus, for example, intermediaries on the Internet can be sued for injunctive relief
only if they have not eliminated a violation of the law despite being aware of it. The
question of when an intermediary had or could have had the necessary knowledge
of the violation is dealt with by recurring to the legal construct of an infringement
of ‘reasonable inspection obligations’ (‘zumutbare Prüfpflichten’).65
results under German press law, using the legal construct of ‘reasonable inspection obligations’:
BGH, decision of 27.02.2018—VI ZR 489/16. Further details on the concept of being a ‘Störer’
are provided below in Sect. 4.3. However, this has been modified by now due to a new considera-
tion of the relationship between European and German law in this context. See BGH, decision of
27.7.2020—VI ZR 405/18. The Court now only applies Article 17 GDPR and the GDPR’s liability
regime.
Forgetting as a Social Concept. Contextualizing … 191
The right to be forgotten, understood as a right that concerns a change in the assess-
ment of lawfulness over time, exists in other areas of law besides press law. In
addition, and as the above-mentioned discussion contexts already indicate, another
important manifestation of the right to be forgotten can be found in data protection
law. There, multiple reasons for the change in the assessment of lawfulness can be
identified. In European law, for example, Article 6(1) GDPR provides for legal rules
that legitimate the processing of personal data.66 Article 6(1) GDPR links the lawful-
ness of data processing to certain criteria such as consent (a), entering into a contract
(b), compliance with a legal obligation (c), or the legitimate interest of the controller
(f) by stating that the processing must be necessary in order to fulfill these and other
criteria. As the ECJ pointed out in its Google-Spain decision, the necessity must be
given at all stages of processing.67 From this it follows that an instance of processing
can be lawful at one point in time because it is necessary for specific purposes then,
whereas that is no longer true at a later point in time—for example, because an
individual has withdrawn his or her consent in accordance with Article 7(3) GDPR
and the processing cannot be based on other provisions of Article 6 GDPR. Another
reason could be that the legitimate interest of the controller no longer outweighs the
interest of the data subject due to changes in the interests involved. For example,
on the part of the data subject, an interest in resocialization might be added after a
certain period of time. The criteria by which data protection law and press law assess
the lawfulness of an instance of processing that concerns a published statement can
overlap, as long as the relevant interests are similarly protected by the European
Charta of Fundamental Rights (CFR) and the GG. This is because, principally, the
GDPR being European law is being understood and applied in the light of the CFR
whereas press law is understood and applied in the light of the GG.68 In its Google-
decision the ECJ acknowledged that the time-factor might be one relevant factor for
the assessment of the lawfulness of a processing of personal data under European
data protection law.69
Once the processing becomes unlawful in data protection law for one of these
reasons, Article 17(1) GDPR provides for a right to deletion. When the right to
deletion is based on a change in the assessment of lawfulness, it can be identified as
a form of a right to be forgotten.70
66 A similar provision can be found in Article 7 of the Brazilian Data Protection Law. For a thorough
analysis of Art. 6 GDPR see Albers and Veit (2021).
67 ECJ, decision of 13.5.2014—C-131/12, para 93–95.
68 BVerG, decision of 6.11.2019—1 BvR 276/17=NJW 2020, 314–328, para 95; BVerfG, decision
can in certain constellations be a form of the right to be forgotten. In the German literature on
Article 17 GDPR, however, the right to be forgotten is generally identified in Article 17(2) GDPR,
192 A. Schimke
which provides for certain information duties once a right to deletion has been asserted. See inter
alia Herbst (2021), para 49.
71 See for the underlying concept Albers (2005) and Albers (2014). See for the understanding of the
BDSG as a framework for regulating data processing processes Albers (2012), p. 164. See for the
construction of the right for data protection as a fundamental right at the European level Reinhardt
(2022), in this volume. In its recent decision on the right to be forgotten, the Federal Constitutional
Court also tends to identify informational self-determination with framework-regulation. Neverthe-
less, its underlaying understanding is different and much more oriented towards an individual-rights
approach where the right to informational self-determination is relevant in situation of automated,
non-public data processing: BVerfG, decision of 6.11.2010—1 BvR 16/13=NJW 2020, 300–314,
para 83 ff.
72 However, the regulations serve their own goods and are not only preventive measures. See Franzius
(2015b), p. 266.
73 See for the different elements in detail Albers (2012), p. 181.
Forgetting as a Social Concept. Contextualizing … 193
of those affected, give them opportunities to influence and participate, and address
guarantee and control mechanisms.
Rules that affect system data protection are applied before the concrete processing
procedures. They concern the general conditions under which data processing takes
place and are to be designed in accordance with data protection objectives. Such rules
may relate, for example, to the administrative organization or the technical instal-
lation of data processing equipment. The goals to be achieved are specified by law
and concern, for example, data security or the use of pseudonymization options.74
Regulations concerning the development and design of communication and data
processing techniques come into force even earlier. They aim at technologies that
are developed in compliance with data protection regulations and that could be used
by public agencies or companies.75 A central component of data protection law is
the regulation and design of processing phases. Different processing phases—from
collection to transmission—can be distinguished and independent legal requirements
are linked to the individual phases, some of which also serve to establish a super-
ordinate relationship. Central to the regulation of processing phases, for example,
is the principle of purpose limitation, which achieves data processing procedures
that are relatively manageable for the person concerned.76 Phase regulation can also
include the principle of necessity, which binds the individual processing steps to a
purpose to be specified in more detail.77 Essentially, this also serves to structure the
processing phases and to identify the relevant contexts in which data is processed.
Data processing is therefore made more manageable through elements of phase regu-
lation, which, among other things, makes hazardous situations for protected goods
more foreseeable, to which independent regulations can then be applied. The duty
to inform the parties concerned serves, among other things, to make these elements
of objective regulation visible to the party concerned and thus to give him/her the
possibility of exerting influence on these processes via rights of participation and
influence.78 The rights of participation and influence under data protection law—
such as rights to deletion or correction—are thus related to data processing by the
processing body and aim to influence the knowledge of this body about the person
concerned. Finally, guarantee and control instruments such as data protection audits
or the establishment of independent data protection officers are intended to ensure
implementation and compliance with legal requirements.79
Even this cursory description of some structural elements of data protection law
makes apparent that data protection law provides regulations in essential parts which
are to structure processing contexts, and thus starts at a level that can be described
80 However, Article 6(1) f GDPR provides for the possibility of considering interests of third parties
within the weighing process. See in detail for the weighing process in Article 6(1) f GDPR Buchner
and Petri (2021), para 149–154.
81 Simitis (2018), p. 214.
82 Buchner and Petri (2021), para 148.
83 Article 9(1) GDPR reads as follows: “Processing of personal data revealing racial or ethnic
origin, political opinions, religious or philosophical beliefs, or trade union memberships, and
the processing of genetic data, biometric data for the purpose of uniquely identifying a natural
person, data concerning health or data concerning a natural person’s sex life or sexual orienta-
tion shall be prohibited.” Article 9(2) GDPR provides for exemptions from this general prohibi-
tion of processing special categories of data, but none of these exemptions is adapted to public
communication situations in old or new media.
84 This approach has been criticized in the legal literature. See inter alia Spindler (2012), p. 99.
Forgetting as a Social Concept. Contextualizing … 195
only by courts but also by a supervisory body. It is in this respect a law that aims at
a controlled flow of personal data.
Within press law, on the other hand, the legally protected interests of every side
involved in the weighing process must be identified. The burden of proof lies with the
person who wants content to be removed.85 Finally, the liability regime is stricter and
more nuanced: On the grounds of Section 1004 BGB a difference is made between
Täter and Störer. A Täter is someone who is immediately responsible for a rights
infringement, whereas a Störer can be any person who has intentionally caused a
rights infringement.86 Because this would go very far, the courts narrow down the
liability of the Störer: in order to be a Störer a person must have knowledge of
a rights infringement and must have violated reasonable inspection obligations.87
Another important difference between the application of the right to be forgotten
in data protection law and in press law is that data protection law is European law
and therefore falls under the jurisdiction of the European Court of Justice, whereas
press law as understood in this text is national law and falls under the jurisdiction of
the BGH. In terms of the fundamental rights that must be considered, it follows that
in data protection law European fundamental rights have to be taken into account,
whereas in press law the fundamental rights of the German Basic Law are applied.88 In
press law, no supervisory body is installed. The default-setting insofar is characterized
by a relatively uncontrolled flow of personal data.
Although data protection law and press law are characterized by different features and
are designed to govern different situations, they do overlap: whenever a (partly) public
statement is processed automatically and concerns a natural person, both regimes are
applicable. This concerns for example reporting on an identifiable natural person in
a newspaper, but also any statement about a natural person that is shared online in
social media or that is shown in the results list of an Internet search. Since in these
situations a change in the assessment of lawfulness might occur over time, the area
of overlap between data protection law and press law includes cases of the right to
be forgotten. These cases could, in other words, be decided on the grounds of press
85 See for claims on the grounds of Section 1004 BGB analogously in general Baldus (2017), para
307.
86 See for a brief explanation Spindler and Volkmann (2015), para 5–18.
87 Permanent case law. See for a decision with respect to Internet search engines BGH, decision of
forgotten: BVerfG, decisions of 6.11.2019—1 BvR 16/13, 1 BvR 276/17=NJW 2020, 300–314,
314–328. In these decisions the court also clarified that constitutional complaints can not only be
based on German fundamental rights but also on rights guaranteed in the CFR. An overview over
this aspect of the decisions is provided by Kühling (2020).
196 A. Schimke
law, on the grounds of data protection law, or both. Therefore, the question arises
as to how these areas of law relate to each other: if somebody feels offended by a
public statement concerning him or her, can he/she freely decide to sue the person
responsible for the statement (and/or for its dissemination) on the grounds of data
protection law (right to deletion) or on grounds of press law (right to injunctive
relief)? With respect to the legal consequences, both rights have the same effect89 :
the right to deletion is not directed towards the destruction of data. Rather it focuses
on the information that can be derived from the data by demanding that it should not
be possible to derive a certain piece of information from data in a specific context.
Therefore, destroying a specific piece of data, such as a statement on a social network,
might not suffice to comply with the deletion claim. In addition, it might be necessary
to ensure that the information cannot be derived from other data, such as the repetition
of the statement that has been deleted.90 Similarly, the right to an injunction aims
to ensure that the disputed statement is not repeated in the future. Because data
protection law is characterized by a default setting friendly to personality rights, it
would be prudent for the person concerned to sue the utterer/the mediator of the
utterance on the grounds of data protection law. However, in practice there seems
to be a lot of confusion with respect to the relationship of the two regimes.91 Some
claims are based on data protection law, and similar cases are based on press law.
Also the courts—which are actually required to consider every relevant legal aspect
of a case—sometimes apply data protection law, sometimes press law, and sometimes
both, without always being clear why they chose to do so.92 So far, therefore, it is
not clear how the two regimes relate to each other.93 As has just been explained,
it would be logical for data subjects to base their claims more on data protection
law in the future. In particular, this could lead to many cases about the admissibility
of statements on social media being decided on the basis of data protection law.
However, there are good reasons to be restrictive in the application of data protection
law in these contexts.
First of all, the structure of data protection law may not be adapted to these cases.
Data protection law has a bipolar structure focusing on the relationship between the
controller and the data subject. It assumes in principle that there is an asymmetry
of information between the two parties which must be remedied. This is shown,
for example, by the default setting of data protection law, which is friendlier to
personality rights than press law. Semi-public statements on the Internet, on the
other hand, are often located on a situation in which multiple interests are involved:
the utterer of a statement, the information mediator, the public, and the data subject.
decision of 23.6.2009, VI ZR 196/09; an example of the focus on press law is the autocomplete
decision of the BGH: BGH, decision of 14.5.2013, VI ZR 269/12; an example of the application
of both regimes is a recent BGH decision dealing with the results list of Internet search engines:
BGH, decision of 27.2.2018, VI ZR 489/16.
93 Lauber-Rönsberg (2014), p. 182.
Forgetting as a Social Concept. Contextualizing … 197
This kind of situation cannot be easily reflected in data protection law. The courts
have so far solved this problem by interpreting the data protection regulations under
consideration of the constitutionally guaranteed freedoms of communication. This
leads to the fact that data protection law and press law are assimilated in these cases:
the claims in both areas of law are in the end based on a weighing of interests.94
What is more, this balancing of interests is often not particularly context-sensitive
in the field of online media. One of the reasons for this is that assumptions about
the effect of a public statement are transferred from the mass media to the various
online media. An example is a case that was recently decided by the Regional Court
Saarbrücken (Landgericht Saarbrücken).95 The court had to decide on a claim for
injunctive relief on the basis of the BGB. The plaintiff wrote a private message via
Facebook to a well-known German actor often engaged in political discussions. The
message read: “You wanted to leave Germany, didn’t you? Why don’t you finally
keep your promise. Your understanding of democracy and your vocabulary disgust
me. With kind regards.”96 The defendant replied saying: “hey sweetie…! date!? just
the two of us? […]”.97 After replying to her, the defendant published a screenshot
of the conversation, including the plaintiff’s name, on his Facebook page, to which
over one million people have subscribed. This online conversation was commented
on and linked by third parties multiple times. Shortly after the publication by the
defendant, the plaintiff published a message in a closed network with twenty-five
thousand members who share—at least in tendency—her political opinion, telling
them about the actor’s publication of her message, including her name, and asking for
advice on how she should react. The message also stated that she was now receiving
a lot of insulting messages from the actor’s supporters.
The case was decided on the basis of press law. The court did not make clear why
it did not apply data protection law. In principle, data protection law would also have
been applicable since the publication of the data by the actor constituted automatic
processing of the plaintiff’s personal data, who therefore could have sued Facebook
and/or the actor on the basis of data protection law. Considering the conditions of
the claim on the basis of press law, the court focused on the question whether or
not the publication of the message infringed the personality right of the plaintiff
as enshrined in the BGB. After balancing the various interests involved, the court
concluded that the personality right was not infringed, although it was negatively
impacted by the defendant’s publication. A central argument was that the message
affected the plaintiff only in her ‘social sphere’ because its content concerned a polit-
ical discussion and not a private matter.98 Therefore, the level of protection on the
Ihr Demokratieverständnis und Ihr Wortschatz widern mich an. MFG “(cited according to LG
Saarbrücken, decision of 23.11.2017—4 O 328/17=ZUM-RD 2018, p.115).
97 „hey schnuffi…! Date!? nur wir beide? […]“ (cited according to LG Saarbrücken, decision of
side of the plaintiff is relatively low.99 Circumstances that touch the social sphere
can, according to the court, only be sanctioned if they have severe consequences for
the personality right.100 Examples of these kind of consequences are stigmatization,
social exclusion, or a pillory effect.101 According to the court, the publication of
the conversation by the defendant had led to the plaintiff being exposed as a private
person to a large public and thus also to the comments of the defendant’s Facebook
followers.102 In addition, mentioning her name served only to expose and ridicule the
plaintiff as a person.103 Thus a pillory effect occurred. In principle, the publication
of the message including the name would therefore be unlawful. However, the plain-
tiff herself ensured that her interests did not outweigh the communication interests
involved. She did so, in the argument of the court, by publishing the conversation
in the closed forum.104 According to the court, the plaintiff thereby showed that she
had no interest in her conversation with the actor remaining private.105 Otherwise she
would have chosen another way to discuss her concern about the actor’s publication
of her name and message.106 The court applied the doctrine of the deliberate opening
of the private sphere by the person him/herself (Selbstöffnung der Privatsphäre),
which the German civil courts developed for cases where somebody willingly told
the press something private. After this opening of the private sphere, the person in
question generally cannot claim that the information that can be interpreted on the
basis of this data is private.
The court took the specifics of the communication situation into account at many
points in the decision.107 However, it did not sufficiently adapt the standard of Selb-
stöffnung der Privatsphäre. The court presupposed that the public produced by the
plaintiff led to the fact that a cease-and-desist declaration by the defendant could
no longer assume a meaningful function—because the communication was already
public. The court therefore presupposed here that the public which the defendant
produced was to be equated with the public reached by the plaintiff. The decision
was therefore based on the idea of a relatively homogeneous public sphere. In fact,
the public spheres produced by the plaintiff and the defendant are very different.108
The plaintiff addressed a closed forum in which she expected that the readers of her
contribution would, in principle, be sympathetic to it. The defendant, on the other
should not be published with respect to its content (and not with respect to the publication of the
plaintiff’s name): LG Saarbrücken, decision of 23.11.2017—4 O 328/17=ZUM-RD 2018, p. 117
and p. 119.
108 Both public spheres are—as the reproduction of the communication by the plaintiff shows—
connected with each other, and content can quickly be switched back and forth between the two. This
Forgetting as a Social Concept. Contextualizing … 199
hand, addressed a public with a positive attitude towards him at the outset and that
was also networked with other public spheres in much more complex ways—such
as the public sphere of the classical mass media. If the defendant had to refrain from
spreading the message—i.e., delete his mail as a result—this could trigger a consid-
erable response by this public. This would mean, for example, that the defendant and
other celebrities were in principle not allowed to publish private messages without
anonymizing them. At the same time, it would have become clear that the messages
sent to the plaintiff from the actor’s fan community were sent because of an illegal
publication and were therefore not legitimate. All this could have contributed to the
development of a communication standard for communication by celebrities in social
networks that applies irrespective of whether the applicant makes the communication,
including her name, public in another forum.
As described above, the case would probably have been decided similarly if data
protection law had been applied. This is because data protection law in Germany is
brought in line with press law by way of constitutional interpretation. In this respect,
both data protection law and press law are not yet fully adapted to new communication
formats in the same way. There are good reasons why—in the future—they should no
longer be brought in line with each other, but should rather be developed in different
ways. The hypothesis to be developed further is that a more restrictive application of
data protection law in the area of new communication formats could help to better
exploit the strengths of both areas of law, and by doing so, help to ensure more
context-sensitive application of the two areas of law.
There are therefore two reasons for a more cautious application of data protection
law in the area of new communication formats: On the one hand, the structure of
data protection law is not geared to multipolar communication situations. On the
other, a more restrictive application of data protection law could contribute to the
development of more context-sensitive application of both data protection law and
press law. The media privilege that has long been known in data protection law can
be used to achieve this end.
The media privilege can be found in Article 85(2) GDPR, which reads as follows:
For processing carried out for journalistic purposes […] Member States shall provide for
exemptions or derogations from Chapter II (principles), Chapter III (rights of the data
subject), Chapter IV (controller and processor), Chapter V (transfer of personal data to
third countries or international organisations), Chapter VI (independent supervisory author-
ities), Chapter VII (cooperation and consistency) and Chapter IX (specific data processing
situations) if they are necessary to reconcile the right to the protection of personal data with
the freedom of expression and information.
Article 85(2) GDPR requires the Member States to provide for exceptions to
certain provisions of the GDPR which are applicable in principle if data are processed
for journalistic purposes and these exceptions are necessary in order to balance data
protection and communication interests. It is therefore up to the Member States to
assess which exceptions are appropriate in order to weigh communication interests
in the field of journalism against data protection interests. In this respect, European
law contains a regulatory mandate which constitutes a mandatory requirement as to
whether or not the exception should be made, but which grants the Member States a
margin of maneuver in the matter.109 It follows that the Member States provide for
such rules in their legal systems. In Germany, such regulations are enacted for the
press in the press laws of the German federal states, the Länder, (Landespressege-
setze) and for broadcasting in Section 57 of the Interstate Broadcasting Agree-
ment (Rundfunkstaatsvertrag), which also contains corresponding regulations for
the online platforms of the press and broadcasting.110 The preceding regulation at
the EU level was Article 9 of Directive 95/46 EC, which contained a regulation
comparable to Article 85(2) GDPR in view of the necessity to provide for exceptions
to data protection law in the context of journalistic activities.
The media privilege was introduced into data protection law with a view to journal-
istic activities in the mass media. It was based on the assumption that the application
of data protection law in the field of mass media journalism would lead to an excessive
restriction of journalistic activity. Examples include the rights of persons affected
by journalistic research, which would convey rights to information and correction to
the person affected by the research right from the start.111 In addition, frictions were
identified between the reporting of suspicions protected by the freedom of commu-
nication and the right to correct data processing under data protection law.112 Further
points that could hamper journalistic work include the documentation obligations
that data protection law imposes on the controller as well as the already described
default setting of data protection law that is friendly to the right of personality, which
can be seen, for example, in the distribution of the burden to provide evidence and the
rather broad understanding of liability. Against this background, the provisions on
the media privilege were and are understood as a reconciliation of interests between
data protection law and freedom of communication: in the field of journalistic activ-
ities in the mass media, data protection law per se is regarded as hostile to freedom
of communication; exceptions to data protection are therefore regarded as friendly
to freedom of communication.113
As for the right to be forgotten in these situations: inasmuch as the right to be
forgotten is based on press law and applied to reporting of mass media offline or in
online archives, the media privilege applies. However, if the right to be forgotten is
So far only a small fraction of the large number of possible online media cases has
been decided at the level of the highest courts. The decisions tend towards a rather
narrow understanding of media privilege. Jurisprudence at the level of the courts of
lower instance has already had to decide on a number of communication format,
without, however, reflecting deeply on the media privilege.
The media privilege can also play a useful role in the area of online media,
although it cannot be said that the application of data protection law per se brings
about excessive limitations of communication freedoms because the communication
formats are too versatile. Therefore, in the context of new media, the media privilege
cannot be understood as a form of reconciling interests. It can, however, serve a
different role with respect to online media. It can contribute to the application and
further development of data protection law and press law online in a way that is
appropriate to the subject matter. This can be achieved by a comparison of the two
areas of law: which area serves the medium and the personality rights in question
better and can therefore contribute to a communication situation online friendly to
media rights and personality rights? Therefore, the interpretation and application of
the media privilege should consider the structural features of data protection law and
press law and compare the effect of their application with respect to the medium
in question. The media privilege then applies the area of law that best suits the
respective communication situation. This means that the media privilege must be
understood as a kind of coordination mechanism between data protection law and
press law. The comparison of their structural features helps making aware of the
particular features of the two legal regimes and therefore helps identifying potential
of innovation with respect to new media within each regime. By doing so it also
serves to establish normative standards that consider the particular characteristics of
online communication situations.
Such an understanding presupposes, however, that the media privilege can be
interpreted in such a way that it also includes (partially) public statements in new
media. On the other hand, it presupposes that data protection law and press law
serve the same objects of protection in the areas where they overlap. If this is the
case, concrete criteria for the application of the media privilege as a mechanism of
coordination can be developed.
As described above, the decision of the BGH and the latest decision of the ECJ
follow a rather strict understanding of the media privilege. According to the BGH,
a certain threshold of editing must be reached, and this cannot occur when data
are processed automatically. In the German commentary literature on Article 85(2)
GDPR it is said that the threshold cannot be reached in cases of mere data collection
and dissemination.121 This line of argument is too strongly focused on a comparison to
activities of traditional mass media. If one takes into account the goal of protection of
Article 85(2) GDPR, it is possible to come to another conclusion. Article 85(2) GDPR
protects the process of opinion formation concerning opinions that are mediated to a
public and can therefore have a specific impact.122 The media privilege is supposed
to protect this process, which is supposed to be as free as possible. It is true that mass
media play an important role in this process. But it is also true that the dissemination
of opinions to a public is not only done by mass media. In fact, new media play
an increasingly important role within this process.123 And within these new media,
a lot of processing is done automatically. In other words: not the fact that data
is processed automatically is important but rather the impact of this process on the
level of public information.124 This is true, for example, of the results lists of Internet
search engines and Facebook’s timeline. Application of data protection law (and/or
press law) that is not context-sensitive would hinder the development of normative
standards for communication in the new media, as indicated by the example of the
actor’s publication of the private message as it was decided by the Regional Court
Saarbrücken.125 The lack of a suitable normative standard for communication in
new media has negative effects on the process of opinion formation and therefore
impacts the goal of protecting the media privilege. The protection objective of the
media privilege thus argues for the inclusion of new media in its scope of application.
What is more, the comparison with classical mass media was undertaken by the BGH,
and the BGH only argues on the basis of national law. Its understanding is therefore
not binding for the understanding of the European regulation in Article 85(2) GDPR.
At the European level, in contrast, there are two contradictory decisions: on the
one hand, the very broad understanding of ‘journalistic’ in the Satamedia decision
and a rather narrow understanding in the Google-Spain decision. The Satamedia
decision concerns the enterprise Satamedia, which wanted to disseminate information
concerning tax data previously published on government websites. These data had
been collected by another enterprise. Satamedia wanted to disseminate the collected
data via new communication channels. Here, no level of editing could be identified.
The decision dealt with the mere collection and dissemination of data; the court
concluded that this activity must be understood as ‘journalistic’ in the sense of Article
9 data protection Directive 95/46.126 The court linked the word ‘journalistic’ to the
fact that a piece of information was made public rather than to the circumstances of
how this happened (automatically or with a certain amount of editing). According
to this broad understanding, the media privilege can be applied to new media online
provided there is a communication situation in which a public is to be reached with the
122 The fact that a public is addressed by the publication is emphasized inter alia by Herb (2018)
para 13c.
123 A differentiated study focusing on the role of intermediaries in the process of opinion formation
127 This criterion also provides a possible differentiation between the word ‘opinion’ in Article 85(1)
1 GDPR—which says that the Member States should adapt their laws to the Regulation in the field
of the freedom of opinion—and Article 85(2) GDPR. Article 85(2) GDPR is in my understanding
geared towards communication situations where content is mediated to a (sub)-public, whereas
Article 85(1) GDPR focuses more on the content of a message and also includes situations where
content is transferred between two parties. See for the relationship between Article 85(1) GDPR and
Article 85(2) GDPR and the consequences the possible interpretations have for the relationship of
press law and data protection law in the field of pictures containing natural persons Lauber-Rönsberg
and Hartlaub (2017).
128 Similar Michel (2018), p. 837.
129 An overview is provided by Simitis (2014).
130 Simitis (2014), p. 205.
131 Albers (2005).
132 Simitis (2014), p. 208.
133 Trute (2003), Bull (2011), Britz (2010), Albers (2005).
134 Franzius (2015a), p. 263.
135 Albers (2005), p. 156.
Forgetting as a Social Concept. Contextualizing … 205
case, inter alia, for certain rating platforms. For outcomes that cannot be predicted,
however, the ex-post regulatory approach of press law could be more appropriate.
This applies, for example, for results lists of Internet search engines.
When data protection law is applied, all its possibilities should be exhausted.
For example, one could consider transferring the legal construct of the scientifi-
cally recognized mathematical-statistical method (Section 31 of the old BDSG) to
rating platforms. This could have the consequence that evaluations only become
visible when a sufficient number of evaluations have been submitted, so that the
result is statistically representative. One could also consider introducing a data
protection impact assessment (Article 35 GDPR) particularly for rating platforms
or rating features, or certificates for those rating platforms/rating features that are in
accordance with data protection law. Current data protection law does not provide
adequately for such regulations, but its further development in this direction would
be in line with its regulatory structure. And the media privilege as a coordination
mechanism could help to identify this innovative potential of data protection law. The
same applies for press law. With respect to the right to be forgotten and the frequent
accusations of private censorship, it would, for example, be particularly logical to
further develop the mechanisms of liability or to think about new institutions.141
7 Conclusion
The coordination mechanism outlined in this way can also be understood as a kind of
learning instrument for fields of law. The comparative interpretation and the presup-
posed separation of the fields of law should therefore not be understood too strictly.
In fact, press law and data protection law can both be understood as different but
related ways to structure and/or influence the processing of personal data and infor-
mation and therefore as different ways to realize the constitutional right to informa-
tional self-determination. At least from a constitutional perspective, the two areas are
therefore related.142 The question is what the realizations of this relationship should
look like. One possible way can be observed in the latest judgments in both areas:
the described adaptation and gradual assimilation of the two regimes to each other.
This text provides a different perspective by suggesting using the media privilege
as a mechanism of coordination between the two regimes. This includes a compar-
ative perspective and therefore a differentiation between them. The advantage of a
comparative approach is that the strengths of both areas can be identified and, as
a result, perhaps more differentiated standards can be achieved. In the case of the
protection law. This division is applied by the Federal Consitutional Court in its decisions on the
right to be forgotten. See particularly BVerfG, decision of 6.11.2019—1 BvR 16/13=NJW 2020.
300–314, para 82 ff.
141 Suggestions are made inter alia by Ladeur (2014).
142 Lauber-Rönsberg (2014), p. 1058 therefore classifies press law as a sub-category of data
protection law.
208 A. Schimke
right to be forgotten, it follows that different forms could develop in the different
areas, which react sensitively to their application context and whose prerequisites are
suitable to the context of application.143 This understanding has consequences for
the relationship of European law and national law in the fields of press law and data
protection law. Following a traditional understanding of the media privilege, press
law is conceived as national law, whereas data protection law is based on European
law. Using the media privilege as a mechanism of cooperation includes the extension
of its area of application. Since the media privilege is based on Article 85(2) GDPR
and therefore on European law, a connection to European law is given every time it
is applied. Therefore, the European fundamental rights have to be taken into account
and the jurisprudence of the ECJ has to be considered when the media privilege is
applied. This means that an understanding of the media privilege as a mechanism
of coordination between data protection and press law leads to an extended need for
cooperation between European law and national law in the field of press law. Further
questions therefore concern how this cooperation should and could be constructed
in the overlapping field of press law and data protection law, taking into account the
limited competences of the European Union in the field of speech regulation.144
References
143 From a different perspective Koops (2012) arrives at a comparable conclusion, saying that one
could differentiate between different rights to be forgotten (‘right to a clean slate’) in different legal
contexts. See especially Koops (2012), p. 22.
144 A general overview of the relationship between European law and the law of the Member States
Koops BJ (2012) Forgetting footprints, shunning shadows. A critical analysis of the “right to
be forgotten”. In: Big data practice. Tilburg Law School Legal Studies Research Paper Series,
08/2012, pp 229–256
Koreng A, Feldmann T (2012) Das “Recht auf Vergessen” Überlegungen zum Konflikt von
Datenschutz und Meinungsfreiheit. ZD, pp 311–315
Kühling J (2014) Die Rückkehr des Rechts: Verpflichtung von “Google & Co.” zum Datenschutz.
EuZW, pp 527–532
Kühling J (2020) Das “Recht auf Vergessenwerden” vor dem BVerfG – November(r)evolution für
die Grundrechtsarchitektur im Mehrebenensystem. NJW, pp 275–280
Lauber-Rönsberg A (2014) Internetveröffentlichungen und Medienprivileg. Verhältnis zwischen
datenschutz- und medienzivilrechtlichem Persönlichkeitsschutz. ZD, pp 177–182
Lauber-Rönsberg A, Hartlaub A (2017) Personenbildnisse im Spannungsfeld zwischen Äußerungs-
und Datenschutzrecht. NJW, pp 1057–1062
Ladeur KH (2009) Anmerkung. JZ, pp 966–968
Ladeur KH (2014) Cyber Courts. Private Rechtsprechung in den neuen Medien. Murmann, Hamburg
Ladeur KH (2018) Persönlichkeitsschutz und “Gegenschlag” auf Facebook – Anmerkung zu LG
Saarbrücken, Urteil vom 23.11.2017 – 4 = 328/17. ZUM-RD, pp 122–123
Ladeur KH (2020) Grundrechtsschutz im Mehrebenensystem durch das BVerfG, insbesondere der
Grundrechtsschutz der Betreiber von Suchmaschinen. WPR, pp 139–143
Martini M (2017) Algorithmen als Herausforderung für die Rechtsordnung. JZ, pp 1017–1072
Mayer-Schönberger V (2011) Delete. The virtue of forgetting in the digital age. Princeton University
Press, Princeton
Michel S (2018) Bewertungsportale und das Medienprivileg – Neue Impulse durch Art. 85 DSGVO?
ZUM, pp 836–843
Neunhoeffer F (2005) Das Presseprivileg im Datenschutzrecht. Mohr Siebeck, Tübingen
Nolte N (2011) Zum Recht auf Vergessen im Internet. ZRP, pp 236–240
Reinhardt J (2022) Realizing the fundamental right to data protection in a digitized society. In: Albers
M, Sarlet IW (eds) Personality and data protection rights on the Internet. Springer, Dordrecht,
Heidelberg, New York, London (in this volume)
Rosen J (2012) The right to be forgotten. Stanford Law Rev 64:88–92
Sarlet IW (2022) The protection of personality in the digital environment: an analysis in the light
of the so-called right to be forgotten in Brazil. In: Albers M, Sarlet IW (eds) Personality and data
protection rights on the Internet. Springer, Dordrecht, Heidelberg, New York, London (in this
volume)
Schmidt JH, Merten L, Hasebrink U, Petrich I, Rolfs A (2017) Zur Relevanz von Online-
Intermediären für die Meinungsbildung, Verlag Hans-Bredow-Institut (Arbeitspapiere des
Hans-Bredow-Institut Nr. 40), Hamburg
Simitis S (2014) § 1 Zweck und Anwendungsbereich des Gesetzes. In: Simitis S (ed) Bundesdaten-
schutzgesetz, 8th edn. Nomos, Baden-Baden
Spiecker genannt Döhmann I (2014) Steuerung im Datenschutzrecht. Ein Recht auf Vergessen
wider Vollzugsdefizite und Typisierung? Kritische Vierteljahresschrift für Gesetzgebung und
Rechtswissenschaft, pp 28–43
Spindler G (2012) Persönlichkeitsrecht und Datenschutz im Internet. NJW-Beil, pp 98–101
Spindler G, Volkmann C (2015) Störereigenschaft und Abgrenzung zu den Täter- und Teilnehmer-
formen. In: Spindler G, Schuster F (eds) Recht der elektronischen Medien. Kommentar, 3rd edn.
C.H. Beck, München, § 1004, para 9–18
Stehmeier M, Schimke A (2014) Internet-Suchmaschinen und Datenschutz, UFITA, pp 661–682
Stender-Vorwachs J, Lauber-Rönsberg A (2021) Art. 85, Verarbeitung und Freiheit der Mein-
ungsäußerung und Informationsfreiheit. In: Wolff HA, Brinck S (eds) BeckOK Datenschutzrecht,
38th edn. C.H. Beck, München
Stumpf F (2017) Das Recht auf Vergessenwerden. Das Google-Urteil des EuGH: Vorbote der
zweiten Chance im digitalen Zeitalter oder Ende der freien Kommunikation im Internet? Tectum
Verlag, Baden-Baden
Forgetting as a Social Concept. Contextualizing … 211
Anna Schimke Research fellow at the Chair for Public Law, Information and Communication
Law, Health Law and Legal Theory at Universität Hamburg. Main areas of research: Information
and Communication Law, Data Protection Law, Digital Memory and Law, Legal Theory. Selected
Publications: Internet-Suchmaschinen und Datenschutz. UFITA (2012): 661–683; Vergessen als
neue Kategorie im Recht. In: Autengruber M et.al. (eds.) Zeit im Recht – Recht in der Zeit, Jan
Sramek Verlag, Wien, 2016, pp. 87–104; Das Medienprivileg als Koordinationsmechanismus. In:
Albers M, Katsivelas I (eds.) Recht & Netz, Nomos, Baden-Baden, 2018, pp. 155–186; Rechtliche
Rahmenbedingungen der Veröffentlichung von Kinderfotos im Netz durch Eltern. NZFam (2019):
851–857.
Brazilian Internet Bill of Rights: The
Five Roles of Freedom of Expression
1 Introduction
C. A. P. de Souza
Rio de Janeiro State University (UERJ), Rio de Janeiro, Brazil
e-mail: caff@itsrio.org
B. L. M. Nunes (B)
Intellectual Property Specialist, Pontifical Catholic University of Rio de Janeiro (PUC), Rio de
Janeiro, Brazil
which establishes the rule for Internet application providers’ liability, begins with
the expression “to ensure freedom of expression and to prevent censorship”.
With regards to online copyright infringement, the Brazilian Internet Bill of Rights
in the second paragraph of Article 19 also states that the application of the liability
regime determined by it is dependent on a specific legal provision. Although this
wording conditions its application to a future legislation, it is important to point
out that, according to the provision, this new specific legislation should “respect the
freedom of expression and other guarantees provided for in Article 5 of the Brazilian
Federal Constitution”.
The present Article reviews the mentioned five references to freedom of expres-
sion in the Brazilian Internet Bill of Rights and seeks to address issues through
a practical approach, involving the protection designated by Law no. 12.965/14.
Although the field of application of this right is extensive, the understanding of how
it is protected is of clear relevance in order to ensure, in practical cases, the appli-
cation of legal provisions in response to the constant transformations presented by
modern communication and information technologies.
No other concept seems to have caused more adages, axioms, and entries in quoting
dictionaries than that of freedom. In its defense, in the course of history, some of
the most important political and social movements were on behalf of freedom of
expression, just as, also in the name of such a right, unspeakable atrocities were
committed.1 Because it is so close to human nature as to identify itself with the very
condition of men, grasping the concept of freedom is a complex task. Therefore,
and only for purposes of argumentation in this text, it can be said that freedom is
the absence of restrictions of a physical or moral order, and the subject’s will is not
subjected to that of others. Thus, through the lenses of its negative aspects, the idea
of freedom might be better understood for the narrow purposes of this Article.2
The subject’s will, however, may not be externalized. It is precisely for this reason
that it is important to emphasize that this internal dimension of freedom is not subject
to any legal restriction. On the other hand, it is in the act of the individual, in the
expression of his or her thought that the Law applies, ordering conduct and promoting
the appeasement of social relations. Knowing under what conditions the law protects
this expression is of ultimate relevance.
Through this perception, one could imagine that the presence of a judicial norm
necessarily implies in the curtailment of individual will, constituting a true prison of
free will. This notion was exposed, in literary terms, by Giuseppe Tomasi di Lampe-
dusa, author of the celebrated novel Gattopardo, in his poem La gioia e la legge, in
which the existence of law thwarts the feeling of happiness.3 However, the opposition
is not entirely appropriate, because along with its repressive function, which curtails
individual freedom, the law also—and above all—guarantees the fundamental rights
to the dignity of the human person.
This dual mission is present in the constitutional text, by protecting rights and
imposing duties and restrictions. Likewise, the Internet Bill of Rights, which is
substantive in terms of freedom of expression, explicitly emphasizes in its Article
6 that its validity is not only aimed at sanctioning conduct, as it would be expected
from criminal liberties gained using the network. So much so that the “nature of the
internet” itself is openly elevated to the level of the interpretive vector, as established
by Article 6:
Article 6. In interpreting this Law, the nature of the Internet, its particular uses and traditions,
and its importance in promoting human, economic, social, and cultural development must
be taken into account, in addition to the foundations, princi-ples, and objectives set forth
herein.
In this respect, a better understanding of the reasons that justify the publication of
the Brazilian Internet Bill of Rights point to the fact that regulating the relationships
waged through the Internet by means of its devices aim not only as way of orienting
conduct and emphasizing certain principles that should govern future regulations
on the Internet, but also ensuring that all freedoms that have been won through the
development of the Internet and information and communication technologies, are
not eroded by different interests.
In global forums on regulation and network governance, the expression “internet
freedom” is constantly repeated. Thus, it is important to clarify—and the Internet
Bill of Rights assists in this endeavor—that the freedom enjoyed on the Internet
does not exist because there is no law regulating the conduct therein undertaken,
on the contrary, it exists precisely because the laws currently projected or which
begin to take effect, as well as the interpretation of laws prior to the development
of the network, should seek to preserve the freedoms and liberties conquered by the
development of technology, always striving for the balance of rights involved in its
application.
Freedom itself can only be fully practiced by providing the Law with the means
necessary for its effectiveness. The repressive and protective function of the law has
been synthesized since Roman times, when the famous saying was coined: ubi lex,
ibi poena; ubi periculum, ibi lex.
For the Law, the human being, condemned to freedom,4 is free to act in the world
in the way that best suits him, as long as it does not violate legal prohibition. On
the other hand, it is the Law itself that will guarantee the exercise of this freedom,
protecting the different expressions of the right to freedom.
Among the various forms of expression of individual freedom, the Federal Consti-
tution confers broad treatment on freedom of thought and expression.
Freedom of thought and expression can both be characterized as intellectual
content freedom, having as a presupposition for their exercise the interaction
between individuals, with the scope of communicating the product of thought, more
specifically, their beliefs, knowledge, ideologies, political opinions and scientific
works.5
From a binomial thought, one can, for purely academic purposes, separate the
non-externalized thought from that already manifested. Thus, there is a division
between freedom of thought, defined in the right to freedom of opinion, even if it
is not manifested, and freedom of expression, through which the free expression of
thought is safeguarded.
Freedom of expression basically encompasses an individual right to the manifes-
tation of thought and creation. In addition to non-externalized thinking, freedom
of expression protects freedom of worship and religious organization, freedom
of intellectual, artistic, scientific and cultural expression, as well as freedom of
information.
Inner thought, not externalized by the individual, is protected by freedom of
opinion. When and if it is externalized, freedom of opinion will give way to freedom
of expression of thought. As Claudio Luiz Bueno de Godoy explains: “Thus the
opinion of the individual is formed, which, as an expression of freedom of thought,
already in its external aspect, has the right to propagate”.6
Freedom of opinion can be considered the starting point for all other kinds of
freedom of thought because it presents the individual with the possibility of adopting
the intellectual attitude that best suits him.
The Constitutional protection of freedom of opinion is contemplated in the initial
part of Article 5, section VI, of the Federal Constitution, according to which “freedom
of conscience and belief is irrefrangible”, as well as in the wording of Article
5, section VIII, which guarantees freedom of religious belief and philosophical
conviction.
The heading of Article 2 of the Internet Bill of Rights states that “the foundations
of Internet governance in Brazil are based on the respect for freedom of expres-
sion”. Soon after, it points to other fundamentals that, along with freedom of expres-
sion, play an essential role in determining the regulation of the network in Brazil.
Among the sections of the second Article, designated as fundamental rights are:
“human rights, the development of personality and the exercise of citizenship in
digital media” (Article 2, Section II), “plurality and diversity” (Article 2, Section
III), “free enterprise, free competition and consumer protection” (Article 2, Section
V) and the “social purpose of the network” (Article 2, Section VI).
A first question that arises from the reading of this provision is the reason for
which freedom of expression is prominently included in the wording of Law no.
12.965/14. Freedom of expression is predicted in Article 2 of the Internet Bill of
Rights as the basis for the discipline of the network, while the other grounds are
listed in the following subsections.
There are, in fact, technical and political reasons for this treatment of freedom of
expression. In political terms, the inclusion of freedom of expression, highlighted in
the main section of Article 2, meets the demand to promptly defend the legislation
as an important step to better ensure the expression of thought on the Internet.
The worldwide network of connected devices is often associated with the poten-
tializing forms of expression, breaking through blockages imposed by governments
or companies regarding other means of communication. Although this is a simplistic
view of the challenges that freedom of expression faces for its achievement on the
Internet—since the same network that enhances the free speech discourse can also be
an effective means for its curtailment—due to its global reach, there is a perception
that the Internet would be a territory for the free exercise of freedom of expression.
During the process that led to the approval of the Brazilian Internet Bill of Rights,
many were the criticisms directed to the bill for the simple fact that it sought to
establish parameters for the regulation of Internet use in the Country. As explained
in item 2 above, the mere existence of a law that deals with issues related to the
development of technology may be seen as a restriction on the allegedly existing
freedom because of the absence of a specific law.
The process of approving the Internet Bill of Rights, therefore had to circumvent
the natural distrust harbored by the technical community, which saw in the Internet
Bill of Rights—or in any law—an intrusion in the development of practices that are
transformed by the natural evolution of the network use.
In addition, components of a political-partisan nature joined the aforementioned
resistance, seeking to discredit the initiative of the bill as a Federal Government
maneuver to curtail speeches contrary to its interests in the network.
Thus, the emphasis given on freedom of expression in Article 2 undeniably has
a political component, trying to counter, in a single step, a part of the technical
Brazilian Internet Bill of Rights: The Five Roles of Freedom of Expression 219
9 See, among others: Bankston, McDiarmid and Sohn, Center for Democracy & Technology,
Shielding the Messengers: Protecting Platforms for Expression and Innovation, 2012, https://www.
cdt.org/files/pdfs/CDT-Intermediary-Liability-2012.pdf (accessed 11 Jan. 2022). For a list of cases
applying Article 230, see the compilation by EFF - Electronic Frontier Foundation, https://www.
eff.org/pt-br/issues/cda230 (accessed 11 Jan. 2022).
220 C. A. P. de Souza and B. L. M. Nunes
Article 3, section I, of Law no. 12.965/14 determines that the discipline of Internet
use in Brazil has as one of its principles the “guarantee of freedom of expres-
sion, communication and expression of thought, under the terms of the Federal
Constitution”.
According to the phrasing of Article 3, section I, freedom of expression, in addition
to constituting the foundation for Internet regulation in Brazil, is also one of the
principles that should govern said regulation. In the mentioned Article, the freedom of
expression guaranty will be carried out “in accordance with the Federal Constitution”,
thus attracting all the experience accumulated by decades of interpretation on the
constitutional provisions on the subject, especially Articles 5, Section IV and 220 of
the Brazilian Federal Constitution.
Once the constitutional discipline of freedom of expression has been incorporated
into the Internet Bill of Rights, a question arises with great evidence: the role played
by anonymity on the Internet and how to align its development with the constitutional
text that guarantees freedom of expression but prohibits anonymous speech.
To better understand this dilemma and how the constitutional text can be inter-
preted to enable the various ways of implementing anonymity on the Internet, it is
necessary to begin with the North American experience on the subject, since the
treatment given to anonymous discourse in the United States can offer significant
indications on the subject.
To align freedom of expression with other rights, the US Supreme Court jurispru-
dence has created several standards to measure whether, in a given situation, such
freedom should be curtailed.
Brazilian Internet Bill of Rights: The Five Roles of Freedom of Expression 221
One of the most-known standards is the so-called “clear and imminent danger”,
according to which constitutional restrictions imposed by legislation on freedom of
expression, if justified “by an evident public interest, threatened not by a dubious
and remote danger, but by an evident and imminent danger”.10
The criterion of clear and imminent danger was created according to a judicial
opinion proffered by Justice Oliver Wendell Holmes in Schenk v. Arizona, tried
in 1919. The case involved the distribution of pamphlets by mail carried by two
individuals, aimed at obstructing enlistment in the military during World War I. The
object of controversy: calling upon US citizens to resist the intimidation of enlistment.
This reflected the interest of a chosen minority of Wall Street in the United States’
participation in the conflict, as well as denied the right to send US soldiers “in order
to terrorize the citizens of other lands”.11
In his judicial opinion, Justice Holmes stated that “the most inflexible guarantee
of freedom of speech would not protect a man who falsely shouted ‘fire!’ in a theater,
thus causing panic… The question in each case is to know if words have been used
in circumstances and are of such a nature that they involve a clear and imminent
danger of producing the substantive evils that Congress has the right to prevent.”12
In the 1960s, during the period known as the Warren Court, freedom of expres-
sion was strongly protected, with the First Amendment achieving unprecedented
effectiveness, declaring the unconstitutionality of several legislative acts that unduly
restricted the freedom provided in that device.
Currently, the Supreme Court uses other standards to assess the convenience
of declaring a law unconstitutional for infringement of the First Amendment. The
protection of freedom of expression has been more intense for discourses of a political
nature—this is one of the existing debates considering freedom of expression and its
protection since the First Amendment is precisely that derived from the protection
of the so-called “anonymous discourse” and especially its protection on the Internet.
The District Court of Washington, for example, in its assessment of an anonymous
posting on the network, stated that “the internet is a true democratic forum for
communication. It allows the free exchange of ideas in an unprecedented way both in
speed and scale. For this reason, the constitutional rights of internet users, including
First Amendment protection to anonymous speech, should be carefully guarded”.13
The District Court of Northern California, while analyzing a case involving the
anonymous posting of criticism in a blog, highlighted that “people may interact by
pseudonyms or anonymously, as long as their acts do not implicate infringing the
10 Excerpt of Judge Rutledge decision proffered in the Thomas v. Collins case. Apud. Sarmento
(2002), p. 158.
11 According to the judicial opinion proffered by Wendell Holmes, transcribed in Capaldi (1984),
p. 51.
12 Rodrigues (1958), p. 148.
13 No. C01-453Z, 140 F. Supp. 2d 1088, Doe v. 2TheMart. Com Inc., Dist. Court, WD Washington.
law. The ability to express oneself without third parties being able to know details
about your identity can foster broad communication and a robust debate”.14
Precisely because of the strong constitutional protection conferred to the anony-
mous discourse, the United States Courts have created in the last fifteen years a series
of conditions so that the victim of offenses derived from anonymous comments can
judicially require the identification of the author of the injurious speech.
The necessary criteria for this identification to occur varies significantly. However,
the list of conditions imposed in the Dendrite Int’l v. Doe No. 3, Superior Court of New
Jersey, has gained special prominence and has been routinely applied for damages
caused over the Internet by anonymous postings.
According to the test resulting from the mentioned decision, the victim, in seeking
the identification of the author of an anonymous and damaging commentary, will have
to meet five conditions: (i) demonstrate that the victim agrees to the arraignment of
the author of the anonymous quotation; (ii) clearly indicates the expression of thought
that violates their rights; (iii) indicates that the Judiciary can analyze the case and that
the action against the anonymous author is viable; (iv) produces sufficient evidence
that may prima facie instruct the action; and (v) the Court shall measure the protection
of the anonymous discourse present in the First Amendment with the strength of the
arguments presented by the victim in the sense of revealing the identity of the author
of the anonymous and offensive discourse”.15
Thus, it is evidenced that in the American constitutional-tradition, anonymous
discourse is, as a rule, protected by the First Amendment, allowing the victim, in
specific situations, to seek the identification of its author and from that result, to
proceed with an indemnity action.
It is important to understand this experience on the subject so that one can compre-
hend to what extent the discipline of the theme in Brazil differs from the United States.
Although Brazil has no tradition of protecting anonymous discourse, it is necessary
to recognize the reasons why the constitutional protection of freedom of expression
has been tied to the prohibition of anonymity and how it can be fulfilled considering
the Internet.
14 185 F.R.D. 573, 578, Columbia Ins. Co. v. Seescandy.Com, N.D. Cal. Judgement 1999, accessible
under https://ilt.eff.org/Columbia_Ins._Co._v._Seescandy.html. Accessed 11 Jan. 2022.
15 No. 3, A-2774-00T3, Dendrite International, Inc. v. Doe. Judgement 11, July 2001, acces-
that according to Brazilian law, anonymous discourse should not be protected, thus
distancing itself from the American tradition.16
However, what would be the reason, in the Brazilian experience, for the protection
of freedom of expression not to include protection for anonymous discourse? At
the root of this precept, as explained by the most renowned commentators to the
constitutional text, is the concern in identifying the author of a manifestation of
thought so that he or she can answer for any abuse and damages eventually caused.
The ban on anonymity was not introduced into Brazilian law by the current
Constitution. Its inclusion follows from the Constitution of 1891, in its Articles
72, Section 12. Since then, this connection between anonymity and the need to hold
the perpetrator liable for damages caused by abuse in the expression of thought is
recurrent in doctrine and in national jurisprudence.
Accordingly, the Federal Supreme Court has already established that:
The constitutional veto to anonymity, as is known, seeks to prevent the consummation of
abuse in the exercise of freedom of expression, since, by requiring the identification of
who uses this extraordinary legal-political prerogative, essential to the very configuration of
the Democratic state of law, is ultimately aimed at enabling any excesses arising from the
practice of the right to free speech to be made accountable, a posteriori, both in the civil
sphere and in the criminal sphere.
(…)
It is evident, then, that the clause prohibiting anonymity - by enabling a posteriori,
the criminal and/or civil liability of the offender - is a constitutional measure designed to
discourage abusive expressions of thought, moral heritage of persons unjustly disrespected
in their sphere of dignity, regardless of the means used to convey contentious accusations.17
the author is a possibility in case any abuses are committed concerning the expression
of thought, therefore promoting liability.
(accessed 11 Jan. 2022). See: G. Sands, What to Know About the Worldwide Hacker Group
‘Anonymous’, ABC News, 2016, http://abcnews.go.com/US/worldwide-hacker-group-anonymous/
story?id=37761302 (accessed 11 Jan. 2022).
Brazilian Internet Bill of Rights: The Five Roles of Freedom of Expression 225
of the role that anonymity plays in the network, the anonymous group has been the
object of several studies on its controversial form of organization.25
During the protests that marked Brazil’s recent political history, the use of masks
by protesters sparked an intense debate over the contours of freedom of expression
in the country. Can protesters cover their faces with masks during a protest? How can
the State Department ensure that abuses committed during these demonstrations are
punished? Would it be better to ban the use of masks or simply to determine that any
masked person might be required to identify himself or herself to a police authority
for potential accountability?
This dilemma is evidence on how anonymity, driven by the natural behaviors of the
network, can have consequences that overflow the Internet. The group anonymous
chose the mask used by the Irish revolutionary Guy Fawkes (and popularized by
comics and films) as their symbol. The same mask nowadays can be seen in protests
and demonstrations around the world—from deputies in Poland, wearing the mask
as a form of protesting the vote on an intellectual property law,26 to their extensive
use in the protests of 2013 in Brazil.
Thus, technical, political, social and legal elements become confused in the mosaic
that reflects the relevant role that anonymity plays in the evolution of the many forms
of communication through the Internet.
The ban of the app “Secret” in Brazil, a case that occurred shortly after the approval
of the Brazilian Internet Bill of Rights, put into practice the debate on the role of
anonymity in the network and the constitutional protection of freedom of expression.
Available, at the time, in both the Apple Store and Google Play, it quickly gained
popularity since it allowed users to post brief comments without any immediate
identification of the message’s authorship.
The user of the application was only informed if the author of the message was
a “friend” or “friend of friend”. This information was obtained as soon as the user
authorized the application to access his/her Facebook friends or the contacts of their
mobile device. Most popular comments could still be viewed in the app through
the “Explore” section. In previous versions of the app, it was possible to upload
any photo to illustrate the message. While viewing a post, other users could like or
comment. There was no indication, either to the author of the message or to those
who comment, of the authorship of the original message or subsequent comments.
The application was subject to a Public Civil Action filed by the Public Prose-
cutor’s Office of the State of Espírito Santo, through its 26th Civil Prosecutor’s Office
of the City of Vitória. The suit, filed against Apple, Google and Microsoft, sought
to ban the application in Brazil because it understood that its operation violated the
constitutional seal of anonymity and provided offenses that violated the dignity of
the human person.
The 5th Circuit Court granted Apple and Google a preliminary injunction, deter-
mining that they should remove the application from their virtual stores and, within
ten days, erase the already installed applications of all mobile devices in the country.
Due to this measure, the company responsible for the app took steps to prevent
damages to third party rights’ from being committed. Therefore, the use of photos
was initially restricted for Brazilian users. The company also informed the press that
it would quickly remove all illicit publications, just as soon as it was notified by
the eventual victim. Such notification could be sent through a mechanism in the app
itself, available since its release.27
In examining the complaint filed by Google Brazil, the Court of Justice of Espírito
Santo understood that the measure that forced the companies Google, Apple and
Microsoft to erase the application from the mobile devices that had downloaded
it could not prosper. In his vote, the rapporteur mentioned that the invasion of an
extraneous computer device has been a crime in the country since the entry into
force of Law n°12.737/12 (known as the “Carolina Dieckmann Act”) and, therefore,
the Judiciary could not adopt such a measure.28
In addition to the debate on the possibility of removing content directly from
private mobile devices - a topic that grows in relevance at the same speed as digital
inclusion advances through the mobile Internet in the Country - it is relevant to
investigate whether the Secret app case falls within constitutional contours. This
analysis is made relevant by the diversity of Internet applications that, in various
ways, use anonymity (or at least its appearance or expectation) as an essential feature
of the tool.
The Secret app seems to integrate the extensive and complex set of applications
on the Internet that promote anonymity. By allowing users to post messages without
their immediate identification, the platform seemingly provides users an anonymous
use of their services. However, a closer look at how the application is used and
how providers respond to notifications about illegal content reveals a very different
perspective. Paradoxical as it may seem, what the application in question offers is
not the experience of full anonymity, but only an expectation of anonymity.
This conclusion is arrived upon from reading the application’s Privacy Policy,
which very clearly stated that the alleged anonymity is maintained only among users
of the service, ensuring the possibility not only of identifying who is the author of a
27 De Lucca, Secret want to colaborate with Brazilian Authorities, and in Brazil, IDG
Now, 03 September, 2014, http://web.archive.org/web/20160826072303/http://idgnow.com.
br/blog/circuito/2014/09/03/secret-quer-colaborar-com-as-autoridades-brasileiras-e-aqui-no-bra
sil/ (accessed 11 Jan. 2022).
28 Capelas, Espírito Santo’s Court of Justice retracts decision and goes releases the Secret appli-
message, but also sharing this information with authorities that will have the power
to order the company to disclose it for the purpose of investigating illicit activities.
The app’s Privacy Policy, in its June 11th, 2014 version, clarified that, even with
the alleged anonymity existing in the user interface, “it is still technically possible
for Secret to connect your Posts with your email address, phone number or other
personal information you have provided. This means that if a court or a competent
authority asks us to disclose your identity, we may be required to do so”.29
In addition to informing the competent authorities about the identifying data of
the author of harmful messages, Secret also provided the victim of damages caused
through its platform a tool for reporting illegal content.
Consider the aspects of such app: it was a tool that produced the expectation of
anonymity in an environment in which users interact. Additionally, it provided means
of identifying the author of messages sent via the app, promising to share such data
with the competent authorities if necessary, as well as promoting the withdrawal of
any content deemed harmful. With these aspects in mind, would the app fall under
the constitutional prohibition of anonymous speech?
By allowing the identification of the author of messages posted in their platform,
maintaining only the alleged anonymity among its users, brings to question whether
the Secret app ever created an anonymous environment. It seems more appropriate to
characterize the anonymity provided by the application as a relative one, or at best,
as a mere expectation of anonymity, which may be broken when the author of a
message violates the established terms of use or causes harm to others.
Furthermore, in additional evidence as to how the environment made available
by Secret does not fall into the constitutional prohibition to anonymity, it is possible
to state that the ratio of the constitutional precept is to avoid that the anonymous
discourse will encourage an abusive expression of the thought, allowing the author
of such manifestation to cower under the mantle of anonymity so as to evade eventual
liability.
Thus, by maintaining the possibility of identifying the author of any specific
message, by collaborating with the competent authorities for the identification of
the user responsible for the message, and by promoting a system of complaint and
removal of illegal content, it seems that the application has complied with the purpose
of the constitutional norm which protects freedom of expression, as determined in
Article 5, section IV.
As seen above, both doctrine and jurisprudence assert that the teleological inter-
pretation of the prohibition to anonymity present in the Constitution is to guarantee
liability. The Secret App has construed an environment that seeks to take advan-
tage of the freedom that the supposed anonymity confers, encouraging its users to
express their ideas and opinions freely, which goes back to the root of the protection
of anonymity in its American origin. At the same time, however, it stated that the
identification of the author of harmful messages would be possible, which seems to
be consistent with the ratio of the Brazilian constitutional precept.
It is worth recalling Francesco Ferrara’s lesson, that “every provision of law has
a scope to accomplish, whether to fulfill a certain function and purpose, for whose
achievement it was created. The rule rests on a legal basis, a ratio iuris, which
indicates its real understanding”.30
The purpose of the constitutional provision in denying anonymity would not
extend these effects to the use of the Secret application. In other words, the user
of the application is anonymous until the moment he or she abuses his or her
freedom of expression and causes damages to third parties, thus complying with
the constitutional mandate.
There is one last issue that can be drawn from the constitutional discipline on
freedom of expression and its connection with the Internet Bill of Rights: if appli-
cations that generate a mere expectation of anonymity can be made available in the
Country, what about those who actually offer a complete experience of anonymity,
not revealing the author of the message and not even retaining records about the use
of the service? For these tools it will be necessary to construct a new interpretation,
since the final analysis of the Constitution would only more directly protect those
applications that produce a mere expectation of anonymity for those who use the
platform, but not for the competent authorities to ascertain any damages caused.
In addition, it is also worth emphasizing that the Internet Bill of Rights obliges,
as provided in Article 15, Internet application providers, constituted as legal entities
and who carry out organized and professional activities for economic purposes, to
maintain the respective records of Internet application access, under secrecy, in a
controlled and secured environment, for a period of 6 (six) months, in accordance
with the regulations.
Thus, by generating an environment of apparent anonymity, but with the retention
of records in accordance to Article 15 of the Internet Bill of Rights, the application
providers could make available applications, for example, like Secret, in Brazil.
However, as we can see today, this issue is less complex when it comes to the
availability of tools that guarantee anonymity on the Internet.
Article 8 of the Brazilian Internet Bill of Rights establishes that the “protection of
the right to privacy and freedom of expression in communications is a necessary
condition for the full exercise of the right to Internet access”.
One of the core articles’, it dialogues with the process of creating access to the
Internet as a right and conditions its full exercise to the fact that, once you have access
to the Internet, the right to privacy and freedom of expression is also guaranteed.
The debate on the access to the Internet as a right, be it a human or fundamental
right, transcends the limits of this work. In a brief note, it can be said that the
discussion is currently polarized between those who understand that access to the
Internet would only be a means for the realization of real fundamental rights (such as
access to information and freedom of expression) while others recognize its character
as an autonomous human right.
A position which is widely remembered, but contrary to the recognition of access
to the Internet as a right is that defended by Vinton Cerf in an article published in
the New York Times.31 According to the author, access to the Internet should not be
considered a human right, because, like all technology, it is only a “rights enabler”;
a means and not an end in itself.
In the same article, Vinton Cerf states that technological progress derives from
achievements made by technicians and that it should be up to them to decide on
the path of technology, including ensuring that the Internet continues to enable the
exercise of human rights. This statement has a hidden recipient—the governments—
and can be read as a discourse for the technical self-regulation of the Internet. The idea
seems equally sympathetic and risky. The most obvious risk is its own radicalization,
leading to the understanding that the Internet, as a technical resource, should not be
the subject of political decisions.
This perception might lose sight of the fact that technology is not a given. Tech-
nology is not neutral, but rather the result of choices, of human decisions inherent
in its development process. It does not generate impacts on society, as something
external that moves and collides with society; on the contrary, it is a part of society.
Therefore, there are technologies more or less likely to generate certain behaviors.
As an example, the social networks and how their architecture suggests the effects
derived from its use. Networks that allow you to follow whomever you please are
more diversified and informative, stimulating criticism and the exchange of ideas.
Social networks that only allow their users to accompany the posting of friends,
on the other hand, can isolate the user in a true bubble of preferences, styles and
ideologies shared only by a small group of people who resemble each other.
The result of defending a strictly technical regulation of the Internet only removes
institutionalized political channels from the scene, because technology is the result
of choices, of decisions that are ultimately political. The Internet is thus a space
for the realization of rights, but whose construction is not only the responsibility
of the community of experts, but also of governments, companies, the third sector,
academia and, of course, the Internet user, who must be a participant and the purpose
of all network regulation.
The Brazilian Internet Bill of Rights is, in this regard, a good example of multi-
stakeholder construction involving the most diverse stakeholders in the regulation
of the network. Thus, essentially fundamental devices such as the one mentioned
in Article 8, make way to a more comprehensive understanding of what should be
understood as the full exercise of the right of access to the Internet and the prominent
role that freedom of expression operates in this scenario.
31Cerf, Internet Access Is Not a Human Right, New York Times, 4 January 2012, http://www.nyt
imes.com/2012/01/05/opinion/internet-access-is-not-a-human-right.html?_r=0, (accessed 11 Jan.
2022).
230 C. A. P. de Souza and B. L. M. Nunes
More specifically, by ensuring that the construction of the legal provision is plural,
so that different actors could contribute during the process of creating the Bill that
gave rise to the Brazilian Internet Bill of Rights, providing the Legislative Branch
with the necessary expertise to approve its final text, Law no. 12.965/14 appoints a
profitable direction to also understand how a multisectoral approach operates in the
definition of legal terms.
In other words, the composition of interests that mark the legislative process is
not only evident in specific devices that directly seek to achieve certain activities.
Quite the opposite, in core articles, such as Article 8, when stating that freedom of
expression is a condition for the full exercise of the right of access to the Internet,
the Internet Bill of Rights seeks to evidence a balance that affects all sectors.
The Internet Bill of Rights is very specific when it comes to Internet providers’
liability.32 Accordingly, Article 19 determines that:
Article 19 In order to ensure freedom of expression and prevent censorship, Internet applica-
tions providers may only be held civilly liable for damages resulting from content generated
by third parties if, after specific judicial order, the provider fails to take action to make the
content identified as offensive unavailable on its service by the stipulated deadline, subject
to the technical limitations of its service and any legal provisions to the contrary.
32 For a dicussion with a view to Article 19 of the Internet Bill of Rights cf. also Schreiber (2022),
in this volume. For a proposal to consider mechanisms of self-regulation Hartmann (2022), in this
volume. As to the German Network Enforcement Act see Schulz (2022), in this volume.
Brazilian Internet Bill of Rights: The Five Roles of Freedom of Expression 231
This was precisely the conclusion reached by the Supreme Court of Argentina
in addressing a case in which the plaintiff sought to hold Google accountable for
the constant results of its search mechanism. The following section reviews this
decision. Afterwards we turn to the provisions the Brazilian Internet Bill of Rights
as to understand how free speech in the Law is taken into account when designing a
liability regime for Internet providers.
On October 28, 2014, the Argentinean Federal Supreme Court of Justice issued
its decision on the case involving the Argentinian model and actress María Belén
Rodriguez.33 The case tackles the issue of the liability of web search providers derived
from the content listed on their databases. Rodriguez sought to hold search providers
liable associating her name to websites which held sexual and pornographic content
as well as for displaying unauthorized photos.
The model sued Google and Yahoo! in Argentina claiming that her rights to
privacy, image and honor would be violated with the availability of search results
that led to adult sites. She also argued that the use of thumbnails representing her
image violated the right to her own image. Although these contents had not been
generated by the search providers, the actress argued that their propagation by means
of the search engines made their access easier. In addition to the removal of the links
and images, compensation was sought for damages. The defendants were ordered to
pay damages for fault-based liability, in addition remove search results of an offensive
nature and implementing a system that would prevent damages from recurring in the
future.
The debate promoted by the Court focused on the role played by these providers
to promote access to knowledge and information, as well as the impact a decision
imposing the filtering of sites could have on the protection of freedom of expression.
On the other hand, it sought to understand how damages caused by the network could
be avoided without this implying in previous censorship. This is precisely what the
Brazilian Internet Bill of Rights suggests.
The first issue examined by the Supreme Court was whether search providers
could be subject to any form of strict liability, i.e. whether they could be held liable
for the content made available online regardless of any wrongful conduct on their
part. This type of liability is usually derived from the determination by the courts that
a certain activity endangers third parties’ rights. Thus, even without any notification,
either by the individual or by some competent authority, the provider would already
be liable. The court unanimously rejected this approach.
33Municoy, Argentinean Supreme Court Rules in Favor of Google and Yahoo on Civil
Liability of Search Engines in María Belén Rodriguez case, The Free Internet Project, 11
April 2014, http://thefreeinternetproject.org/blog/argentinean-supreme-court-rules-favor-google-
and-yahoo-civil-liability-search-engines-mar%C3%ADa (accessed 11 Jan. 2022).
232 C. A. P. de Souza and B. L. M. Nunes
In doing so, the court noted that search keys play a “key role in the global dissem-
ination of online content, facilitating the access and identification of relevant data for
billions of users”. Thus, the court held that there would be no prior duty of providers
to monitor their platform for potentially harmful content, since such an assessment
could be highly subjective.
However, what happens if the provider receives a notification from the victim
claiming that certain content is causing damages? Should the provider act to remove
the material? What if he fails to remove the content or even choose not to do so by
understanding that there is no harm in the claimed case?
The Court then considered that a private notification would not be sufficient to
generate liability. In its decision, the Argentinean Federal Supreme Court of Justice
questions the effects of creating a system in which anyone could notify the provider
and thereby see the content removed. Approaching a scenario of private censorship,
the Court stated that this result would ultimately deprive the Judiciary from acting
as a legitimate body to ascertain whether a material is lawful or unlawful.
According to the decision, only a court order or notification of a competent
authority would have the power to allow the provider the unequivocal knowledge
that a content is unlawful, and that action should be taken to remove it. However,
as an exception, the Court further considered that this rule could be dismissed in
cases of material whose illegality was patent, falling within the category of child
pornography, death threats, genocide and “deliberate harm to the honor” of a third
party.
Therefore, the general rule, according to the Argentinean decision, determines that
the search providers do not objectively respond for the content they index. They can
only be held liable if they fail to comply with a notice which provides unequivocal
knowledge of the unlawfulness of the material. The exception to this rule lies in
cases where the unlawfulness is patent. In such circumstances it is possible for an
individual, upon receiving a notification, may hold the provider liable if he does not
act to remove the material once notified.
If the Court was unanimous in gauging this regime of providers liability, the
same cannot be said regarding the question of the unauthorized use of the image
of the actress in the thumbnails in the search by images. Although most Justices
exempted providers from any liability regarding the thumbnails, two Supreme Court
justices defended the thesis that the Argentinean Intellectual Property Law would
not allow such use since it is not authorized and does not fall within the exceptions
to the law (such as the use without consent of the image of others for scientific,
academic or cultural purposes). According to Article 31 of Law no. 11.723: “Es
libre la publicación del retrato cuando se relacione con fines científicos, didácticos
y en general culturales, o con hechos o acontecimientos de interés público o que se
hubieran desarrollado en público”.
There was a divergence among the judges regarding the creation of means to
prevent harm from recurring in the future. The actress demanded that providers start
developing a filter to prevent the same illicit content from recurring and being found
once again through the search engines. This is an extremely delicate point, since
such filters are generally not accurate and may end up blocking much more than
Brazilian Internet Bill of Rights: The Five Roles of Freedom of Expression 233
understanding that application providers only answer for third party content if they fail to comply
with a court order. However, the Internet Bill of Rights distinguishes between connection providers
(those that provide access to the network) and application providers (such as search engines, hosting,
social networks, etc.). The former does not answer for the acts of their users (Article 18) and the
latter only answers if they do not comply with a court order (except for copyrights and “revenge
porn” material, pursuant to Articles 19 et seq.). Argentinean Federal Supreme Court of Justice
quoted Article 18 of the Internet Bill of Rights, which deals with connection providers, when in fact
it would be more appropriate to have quoted Article 19, which deals precisely with the application
providers, such as Google and Yahoo! by offering a key-word search service.
234 C. A. P. de Souza and B. L. M. Nunes
According to Darian Pavli, the Argentinean trial may establish conditions for the
construction of a third approach on intermediaries’ civil liability, positioning itself
among the extremes presented by the United States, which adopts a wide liability
exemption as a rule (and a notification and takedown system for copyright) and
Europe, which would allow a greater space for private notifications.37
A future concern is the exception provided by the court in cases of manifest
illegality, in which the rule could be dismissed, generating the providers’ liability
when failing to act after having unequivocal knowledge of the offensive material.
When providing examples of cases of manifest illegality as “deliberate injury to
honor” there remains the danger that judgment on the illegality of content posted
online is extremely subjective. Depending on how future decisions go, such openness
by the court could even make the exception a rule.
Article 19 of the Internet Bill of Rights determines that the liability of application
providers is of a fault-based nature, however, it does not derive from the noncom-
pliance of a private notification, but rather from the failure to comply with a judicial
court order that determines specific content as illicit.
The Judiciary was instated as the authority for deciding on the illegality of content
available online by the Internet Bill of Rights. Therefore, it resembles the estab-
lished by the Argentinean precedent, reducing the spectrum of private notifications.
However, it is worth highlighting that while the Argentinean decision allows for
greater exceptions, the Brazilian Internet Bill of Rights establishes specific excep-
tions in its text. Those are for cases involving copyright (Article 19, second paragraph)
and content classified as “revenge porn” (Article 21).38
The available case law in Brazil, prior to the Internet Bill of Rights, regarding
the Supreme Court’s position, established that application providers would be liable
if, after notified by the interested party, failed to comply, and remove the indicated
content. This liability system would apply to issues involving copyright infringement,
but also to any issue associated to different personality related rights, such as honor,
privacy, and image.39
37 Pavli, Case Watch: Top Argentine Court Blazes a Trail on Online Free Expression, Open
Society Foundations, 2014, https://www.opensocietyfoundations.org/voices/case-watch-top-argent
ine-court-blazes-trail-online-free-expression (accessed 11 Jan. 2022).
38 Spadaccini de Teffé, What is revenge porn and how can I protect myself?, Academia, https://www.
academia.edu/35886754/What_is_revenge_porn_and_how_can_I_protect_myself, (accessed 11
Jan. 2022).
39 See: Superior Court of Justice (STJ) – Special Appeal Nr. 1,193,764/SP, Reporter Justice Nany
Andrighi, 14.12.10; Superior Court of Justice (STJ) – Interlocutory Appeal in Special Appeal Nr.
1,309,891/MG, Reporter Justice Sidnei Beneti, 26.06.12.
Brazilian Internet Bill of Rights: The Five Roles of Freedom of Expression 235
The Internet Bill of Rights embraces a different position from that previously
established in the last few years. Among the many reasons for such an approach, the
most important one is related to the outstanding role played by freedom of expres-
sion according to the terms established by the Internet Bill of Rights. By recur-
rently mentioning freedom of expression, Law no. 12.965/14 ensures that a specific
protection is granted to the subject at hand.
The Internet is an unprecedented means of communication and information. If, on
the one hand, it is true that no new law is needed for each new form of expression that
may arise, the Internet has so profoundly innovated the ways through which one can
express his or herself that the Law cannot remain idle to its development. The delicate
task set out for the Brazilian Internet Bill of Rights is to achieve a balance between
the development of an environment in which freedom of expression is cultivated—
considering that the Internet easily both broadens and restricts speech—while, at the
same time, ensuring victims of undue content the necessary means for identifying
the author and removal of such content.
It is worth mentioning that the Internet Bill of Rights only conditions the liability
of application providers to the non-compliance with a judicial order. By doing so, it
honors the Judiciary as the legitimate branch with the power to distinguish between
legal and illegal content. However, this understanding in no way prevents providers
from determining their own rules and defining what may or may not be displayed
on their platforms. Therefore, upon receiving private notifications indicating that
a content is unlawful, the provider has the freedom to decide whether to keep the
content or remove it as per request.
This conclusion seems to offer a complex balance on the exercise of rights consid-
ering it relieves the pressure from the provider who would otherwise have to remove
each and every kind of content deemed unlawful, ultimately implicating freedom of
expression on the Internet. Nevertheless, the provider is not prevented from acting if
the material is contrary to the terms of use and other policies governing the operation
of his platform.
Thus, although the private notification cannot forcefully oblige the provider to
comply with a private notification, under the penalty of holding the provider liable,
it is a customary practice used for reporting the existence of potentially harmful
content on the Internet. Since there is no obligation for providers to consistently
monitor what is being shared online, the notification acts as an alert so that they can
verify the origin of an alleged damage caused.
Therefore, if they decide to remove the content because it is contrary to the terms
governing their platform, the providers are not violating the Internet Bill of Rights in
doing so, because Law no. 12.965/14 does not prohibit the withdrawal of content in
those terms. This is not to say that the provider cannot abuse its position and actively
filter or block content in ways that unduly restrict freedom of expression.
In these cases, it will be relevant to weigh the reasons that led to the blocking,
filtering or spontaneous removal of the content (did the provider seek to avoid
damages derived from that content?), with the impact that its implementation causes
to freedom of expression. Given that Article 19 exempts providers from liability, with
the aforementioned exceptions, providers must exercise the freedom of expression
236 C. A. P. de Souza and B. L. M. Nunes
as core to their activities and only take measures to filter, block or remove content in
cases which are supported by obvious and evident reasons.
Lastly, it is important to clarify that, if for most of the application providers the
Internet Bill of Rights innovates by ensuring that liability is only due when failing to
comply with a court order, a different treatment of the so-called “search providers”
has been established by case law. The Federal Supreme Court has determined that
Google, as a keyword search engine, will not be liable for content resulted from
searches carried out by its users.40
Xuxa Meneghel, a famous television presenter, sought to compel Google to
remove from search results the expression “xuxa pedófila” or any other expression
or phrase that associated her name with any criminal practice. The Superior Court
of Justice (STJ), however, dismissed such request:
6. Search providers are not required to remove from their system the results derived from
searching for a particular term or expression, or results that point to a specific photo or text,
regardless of the URL of the page where it is inserted.
7. It is not possible, under the pretext of hampering the propagation of illegal or offensive
content on the web, to suppress the community’s right to information. Having weighed the
rights involved and the potential risk of violation of each one of them, freedom of information
should be guaranteed, in accordance to Article 220, §1° of the Federal Constitution, especially
considering that the Internet represents today an important mass media vehicle.41
The second paragraph of Article 19 refers to the civil liability regime for copyright
infringement as follows:
Article 19, Section 2. This article will apply to violations of copyright and related rights
only when specific legislation to that effect is adopted; the legislation, when adopted, must
respect the freedom of expression and other guarantees provided for in Article 5 of the
Federal Constitution.
It is worth noting that the aforementioned Article states that the subject of copy-
right falls beyond the limits of the Internet Bill of Rights, recommending, never-
theless, that regardless of the solution applied it should “respect the freedom of
expression”.
40 See: Superior Court of Justice (STJ) – Special Appeal Nr. 1,316,921/RJ, Reporter Justice Nancy
Andrighi, 26.06.12.
41 See: Superior Court of Justice (STJ) – Special Appeal Nr. 1,316,921/RJ, Reporter Justice Nancy
Andrighi, 26.06.12.
Brazilian Internet Bill of Rights: The Five Roles of Freedom of Expression 237
This recommendation has its roots in a long debate about the exercise of copyright
and how its implementation in recent decades has given rise to a series of legisla-
tive changes, especially in the criminal field, seeking to consolidate a broad legal
apparatus to hold accountable those involved in copyright infringements.
Two movements emerge in this scenario: on the one hand, a growth in the debate
on piracy and on how copyright infringements must be treated in a rigorous way;
on the other hand, the understanding that not only copyright infringements should
be analyzed, but also the behavior of authors and copyright owners, since they may
abuse the exercise of this right.42
Therefore, a need arises to recognize the role that freedom of expression plays
in this debate and how the design of one or another form of copyright exercise can
impact the expression of thought.
By guaranteeing the author and the copyright holder the possibility of preventing
the unauthorized use of an intellectual creation, this evident right may collide with
other rights, and in particular with that of freedom of expression. The publication of
a critique, the access to documents for research, the creation of a parody, the citation
of artistic work, among several other situations, are examples in which the respect
to copyright and the expression of the thought becomes evident.
The second paragraph of Article 19, therefore, can be interpreted as an imposition,
meaning that whatever the solution found determining liability for damages caused
to copyright, it should refrain from adopting a system which ignores the expression of
thought. Freedom of expression, notwithstanding the solution applied, should always
be the core reference.
8 Conclusion
The five roles of freedom of expression in the Brazilian Internet Bill of Rights clearly
demonstrate the importance of this right to comprehend what Law no. 12.965/14
represents to the current legal system. Recognized internationally as a positive step
towards the protection of fundamental rights in the worldwide network of connected
devices, its future is challenged by the different interpretations of its principles and
foundations.
In this respect, the Internet Bill of Rights’ emphasis on freedom of expression
answers to both technical and political reasons. The established balance sought by
its implementation is complex and will depend upon the Judiciary Power to make
use of the almost seven years of academic research, activism in the network and
legislative work dedicated to its elaboration.
The Internet will certainly pose unimagined challenges for the application of the
Internet Bill of Rights. Another certainty is the perception that, regardless of what the
challenges will be, having freedom of expression as a guiding principle not only for
the interpretation and application of Law no. 12.965/2014, but for other existing laws
applicable to the Internet in our Country, is a step in the right direction. The goal is
to consolidate Brazil as a leader on Internet regulation based on human rights, which
positively differs from the temptations to curtail free speech. The same Internet that
promotes freedom, also restricts it. Thus, the future of Law no. 12.965/14 will be
better served by actively protecting freedom, liberties, and promoting rights.
References
Aftab S (2022), Online anonymity—the Achilles’-heel of the Brazilian Marco Civil da Internet.
In: Albers M, Sarlet IW (eds) Personality and data protection rights on the internet. Springer,
Dordrecht, Heidelberg, New York, London (in this volume)
Capaldi N (1984) Da Liberdade de Expressão: uma antologia de Stuart Mill a Marcuse. FGV, Rio
de Janeiro
Casanova L (1875) Del Diritto Costituzionale. Eugenio e Filipo Cammeli, Florença
Cerf V (2012) Internet access is not a human right. New York Times, 4 January 2012, http://www.
nytimes.com/2012/01/05/opinion/internet-access-is-not-a-human-right.html?_r=0. Accessed 11
Jan. 2022
Farias E (2004) Liberdade de expressão e comunicação—teoria e proteção constitucional. Revista
dos Tribunais, São Paulo
Ferrara F (1987) Interpretação e aplicação das leis. Saraiva, São Paulo
Godoy CLB (2001) A liberdade de imprensa e os direitos da personalidade, Atlas, São Paulo
Gonçalves NPS (2014) Liberdade de Expressão e Estado Democrático de Direito. In Clève, CM
(ed) Direito Constitucional Brasileiro, vol I. Revista dos Tribunais, São Paulo, pp 391–405
Hartmann IA (2022) Self-regulation in online content platforms and the protection of personality
rights. In: Albers M, Sarlet IW (eds) Personality and data protection rights on the internet.
Springer, Dordrecht, Heidelberg, New York, London (in this volume)
Haddad JG (2000) Liberdade de pensamento e direito à vida privada. Revista dos Tribunais, São
Paulo
Lemos R (2005) Direito, Tecnologia e Cultura. Editora FGV, Rio de Janeiro
Luño AEP (2002) Teoría del Derecho. Tecnos, Madrid
Marinoni LG, Mitidiero D, Sarlet IW (2014) Curso de direito constitucional, 3rd edn. Revista dos
Tribunais, São Paulo
Moraes A (2002) Constituição do Brasil interpretada. Atlas, São Paulo
Olson P (2014) We are anonymous: inside the hacker world of LulzSec, Anonymous, and the global
cyber insurgency. Back Bay Books, New York
Pavli D (2014) Case watch: top argentine court blazes a trail on online free expression. Open
society foundations. https://www.opensocietyfoundations.org/voices/case-watch-top-argentine-
court-blazes-trail-online-free-expression. Accessed 11 Jan. 2022
Pereira SCA (2013) Abuso do Direito nas Relações Privadas. Elsevier, Rio de Janeiro
Rodrigues LB (1958) A corte suprema e o direito constitucional Norte-Americano. Forense, Rio de
Janeiro
Sarmento D (2002) A ponderação de interesses na Constituição Federal. Lumen Juris, Rio de Janeiro
Sarmento D (2013) Comentário ao artigo 5º, IV. In Gomes Canotilho JJ, Mendes GF, Sarlet IW and
Streck LL (eds.) Comentários à constituição do Brasil, Saraiva/Almedina, São Paulo
Sartre JP (1970) L’Existentialisme est un humanisme. Nagel, Paris
Scalisi A (1990) Il valore della persona nel sistema e i nuovi diritti della personalittà, Giuffrè, Milão
Schreiber A (2022) Civil rights framework of the internet (BCRFI; Marco civil da internet): advance
or setback? Civil liability for damage derived from content generated by third party. In: Albers
M, Sarlet IW (eds) Personality and data protection rights on the internet. Springer, Dordrecht,
Heidelberg, New York, London (in this volume)
Brazilian Internet Bill of Rights: The Five Roles of Freedom of Expression 239
Schulz W (2022) Regulating intermediaries to protect privacy online—the case of the German
NetzDG. In: Albers M and Sarlet IW (eds) Personality and data protection rights on the internet.
Springer, Dordrecht, Heidelberg, New York, London (in this volume)
Silva JA (1999) Curso de direito constitucional positivo. Malheiros, São Paulo
Souza AR (2005) A função social dos direitos autorais. Faculdade de Direito de Campos, Campos
dos Goytacazes
Carlos Affonso Pereira de Souza Professor of Law at the State University of Rio de Janeiro
(UERJ). Director of the Institute for Technology and Society of Rio de Janeiro (ITS Rio). Main
areas of research: Internet governance and regulation. Selected Publications: O Futuro foi Repro-
gramado: como a tecnologia está transformando as leis, a política e os relacionamentos, Rio de
Janeiro: Obliq, 2018; Abuso do Direito nas Relações Privadas, Rio de Janeiro, Elsevier, 2013;
(Coord) Marco Civil da Internet: Jurisprudência comentada, São Paulo, Revista dos Tribunais,
2017.
Beatriz Laus Marinho Nunes Intellectual Property Specialist (PUC-Rio). Research Project: O
Impacto da Impressão 3D no Regime da Propriedade Intelectual e na Indústria da Moda, PUC-
Rio, 2019. Main areas of research: Intellectual Property, 3D Printing and Fashion Law. Free-
lance Translator, for articles and other documents both related and non-related to Intellectual
Property and Law. Selected Publications: (Coauthor) ‘Copyright Limitations in Brazil’, Rout-
ledge, upcoming, 2021, p.169-175; (Translator) ‘Statute of Limitations and International Arbitra-
tion’, CBAr, 2019; (Co-authorship) Marco Civil da Internet: Jurisprudência comentada, São Paulo,
Revista dos Tribunais, 2017.
Civil Rights Framework of the Internet
(BCRFI; Marco Civil da Internet):
Advance or Setback? Civil Liability
for Damage Derived from Content
Generated by Third Party
Anderson Schreiber
Abstract This article examines the controversies involving the clash between
personality rights in cyberspace and freedom of expression, especially in relation to
the new rules of the Brazilian Civil Rights Framework of the Internet (Law 12.695)
and its consequences to the problem of civil liability of Internet providers in connec-
tion with harmful content generated by third parties. The regime is extremely restric-
tive, which represents an undeniable setback when compared to the path that was
being trod by Brazilian case law on this matter. In this context, this article analyses
the “specific court order” requirement mentioned by Article 19 of the Civil Rights
Framework of the Internet to set the civil liability of Internet providers in contrast
to the general discipline of civil liability. The compatibility of Article 19 with the
Brazilian Constitution is also discussed, in light of the fundamental rights of the
human being in cyberspace.
1 Introduction
Iracema Cristina, psychologist of a large business company, had her name included
on a romantic date website. Next to her full name and actual business telephone
number, the website conveyed the following information about Iracema: “person
proposing to engage in affective and sexual activities in exchange for money”.1 To
get her name removed from the website, Iracema needed to file a lawsuit, in the scope
of which she affirmed, in a personal deposition, that she feared to lose her job on
account of the embarrassing exposure to which she was being submitted.
False profiles and other types of disclosure of untrue information may cause
irreparable damage to persons victimized by their use. The disclosure of false or
Scartezzini, 11.23. 04. Plaintiff’s name was changed to prevent her identification.
A. Schreiber (B)
Faculty of Law, Rio de Janeiro State University (UERJ), Rio de Janeiro, Brazil
e-mail: schreiber@schreiber.adv.br
defamatory information in the virtual universe produces quite real effects, spanning
from mere mistrust to the cooling down of professional and personal relationships,
covering, at times, more objective measures, such as losing a promotion or being
left behind in an interview, dismissal or even a breakdown in affective relationships.
Victims are frequently affected by the episode and start to be seen as careless, unin-
terested persons, even when they have contributed to the outcome. The argument
of the “there is some truth in it”, which is so common in Brazilian society, is not
easily dissipated and suppression of the false of defamatory content from the Internet
proves to be only the first step in a long path to be traveled by the victim in restoring
her reputation.
As if this were not enough, it is a first step, which meets enormous resistance.
Suppression of damaging information—even in cases which where they show to be
flagrantly untrue—it is a measure avoided by many companies which exploit the field
of social networks and of relationship sites. The case of Adriana Valença appears to
be emblematic. She saw true photos taken for a “book” end up in the network, in a
false profile created in Facebook, which, next to her cell phone number, contained
the information that Adriana was a “call girl”. Adriana started to receive telephone
calls from “customers” interested in hiring her alleged services and those who knew
her saw her with suspicion. She tried, in every way, to get the false content removed
from the air, by sending emails to the social network but affirms that she did not
even receive an answer. Her last resort was to go to Court, with all the costs and
expenditures involved.2
Such lawsuits, which could seem simple and even unnecessary at first glance, are
often converted into endless legal battles. The need to defend one’s honor frequently
meets a major obstacle, which ends up as an actual flag of contemporary society:
freedom of expression in the virtual universe.
2 Court of Justice of the State of São Paulo [TJSP]—Civil Appeal No. 0173842-
95.2012.8.26.0100/2014, Reporter Associate Justice Beretta da Silveira, j. 01.21.14. Check also
the article: Oliveira (2014). Plaintiff’s name was also changed here to prevent identification.
Civil Rights Framework of the Internet … 243
3 Accordingly, see Lévy (1999), p. 167: “Cyberspace, interconnection of the planet’s computers,
tends to become the main infrastructure of economic production, transaction and management. Soon,
it will be the main piece of international collective equipment of memory, though and communi-
cation. In short, in approximately tens of years, cyberspace, its virtual communities, reserves of
images, interactive simulations, its irresistible proliferation of texts and signs, will be the essential
mediator of humanity’s collective intelligence.”
4 Bauman (2008), p. 138.
5 Still in the author’s words: “In searching for successful self-identification, self-manipulative indi-
viduals maintain quite an instrumental relationship with their interlocutors. The latter are only
admitted to attest to the existence of the manipulator—or, more exactly, to allow manipulators to
make ‘their virtual counterparts’ face reality.” (Jauréguiberry (2004), p. 6).
6 Frank T (2004) Le Marché de Droit Divin. Paris, Lux, apud Bauman (2008), p. 138.
244 A. Schreiber
dissent travels in the direction of electronic warehouses, it is sterilized, neutralized and made
irrelevant (...) Real politics and virtual politics run in opposite directions, and the distance
between both grows in the proportion in which the self-sufficiency of each benefits from the
lack of the other’s company.7
Apart from this, these concerns of a more generic nature and abstract nature,
it seems undeniable that virtual communication frequently assumes a self-centered
character, which ends up, in many cases, leading to radicalizations and extremisms. In
the Brazilian scenario, for instance, the great volume of offensive pronouncements
(including cursing and other impolite behavior) that is present in social networks
cannot be disregarded. Nor should one ignore the role of virtual communication in
the exacerbation of the clashes, which surrounded the Brazilian presidential election
of 2014. In these election, especially in the second round, it ended up raised to levels
of real danger to aggression of the virtual pronouncements made by supporters of both
candidates—and even persons who appear to be little engaged in real life. In addition,
on the one hand, it is true that, one year before said elections, the social networks had
been praised as a locus of political mobilization, for having served as an important
instrument in the pronouncements of June 2013. On the other hand, it is also true
that such pronouncements were characterized precisely by the absence of defined
pleas, joining persons more around a general and diffuse feeling of dissatisfaction and
rebellion than properly around practical objectives to be achieved. Hence, perhaps
the involuntary association of these pronouncements with vandalism. It erupted from
them as a frankly minority, but constant, element (vandalism that, like every explosion
of violence, reflects the gross feeling that one does not succeed in “communicating” in
actual projects), and the general sensation that, at the end of the wave of mobilization,
“nothing happened”, “nothing changed”, given the absence of concrete perceptible
and safely expected consequences given the grandiosity of the jest upon which “the
giant woke up”. Mobilizations stopped so suddenly and abruptly as they started, as
if they had been “unplugged” or “disconnected” from the network, with the speed
typical of “clicks”. It confirms, in a certain way, the theory of Bauman, for whom “the
‘network’ seems, disturbingly, a sand dune blown by the wind and not a jobsite where
reliable social ties may be established”8 or—one should add—a political freedom
geared to obtaining actual transformations in society is exercised.
The problem is not summarized, however, to an absence of concrete effectiveness
of the talked about freedom of expression in the virtual universe, but it reaches the
very essence of freedom of expression, insofar as new forms of communication on the
Internet, if they apparently encourage the exercise of such freedom, in an increasing
measure also oppress it. This is not a paradox. Extremism and radicalism—derived
from the individualistic character that have been increasing in these new communi-
cation environments—often drift into verbal aggression, stigmatizing labeling and
hate speech which are scattered through the network. The idea that the Internet is a
space of the utmost freedom—immune, due to its absence of geographical base, to
regulatory or governmental controls—contributes, to a certain extent, to new forms
of oppression, such as virtual bullying and the so-called online hate speech, revealing
what has been called the “dark side” of social networks: their increasing role in the
propagation of hate.9
Given these new forms of oppression, there are those who acquiesce, saying that
the Internet is like that10 ; those who do not like it should keep distance from the
virtual world. Virtual abstinence, however, is not a concreted alternative for the new
generations, who are not restricted to using the social networks only for purposes
of predilection. The new generations needs to access them also to obtain utilities
that transcend leisure, such as, for instance, to have access to notices from class
representatives at school and university, or, also, to data from events geared to the
young audience, which, very often, are divulged exclusive via social networks. Virtual
abstinence is not a satisfactory solution insofar as, although less violent than virtual
aggression, it equally represents a form of exclusion and, therefore, annihilation of
freedom of expression, among other freedoms.
Therefore, the only way is to apply rules which ensure that freedom of expression
is not exercised against itself. As it has already been said in the past in relation to the
freedom to contract,11 freedom of expression is “autophagic”, to the effect that, in
any environment where there is not equality of forces, the freedom of expression of
the stronger tends to subjugate the freedom of expression of the weaker. In unequal
scenarios, the absence of rules does not normally result in greater freedom; on the
contrary, in mere semblance of freedom, to the extent that regulatory omission benefits
only those who, having greater economic and technical might, see themselves, finally,
free to pursue their own interests without needing to respect rules established in the
interest of society as a whole.
It is necessary to understand that the virtual environment, at least in its current
design, does not characterize a paradisiacal locus for meeting individuals prepared
to freely debate their ideas, but consists of, before anything else, a space of market
activity. As Marvin Ammori recalls, the members of the legal departments of compa-
nies such as Google and Twitter “have business reasons for supporting free expres-
sion.”12 Relationship sites and social networks are quite a successful business model,
which, under the appearance of almost distracted entertainment, hides an industry of
9 Clarke (2013).
10 An example of this attitude is in the regrettable decision of the 4th Panel of the Superior Court
of Justice—STJ, Special Appeal No. 844736/2009, Reporter Justice Honildo Amaral de Mello
Castro, 20.27.09, where it was concluded that sending spam after express request not to receive
it characterizes moral damage; it is up to the user to contract an antispam service (Justice Luis
Felipe Salomão was defeated, by a substantial vote). One of the Justices who accompanied the
prevailing understanding even affirmed: “Spam is something to which the Internet user is submitted.
At this point, I don’t see how we can untie use of the Internet from spam.” (‘4th Panel does not
recognize Non-Pecuniary Damage for sending erotic SPAM to an Internet user’, Superior Court
of Justice—November 03, 2009, https://scon.stj.jus.br/SCON/GetInteiroTeorDoAcordao?num_reg
istro=200600946957&dt_publicacao=02/09/2010. Accessed 11 Jan. 2022.
11 Roppo (1988), p. 38.
12 And concludes: “Indeed, all of these companies talk about their businesses in the language of
free speech. Google’s official mission is ‘to organize the world’s information and make it univer-
sally accessible and useful.’ WordPress.com’s corporate mission is to ‘democratize publishing.’
246 A. Schreiber
cyphers significantly higher than the traditional media itself. This is an aspect that
cannot be merely disregarded in debates involving the application of legal rules to
the virtual space.
The idea that the Internet must today be a space free from the application of
any kind of rule represents, today, an essentially romantic proposal.13 To keep the
Internet far from the boundaries of the Law means to deliver it to the command of the
market: its development will stop being guided by the legal rules to browse through
the flavor of the interests of big industry, which safely does not correspond to the
vision of the future of those who advocate uttermost freedom in the network.14 To
see the Law as an enemy of freedom is a deep methodological mistake, insofar as
only in a regulated environment can the exercise of freedom take place without fear
of abuse, which represents its own denial.
Let us go back to the case of Iracema Cristina, who feared losing her job due to
a false profile, which defamed her, or of Adriana Valença, who after being labeled
on the Internet as “call girl”, became seen as suspect in her closest social milieu.
The perception of the devastating impact that the transmission of material on a
certain person can produce in her real life is only one of the many circumstances
that confirm the need to apply legal rules to the virtual world. The Internet cannot
represent irresponsibility of life in society.
This understanding had already been noticed by Brazilian courts, before the enact-
ment of the Civil Rights Framework of the Internet, in a series of judicial proceedings
involving victims of content transmitted by third parties in social networks and rela-
tionship websites. To evaluate the treatment reserved to this matter by the Civil Rights
Framework of the Internet, it is essential to understand what the state of our case law
prior to enactment of the law was.
Facebook’s is to ‘give people the power to share and make the world more open and connected’.”
(Ammori (2014), p. 2260).
13 This Romanticism is well represented in the famous Declaration of Independence of Cyberspace,
written in 1996 by John Perry Barlow, who, among other points, affirmed: “We are creating a world
that all may enter without privilege or prejudice accorded by race, economic power, military force,
or station of birth. We are creating a world where anyone, anywhere may express his or her beliefs,
no matter how singular, without fear of being coerced into silence or conformity. Your legal concepts
of property, expression, identity, movement, and context do not apply to us. They are all based on
matter, and there is no matter here.” (Barlow (1996)).
14 In such respect, it is interesting to note how liberal thinkers, who defended the absence of
intervention of the State-norm on the Internet, started to denounce as a kind of “censure” the
norms created by the virtual communication companies and applied purely privately, without the
disclosure and transparency which characterize the state-legislative branch. See, on this instigating
theme, Heins (2014).
Civil Rights Framework of the Internet … 247
15 Accordingly, the 3rd Panel of the Superior Court of Justice—STJ had already decided, in 2012,
that: “The fact that the service provided by the provider of Internet service being free does not
depreciate the consumer relation, as the term ‘by remuneration’, contained in Article 3, §2, of the
CDC [Civil Law Code] must be interpreted broadly, so as to include the indirect gain of the supplier”
(Superior Court of Justice—Special Appeal No. 1308830/2012, Reporter Justice Nancy Andrighi,
05.08.12).
16 See, for illustration, Court of Justice of the State of Rio de Janeiro (TJRJ)—Civil Appeal No.
has grounds, as, in fact, it was done after submission of this appeal (...) so, if the defendant
is a person or entity of means, as it proved albeit late, to identify the offender, and did not do
so, it will answer for the latter’s anonymity, the duty to compensate the damage sustained
being clear.17
In another case of false profile, the victim, who, next to where her true telephone
number was displayed, was described as a woman “in her 40s, craving sex”. In this
case, the same Court of Justice of Rio de Janeiro went further, concluding that the
identification of the third party divulging the damaging content does not release from
liability the company, which owns the website:
The indication, by the defendant, of the user who promoted the inclusion of said false profile
does not remove his responsibility which, in the case, is objective. It is up to the supplier to
develop protection mechanisms with view to prevent fraud, especially when the occurrences,
as that described in these records, become frequent, removing from them the nature of act
of God.18
Generally, our courts had been considering that business companies, which
somehow create and operate social networks must be regarded liable for the damage
caused to the victims of damaging content. Not only because they provide, as an
aspect inherent to their activity, a space to spread messages of their users, but also
because they obtain economic gains from the direct or indirect exploitation of this
communicative space. In this sense, it is worth highlighting the tone attributed to the
matter by the Superior Court of Justice:
Those who make it technically feasible, those who benefit economically and, actively,
encourage the creation of communities and relationship pages on the internet are as respon-
sible for the control of eventual abuse and for the guarantee of the personality rights of
internet users and third parties as the very internet users who disseminate information which
is offensive to the most trivial values of life in community, whether it be real or virtual.19
17 Court of Justice of the State of Rio de Janeiro—Civil Appeal No. 2009.001.14165/2009, Reporter
Associate Justice Alexandre Câmara, 04.08.09. Excerpt extracted from the vote of Reporter,
accompanied by his peers.
18 Court of Justice of the State of Rio de Janeiro—Civil Appeal No. 2009.001.41528/2009, Reporter
Benjamin, 03.09.10. Note that the situation is analogous to what already happens outside the virtual
world, in the provision of services, which may be manipulated by third parties to generate damage
to users, as in the case of registration in the credit protection services for debt contracted with false
documents, a case which the STJ already decided to fall within the sphere of responsibility of the
contracting financial institution, even if only belatedly such institution becomes aware of such docu-
mental falsification of documents: “The action of persons without scruples specialized in acquiring
credit cards with the name and taxpayer identification number [CPF] of a deceased person to acquire
a credit card and use it until it is suspended for default on invoices has become commonplace. (…)
The credit card administrator which normally executes its contracts by phone or Internet, without
requiring the physical presence of the consumer who is the user of the credit card only becomes
aware of the fraud when it deflagrates the extrajudicial collection procedures. The case law of this
Court is settled to the effect that the undue indication of the name of consumer in credit protection
bodies produces non-pecuniary damages, generating the obligation to indemnify for those who
make the registration.” (Superior Court of Justice—Special Appeal No. 1.209.474/2013, Reporter
Justice Paulo de Tarso Sanseverino, 10.09.13).
Civil Rights Framework of the Internet … 249
Even the Courts judgement that gave prestige to the technical difficulty of diver-
sion of content posted on the social networks, did not conclude, for the most part,
in favor of the lack of liability of companies. On the contrary, they were favor of a
kind of conditioned liability, deflagrated only from the time when, informed about the
existence of the damaging material, the companies did not adopt measures to remove
the offensive material from its website. Check, in this direction, the following court
decision rendered by the 4th Civil Chamber of the Court of Justice of Rio de Janeiro
in another case, which deals with false profile in Orkut:
In the case in question, and in a first analysis, I share the understanding of the learned judge
to the effect of the impossibility of the host provider duly verifying the preview of the 40
million pages existing in Orkut. This is in a first analysis. However, if this is so, there is no
doubt that, when the exclusion of the profile is requested, the provider is obliged to exclude
it if it is false and offensive to the honor of who has been portrayed.20
In this cross-sectional way, the theory of notice and takedown began to go into
Brazilian reality. Inspired in the Digital Millennium Copyright Act, said theory
emerges from copyright law, to create a kind of exception of liability for violation
of copyright on the Internet, ensuring immunity to providers who readily complied
with the notification by the party offended to withdraw the improper material. With
the notification, the controversial duty of permanently monitoring the network is
transformed into a specific obligation to act, which could no longer be refused based
on the argument of practical unfeasibility of monitoring and which, if complied with,
would exempt the party notified from civil liability.21
The import of the theory of notice and takedown into the field of civil liability
for damage resulting from content generated by third party would represent, from a
certain angle, a split-up in the Brazilian civil liability system. The liable party would
only be considered as such if, after being informed, it would stop acting to prevent
perpetuation of the damage. This would be a kind of ex post civil liability, subse-
quent to the damage, geared to preventing the damage from being propagated. It is
evident that, in practice, such importing would mean that the damage sustained by
the victim during the period prior to the notification would remain not being reim-
bursed (or could only be reimbursed by the third party which generated the content,
almost always anonymous or, even when identified, not capable of being located or
incapable—legally or economically—of bearing the indemnity or technically inca-
pable of adopting any other measure which could mitigate the effects of the damage
sustained by the victim). The notice and takedown would establish, to this effect, a
kind of “immunity” of the owner of the website until the time of notification, leaving
20 Court of Justice of the State of Rio de Janeiro—Civil Appeal No. 2008.001.04540/2008, Reporter
Associate Justice Horácio dos Santos Ribeiro Neto, 25.03.08.
21 The Digital Millennium Copyright Act (Public Law No.: 105-304/1998) regulates in detail, in
its Title II (referred to as Online Copyright Infringement Liability Limitation), the procedure of
notification and counter-notification, in addition to measures, which must be followed by providers
to to be entitled to limitation of liability. See particularly Section 202, which brings substantial
modification to § 512 of Chap. 5 of Title 17 of the United States Code, compilation of federal rules
of a general and permanent nature.
250 A. Schreiber
without reparation at least part of the damage suffered by the victim,22 which could
raise allegations of affront to the principle of full reparation.
On the other hand, the practical effects of the import proved to be promising.
The immunity promised would at least encourage a more proactive behavior by the
owners of social networks, which would have, at the time of the notification, the
opportunity to evaluate the content posted by the third party and decide whether or
not adopting measures for its removal from the website (like what the majority of
such companies already do in relation to child pornography). It would contribute to a
healthier virtual environment, which respected the fundamental rights of the human
being, without the need to impose on the victim appealing to the Judiciary, which, in
addition to being costly, requires time incompatible with the quick diffusion of the
offensive content by the virtual world. This “stimulus” to a proactive performance
did not appear, however, exempt from controversies. In its homeland, the notice
and takedown is criticized by a kind of “chilling effect”, which its abusive use may
cause in the exercise of free expression.23 Such criticisms, however, are normally
linked to the notifications based on copyright protection, which, through their own
nature, end up exercising a defensive role by the entertainment industry, undermining
forms of artistic expression which are typical of the virtual environment, such as the
mélanges, sampling and pasting. In matter of protection of the fundamental rights
to the honor, privacy and image of the human persons, the argument of the “chilling
effect” of free expression is not only less usual, it is also less convincing, at least
in the largest portion of concrete cases, which involve unauthorized disclosure of
personal messages, discriminatory messages, incitation to hate, coarse cursing and
other situations in which the exercise of free expression proves to be clearly abusive.
In any case, the very mechanism of the notice and takedown, when adopted by
a legal order, must contain counter-caution to prevent it abusive use and ensure its
effective operation. In the United States, for instance, the notification must contain
minimum requirements (identification of the content that violates copyright, data
of the contact making the notification, etc.) and there are express provisions for
counter-notification by the alleged violator of copyrights, in addition to terms for the
22 Check, in this respect in particular, the prevailing vote in a court decision of the Court of Justice
of Rio de Janeiro, in which it was affirmed that the doctrine of the notice and takedown is diverted
from Brazilian legal tradition, for which “damage happens at the time of publication, the theory of
the learned prevailing vote that the plaintiff should first request the removal of the page not being
valid, as this mere step does not elide the loss already sustained. There is not in our Law an offense
which is not subject to indemnification” (Court of Justice of the State of Rio de Janeiro—Civil
Appeal No. 2008.001.56760/2008, Reporter Associate Justice Otávio Rodrigues, 12.03.08).
23 See https://lumendatabase.org/, official page of the Lumen Project, an initiative developed jointly
by the Electronic Frontier Foundation and prestigious American universities (Harvard, Stanford,
Berkeley etc.) with the declared objective of enlightening the public and preventing the legislation
of the United States (especially the system of notice and takedown) from being used abusively to
“cool off” the exercise of freedom of expression on the Internet. (Lumen is a Project of the Berkman
Klein Center for Internet & Society at Harvard University. [website], 2017, https://lumendatabase.
org/pages/about. Accessed 11 Jan. 2022.
Civil Rights Framework of the Internet … 251
activity of the site owner.24 The danger of a case law incorporation of the notice and
takedown in Brazil lays precisely on its “incorporation by half”. As it happens among
us, especially in matter of civil liability, the “idea” of the institution was incorporated
without previous understanding and consequent acceptance of its multiple aspects.25
The restricted space to a judge in a concrete case did not permit detailed development
of the institution and, thus, the notion of notice and takedown started to make its
way into our case law, always with the best of intentions, but in a somewhat risky
way. An essentially procedural mechanism started to appear in our judicial decisions
without a regulated procedure, without estimate of counter-notification and of the
other guarantees that surrounded it in its origin. It results in a deformed version
of the original doctrine, mainly supported on the argument of authority of the US
experience than properly on understanding of this experience and its adjustment to
the naturally diverse and peculiar Brazilian scenario.
The imminence of discussion of the Bill of Law of the Internet Civil Rights
Framework promised, however, to remove these risks. What one expected from the
Legislative Branch, at this time, was that it acted in an exempt and efficient way,
detailing the operation of the notice and takedown, so as to create an effective mech-
anism of conflict resolution for the Internet in Brazil. Unfortunately, what ended up
happening was exactly the opposite.
The wording of the provision already begins by showing to which side of the scales
its content leans in favor. In a section entitled “Civil Liability for Damages Arising
24 See .S. Code, Title 17, Chapter 5, Section 512, especially Section 512 (c) (3)—on the requirements
of the notice –; and Section 512 (g) (2) e (3)—on counter-notice and terms of activity.
25 On the issue, let one be allowed to refer to Schreiber (2014b), pp. 209–215 and 231–243.
252 A. Schreiber
from Content Generated by Third Parties”, Article 19 begins with an unusual affirma-
tion of purpose, which invokes the values of freedom of expression and prohibition
of censorship, that, abstractly, would advocate against the very idea of liability. The
whole discussion on liability arises exactly when the exercise of freedom of expres-
sion violates the victim’s fundamental rights, proving abusive—because contrary
to the very purpose of free expression—or illegitimate—because it affronts, with
pondering reasoning, the sphere of protection of other rights of equal hierarchy in
that concrete specific situation. The fundamental rights of the human person (honor,
privacy, image, among others) are also protected by the Brazilian Constitution, on
an axiological threshold not lower than free expression. Recalling only “one side of
the coin” already at the beginning of Article 19 represents bad legislative technique
and a concerning warning on what was about to come.
After its unusual beginning, Article 19 declares that the “provider of Internet
applications”—thus the Civil Rights Framework refers to that which offers a “set
of functionalities that can be accessed through a terminal connected to the Internet”
(Article 5, VII), yielding to the already mentioned terminology, which conceals the
proprietary aspect—“can only be subject to civil liability”—the word “only” already
revealing a restrictive perception of its civil liability – for “damages resulting from
content generated by third parties” if, “after an specific court order, it does not take
any steps to, within the framework of their service and within the time stated in the
order, make unavailable the content that was identified as being unlawful, unless
otherwise provided by law.”
Mention of a “court order” gives a death blow to all the inspiration of the notice
and takedown. As already emphasized, the legal limitation to civil liability of the so-
called “providers of applications” can only be justified as a stimulus to its proactive
activity, capable of preventing the spread of the damage regardless of the time and
cost necessary to file a lawsuit. If the victim of damage to its fundamental right needs
to resort to the Judiciary, claiming a judicial order, to be issued to the Company, then
Article 19 is entirely useless for the simple reason that the possibility of resorting to
the Judiciary always existed in Brazilian law and failure to comply with a court order,
regardless of any consideration on civil liability, constitutes the crime of disobedience
(Article 330 of the Brazilian Criminal Code).
Even worse: in the literal words of Article 19, noncompliance with a court order
becomes a necessary condition for holding the providers liable. In this context, filing
of a lawsuit fails to be a mere instrument of protection of the victim’s rights and of
obtaining reparation for their violation to become a sine qua non condition of the
civil liability. The victim, who before filed a lawsuit as its last resort, to obtain the
defendant’s liability, now needs to file the lawsuit and plead the issue of a specific
court order, so that, only then and only in the case of noncompliance with said
court order, the owner of the site or social network may be considered liable. In a
reality increasingly conscious of the cramming of the Judiciary Branch, Law 12.965
takes a different path than every single trend and transforms the judicialization of
the conflict into a measure necessary to the protection of the victim’s rights in the
virtual environment, environment in which, by its own speed and dynamism, judicial
remedies tend to be less efficient and, therefore, more criticized.
Civil Rights Framework of the Internet … 253
The truth is that, quite the contrary of protecting the victim with a more efficient
system of protection of its fundamental rights, Article 19 protects companies, which
operate the network, as it still requires that the legal order be “specific”—giving room
for allegations of lack of specificity, which would authorize noncompliance26 —and
restricts the need for compliance to measures that must be adopted “within the frame-
work of their service”—opening one more door to arguments which would exclude
the need for compliance with the legal order, with the aggravating circumstance
of making reference to technical questions, which, in this kind of legal action, the
defendants usually know in greater detail than the members of the Judiciary, as they
concern the meanderings of the very business developed by the company.
Perhaps in an effort to soften the flagrant setback, §3 of Article 19 declares that
“The compensation disputes for damages arising from content made available on the
Internet related to the honor, reputation or personality rights, as well as the removal
of related contents by Internet application providers, can be presented to special
small causes courts.” The consolation prize does not remove the inconvenience of
the imposition of appealing to the Judiciary to deflagrate the civil liability of the
“providers of applications”. Neither it represents an effective prize, to the extent that,
even before the publication of Law 12.965, the victims of harmful content already
relied on this possibility, sufficing that they did not indicate as value pleaded on
account of non-pecuniary damages an amount higher than the ceiling of the special
claims courts. However, this condition is almost irrelevant since, in Brazilian practice,
the indication of the amount of the non-pecuniary damage is rare, as the majority of
lawyers opt for leaving such measurement at the discretion of the judge, avoiding
the reflex of the value claimed on the calculation of the legal costs, and eventually of
adversarial fees. Therefore, §3 of Article 19 does not bring any benefit to the victims
of damage which had not been already available to them, in the scenario prior to
publication of the Civil Rights Framework of the Internet.
In short, for human persons users of the Internet who may be affected by content
damaging their fundamental rights, Article 19 does not bring any benefit. Quite
the contrary, it represents an obvious setback if compared to the paths which had
been followed by Brazilian case law on this matter. This is a rule that shields busi-
ness companies that operate Internet services, especially through social networks
and virtual communication spaces. Considering the international scenario, this rule
offers much more protection to the Internet industry than those from countries with
a long-standing tradition in the protection of business interests in the network, such
as the United States. From the perspective of legal technique, there is deep misrepre-
sentation of the mechanism of notice and takedown, which ends up sending conflicts
back to an already crammed Judiciary, distancing itself in such a way from that insti-
tute that it is impossible to understand how legal experts on Internet continue to talk
about the incorporation of notice and takedown by the Civil Rights Framework of
26 §1 of Article 19 expands even more this room for defense by affirming that the judicial order
mentioned in the main section of the provision “must include, under penalty of being null, clear
identification of the specific content identified as infringing, allowing the unquestionable location
of the material”.
254 A. Schreiber
the Internet. For Article 19, neither the notice suffices, nor will it lead to takedown,
because what the provision does is to create conditions and obstacles to effective
compliance with the legal order. The rule assures to the victims of damage less than
they already had by the general system of civil liability and hampers protection of
fundamental rights, moving steps back from the protection courts had already been
ensuring in this field.
The remaining question is the following: with all its flaws, is Article 19 of the
Civil Rights Framework of the Internet only a bad rule or is it unconstitutional? The
discussion is not simple from a technical-legal viewpoint, but a deep examination
leads to the conclusion of its unconstitutionality.
Law 12.965 affronts Article 5, X, of the Constitution of the Brazilian Republic. The
counterargument that the condition applies only to companies which own sites and
social networks, the victim conserving the right to claim reparation to the third party
which initially discloses the content, is almost fictional. As already emphasized,
identification of the third party itself depends on the activity of said companies
and, even when identification occurs, the chance of obtaining reparation is not only
reduced by recurrent circumstances in the virtual environment (lack of identification
of the location of the individual, lack of means by the user etc.), but also ends up
limiting itself to indemnifications in cash, when those companies have much more
effective technical means to prevent propagation of the damage (suppression of the
damaging content, unidentifying the victim, etc.).27
Therefore, Article 19 of Law 12.965 violates Article 5, X of the Brazilian Consti-
tution, which would suffice to conclude that it is unconstitutional. One can, however,
add to this element others which corroborate the divergence between Article 19 of
the Civil Rights Framework of the Internet and the constitutional text. For instance,
the prior requirement to file the lawsuit and issuance of a specific judicial order as
requirements for liability also violate item XXXV of Article 5,28 as the guarantee of
access to the Judiciary, in a substantial reading, consists of a right of the victim, never
a duty. By imposing the appeal to the Judiciary as an essential condition to repara-
tion of the sustained damage, Article 19 of Law 12.965 misrepresents the meaning
of Article 5, XXXV, affronting its substantial dimension.
The provision also violates the so-called “principle of prohibition to stepping
backwards”, to the extent that, by conditioning the protection of such rights to the
receipt of a “specific court order”, it retrocedes in relation to the degree of protection
which was already assured by Brazilian case law, which had been considering the
defendants liable for such damages if they did not act after any kind of communication
(extrajudicial, therefore, and, even, electronic).29 The reduction of the degree of
protection of fundamental rights finds an obstacle in said prohibition of stepping
backwards, a notion which has been broadly developed in the field of Public Law,30
but which also applies to Private Law, especially in the Brazilian legal experience,
which is progressively released from the old dichotomy between Public and Private
Law to find in the maximum fulfillment of constitutional values the north that unites
its legal system.31
disciplines electronic commerce, determined that “websites or other electronic means used to offer
or for conclusion of a consumption contract must make available, in a prominent place, and easy to
visualize: (…) II—physical address and email, and other information necessary to its location and
contact.”
30 Derbli (2007).
31 Tepedino (2004), pp. 1–22. Also, let it be consented to refer to Schreiber (2013).
256 A. Schreiber
The approval of the Civil Rights Framework of the Internet created the following
situation in Brazilian Law: if the content posted offends copyrights or connected
rights, the applications provider cannot invoke Article 19. Therefore, the general
rules of civil liability apply. According to them, liability is full—and not expressly
limited to the situations of lack of action after a specific judicial order—, and, at the
most, the provider may obtain a judicial interpretation, which, based on the case law
prior to publication of Law 12.965, establishes as the initial milestone of its liability
the time when, becoming aware by any means (extrajudicial notification, electronic
communication, etc.) of the content damaging to copyrights or connected rights, the
providers does not act to prevent the spread of the damage. In other words, with the
enactment of Law 12.965, the mechanism of protection of copyrights became simpler,
quicker and more efficient than that reserved to the protection of the fundamental
rights of the human being (honor, privacy, image, etc.), which becomes dependent,
for the very deflagration of civil liability, on resorting to the Judiciary and on the
issuance of a specific judicial order. Here, one has a true axiological inversion, to the
extent that the copyrights and connected rights—also, therefore, those of exclusively
property content—gain a stronger, faster, and more effective instrument of protection
than the fundamental rights of the human being, to which the Brazilian Constitution
attributes greater, if not hierarchical, at least axiological importance, as seen from the
express mention of the dignity of the human person as a foundation of the Republic
(Article 1, III, of the Brazilian Constitution). Such inversion affronts the Constitution,
resulting, unequivocally, in the unconstitutionality of Article 19 of the Civil Rights
Framework of the Internet.
Civil Rights Framework of the Internet … 257
In short, there are several ways which lead to the conclusion that Article 19 of the
Civil Rights Framework of the Internet does not consist only in a bad rule, but
instead in an unconstitutional provision, which is legally null. To save Article 19
from unconstitutionality, it would be necessary to interpret it in conformity with
the full protection of personality rights, assured in Article 5, X, of the Constitution.
Such interpretation could be achieved through a reading that approximates Article
19 of Law 12.965 to another provision of the Civil Rights Framework of the Internet;
namely, Article 21. In this rule, the legislator addressed a specific subject: publishing
of material containing “nudity or sexual activities of a private nature”.
Art. 21. The internet application provider that makes third party generated content available
shall be held secondarily liable for the breach of privacy arising from the disclosure of
images, videos and other materials containing nudity or sexual activities of a private nature,
without the authorization of the participants, when, after receipt of notice by the participant
or his/hers legal representative, refrains from removing, in a diligent manner, within its own
technical limitations, such content.
Scholars have been studying this provision under the nomenclature of “revenge
pornography”, following US sources. The labeling is improper, as the literal text
of the rule alludes to scenes of nudity and sex regardless of the reason of their
disclosure. The use of the American expression can be forgiven provided that it does
not lead to a restrictive interpretation of the rule. Strictly speaking, Article 21 is
not the epitome of legislative technique, containing its own dose of improprieties—
such as the equivocated use of the expression “secondarily”32 —, but it has the huge
advantage of having preserved the essential element of notice and takedown: the
extrajudicial nature of the notification.33
And if the protection of sexual intimacy of the individual, with the consequent
liability of the application provider for damage resulting from exposure of its nudity or
32 Civil liability here is not secondary, but proper and direct, because it derives from the absence
of activity of the provider after becoming aware of the fact. The use of the expression “secondary”
must be interpreted as mere reinforcement of the idea that the provider here is answering for the
content transmitted by a third party, but technically it is the own and direct liability, not secondary.
So that there is no doubt, it is not necessary for the victim to file a lawsuit or take any attitude in
relation to a third party—who, frequently, cannot even be identified. It may act directly against the
provider of applications who fails to make the content unavailable, whether to compel him to do
so, or to obtain proper reparation for damages resulting from exposure of the material in the period
spanning from the notification to effective removal.
33 Although he was not express with respect to the extrajudicial nature, the legislator alluded here to
mere “notification”; the interpreter shall not restrict the term to extrajudicial notifications, especially
if compared to the speech of Artcle 21 with that used in Article 19 of the same Federal Statute No.
12965/2014.
258 A. Schreiber
order that gave grounds to the unavailability”.34 What the Civil Rights Framework
of the Internet did not do—but could perfectly have done—was to consider remedies
other than the extreme measure of suppression, not as an alternative to the provider
of applications, but as an alternative to the victim him/herself, who, in certain cases,
may not have interest in suppressing the material; nor, let alone, in the whole polemics
which the suppression awakes in relation to free speech in the network.
Suppose, for instance, that somebody discloses in a social network image files
which portray a certain person in her childhood or as a teenager, in a certain embar-
rassing situation, all without authorization of the person portrayed. Suppression of the
material is not necessary to protect the honor of who was portrayed, but it is in his/her
interest to prevent the material from circulating accompanied by mention of his/her
name or identification of his/her face, as it is already frequent on social networks
such as Facebook and Instagram. What the victim is interested in obtaining here is
the absence of identification of her/his individuality, without necessarily intending
to suppress the material from the network, material which may, for instance, portray
other people, including the third party himself (one should think, for instance of a
photo of a costume party from high-school times). In cases such as that, the third
party has, in principle, the right to disclose the image, which (also) portrays him and
mere removal of identification of the victim can already be a sufficient measure to
protect his rights.
Another measure that the victim can be interested to put into practice is a simple
adjustment in the indexation of the material disclosed, so as to prevent it becoming
the main one or one of the main references linked to his identity. There is, also,
in some cases, interest in obtaining the largest contextualization of the material
published, with the addition of information that prevents interpretation of the event
portrayed separated from its original context. Contextualization is an instigating
remedy because, contrary to the others, it points to a solution which contains more,
not less information on the content transmitted.
Both removal of the victim’s identity in the content published by the third party
and appropriate indexation of this content in relation to the victim’s name, as well as
contextualization of the content published by the third party are measures which could
appear sufficient, in the eyes of the victim, to protect his rights. Additionally, such
measures perfectly conform with the best approach to the right to be forgotten, which
can be defined not as a right to “rewrite history”, of changing the facts or suppressing
content which may be published on the Internet, but, instead, as the right “not to be
followed for certain facts”; one avoids thus inappropriate identification of the human
person, which would violate its right to personal identity.35
34 “Article 20. (…) Sole Paragraph. When requested by the user, who provided the content made
unavailable, the provider of Internet applications that carries out this activity in an organized,
professional manner and for economic purposes, shall replace the content made unavailable for a
note of explanation or with the text of the court order that gave grounds to the unavailability of such
content.”
35 On the subject, let it be consented to refer to Schreiber (2014a), pp. 172–174.
Civil Rights Framework of the Internet … 261
The Civil Rights Framework of the Internet would have done well to mention such
remedies (unidentification, appropriate indexation, contextualization of the content,
etc.) as optional, at the discretion of the damaged party, but ended up by being
exclusively centered on the unavailability of the material, a remedy which is not
always desired by the victim and which may attract intense discussions about free
speech, discussions, which, notwithstanding their legitimacy, delay the protection of
the fundamental rights that could be effectuated by other less polemic means.
Although the whole set of problems of civil liability in Law 12.965 orbits around the
content of the third party, the question of own content still assumes legal relevance.
As it has been demonstrated by a succession of concrete facts, the individual who
transmits material in the network concerning himself (photographs, comments, etc.)
can also be a victim of damage resulting from unrestricted or out-of-context trans-
mission of this material or its use for purposes other than those who encouraged its
initial disclosure.
Take for instance the case of the boy Nissim Ourfali. In order to celebrate his Bar
Mitzvah, his parents hired a company specialized in making films of celebrations. In
the film, the 13-year old boy appears as the protagonist of a comic version video clip in
Portuguese of the song “What makes you beautiful” of the group One Direction. The
video clip displays, always with a humoristic bias, photos of Nissim’s life, including
trips to Israel and Baleia Beach, in the coast of São Paulo. The film was posted
on the website of YouTube by members of the family of Nissim with the purpose
of making it accessible to distant friends and relatives. However, it was discovered
by the Internet users and became a fever in the virtual world, almost reaching an
awesome number of accesses. Discothèques in Rio de Janeiro and São Paulo started
to play that version of the song and the video clip became the purpose of parody in
the network, including editing with Silvio Santos and Bart Simpson in the role of
Nissim Ourfali.
Nissim’s family started to receive daily phone calls from companies and agencies
interested in exploiting his image. To preserve himself, Nissim, represented by his
parents, filed a lawsuit at the Court of Justice of São Paulo, against the company that
owned the YouTube website, requesting the removal of the video clip based on the
protection of this right of image and privacy. The first-degree judge dismissed the
request for prior relief, arguing that the material had been spontaneously put on the
website. Check the entire content of the decision:
From what I understand of the amendment to the complaint, the video in which plaintiff
participates was posted spontaneously on the public website for sharing videos, the ‘private’
mode not being an obstacle for all to see how many people have an account on said website
262 A. Schreiber
to access it. From then on, it seems that the video was disseminated on the internet, as
verified by research in Google by the author’s name, which returns nothing less than 790
entries relative to it (cf. print attached). In view of this, the technical possibility of removing
from the internet, from all the access paths which at this point were established to the
video in question is doubtful. It is certain that uncontrolled dissemination of the content is a
characteristic of the internet (which, perhaps due to the short amount of time of its existence,
a fair share of the users is not aware of). So it is that, although it comprises a human aspect, the
situation in which plaintiff finds himself, I do not see a plan of the possibility of establishing
an affirmative covenant, especially due to the open content as intended, for the defendant. It
is convenient to commence the adversary party system. Thus, I dismiss the request for prior
relief for the time being.36
a thoughtless and casual fact. Moreover, it was an undeniably free act, without the
formalities which the legal order requires to attract the obligational effect. In these
circumstances, one does not glimpse an interest that deserves protection opposed
to his right to preserve his image and privacy, already sufficiently exposed by the
equivocation of his family members, and not to remain forever “marked” by the
episode. What comes into play here is the already mentioned right to be forgotten,
in its virtual mode, an expression of the right to personal indemnity.
If there is a cost in the adoption of steps which are necessary to suppress the
material from the website, this cost can, in a more severe line, be attributed to the
website itself, which is subject to such risk by operating the communicative space.
These costs, in a more liberal line, can be attributed to the boys’ parents. Nevertheless,
while this can be discussed during the proceedings, the right to obtain the measures
of suppression proves to be as clear as it is urgent. To understand otherwise only
because the video was posted spontaneously by his family’s members is to submit
him, in his frail 13 years of age, to the binding force of a “contract”, which he never
signed and for which he received nothing. This binding force, in an extreme degree
of restriction, is not even admitted in business let alone in the distracted and non-
economic use of a site for sharing videos. If, even in the scope of contracts, one
admits breach of the obligational effect due to hardship resulting from unpredictable
and extraordinary facts, why a teenager who saw a comic film of his Bar Mitzvah
turn into a fever across Brazil cannot obtain measures intended to attenuate the huge
burden which he has been suffering from?
Cases such as that of Nissim Ourfali reveal that the problem of civil liability of the
so-called providers of applications by content posted on their sites is not limited to the
damage resulting from the content posted by third parties. The problem also covers
the question—more rare but no less delicate—of the unauthorized exploitation of
the content posted by the user himself. More specifically, it also covers the lack of
measures intended to prevent the diffusion of content which the user expressly no
longer wants to be exhibited on the site. The Civil Rights Framework of the Internet
does not contemplate the subject, suggesting that the provider can only be called
to act in the case of content posted by a third party. However, there is no reason to
eliminate its duty to act in those cases where the user himself “regrets” transmitting
the content and claims for the suppression of the material, so that its reproduction
on the same website be prevented. Here, the whole drama of free expression is not
presented, as the disclosing party itself wishes to see the video excluded from the
site.
Looking closely, the need to adopt technical measure to remove the undesired
content from the video integrates the business risk of companies which exploit
the informal nature of posting the content and encourage all the time its users to
transmit information, comments or private files (photos, videos, etc.). Even if one
could discuss on whom the cost of the measure falls—a question which could attract
different answers, according to the case, for instance, the degree of information trans-
264 A. Schreiber
mitted—, there is no doubt that the person who repents should have the right to claim
it, under penalty of acclaiming an obligational effect ad eternum, as an informal act
that, strictly, does not even qualify in light of the legal order as if it were a source of
obligation.
9 Conclusion
Article 19 of Law 12.965 allocates to the problem of civil liability of the so-called
providers of applications by content transmitted on one of their sites an extremely
restrictive relationship, which represents an undeniable setback in connection with
the path which was being trod by Brazilian case law on this matter. By conditioning
civil liability with noncompliance with the “specific court order”, said Article 19
promotes a dreadful hampered of protection of the rights of the Internet user, often
fundamental rights expressly protected by the Brazilian Constitution such as honor,
image ad privacy. It creates a real bubble of non liability, insofar as it restricts the
civil liability of business companies, which operate the sites where the damaging
content is transmitted. This position limits eventual claim to obtain reparation to
third parties”, almost always anonymous and whose identy and location can only be
known, in most cases, by those same business companies which the Brazilian Civil
Rights Framework for the Internet exempts from liability. Even when known, the third
parties have no technical or economic conditions to attenuate the propagation of the
damage, which is why the eventual liability has few or no practical consequence.
Worse than a misplaced rule, Article 19 must be considered as an unconstitutional
act, for violating different aspects of the Brazilian Constitution (Article 5, items X
and XXXV; Article 1, item III; among others). Not only does it restrict the protec-
tion of fundamental rights, setback in the protection which was already assured by
Brazilian courts, but it also promotes intolerable axiological inversion, by permitting
more favorable treatment to rights with patrimonial content (property copyrights, for
instance) than to personality rights, it being established that the constitutional order
addresses the latter with primacy.
The result of the unconstitutionality consists of restoration of the general disci-
pline of civil liability in relation to the content transmitted on the Internet, with the
possibility of the imputation of full liability of the so-called providers of applications
for damages sustained by the victim. This liability has no temporal limitation, from
the beginning of disclosure of the offensive material, whether based on the Consumer
Defense Code (Article 14), or based on Article 927 sole paragraph of the Civil Code.
The only salvation for Article 19 of the Civil Righs Framework of the Internet would
be the application of an interpretation in accordance with the Brazilian Constitution
(Article 5, item X), which, like what Article 21 of Law 12.965 already does, would
be satisfied with an extrajudicial notification to the provider. This extrajudicial noti-
fication would be considered the beginning of the civil liability in case of inertia in
the adoption of the measures necessary to the removal of the damaging content to its
website.
Civil Rights Framework of the Internet … 265
Business companies which operate sites and social networks have unarguably the
best technical conditions to adopt the steps necessary for reparation or attenuation
of the propagation of the damage. This damage transcends the mere question of
suppression of the material transmitted, but also cover measures, such as concealment
of the victim’s identification, adequate indexation of the material transmitted, its
contextualization, among other remedies, which would be capable, in many cases,
of protecting the victim without raising a risk to the freedom of expression of third
parties, which transmit the material considered damaging.
In any case, one has to be very cautious when invoking freedom of expression in the
virtual universe. It is unquestionably a fallacious argument, since the huge majority
of the actual cases involving requests for the suppression of damaging material in
Brazilian case law concerns information which is obviously false, evident offenses,
racist comments and other kinds of content. In this sense the argument, quite the
opposite of expressing the legitimate exercise of free expression, aim at cannibalizing
it, by intimidation, virtual bullying, online hate speech, and other virtual forms of
oppression.
References
Ammori M (2014) The “New” New York Times: free speech lawyering in the age of Google and
Twitter. Harv Law Rev 127(8):2259–2295
Barlow JP (1996) A declaration of the independence of cyberspace. In: Electronic Frontier
Foundation. https://www.eff.org/cyberspace-independence. Accessed 11 Jan. 2022
Bauman Z (2008) Vida para Consumo – A Transformação das Pessoas em Mercadorias. Zahar, Rio
de Janeiro
Clarke T (2013) Social media: the new frontline in the fight against hate speech. In: Minority
rights group international. http://minorityrights.org/2013/10/30/social-media-the-new-frontline-
in-the-fight-against-hate-speech/. Accessed 11 Jan. 2022
Derbli F (2007) O Princípio da Proibição de Retrocesso Social na Constituição de 1988. Renovar,
Rio de Janeiro
Heins M (2014) The brave new world of social media—how “terms of service” abridges free speech.
Harv Law Rev 127(8):325–330
Jauréguiberry F (2004) Hypermodernité et manipulation de soi. https://web.univ-pau.fr/RECHER
CHE/CIEH/documents/Hypermodernite_manipulation_de_soi.pdf. Acessed 12 Nov 2018
Lévy P (1999) Cibercultura. Editora 34, São Paulo
Oliveira M (2014) Fui motivo de piada na rua’ diz usuária que ganhou processo contra Facebook.
In JusBrasil. https://dellacellasouzaadvogados.jusbrasil.com.br/noticias/113852641/fui-motivo-
de-piada-na-rua-diz-usuaria-que-ganhou-processo-contra-facebook. Accessed 11 Jan. 2022
Roppo E (1988) O Contrato. Almedina, Coimbra
Schreiber A (2013) Direito Civil e Constituição. Atlas, São Paulo
Schreiber A (2014a) Direitos da Personalidade. Atlas, São Paulo
Schreiber A (2014b) Novos Paradigmas da Responsabilidade Civil. Atlas, São Paulo
Superior Court of Justice (2009) Quarta Turma não Reconhece Dano Moral por Envio de SPAM
Erótico a Internet usera. Accessed 31 Jan. 2018
Tepedino G (2004) Premissas Metodológicas para a Constitucionalização do Direito Civil. In:
Tepedino G (ed) Temas de Direito Civil. Renovar, Rio de Janeiro, pp 1–22
266 A. Schreiber
Anderson Schreiber Full Professor of Private Law at the State University of Rio de Janeiro
(UERJ). Professor at Fundação Getulio Vargas (FGV). Head of the Research Project “Law and
Media”. Main areas of research: Constitutional Rights in Private Relations, Torts, Contract Law
and Media Law. Selected Publications: Manual de Direito Civil Contemporâneo, São Paulo:
Saraiva, 2021 (4th edition); Equilíbrio Contratual e Dever de Renegociar, São Paulo: Saraiva,
2020 (2nd edition); A Proibição de Comportamento Contraditório: Tutela da Confiança e Venire
Contra Factum Proprium, São Paulo: Atlas, 2016 (4th edition); Novos Paradigmas da Respons-
abilidade Civil, São Paulo: Atlas, 2015 (6th edition); Direitos da Personalidade, São Paulo: Atlas,
2014 (3rd edition).
Self-regulation in Online Content
Platforms and the Protection
of Personality Rights
Ivar A. Hartmann
1 Introduction
John is very proud. He has just pulled an all-nighter editing a montage of pictures
and small videos of his best friends to share on online. He was careful to pick the
ones where the lighting is favorable and everyone is smiling or making a funny face.
As most teenagers their age, John and his friends produce an enormous amount of
media depicting themselves, so it takes a long time to choose the ones that make the
cut and their order or placement. Also like most teenagers today, John has the skills
and means to remix1 the pictures with videos and a background song. He sought out
to learn the basic functions of a video editing software recommended by a friend
and used it to give the montage a more professional feel. This includes inserting
1 Lessig (2009).
I. A. Hartmann (B)
Insper Learning Institution, São Paulo, Brazil
e-mail: ivarhartmann@insper.edu.br
Thanks to this system, every time John and other people create something new
using a song or part of a video that has been submitted to Content ID’s database,
Youtube will keep the new work automatically out of display—without any human
evaluation and bypassing an impartial judicial ruling on the matter. What is curious is
that “Shot me down” is originally from Nancy Sinatra. Guetta and Grey did the same
as John: used parts of the artistic creation of others in order to produce something new.
But when the video clip of Guetta and Grey’s version of shot me down was posted
on Youtube it was not prevented from being accessible by users. That is because
the rights holder of Guetta and Grey’s works negotiated with those of Sinatra’s. It
is remixing with a prior request for permission and payment of fees. While this
type of composition is protected by Content ID, amateur remixing is not. Google
adopted this system voluntarily. In most countries the law establishes that a company
playing the role of a content intermediary, such as a platform or social media, is not
responsible for copyright violations unless it was notified and failed to remove the
allegedly infringing material. In this case, Youtube ran John’s video through prior
analysis before making it available, which is very different from waiting until a rights
holder expresses their dissatisfaction with the amateur montage. Content ID is not
legally required.
Moreover, it generates a substantial cost to Google as it had to be first developed
and is later continuously tested and calibrated. There is also the hardware cost of pre-
processing billions of hours of video uploaded to Youtube. Above all, there is the cost
of decreasing revenue. The company makes money from advertising, which depends
on viewership. This, in turn, depends not only on the accessibility of each single
video, but on the perception of Youtube’s value as a content platform as a whole. The
network effect dictates that the more content and user interaction it hosts, the more
valuable it is to all users.4 This means that by barring amateurs remixes developed
by its uses, Youtube is acting in detriment to its own value as a platform.
Content ID is of course old news. Algorithms are now being proposed as a way to
fight other potentially unlawful content, including revenge porn.5 The application of
automatic filters for copyright violations exposes the high potential for false positives,
but content platforms6 are slowly being asked to play the role of judge when a much
more nuanced decision is required: distinguishing between speech that is legal and
that which constitutes hate speech or violates a person’s honor.
It turns out John’s motivational message was directed to white people. The phrases
used along the video were “white lives matter”, “Muslims are terrorists”, “blacks are
lazy”, “build the wall” and “white pride”. Taylor Swift’s song was chosen specifically
because of what John feels it represents for white supremacists.7 Could an algorithm
identify and bar or remove hate speech without censoring legal speech in the process?
In a time where so many people contribute to the public debate and seemingly
harmless cultural expressions can be hijacked by certain groups and made to mean
something their original creators never dreamed of,8 can a machine properly pick
apart illegal from outrageous but legal speech?
and consumers. The platform provides an open, participative infrastructure for these interactions and
sets governance conditions for them. The platform’s overarching purpose: to consummate matches
among users and facilitate the exchange of goods, services, or social currency”, see Parker et al.
(2016), p. 299.
7 Khal (2017).
8 Ellis (2017).
270 I. A. Hartmann
There are increasing incentives for private platforms to try and identify illegal
speech. The safe harbor provisions in European countries, as well as in other like the
United States and Brazil are slowly being eroded by court rulings and legislators,
creating new risks for content hosts.9 The German Netzwerkdurchsetzungsgesetz that
has come into force in 2017 is a good example. In contrast to the Brazilian option for
liability only after judicial notice, this new law forces private companies to arbitrate
speech and determine within 24 h if expression is “obviously illegal” after notice from
an offended party.10 Faced with this task, how long until private companies forsake
human manual detailed analysis and invest on quick and monumentally cheaper
software alternatives?
As the current scenario stands, there are increasing incentives to have social media
and other private content platforms use algorithms to identify illegal speech such
that John’s video would never even make it to anyone’s newsfeed on Facebook.
There are already some experiments, including by government funded research in
Germany11 and by major players such as Yahoo,12 but initial results are not always
completely satisfactory.13 Not all incentives to filter speech come from legal liability
risks, however, as many social media companies have “community standards” that
are more stringent on expression than the law they are required to apply.
Is this a kind of self-regulation? Do the characteristics of this type of practice
allow them to be classified under the traditional self-regulation categories? What is
unique about these experiments in the current rich context of the internet and artificial
intelligence that might defy traditional self-regulation theory? My goal is to answer
these questions with the purpose of providing a conceptual framework based not
only on self-regulation theory, but also aspects of the protection of personality rights
online, including possible avenues for the efficacy of fundamental rights in private
relationships. In the first part, I will present a summary of classic self-regulation
elements, bringing them together with the notion of code as law and the restraints
imposed by the constitutional protection of personality rights. In the second part, I
will retell John’s story from a different angle while detailing and better explaining
what is at stake, how the technology is used and what are the elements of the dynamic
between regulation by code and law in this context.
55210/https://www.research-in-germany.org/en/infoservice/newsletter/newsletter-2017/october-
2017/algorithms-to-combat-hate-speech-online.html. Accessed 11 Jan. 2022.
12 Reynolds (2016).
13 The initial results are unsurprisingly not perfect: “Consistent with previous work, we find that
certain terms are particularly useful for distinguishing between hate speech and offensive language.
While f*g, b*tch, and n*gga are used in both hate speech and offensive language, the terms f*ggot
and n*gger are generally associated with hate speech. Many of the tweets considered most hateful
contain multiple racial and homophobic slurs. While this allows us to easily identify some of the
more egregious instances of hate speech it means that we are more likely to misclassify hate speech
if it doesn’t contain any curse words or offensive terms.”, Davidson et al. (2017), p. 4.
Self-regulation in Online Content Platforms and the Protection … 271
14 “Institutions simplify the decision problem for economic actors, by imposing restraints on each
person’s conduct which render it substantially predictable to others.” MacKaay (2000), p. 82.
15 “Their virtue lies in the relative fixity they provide. But the fixity is also their weakness. At
the time of its creation, an institution may be chosen so as to provide generally the best trade-off
in the face of the circumstances of the moment. As circumstances change, institutions may come
to represent less than optimal trade-offs and yet their fixity prevents them from being instantly
adjusted. The benefit of fixity and predictability is bought at the risk of ill fit over time.” MacKaay
(2000), p. 83.
16 “[I]t is useful for purposes of behavioral law and economics analysis to view human actors
as departing from traditional economic assumptions in three distinct ways: human actors exhibit
bounded rationality, bounded willpower, and bounded self-interest.”, Jolls (2007), p. 10.
17 Stiglitz (2009), p. 13.
272 I. A. Hartmann
State plays the role of a private entity: as market creator, as market influencer, as market enhancer
and as market preserver. See Hockett and Omarova (2013), p. 5.
Self-regulation in Online Content Platforms and the Protection … 273
concrete cases—when it decides whether specific posts, pictures or videos fall into
the hate speech category, and the enforcement of these decisions—when it presses
the button to remove, demote or red flag content as illegal. In many online private
platforms, the user is therefore gradually becoming a rule-making and rule-enforcing
actor, as I have noted and described elsewhere,22 which is also a novel aspect of this
new type of self-regulation. Here, however, I intend to focus on describing the role
played by the private companies that host crowdsourced content.
Another novel element and one that is central to this model, is the style of enforce-
ment. John did not have a chance to disrespect the rule created and applied by Youtube
on copyrighted material. His videos will always be subjected to Content ID verifi-
cation and his compositions will always be censored when they include elements
from copyrighted songs or videos. John does not have the option to break the rule
of self-regulation and take the risk of potential subsequent punishment. There is no
adjudication procedure to evaluate whether the video was at odds with the rules that
govern Content ID. There is no established penalty for such an impossible act.
To understand the meaning of the way in which technology operates in this context
requires accepting that law and the market are not the only avenues to restrict human
behavior. As Lawrence Lessig explained when the World Wide Web was in its infancy,
there are four avenues.23 Law is the most obvious one, imposing constraints through
rules. Because they can be disrespected, it is necessary to determine and apply punish-
ments for lack of obedience. The market restricts as well: although law does not forbid
it, an elementary school teacher cannot own a private jet. The law of nature also limit
what we can do. No human being can fly because of the law of gravity. No one can
ignore it, so there is no need to set up procedures to resolve disputes on whether
gravity was properly followed.
The fourth avenue of regulation indicated by Lessig is similar to the laws of
nature in this sense. The laws of the virtual world are impossible to disrespect. It is
undeniable today that regulation has been enabled along the years by modifications
in the physical and logical structure of the internet. Lessig posits that this technical
plane, which he has called “code”, configured by engineers and programmers, is
exactly like a form of regulation, just like human written law. The architecture of the
virtual world defines what we can and cannot do while in it.
This guarantees ex ante control in the enforcement of norms, in as much as
the choices on code design define what the user actually is able and unable to do,
unlike prescribing what it may or may not do, legally.24 But moving away from state
controlled regulation implies abandoning democratic rule-making. Lessig thus alerts
to the possibility of code being used as an oppressive form of regulation by the state,
a hypothesis that suggests the need for even greater participation and leadership of
behavior, she need not threaten, or cajole, to inspire the change. She need only change the code-the
software that defines the terms upon which the individual gains access to the system, or uses assets
on the system”. Lessig (1996), p. 1407.
Self-regulation in Online Content Platforms and the Protection … 275
civil society actors in at least some of the regulatory layers.25 The inclusion of non-
public actors in the regulation of online behavior, as well as on policy decisions that
shape public and private internet institutions has been understood for years as the
field of internet governance,26 such that the idea of online regulation not coming from
state entities is not at all new. Quite to the contrary, the diversity of actors actually
holding the reigns of regulatory activity concerning internet conduct is increasingly
being emphasized within the internet governance arena.27
Tim Wu addresses the strength of code from a different perspective, acknowl-
edging the function described by Lessig, but proposing yet another one, which in a
certain way opposes the perfect control of ex ante (self)regulation. To Wu, code is
also an antiregulatory tool that can be wielded by certain groups to decrease the cost
of following the law and therefore generating an advantage.28 The groups that do not
wish to obey the law have two options: to change it or to avoid it. The first option is
political and requires great organizational capacity and economic power to perform
the necessary lobby in order to amend legislation. Those without economic power
or mobilization ability employ mechanism to bypass the law. Here “bypassing the
law” means to avoid doing what traditional law demands by imparting changes on
the law of code. It is crucial to note, however, that traditional laws can be violated
without being amended, while the laws of code and network architecture can only
ever be altered, but never merely disobeyed.29
Evidently, the number of people required to clandestinely reconfigure code in
order to disobey it is much lower than the number of people willing to (even if not
entirely capable of) disrespecting traditional laws. This asymmetry brings even more
complexity to the regulation by code, but at the same time, transparent changes in
the laws of code are even more decisive.
Only the state can produce and modify traditional laws. The laws of the natural
world are never subject to change. The laws of network architecture, on the other
hand, and its sub settings—such as social media—are created and altered many
times and unilaterally by private groups or companies like Google. In creating and
applying Content ID the company has profoundly affected people’s behavior vis-
à-vis the production of amateur remixes and artistic compositions. A software that
preemptively identifies and blocks hate speech would have the same effect. The
algorithm has an infinitely larger impact in the protection of musicians’ interests or
the fight against hate than any article or paragraph in traditional law.
25 “If cyberspace were to become this perfect technology of technology and democracy, then there
would be little reason to worry. But a perfect technology of control does not entail a perfect
technology of justice, and it is this that commends a continued check.” Lessig (1996) p. 1411.
26 Mueller et al. (2007), p. 250: “[M]ultistakeholder governance should be legitimized and main-
tained. This norm is a logical extension of principles relating to private networks and global scope.
The Internet is in effect a global confederation of network operators and users and should not be
regulated in a top-down manner via agreements among states alone.” See also Kleinwächter (2009),
p. 384.
27 Belli (2015).
28 Wu (2003), p. 682.
29 Lessig (2006), p. 7.
276 I. A. Hartmann
As with the internet in general, in the self-regulation model that I propose here
there is significant weight of private parties’—both large content platforms and
regular users—online conduct on the exercise of fundamental rights such as freedom
of expression, access to information, privacy, propriety and the free exercise of
economic activity. That is to say, in the arena of self-regulation mediated by code
the issue of the efficacy of fundamental rights in private relations takes center stage.
There are many questions that can illustrate this point. Has Youtube violated John’s
freedom of expression in automatically and voluntarily censoring his artistic expres-
sion? Would Youtube violate the right to intellectual property of musicians if it made
Content ID to be an optional tool for users as they upload video? Is Content ID as
currently applied in violation of the right to access information that Youtube viewers
have in relation to John’s montage? That same goes for future algorithmic solutions
to online hate speech and violations of personal honor. How strict is a company
required to be when designing and operating natural language processing software?
Are there limits to how much speech can be censored?
I believe personality rights and the protection afforded them by most constitutions
should come into play here. Judicial analysis of the merits of the content in posts,
videos and pictures online has proven not to be the best alternative for online content
thus far and it should not be considered as the first and foremost battleground in which
to answer the questions posed in the previous paragraph. As Jack Balkin noted long
ago, it is administrative law and not constitutional rights adjudication that provides
a more suitable and effective context for securing the old and new liberties critical to
the internet,30 which includes developing the tools for adequately protecting freedom
of expression and other informational personality rights online.
Self-regulation of online expression as described here implies the action of private
platforms engaging with users in order to make decentralized gatekeeping31 decisions
on the content that should be barred, demoted or obscured. Algorithms are deployed
in parallel to either make some of these judgement calls or merely enforce whatever
decision on content has already been made. As rule, any recourse to the Judiciary
is only adequate to the extent that it invites considerations on procedural fairness
instead of the traditional content analysis. The efficacy of constitutional protected
personality rights in private relations operates as criterion and boundaries for such
procedural review. In most cases, a judge should evaluate, for example, not whether
30 “Protecting free speech values in the digital age will be less and less a problem of constitutional
lawalthough these protections will remain quite important—and more and more a problem of
technology and administrative regulation.” Balkin (2009), p. 441.
31 Gatekeeping can be defined “as the process of controlling information as it moves through a gate.
Activities include, among others, selection, addition, withholding, display, channeling, shaping,
manipulation, repetition, timing, localization, integration, disregard, and deletion of informa-
tion.” Barzilai-Nahon (2008), p. 1496. More specifically, “[D]ecentralized gatekeeping consists of
numerous, microlevel interactions between individuals engaged in a particular collective endeavor.”
Shaw (2012), p. 357.
Self-regulation in Online Content Platforms and the Protection … 277
what A said about B classifies as damaging hate speech, but rather if a certain aspect
of the platforms architecture creates an imbalance between A and B in their capacity
to communicate. The following part of this article is dedicated to addressing this in
detail.
The development of fundamental rights theory in Brazil, including in the field of
efficacy among private parties, is strongly influenced by German law, either directly
or indirectly through Portuguese literature.32 The most basic aspect here that already
signs a departure from traditional American constitutional law is that constitutional
rights are not foreign to relationships between private parties such as the platform
and the user. Naturally, even in the United States the idea that private companies
such as Facebook and Google should be treated completely different from the state
for the purposes of freedom of speech or privacy protection is losing ground. But
a more pure or simplistic view of state action doctrine has been slowly suffering
revision regardless of the internet.33 I will not entertain here the merits of horizontal
efficacy, but rather discuss elements that would provide useful guidelines for the
judicial review of self-regulation efforts involving private content platforms, users
and speech. More specifically, is it possible to identify cases where a procedural
flaw in the self-regulation system is so severely at odds with personality rights that
it should be directly corrected by a judge?
Therefore, even if in Brazilian law many people defend a prima facie direct effi-
cacy of fundamental rights in private relations—which would shed some provocative
light on the Content ID example—I prefer to frame self-regulation as a context in
which direct and indirect efficacy coexist, in accordance with Ingo Sarlet’s view.34
It is therefore an issue of carefully selecting criteria to enable the implementation of
direct efficacy to a subset of cases.35
Daniel Sarmento offers a different understanding with regards to the prevalence
of indirect or direct efficacy, but also provides guidelines for the application of direct
efficacy to concrete cases. They are especially useful in the field of moderation of
speech in private platforms. First, material inequality, expressed in this context by the
gap between the power of Facebook and one of its users.36 There are many aspects in
which acknowledging a duty by online platforms to respect personality rights guides
legislative choices, by means of indirect efficacy, as well as isolated judicial review,
by means of direct efficacy. Among them, the one with the largest social impact is
certainly intermediary liability. The asymmetry of power between the single user
and the company that removes her post, often without any explanation, shows the
32 Pinto (2007); Canaris (2003). See also Andrade (1987), p. 245; Canotilho (2003), p. 1253; Sarlet
(2006), p. 398.
33 Mark Tushnet highlights the weaknesses of this theory such as, for example, the fact that it denies
that private parties could be bound by constitutional rights not because there is no basis for this in
constitutional text but because the goal is to avoid such positions to be construed by judges. Tushnet
(2007).
34 Sarlet (2007), p. 144.
35 Sarlet (2007), p. 134.
36 Sarmento (2010), p. 264.
278 I. A. Hartmann
37 “The ‘notice and take-down’ system, however, is flawed because it allows arbitrary removal of
content based on a simple complaint made by the interested person, without the necessary due
process of law. Furthermore, it is a system that condones censorship, temporary or permanent, or
else intimidates or restricts freedom of expression.” Mulholland (2017), p. 179.
38 Citing several case studies and research, see Seltzer (2010), p. 171. Seltzer advises against an
even worst scenario of strict liability: “Moreover, the chilling effect analysis indicates that over-
deterrence is a problem deeper than the DMCA notice-and-takedown regime; it is a problem endemic
to copyright law and its secondary liabilities. As copyright expands in scope, time, and breadth,
its erroneous application and the chill of secondary liability assume greater significance.” Seltzer
(2010), p. 227.
39 Sarmento (2010), p. 267.
40 Alexander (2016).
41 Sarmento (2010), p. 329.
42 This happened in 2011 (Lee 2011) and again in 2013, when the picture was actually posted in
the page of Brazil’s largest newspaper (Facebook Deletes Folha’s Post on Gay ’Kiss-in’, Folha de
Self-regulation in Online Content Platforms and the Protection … 279
respect the right to equality on a very basic level, in order to prevent hateful discrim-
ination, but also the right to freedom of expression. The Brazilian Constitution, for
example, could be interpreted to impose limits on social media companies’ sanitizing
censorship that casts a wide net over online daily interaction.
A fourth guideline is the extent to which the relationship between the private
parties has characteristics that place it closer to the public sphere.43 The case of
content platforms that host third party speech, there is a deep connection with
democratic practice in the public sphere which would favor direct efficacy binding
the administrators of social networks and other websites to the protection of the
fundamental right to freedom of expression.
Another possible solution is the adoption of direct efficacy of fundamental rights
in private relations only in as much as the protection of human dignity is concerned,
as Jörg Neuner proposes in German law.44 This is an example of the profitable
coexistence between direct and indirect efficacy, even if certain aspects of German
law do not translate entirely well into other national legal orders. In any event, it
seems relevant that there is a connection between the defining role that free speech,
image and privacy play in individual identity, on the one hand, and human dignity,
on the other.
We must however understand the parts filled by the state and different private
actors online. Lessig indicates that the internet was conceived by engineers and
academics who resented control, funded by the military, which had the goal of
creating a decentralized network. Its configuration, its code, as a result, was struc-
tured in a way that created the free and democratic environment of the early days
of the World Wide Web. However, once corporate interests were added to the equa-
tion, the code began to be altered to allow privileges to those with larger financial
resources.
The relationship between this fear and the efficacy of fundamental rights in
private relations lies in the fact that the state often stimulates, pressures or even
forces telecommunication companies, access providers and content providers, among
others, to perform changes in the code in detriment to basic liberties—while it
remains merely an indirect violator of freedom of access. In other cases compa-
nies who own intellectual property pressure social networks such as Youtube into
adopting architecture rules that protect copyrights even at the cost of basic levels of
free speech.
The complexity of problems associated with online self-regulation systems might
require a new model of constitutional rights’ efficacy to be applied to private relations.
Vagias Karavas brings bold contributions, enumerating several new contexts for the
protection of fundamental rights between private parties in the networked society
(Castells). He believes even the Claus-Wilhelm Canaris’ theory of protection duties
would result in a failed scenario where the state contemplates the individual as a mere
54 Hartmann (2015).
Self-regulation in Online Content Platforms and the Protection … 283
4 Conclusion
to sort out content. There are solutions for accountability, however.58 It is currently
impossible to avoid that software plays a role in making judgement calls about the
quality expression, including the protection of honor and hate speech. But it is not
impossible to prevent lack of accountability for the ways the private platforms design,
improve and operate algorithms.
One last example of an extremely popular topic should drive the point home.
The part played by users as moderators in a code-enforced self-regulation of content
system solves the problems of platforms when it is too risky for them to filter content,
as they are unsure of what criteria to employ or whether their action might have its
legitimacy questioned. Actively filtering themselves might bring political in addi-
tion to financial costs. That is the challenge of fake news for private social media
companies today. Self-regulation with users at the helm is the strategy adopted by
Facebook to tackle fake news. About figuring out what content to classify as fake
news, Mark Zuckerberg informed that.
We could try to make that decision ourselves, but that’s not something we’re comfortable with
(…) We considered asking outside experts, which would take the decision out of our hands
but would likely not solve the objectivity problem. We decided that having the community
determine which sources are broadly trusted would be most objective.59
Seen through the lenses of traditional legal concepts, this might look like an
example of regular outsourcing. What I propose is that it should be acknowledged
as a two-way relationship that is both necessary and efficient, especially because the
future of speech moderation is to be found on regulation and not on isolated judicial
review of millions of posts, pictures and videos. It seems this is the best way forward
in the fight against fake news. One of the few academic works already published in
the wake of the 2016 presidential election in the United States, concerning the legal
aspects of restricting fake news points to promising structural regulation solutions
instead leaving it all exclusively to courts,60
References
Alexander L (2016) Facebook’s censorship of Aboriginal bodies raises troubling ideas of ‘decency’.
Available via The Guardian 23 March 2016. https://www.theguardian.com/technology/2016/mar/
23/facebook-censorship-topless-aboriginal-women. Accessed 11 Jan. 2022
Andrade J (1987) Os direitos fundamentais na constituição portuguesa de 1976. Almedina, Coimbra
Annany M, Crawford K (2016) Seeing without knowing: limitations of the transparency ideal and
its application to algorithmic accountability. New Media Soc. https://doi.org/10.1177/146144481
6676645
tising networks, social media companies, and other Internet partners enact and enforce their own
restrictions relevant to the publication of fake news.” Klein and Wueller (2017), p. 10.
Self-regulation in Online Content Platforms and the Protection … 285
Balkin J (2004) Digital speech and democratic culture: a theory of freedom of expression for the
information society. New York Univ Law Rev 79(1):1–55
Balkin J (2009) The future of free expression in a digital age. Pepperdine Law Rev 36:427–444
Barzilai-Nahon K (2008) Toward a theory of network gatekeeping: a framework for exploring
information control. J Am Soc Inform Sci Technol 59:1493–1512
Belli L, Zingales N (eds) (2017) Platform regulations: how platforms are regulated and how they
regulate us. Official outcome of the UN IGF dynamic coalition on platform responsibility. Escola
de Direito do Rio de Janeiro da Fundação Getulio. Vargas, Rio de Janeiro
Belli L (2015) A heterostakeholder cooperation for sustainable internet policymaking. Internet
Policy Rev 4(2):1–21
Binenbojm G (2016) Poder de Polícia. Ordenação. Regulação. Transformações Político-jurídicas,
econômicas e institucionais do direito administrativo ordenador. Fórum, Belo Horizonte
Canaris CW (2003) Direitos fundamentais e direito privado. Almedina, Coimbra
Canotilho JJG (2003) Direito constitucional e teoria da constituição, 7th edn. Almedina, Coimbra
Davidson T et al (2017) Automated hate speech detection and the problem of offensive language. In:
Proceedings of the 11th international AAAI conference on web and social media (ICWSM-17).
https://arxiv.org/abs/1703.04009. Accessed 11 Jan. 2022
Diakopoulos N (2016) Accountability in algorithmic decision making. Commun ACM 59(2):56–62
Ellis E (2017) The alt-right’s newest ploy? Trolling with false symbols. Available via Wired 10 May
2017. https://www.wired.com/2017/05/alt-rights-newest-ploy-trolling-false-symbols/. Accessed
11 Jan. 2022
Hartmann IA (2015) Liberdade de Manifestação Política e Campanhas: É preciso atenção aos
algoritmos. In: Falcão J (ed) Reforma Eleitoral no Brasil. Civilização Brasileira, Rio de Janeiro
Hartmann IA (2017) Let the users be the filter? Crowdsourced filtering to avoid online intermediary
liability. J Oxford Centre Socio-Legal Stud 1:21–47
Hartmann IA (2020) A new framework for online content moderation. Comp Law Secur Rev
36:1–10
Hockett R, Omarova S (2013) “Private” means to “public” ends: governments as market actors.
Cornell Law School research paper no, pp 13–84. http://ssrn.com/abstract=2222444. Accessed
11 Jan. 2022
Jolls C (2007) Behavioral law and economics. Public law and legal theory paper no. 130. http://
ssrn.com/abstract=959177. Accessed 11 Jan. 2022
Karavas V (2007) Digitale Grundrechte. Elemente einer Verfassung des Informationsflusses im
Internet. Nomos, Baden-Baden
Khal (2017) Why do people keep connecting Taylor Swift’s new song to the alt-right? Complex 29
August 2017. http://www.complex.com/music/2017/08/why-do-people-keep-connecting-taylor-
swift-new-song-to-the-alt-right. Accessed 11 Jan. 2022
Klein D, Wueller J (2017) Fake news: a legal perspective. J Internet Law 20(10):6–12
Kleinwächter W (2009) Internet co-governance. Towards a multilayer multiplayer mechanism of
consultation, coordination and cooperation (M3C3) In: Mansell R (ed) The information society,
vol III (Democracy, governance and regulation). Routledge, London
Ladeur KH (2009) Der Staat der „Gesellschaft der Netzwerke“. Zur Notwendigkeit der Forten-
twicklung des Paradigmas des „Gewährleistungsstaates“. Der Staat 48(2):163–192
Lee A (2011) Facebook apologizes for censoring Gay Kiss photo. The Huffington Post 19 April
2011. https://www.huffpost.com/entry/facebook-gay-kiss_n_850941. Accessed 11 Jan. 2022
Lessig L (1996) The zones of cyberspace. Stanford Law Rev 48:1403–1411
Lessig L (1998) The new Chicago school. J Leg Stud 27(2):661–691
Lessig L (2006) Code. Version 2.0. Basic Books, New York
Lessig L (2009) Remix: making art and commerce thrive in the hybrid economy. Penguin Books,
London
MacKaay E (2000) History of law and economics. In: Bouckaert B, De Gheest G (eds) Encyclopedia
of law and economics, vol 1. Edward Elgar, Cheltenham, pp 65–117
286 I. A. Hartmann
Mueller M et al (2007) The internet and global governance: principles and norms for a new regime.
Glob Gov 13(2):237–254
Mulholland C (2017) Secondary liability of service providers in Brazil: the effect of the civil rights
framework. In: Dinwoodie G (ed) Secondary liability of internet service providers. Springer, New
York, pp 171–184
Neuner J (2007) A influência dos direitos fundamentais sobre o direito privado alemão. In: Sarlet
IW, Neuner J, Monteiro A (eds) Direitos fundamentais e direito privado. Uma perspectiva de
direito comparado. Almedina, Coimbra
Ogus A (1995) Rethinking self-regulation. Oxf J Leg Stud 15(1):97–108
Parker G, Van Alstyne M, Choudary S (2016) Platform revolution: how networked markets are
transforming the economy and how to make them work for you. W. W. Norton & Company, New
York
Pasquale F (2016) The black box society: the secret algorithms that control money and information.
Harvard University Press, Cambridge
Pereira J (2006) Apontamentos sobre a aplicação das normas de direito fundamental nas relações
jurídicas entre particulares. In: Barroso L (ed) A nova interpretação constitucional. Ponderação,
direitos fundamentais e relações privadas. Renovar, Rio de Janeiro
Pinto PM (2007) A influência dos direitos fundamentais sobre o direito privado português. In:
Sarlet IW, Neuner J, Monteiro A (eds) Direitos fundamentais e direito privado. Uma perspectiva
de direito comparado. Almedina, Coimbra
Reynolds M (2016) Yahoo’s anti-abuse AI can hunt out even the most devious online trolls. Available
via Wired 29 July 2016. http://www.wired.co.uk/article/yahoo-online-abuse-algorithm. Accessed
11 Jan. 2022
Sarlet IW (2005) Constituição e Proporcionalidade: o direito penal e os direitos fundamentais entre
proibição de excesso e de insuficiência. Boletim da Faculdade de Direito da Universidade de
Coimbra 81:325–386
Sarlet IW (2006) A eficácia dos direitos fundamentais, 6th edn. Livraria do Advogado, Porto Alegre
Sarlet IW (2007) A influência dos direitos fundamentais no direito privado: o caso brasileiro. In:
Sarlet IW, Neuner J, Monteiro A (eds) Direitos fundamentais e direito privado. Uma perspectiva
de direito comparado. Almedina, Coimbra
Sarmento D (2010) Direitos fundamentais e relações privadas, 2nd edn. Lumen Juris, Rio de Janeiro
Seltzer W (2010) Free speech unmoored in copyright’s safe harbor: chilling effects of the DMCA
on the first amendment. Harvard J Law Technol 24:171–232
Shaw A (2012) Centralized and decentralized gatekeeping in an open online collective. Polit Soc
40:349–388
Solon O (2017) Facebook asks users for nude photos in project to combat ‘revenge porn’. Available
via The Guardian, 7 November 2017. https://www.theguardian.com/technology/2017/nov/07/fac
ebook-revenge-porn-nude-photos. Accessed 11 Jan. 2022
Stiglitz J (2009) Regulation and failure. In: Moss D, Cisternino J (orgs) New perspectives on
regulation. The Tobin Project, Cambridge, pp 11–23
Teubner G (2004) Societal constitutionalism: alternatives to state-centered constitutional theory?
In: Joerges C, Sand IJ, Teubner G (eds) Constitutionalism and transnational governance. Hart
Publishing, Oxford, pp 3–28
Tiku N (2018) Facebook’s latest fix for fake news: ask users what they trust. Available via Wired 19
January 2018. https://www.wired.com/story/facebooks-latest-fix-for-fake-news-ask-users-what-
they-trust. Accessed 11 Jan. 2022
Tushnet M (2007) Weak courts, strong rights: judicial review and social welfare rights in comparative
constitutional law. Princeton University Press, Princeton
Wu T (2003) When code isn’t law. Virginia Law Rev 89:103–170
Self-regulation in Online Content Platforms and the Protection … 287
Ivar Alberto Martins Hartmann Associate Professor at Insper Learning Institution in São
Paulo. MSc (Pontifical Catholic University Rio Grande do Sul, Brazil—PUCRS), LL.M. (Harvard
Law School), Ph.D. (State University of Rio de Janeiro, Brazil—UERJ). Main areas of research:
Cyberlaw, Legal Data Science and Constitutional Law. Selected publications: A new frame-
work for online content moderation. Computer Law & Security Review, v. 36 (2020), pp. 1–
10; Combining Ad Libraries with Fact Checking to Increase Transparency of Misinformation. In
Karanicolas, Michael (ed). Tackling the “Fake” Without Harming the “News”. Wikimedia/Yale
Law School Initiative on Intermediaries and Information (2021), pp. 67–84; A Right to Free
Internet? On Internet Access and Social Rights. Journal of High Technology Law, v. XIII (2013),
pp. 297–429; Let the Users be the Filter? Crowdsourced Filtering to Avoid Online Intermediary
Liability. Journal of the Oxford Centre for Socio-Legal Studies, v. 2017 (2017), pp. 21–47; Timing
Control without Docket Control. Journal of Law and Courts, Spring (2017), pp. 105–140 (in
collaboration with Diego Werneck Arguelhes).
Regulating Intermediaries to Protect
Personality Rights Online—The Case
of the German NetzDG
Wolfgang Schulz
Abstract Along with the shift of communication to the internet, hate speech and
misinformation are also relocating to the Net. Germany has attempted to tackle
this problem by enacting the infamous Network Enforcement Act (Netzwerk-
durchsetzungsgesetz, or NetzDG), which targets online platforms instead of indi-
vidual speakers. After providing an overview of the specific challenges presented
by internet-based communication, this chapter discusses the NetzDG’s regulatory
concept. It then critically examines the NetzDG’s compatibility with the e-Commerce
Directive and its impact on fundamental rights, namely freedom of expression.
Based on the findings, the chapter discusses human-rights-friendly alternatives to
NetzDG-style platform regulation.
1 Introduction
With the shift of communication to the internet, conflicts between freedom of expres-
sion and personality rights are also relocating to the Net. This article examines the
peculiarities of online communication and poses the question of the role of inter-
mediaries in these conflicts, both de facto and legally. Using the German Network
Enforcement Act as an example, it considers the consequences of compelling inter-
mediaries to restrict speech. Finally, the paper discusses what a human-rights-friendly
solution might look like.
W. Schulz (B)
Leibniz-Institute for Media Research | Hans Bredow-Institut, Rothenbaumchaussee 36, 20148
Hamburg, Germany
e-mail: schulz@hiig.de
For lawyers—as opposed to politicians, from time to time—it is evident that what
is illegal offline is also illegal online. This is especially true for libel, defamation
and other privacy and personality rights infringements. Nevertheless, internet-based
communication is structurally different in ways that may lead to a reassessment of
existing rules and of the traditional means of implementing legal requirements.1 The
following attributes set online communication apart from offline communication:
Volume—The sheer number of cases can become a structural challenge. Face-
book, to take an example, stated that it makes over 100,000 content-related deci-
sions per month in the German version of Facebook alone.2 This means that the
suggestion of letting domestic courts decide on all content-related user-user or
user-platform conflicts must be ruled out as a solution.
Acceleration—While some content put on a social media platform might never be
read by anyone apart from the authors, some posts can go viral across platforms
and reach many people in a very short period of time.3 Therefore, governance
mechanisms have to come into effect quickly, before the content has been widely
distributed, since one can assume that after its distribution the content cannot be
located and addressed. There are currently no effective mechanisms to control
access to content after distribution.4
Observability—Online communication makes it easy for third parties or even for
the general public to observe communication among groups or between individ-
uals. This has made services like rating platforms possible but also poses distinct
challenges: observers may not know the contexts in which and the social rules
under which individuals or groups discuss. Many of society’s problems with the
internet in general and social media in particular result from the fact that previously
private and localized discussions, for instance at the pub or the dinner table, are
now visible to everyone, with all their exaggerations, polemics and stereotypes.
Persistence—It has become a popular saying that the internet never forgets. This
is true in the sense that at least so far, there is no technology that can ensure
that a piece of information can be deleted from all servers, wherever they are.
The so-called “right to be forgotten” is no more than a right to deletion that can
provide a data subject with a claim against a particular controller.5 However, while
search engines can help make the information in question far harder to find, this
information is not gone.
Attribution Problems—It can be hard to identify a speaker online, for instance
if one wants to file a claim against him or her. Even if there is a clear name policy,
this does not mean that the users are identifiable through their username in online
communication. Anonymity is common online, and many users state that the
option of not disclosing their real name is essential for many of the functions that
the internet fulfils for public communication.6 Often it is also unclear whether
other actors, like the platform providers, are claiming ownership of a piece of
information as well, making attribution difficult.
Weak Social Control—Coupled with the attribution problem is the aspect of
social control. Legal concepts like privacy and its protection depend for their
implementation largely on the internalization of relevant norms. Social norms and
social control make the main difference, not legal enforcement. Those mechanisms
might be weaker online, especially when the speakers do not know each other in
“real life”. There are studies that show that when people communicate in anony-
mous forums, they are more uninhibited—and ultimately more hurtful—than
usual.7
Jurisdiction Issues—As a global technical medium, the internet enables anyone
to access any content, at least in principle. Although people initially worried
about the internet being a legal vacuum, it has now become apparent that, to the
contrary, its main challenge is that legal regimes of all nation-states can apply at
the same time. Since legal systems frame privacy in different ways, there is a risk
of jurisdictional conflicts.8
These are only some important structural characteristics of online communica-
tion. Against this background, there are political initiatives to tackle the problem of
harmful content online, including content that infringes on the privacy of others. The
effects mentioned above make it unlikely that the problem can be solved by means
of traditional legal instruments, e.g. users suing each other in domestic courts. The
attention of policymakers has therefore turned to the actors that might solve the
problem in an easy way: the providers of the intermediary services, like social media
platform providers.9 These providers generally have mechanisms in place to assess
the conformity of content with their own community standards, they can act before
things go viral and they can respond even if the user who posted the content cannot
be identified.10 Addressing the intermediaries is supposedly the easy way.
This article focuses on approaches within the European Union, especially Germany.
Under Articles 12 to 14 of Directive 2000/31/EC (e-Commerce Directive), there is a
6 Especially emphasized by the German Federal Court (BGH) in its spickmich.de decision, BGH
23.06.2009 – VI ZR 196/08.
7 Cf. Pötzsch (2010).
8 For a comprehensive discourse on the topic, see Internet & Jurisdiction Policy Network (2018).
9 Cf. Schulz (2019), p. 9.
10 Balkin (2018a), p. 2019.
292 W. Schulz
limit to the liability of service providers for third-party content.11 The e-Commerce
Directive (Article 14) has led to the development of notice-and-takedown procedures,
but it does not regulate them in detail. Even though there are differences in scope
and concept, this can be seen as the European equivalent of section 230 of the
US Communications Decency Act.12 The Directive 2000/31/EC also establishes the
country of origin principle, which asserts that member states in which the service
does not originate do not have the competence to regulate the service for pursuits
that are covered by the Directive.
At the European level, the Commission has—against this background—so far
refrained from regulating intermediaries specifically but has opted to encourage
measures for self-regulation. In 2016, the Commission negotiated a Code of Conduct
on illegal online hate speech with big players of the IT industry, and it evaluates
compliance on a regular basis.13
The German government started with a similar approach, i.e. the Ministry of
Justice called on the industry to improve their complaints mechanisms. However,
the government declared in 2017 that they were not satisfied with the performance
of these self-regulatory efforts. According to the German Ministry of Justice, Face-
book in particular reacted too slowly to complaints while Twitter generally had low
response rates.14
Driven by fears that misinformation and hate messages could influence the
Bundestag15 election campaign in the autumn of 2017, the German government
hurriedly worked on a draft for the Network Enforcement Act (Netzwerkdurchset-
zungsgesetz, or NetzDG).16 Even though most experts advised against the approach
taken by this Act during a hearing at the judicial committee of the Bundestag, the
coalition used its majority to pass it before the summer recess in 2017.17 The NetzDG
came into effect on October 1, 2017, and has been fully applicable since January 1,
2018.
The NetzDG’s regulatory model has since been adopted by at least thirteen other
countries, according to a report published in 2019.18 In this sense, the German govern-
ment unintentionally created a blueprint for online censorship, which is used by both
democratic and authoritarian states.19
11 Implemented in Germany in section 8–10 TMG. Liability in such cases is contingent on the
service provider taking note of the unlawfulness of third-party content. For considerations on the
Brazilian legal situation see Schreiber (2022), in this volume.
12 Wang (2018), pp. 36–37.
13 The challenges of enforced self-regulation in terms of the rule of law principle and human rights
aspects cannot be discussed here. There is the obvious risk of states or supranational bodies like the
EU Commission trying to convince the industry to “voluntarily” implement measures that the state
could not legally enact.
14 Press release by the GMJ 2017.
15 The German Parliament.
16 Cf. Schulz (2019), pp. 10f.
17 Bundesgesetzblatt (BGBl.) Jahrgang 2017 Teil I Nr. 16, issued September 07 2017, 3352.
18 Mchangama and Fiss (2019).
19 Cf. Mchangama and Fiss (2019).
Regulating Intermediaries to Protect Personality Rights Online—The Case … 293
The Act defines the social networks that fall within its scope: some rules are applicable
only to big networks (based on the number of users in Germany), some to all. There is
no definition of hate speech or fake news; instead, the act refers to existing definitions
of criminal offences under the German Criminal Code. There is a long list of offences
covered by the Act, partly aiming to protect general rights and public safety, partly
safeguarding individuals’ rights, such as insult, slander and defamation (section 185–
189 German Criminal Code). The latter are the link to protecting privacy, which is
the main focus of this article.
The Act also specifies that the provider of a social network must maintain an
effective and transparent procedure for handling complaints over unlawful content.
This is the main obligation under the Act. While early draft versions of the Act
determined that providers would violate their obligations if they failed to deal with
individual cases properly, it is now the obligation of the platform providers to provide
a functioning complaints system.
The NetzDG specifies that a functioning complaints system shall provide the
following: providers have to ensure that they delete manifestly unlawful content
within 24 h after a complaint has been filed. When content is not manifestly unlawful
but still unlawful, deletion has to be achieved within seven days. The review period
may exceed seven days if more time is required for the decision-making process.
Providers may also make use of a system of self-regulation in this case, in order to
reduce “overblocking”.
The inclusion of an element of self-regulation follows a debate in the lawmaking
process in which critics suggested using a model of co-regulation from German minor
protection law, which is widely regarded as a success, as an alternative to the NetzDG
approach. Under this scheme, the providers can form a self-regulatory body that
takes on monitoring and sanctioning responsibilities. State-appointed supervisory
authority is shifting towards providers engaging in self-regulation.20 Lawmakers,
however, only included the above-mentioned notion of self-regulation but did not
build on the regulation established for minor protection. In March 2020, the Frei-
willige Selbstkontrolle Multimedia-Diensteanbieter (FSM) was accredited as a self-
regulatory body by the Federal Office of Justice and has made a number of content
decisions since then.21
Under the NetzDG, providers of social networks must immediately name a person
authorized to receive complaints in the Federal Republic of Germany as well as a
point of contact for law enforcement.
Providers of social networks that receive more than 100 complaints over unlawful
content per calendar year must also produce biannual German-language reports on
the handling of complaints.
The Federal Office of Justice, which is directly subordinated to the Ministry of
Justice, oversees the implementation of the Act. Breaches of the obligations under
sec. 2 para 1 or of the obligation to remove unlawful content can be punished with
a regulatory fine of up to fifty million euros.22 Fines can only be issued in cases
of systematic failure of the complaints handling system. The administrative offence
may be sanctioned even if it is not committed in the Federal Republic of Germany.
As of January 2020, the Federal Office of Justice reportedly initiated around 1300
procedures against social network providers based on violations with their NetzDG
obligations.23 Thus far, only Facebook was sanctioned with a fine of 2 million euros
in July 2019.24
Furthermore, the NetzDG establishes a right to disclosure: anyone whose general
personality rights have been violated by criminal offences covered by the Act will,
as a rule, be able to demand that the social network in question disclose details of
the person that committed the offence. Such entitlement to information is founded
on existing general principles of civil law, in particular on the principle of good
faith and the law of torts, within the bounds set by data protection rules. However,
prior to the NetzDG and the corresponding amendment of the German Telemedia
Act (TMG), the courts held that there was no legal basis under data protection law
to allow the operators of online platforms to disclose the subscriber information
(“Bestandsdaten”) of anonymous users.25 Injured parties therefore had to first lodge
a criminal complaint in order to find out the name and address of the perpetrator.
With the NetzDG, the right to disclosure can actually be asserted. Operators of
social networks are no longer restricted by data protection law and may disclose the
subscriber information of the infringer to the injured party under sec. 14 para 3 TMG.
In order to do so, however, a civil court with jurisdiction over the matter must have
ruled the disclosure to be permissible under sec. 14 para 4 TMG (judicial scrutiny
reservation).26
Building on the practical experience gained since the NetzDG entered into force,
the German parliament passed a bill to amend the Act in June 2021.27 Importantly,
the changes obligate providers of social networks to provide a more user-friendly
complaints mechanism under sec. 3b NetzDG. This requirement is not just formu-
lated for the types of unlawful content the NetzDG initially covered, but also extends
to removals of content for the violation of terms of service pursuant to sec. 3b
22 The fine complies with section 4 para 2 NetzDG: it refers to section 30 para 2 OWiG and hence
the fine can add up to 50 million euros.
23 Neuerer (2020).
24 Federal Ministry for Justice (2019); Facebook filed an appeal against the order.
25 Rixecker (2018), Rt. 318.
26 Whether this is helpful or not depends on what information the provider itself has, i.e. whether
para. 3 NetzDG. In its amended form, sec. 2 para. 2 NetzDG now also imposes
more stringent transparency reporting obligations on providers, including informa-
tion regarding the use of automated content moderation systems (no. 2), the results
of counter-notification procedures (no. 11 et seq.) and extended explanations on
the interpretation of terms of service and their compliance with German civil law
requirements (no. 16, no. 17).
Most of these amendments, such as improved transparency obligations, are
welcome.28 Nonetheless, the legislator failed to address more fundamental concerns
regarding the NetzDG; arguing that there was no evidence for overblocking, it left
the Act’s core regulatory approach untouched.
In a separate legislative package that was passed recently, the German Bundestag
even broadened the scope of unlawful content under the NetzDG by amending the
German Criminal Code.29 The new law also obligates social network providers to
report certain potentially criminal content to the Federal Criminal Police Office
(BKA), thus raising concerns regarding a chilling effect on online speech.30
Apart from the more formal points—including the notion that the federal state
in Germany lacks legislative competence to regulate the issue31 and the NetzDG
being invalid for an infringement of Article 5 para 1 (EU) 2015/1535 because crim-
inal offences and the concept of regulated self-regulation were added without re-
notification of the EU Commission32 —criticism of the NetzDG mainly refers to
violations of the e-Commerce Directive and to fundamental rights concerns.33 As
discussed above, the recent amendments of the NetzDG do not manage to alleviate
these concerns.
dissenting opinion see Roßnagel et al. (2017), p. 9, arguing that the law does not regulate content
but only substantiates sec.10 TMG, which is itself a (lawful) federal provision.
32 Member states must notify again a draft which has already been examined under the provisions of
Article 5 para 1 (EU) 2015/1535, if they make significant amendments to the draft in the following:
the third subparagraph of Article 5 para 1 specifies that amendments made to the text are considered
significant if they have the effect of altering its scope, shortening the timetable originally envisaged
for implementation, adding specifications or requirements, or making the latter more restrictive (cf.
CJEU in case C-433/05, Lars Sandström). Criminal offences protecting the state’s reputation were
removed (section 90, 90a, 90b StGB) and section 201a StGB was added on the recommendation
of the parliamentary committee on legal affairs on 28th June 2017, which can be regarded as a
“significant change” under Article 5 para 1 (EU) 2015/1535.
33 See the Statement by Digitale Gesellschaft e.V (2017), p. 3. See also the statements by BVDW
e.V (2017), pp. 1f, and OSCE (2017), pp. 8f, as well as Article 19 (2017), pp. 12ff and Global
Network Initiative (2017).
296 W. Schulz
The assessment of European Law focuses on the liability privilege under Article 14
e-Commerce Directive. According to Article 14, hosting services can incur liability
if the provider has positive knowledge of illegal content. It loses this privilege if
it does not react “expeditiously”. This leads to the question of whether member
states substantiate the term “expeditiously” when naming specific time frames, like
the German NetzDG demands, or whether they are deferring to the e-Commerce
Directive, which might have specifically opted not to give a rigid time frame.34
There is good reason to believe that Germany overstepped the mark because the
whole purpose of the directive is to harmonize cross-border service provision in
Europe. Introducing different time frames in different member states would obstruct
that aim.35
Even if member states were able to substantiate the time frame, under the e-
Commerce Directive the country of origin would be responsible for ensuring the
provider’s compliance with its legal framework. Other member states could only
enforce their regulation under the exemption clause of Article 3 para 4 e-Commerce
Directive. This exception is, however, restricted to individual cases and does not
allow member states to establish their jurisdiction “through the back door”.36
The obligation to name a domestic authorized recipient might also violate Article
3 e-Commerce Directive and hamper the freedom of establishment as laid down in
the EU treaties.37
and Political Rights (ICCPR), see Kaye (2017) and Article 19 (2017), pp. 5ff.
Regulating Intermediaries to Protect Personality Rights Online—The Case … 297
when they are implementing and applying Union law. Freedom of speech is
protected under Article 11 para 1 ChFR.
The National Constitution, here the Grundgesetz (GG, Basic Law)—all laws,
including the NetzDG, have to be in accordance with it. Freedom of speech is
protected under Article 5 para 1 GG.
These three spheres of human rights protection in Europe—national, suprana-
tional, and international—overlap and intertwine. This peculiar architecture makes
it difficult to grasp the relationship between the frameworks and the interplay between
the different courts.39 For instance, the normative hierarchy between the provisions
of the Basic Law and those of the ECHR does not automatically lead to the inap-
plicability of the latter in case of a potential conflict with the former; due to the
commitment of the—hierarchically superior—Basic Law to international treaties,
the fundamental rights of the Basic Law instead need to be interpreted in such a way
as to accommodate the guarantees of the ECHR to the largest extent possible.40
This analysis will not go into specifics regarding freedom of speech guarantees
under those fundamental rights systems but will only name points of criticism that
might be relevant in all legal assessments. The complexity of the analysis is also
increased by the fact that fundamental rights interests of various actors are involved:
(1) The “victim” offended by speech on the platform, which might or might not
also be the complainant,
(2) the provider of the social media platform,
(3) the author of illegal content that is taken down,
(4) the author of legal content that is (wrongly) taken down,
(5) the recipients of content.
The legal status of intermediaries like social media services under freedom of speech
protection is still unclear.41 They clearly enjoy freedom of speech protection for
their own statements on the platform, but whether the provision of the platform as
such and specific functions provided for the users are protected as well is heavily
debated.42 This especially pertains to the curation of social media content, such
as Facebook’s News Feed, since the editorial decisions taken by intermediaries
might also be protected. Furthermore, intermediaries enable or at least facilitate
the communication of others and might therefore indirectly fall within the scope of
free speech guarantees.43 The central question is therefore whether an establishment
been deemed liable for anonymous defamatory comments posted under an article on their website.
42 Schulz (2019), p. 15.
43 Schulz (2017), p. 375.
298 W. Schulz
44 See Ladeur and Gostomzyk (2017), pp. 32ff and 93f for an emphasis of (and an argument for the
violation of) the provider’s fundamental right to occupational freedom.
45 Cf. Reporter ohne Grenzen (2017), pp. 7f; Ladeur and Gostomzyk (2017), pp. 76f.
46 Cf. Schulz (2019), p. 12.
47 Steinlechner (2018).
48 For a more nuanced analysis based on platforms’ transparency reports see Gollatz et al. (2018)
decisions.
51 Jarass (2018), Rt. 7.
Regulating Intermediaries to Protect Personality Rights Online—The Case … 299
case. Furthermore, the providers lack information about the context, as well as the
necessary information-gathering tools, to make a proper assessment.52
Early versions of the draft contained a specific obligation to ensure that similar
content would not be uploaded again. This triggered fears of overblocking since the
most effective way of doing this is by using upload filters, which, at the current
state of development, fail to detect irony or critical reference to content.53 This part
of the draft has been removed, but the current legislation still requires that similar
content on the platform should be detected and removed, which again is best achieved
by automated systems that are as of yet not context-sensitive. Concerns therefore
remain that platforms will resort to (semi-)automated flagging systems that can have
a substantial impact on the final outcome of content removal decisions.54
If an encroachment on fundamental rights occurs and we seek to assess whether it
is justified, we have to perform a proportionality test. At least according to German
methodology, the first step of that test is to see whether the legislation follows a “legit-
imate aim”. While helping to enforce criminal law certainly constitutes a legitimate
aim, reducing the impact of criminal acts—as the NetzDG mainly does—might also
be legitimate. It is noteworthy, however, that the official explanatory memorandum
for the NetzDG begins by referring not to this aim, but rather to the need to maintain a
culture of political debate. This is understandable given the rise of right-wing populist
movements at the time the law was passed. However, the desire to protect political
culture, plausible as it is, does not suffice to limit human rights; it instead burdens
the NetzDG with the complexity of moral aspirations.55 It is not the responsibility
of the state to govern the style and civility of debate in society. However, if there
is indeed a structural risk to the freedom and openness of debate, state intervention
might be justified.
Another point of criticism is that the Federal Office of Justice has a crucial
role to play in the enforcement of the Act and reports directly to the Minister of
Justice, making it by no means politically independent.56 This is especially notable
in Germany, where the independence of the media system is firmly protected by
the Federal Constitutional Court, one of the reasons being the historical use of new
media during the Nazi dictatorship.57
These are only the broad lines of criticism, showing the structural problems
with this kind of regulation. It can thus already be said that trying to make use
of intermediaries might not be the silver bullet after all.58
of an interference with fundamental rights as any act by the state that makes the exercise of the
affected right impossible or substantially more difficult. Cf. Grabenwarter (2017), Rt.100.
63 Cf. Iqbal et al. (2018).
64 See. Dewey (2016) on how YouTube uses automated takedown measures and the complications
Privacy infringements are a special case since, at least in Germany, the constitution
demands a proper construction of the meaning of the statement in question. This in
turn requires, as mentioned before, an assessment of the context.65 It makes, to take
an example, a big difference for the legal assessment whether critical reflection or
irony is involved. Child pornography is one of the few examples for which no context
is conceivable that would justify publication.
A widely discussed case in Germany regards a selfie taken by a refugee with
Chancellor Angela Merkel. This picture was circulated by right-wing groups along
with the false statement that this particular refugee was involved in terrorist activities;
this post went viral. Much of the ensuing discussion about the case also used the
picture. As a result, using the indicator of this picture in connection with the word
“terrorist” would lead to the removal of many posts that critically examined the use
of the image by right-wing extremists.
In consequence, the state of the art in context detection thus becomes the
determining factor for an automated system to produce legally acceptable results.
Despite significant progress in the field of artificial intelligence, it appears that there
are currently no systems that can detect irony66 and critical references to illegal
content with sufficient certainty. Therefore, the legal assessment—especially the
proportionality of a measure—depends on the technological state of the art.
This is not unheard of, but legal requirements for content regulation are among
the rare cases for which it becomes relevant on a constitutional level. This has to be
taken into account when discussing a human-rights-compatible solution for privacy
challenges online.
65 This means, inter alia, that due to the importance of this right for a democratic society, where
different interpretations of a statement are equally possible, one must assume the one that is still
protected by freedom of speech. Cf. Grabenwarter (2017), Rt.139f. In Germany, the Federal Consti-
tutional Court has established a nuanced test system for assessing ambiguous statements, Order of
25 October 2005 – 1 BvR 1696/98—(see also Hochhuth (2006)).
66 Van Hee, Lefever and Hoste (2018).
302 W. Schulz
67Available at: https://rm.coe.int/1680790e14. (accessed 11 Jan. 2022). The author of this article
was the chairman of the Committee that drafted the Recommendation.
Regulating Intermediaries to Protect Personality Rights Online—The Case … 303
do not act expeditiously to restrict access to content or services as soon as they become
aware of their illegal nature, including through notice-based procedures. State authorities
should ensure that notice-based procedures are not designed in a manner that incentivises
the take-down of legal content, for example due to inappropriately short timeframes. Notices
should contain sufficient information for intermediaries to take appropriate measures. Notices
submitted by states should be based on their own assessment of the illegality of the notified
content, in accordance with international standards. Content restrictions should provide for
notice of such restriction being given to the content producer / issuer as early as possible,
unless this interferes with ongoing law-enforcement activities. Information should also be
made available to users seeking access to the content, in accordance with applicable data
protection laws.
This statement offers several valuable points, including the need to specify complaints
and the explicit mention of the time frame, which have been some of the main points
of criticism of the NetzDG approach.
5 Conclusions
The core of the legal assessment of measures taken by the state is the proportionality
test. The Council of Europe Recommendation already marks some consequences
of applying the test. Conflicts between privacy and freedom of communication are
especially delicate because of their sensitivity to context. Intermediaries do not have
the knowledge base to carry out a proper assessment and technical means are not yet
available. In consequence, measures that lead to an ad hoc assessment and/or to the
use of technology for content moderation will not meet the proportionality test and,
as a result, violate freedom of expression. The proportionality test should also guide
the regional scope of measures.68
This insight—which is bitter for the protection of privacy—can only be mitigated
by accompanying measures. One obvious measure might be to enhance the knowl-
edge of counter speech.69 This allows for a more “informed and nuanced approach
to identifying and limiting” hate speech, e.g. based on taxonomies of actors, types of
speech and types of harm.70 In political debates, this is sometimes used as an argu-
ment against regulation without actually getting into the issue. However, extensive
research on various practices and their effects exists.71
Furthermore, it can be in the best interest of intermediaries—and should be encour-
aged by lawmakers and courts alike—to design and implement instruments of dispute
68 In its Google Spain decision (C-131/12), the CJEU purposefully limited the deletion obligation
to the search results on European search queries, leaving open the possibility of still finding the
results when using, for example, Google.com.
69 See Benesch (2014).
70 Gagliadore et al. (2015), p. 5.
71 See for example the work of Susan Benesch, especially the Dangerous Speech Project, https://
resolution so that the conflicts can be brought back to their primary parties.72 Finally,
we will almost certainly witness the adaptation of social norms to the new means of
communication. When we realise that people do not attach so much significance to
an incidental statement on an online platform, this will reduce the actual harm done
by these instances of communication and consequently reduce the need for legal
action to protect privacy online.
References
Article 19 (2017) Germany: the act to improve enforcement of the law in social networks—
legal analysis. https://www.article19.org/wp-content/uploads/2017/09/170901-Legal-Analysis-
German-NetzDG-Act.pdf. Accessed 11 Jan. 2022
Balkin J (2018a) Free speech is a triangle. Columbia Law Rev 118:2011–2056
Balkin J (2018b) Free speech in the algorithmic society: big data, private governance, and new
school speech regulation. UCLA Law Rev 51:1149–1209
Benesch S (2014) Countering dangerous speech: new ideas for genocide prevention. https://www.
ushmm.org/m/pdfs/20140212-benesch-countering-dangerous-speech.pdf. Accessed 11 Jan.
2022
Bitkom (2017) Stellungnahme zum Regierungsentwurf NetzDG. https://www.bitkom.org/Bitkom/
Publikationen/Stellungnahme-zum-Regierungsentwurf-NetzDG.html. Accessed 11 Jan. 2022
Bundesverband Digitale Wirtschaft e.V. (2017) Stellungnahme zum Entwurf eines Gesetzes
zur Verbesserung der Rechtsdurchsetzung in sozialen Netzwerken des BMJV vom 14. März
2017. https://www.bmjv.de/SharedDocs/Gesetzgebungsverfahren/Stellungnahmen/2017/Dow
nloads/03302017_Stellungnahme_BVDW_RefE_NetzDG.pdf?__blob=publicationFile&v=2.
Accessed 11 Jan. 2022
Cheung A, Schulz W (2018) Reputation protection on online rating sites. Stanford Law Technol J
Dewey C (2016) How we’re unwittingly letting robots censor the web. https://www.washingto
npost.com/news/the-intersect/wp/2016/03/29/how-were-unwittingly-letting-robots-censor-the-
web/?noredirect=on&utm_term=.e1efcfb456a2. Accessed 11 Jan. 2022
Digitale Gesellschaft e.V. (2017) Stellungnahme zum Referentenentwurf des Bundesministeriums
der Justiz und für Verbraucherschutz für ein Gesetz zur Verbesserung der Rechtsdurchset-
zung in sozialen Netzwerken. https://digitalegesellschaft.de/wp-content/uploads/2017/03/Stellu
ngnahme_DigiGes_NetzDG.pdf. Accessed 11 Jan. 2022
Duarte N, Llansó E, Loup A (2018) Mixed messages? The limits of automated social media content
analysis. https://cdt.org/files/2017/12/FAT-conference-draft-2018.pdf. Accessed 11 Jan. 2022
Elkin-Koren N (2011) Mapping the frontiers of governance in social media. Draft paper prepared
for the 1st Berlin symposium on Internet and society, 25–27 October 2011
Federal Ministry for Justice (2019) Bundesamt für Justiz (BfJ) erlässt Bußgeldbescheid gegen Face-
book. https://www.bmjv.de/SharedDocs/Artikel/DE/2019/070319_Facebook.html. Accessed 11
Jan. 2022
Federrath H (2015) Geoblocking und die Möglichkeiten der Technik. ZUM 59(12):929–932
Gasser U, Schulz W (2015) Governance of online intermediaries—observations from a series
of National case studies. https://cyber.harvard.edu/publications/2015/online_intermediaries.
Accessed 11 Jan. 2022
72 For early encouragement of such ideas, see Lide (1996) and Perritt (2000). New perspectives cf.
Cheung and Schulz (2018). For the advantages of modes of self-regulation see Article 19 (2017),
p. 11. Cf. also for a proposal to establish self-regulation mechanisms through code Hartmann (2022),
in this volume.
Regulating Intermediaries to Protect Personality Rights Online—The Case … 305
Gagliadore I, Gal D, Alves T, Martinez G (2015) Countering online hate speech. http://unesdoc.
unesco.org/images/0023/002332/233231e.pdf. Accessed 11 Jan. 2022
German Bar Association DAV (2017) Stellungnahme des Deutschen Anwaltsvereins durch die
Ausschüsse Informationsrecht und Strafrecht – Regierungsentwurf des Bundesministeriums der
Justiz und für Verbraucherschutz – Entwurf eines Gesetzes zur Verbesserung der Rechtsdurch-
setzung in sozialen Netzwerken (Netzwerkdurchsetzungsgesetz – NetzDG). https://www.cr-onl
ine.de/DAV_SN_41-2017.pdf. Accessed 11 Jan. 2022
German Federal Ministry of Justice and Consumer Protection (2017) Löschung von strafbaren
Hasskommentaren durch soziale Netzwerke weiterhin nicht ausreichend. https://www.bmfsfj.de/
bmfsfj/aktuelles/presse/pressemitteilungen/loeschung-von-strafbaren-hasskommentaren-durch-
soziale-netzwerke-weiterhin-nicht-ausreichend-115300. Accessed 11 Jan. 2022
Global Network Initiative (2017) Proposed German legislation threatens free expression around
the world. https://globalnetworkinitiative.org/proposed-german-legislation-threatens-free-expres
sion-around-the-world/. Accessed 11 Jan. 2022
Goel S, Anderson A, Hofmann J, Watts D (2016) The structural virality of online diffusion. Manage
Sci 62(1)
Gollatz K, Riedl M, Pohlmann J (2018) Removals of online hate speech in numbers. https://www.
hiig.de/en/removals-of-online-hate-speech-numbers/. Accessed 11 Jan. 2022
Gorwa R, Binns R, Katzenbach K (2020) Algorithmic content moderation: technical and political
challenges in the automation of platform governance. Big Data Soc. https://doi.org/10.1177/205
3951719897945
Grabenwarter C (2017) Art. 5. In: Maunz, Dürig (eds) Grundgesetz-Kommentar. Beck, München
Hartmann IA (2022) Self-regulation in online content platforms and the protection of personality
rights. In: Albers M, Sarlet IW (eds) Personality and data protection rights on the Internet.
Springer, Dordrecht, Heidelberg, New York, London (in this volume)
Heldt A (2020) Germany is amending its online speech act NetzDG… but not only that. Internet
Policy Rev. https://policyreview.info/articles/news/germany-amending-its-online-speech-act-net
zdg-not-only/1464. Accessed 11 Jan. 2022
Heldt A (2019) Reading between the lines and the numbers: an analysis of the first NetzDG reports.
Internet Policy Rev 8(2)
Hochhuth M (2006) Kein Grundrecht auf üble Nachrede – Der Stolpe-Beschluss schützt das Personal
der Demokratie. NJW, pp 189–191
Internet & Jurisdiction Policy Network (2018) Data & jurisdiction work plan. https://www.intern
etjurisdiction.net/uploads/pdfs/Papers/Data-Jurisdiction-Work-Plan.pdf. Accessed 11 Jan. 2022
Iqbal F, Marrington A, Hung P, Yankson B (2018) A study of detecting child pornography on
smart phone. In: Conference paper for the international conference on network-based infor-
mation systems. https://www.researchgate.net/publication/319268051_A_Study_of_Detecting_
Child_Pornography_on_Smart_Phone. Accessed 11 Jan. 2022
Jarass H (2018) Art. 5. In: Jarass H, Pieroth B (eds) Grundgesetz Kommentar. Beck, München
Kaye D (2018) Report of the special Rapporteur on the promotion and protection of the right to
freedom of opinion and expression
Kaye D (2017) Open letter to the German Chancellor concerning the draft law “Netzwerkdurchset-
zungsgesetz” (OL-DEU-1-2017). http://www.ohchr.org/Documents/Issues/Opinion/Legislation/
OL-DEU-1-2017.pdf. Accessed 11 Jan. 2022
Köver C (2016) Facebook verrät, wie viele Hasskommentare es wirklich löscht. https://www.wired.
de/collection/life/facebook-verraet-wie-viele-hasskommentare-wirklich-geloescht-werden.
Accessed 11 Jan. 2022
Ladeur K-H, Gostomzyk T (2017) Gutachten zur Verfassungsmäßigkeit des Entwurfs eines Gesetzes
zur Verbesserung der Rechtsdurchsetzung in sozialen Netzwerken (Netzwerkdurchsetzungsge-
setz – NetzDG) i.d.F. vom 16. Mai 2017 – BT.Drs. 18/12356 – Erstattet auf Ansuchen des Bitkom.
https://www.cr-online.de/NetzDG-Gutachten-Gostomzyk-Ladeur.pdf. Accessed 11 Jan. 2022
Lee D (2017) Germany’s NetzDG and the threat to online free speech. https://law.yale.edu/mfia/
case-disclosed/germanys-netzdg-and-threat-online-free-speech. Accessed 11 Jan. 2022
306 W. Schulz
Wang J (2018) Regulating hosting ISPs’ responsibilities for copyright infringement. Springer,
Singapore
Wolfgang Schulz Professor of Media Law and Public Law including Theoretical Foundations.
Director of the Leibniz-Institute for Media Research | Hans-Bredow-Institut in Hamburg and
Director of the Alexander von Humboldt Institute for Internet and Society in Berlin. Chair
of the Expert Committee for Communication and Information of the German Commission for
UNESCO. Main areas of research: regulation of media content, questions concerning the legal
basis of new communication media, communication freedoms. Selected publications: Setting
Rules for 2.7 Billion. A (First) Look into Facebook’s Norm-Making System: Results of a Pilot
Study (together with Matthias C. Kettemann), Working Papers of the Hans-Bredow-Institut, 2020;
Künstliche Intelligenz, Intermediäre und Öffentlichkeit, Bericht an das BAKOM (together with
Stephan Dreyer), 2019; Kontrolle vorherrschender Meinungsmacht—Dekonstruktion eines medi-
enrechtlichen Schlüsselbegriffs, AfP 2017, pp. 373–379.
Online Anonymity—The Achilles’-Heel
of the Brazilian Marco Civil da Internet
Sohail Aftab
Abstract This article highlights the problem of interpreting the Brazilian constitu-
tional provision that prohibits online anonymity, and views it as in conflict with many
provisions of the Marco Civil da Internet (Law no.12.965/14) regarding protection
of private life, confidentiality of communication, and freedom of speech. It draws on
the reasoning of judges in cases related to the permissibility of mobile applications
for anonymous messages. The reasoning was either in favor of an absolute privilege
to free speech, including anonymous speech, disregarding its challenges for dignity-
related interests, or focused on the literal interpretation of the provision, favoring
full disclosure of the speaker in all circumstances to ensure liability in case of viola-
tion. This article also discusses the jurisprudence of the European Court of Human
Rights where anonymity is encouraged and, at the same time, dignitarian interests
are diligently protected through a complex balancing exercise. It further explores
the theoretical importance of anonymity being a value connected to the umbrella of
privacy rights. The empirical evidence from Pakistan shows that anonymity has a
great instrumental value that protects people from threats to their lives if their speech
or actions oppose the prevailing societal ethos. The lack of conclusive research-
findings connecting speech abuses with anonymity as well as the modern challenges
to anonymity in the online sphere are explored, with the conclusion that the case
for blanket prohibition of anonymity—as in the Brazilian constitution—is not very
strong.
1 Introduction
This article asserts that the blanket prohibition of anonymity in the Brazilian consti-
tution is an impediment to the objectives of the Marco Civil da Internet, which
grants historic digital rights to Brazilian citizens, including the right to privacy
S. Aftab (B)
Government of Pakistan, Islamabad, Pakistan
University of Hamburg, Hamburg, Germany
and the protection of private life. The controversy over the proper interpretation
of anonymity in the online world surfaces intermittently whenever the Brazilian
courts have to deal with encrypted Internet communication. In 2014, a judgment of a
trial court attracted much attention when the constitutional prohibition of anonymity
was invoked to block smartphone-messaging applications. Although the judgment
was soon overturned on appeal, neither the court of first instance nor the appeal
court judges could lay down elucidating principles for balancing various interests
linked to online anonymity. The judgments of both courts offered a unidirectional
and simplex conceptualization of anonymity, viewing it as an instrument to exploit
the right to free speech and to block the accountability arising from abuse of free
speech in the shape of attacking the privacy and dignity of others. To say that online
offensive speech such as defamation, cyberbullying, and hate speech is due solely to
the anonymous character of online interaction is only one side of the coin; this not
only ignores the privacy-related interests linked to anonymous online activities, but
also the variety of functions anonymity performs in the use of digital technologies.
In contrast to the Brazilian case, the regulation of anonymity in Europe and the
jurisprudence of the European Court of Human Rights present a balancing approach
rather than pushing for a blanket prohibition of encrypted channels for online
browsing. The scholarly literature shows that anonymity is ontologically linked to
the right to privacy and recognizes it as an essential condition for the free develop-
ment of personality. Furthermore, empirical research evidences the complexity of
the nature and functions of anonymous online communication. The precise correla-
tion of the causal effects of anonymity on the type of speech cannot be determined.
This plurality of functions is reflected in the European approach to anonymity regu-
lation where case law and legal instruments expressly recognize the importance of
anonymity for legitimate purposes.
Case studies from certain jurisdictions such as Pakistan strengthen the belief that
without anonymity, the self-expression of unconventional individuals seriously jeop-
ardizes their right to live a free life. In such circumstances, anonymity, pseudonymity,
and the use of encrypted devices and privacy-enhancing tools become crucial for
safeguarding them against profiling and surveillance.1
Based on the considerations of European Court of Human Rights’ jurisprudence,
the conceptual linkage of anonymity with privacy as well as its instrumental value,
the article proposes that Brazilian judges and policy makers must reconsider the
prevailing legal conception of anonymity. In order for the Marco Civil to fulfill
its privacy-related objectives, clear rules should be legislated setting criteria under
which the courts can order the disclosure of the identity of Internet users. Any legal
lacuna and uncertainty will result in the weakening of the expectations of privacy
while surfing the Internet and resultantly, the human rights’ commitment of Marco
Civil da Internet.
1 For a detailed account of the concept of surveillance and its regulation at the European level Albers
(2022), in this volume.
Online Anonymity—The Achilles’-Heel of the Brazilian Marco … 311
Known as the “Citizens’ Constitution”, the Constitution of Brazil grants many rights
to its citizens and dedicates no less than 78 sections of its Article 5 to expressly
elaborate these rights in a codified form. Item No. X of Article 5 states,2 “The privacy,
private life, honor and image of persons are inviolable, and the right to compensation
for property or moral damages resulting from their violation is ensured”. Item No.
XI declares that the home is “inviolable refuge of the individual, and no one may
enter therein without the consent of the dweller, except in the event of flagrante
delicto or disaster, or to give help, or, during the day, by court order”. Similarly,
the secrecy of correspondence, communication, and data is made inviolable.3 The
Brazilian constitution also recognizes the right to one’s data in Item No. LXXII which
provides for habeas data writ, “to ensure the knowledge of information related to the
person of the petitioner, contained in records or data banks of government agencies or
of agencies of a public character; b) for the correction of data, when the petitioner does
not prefer to do so through a confidential process, either judicial or administrative.”
In late 2021, a right to the protection of personal data, including those in digital
media, has been incorporated into the constitution, Article 5 LXXIX of the Brazilian
Federal Constitution.
The Brazilian Civil Code provides for personality rights (Article 11), their enforce-
ment mechanism in the shape of claiming damages in case of infringement (Article
12), and the right to image (Article 20), as well as the right to seek injunction from a
court to prevent violability of the private life of a natural person.4 Moreover, Brazil
is also a signatory of International Covenant on Civil and Political Rights (ICCPR)
and is bound by its international obligation to the privacy right protection.5
The protections available to private life, family, home, and communication should
be equally applied in the context of Internet-related activities. Cognizant of this fact,
Brazil has enacted an omnibus General Data Protection law (in Portuguese Lei Geral
de Proteção de Dados Pessoais-LGPD) which became effective with all its provisions
in August 2021.6 This law is greatly influenced by the European Union General Data
ference with his privacy, family, home or correspondence, nor to unlawful attacks on his honor
and reputation. 2. Everyone has the right to the protection of the law against such interference or
attacks.”
6 The enforcement of this law was initially planned for February 2020. It was postponed till August
2020 in order to grant a grace period to tech companies for adapting their systems with the new data
protection legal regime. Due to further delays and disputes, the LGPD finally entered into force on
September 18, 2020, with the exception of the sanctions in articles 52–54 which came into effect
on August 1, 2021.
312 S. Aftab
2.1 Marco Civil da Internet: The Magna Carta for the Digital
World
Brazil has received many accolades for the Civil Rights’ Framework for the Internet,
which is indigenously known as Marco Civil da Internet. It has been termed a Magna
Carta for cyberspace, a constitution for the Inetrnet, and “a hallmark, not only for
the Brazilian Internet, but also for the world’s democratic process”.10 The regulation
of three distinct but interdependent values, namely data privacy, net neutrality, and
freedom of expression, in a single document has an inherent holistic dimension that
has attracted worldwide attention.11 It has the potential to work as a model legal
framework for Latin American and other international jurisdictions as they can take
on Brazilian civil-law approach of dealing with the Internet in a comprehensive
manner with the perspective of fundamental rights.12 Even countries beyond Latin
America have considered following the Brazilian Internet regulatory approach.13
7 See for a comprehensive analysis of the influence of GDPR because of its effectiveness and
inherent international character Veit (2022), in this volume.
8 For details: Renato Leite Monteiro, “The new Brazilian General Data Protection Law-a detailed
nations that are interested in following Brazil’s footsteps, while other governments are already
launching their own online consultation processes for writing their versions of our Internet Bill
of Rights. In Europe, members of the Italian parliament have contacted the Internet Bill of
Online Anonymity—The Achilles’-Heel of the Brazilian Marco … 313
Marco Civil da Internet provides a broad array of rights to the users of digital
services. These rights include freedom of expression,14 protection of privacy, devel-
opment of personality, and data protection. Article 2 declares freedom of expres-
sion as the foundation of Internet discipline in Brazil, and Article 3 states that
freedom of expression, communication and thought, protection of privacy, personal
data protection, as well as preservation of network neutrality are the principles of
Internet governance in Brazil. The subsequent articles provide for inviolability of
the related interests such as secrecy of the flow of digital communication and the
data of private communication.15 Disclosure of Internet users’ personal data to third
parties is prohibited,16 and the principles of data subjects’ consent as well as purpose-
limitation are established by the legislation.17 Marco Civil reasserts the two pillars of
online communication: “The guarantee to the right to privacy and freedom of speech
in the communications is a condition for the full exercise of the right to access to the
Internet.”18
In spite of its innovative and pro-rights nature, the broad and open-ended language
has left some room for incomplete protection of Internet users’ privacy-related inter-
ests. The provisions for data retention such as keeping connections and log infor-
mation can be used for surveillance purposes.19 More importantly, because of the
lack of effective enforcement mechanism and its status as a non-substantive legal
instrument, the provisions of the framework are open to arbitrary judicial interpre-
tations and the discretion of individual judges. Marco Civil clearly sets out that its
principles do not exclude any other Brazilian law and international treaties that deal
with the same subject matter.20 This means that Marco Civil cannot be considered in
isolation and that any other legal instrument can jeopardize Internet-related liberties
of Brazilian citizens.21
In this context, the constitutional prohibition of anonymity needs to be highlighted.
Although external to the present law, it is connected to many of its provisions that
expressly guarantee the protection of privacy, private life, and sanctity of the confi-
dentiality of Internet communication in general. According to Article 5-IV of the
Rights rapporteur, the Brazilian Internet Steering Committee (CGI.br) as well as the Institute for
Technology & Society of Rio de Janeiro (ITS Rio) in order to explore a similar process.”
14 As to the roles of freedom of expression cf. Affonso Pereira de Souza and Laus Marinho Nunes
(2020), in this volume, and with a view to anonymity esp. Sects. 9.4.2 and 9.4.3.
15 Article 7 II and III.
16 Article 7 VII.
17 Article 7 VIII.
18 Article 8.
19 De Souza (2011), p. 521: “In any case scenario the fact that remain true is that whenever registra-
tion data (essentially name and billing address) and connexion [sic] data (IP address, time of access
and addresses visited) exists stored, there is a possibility to rebuild and trace a user whereabouts on
line with simple computer query. This scenario can easily be interpreted as a form of compulsory
registration to access the Internet, extinguishing in this way the anonymity of users”.
20 § 1 (sole paragraph) of Marco Civil da Internet.
21 Rossini et al. (2015), p. 21.
314 S. Aftab
The dilemma of conceptualizing anonymity became apparent a few months after the
promulgation of Marco Civil da Internet when the Fifth Civil Court in the district of
Vitória issued an injunction, banning mobile-messaging applications called Secret
and Cryptic. Secret was an Android and IOS-based messaging app which claimed to
be encrypted and ensured users that their communications were anonymous. Cryptic
was only available at the Windows online store and was advertised as providing
encrypted communication.
The case was initiated under the Public Class Action Law by the public prose-
cutor with the aim of requiring Apple Computer Brasil Ltda., Google Brasil Internet
Ltda., and Microsoft Informática Ltda. to remove both applications not only from
their online stores but also to remotely wipe them from users’ mobile devices who
had already installed them. The Court, while acknowledging the urgency of the
matter, granted the injunctions referring to the constitutional provision which forbids
anonymity. The reasons given in support of the injunctions are based on the idea
behind the legislators’ intention to impose a blanket ban on anonymous speech.
Judge Paulo Cesar De Carvalho observed that although freedom of thought is guaran-
teed in the constitution, the same constitutional provision guarantees privacy-related
rights along with the right to compensation if violated.24 The judgment highlights the
importance of free speech for democratic dispensation and development of person-
ality. However, such an ideal can only be achieved if the corresponding duty is not
ignored. He asserted:
To make such rights compatible with the freedom of expression, without previous censoring,
the Constitution adopted the model of freedom with responsibility, preventing anonymity.
Therefore, the prohibition of anonymity allows the responsibilization for any eventual offense
to the referred rights to personality, also constitutionally protected.25
22 As earlier stated, it remains to be seen as to what extent the new data protection law (LGPD) and
its subsequent interpretation by the judges are successful to overcome the existing ambiguity.
23 The judgments have been translated into English by Internet Lab and are available at the online
of persons [as] inviolable, and the right to compensation for property or moral damages resulting
from their violation is ensured”.
25 Case Number: 0028553-98.2014.8.08.0024.
Online Anonymity—The Achilles’-Heel of the Brazilian Marco … 315
Referring to Brazilian legal scholar Daniel Sarmento, the judge noted the justification
of the prohibition of anonymity as a requirement of identifying the speaker not only
for a system of “responsibilization” but also because the identity of the speaker is
important for the receiver to make a value-judgment about the expressed content. The
injunction for the removal of the Cryptic and Secret apps was issued on the basis of
apprehensions that being anonymous, the users’ speech could pose an eventual harm.
Awarding compensation to the aggrieved party in case of infringement of her right
to privacy, honor or image will become a challenge in case of anonymous speaker.
The Court declared the use of apps for anonymous communication a violation of the
constitutional provision prohibiting anonymity.
The addressees of the judgment, namely Apple, Microsoft, and Google, responded
to it in different ways. Apple and Microsoft removed Secret and Cryptic from their
stores, while Google did not remove Secret from its store and filed an appeal against
the judgment in the Court of Justice of the State of Espirito Santo. Microsoft later
filed an interlocutory appeal in the same court.
The Court of Justice, after considering various aspects of the trial court’s judgment,
repealed the injunction with a two-thirds majority vote.26 The appeal court judges
discussed the issue in a more detailed fashion and highlighted further aspects of the
issue that had been ignored in the initial adjudication. The judges also raised concerns
regarding the possible violation of the right to privacy in the process of deleting
applications already installed.27 However, the judgment still focused on the greater
possibility of identification through IP addresses during the use of messaging appli-
cations. Referring to Articles 15 and 19, which deal with the application providers’
liability to store application access logs and intermediaries’ liability for the third
party content, the judge relied on the possibility of identifying users through their IP
addresses.28 The issues relating to online anonymity, pseudonymity, cryptography,
and their relationship to the protection of personal data and privacy were not explored
sufficiently. “[A]lthough the anonymity figures as the very reason to be for the appli-
cation, I do not think there are doubts as to the possibility of identifying the user
yet, that the determinations contained in the contested decision seem to be technically unfeasible,
being able to give rise, even before a perfunctory analysis, to the violation of the right to privacy of
the users, as it imposes to the Appellant to establish a remote access to the devices of all citizens
who have installed the application in their respective smartphones, with the purpose to remove the
program from their devices.”
28 Marco Civil da Internet, Article 15: “The Internet application provider that is duly incorporated as
a legal entity and carry out their activities in an organized, professional and with economic purposes
must keep the application access logs, under confidentiality, in a controlled and safe environment,
for 6 months, as detailed in regulation.”; Article 19: “In order to ensure freedom of expression and
prevent censorship, the provider of Internet applications can only be subject to civil liability for
damages resulting from content generated by third parties if, after an specific court order, it does
not take any steps to, within the framework of their service and within the time stated in the order,
make unavailable the content that was identified as being unlawful, unless otherwise provided by
law.”
316 S. Aftab
through its IP address…”, with this observation, the judge voted in favor of repealing
the initial order.
Another appeals court judge, Samuel Meira Brasil Júnior, questioned the effec-
tiveness of identifying users through their IP addresses as provided by Marco Civil.
He declared that tracking users through their IP addresses was not a perfect solu-
tion because IP addresses track the flow of data from one system to another and do
not identify the actual user. In order to provide protection to users in a preemptive
manner, the judiciary can order the removal of the applications from smartphones
for an anticipated wrongdoing even if the law prohibits such removal of data. He
raised the question how it could be possible to allow such encrypted applications
when the Constitution expressly prohibits anonymity and rejected the submission of
identification of users through IP addresses as insufficient measure for reaching the
actual person. Based on such reasoning, the judge eventually denied the interlocutory
appeal against the lower court’s injunction.
Ronaldo Gonçalves De Sousa, third judge of the appeals court, however, presented
a freedom of speech approach, and called for its prioritization in almost all situations.
He rejected the court of first instance’s reasoning concerning “advanced protection”
as contradicting the Federal Constitutional Court’s tendency towards prioritization
of free speech over the threats to honor and privacy as well as the rejection of prior
censorship.29 The judgment also mentioned some of the positive uses of anony-
mous communication and suggested that, as there was no conclusive proof of abso-
lute anonymity, the ban was unnecessary. Before permitting the appeal, the judge
raised some pertinent questions with forceful analogies that indirectly highlight the
multiplicity of functions of anonymous communication.
Would it be the case, under the argument that the Constitution prohibits anonymity, of
impairing all social networks that give margin to manifestations that do not propitiate the
immediate and instantaneous identification of the interlocutor? It is reasonable to prevent
the use in Brazil of social networks like, for example, Facebook, YouTube, Twitter, Tumblr,
Qzone, WhatsApp, WeChat, Line, under the argument that its users could anonymously
make offensive posts to honor and privacy of determined individuals? Obviously not. This
would be like prohibiting the sale of a knife in virtue of the risk of somebody with bad
intentions using it to attempt against someone’s life. It would be like prohibiting the sales
of automobiles in virtue of the risk of somebody negligent offering risks to the other drivers
and to the pedestrians. What I mean to say is that the existence of potential damage of a tool
is not enough for the undiscriminated characterization of the founded concern of irreparable
damage or of difficult compensation in relation to its use.30
29 “Aside from the necessity of definitely breaking with a tradition of recurring attacks to the
expressive freedom, the STF assessed that without a context of satisfactory viability of the exercise
of freedom of speech, it would not even be possible to think on the entirety of all other rights once
it is precisely through the communication that we develop culturally and can recognize, search
and promote rights, as well as preserve and reaffirm democracy.” (STF. ADI 4.815 Rap. Minister
Carmen Lúcia. DJ. 10/06/2015). As referred to in the translated version of the judgement.
30 Continuation of the Judgement dated: 21/7/2015, Appeals Court Judge Ronaldo Gonçalves De
Sousa.
Online Anonymity—The Achilles’-Heel of the Brazilian Marco … 317
Although the judgment repealed the injunctions issued by the trial court, the interests
related to the right to privacy, private life, and personality development remained
unexplored during the entire process. The third judge justified anonymity on the
grounds of freedom of speech, suggesting that the protection of free speech even
includes “antagonistic manifestations” that must be admitted in ‘the free market of
ideas’.
The aftermath of the “Secret” case is less important as the mobile app was shut
down around the world.31 However, the courts missed the opportunity to streamline
the right to anonymous browsing as an aspect of the right to privacy and to lay down
basic principles for balancing exercises. The acceptance of anonymous speech under
the belief of prioritization of free speech over dignity and privacy is another extreme
and has the potential to leave personality rights unredressed in cases of abusive
speech. Similarly, the literal interpretation of the constitutional ban also has the
tendency to jeopardize the Internet-related fundamental rights guaranteed by Marco
Civil da Internet.32 The ban on anonymity provided by the constitution coupled
with the data retention provisions of Marco Civil has the potential to discourage
anonymous use and deprive citizens of their right to protection of private life as well
as free development of personality.
The issue of anonymity through encrypted messaging applications is a matter
of ongoing legal controversy between law enforcement agencies and WhatsApp-a
popular mobile messaging application. Various courts in Brazil imposed tempo-
rary bans on WhatsApp at least three times,33 apparently due to the failure on the
part of WhatsApp to provide the details of data transfer through its network.34 The
spokesperson of the Federal Police in Sergipe state explained that WhatsApp was
required to furnish the content of messages and other data such as geolocation for
investigative purposes.35 However, these actions were highly criticized as being
disproportionate, depriving more than 100 million people from using WhatsApp,
and were resultantly turned down by the Federal Supreme Court.36
for noncompliance with judicial requests for user data. 2. In December 2015, a judge from São
Bernardo do Campo determined the nationwide suspension of WhatsApp for noncompliance with
judicial requests for user data. 3. In April 2015, a judge from Lagarto determined the nationwide
block of WhatsApp for noncompliance with wiretap orders. http://bloqueios.info/en/timeline/. 4.
See also Freedom House report on Brazil “Freedom on the net-2019”, available at: https://freedo
mhouse.org/country/brazil/freedom-net/2019. Accessed 11 Jan. 2022.
34 See http://foreignpolicy.com/2015/12/17/why-did-brazil-block-whatsapp/. Accessed 11 Jan.
2022.
35 See http://www.independent.co.uk/life-style/gadgets-and-tech/news/whatsapp-banned-in-bra
zil-court-rules-app-must-go-down-for-72-hours-as-it-fights-government-over-a7010876.html.
Accessed 11 Jan. 2022.
36 See https://www.theguardian.com/world/2016/jul/19/whatsapp-ban-brazil-facebook. Accessed
11 Jan. 2022.
318 S. Aftab
An analysis of the legal regimes for online anonymity reveals that the European
jurisdiction has largely been successful in providing protection to the dignitarian
interests of its citizens despite the fact that it does not impose a complete ban on
anonymity.37 The language and interpretation of the relevant provisions (Article
8 and Article 10) of the European Convention on Human Rights (ECHR) present a
balanced image of how anonymous communication should be treated in terms of law.
The construction of the provisions regarding the protection of both private life and
freedom of expression provides an inbuilt foundation for the balancing exercise to be
performed by the European Court of Human Rights (ECtHR). According to Article 8,
the public authority must justify the interference with the right to respect for private
and family life, home, and correspondence. The justification must be according to
law, democratic principles, and “in the interest of national security, public safety or
the economic well-being of the country, for the prevention of disorder or crime, for
the protection of health or morals, or for the protection of the rights and freedoms
of others.”38 Similarly, Article 10 also provides the right to freedom of expression,
opinion and dissemination of information subject to legal formalities, conditions,
restrictions, or penalties.39
Other international law instruments such as the Universal Declaration of Human
Rights contain more or less similar provisions, but the European Court of Human
Rights (ECtHR) has developed a rich jurisprudence on conflicting interests as a
result of sophisticated balancing exercises. Such principles provide helpful guidance
for analysis and comparative studies. In particular, the notion of “private life” has
been broadly interpreted with the realization that it is not susceptible to exhaustive
definition, and enshrines the physical and psychological integrity of a person, personal
and social identity, gender identification, name, as well as sexual orientation.40 The
protection granted to private and family life encompasses the name of a person
and all the means of personal and family identification.41 More importantly, Article
37 Cf. for regulation of anonymous speech under German law and constitution Michael (2022), in
this volume.
38 Article 8 of the Convention for the Protection of Human Rights and Fundamental Freedoms 1950
(ECHR).
39 Article 10 of ECHR: “1. Everyone has the right to freedom of expression. This right shall include
freedom to hold opinions and to receive and impart information and ideas without interference by
public authority and regardless of frontiers. This Article shall not prevent States from requiring
the licensing of broadcasting, television or cinema enterprises. 2. The exercise of these freedoms,
since it carries with it duties and responsibilities, may be subject to such formalities, conditions,
restrictions or penalties as are prescribed by law and are necessary in a democratic society, in the
interests of national security, territorial integrity or public safety, for the prevention of disorder or
crime, for the protection of health or morals, for the protection of the reputation or rights of others,
for preventing the disclosure of information received in confidence, or for maintaining the authority
and impartiality of the judiciary.”
40 S and Marper v United Kingdom [2008] ECHR 1581. § 66.
41 S and Marper v United Kingdom [2008] ECHR 1581. § 66.
Online Anonymity—The Achilles’-Heel of the Brazilian Marco … 319
in BVerGE 65, 1, 43, as: “free decisions and action are possible only under certain circumstances.
If a person is unsure whether deviating behavior may be stored as information and used to his/her
disadvantage, he/she will try not to attract attention by such behavior and is no longer free to act
at will”, Professor Albers advocates extending the scope of fundamental rights to information and
data processing.
46 Rouvroy and Poullet (2009), p. 63.
47 Rouvroy and Poullet (2009), pp. 64–67.
320 S. Aftab
Adopted by the Committee of Minsters on 23 February 1999) (Recommendation No. II-2 and III-3).
51 Recommendation CM/Rec(2014)6 of the Committee of Ministers to member States on a Guide
of a lower court judgment. The lower court had made Delfi (an online news portal)
liable for the lack of action to diligently prevent harm to the reputation of others due
to defamatory, offensive, and threatening comments directed to the employees of a
shipping company. While asserting the importance of both the rights of free speech
and privacy provided in Articles 10 and 8 respectively, the court acknowledged that
there is a higher risk of harm to private life in the case of online communication.54
The ECtHR highlighted the importance of reputation as protected under Article 8,
stating that it requires seriousness and balancing with other rights, particularly the
free speech right under Article 10.55 ECtHR endorsed the stance of the Supreme
Court of Estonia regarding liability of action on the part of the Internet news portal,
as the speech was manifestly unlawful.56 The Court also examined whether Delfi
was the publisher of the users’ comments or only a technical facilitator. It endorsed
the findings of the Supreme Court that Delfi’s involvement in publicizing the users’
comments was “beyond that of a passive, purely technical service provider” and
that Delfi was liable for not preventing hate speech on its portal.57 On the issue of
disclosing the identity of anonymous commenters, the Court refrained from issuing
a general or blanket prohibition of anonymity rather acknowledged its importance
in an elaborated observation.
The Court observes that different degrees of anonymity are possible on the Internet. An
Internet user may be anonymous to the wider public while being identifiable by a service
provider through an account or contact data that may be either unverified or subject to some
kind of verification – ranging from limited verification (for example, through activation
of an account via an e-mail address or a social network account) to secure authentication,
be it by the use of national electronic identity cards or online banking authentication data
allowing rather more secure identification of the user. A service provider may also allow
an extensive degree of anonymity for its users, in which case the users are not required to
identify themselves at all and they may only be traceable – to a limited extent – through the
information retained by Internet access providers. The release of such information would
usually require an injunction by the investigative or judicial authorities and would be subject
to restrictive conditions. It may nevertheless be required in some cases in order to identify
and prosecute perpetrators.58
The Delfi case is more important for the determination of intermediaries’ liability in
cases where a third party uses forums for offensive speech; nevertheless, it also sheds
light on the protection of private life and human dignity in the online sphere. The
judgment confirms that there cannot be black-and-white answers to the normative
questions regarding online anonymity, and that they involve complicated balancing
exercises, taking the peculiarities of every case into account.
The ECtHR in K.U. v. Finland held the Government of Finland liable for violating
Article 8 because of its failure to formulate an effective legal regime to protect chil-
dren from Internet-related abuses.59 In this case, an anonymous person had posted
the personal details of a 12-year-old boy in the form of an advertisement on a dating
website, claiming that he was looking for another boy to establish intimate relation-
ships. The applicant’s father had complained to the Finish police and law enforce-
ment authorities for disclosure of the perpetrator to initiate legal action against him.
However, Finish authorities failed to reveal the identity of the accused. A law enforced
at that time prohibited ISPs from such disclosures, because it was providing complete
protection to anonymous speech. The ECtHR rejected the Government’s stance that
legal lacunae prevented it from prosecuting the child abuser and observed that effec-
tive steps had to be taken to identify and prosecute the person who had posted the
online advertisement. Such steps had not been taken by the Government of Finland,
which resulted in violation of the positive obligation under Article 8. The Court
observed:
Although freedom of expression and confidentiality of communications are primary consid-
erations and users of telecommunications and Internet services must have a guarantee that
their own privacy and freedom of expression will be respected, such guarantee cannot be
absolute and must yield on occasion to other legitimate imperatives, such as the prevention
of disorder or crime or the protection of the rights and freedoms of others. Without prejudice
to the question whether the conduct of the person who placed the offending advertisement on
the Internet can attract the protection of Articles 8 and 10, having regard to its reprehensible
nature, it is nonetheless the task of the legislator to provide the framework for reconciling
the various claims which compete for protection in this context.60
The European approach toward online anonymity reflects the recognition of multi-
plicity in the nature and functions of anonymous expression. Unlike the approach
adopted in the Secret case by Brazlian courts, the ECtHR refrained from issuing a
sweeping declaration in favor of the prioritization of free speech or apprehensions
of advance protection with regard to anonymous users. It is not possible to precisely
assign a particular positive or negative value to anonymity. Rather its function in each
particular case needs to be analyzed, which must follow a comprehensive balancing
exercise the ECtHR did in Delfi and K.U. cases. The following sections shall explore
further concepts and practical issues of anonymity.
decades, which does not mean that it was discovered only after the advent of the
Internet. It was very much present in the physical space long before cyberspace was
invented or even conceived.62 For instance, William Shakespeare is considered a
pseudonym and, if that is the case, nobody knows the identity of the actual author of
spectacular works of English literature.63 There are many instances where prominent
historical figures confronted the prevailing powers while remaining undercover to
escape reprisals and persecution. The role played by anonymity or pseudonymity
in challenging oppression, discrimination, and human rights’ violations, financial
corruption of big corporations, wrongdoings of the ruling elite, and misuse or abuse
of religious power by the clergy is generally acknowledged. Moreover, the protec-
tion of whistleblowers, both in public and corporate sectors, as well as the privi-
lege of confidentiality available to the source of journalistic enterprises enjoy legal
and constitutional recognition in many circumstances.64 In the recent past, we have
witnessed how various kinds of leaks played a crucial role in raising human rights’
awareness on the one hand and in agitating for transparency on the other. WikiLeaks
and the Panama Papers65 hit the headlines in this regard and are still making follow-
up appearances in the news worldwide.66 Due to these and many other reasons,
anonymity has its own support base particularly from American-based civil society
organizations advocating free speech and digital rights.67
The following section will explore the relationship of anonymity to the right to
privacy, its instrumental value for the protection of the right to life in Pakistan, its
effect on online behavior, as well as modern challenges faced by anonymity in the
Internet.
A review of the scholarly literature on the theoretical foundation of the right to privacy
shows that anonymity is closely associated with most conceptions of privacy.68 The
modern conception of privacy as a legal right was articulated by the scholarly work
62 See for details: Wallace (1999a, b), pp. 2–3. See also for variety of anonymous writings in
historical context: Barendt (2016) pp. 14–55.
63 Palme and Berglund (2002).
64 See for example Goodwin v. United Kingdom, 22 EHRR 123 Court European Court of Human
Rights (1996). The court held that the liability of journalists to reveal their source would seriously
hamper their functions as a watchdog of wrongdoings in society.
65 For details: https://panamapapers.icij.org/. Accessed 11 Jan. 2022.
66 Bastian Obermayer of Süddeutsche Zeitung has never disclosed the identity of his
source that transferred the data regarding thousands of offshore companies registered
in Panama. https://www.theguardian.com/news/2016/apr/16/panama-papers-inside-the-guardians-
investigation-into-offshore-secrets. Accessed 11 Jan. 2022.
67 For example, Electronic Frontiers Organizations and Article 19.
68 Solove (2008), pp. 12–38. Barendt (2016) pp. 12–13.
324 S. Aftab
of Warren and Brandeis.69 The article published in the Harvard Law Review, titled
“The right to privacy”, consolidated related interests and declared that all of them
belong to a constitutional right to be let alone. The key expressions used by Warren
and Brandeis for the elaboration of their concept of privacy provide for anonymity
as an important and integral aspect of inviolate personality. They advocated for the
sensitivity of “civilized man” to publicity and his desire to seek retreat from the world
through solitude. Basing their argument on the protection available to copyrights
where the expression of thoughts and emotions are embodied in a recorded form, they
proposed similar protection for “a general right to privacy for thoughts, emotions, and
sensations”, whether expressed in writing, or otherwise “in conduct, in conversation,
in attitudes, or in facial expression.”70 The same concept was supported by Edward
Bloustein in his “Answer to Dean Prosser”. According to Bloustein, identifying
somebody in a detailed manner, who was so far a face in the crowd, constitutes a
wrong even if the sketch is of a benign nature.71 The nature of the wrong in such
cases, according to Bloustine, is replacing personal anonymity or private life with
public display.
Privacy is sometimes conceptualized as the right to limit access to and to obtain
control over information related to oneself. These concepts of privacy include one’s
identity as the subject of limited access rights and the information to which one
has the right to control. A condition, ability, claim, or right to prevent others from
accessing the self enables people to define their own place in the social context in
terms of establishing and maintaining social relations.72 Ruth Gavison gives immense
importance to anonymity, which is one of the three elements of her conception of
privacy.73 Each of the three privacy-related elements of secrecy, anonymity, and
solitude denotes the extent to which a person is known, the subject of attention, or
physically accessed.74
The conception of privacy as control over private information is relevant to the
Internet communication and justifies the right to informational privacy. Alan Westin
defines privacy as “the claim of individuals, groups, or institutions to determine for
themselves when, how, and to what extent information about them is communicated
to others”.75 He regards anonymity as an important state of privacy, which is acquired
others and whose every need, thought, desire, fancy or gratification is subject to public scrutiny, has
been deprived of his individuality and human dignity. Such an individual merges with the mass.
His opinions, being public, tend never to be different; his aspirations, being known, tend always to
be conventionally accepted ones; his feelings, being openly exhibited, tend to lose their quality of
unique personal warmth and to become the feelings of every man. Such a being, although sentient,
is fungible; he is not an individual.”
72 Rachels (1975), pp. 323–333.
73 Gavison (1980), p. 428: “My conception of privacy as related to secrecy, anonymity, and
when a person feels free from identification and surveillance despite his presence in
a public place. Therefore, the core of many anonymous actions is human desire for
“public privacy”.76 Among many virtues of such informational self-determination,
the capability of human beings to decide for themselves without external strains is
fundamental.
The basic point is that each individual must, within the larger context of his culture, his status,
and his personal situation, make a continuous adjustment between his need for solitude and
companionship; for intimacy and general social intercourse; for anonymity and responsible
participation in society; for reserve and disclosure. A free society leaves this choice to the
individual, for this is the core of the “right of individual privacy”-the right of the individual
to decide for himself, with only extraordinary exceptions in the interests of society, when
and on what terms his acts should be revealed to the general public.77
The conceptual proximity of anonymity to the right to privacy increases the value of
anonymous online expression. The normative and jurisprudential discourses should
also include such diverse conceptualization. The expansive right to private life, in
particular, has enshrined the interest in anonymity, as can well be seen in the European
approach to regulating anonymity.
The importance of anonymity is generally accepted in such regimes that have political
and socio-cultural impediments in the way of self-expression and the free develop-
ment of personality. A few instances from the Islamic Republic of Pakistan shall
support Froomkin’s view that expressing oneself in a ‘wrong’ way can actually
endanger one’s life.
Pakistan is a South Asian country with a population of more than 200 million.
According to official figures, it has 83 million Internet-broadband, and 81 million
3G/4G subscribers.79 Nonetheless, the conservative outlook in the socio-cultural
dimension, as well as weak democratic values results in a grim human rights record.
Social, religious, and political realities characterize issues such as honor killing, mob
justice as a reaction to blasphemy allegations, as well as institutionalised restrictions
Qandeel Baloch (born in 1990) was a self-made social media celebrity who actively
used social media for her publicity without any external help from a sponsor, a
producer, or an advertising agency. In a short period, she succeeded in attracting
thousands of followers on Twitter, Facebook, and YouTube by posting her videos,
and commenting on socio-political issues and public figures in a frank and enter-
taining manner. In December 2013, she came to the limelight for the first time as
a participant in the Pakistani version of the Idol singing competition broadcast on
a private television channel,80 where the judges of the show pushed her out of the
stage because of her ‘coarse’ voice. The following years were eventful, when she
remained in the news-headlines because of various controversies. Her pictures and
videos with religio-political leaders, her style of dress- declared as “vulgar” and “un-
Islamic” by the media-caused occasional stirs in the media as well. In June 2016, she
orchestrated a relatively big storm in the electronic media when she broke the news
of her meeting with a prominent religious figure named Mufti Qavi, and posted the
video and pictures of the meeting.81 During this period, she was omnipresent in the
electronic and social media news.82
Perhaps she was at the peak of her modeling and acting career when a local news-
paper published a copy of her passport, revealing her real name (Fouzia Azeem) and
many intimate details regarding her past marriage, subsequent divorce, and pictures
of minor son in the custody of her former husband. Like her other sensational pres-
ence in the national media, this news also flashed for hours in the social and electronic
media. It is pertinent to note that the intimate details belonged to the period when
she was an ordinary person and not a celebrity. She used a fake identity because she
was aware of the consequences of remaining in the limelight beyond certain limits,
80 The format of the show is similar to many other Idols e.g. American Idol or Deutschland sucht
den Superstar.
81 He had an official position in the federal government as well. Consequently, Mufti Qawi was
removed from the position. Details of the meeting can be read at: https://images.dawn.com/news/
1175672. Accessed 11 Jan. 2022.
82 https://www.samaa.tv/social-buzz/2016/06/qandeel-baloch-selfies-with-mufti-qavi-go-viral/.
which she had already crossed. Media persons were also aware of the possible conse-
quences as they researched her village and tribe, whose dwellers were unaware of
her media-life.83
The disclosure of her actual identity drew an immense psychological impact on
her life. She was no longer a symbol of bravery and started worrying about her safety.
She not only implored for her safety in television interviews, but also submitted a
formal request to the Interior Minister for ensuring her security.84
Not a month had passed after the revelation of her actual identity when TV chan-
nels broadcast the breaking news of her murder, committed by her brother.85 He
surrendered to the police and confessed, saying that she was a “disgrace” to the
family. The Guardian reported that the brother had strangled her to death “after
being taunted by his friends over her behavior”.86 Many commentators stated that
had her identity remained undisclosed, she would be alive.87 This is a typical example
of how a person can express herself anonymously and how later identification can
entail life-threatening consequences.
The blasphemy law of Pakistan88 has a controversial role in the form of radicalizing
society through promoting and encouraging curbs on the freedom of expression. In
case of certain offences, it prescribes death sentence to the “blasphemer”. In most
83 As young women in Pakistani villages and tribal areas mostly observe veil very strictly and even
close relatives do not have an idea about their facial appearances.
84 https://www.dawn.com/news/1267709. Accessed 11 Jan. 2022.
85 She was killed during the night of 15 July, 2016.
86 https://www.theguardian.com/world/2016/jul/28/pakistani-model-qandeel-baloch-killed-by-bro
or defiling place of worship (Section 295); malicious acts intended to outrage religious feelings
(Section 195A); defiling of Holy Quran (Section 295B); use of derogatory remarks in respect of the
Holy Prophet (Section 295C); disturbing religious assembly (Section 296); trespassing on burial
places (Section 297); uttering words to wound religious feelings (Section 298); use of derogatory
remarks in respect of Muslims’ holy personages (Section 298A); misuse of epithets, descriptions
and titles etc. reserved for certain holy personages or places (Section 298 B); person of Qadiani
group etc., calling himself a Muslim or preaching or propagating his faith (Section 298C). The
punishment provided for these offences range from two years imprisonment to life imprisonment.
In case of Section 295C, the punishment is death sentence.
328 S. Aftab
cases, people do not wait for prosecuting the accused formally under blasphemy law
and resort to mob justice.89
In April 2017, Mashal Khan, a 23-year old Moscow Business School graduate
and a student of journalism was lynched by a frenzied mob inside a public sector
university. The mob consisted of university students of different disciplines. The
charges leveled against Mashal Khan were related to posting “blasphemous content”
on his Facebook page. The video footage showing people throwing stones on him
and chanting religious slogans went viral on social media. The allegations were,
however, turned to be false after his Facebook page was analyzed, and after media
spoke with his friends and relatives. It was revealed that he was an extra-ordinary
person, believing in human equality, and peace, and that he had a stern stance against
corruption in public institutions.90 However, his “liberal” views were unconventional
in a closed society and the people opposing him exploited those views to charge the
mob, alleging him of committing blasphemy on Facebook. Even after his murder,
many people were less sympathetic to him, held him responsible for what happened
and that “his way of thinking”91 was contradictory to so-called Islamic approach.92
The Chief Justice of Pakistan took a suo moto notice of the incident and assigned
the probe to a joint investigation team (JIT) of thirteen officials belonging to various
departments. The report of the JIT confirmed that no blasphemous content was found
on either his Facebook or Twitter account. The lynching was the result of a planned
strategy of the students’ political body and the university administration to retaliate
Mashal Khan’s media talk over financial irregularities in the university.93 More than
fifty persons were tried by the anti-terrorism court, which awarded various punish-
ments, ranging from death sentence to two years imprisonment. Those who were
released due to lack of evidence were given a “hero’s welcome” by the religious
parties of the area, and some of them announced on the stage set for them that they
were proud of killing a “blasphemer”.94
89 US State Department report on religious freedom in the country in 2015. Its Executive
Summery can be found at: https://2009-2017.state.gov/j/drl/rls/irf/religiousfreedom/index.htm#wra
pper. Accessed 11 Jan. 2022.
90 https://herald.dawn.com/news/1153981 (He was posthumously declared Herald’s person of the
announced through the loudspeakers of the mosques that nobody should attend the
funeral. His father has requested the Supreme Court of Pakistan to provide security
to his family as they are still feeling threatened by the religious zealots and oppo-
nents. For details: http://dailytimes.com.pk/islamabad/18-May-17/mashals-father-requests-sup
reme-court-to-transfer-trial-to-islamabad. Accessed 11 Jan. 2022.
93 https://tribune.com.pk/story/1427069/plot-get-rid-mashal-khan-hatched-month-murder-conclu
206091156178.html (Reza Khan, who has recently been abducted by ‘unknown men’ was popular
in the social media for his pro-peace stance on Indo-Pakistan relations. Enforced disappearances
not only result in silencing the victim but it has a chilling effect on the freedom of expression in
the society in general.). Accessed 11 Jan. 2022.
99 http://digitalrightsfoundation.pk/2017/04/. Accessed 11 Jan. 2022.
330 S. Aftab
and other militant groups; blasphemy laws, and the rights of religious minorities.
They are also critical of the growing military influence in political affairs. Although
all of them were freed after weeklong captivity and torture,100 the incident caused
chilling effects on social media users and the freedom of online speech.101
In an attempt to discourage any kind of online political discourse, the Federal
Minister for Interior Affairs met with Facebook Vice President for Global Policy
Joel Kaplan and urged him to close “fake accounts” in Pakistan. Facebook VP has
reportedly assented to the request.102 The compulsory disclosure of users’ actual
identity on Facebook would be another blow to the freedom of online expression in
Pakistan and a threat to the life of social media users.
The above instances strengthen the case against blanket prohibition on anonymity
and pseudonymity. In such a socio-political environment, if Internet users were forced
to use their real names for registration, they would not be able to exercise their right
of free development of personality along with the constellations of many associated
interests. The forces against anonymity usually argue in favor of the “civilizing effect”
of the full disclosure of identity and that anonymity creates a deindividuation effect
that makes people expression their views prone to abuse. The following section will
analyze the effect of anonymity on behavior.
154.
104 Davenport (2002), pp. 33–35.
Online Anonymity—The Achilles’-Heel of the Brazilian Marco … 331
have occurred.105 The evidence suggests that cybercriminals take advantage of the
anonymous feature of the Internet.106 It is believed that the limited traceability and
identification during online communication creates a feeling of immunity from the
law and social rules in the mind of anonymous users, who then resort to inappropriate
or illegal activities.
However, the results of various research studies do not present a clear view on the
exact link between anonymity and online behavior. The mere fact of being anonymous
does not induce anti-social behavior by itself, and the motivation to resort to such
behavior is more important.107 Conflicting conclusions of different research studies
on the issue suggest that, in order to understand the effect of anonymity on Computer
Mediated Communication (CMC), other factors such as motivational background,
objectives, and relevant values should be taken into consideration.108 Many people,
including Zuckerberg, view anonymity as an impediment to conforming to social
norms, yet anonymity can encourage a collective social sense, which could translate
into a very positive participation in the social, communal, and political spheres of
life.109 Thus, the uses of anonymity are very much context-specific. Many possibil-
ities could be found depending on the circumstances of each case. The contribution
of anonymity to crimes such as hate speech may not be that of a cause, it may merely
exacerbate tendencies that already existed at the time of blocking identification.110
Similarly, researchers have also challenged the traditional theories, based on the
concept of deindividuation, where anonymity takes away self-awareness, and which
results in negative outcomes in the shape of anti-normative behavior. Modern theories
such as social identity model of deindividuation effect (SIDE) suggest that specific
social circumstances are more important for determining the connection between
anonymity and anti-normative behavior.111
(SIDE) has challenged the view that anti-social behavior is a necessary result of anonymity or loss
of identity.”
111 Christopherson (2007), pp. 3050–51.
332 S. Aftab
against anonymity, arguing in favor of the “civilizing effect” of using the net with
one’s real identity.112
Internet anonymity is facing an existential challenge from many directions. Apart
from ideological opposition to anonymity, which takes it negatively per se, the prof-
itability in the disclosure of maximum information as well as many other techno-
logical, political, and self-induced reasons are responsible for the demise of online
anonymity.113 The public and political sensitivity toward security demands that every
untoward incidence must be prevented and that the perpetrators must be nabbed in
advance by sensing their pattern of Internet usage. This motive is prevalent all over the
world, particularly after the terror attacks of 9/11.114 The Snowden revelations have
alarmed privacy advocates who see no room for privacy in any part of the world.115
The self-created disclosure to social media sites such as Facebook and Twitter, in
the shape of interconnectivity between different websites and mobile applications,
sharing pictures, documents, and locations, as well as reacting to online posts in
certain ways through the tools these programs provide have made digital profiling
very easy for so-called data brokers. Due to these reasons, scholars present a skeptical
view on the question of whether anonymity can be saved or not. Michal Froomkin
is of the view that “for cellphones the game is fully lost”.116
Big data also poses a major challenge for users seeking to browse the Internet
anonymously and to keep their identities protected from government and commercial
actors. It is a fact that online activities have already generated immense amounts of
data.117
112 Randi Zuckerburg once said that online anonymity “must go away” https://www.huffingtonpost.
com/2011/07/27/randi-zuckerberg-anonymity-online_n_910892.html. Accessed 11 Jan. 2022.
113 Froomkin (2015), pp. 123–129.
114 Froomkin (2015), p. 124.
115 Froomkin (2015), p. 128: “We know from statistics that came out in the Snowden revelations
that as of May 2012, US security services and their allies had collected technical information on
about 70% of the cell phone networks in the world. They had data on 701 out of 985 known cell
phone networks. As for the physical undersea cables that move communications transnationally, it
is believed that every one of those cables has a tap attached to it, which is why some countries now
want to build their own undersea cables, which I interpret, perhaps cynically, to mean they want to
own the taps.” (References omitted).
116 Froomkin (2015), p. 131: “To protect identities in the cell phone world would take a whole new
hardware, a whole new architecture, and given the size and value of the installed base and the power
of incumbent carriers, one has to ask if this is even possible”.
117 Tucker, Has Big Data Made Anonymity Impossible? MIT Technology Review, 116.4 (July–
August 2013): “We’re well down this path already. The types of information we’ve thought of as
personal data in the past—our name, address, or credit card records—are already bought and sold
by data brokers like Acxiom, a company that holds an average of 1500 pieces of information on
more than 500 million consumers around the world. This was data that people put into the public
domain on a survey form or when they signed up for services such as TiVo.”
Online Anonymity—The Achilles’-Heel of the Brazilian Marco … 333
The challenges to anonymity suggest that its protection requires a favorable regu-
latory approach, which is ultimately dependent on a broader theoretical meaning
and conceptualization. To view anonymity in terms of its association with name of
the author becomes a limited conception in the online world. It does not sufficiently
protect the intended interests attached to anonymity because of the possibility of
unprecedented traceability.118 Identification from small random bits of information
or even from writing style and other patterns of behavior make the situation compli-
cated for a person who wants to surf the net namelessly. According to Nissenbaum,
“the value of anonymity lies not in the capacity to be unnamed, but in the possibility of
acting or participating while remaining out of reach, remaining unreachable”.119 She
therefore suggests a broader concept of anonymity, dissociating it from namelessness
and considering the “withholding the information or constellation of information”
that can be used to identify the person.120 Anonymity is also regarded in its broader
way as “a kind of relation between an anonymous person and others, where the
former is known only through a trait or traits which are not coordinatable with other
traits such as to enable identification of the person as a whole”.121 In such conceptu-
alization, anonymity has a social context and does not pre-suppose isolation of the
individual from his or her social environment or situation.
5 Conclusion
This article has attempted to highlight various conceptual and regulatory issues asso-
ciated with anonymous activities such as online communication and Internet surfing.
It has primarily focused on the issue of blanket prohibition of anonymous expression
of thought in the Brazilian constitution and argued that any literal interpretation of
this provision has the potential to impede the Marco Civil da Internet’s commitment
to safeguard private life and ensure online data protection. Similarly, the conceptu-
alization of anonymity by the courts that adjudicated the cases of mobile messaging
applications, namely Secret and Cryptic, could not take into account the complex
118 Nissenbaum (1999), p. 141: “We are targets of surveillance at just about every turn of our lives.
In transactions with retailers, mail-order companies, medical caregivers, day-care providers, and
even beauty parlors, information about us is collected, stored, analyzed, and sometimes shared.
Our presence on the planet, our notable features and momentous milestones, are dutifully recorded
by agencies of federal, state, and local government, including birth, marriage, divorce, property
ownership, drivers’ licenses, vehicle registration, moving violations, passage through computerized
toll roads and bridges, parenthood, and, finally, our demise. In the great store of information, we
are identified through name, street address, e-mail ad- dress, phone number, credit-card numbers,
social security number, passport number, level of education, and more; we are described by age,
hair color, eye color, height, quality of vision, purchases, credit-card activity, travel, employment
and rental history, real-estate transactions, change of address, ages and numbers of children, and
magazine subscriptions.”
119 Nissenbaum (1999), p. 142.
120 Nissenbaum (1999), pp. 142–143.
121 Wallace (1999a, b), p. 24.
334 S. Aftab
nature and functions of anonymity. The views of judges against anonymity focused
on the preemptive protection against abusive speech and cybercrimes, and they voted
in favor of its blanket prohibition. On the other hand, the judges who acknowledged
the positive dimensions of anonymity argued from the absolute freedom of speech
theory and called for the absorption of side effects of free speech in the shape of
privacy and dignitarian harms. As a comparative analysis, the legal approach of the
Council of Europe is presented where anonymous communication is not only lawful
but is encouraged in both offline and online platforms. Similarly, the value of private
life and personality rights has equal importance, and no interest can be inherently
superior to the other one. For these reasons, anonymity is regarded as a principle,
while the disclosure of identity is ordered as an exception when the objective is
to protect the interests related to Article 8 of the European Convention on Human
Rights. The European Court of Human Rights reminds all the national jurisdictions
of their positive obligation to make legal and regulatory arrangements to prevent the
violation of human dignity, private life, and personality development. The approach
and balancing exercise mentioned here could be a helpful guide for Brazil, which
should formulate comprehensive rules for the interpretation of relevant constitu-
tional and legal provisions. The judicial orders for disclosure and interpretation of
anonymity can thus be streamlined, and the unlimited discretion of the court would
not then result in legal uncertainty.
Furthermore, the conceptual connection of anonymity to the right to privacy
should be considered in interpretation of the legal instruments. To bestow an absolute
primacy to free speech pushes the balance to the other extreme, whereby significantly
important interests could go without appropriate remedy. The instrumental value of
anonymity is obvious as it comes to the rescue in jurisdictions such as Pakistan,
where there are many reprisals and violent reactions to self-expression. Anonymity
also deserves a sympathetic regulatory approach and a multifaceted complex concep-
tualization because of the ubiquitous sophisticated methods of online surveillance
and profiling.
The considerations presented here may help the Marco Civil da Internet
achieve its objectives of protecting private life as well as confidentiality of online
communication.
Online Anonymity—The Achilles’-Heel of the Brazilian Marco … 335
References
Affonso Pereira de Souza C, Laus Marinho Nunes B (2020) Brazilian Internet bill of rights: the
five roles of freedom of expression. In: Albers M, Sarlet IW (eds) Personality and data protection
rights on the Internet. Springer, Dordrecht, Heidelberg, New York, London (in this volume)
Albers M (2014) Realizing the complexity of data protection. In: Gutwirth S, Leenes R, Hert PD
(eds) Reloading data protection. Springer, Dordrecht, pp 213–235
Albers M (2022) Surveillance and data protection rights: data retention and access to telecommuni-
cations data. In: Albers M, Sarlet IW (eds) Personality and data protection rights on the Internet.
Springer, Dordrecht, Heidelberg, New York, London (in this volume)
Armstrong HL, Forde PJ (2003) Internet anonymity practices in computer crime. Inf Manag Comput
Secur 11(5):209–215
Barendt E (2016) Anonymous speech: literature, law and politics. Bloomsbury Publishing, London
Bloustein EP (1964) Privacy as an aspect of human dignity: an answer to Dean Prosser. NYUL Rev
39:962
Christopherson KM (2007) The positive and negative implications of anonymity in Internet social
interactions: “On the Internet, nobody knows you’re a dog.” Comput Hum Behav 23(6):3038–
3056
Chui R (2014) A multi-faceted approach to anonymity online: examining the relations between
anonymity and antisocial behavior. J Virtual Worlds Res 7(2)
Costa L (2012) A brief analysis of data protection law in Brazil. 28th Plenary meeting of the Consul-
tative Committee of the Convention for the Protection of Individuals with regard to Automatic
Processing of Personal Data [ETS No. 108] (T-PD). Council of Europe, June 2012. Available via
SSRN. https://ssrn.com/abstract=2087726. Accessed 11 Jan. 2022
Davenport D (2002) Anonymity on the Internet: why the price may be too high. Commun ACM
45(4)
De Souza CAP, Viola M, Lemos R (2015) Understanding Brazil’s Internet bill of rights ITS, Rio
de Janeiro
De Souza RM (2011–2012) The struggle over privacy, security, cyber-crimes and the civil rights
in the Brazilian law–a historical overview. In: Maria B, Eugenia A, Iglezakis I (eds) Values and
freedoms in modern information law and ethics, p 508. https://bottis.ihrc.gr/download.php?file=
downloads/articles_2012_07.pdf. Accessed 11 Jan. 2022
Doneda D, Mendes LS (2014) Data protection in Brazil: new developments and current challenges.
In: Gutwirth S, Leenes R, Hert PD (eds) Reloading data protection. Springer, Dordrecht, pp 3–20
Etzioni A (2008) The limits of privacy. Basic Books, New York
Froomkin AM (2015) From anonymity to identification. J Reg Self-Reg 1:121
Gavison R (1980) Privacy and the limits of law. Yale Law J 89(3):1421–1471
Martin JA, Fargo AL (2014) Anonymity as a legal right: where and why it matters. NCJL Tech
16:311
Michael L (2022) The impact of jurisdiction and legislation on standards of anonymity on the
Internet. In: Albers M, Sarlet IW (eds) Personality and data protection rights on the Internet.
Springer, Dordrecht, Heidelberg, New York, London (in this volume)
Nissenbaum H (1999) The meaning of anonymity in an information age. Inf Soc 15(2):141–144
Palme J, Berglund M (2002) Anonymity on the Internet. http://dsv.su.se/jpalme/society/anonymity.
pdf. Accessed 11 Jan. 2022
Prodriguez K, Pinho L (2015) Marco Civil da Internet: The Devil in the Detail. Electronic Fron-
tiers Foundation. https://www.eff.org/deeplinks/2015/02/marco-civil-devil-detail. Accessed 11
Jan. 2022
Rachels J (1975) Why privacy is important. Philos Public Aff 4(4):323–333
Rossini C, Cruz FB, Donedo D (2015) The strengths and weaknesses of the Brazilian Internet Bill
of Rights: examining a human rights framework for the Internet. The Centre for International
Governance, Innovation and the Royal Institute of International Affairs’. Paper Series No. 19
336 S. Aftab
Rouvroy A, Poullet Y (2009) The right to informational self-determination and the value of self-
development: reassessing the importance of privacy for democracy. In: Gutwirth S, Leenes R,
Hert PD (eds) Reloading data protection. Springer, Dordrecht, pp 45–76
Rowland D (2006) Griping, bitching and speaking your mind: defamation and free expression on
the Internet. Penn St L Rev 110:519
Saldías O (2014) Coded for export! The contextual dimension of the Brazilian Marco Civil Da
Internet. HIIG Discussion Paper Series No. 2014-06
Solove DJ (2008) Understanding privacy. Harvard University Press, Cambridge
Souza CA, Viola M et al (eds) (2017) Brazil’s Internet bill of rights: a closer look. Institute for
Technology and Society of Rio de Janeiro (ITS Rio)
Veit RD (2022) Safeguarding regional data protection rights on the global Internet—the European
approach under the GDPR. In: Albers M, Sarlet IW (eds) Personality and data protection rights
on the Internet. Springer, Dordrecht, Heidelberg, New York, London (in this volume)
Wallace JD (1999a) Nameless in cyberspace: anonymity on the Internet. Cato Institute
Wallace KA (1999b) Anonymity. Ethics Inf Technol 1(1):21–31
Warren SD, Brandeis LD (1890) The right to privacy. Harv Law Rev 15:193–220
Westin AF (1967) Privacy and freedom. Ig Publishing, New York
Sohail Aftab Central Superior Services (CSP Officer) of the Government of Pakistan and Director
in the Ministry of Information and Broadcasting, DAAD scholar and Doctoral candidate at
Hamburg University, Hamburg Germany. Main areas of research: Fundamental Rights, especially
Free Speech and Privacy, Constitutional Law and Jurisprudence, Law of Torts, Press, Broadcasting
Media, and Social Media Laws.
The Impact of Jurisdiction
and Legislation on Standards
of Anonymity on the Internet
Lothar Michael
1 Introduction
The Internet is a medium of communication that also makes it possible to express and
disseminate opinions anonymously. Anonymity is part of the essence of communica-
tion on the Internet. While the provision for and guarantee of anonymity is one of the
principles of a legal framework for the Internet, this does not necessarily mean that
anonymous and non-anonymous expressions of opinion are protected in the same
way.
The following example shows the potential for conflicts: Are doctors, teachers and
hotel operators able to defend themselves against anonymous criticism from online
evaluation portals? In this example we have to keep in mind three actors and their
interests: The critic, the provider of the online evaluation platform (review site) and
the assessed person (e.g. doctor, teacher, hotel operator). This will be discussed later.
The legal evaluation of anonymous expressions of opinion is a particularly inter-
esting question in a book of essays examining German and Brazilian perspectives. We
find two different approaches in Brazilian and German constitutional law to answer
the question, to what extent are each actor’s interests constitutionally protected.
Article 5, paragraph IV of the Brazilian Constitution forbids anonymous speech in
L. Michael (B)
Universität Düsseldorf, Düsseldorf, Germany
e-mail: Lothar.Michael@uni-duesseldorf.de
principle.1 That should give us food for thought. The text of Article 5 of the German
Basic Law, which concerns freedom of expression, does not distinguish between
anonymous and non-anonymous speech.2 One approach derives the principle of
anonymity on the Internet from the right to informational self-determination. The
right to informational self-determination was developed by the Federal Constitutional
Court3 and recognised as a fundamental right. It protects the right of individuals to
autonomously dispose of their personal data and is therefore central to data protection
in Germany. But we should keep in mind that the opportunity to express a view on
the Internet anonymously goes beyond the right to informational self-determination
and depends on the scope of freedom of expression.
The answers to the questions (1) whether anonymous and non-anonymous expres-
sions of opinion are protected in the same way and (2) how someone can defend them-
selves against anonymous expressions of opinion on the Internet, are very contro-
versial in Germany. This is in part because the laws regarding data protection on the
Internet are in need of interpretation due to ambiguity and incompleteness. One recent
example governing a similar issue is § 24 Federal Data Protection Act (Bundesdaten-
schutzgesetz n.F. (BDSG 2018)),4 which addresses the processing of personal data
by private parties for purposes other than which it was collected. This legislation
remains open to interpretation insofar as it refers to a balance of interests: Although
§ 24, para 1, no. 2 recognizes the need for private data processing when it “is neces-
sary for the establishment, exercise or defence of legal claims”, it makes the legal
permissibility of doing so subject to an assessment of the interests of the data subject.
Such processing will not be permissible if “the data subject has an overriding interest
in not having the data processed”.
The courts are therefore very influential in the formation of standards. In spite of
several good reasons for the courts to have this weighty authority, it also raises more
problematic issues since the Basic Laws themselves require further interpretation.
Not only are the legal problems and their non-constitutional law solutions changing;
fundamental rights are also interpreted dynamically in Germany. Of course, this is
disseminate his opinions in speech, writing and pictures, and to inform himself without hindrance
from generally accessible sources. … There shall be no censorship." Basic Law for the Federal
Republic of Germany, available at https://www.gesetze-im-internet.de/englisch_gg/. Accessed 11
Jan. 2022.
3 Federal Constitutional Court (BVerfG), Judgement of 15 December 1983 – 1 BvR 209/83,
BVerfGE 65, 1.
4 Gesetz zur Anpassung des Datenschutzrechts an die Verordnung (EU) 2016/679 und zur
in tension with constitutional law’s claim to permanence. The limits of the so-called
‘constitutional change’ (Verfassungswandel) are correspondingly controversial.5
The German Federal Court of Justice (Bundesgerichtshof, ‘BGH’) starts from the
premise that anonymous expressions of opinion enjoy the full protection of freedom
of expression.6 This approach has been widely discussed in the academic literature.7
The Court provides no justification for this premise and possible arguments in favour
of the premise8 are put to the test below. Article 5, paragraph IV of the Brazilian
Constitution gives reason to question the approach of the BGH and it is unclear which
way the German Federal Constitutional Court (Bundesverfassungsgericht) will rule
on this question.
The topic concerns key questions regarding the interpretation of fundamental
rights. In a digital world fundamental rights are to be interpreted dynamically.
The Federal Constitutional Court has actually advanced a dynamic interpretation
of fundamental rights with regard to the right to informational self-determination.9
But the informational self-determination of those who use the Internet is not the
only fundamental right that deserves attention in a digital world. It is time to put
the interpretation of other fundamental rights—here freedom of expression—in the
context of the Internet to the test. At the same time, further classical questions are
being raised: What effects do fundamental rights have between private individuals?
How dynamically should fundamental rights be interpreted? How strongly does the
interpretation of fundamental rights dominate the interpretation of the laws? How
strongly do constitutional courts influence the jurisprudence of civil courts?
Another fundamental question asks: What role does the legislature play and what
role should it play? In Germany, the legislature has not yet acted to protect personal
rights against anonymous evaluations in specific evaluation portals. It has, however,
passed particularly far-reaching laws regulating general social networks. The very
controversial Network Enforcement Act (NetzDG)10 came into force on October 1,
2017. This law aims to prevent the spread of hate speech in commercially operated
social networks. However, according to § 1, paragraph 1, sentence 3 NetzDG, the
law applies only to general platforms for the exchange of any content and not to the
case of a topic-specific evaluation portal as examined here. Moreover, according to
§ 1, paragraph 3 NetzDG, the law is only directed against criminal content, i.e. hate
(2010), p. 212; Kamp (2001), p. 210–218; Grewe and Schärdel (2008), p. 644; Schulze-Fielitz
(2013), zu Article 5 I, II, mn. 75.
8 Kersten (2017b), pp. 196–197.
9 Federal Constitutional Court (BVerfG), Judgement of 15 December 1983 – 1 BvR 209/83,
BVerfGE 65, 1; Judgement of 27 February 2008 – 1 BvR 370/07, BVerfGE 120, 274.
10 Netzwerkdurchsetzungsgesetz v. 1. September 2017, BGBl. I p. 3352.
340 L. Michael
speech. However, the portal operators must pursue all complaints according to this
law and not only those from persons who assert a violation of their own rights.
There are constitutional objections to this law. Its protection objective goes far
beyond the protection of individual rights. A regulation that comprehensively requires
the operators of social networks to delete illegal content runs the risk of also deleting
content that deserves the protection of freedom of expression (overblocking) in the
process of fulfilling its obligations. It is troubling that the law unilaterally punishes
underblocking, but not overblocking.11 It is to be feared that the algorithms used to
check (supposedly) illegal contributions cannot differentiate between satire worthy of
protection and unlawful insults. Nor does the law distinguish between anonymous and
named contributions. There are strong arguments that the NetzDG imposes excessive
restrictions on freedom of expression and is therefore unconstitutional. This does not
mean, however, that the legislature is not allowed to regulate this area at all.12
Opinions on the legal framework for anonymity on the Internet vary considerably.
This is also due to the fact that there are very different preconceptions about this topic.
Anonymity can be seen as a blessing or a curse. The individual need for anonymity
can vary greatly from person to person. Some people seek anonymity—be it in the
masses or in quiet solitude, some people suffer from anonymity and want to be
noticed as an individual by as many others as possible—be it in public or in private
life. Some people are very shy on stage while others absolutely enjoy appearing
in the spotlight. The need for anonymity can also vary greatly depending on the
situation. Typically, people who receive lots of individual attention in a professional
context, and are known to a more or less limited audience, long for privacy and
anonymity in their private lives. In contrast, the exact opposite phenomenon can be
observed among people whose professional activities are highly anonymous—these
people often strive for greater personal attention in their role as private individuals.
From a legal perspective, such needs for more or less anonymity cannot be assessed.
The interpretation of fundamental rights should be based on the self-image of the
individual and be open to situational differentiation.13 Fundamental rights protect
both extroverts who enjoy individual attention and people who prefer their privacy
and anonymity. At the same time, anonymity is a quantitative phenomenon.14 The
circle of those who recognize an individual can be relatively large or small.
Even if the phenomenon of anonymity has a very special role on the Internet,
anonymity is by no means a new phenomenon of the digital age. A relatively high
degree of anonymity has shaped the urban life of industrial societies for genera-
tions. Since law develops over time and reacts to developments, it is worth asking
about trends in development. There is even a view15 according to which the defining
characteristic of the Internet is that it increasingly endangers anonymity. The human
need for data protection and the development of the right to informational self-
determination,16 especially in Germany in the twentieth century, fit in with such a
basic assumption. In this context, the right to be forgotten postulated by the Court
of Justice of the European Union17 should also be mentioned. Today, the interest
in the confidentiality of personal data not only requires sufficient legal protection
against a surveillance state, but also increasingly raises the question of protection
against private actors. It is also true that the Internet—and in particular the mobile
Internet and the Internet of Things—creates possibilities for deanonymization and
identification.
It would, however, be an oversimplification to conclude that only the protection
of the anonymity of Internet users—if at all18 —is a legal need. Evaluation portals,
for example, also concern the personal rights and anonymity interests of those being
evaluated. Accordingly, we encounter the interest in anonymity on rating portals
in two ways: the anonymity of the evaluators and the anonymity of the evaluated
persons. These interests are opposed to each other and may conflict.
In this context, it is also important to consider the new dimensions that the Internet
has created in favour of anonymity. However, it should be noted that the Internet both
enables and endangers anonymity. Above all, the anonymity of the evaluated person
is endangered by the Internet in a new way. Even the very nature of a dimension
of anonymity of opinions is new. In the offline world, anonymity was primarily a
phenomenon of non-political privacy and of fear of communication in and with the
public. Those who wanted to make public and political statements in an industrial
society almost always did so personally and identifiably. The Internet, and particu-
larly the format of a rating portal, opens up the possibility for people to express their
opinion to the public without disclosing their identity. Although it is true that publi-
cations under a pseudonym existed in the past, these remained the exception and were
not a mass phenomenon of daily discourse. The Internet has increased the range of
communication, i.e. everyone can access it at any time from any location, and created
a platform for users to reveal their private lives or, even more problematically, the
personal data of third parties.
Google Spain SL and Google Inc. v Agencia Española de Protección de Datos (AEPD) and Mario
Costeja González, Case C-131/12.
18 But cf. Thiel (2016), pp. 19–22.
342 L. Michael
Considering online rating portals, the data protection interests of the different actors
are diametrically opposed. On the one hand, evaluators are interested in using the
portal without being tracked. On the other hand, people who are being evaluated
have an even keener interest in preventing third parties from putting information
about them on the Internet. In Germany, it is a fundamental right that everyone
shall be protected from the involuntary and other-directed creation of a personality
profile19 which is available on the web. Since even the voluntary, active Internet user
is protected from a personal profile being created, the law must also prevent third
parties from the unauthorized creation of such a profile for or about someone else.
Active Internet users leave a trail of their actions so that the consequences of their
activity can at least be traced back to them. In contrast, the dissemination of personal
information by third parties may also affect those who have not contributed to the
dissemination of their data on the Internet and could even affect somebody who
does not use the Internet. If the law protects people from themselves, then it must
also protect them from third parties. It is not plausible that the right to anonymity
of those who use the Internet voluntarily and actively outweighs the requirement
to protect those who did not even contribute to the dissemination of their data. This
interim outcome could change if other interests have priority. In particular, the right to
disseminate information could be given appropriate weight. Therefore, the question
of the protection given to anonymous expressions of opinion is central. But before
reaching this question, another point has to be clarified.
The interest of informational self-determination also weighs heavily when a
person’s profession is the subject of personal evaluations. In view of this constella-
tion, the Federal Court of Justice plainly refers to the “social sphere”, which includes
the working environment of doctors and teachers.20 Such a lack of protection would
be acceptable if such review portals were used only within the professional sphere. A
teacher, for example, has to accept that his students are talking about him. Teachers
must also accept that their students talk about them in their private environment. The
key point is that this private environment had a limited scope in the offline world.
For example, even if students talked about a teacher, the scope of those reached by
the student was limited to the immediate surroundings. Unlike a celebrity, a teacher
is a “familiar face” only in the community where the school is located. The work
of teachers and doctors, however, only concerns and addresses a rather small part of
the public. In the offline world teachers and doctors have the opportunity to separate
their private sphere from their professional sphere. The possibilities and dimensions
of communication through social media goes beyond the scope of this contribution.
19 Michael and Morlok (2019), mn. 432; Michael and Morlok (2016), p. 352.
20 Federal Court of Justice (BGH), Judgement of 23 June 2009 - VI ZR 196/08, BGHZ (Decisions of
the Federal Court of Justice) 181, 328 ff.—spickmich.de; Federal Court of Justice (BGH), Judgement
of 1 July 2014 - VI ZR 345/13, BGHZ 201, 380, mn. 9 ff.,—Ärztebewertung I; Federal Court of
Justice (BGH), Judgement of 1 March 2016, VI ZR 34/15, BGHZ 209, 139—jameda.de.
The Impact of Jurisdiction and Legislation on Standards … 343
There are good reasons why some teachers and doctors deliberately accept a longer
commute in order to clearly separate their working environment from their private
family life. This attitude corresponds to the basic human need for informational self-
determination, namely the autonomy to shape the image that others have of you and,
in doing so, to take up different roles. The right of personality is strongly impaired,
for example, if a doctor has to accept that anyone can, at any time, read about how
sensitive or unapproachable a patient experienced him to be. A bad rating affects
more than job competition. While a good or bad reputation was formerly limited to
a certain segment of the public, now it is transparent and generally accessible on
the web. The assessed person’s standing is not only available to “clients” but, for
example, also bank advisors and future employers. A public evaluation might even
influence private life, for instance when a potential partner finds the evaluation. Even
on holiday, a rated doctor cannot escape his reputation on the Internet.
Similar problems also show up in teacher evaluations. Let us imagine the example
of a teacher who has lost authority at his school. He gets doubly on the defensive when
his own children and friends can read details of this loss of authority on the Internet.
There are good reasons why people in a private context are very empathetic, and in
a professional context all the more unapproachable. There are also good reasons for
a person to leave the respective sphere in the dark about what qualities they have
in another role: Business leaders can be considered henpecked husbands and family
patriarchs can play subordinate roles at work. Most people attach great importance
to the separation of these spheres. Rating portals blur the spheres: firstly, they may be
accessible to everyone, and second, they contain information people’s personalities
that are of interest in both spheres. Evaluation portals typically contain statements
of personal impression such as empathy or trustworthiness that the assessing person
has of the assessed professional. The reason for this is that a layperson is best able
to assess personal characteristics. A patient, for example, cannot usually provide an
expert determination as to whether or not a specific medical treatment met the highest
professional standards. The patient can say, however, whether the doctor had a good
bedside manner. These problems only occur, however, if the evaluation portal is freely
accessible and it is a named individual who is evaluated. A completely different, less
problematic situation is the evaluation of institutions and companies—for example,
a rating portal for hotels.
Turning now to the normative analysis of protection of anonymity. The prin-
ciple of anonymity on the Internet is derived from the right to informational self-
determination. Regarding the right to anonymity on the Internet, several types of use
can be differentiated: Firstly, the sole viewing of information, secondly, the conclu-
sion of contracts, thirdly, communication, fourthly, the mobile Internet and fifthly,
the Internet of Things. Therefore, one has to examine the situation more closely to
determine which fundamental right(s) may protect a person who is anonymously
assessing others on the web. The following deals with the dimension of anonymous
communication, more precisely with expressions of opinion about persons, which in
turn impairs the anonymity of third parties.
The appeal to one’s own anonymity must not be a license to legally exclude the
protection against infringement of personal rights of third parties. There are also
344 L. Michael
factual reasons: The anonymity of the evaluators makes it difficult for the assessed
party to assert defence rights. This, in turn, exacerbates the problem: anyone who
does not have to expect to be held personally accountable for his comments has one
less reason to resist unacceptable comments.
In other words, the right to anonymity is to be understood as a negative defensive
right and not as a positive right to agitation. Opinions do not fall within the scope
of the right to anonymity. In any case, the right to anonymity on the Internet is not
affected if anonymous expressions of opinion are prohibited or deleted, but rather
may be affected when the author of an opinion is disclosed. In principle, the right to
anonymity on the Internet opens up the possibility of using the Internet anonymously.
However, there is no right to violate the rights of third parties on the Internet under
the cloak of anonymity. The right to anonymity does not say anything about the
extent to which Internet users can exercise other fundamental rights (e.g. freedom of
opinion and freedom of occupation) anonymously.
The right to anonymity on the Internet is in this respect comparable to the right
of association.21 Both rights give the individual opportunities to remain in the back-
ground as an individual and the possibility that his or her own interests may be
exercised by a different personality or anonymously. Freedom of association only
protects the institutional right to form an association. But what the association actu-
ally does is not protected by freedom of association, but only in the context of the
protection of fundamental rights, which are also due to the individual.
It follows that the question of the fundamental rights protection of anonymous
expressions of opinion is not only a matter of the interest in data protection, but
instead depends on whether and to what extent freedom of expression also includes
anonymous remarks.
The question of the appropriate level of protection for anonymous opinions has not
yet been satisfactorily resolved. It is certainly not out of the question that the level of
protection for freedom of expression is different for anonymous and non-anonymous
statements. The level of protection depends on two factors: First, the importance a
society attaches to the ability to exchange opinions in one form or another. Second,
the individual need for protection of a fundamental rights holder, which, for example,
is particularly high for minorities and vulnerable people.
The opportunity to express a view anonymously reduces inhibition thresholds,
which has positive and negative effects: On the one hand, any discourse is enriched
by the anonymous expression of unvarnished criticism and unpopular views that
would otherwise not have been expressed publicly due to, and in fear of, the expected
social pressure. Anonymity promotes passionate discussion by reducing inhibition
21 Michael and Morlok (2019), mn. 300; Michael and Morlok (2016), p. 274.
The Impact of Jurisdiction and Legislation on Standards … 345
thresholds which in turn encourages people to take part in the public discourse,
especially in a critical way. Thus, anonymity can avoid “chilling effects” and can
break the “spiral of silence”.22 In addition to protecting the individual interests of
those who would otherwise remain silent, supporting critical discourse is also of
social importance. There is a social interest in protecting even anonymous discourses
if the information that is disseminated is in turn of public interest. On the other hand,
there is an increased likelihood that untruths are spread and personal rights are
violated. In particular, the reduction of inhibition thresholds has the negative effect
of reinforcing negative behaviour.
The right to freedom of expression is content neutral.23 Under constitutional law,
the quality of the anonymous contribution is irrelevant. The fear that the level of
communication might also decrease through anonymity therefore does not go against
the protection of opinions that are expressed in this way.
In this context, the question of whether statements posted under a false identity
and, in particular, whether bots enjoy the protection of fundamental rights does not
need to be clarified. The fact that such contributions are intended to manipulate and
distort competition among opinions also argues against extending the protection of
fundamental rights to such statements. In Germany, the dissemination of objectively
false statements of fact is not protected by freedom of expression.24 The scope of
protection of freedom of expression is extended to claims of fact unless and until a
claim has been proven to be false. This also applies to contributions in assessment
portals: It often happens that evaluated doctors ask the portal operator to delete a
contribution because they doubt its authenticity, i.e. whether it is based on a real
patient’s experience in their office. According to a judgement of the Federal Court
of Justice,25 the portal operators are obliged in such cases to request the evaluator to
prove the truth of his assertions. Since rating portals usually only contain contribu-
tions that refer to concrete experiences, deception about the identity of the contributor
in these cases also implies deception about objective facts and for this reason alone
such contributions are not protected by freedom of expression.
Quite the contrary, the chance for a quantitatively wide distribution of online
discourse alone indicates that anonymous statements and their distribution ought to
be protected by freedom of expression. Thereby, the distribution of opinions has its
own weight. When considering online evaluation portals, the operator is another—
possibly not anonymous—holder of fundamental rights, who has to be taken into
consideration. The operator him- or herself may invoke his or her own rights. In
detail, this includes not only professional and entrepreneurial freedom but also the
freedom to spread the opinions of others without processing them before doing so.
The assessed person might furthermore invoke his or her rights against the operator.
jameda.de.
346 L. Michael
The operator might finally serve as a mediator between the assessed person and the
critic, perhaps even knowing and disclosing the critic’s name.
The Internet additionally creates a forum for direct discussion between citizens
without the interference of the press. In this regard, there are certain parallels to the
freedom to demonstrate. A discourse on the web can be considered as a digital town
square. There are parallels between political demonstrations and the discourse on
the Internet. Both open up opportunities for citizens to express themselves directly
beyond debates in parliament and discourses in the media, and, above all, to clearly
communicate messages of protest. Both are phenomena of a “swarm democracy”.26
Digital communication and in-person assemblies can even complement each other.
Today, calls for real world meetings can be made through social networks on the
Internet. From a legal point of view, the comparison of both phenomena is also
worthwhile. The legal standards are as controversial for flash mobs27 as for rating
portals.
It makes sense to compare the legal standards for public demonstrations and for
rating portals on the Internet.28 It is striking: German law forbids masks or any
other device aimed at obscuring a person’s identity during an assembly.29 Of course,
there are also critics30 who consider the authorities’ legally granted discretion to ban
masks and disguises during demonstrations to be a violation of the fundamental right
of freedom of assembly. It is true that the scope of protection of the fundamental
right to freedom of assembly also includes anonymous or disguised demonstrations.
It is also true that banning disguises requires constitutional justification and that a
blanket statutory requirement to show one’s face at public meetings would violate the
principle of proportionality. Lawmakers want to prevent violence and facilitate the
prosecution of criminal offenses. They accept the consequence that this regulation
may have a deterrent effect on peaceful protesters who fear social repression for their
views on certain matters. As on the Internet, it is also about the possibly disinhibitory
effects of anonymity.
What can we learn from this for the present context? On the one hand, there are
good reasons to protect anonymity. But on the other hand, there are equally important
reasons for limiting anonymity. The different reasons for and against anonymity
have to be weighed when searching for differentiated solutions. The content of such
differentiated solutions is a question of constitutional interpretation and a question
of law design, which means also designing the structure of fundamental rights by
law (‘Grundechtsausgestaltung’).31
pp. 198–200.
29 Jahn (1988), pp. 545–551.
30 Hoffmann-Riem (2011), p. 1152; Kersten (2017b), p. 199.
31 Häberle (2018), p. 126.
The Impact of Jurisdiction and Legislation on Standards … 347
For jurisprudence, three questions follow from this: First, what are the interests
involved and their respective values? These should be identified in order, if appro-
priate, to postulate their constitutional roots. Second, what are the legal instruments?
To what extent do the laws de lege lata comply with the interests and what instru-
ments de lege ferenda would be desirable? Finally, an institutional question needs to
be addressed: to what extent are courts allowed to fill gaps in legislation and correct
legislative deficits?
We should keep in mind two guidelines for the interpretation of fundamental rights:
The need for protection of vulnerable individuals and the personal responsibility
of the fundamental rights holders. The first of these guidelines argues in favour
of protecting opinions when they are anonymous. However, this does not neces-
sarily mean that anonymous statements should have the same level of protection
as non-anonymous statements.32 The ideal of an ‘open society’33 is shaped by the
commitment and courage of its citizens. In an ideal world, no one would be afraid
to disclose his non-compliance with the main stream. Constitutional law should
protect the right to openly and publicly express one’s personal views. Freedom of
opinion also protects, in principle, the right to speak about other people in a ruth-
lessly critical way. The right to informational self-determination does not extend to
prohibiting someone from criticizing you. But the liveliness of public discourse is
not just a matter of legal (non-)regulation. Whether one has the courage to reveal
his name and to show his face in the public controversy also depends on social and
economic circumstances. Beneficial circumstances include: representing a popular
opinion, enjoying a high social standing and economic independence.
Freedom of expression should also protect those who are actually disadvantaged
in this regard. Fundamental rights ask about the protection needs of individualists.
Fundamental rights protection is especially important for those who represent unpop-
ular views, who are themselves outsiders and who are economically dependent on
third parties.
Freedom of expression’s scope of protection must not be determined solely by the
ideal of the “citoyen”, who shows his political colours and stands up for his views.
Protection is not limited to the courageous, the personally independent or those who
can hope for encouragement and appreciation. In fact, freedom of expression espe-
cially protects the frail and timid who are hard hit by repressive measures as a result
of swimming against the stream. It would be an idealization of democracy to assume
that in a democratic society, a person who expresses his opinion will automatically
be appreciated for his openness. A frank person will in fact risk reprisals despite
their openness if their opinion is not shared by society at large. Since anonymity
also protects the weaker members of society, it helps to bridge the gap34 between
‘Bourgeois’ and ‘Citoyen’.
On this point, therefore, the conclusion has to be that the scope of protection of
freedom of expression also includes anonymous statements. However, the argument
that constitutional law should help to avoid chilling effects is neither exhausted by a
broad understanding of the scope of protection of freedom of expression, nor does it
argue in favour of protecting anonymous opinions with the same level of protection
as non-anonymous statements. On the contrary, the argument for avoiding chilling
effects speaks in favour of particularly protecting those courageous people who stand
up for provocative opinions with their names. In the context of protection of opinions,
statements that are not made anonymously therefore deserve a particularly high level
of protection. This has an effect on the weighing with counter-rights: It is more
reasonable to bear personal (non-anonymous) criticism than anonymous criticism.
A second guideline should be the starting point for restricting anonymity on the
Internet. Protection of freedom implies the principle that freedom corresponds to
responsibility. Lawful liberty is bound by the freedom of others. An exercise of
freedom which deprives others of the assertion of reciprocal rights cannot obtain
legal protection. Accordingly, fundamental rights only have relative effects. Those
who claim unrestricted freedom on the web have to ask themselves whether this
freedom is exercised at the expense of violating the rights of third parties.
Protecting anonymous expressions of opinion poses the risk that counterclaims
become devoid of purpose. This does not, however, exclude that anonymous expres-
sions of opinion are protected in general. Even though the protective scope of freedom
of expression covers anonymous statements, the relativity35 of the protection of
fundamental rights implies that the speaker’s anonymity is not absolutely but only
relatively ensured. The question is whether the protection of counterclaims can only
be invoked against the right to further disseminate an anonymous statement or if it
might even bring about a loss of anonymity. Put another way, does a person who
violates the rights of a third party through an anonymous statement need to expect
that the distribution of the statement will simply be stopped or that his or her identity
will be disclosed.
Neither anonymity or freedom of expression alone, nor their combination is per
se given priority. The positive impact that online portals have on the formation of
public opinion is also not protected limitlessly. This impact must instead be balanced
against the right of personality of the person being evaluated.
Eliminating anonymity must be the last resort (ultima ratio). Consideration of
fundamental rights requires that deterrent effects be avoided. The law must not funda-
mentally call into question the positive effects of disinhibition through anonymity. It
would be neither possible nor desirable to reverse the principle of anonymity on the
Internet as such. Rather, it is a matter of limiting the scope of anonymous activity
6 Proposed Solutions
The next question raised concerns the possibilities for non-constitutional law to
draw conclusions from the constitutional balance of interests. To make this as clear
as possible, we return to the example of the online evaluation portal. The legal
framework for online evaluation portals has to bring three constitutionally protected
interests into balance. First, the interest of the assessing person in remaining anony-
mous. He or she has a need to express and disseminate his or her opinion about a
service. A comprehensive evaluation is also in the public interest. According to the
principle of competition, rating portals can help to ensure that quality (or better: that
what their users consider quality-relevant) prevails. Secondly, the portal operator is
genuinely interested in spreading anonymously expressed opinions. The commercial
pursuit of such a platform also implicates economic interests. Finally, the assessed
person wants his or her right of personality to be protected. Economic interests are
also at stake for these people when their professional performance is assessed.
All these perspectives are relevant from a constitutional point of view. Hence,
all the conflicting interests have to be brought into practical concordance (“prak-
tische Konkordanz”36 ), meaning that all rights involved in the conflict are granted
the greatest possible effect.
For this purpose, the portal’s operator should be involved in the protection of
both the rights of the users and of the assessed persons. Theoretically, it would be
conceivable to apply various instruments of administrative law, criminal law and civil
law. It is conceivable to oblige the portal operator to prevent violations of privacy
rights and, if necessary, to block or delete contributions. Civil claims brought by the
assessed person may also be possible against the user and/or portal. This raises the
question of whether an assessed person can only dispute individual assessments or
whether he can demand to be completely removed from a portal with a preliminary
injunction. Criminal sanctions against the assessor are also possible, which may
require the anonymity of the assessor to be lifted. The latter also touches on the right
to informational self-determination. Finally, legal requirements may be placed on
the content and quality of the contributions in order to increase the objective value of
competition in a way that is as fair and neutral as possible and, in particular, excludes
untrue and inappropriate assessments.
For the purpose of criminal prosecution and claims for damages for violations
of the right of personality, the evaluated person must be entitled to learn about the
critic’s identity. The German law and jurisprudence only allows anonymity to be
lifted in cases of punishable statements.37 Even in this case, anonymity can only be
revoked by the prosecution and, through access to the files, revealed to the victim.
In practice, however, prosecutors are much too overworked to sufficiently prosecute
such crimes. There is also a law which makes it possible for copyright holders to be
told the identity of the person who anonymously infringed their rights. A legislative
initiative which the Federal Council (Bundesrat) launched in 2016 aimed at equating
personal rights and intellectual property. This initiative failed in the end, which
reflects an imbalance.38 Only the intellectual property, which is of importance for a
large business lobby, was regulated by the legislature on behalf of this lobby.
The German laws and the German courts do not adequately protect the personality
rights of the assessed persons. The right of personality should give the assessed person
the option to enjoin the portal operator from publishing any anonymous assessment
of individualized personal characteristics in freely accessible internet portals, even if
the assessment relates to a professional activity. This injunctive relief follows from
the equivalence of the personality rights of the evaluator and the evaluated person.
If the evaluators want to remain anonymous with their criticism on the Internet, they
cannot claim the right to name the criticized person. The Federal Court of Justice39
has seen this differently, arguing that this option would contradict the idea of freedom
of expression. In the opinion of the Court, public interest in information about medical
services and the free choice of a doctor outweigh a physician’s personality rights.
This argument must be rejected. The right of personality has to prevail in cases of
evaluations ad personam. The fact that expressions of opinion are also protected
when they are published anonymously is meaningful if the criticism refers only to
impersonal circumstances. For example, criticism concerning long waiting times
should be protected, but not criticism about a doctor’s lack of empathy. Injunctive
relief, which the assessed person is entitled to, can be sought against the portal
provider. In order to satisfy the injunction, the provider is neither obliged nor entitled
to reveal the anonymous critic’s identity. In case of doubt and if there are contested
facts, the infringed person can obtain an interlocutory injunction.
In a new decision,40 however, the Federal Court of Justice has relativized its
standards. Now, the weight of freedom of expression depends on whether the operator
of the rating portal occupies a position as a “neutral” information intermediary. A
portal is neutral if all locally competing physicians (professionals) are evaluated
in the same way. In this case, the operator of an assessment portal for physicians
in Germany offered a premium paid service that allowed physicians to supplement
their assessment page with pictures and information about their practice. In addition,
information about the (possibly better) assessments of competing physicians, which
was included on non-premium assessment pages, was replaced on the premium pages
37 Federal Court of Justice (BGH), Judgement of 1 July 2014 - VI ZR 345/13, BGHZ 201, 380,
mn. 9 ff.,—Ärztebewertung I; Federal Court of Justice (BGH), Judgement of 1 March 2016, VI ZR
34/15, BGHZ 209, 139—jameda.de.
38 Lauber-Rönsberg (2014), pp. 13–14.
39 BGH, Judgement of 23 September 2014 - VI ZR 358/13, BGHZ 202, 242.
40 BGH, Judgement of 20 February 2018 - VI ZR 30/17.
The Impact of Jurisdiction and Legislation on Standards … 351
with self-advertisement. The Federal Court of Justice found that the portal was not
acting as a neutral information intermediary and upheld the physician’s claim for
the deletion of all her data and reviews on the portal operator’s site. The practical
consequence of this decision, however, was not that information about the physician
was deleted. Rather, the portal operator responded immediately after the decision
was announced to change its practices so that they satisfied the Court’s neutrality
requirements. Thus, physicians must continue to tolerate anonymous assessments of
their activity on Internet portals.
The jurisprudence is thus more concerned with an objective improvement of the
neutrality and thus the information content of such evaluation portals than with
the protection of the doctors’ personal rights. The jurisprudence on the neutrality
obligation of the portal operators leads ultimately to an optimization of the interests
of the patients and the public interest in fair competition between medical services.
This approach is not sufficient to protect the personal rights of those assessed.
This deficit of individual legal protection also has objectively negative effects: The
exercise of those professions that are the subject of such public performance reviews
becomes less attractive if linked to becoming a public person. It is true that job profiles
change over time and that the law should not function to prevent such change. For
example, the social role of the doctor has changed from an unassailable authority
(“Herrgott in Weiß”) to a service provider of whom patients are critical. The law is
not intended to protect the factual unassailability of doctors, but, on the contrary, has
rightly contributed significantly to changing the doctor-patient relationship through
medical liability law. The law has also strengthened patients’ rights precisely in order
to counterbalance patients’ dependence on doctors. Only the law creates equality of
arms here. Anonymous evaluation portals have created a new imbalance whereby
doctors are subjected to personal accusations against which they are completely
defenceless. This should also be addressed by the law.
7 Quis Iudicabit?
The decisions of the Federal Court of Justice should not only be criticized in terms
of their content. Rather, the institutional question also arises as to whether it should
be the task of the supreme civil court to develop legal standards for the protection
of freedom of opinion, anonymity and personal rights on the Internet. Although the
German legal system has historically been shaped by written laws and not by case
law, standard setting is increasingly a function of both the courts and the legislature.
This has various causes: Here, Europeanisation and internationalisation play a
role, which are not only advanced by the executive branch and the legislative branch.
In Germany, however, the leading cause is the phenomenon of the constitutionalisa-
tion of the legal system, i.e. the derivation of the balance of interests from a weighing
of constitutional principles, in particular from fundamental rights. This, in turn, is
rooted not least in a strong constitutional jurisdiction. It is not the place here to
fundamentally question the limits of the legislative functions of the courts and in
352 L. Michael
41 Michael and Morlok (2019), mn. 481, 505; Michael and Morlok (2016), pp. 393–396, 407–412.
42 Jestaedt, Lepsius, Möllers, and Schönberger (2011), p. 159.
The Impact of Jurisdiction and Legislation on Standards … 353
References
Aftab S (2022) Online anonymity—The Achilles’-heel of the Brazilian Marco Civil da Internet.
In: Albers M, Sarlet IW (eds) Personality and data protection rights on the internet. Springer,
Dordrecht, Heidelberg, New York, London (in this volume)
Alexy R (1985) Theorie der Grundrechte. Nomos, Baden-Baden
Gomille C (2009) Prangerwirkung und Manipulationsgefahr bei Bewertungsforen im Internet.
Zeitschrift für Urheber- und Medienrecht 815–824
Gounalakis G, Klein C (2010) Zulässigkeit von personenbezogenen Bewertungsplattformen – Die
„Spickmich”-Entscheidung des BGH vom 23. 6. 2009. Neue Juristische Wochenschrift 566–571
Grewe H, Schärdel F (2008) Der digitale Pranger – Bewertungsportale im Internet. Multimedia und
Recht 644–650
Häberle P (2018) Fundamental rights in the welfare state. In: Kotzur M (ed) Peter Häberle on
constitutional theory. Nomos, Baden-Baden, pp 17–128
Hesse K (1999) Grundzüge des Verfassungsrechts der Bundesrepublik Deutschland, 20th edn. C.
F. Müller, Heidelberg
Hoffmann-Riem W (2011) Versammlungsfreiheit, § 106. In: Merten D, Papier HJ (eds) Handbuch
der Grundrechte (Band IV). C. F. Müller, Heidelberg, pp 1117–1212
Hong M (2018) The German network enforcement act and the presumption in favour of
freedom of speech. https://verfassungsblog.de/the-german-network-enforcement-act-and-the-pre
sumption-in-favour-of-freedom-of-speech/. Accessed 11 Jan. 2022
Jahn R (1988) Verfassungsrechtliche Probleme eines strafbewehrten Vermummungsverbots.
Juristenzeitung 545–551
43 “The Federal Constitutional Court shall rule on constitutional complaints, which may be filed by
any person alleging that one of his basic rights (…) has been infringed by public authority”.
44 “The Federal Supreme Court is responsible, mainly, for safeguarding the Constitution and it is
incumbent upon it: (…) to adjudicate, at extraordinary appeal level, cases decided in a sole or last
instance, when the appealed decision: a) is contrary to a provision of this Constitution; b) declares
the unconstitutionality of a treaty or a federal law (…)”.
354 L. Michael
Lothar Michael Professor of Public Law at Düsseldorf University. Main areas of research:
Fundamental Rights, Constitutional Theory, Administrative Law. Selected Publications: Grun-
drechte (with Martin Morlok), Baden-Banden: Nomos, 2019 (7th edition); Direitos Fundamen-
tais, tradução de de Sousa AF e Franco A. Savaiva, São Paolo: Saraiva 2016; Gleiches Recht der
Älteren auf gesellschaftliche Teilhabe, Baden-Baden, Nomos 2018; Die verfassungswandelnde
Gewalt, in: Rechtswissenschaft, Baden-Baden, Nomos 2014, pp. 426–480.
Digital Identity and the Problem
of Digital Inheritance
Limits of the Posthumous Protection of Personality on
the Internet in Brazil
Abstract Computers and information, data coding and handling systems are under-
stood as an extension of the human person, forging a web of unusual relations that
require a protection according to the model of the possibilities of appeals, i. e. a
protection that is multidimensional and compatible with less control and greater
scope in the regulation of risks. It is important to ensure the protection against risks
of material and immaterial damages, e.g. in cases of the creation of fake profiles,
violation of privacy, data retention and manipulation, stigmatization, discrimination
through registers etc. Personal data refers to all information of a personal char-
acter that are characterized by the possibility of identifying and determining the
data subject, whereas sensitive data are those that have to do with racial and ethnic
background, political, ideological and religious convictions, sexual preferences, data
about health, genetic and biometric data. The ensemble of these pieces of information
makes up the digital profiles or identities and has a political and, above all, economic
value, since they can become the raw material for the use of software that is directly
connected to the new forms of social control. Thus, data protection is, in sum, the
protection of the human person, mainly the protection of the free development of
his or her personality by guaranteeing informational self-determination, including
protection after their death. Digital inheritance is the set of data, digital assets which,
in sum, are digitized assets stored in the cloud. Considering that heritage involves
material and immaterial goods, the destination of the digital heritage of individuals
after their death becomes an urgent issue. This is, in principle, a conflict between the
enforcement of the fundamental right to inheritance and the guarantee of the right to
intimacy and privacy, which are essential to the exercise of personality rights. And
there is a demand for new forms of personality rights and inheritance rights that
encompass the notion of virtual personality and digital inheritance. Digital legacy,
This is the result of research developed in post-doctoral studies at the Pontifical Catholic University
of Rio Grande do Sul (PUCRS) and at the University of Hamburg, under the supervision of Professors
Carlos Alberto Molinaro and Marion Albers, and owes its realization particularly to the support and
granting of a scholarship by the Max Planck Institute of Hamburg.
G. B. S. Sarlet (B)
Pontifical Catholic University of Rio Grande do Sul—Law School (PUCRS), Porto Alegre, Rio
Grande do Sul, Brasil
i.e., the sum of rights, assets and obligations in the digital sphere that must be passed
to the heirs, is framed in a classification of goods that cannot by economically valued
and of goods that can be economically valued. The former would have a predomi-
nantly affective value and the rest an undeniable economic value due to the direct
possibility of their monetization. The concept of digital inheritance means that multi-
national companies will have to take steps to protect the personal data of their users.
Despite the civil framework for the Internet in Brazil, there are still some legisla-
tive gaps involving both personality and virtual inheritance. The approach to digital
inheritance issues must go through the data protection issue. As long as the virtual
personality persists, essential data will be protected using passwords, encryption,
etc. However, since there is no specific regulation in Brazil, the pure and simple
application of inheritance rights to the digital universe affects both the personality
rights sphere and some of the most valuable rights and principles guaranteed by the
Constitution.
1 General Context
The radical influence of technology on daily life is currently undeniable and even
determines the resignification of the concept of human being.1 On the one hand,
due to the extreme complexity that results from the use of technology, particularly
technology applied directly to life, i.e. biotechnology, some canons of Western civi-
lization have become completely obsolete. Due to the implications of the information
age in the lives of contemporary human beings, some canons, such as the idea of
death as a temporal marker of human finitude, or canons inherited, e.g. from Shake-
spearean literature, such as the idea of a crystallized identity, or even resulting from
the work of Kant such as the free, unhindered self-determination as a substrate of
subjectivity, have lost their primary condition for humankind. Among the most devas-
tating effects, the abyssal change undergone by the concept of privacy and economics
in the last few years should be recalled.2 On the other hand, concepts such as glob-
alization, virtualization and connectivity have been added to people’s lives and, as a
rule, become indispensable to perceive the current context.3
The popularization4 of information technology, in its turn, has borne revolutionary
fruits that permeate all the way from the quantity of data that are currently made
1 Jayme (1995), p. 9.
2 About all this, see Castells (2016), pp. 57–103.
3 Castells (2003), p. 43.
4 In the first decade of the twenty-first century, the number of people connected to the internet went
from 350 million to 2 billion. Moreover, in the same period, the number of people with mobile
phones went from 750 million to 5 billion. For 2025 it is expected that most of the world population
will have access to instantaneous information, and if the rate of growth of people connected to the
internet is maintained, on that date there will be 8 billion people online. Cf. Cohen, Schmidt (2014),
p. 15.
Digital Identity and the Problem of Digital Inheritance 357
available, the energy cost,5 the storage sites and security, the virtuality6 of social
relations to the velocity at which these data travel through the web and reach places
which had previously been unthinkable for human beings, besides the illusion of
neutrality that involves everyone in this process.7
Some consequences are already perceptible, while others point to a prognosis of
an abyssal devise in the history of humankind.8 Indeed, the revolution in the use of
information technology has caused profound changes in social relations, generating
political, economic,9 legal10 and existential11 effects.
There is an irrefutable mismatch between the parameters of comprehension and,
especially, of regulation in force and the current velocity and ephemeralness which are
characteristic of contemporary relations, especially after the advent of the internet.12
5 In 2011, the USA internet consumed an average of 2% of all the electricity produced worldwide.
The heat generated by the servers, active or not, requires compatible cooling, and, thus, it is estimated
that in 2020 in the USA consumption will rise to 140 billion kWH, 54% more. See Farinaccio (2016).
6 Agamben (2006), p. 35.
7 Neutrality refers to the principle that ensures that all the content transmitted by the computer web
should be treated in the same way, that is, should not suffer any kind of discrimination, be it for its
content, for its origin or for its destination. See, pars pro toto, Marsden (2010), p. 36.
8 Ramsay (2001), p. 45.
9 For a perception of the monetarization of the internet use, suffice it to recall that Microsoft in 2016
acquired LinkedIn, paying 26 million dollars for the company and especially for its professional
cadaster of 430 million users and 100 million visitors a month. The value represents 60 dollars per
user or 260 dollars per visitor a month, see The Economist (2016) LinkedUp. http://www.econom
ist.com/business/2016/06/18/linkedup. Accessed 11 Jan. 2022.
10 “Information Society—which is nothing more than a specific form of social organization, in which
the management, processing and transmission of information become the fundamental sources of
production and power, due to the new technological conditions that arose in this historical period.
The rise of this new society, therefore, brought about the need to rethink the role of the State in this
new context”, Leite (2016), p. 150.
11 Main characteristics of contemporaneity—a society structured in the form of a web, generating
infinite opportunities for control and surveillance depending radically on the information webs;
excessive volumes of information in comparison with the decrease of the production of knowledge;
hyperacceleration and hyperexposure—society of confession and intimacy, in which power was
replaced by attention and wealth can be translated by a person’s access to the sources of raw
material, namely, to information itself. The introduction of this information model altered the
cultural grammar of society radically, insofar as its structures were transformed and new behaviors
were generated, making those that were previously known more complex and, simultaneously,
initiating new conflicts that are not yet legally regulated because of their novelty. An immediate
consequence was the illusion that it was a completely neutral and, consequently, safe environment.
This situation caused a kind of displacement of a considerable group of people situated at the
margins of formal knowledge who, fascinated, give over their personal data, without much care,
including sensitive data, to reach the possibility of access to a simulacrum of digital citizenship and,
in this way, to feel included.
12 The virtual political sphere only reflects traditional politics and, in these terms, not all information
produces democracy, especially due to the volume, since access to the internet cannot ensure political
access and activity. Strictly speaking, digital democracy consists of an experience of the internet
and of its devices turned towards the potentiation of civil, active and responsible civil participation
in conducting public business.
358 G. B. S. Sarlet
Due to the fragilization of the previous paradigms,13 typical of this era, many chal-
lenges began to be imposed on all those who deal with sciences, particularly human
sciences and applied social sciences.
One of the main challenges to be met is the analysis of the Copernican revolution
imposed by augmented reality, by virtualization, by the personification of avatars,
by the invention of new symbolic exchanges, by the overexposure of private life
on the social networks, by the excess of information, particularly personal informa-
tion, by re-structuring commercial transactions and by the need for rapid and precise
responses that have no precedent in Western civilization and even actually deter-
mine the appeal for a new modality of juridification, i.e. challenges coming from
the impacts of identity digitalization and, consequently, a reshaping of personality
protection in the digital environment.
This article is the result of an investigation, based primarily on the Brazilian legal
system, about the posthumous protection of personality on the internet. It highlights
the problem of digital inheritance, a topic that includes unusual property-related
aspects14 and shows new outlines for personality rights. It aims to propose some
possibilities of constructing a theory of probate rights compatible with the principle
of the human person dignity, as well as with the spheres of freedom and private
autonomy, focusing on the Brazilian legal system as far as personality rights are
concerned.
For this purpose, it will start from the problem of digital identity and the protection
of personality on the internet. Then it will discuss the problem of the digital inheri-
tance, its consequences for the legal domain, especially the new outlines of probate
law because of the post mortem guarantee of personality rights, and the potential
solutions in case law, legal doctrine and the laws that have already been adopted or
are presently under construction in Brazil.
2 Digital Identity
Strictly speaking, the internet challenges time and space and even produces immor-
talities in cyberspace, besides changing peoples’ lives, both individually and
collectively. Currently, computers and systems of information, data encoding, and
processing are seen as an extension of the human person,15 forging a web of
relationships that need adequate protection.
deal with racial and ethnic origin, political, ideological and religious convictions,
sexual preferences, data on health, genetic data, and biometrical information25 .
The ensemble of this information makes up the digital profiles or identities and
has political and especially economic value. It is material and immaterial property
and can be employed as raw material for the use of software attached to new forms
of social control and the current modalities of immortalization.26
Digital identity27 is, thus, the result of the use of this category to facilitate the
clarification of the phenomenon of digitalization in a human being’s life, especially
about their singularization as a person, inside or outside the cybernetic environment.
It consists of a set of information transformed into bits or pixels that represent a
human person and can be used in the relationship with machines or with other users,
e.g. passwords, data on face recognition of the face, the voice, the iris, fingerprints.
Digital identity however, does not consist only of the spontaneously supplied data, but
also of the digital footprints or shadows, i.e. the history of all transactions performed
by the user28 that form the records of the sites and portals of access to the internet.
Proportionally to the use of the internet, the digital shadows or footprints include
images on surveillance cameras, banking transactions, telephone calls, medical data,
scanner copies and hospital exams, credit information, history of convictions, espe-
cially criminal,29 in other words, all the information that can be accessed in the
datacenters.
Data protection is, in brief, the protection of human persons in a version updated
to the demands of contemporaneity, especially regarding the protection of the free
development of their personality by ensuring their informational self-determination,
which necessarily includes post mortem protection. One of the main consequences
of this new cultural dimension is the production of digital property.30 In this way,
a demand for new outlines of personality rights and probate rights arises, namely,
outlines that will include the notion of virtual personality31 and digital inheritance.
The usual violations of personality rights, by means of global attacks or by the
isolated conduct of private persons, have included data theft, which represents, among
other cybernetic crimes, the theft of digital identity,32 the creation of false profiles
in social media, the theft of financial assets, and even, because of the lack of secure
25 Biometry is the anthropometric act of marking, according to the criteria of Alphonse Bertillon.
It is a general and subtle form of control by the State that allows prosecution.
26 Cha (2005). In this sense the view of Statement 531 of the VI Jornada de Direito Civil (6th
Meeting on Civil Law) promoted by the Council of the Federal Justice in March 2014 is relevant.
It says: “The protection of the human person dignity in information society includes the right to be
forgotten”.
27 Júlio (2005).
28 Bock (2017), pp. 370–417.
29 Molinaro and Sarlet (2013), p. 69.
30 Lima (2010), p. 95; Reis (2010), p. 95.
31 Oliveira (2002), pp. 121–143.
32 The so-called Streisand effect must be included in the analysis of the guarantee of the right to
data protection, since publicity about the damage may trigger many people’s curiosity, as occurred
in the case involving the actress Barbara Streisand.
Digital Identity and the Problem of Digital Inheritance 361
parameters, usurping personal data after the user’s death. Likewise, there are cases
of discrimination, inciting hatred, digital public shaming, revenge porn etc.
In general, there are two types of data usurpation: the use of already existing
accounts and profiles, and the creation of accounts or profiles based on stolen data,
which has become a very recent problem for the electoral system of many countries33
when surveying the intentions of votes.
It should be recalled that this is a behavior that directly affects, among others,
the fundamental right to intimacy enshrined in article 5, X of the FC/88, which, by
the way, was useful for the protection of personality, from which various rights and
guarantees are extracted, including the fundamental right to the free development
of personality. It should also be underscored that Brazilian civil law confirms the
inviolability of the private life of the natural person along the lines of article 21 of
the Brazilian Civil Code (BCC), also covering the protection of the deceased, as
provided by the sole paragraph of article 12 of the BCC, particularly as regards the
objective honor.
Digital inheritance is the composition of a set of data, of digital assets that, in brief,
are virtual goods that are usually kept on the internet. As property involves both
the material goods and the immaterial ones, the issue about the destination given to
the digital property of a person after he or she dies becomes imperative, especially
considering that the attribute of matter about the concept of property is an operational
rather than an essential construction.34
In brief, there is a profusion of concerns resulting from the concept of digital
death and its effects when there is a dearth of decisions about their digital property.
Basically, a conflict is revealed between applying the fundamental right to inheritance
and guaranteeing the right to the inviolability of communications, to intimacy and
to privacy, essential to exercising personality rights, insofar the person’s action on
the internet is basically connected to the intimate sphere in the composition of an
expression of personality which often is different from the one that is manifest to the
heirs.
33 Globo (2017).
34 Abreu (2003), pp. 30–45.
362 G. B. S. Sarlet
Traditionally, the digital legacy,35 i.e. the sum of rights, goods, assets and obligations
within the digital sphere that should be transmitted to the heirs is structured in a
classification of goods that are not susceptible to economic valuing and goods whose
value can be measured economically, in which the former have predominantly an
affective value, such as photographs that make up the documental memory, and the
others have an undeniable property value due to the direct possibility of monetary
conversion36 . As long as the data are stored in personal computers or on a USB-Stick,
their sharing along the lines of the current laws is unarguable.
Indeed, the problems lie in the regulation of the posthumous disposition of the
data stored in the cloud and in the management of digital accounts. Examples of this
are e-mail accounts, access to insurance portals, passwords and records of financial
transactions in internet banking, access to mileage and to the system of scores in sites,
online purchases and subscriptions, portal and blog maintenance, files and purchasing
of space in the cloud, digital counseling services, investments and statements of online
transactions in the stock exchange, credits in virtual coins such as bitcoins and others,
management of avatars, management of profiles in social networks, digital assets
on music and game platforms, management of accounts such as Twitter, LinkedIn,
Amazon, Skype, Netflix, YouTube, eBay, WhatsApp, Instagram etc.
The internet, insofar as it is a deterritorialized field of action for persons, is, in
general, averse to attempts at State regulation. It is claimed that the internet is a
free environment37 and, therefore, an arena of private autonomy. Currently private
entities38 are the main target of the modalities of regulation designed to implement
full digital democracy, whose essential core is the strengthening of the human person
as an active subject through the expression of free informed consent of its participants.
Thus, a virtual will would be the best option, especially because of the legal gaps,
although it is not yet commonly used, above all in Brazil. On the other hand, the
simple-minded solution of the use of passwords by third parties for the cases of
access to accounts or to profiles is, to say the least, inappropriate, since, besides
the many conflicts regarding family and probate law, it represents a crime of false
identity defined as such in article 307 of the Brazilian Criminal Code.39
By the way, the concept of digital inheritance, because of its complexity and novel
character, generally implies a new way of articulation of the transnational companies
regarding the protection of the personal data of their users.
and some control, it is interesting to see the shape of the manifesto of cyberspace independence.
Barlow (1996).
38 Sarmento (2006), p. 34.
39 Article 307 of the Brazilian Criminal Code: “To attribute to oneself or to a third party a false
identity to obtain advantage for oneself or another, or to cause damage to somebody else”.
Digital Identity and the Problem of Digital Inheritance 363
40 See Alexander (2016), pp. 301–308, and more closely with a detailed analysis of the courts’
decisions and the German legal situation Heidrich (2022), in this volume.
41 The requests for information regarding the account of a deceased person should be sent to the
following e-mail address: msrecord@microsoft.com or to the physical address: Next ofkin, One
Microsoft Way, Redmond, WA 98,052.
42 Apple (2018).
364 G. B. S. Sarlet
into a memorial.43 Twitter offers the possibility of removing photos and files of
deceased persons if their death is confirmed. Microsoft enables access to the content
of e-mail accounts (Hotmail, Outlook and Live) by the representative of the deceased
user, requiring a court order for this. Amazon, for instance, does not accept the transfer
of licenses to third parties, alleging that this is not a purchase, but rather a service, a
license for use, and in this situation, it acts by ignoring consumer protection.44 The
data storage service in the cloud, Dropbox45 , allows access to the data and to the files
after the user’s death by petition if it is proved that the petitioner has a court order.
Finally, the ambiguity of using copyright for e-mail accounts should be underscored,
since the use of the great majority of them is perceived as a license to use a service,
which expires when the user dies.
Ultimately, one can observe a general tendency to adopt the DAP trust system
(Digital Asset Trust) which allows the customer to designate a person or a company46
to access and manage their files in case of death or severe disability.
Outstanding, due to its relevance for discernment in this topic, is the act of consent
as a gnoseological process in which all information about relevance, adequacy,
purpose, time of collection, storage, treatment and transmission of data obtained must
be previously clarified to enable production, renunciation, alteration, use, cession and
availability or refusal of the internet user, that is, in clear, precise, appropriate and
sufficient language. Thus, it is important to ensure protection against risks of material
and immaterial damages, e.g. creation of false profiles, violation of privacy, reten-
tion and manipulation of data, stigmatization, discrimination by means of cadasters,
etc.47 In fact this is the starting point for the idea of virtual testament, that is, an
expression of freedom presupposing the ample, correct and precise information.
According to Beviláqua, inheritance is the totality of the goods that someone leaves
when they die and that are acquired by the heirs.48 Inheriting is to succeed to the
ownership of property according to article 91 of the Brazilian Civil Code (henceforth
43 Instagram (2017).
44 UN Resolution 39/248, April 9, 1985, establishes the guarantee of consumer protection as a duty
of all member States.
45 Dropbox (2017).
46 As an example, see Perpetual Websites. Available via internet. http://web.archive.org/web/201
BCC), i.e. it is circumscribed to the legal relations endowed with an economic value,
since the personality rights are, as a rule, non-transmissible49 .
As a direct result of the fundamental right to private property, the right to inheri-
tance is enshrined in article 5, XXX of the FC/88. The law of probate and succession,
a consequence of the corollary of private autonomy, results from the verification of
the real or presumptive death of a natural person according to article 6 of the BCC.
It exists to preserve private property, and, in terms of its social function, it mainly
addresses family maintenance,50 and it should be underscored that there is also a
right to inheritance about obligations contracted by the deceased.
If there is no express provision to the contrary, the transmissibility of property to
the heirs is instantaneous, due to the principle of saisine enshrined in article 1784 of
the BCC. The main effects of applying the legal fiction originating in the institute of
saisine51 are: opening the inheritance with the real or presumed death of the person
and immediate attribution both of possession and property of the inheritance to the
heirs, who then have ad causam legitimacy, especially due to the faculty of protecting
the inheritance against attacks by third parties. It consists of a subjective mutation,
and, thus, the goods are transferred just as they were in the previous possession. The
application of saisine, which since its medieval inception has referred exclusively
to the property aspects of inheritance, must obviously be relativized for the sake of
protection of the personality rights of the deceased person.
The law establishes in article 1845 of the BCC the list of necessary heirs, since the
Brazilian lawgiver limited the freedom to dispose of the goods insofar as it protected
the legitime (see articles 1845 and 1846 of the BCC).
Article 80 of the same legislative text, in accordance with what was previously
underscored, considers an immovable good the right to open succession, and, empha-
sizing this guarantee, it is considered that the transmission occurs at the time when
the probate is opened, and not when the inventory is opened, at the time of the small-
estate probate or at the time of the partition proper. Likewise, because of the principle
of indivisibility of the inheritance and its regulation on the lines of a co-ownership
extracted from article 1791 of the BCC, any of the co-heirs can claim the inheritance
against a third party. Further about this aspect, mention should be made of what is
provided for in article 1825 of the BCC, which establishes that the action of peti-
tioning for the inheritance, even if exerted by only one of the heirs, may include all
the hereditary assets. It should also be mentioned that, according to articles 1793–
1795, the heir cannot cede any asset by themselves, unless there is a court order and
under strict observance of the right of preference of the other heirs.
Succession,52 therefore, is distinguished in an intestate and a testate succession,
which refers to the act of disposition of the last will, according to articles 1786 and
1788 of the BCC. Article 227, paragraph 6 of the FC/88 innovated by establishing
the equality between the offspring and by generating isonomic effects on the order of
succession of article 1829 of the BCC of 2002 and providing that it should be done
by classes that exclude each other, consisting of a preferred order. Thus, even if there
is the hypothesis of an estate in abeyance, in which the period of five years is used to
transmit the legacy to the public property, the Brazilian civil law considers only the
heirs by intestacy, testamentary heirs or optional heirs, highlighting the possibility
of exclusion due to unworthiness (article 1814) or disinheritance (articles 1961 and
1964).
From article 1847 of the BCC it is inferred that calculating the legitimate inheri-
tance must consider half the total value of the assets that exist at the time the probate
is started, after the debts and funeral expenses are deducted and the values of the
assets subject to collation are added. After transmission of the inheritance, thus, each
of the heirs must confirm the acquisition, accepting it or refusing it by waiver. Both
acceptance and waiver have retroactive effects.53 A partial acceptance or waiver is
not admissible in Brazilian law. Waiver, provided for in articles 1,804 and 1,805
of the BCC, is a potestative right that is performed in a unilateral, irreversible and
solemn legal transaction undertaken by means of a public instrument, which is not
dependent on ratification and is distinguished as express and as translational waiver,
which is applicable only when there is a finding of full capacity, agreement of the
spouse, save in cases of a regime of full separation of property, and insofar as it does
not cause losses to the creditors.
It is relevant to underscore that only if there are no necessary heirs can the testator
dispose of the assets in full. According to articles 1857 to 1859 of the BCC, a will is
a strictly personal legal transaction and an act of last will that cannot be restricted to
values or property but must be extended to existential matters.54 It can be used, for
instance, to acknowledge children, to forgive the unworthy heir, for last directives
of the will on the lines of the living will, for appointment of a guardian, exemption
from collation of assets that were previously donated. The validity of the will is,
consequently, conditioned to obeying the elements intrinsic to legal transactions, i.e.
the testator’s capacity, the spontaneity of the statement of will, the lawfulness of the
object, respect for limits and for formal elements etc.55 .
It was not the New Code of Civil Procedure (henceforth NCCP) that relevantly
changed the regulation of inheritance neighter the probate proceeding in the national
legislation when it came into force. In general, the most prominent change occurred
due to the impossibility of opening the inventory ex officio. It included the possibility
of processing and elucidating the partition through a public deed to record the goods
and survey assets when there is no will, agreement and capacity of the parties. It
established the venue of the domicile of the deceased, regardless of the place of death,
and, in case the domicile is not certain, that of the real estate must be recognized.
If there are multiple domiciles, any of them can be established. It should be also
explained that any of the parties with standing and likewise the parties interested in
the property may request that proceedings be started. There is also the possibility that
injunction be granted, which, in brief, provided the anticipation of use and fruition
of goods according to articles 647–649 of the NCCP and to article 2017 of the BCC,
which outlined the principles that rule the act of partition.
It is congruent to clarify the content of articles 664, 665 and 667 of the NCCP to
understand the institute of small-estate probate in its common and summary modal-
ities. The common one is limited to the value of 1000 minimum wages of the inher-
itance, but there is a new provision for its application in cases in which there is
agreement between the parties and likewise of the Prosecution Office, even if inter-
ests of minors are involved. Regardless of values, the summary small-estate probate
occurs when the parties are competent and there is no litigation. Conveniently, the
lawmaker provided the court order as a substitute for probate in small conveyances
of money that should not be more than approximately R$ 10,000.00 (ten thousand
real) according to Law 6858 of 1980.
It is undeniable that, despite efforts to produce the Brazilian Civil Rights Frame-
work for the Internet and what can be inferred from the content of the constitutional
text, civil law and consumer law, Law of Access to Information and the consti-
tutional enshrinement of the institute of Habeas Data, there are still many voids
regarding issues involving both the posthumous dimension of the personality and
digital inheritance.
The fact is that the approach to the problem of digital inheritance necessarily
hinges on the matter of data protection56 and the latter still lacks specific regulation
in Brazil, despite the general guarantee of protection of fundamental rights and
personality rights, especially by the recent legislation (Federal Act N. 13.709/2018),
that did not include a solution for this problem. By the way, this law is only in effect
since recently.
This is in fact a topic correlated with protection extracted both from the Consumer
Protection Code (henceforth CPC) and from the BCC against the existence of abusive
contractual clauses to which both statutes confer ex tunc nullity. Thus, it is the
Prosecution Office, civil organizations and state bodies, through public civil action,
that must require nullity, besides those who suffered losses, who should do it through
individual actions.
In this way, the protection circumscribed to adhesion contracts, a common
modality in the digital world, is reaffirmed, and it is emphasized that this involves a
presumption of absolute vulnerability. It is also relevant to reaffirm the provision for
an interpretation that is more beneficial to those who adhere in cases of ambiguity
or contradiction, which can be inferred from article 423 of the CPC, besides what
56 Rodotà (2006).
368 G. B. S. Sarlet
is provided for in article 47 of the same statute and in item VI of article 170 of the
FC/88, which deals with consumer protection.
Thus, despite the normative basis that were once established, insofar as in Brazil
there is lack of a specific legislation for cases of digital inheritance, the pure and
simple application of rights of probate in the field of the digital universe, besides not
attaining the specificities of the topic, would involve both the sphere of the personality
rights and some of the most valuable constitutionally ensured rights and principles57 .
In this sense, as to the disposition of the digital property and considering its novel
character,58 the modality of virtual will arises, aimed, but not exclusively, at the
disposition of the existential aspects. It consists of a statement of the will of a natural
person in full enjoyment of their capacities and full exercise of their autonomy, whose
object is an authorization or a total or partial restriction of the management of the
assets that make up the digital property considering the future impossibility of doing
it because of death or potential disability.
The adaptation of this consequence of the institute of a will to digital reality
is noteworthy because of its obligatory relationship with the right to freedom of
personal development, with informational self-determination and with other funda-
mental rights that are enshrined in the FC/88. As regards the transmissibility of goods
that can be obtained in money, it is important to highlight the wording of article 82
of the BCC on the concept of personal property in connection with what is inferred
from article 83 of the same statute as long as it deals with the energies that have an
economic value and therefore involves the due application of the rights of probate
property.
It is relevant to explain the approach between the virtual testament, a term
commonly more used by legal scholarship, and the idea of a digital codicil that
would be very appropriate for existential situations. According to article 1881 of the
BCC, it consists in an act of last will through which a person establishes special
provisions regarding their burial and/or the legacy of low value personal property.
The problem that remains is the real impossibility of quantifying the moneta-
rization of certain digital files and, thus, of establishing the definitive boundary
between the two modalities that make up the digital property, especially consid-
ering the dynamics of the virtual world itself, which constantly alters the traditional
form of measuring real values and of monetarization. As an example of the tenuous
boundary of the protection of property and of personality, one can point out the use of
the technology for identification by radiofrequency, known as RFID, currently used
by subcutaneously implanting microchips to facilitate the tracking and use of data
that range from personal, biometric, and banking information to some passwords to
access sites and accounts59 .
Here it is appropriate to underscore the content of the law bills that seek to regu-
late this matter: PL 4099/2012 and its appendix, PL 4847/2012.60 Along the lines
of the latter, Chapter 2-A would be added: “Article 1797-A. Digital inheritance is
granted as the intangible content of the deceased, everything that can be stored or
accumulated in a virtual space, under the following conditions: passwords; social
networks; internet accounts; any virtual and digital good and service owned by the
deceased. Article 1797-B. If the deceased, being capable of making a will, has not
done so, the inheritance will be transmitted to the legitimate heirs.
Article 1797-C. The heir must: (a) transform it into a memorial, restricting access
to friends; (b) erase all of the user’s data, or; (c) remove the account of the former
user.” Meanwhile, PL 4099/2012, currently pending in the Federal Senate, tries to
exclusively ensure the heirs of the transmission of all digital contents and goods, as
well as access to the content stored in e-mail accounts and social networks owned
by the deceased. In accordance with this intention, only a sole paragraph would be
included in the article: “Article 1788. […] Sole paragraph. The heirs will receive all
the contents of digital accounts or files owned by the deceased.”
However, it should be added, that the Brazilian Federal Senate filed both law bills
on December 2018. Besides this, the provisions and the protection of both law bills
were really insufficient, above all because of the lack of a broad discussion of the
topic in Brazil and the fact that they did not encompass the totality of the problem,
especially in terms of facing the idea of non-temporality brought by the internet and
its repercussions, not only in the legal sphere, but particularly as regards the limits
of factual applicability and real efficacy.
It is evident that, if death occurs, one cannot immediately replace the ownership
of digital property without affecting or even violating the dignity and likewise the
personality rights of the deceased, particularly their rights to intimacy and to privacy.
Thus, it becomes clear that a systematic interpretation is the exegetic modality that is
particularly ideal to establish guidelines for a judicial solution in the sphere of digital
law, taking as central nexus the provisions of the FC/88 to build constellations created
based on the rules, legal scholarship and precedents related to the topic.
The enactment of the FC/88 was auspicious for the protection of personality rights
especially due to the absence of restrictions to the rights and guarantees provided in
the constitutional text and due to the compatibility with the rules that make up the
protection of human rights. On the other hand, the BCC, going against the legisla-
tive tendency, instead of creating an opportunity for full and in this sense dialec-
tical protection, followed the pattern that prioritizes a list of rights of defense and,
therefore, does not reach the level of protection implied by current demands.61
It is important to emphasize the protection to the personality guaranteed by
Brazilian law, even after death, according to article 12 of the BCC, mainly because
it allows modeling parameters of balancing.62 The Superior Court of Justice, in an
emblematic trial about the protection of the honor and the image of the world famous
soccer player Garrincha, stated that “the image and honor of someone who dies still
deserves protection, as they are not nobody’s things, because they remain eternally
remembered in the memories as immortal goods that are prolonged well beyond life
and are even above it”.63
Despite the criticism of the restrictive and confusing character of what is inferred
from articles 12, 20 and 21 of the BCC, as well as the incongruence with the charac-
teristic of non-transmissibility that is recognized to the personality rights, there is an
undeniable need to create a protection that will be compatible with the constitution
and, thus, cover the protection not only of the image and objective honor, but above
all the privacy64 of the deceased.65 The BCC doesn’t contemplate specifically the
post mortem protection of personality in the internet. There is still a lack of case
law, and the outstanding paradigm is a decision from the State Appeal Court of Mato
Grosso, stating that the Facebook profile should be extinguished under a penalty of
a daily fine, for being demonstrated a violation of personality rights.
of this law, besides the foundations, principles and objectives provided, the nature,
uses and habits of the internet will be considered, as well as its importance for the
promotion of human, economic, social and cultural development. From the content
of article 7 one can infer the rules on moral and material damages in case of viola-
tion of intimacy and private life, as well as on the confidentiality of the flow of
communications and stored communications. It provides for the right to not supply
personal data to third parties by consent of the user, to definitively exclude personal
data supplied for a specific application on the internet, the publicity and clarity of
potential policies of use of connection and application providers. Articles 10 and 11
structure the basis to guarantee the right to data protection in Brazil, referring to the
regulation issued by Decree 8771/16.
In general, the user is assured, among others, of the following rights66 :—inviola-
bility of intimacy and private life, their protection and indemnification for material or
moral damage resulting from their violation in internet domains, save by court order,
as required by the law;—inviolability and confidentiality of their private communica-
tions and personal data that they may have supplied to a given internet application at
their request, at the end of the relationship among the parties, save for the hypotheses
of mandatory holding of records provided for in this law; holding and making avail-
able records of connection and access to internet applications dealt with in this law,
as well as data to preserve the intimacy of the private life, honor and image of the
parties directly or indirectly involved.
Strictly speaking, the General Law on the Protection of Personal Data and the
provisory measure that created the National Data Protection Authority do not directly
address the problem of digital inheritance. This legislation has entered into force
only recently, but this legislative experience, as a result of the influence of the Euro-
pean Regulation (GDPR), is becoming more and more decisive for the creation and
formatation of guidelines and solutions related to protection of fundamental rights
in the internet environment.
4 Final Considerations
Considering the former considerations, one could say that a fundamental aspect
concerning the regulation of personality rights protection related to digital inheritance
is to verify the insufficient level of effectiveness of the current legislation in Brazil.
It is thus necessary to consolidate a new legal framework for fundamental rights,
particularly for the personality rights considering the peculiarities of digital and the
virtual world, but not breaking with the regulation and main principles that apply
to the analogical world. In this field there is a need for a posthumous protection
of the personality offering solutions to handle, for instance, with the breakdown of
chronological time by the internet and other aspects already presented.
the centrality of the protection of the human person have been accessed by Judges and
Courts in several decisions developing some quite interesting and consistent criteria
and strengthening at least in part the personality rights protection in the internet.
References
Dias MB (2008) Manual das Sucessões, 5th edn. Revista dos Tribunais, São Paulo
Doneda D (2006) Da privacidade à proteção de dados pessoais. Renovar, Rio de Janeiro
Dropbox (2017) Política de privacidade do Dropbox. Available via internet. https://www.dropbox.
com/pt_BR/privacy. Accessed 11 Jan. 2022
254813. Accessed 5 Dec. 2017
Dwings L (2015) The right to be forgotten. Action Intell Prop 9(J45):67:45–80
Farinaccio R (2016) Afinal, quanta energia elétrica a internet utiliza para funcionar? In: Tecmundo.
Available via internet. https://www.tecmundo.com.br/internet/104589-quanta-energia-eletrica-
internet-utiliza-funcionar.htm. Accessed 11 Jan. 2022
Fena L, Jennings C (2000) Priv@cidade.com: como preservar sua intimidade na era da internet.
Futura, São Paulo
Globo O (2017) Perfil falso usou fotos de brasileiro para influenciar eleição dos EUA. Available via
internet. https://oglobo.globo.com/mundo/perfil-falso-usou-fotos-de-brasileiro-para-influenciar-
eleicao-dos-eua-21821791. Accessed 11 Jan. 2022
Habermas J (2001) Moral consequences and communicative action. MIT, Cambridge, MA
Heidrich F (2022) The digital estate in the conflict between the right of inheritance and the protection
of personality rights. In: Albers M, Sarlet IW (eds) Personality and data protection rights on the
internet. Springer, Dordrecht, Heidelberg, New York, London (in this volume)
Hironaka G, Pereira R (2004) Direito das Sucessões e o novo Código Civil. Del Rey, Belo Horizonte
Hironaka G (2011) Morrer e suceder: passado e presente da transmissão sucessória concorrencial.
Revista dos Tribunais, São Paulo
Hoffmann C, Luch AD, Schulz SE, Borchers KC (2015) Die digitale Dimension der Grundrechte:
Das Grundgesetz im digitalen Zeitalter. Nomos, Baden-Baden
Instagram (2017) Relatar a conta de uma pessoa falecida para transformar em memorial no
Instagram.
Jayme E (1995) Identité culturelle et integration: le droit international privé postmoderne. Recueil
des Cours, vol 251. Nihoff: Brill, Boston, MA
Júlio B (2005) Identidade e interação social em comunicação mediada por computador. Universidade
Nova de Lisboa. Available via internet. http://www.bocc.ubi.pt/pag/julio-bruno-identidade-intera
ccao-social.pdf. Accessed 11 Jan. 2022
Lévy P (2002) Ciberdemocracia. Instituto Piaget, Lisboa
Lima I (2018) Herança digital: direitos sucessórios de bens armazenados virtualmente. Available
via internet. http://bdm.unb.br/handle/10483/6799. Accessed 11 Jan. 2022
Lippmann E (2013) Testamento vital: o direito à dignidade. Matrix, São Paulo
Marsden CT (2010) Net neutrality: towards a co-regulatory solution. Bloomsbury Academic,
London
Meyer J (2011) Identität und virtuelle Identität natürlicher Personen im Internet. Nomos, Baden-
Baden
Miranda P (1966) Tratado de direito privado: parte especial, 2nd edn. Borsoi, Rio de Janeiro
Molinaro CA, Sarlet IW (2013) A sociedade em rede, internet e Estado de vigilância: algumas
aproximações. Revista Da AJURIS, Porto Alegre 40:132
Moraes MC (2003) Danos à pessoa humana—uma leitura civil-constitucional dos danos morais.
Renovar, Rio de Janeiro
Morato AC (2012) Quadro geral dos direitos de personalidade. Revista da Faculdade de Direito da
Universidade de São Paulo, São Paulo, 106/107
Negroponte N (2009) Vida digital. Companhia das Letras, São Paulo
Norris P (2001) Digital divide: civic engagement, information poverty, and the internet worldwide.
Cambridge University Press, Cambridge
Oliveira VC (2002) Comunicação, identidade e mobilização social na era da informação. Revista
Fronteiras—Estudos Midiáticos, São Leopoldo, 4, 2
Pereira CM (2012) Instituições de direito civil: direito das sucessões, 19th edn, vol 6. Forense, Rio
de Janeiro
Digital Identity and the Problem of Digital Inheritance 375
Ramsay I (2001) Consumer protection in the era of informational capitalism. In: Wilhelmsson T,
Tuominem S, Tuomoca H (eds) Consumer Law in the Information Society. Kluwer, Boston
Rizardo A (2011) Direito das sucessões, 6th edn. Forense, Rio de Janeiro
Reis C (2010) Dano moral, 5th edn. Forense, Rio de Janeiro
Rodotà S (2006) La conservación de los datos de tráfico en las comunicaciones electrónicas. In:
Segundo Congreso sobre Internet, derecho y política: análisis y prospectiva [monográfico en
línea], IDP, Derecho y Política, 3 UOC. Available via internet. https://www.raco.cat/index.php/
IDP/article/download/49964/50870/. Accessed 11 Jan. 2022
Rohrmann CA (2005) Curso de Direito Virtual. Del Rey, Belo Horizonte
Santos B (2016) Apesar de expansão, acesso à internet no Brasil ainda é baixo. Avail-
able via internet. https://exame.abril.com.br/brasil/apesar-de-expansao-acesso-a-internet-no-bra
sil-ainda-e-baixo/. Accessed 11 Jan. 2022
Sarlet IW (2018) Direitos Fundamentais em espécie. In: Sarlet IW, Marinoni LG and Mitidiero D
(2018) Curso de Direito Constitucional, 7th edn. Saraiva, São Paulo
Sarlet IW (2013) Do caso Lebach ao caso Google versus Agência espanhola de proteção de
dados. Available via internet. https://www.conjur.com.br/2015-jun-05/direitos-fundamentais-leb
ach-google-vs-agencia-espanhola-protecao-dados-mario-gonzalez. Accessed 11 Jan. 2022
Sarmento D (2006) Direitos fundamentais e relações privadas, 2nd edn. Lumen Juris, Rio de Janeiro
Schreiber A (2018) Os Direitos da Personalidade e o Código Civil de 2002. Available via
internet. http://www.andersonschreiber.com.br/downloads/os_direitos_da_personalidade_e_o_c
odigo_civil_de_2002.pdf. Accessed 11 Jan. 2022
Tepedino G (2004) A tutela da personalidade no ordenamento civil-constitucional brasileiro. Temas
de Direito Civil, 3rd edn. Renovar, Rio de Janeiro, pp 23–58
Gabrielle Bezerra Sales Sarlet Dr. Iur. (University of Augsburg, Germany), Master’s Degree
and Bachelor of Laws from the Federal University of Ceará (UFC). Professor of the Graduation
Program in Law (LLM-PHD) at the Pontifical Catholic University Rio Grande do Sul, Brazil—
PUCRS). Main areas of research: Constitutional Law, Human and Fundamental Rights in the
Digital Domain, Bioethics, Digital Law, Neuroscience, Literature and Law. Selected Publications:
Überzählige Embryonen in der Reproduktionsmedizin: Ein Rechtsvergleich zwischen Deutsch-
land und Brasilien, Schriften zum Bio-, Gesundheits- und Medizinrecht Band 13, Baden-Baden,
Nomos, 2013; Notas sobre a identidade digital e o problema da herança digital: uma análise
jurídica acerca dos limites da proteção póstuma dos direitos da personalidade na internet no
ordenamento jurídico, Revista de Direito Civil Contemporâneo, Vol. 17 (2018), pp. 17–33.
The Digital Estate in the Conflict
Between the Right of Inheritance
and the Protection of Personality Rights
Felix Heidrich
The author wishes to thank Dr. Ralph Zimmermann and Prof. Dr. Marion Albers for their valuable
support.
F. Heidrich (B)
Leipzig University and Federal Administrative Court, Leipzig, Germany
e-mail: felix.heidrich@uni-leipzig.de
1 Introduction
In 2017 approximately 771 billion e-mails were sent in Germany. In May of the same
year the social network Facebook had approximately 30 million users throughout the
country. In all, 45.9% of the population used social network services at least once a
month. And the relevant numbers will increase in the future.1 Every individual leaves
a vast majority of data throughout his or her life and in an era of progressive digi-
talisation more and more data is stored digitally on the servers of Internet providers
all over the world. Over time, the almost unlimited storage capacity inevitably raises
one serious question: “[…] [W]hat happens to these ‘digital footprints’ after death
[translated by the author]?”2 Heirs may have a considerable interest in accessing
this data. The “digital estate” leads to a conflict between the right of inheritance
and the protection of personality rights, which is being discussed intensively and
controversially worldwide and as well in Germany.3
As in many other countries, the German statutory regulations do not include
specific provisions regulating the succession to data.4 Internet providers follow
their own—mostly different—paths5 when dealing with the accounts and data of
deceased users.6 Neither the judiciary nor legal scholars have so far reached a clear
and satisfying conclusion concerning the legal treatment of digital estates.7 This is
reflected to a particular extent in the 2017 appeal decision of the Higher Regional
Court (Kammergericht, KG) Berlin8 that reversed a decision of the Regional Court
1 Concerning e-mail usage: Statista, ‘Dossier E-Mail Nutzung’, Statista, [website], 2018, https://
de.statista.com/statistik/studie/id/24350/dokument/e-mail-nutzung-statista-dossier/, (accessed 11
Jan. 2022), p. 14; concerning social networks: Statista, ‘Dossier Soziale Netzwerke’, Statista,
[website], 2017, https://de.statista.com/statistik/studie/id/11852/dokument/soziale-netzwerke-sta
tista-dossier/, (accessed 11 Jan. 2022), pp. 11, 13.
2 Hohenstein (2018), p. 5.
3 See with a view to Brazil Bezerra Sales Sarlet (2022), in this volume.
4 See also for the Brazilian situation Bezerra Sales Sarlet (2022), in this volume. The situation is
different in several states of the U.S., where provisions on the “digital footprint” exist; see Raude
(2017), p. 434 with reference to Seidler (2016), pp. 10 f.
5 Specified by Brisch and Müller-ter Jung (2013), pp. 447 f. as well as, on the basis of minor cases,
user in life choose to have the account permanently deleted. Google provides an inactive account
manager to let users in life choose at which time the account will be considered inactive and what will
happen to the existing account data: granting trusted contacts access or deletion. GMX deactivates
the account after six months without login. If not reactivated within another six months, the account
is deleted. Heirs may have the account deleted by submitting a death certificate. If they want to have
access to the account, they have to present a certificate of inheritance.
7 Hohenstein (2018), p. 5.
8 KG Berlin, 21 U 9/16, Judgment of 31 May 2017, Zeitschrift für Erbrecht und Vermögensnachfolge,
bundesgerichtshof.de.
11 CDU, CSU, and SPD (eds.), Ein neuer Aufbruch für Europa. Eine neue Dynamik für Deutschland.
Ein neuer Zusammenhalt für unser Land. Koalitionsvertrag zwischen CDU, CSU und SPD, https://
www.spdfraktion.de/system/files/documents/koalitionsvertrag_2018-2021_bund.pdf, (accessed 11
Jan. 2022), p. 131, lines 6175 f.
12 The authors use the term “digital property”, which includes “user accounts” and “data stocks”.
13 Justizministerkonferenz (ed.), Bericht der Arbeitsgruppe “Digitaler Neustart” der Konferenz der
Justizministerinnen und Justizminister der Länder vom 15. Mai 2017, https://www.justiz.nrw.de/JM/
schwerpunkte/digitaler_neustart/zt_bericht_arbeitsgruppe/bericht_ag_dig_neustart.pdf, (accessed
11 Jan. 2022), p. 349.
14 Proposal for a Regulation of the European Parliament and of the Council concerning the respect
for private life and the protection of personal data in electronic communications and repealing
Directive 2002/58/EC (Regulation on Privacy and Electronic Communications), COM(2017) 10
final.
15 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on
the protection of natural persons with regard to the processing of personal data and on the free
movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation),
Official Journal L 119/1.
16 DAV (ed.), Pressemitteilung 6/2018.
17 Bock (2017), p. 371.
380 F. Heidrich
This article outlines the debate concerning digital estates in Germany18 from
a constitutional perspective. The main issues when dealing with access to digital
account data involve the relationship between the right of inheritance and the protec-
tion of the secrecy of telecommunications. Both dimensions enjoy protection under
German constitutional law. Because of the sheer volume of Internet service providers
all over the world who make use of a large variety of user contract types, aspects
of international private law and the drafting of contracts related to general terms
and conditions (AGB) are not covered below. Furthermore, the following reflections
focus on e-mail and social network accounts. In a first step the concept of a “digital
estate” will be the subject of detailed consideration (16.2). After a short summary
of the German judicature, focussing on the recent decision of the Federal Court of
Justice (16.3), it will be shown that digital estates enjoy protection under the funda-
mental right of inheritance (16.4), and neither the secrecy of telecommunications
(16.5.1) nor data protection (16.5.2) in favour of the testator’s communication part-
ners create obstacles to the heirs’ right to access the testator’s digital account data.
In the conclusion and outlook (16.6) section, I answer the question of the necessity
of a future statutory rule, and sketch out perspectives for digital estates.
18 The issues raised by digital estates have for a long time neither been addressed by legal scholars,
see Herzog (2013), p. 3745, nor seem to have been of interest to particular users; see Martini (2012),
p. 1145, which has been illustrated by the lack of related provisions in wills, contracts of inheritance
and health care proxies. See, again, Herzog (2013), p. 3745.
19 Raude (2017), p. 434. See also Bezerra Sales Sarlet (2022), in this volume.
20 Alexander (2016), p. 302; Gloser (2016a), p. 12; Hohenstein (2018), p. 7.
21 Alexander (2016), p. 302.
22 Raude (2017), p. 434.
23 Pruns (2013), p. 3161.
24 Salomon (2016), p. 325.
25 Bräutigam (2013), p. 93.
The Digital Estate in the Conflict Between the Right of Inheritance … 381
including all of his or her electronic data [translated by the author]”26 seems to be
prevailing among legal scholars. Due to the identical quality and form of all digital
data there is a need to include also data located on the testator’s storage media.27 The
“digital silhouette, becoming more and more the pars pro toto of human personality
[translated by the author]”,28 is not revealed solely by e-mail or social network
accounts, but also through locally (such as on hard drives, pen drives, SIM cards or
smartphone memory) stored content or content stored online (such as in clouds).
In systematic terms, the rights and legal relations involved in digital estates may
be divided into three groups.29 Firstly: rights to data stored on storage media with the
testator (“offline data”). Secondly: rights to data stored on foreign servers (“online
data”) as well as contractual relationships between the testator and Internet providers.
Thirdly, here not specified: other legal relations concerning the digital space and not
primarily directed at the usage of an information technology system.30
Currently there is a great deal of debate on the legal classification of data according
to civil law.31 Because of their lack of corporeality data cannot be considered things.32
A considerable number of legal scholars oppose the idea of an independent “property
right” concerning data.33 Consequently, other criteria—depending on the storage
location of the data—have to be developed.34
Offline data, stored on local storage media with the testator (first group) become
corporeal at the moment of storage.35
Access to online data on foreign servers (second group) is specifically granted
by account-based user contracts (with regard to e-mail, social network or cloud
accounts).36 Accounts themselves are neither corporeal objects nor subject to intel-
lectual property rights.37 The relationship between user and provider is of a contrac-
tual38 nature, albeit often with elements of different contract types.39 The contractual
relationship grants a substantive right to access the particular account data as well as
(2016), p. 74.
33 Bock (2017), p. 380 with fn. 80; concerning e-mails, again, Seidler (2016), p. 74.
34 Bock (2017), p. 380, p. 414.
35 Alexander (2016), p. 302; Bock (2017), p. 380; Herzog (2013), p. 3749.
36 Alexander (2016), p. 303; Kunz (2017), § 1922 BGB mn. 618 f.
37 Bock (2017), p. 377.
38 On particular applicable contract types Bock (2017), pp. 377 f.; on the typological classification
of e-mail and social network contracts Seidler (2016), pp. 62 ff., 129 ff.; with regard to contracts
with the social network Facebook LG Berlin, 20 O 172/15, Judgment of 17 December 2015, p. 190;
KG Berlin, 21 U 9/16, Judgment of 31 May 2017, p. 387; left open by Federal Court of Justice, III
ZR 183/17, Judgment of 12 July 2018, accessible under http://www.bundesgerichtshof.de, mn. 19.
39 Bock (2017), p. 377.
382 F. Heidrich
a right to information about the password.40 Online data—as well as offline data—
may be subject to intellectual property rights (such as copyright concerning photos
and videos).41 The relationship to access and host providers is contractual42 to the
same extent as the one to DENIC regarding ownership and the right to use a certain
domain name.43
The legal transactions of the third group relate to the exchange of corporeal
objects or the provision of services in the offline world.44 In this regard the account-
based user contract (such as with an online shop or a payment service provider)
has to be distinguished from the contract concluded through the account (such as a
purchase agreement, a contract for the management of the affairs of another, or a
giro contract).45
The article will, however, focus on aspects of the second group: online data in
e-mail and social network accounts as well as the underlying account contract.
The proceedings before German courts mentioned above also concerned only certain
aspects and legal problems related to digital estates. The three decisions nevertheless
are important for the most prominent questions discussed in that context, which the
present article also deals with.
A mother sued the social network Facebook for unrestricted access to the entire
user account and related account data (especially messages stored within the account)
of her daughter, who died on 3 December 2012 at the age of 15 for as yet unknown
reasons after she was hit by a metro train. The plaintiff hoped to obtain information
from the communication content about a possible suicide of her daughter as well as
to avert a claim for damages asserted by the metro driver. Although the daughter had
handed over her access data to her parents, the mother was not able to access the
communication content. After a third person had informed Facebook about the death,
the account was memorialised by the provider. This meant that only registered friends
of the deceased had continued access. After a login by the parents only a notification
about the memorialisation appeared; further access was denied.
The Federal Court of Justice has now clarified that the contractual right to be
granted access to the account of the testator and all data contained therein is heritable
according to the principle of universal succession enshrined in § 1922(1) German
Civil Code (BGB). None of the postmortal protection of the deceased’s person-
ality rights, the secrecy of telecommunications, provisions on data protection, or the
general right of personality in favour of the testator’s communication partners would
be an obstacle to inheritance.46 With that said the Federal Court of Justice opposed
the decision of the KG Berlin that left the aspect of inheritability explicitly open47
and confirmed the ruling of the LG Berlin.48
Similarly to the previous instances the Federal Court of Justice identified neither
the general terms and conditions of Facebook49 nor the nature of the user contract50
as obstacles to the inheritability of the right to be granted access. Not the contractual
obligations of the social network provider, but rather the content added by the users
are of a personal nature.51 The contractual obligations would merely be account-
related.52 Following the inferior courts, the Federal Court of Justice ruled that a strict
differentiation between personal data on the one hand and asset-related data on the
other, as partly argued by legal scholars,53 would be neither possible in practice nor
inherent in German inheritance law.54 A different treatment of digital and analogue
estates would lead to inappropriate results and could not be justified.55 Since right
holders, normally the next of kin, might exercise only defensive rights and rights of
revocation towards third persons rather than claiming access to the testator’s digital
estate, the postmortal protection of the testator’s personality rights does not exclude
inheritability either.56
According to the Federal Court of Justice the protection of the secrecy of telecom-
munications in favour of the testator’s communication partners that was extensively
46 Federal Court of Justice, III ZR 183/17, Judgment of 12 July 2018, accessible under http://www.
bundesgerichtshof.de, mn. 17 ff.
47 KG Berlin, 21 U 9/16, Judgment of 31 May 2017, pp. 387 ff.
48 LG Berlin, 20 O 172/15, Judgment of 17 December 2015, pp. 190 ff.
49 Federal Court of Justice, III ZR 183/17, Judgment of 12 July 2018, accessible under http://www.
discussed by the KG Berlin, does not prevent the right of access to the testator’s
digital account data.57 While the KG Berlin argued that § 88(3) Telecommunications
Act (TKG) would render the plaintiff’s right of access unenforceable, the Federal
Court of Justice, in turn, found that granting access to digital account content would
not violate the provision, since heirs could “in any case” not be qualified as “other
persons” in the sense of § 88(3) s. 1 TKG.58 § 88(3) TKG provides that service
providers shall be prohibited from procuring for themselves or other persons any
information regarding the content or detailed circumstances of telecommunications
beyond that necessary for the commercial provision of telecommunications services,
unless provided for by the TKG or any other legal provision with explicit reference
to telecommunications traffic. The KG Berlin previously argued that heirs are, from
a naturalistic point of view, different natural persons from the testator and that the
passing on of account data to the heirs would not remain within the limits of what
is necessary for the commercial provision of telecommunication services. Because
of the lack of any other legal provision that permits the passing on of digital account
data, the secrecy of telecommunications would be an obstacle to the right of access.59
In the Federal Court of Justice’s view, heirs would themselves become participants
in the telecommunications process by entering into the contractual relationship of
the testator with the service provider according to § 1922(1) BGB.60 Furthermore, a
treatment different from letter mail would be unreasonable.61
The GDPR, applicable since 25 May 2018, would also, to the extent that it is
applicable to the case at all, not prevent the granting of access, since passing on
digital account data would fall under Article 6(1) lit. b) var. 1 and Article 6(1) lit. f)
GDPR.62
To the extent that the selected rights and legal positions concerning digital estates
are covered by the protection of fundamental rights, these constitutional implications
must be taken into account when applying and interpreting provisions on protection
of the secrecy of telecommunications that could be an obstacle to the heirs’ right to
access the testator’s digital account data.
57 Federal Court of Justice, III ZR 183/17, Judgment of 12 July 2018, accessible under http://www.
bundesgerichtshof.de, mn. 54 ff.
58 Federal Court of Justice, III ZR 183/17, Judgment of 12 July 2018, accessible under http://www.
63 Federal Constitutional Court (FCC), 1 BvR 513/78, Order of 16 October 1984, Decisions of the
Federal Constitutional Court (BVerfGE) 67, 329, 340; 1 BvR 720/90, Order of 14 December 1994,
BVerfGE 91, 346, 358; 1 BvR 1644/00 and 1 BvR 188/03, Order of 19 April 2005, BVerfGE 112,
332, 348, accessible under http://www.bverfg.de, mn. 62; established jurisprudence.
64 FCC, 1 BvR 412/65 and 1 BvR 524/65, Order of 1 December 1965, BVerfGE 19, 202, 206; 1
BvR 810/70, 1 BvR 57/73 and 1 BvR 147/76, Order of 8 December 1976, BVerfGE 44, 1, 17; 1 BvR
513/78, Order of 16 October 1984, BVerfGE 67, 329, 340; 1 BvR 720/90, Order of 14 December
1994, BVerfGE 91, 346, 360; 1 BvR 2161/94, Order of 19 January 1999, BVerfGE 99, 341, 351,
accessible under http://www.bverfg.de, mn. 43; 1 BvR 1644/00 and 1 BvR 188/03, Order of 19
April 2005, BVerfGE 112, 332, 348, accessible under http://www.bverfg.de, mn. 62.
65 FCC, 1 BvR 2161/94, Order of 19 January 1999, BVerfGE 99, 341, 351, accessible under http://
June 1970, Decisions of the Federal Administrative Court (BVerwGE) 35, 278, 286 f.
68 FCC, 1 BvR 513/78, Order of 16 October 1984, BVerfGE 67, 329, 340; 1 BvF 1/01 and 1 BvF
2/01, Judgment of 17 July 2002, BVerfGE 105, 313, 355, accessible under http://www.bverfg.de,
mn. 118; 1 BvR 1644/00 and 1 BvR 188/03, Order of 19 April 2005, BVerfGE 112, 332, 348,
accessible under http://www.bverfg.de, mn. 62; established jurisprudence.
69 Wieland (2013), Article 14 GG mn. 78; Epping (2019), mn. 458.
70 Epping (2019). mn. 443.
386 F. Heidrich
ownership position. […] The entirety of the laws in accordance with the constitution
determining the content of property thus constitute the subject-matter and scope of
the protection of continuing property use/ownership rights granted by Article 14(1)
s. 1 GG [translated by the author].”71
This means that legal positions inheritable according to statutory law at a particular
time also enjoy protection under Article 14(1) s. 1 alt. 2 GG.72 As a consequence,
legal positions and contractual relationships involved in digital estates, which are
inheritable under German inheritance law, form part of the constitutionally protected
right of inheritance.
71 FCC, 1 BvL 77/78, Order of 15 July 1981, BVerfGE 58, 300, 336.
72 Epping (2019), mn. 443.
73 Kunz (2017), § 1922 BGB mn. 25.
74 Leipold (2020), Einleitung mn. 54.
75 Hohenstein (2018), p. 7; Leipold (2020), § 1922 BGB mn. 33.; Steiner and Holzer (2015), p. 262.
76 Kunz (2017), § 1922 BGB mn. 63.
77 Alexander (2016), p. 304; Herzog (2013), p. 3747; Klas and Möhrke-Sobolewski (2015), p. 3473;
to the inclusion of valueless positions as well as to the exclusion of ones with monetary
value.80 For this reason the assets concept of § 1922(1) BGB only constitutes the
framework, which permits treating legal positions and relationships with monetary
value as principally inheritable: monetary value might be evidence of inheritability,
but in a case-by-case review other indicators also have to be considered.81
Rights in rem in moveables constitute heritable assets just like contractual rela-
tionships including their principal, ancillary and alternative claims.82 Nevertheless
some positions with asset value83 are excluded from inheritability or inheritability is
made conditional on a legal transaction.84 Furthermore the real or assumed will of
the testator can be an obstacle to the inheritability of legal positions and relations.85
Positions with asset value can be excluded from inheritability if they are personal to a
special degree, especially when serving the testator’s personal purposes or individual
needs or being for other reasons closely related to him or her.86 Especially the latter
criterion was subject to much debate about the inheritability of online data and the
relevant account contracts, since a digital estate often comprises private messages,
videos, photos or the like.
80 Kunz (2017), § 1922 BGB mn. 70; with the same conclusion Müller-Christmann (2020), § 1922
BGB mn. 24; Leipold (2020), § 1922 BGB mn. 19.
81 Kunz (2017), § 1922 BGB mn. 73.
82 Detailed Herzog (2013), p. 3747; see Leipold (2020), § 1922 BGB mn. 21, 25; Pruns (2013),
p. 3163.
83 Herzog (2013), p. 3747.
84 Kunz (2017), § 1922 BGB mn. 72.
85 Herzog (2013), p. 3748.
86 Müller-Christmann (2020), § 1922 BGB mn. 24.
87 Detailed Herzog (2018), pp. 475 f.
88 Ludyga (2018), p. 3; see Bräutigam (2019), nach § 1922 BGB mn. 7; Herzog (2013), p. 3749;
Hoeren (2005), p. 2114; Hohenstein (2018), p. 8; Steiner and Holzer (2015), p. 262.
89 Herzog (2018), p. 476.
388 F. Heidrich
By contrast, in the case of data stored on foreign servers, testators neither own nor
are in possession of the storage media. Both these legal positions cannot be passed on
to the heirs according to § 1922(1) BGB. But since the usage of the respective storage
space is based on a contractual relationship between the testator and the provider, the
contract itself, including the rights to access, change and delete all data stored within
the account, pass to the heirs according to the principle of universal succession. To the
extent that these data are subject to the intellectual property rights of third persons,
there is no difference from offline data.90 Some legal scholars, however, challenge
the principles concerning online data, with respect to both particular contractual
relationships and specific types of data. The following sections will discuss further
why the objections are not convincing.
The inheritability of social network contracts is challenged by the view that argues
that any particular contractual relationship has a mainly personal character.91 The
personal character of the principal contractual obligation (Hauptleistungspflicht) is
decisive.92 The obligor could have an interest worthy of protection only in connection
with a particular person, with the result that an arbitrary change in the identity of the
obligee could be unreasonable.93
However, the principal contractual obligations of the provider are limited to
granting access to the different functions and to providing communication content
for registered users.94 The personalisation is performed by the users, and does not
have any effect on the (principal contractual) obligations of the provider. The person-
alised profile merely pools the functions available for the particular user and serves
as an organisational framework (zur “Ordnung der Verhältnisse “).95 Since the range
of functions offered by the provider always remains the same, it is almost impos-
sible to argue that the provider’s obligation would be changed in its content if the
contracting partner changed and that there would be a need to protect the interests of
providers.96 Consequently, social network contracts and particularly e-mail service
contracts have no personal character that prevents inheritability.97
In the context of potential personal contractual relationships, the issue whether legal
positions qualify as non-inheritable because providers make use of a particular trust
on the part of their users is often discussed.98 But relevant confidentiality provisions
from the “analogous” world cannot be used in favour of digital estates, as it already
lacks a special bipolar bond of trust between providers and users.99 Admittedly,
particular user accounts often contain personal data, but the users do not store them
in the account in order to share them with the provider—comparable to a doctor or
priest—but rather to share them with other users. In terms of the unity of the legal
system, these findings correspond to the legislature’s assessment within German
criminal law: Internet providers are not subject to criminal sanctions according to
§ 203(5) German Criminal Code100 (StGB) and—in turn—do not enjoy the right to
refuse to give evidence according to § 53 German Code of Criminal Procedure101
(StPO).102 Furthermore, the contractual obligation to provide users with messages
and other content is from the outset account-related and not restricted to a certain
individual.103 The providers cannot ensure that the person logged in is identical to
the designated recipient of a message or other content. There is always a risk—
similar to analogous means of communication—that third persons in possession of
the respective login data (or the key to the letterbox) will take note of messages or
other content.104
of 31 May 2017, pp. 388 f.; Federal Court of Justice, III ZR 183/17, Judgment of 12 July 2018,
accessible under http://www.bundesgerichtshof.de, mn. 39 ff.; Bock (2017), p. 386; Herzog (2013),
p. 3749; Klas and Möhrke-Sobolewski (2015), p. 3477; Kunz (2017), § 1922 BGB mn. 630 f.;
different view Martini (2012), p. 1150.
100 The provision sanctions the disclosure of a secret of another person after the death of that
person. Offenders can only be members of certain groups of professionals or persons, such as
lawyers, notaries, doctors, representatives, public officials, or publicly appointed experts, who are
formally obliged by law to conscientiously fulfil their duties, etc.
101 According to this provision, a person may refuse to testify on professional grounds. The purpose
is to protect the bond of trust between certain professions, such as clergymen, lawyers, notaries,
doctors, representatives and employees of press and broadcasting corporations, and the people who
seek their help.
102 Explicitly LG Berlin, 20 O 172/15, Judgment of 17 December 2015, p. 191.
103 Federal Court of Justice, III ZR 183/17, Judgment of 12 July 2018, accessible under http://www.
Some legal scholars, who, together with the majority, recognise that user contracts105
between the testator and a provider principally descend to the heirs,106 nevertheless
argue that it is necessary to distinguish the account-related user contract from the
data contained in the account.107 The background to this view is that the principally
asset-related user contract is subject to the principle of universal succession, while
specific account content—even if characterised as asset-related—shall—due to its
personal character in individual cases—not belong to the heirs but to the next of
kin as the testator’s right holders.108 The contractual right of the heirs to be granted
access to the testator’s account content would thus not include personal data of the
testator.109 According to another view, the passing on of this data is excluded as long
as the testator in life did not rule otherwise.110 Both views are based on considerations
concerning the postmortal protection of the testator’s personality rights.111 The first
one builds on the presumption that e-mails exclusively concerning non-pecuniary
positions of the general right of personality (such as love e-mails) are relevant for
the memory of the deceased and may affect his or her personality rights even after
death.112 The latter points out that the concentration of digital data within an account
allows for the creation of comprehensive personality profiles and that the absence of
protection of these data after death may impose a restriction on the free development
of the testator’s personality in life.113
In line with the vast majority of legal scholars,114 such a distinction between
asset-related and personal data and their different legal treatment has to be rejected
for practical and legal reasons.
105 The classification of the contract’s legal nature is not undisputed but plays a minor role for
inheritability; see Raude (2017), p. 435; Federal Court of Justice, III ZR 183/17, Judgment of 12
July 2018, accessible under http://www.bundesgerichtshof.de, mn. 19.
106 Bräutigam (2019), nach § 1922 BGB mn. 8; Herzog (2013), p. 3749; Hoeren (2005), p. 2114;
Ludyga (2018), p. 3; Müller-Christmann (2020), § 1922 BGB mn. 101; Pruns (2013), pp. 3166
f.; Steiner and Holzer (2015), p. 263; LG Berlin, 20 O 172/15, Judgment of 17 December 2015,
pp. 190 ff.
107 Hoeren (2005), p. 2114.
108 Hoeren (2005), p. 2114.
109 Hoeren (2005), p. 2114.
110 Martini (2012), p. 1152.
111 Steiner and Holzer (2015), p. 262.
112 Hoeren (2005), p. 2114.
113 Martini (2012), pp. 1149 ff. with reference to Federal Court of Justice, I ZR 44/66, Judgment
of 20 March 1968, Decisions of the Federal Court of Justice (BGHZ) 50, 133, 139.
114 Stated by KG Berlin, 21 U 9/16, Judgment of 31 May 2017, p. 389 while leaving the question
open; see also LG Berlin, 20 O 172/15, Judgment of 17 December 2015, p. 191; Federal Court
of Justice, III ZR 183/17, Judgment of 12 July 2018, accessible under http://www.bundesgerichtsh
of.de, mn. 47 ff.
The Digital Estate in the Conflict Between the Right of Inheritance … 391
According to both views, restriction of the right to access digital account content
requires a previous examination of the data according to its personal content. To avoid
escalating dispute on the character of particular data, a clear identification of the data
as personal or asset-related is necessary. Such a distinction is, however, practically
impossible.115 This results from the fact that accounts often contain asset-related as
well as personal data, and even individual data may feature both asset-related and
personal elements.116
The question who could legally undertake such an examination also remains unan-
swered.117 Even if providers were not legally excluded by § 88(3) TKG118 or §§ 91 ff.
TKG,119 it would at least entail an unreasonable amount of effort.120 Furthermore, it
is questionable whether Internet providers, who cannot even guarantee the effective
protection of the personal data of living persons, should become “guardians of the
[testator’s] postmortal protection of personality rights [translated by the author]”.121
Probate courts would also be unable to cope with this task.122
By contrast, the testator’s right holders123 cannot rely on a legal basis for the
provision of account content.124 The state’s duty to protect human dignity deriving
from Article 1(1) s. 2 GG calls for postmortal protection of the testator’s personality
rights that outlasts his or her death.125 This right to protection, however, is not inher-
itable, nor does it descend to the testator’s right holders. The latter merely exercise
the right in trust on behalf of the testator without being subject to the right them-
selves.126 Consequently, right holders can only exercise defensive rights and rights
of revocation,127 but no pecuniary rights.128 For this reason, right holders do not
115 LG Berlin, 20 O 172/15, Judgment of 17 December 2015, p. 191 following Solmecke, Köbrich
and Schmitt (2015), p. 291; Federal Court of Justice, III ZR 183/17, Judgment of 12 July 2018,
accessible under http://www.bundesgerichtshof.de, mn. 51.
116 Bock (2017), p. 392; Martini (2012), p. 1152; Federal Court of Justice, III ZR 183/17, Judgment
who, nevertheless, admits the increased effort as well as the need for generalised decisions by the
respective Internet providers.
121 Alexander (2016), p. 305; likewise Bock (2017), p. 392.
122 Bock (2017), p. 392.
123 The testator may in life informally appoint right holders. According to the respective construction
of a will these may be heirs or close relatives, see Bock (2017), p. 390.
124 Gloser (2016a), p. 17; Herzog (2013), p. 3748, 3750; Ludyga (2018), p. 5.
125 FCC, 1 BvR 435/68, Order of 24 February 1971, BVerfGE 30, 173, 194.
126 Kunz (2017), § 1922 BGB mn. 302.
127 Federal Court of Justice, I ZR 44/66, Judgment of 20 March 1968, BGHZ 50, 133, 137; I ZR
135/87, Judgment of 8 June 1989, BGHZ 107, 384; Leipold (2020), § 1922 BGB mn. 158 f.
128 Kunz (2017), § 1922 BGB mn. 302.
392 F. Heidrich
need to obtain knowledge of personal account content;129 they must only take note
of the usage of such data in a way that constitutes a violation of the testator’s human
dignity.130
It could be argued that asset-related data stocks would be “infected” by personal
content, with the effect that heirs would be denied access to all digital account data.131
But this would lead to the creation of huge amounts of orphaned data that would, as
a consequence, be attributed to the particular Internet provider as a kind of “de facto
heritage” and could be analysed and used indefinitely.132 Furthermore, such a result
could not be justified by the postmortal protection of the testator’s personality rights.
The different treatment of asset-related and personal account content just outlined
seems to be barred for another reason, too: The legal position subject to inheritance
does not consist of the individual data sets stored in the account but of the right of
access to the entirety of data based on the user contract with the Internet provider
that has been passed on to the heirs according to § 1922(1) BGB.133
Not least, German inheritance law contains provisions that serve as an indica-
tion that the law does not distinguish between asset-related and personal legal posi-
tions.134 Such a differentiation is alien to the “analogous” estate. There is no objective
reason135 for the different treatment of letters and diaries on the one hand and e-mails
as well as Facebook messages on the other hand.136
129 The Federal Court of Justice, III ZR 183/17, Judgment of 12 July 2018, accessible under http://
www.bundesgerichtshof.de, mn. 53, is content with stating that the postmortal protection of person-
ality rights does not establish a right of close relatives to access personal account data superior to
inheritance law.
130 Correctly emphasised by KG Berlin, 21 U 9/16, Judgment of 31 May 2017, pp. 389 f.;
right holders.
132 Mackenrodt (2017), pp. 541 f., who, however, takes the reasoning of the KG Berlin according
The inheritability of legal positions concerning digital estates is also not excluded due
to the application of data protection law in favour of the testator. Neither national
(Federal Data Protection Act [BDSG],137 §§ 91 ff. TKG, §§ 11 ff. Teleservices
Act [TMG]) nor European Union law encompasses data protection of deceased
persons.138
For instance, the recitals 27, 158 and 160 of the GDPR exclude data of deceased
persons from the scope of application of the regulation. The GDPR leaves the protec-
tion of these data to the discretion of the Member States. The German legisla-
ture has not yet—also against the backdrop of the right to be forgotten (Article
17 GDPR)—taken action in that direction.139
As much as postmortal data protection may be desirable,140 it is not necessary
according to constitutional law.141 As long as the legislature remains inactive in
protecting the data of deceased persons, there will be no interference with digital
estates.
4.3 Consequences
According to § 1922(1) BGB, user contracts with the provider of e-mail and social
network services are inheritable. As a result, the contractual right to access all data
contained in the account falls within the scope of protection of Article 14(1) s. 1 alt.
2 GG. The constitutional protection of digital estates therefore needs to be balanced
against the protection of the secrecy of telecommunications.
Notwithstanding the above, the exclusion of inheritability may be subject to
contractual agreements.142 To the extent that such agreements are contained in the
providers’ general terms and conditions, problems arise with respect to their incorpo-
ration into the contract, as well as with respect to the test of reasonableness according
to § 307 BGB.143 Nevertheless, these aspects will not be discussed further.
137 For a different view, Martini (2012), p. 1148; Spilker (2015), p. 58.
138 Bock (2017), pp. 398 f., 401; Ludyga (2018), p. 5.
139 Bock (2017), p. 401.
140 In this direction Alexander (2016), p. 307; Hohenstein (2018), p. 9.
141 For a different view, Martini (2012), pp. 1148 ff.; Spilker (2015), p. 58.
142 See Alexander (2016), p. 306; Bock (2017), pp. 411 ff.; Mackenrodt (2018), pp. 43 ff.; Raude
(2017), p. 437; Seidler (2016), pp. 143 ff.; LG Berlin, 20 O 172/15, Judgment of 17 December
2015, pp. 191 f.; KG Berlin, 21 U 9/16, Judgment of 31 May 2017, p. 388.
143 See Federal Court of Justice, III ZR 183/17, Judgment of 12 July 2018, accessible under http://
The provision of e-mail and social network content by the respective service providers
falls within the scope of protection of Article 10(1) GG. Due to the principle of
speciality, the right to informational self-determination (enshrined in Article 2(1)
GG in conjunction with Article 1(1) GG) is inapplicable.144 Furthermore, the right
to the guarantee of the confidentiality and integrity of information technology systems
(enshrined in Article 2(1) GG in conjunction with Article 1(1) GG, too) is subsidiary
to Article 10 GG and the right to informational self-determination.145
144 FCC, 1 BvR 330/96 and 1 BvR 348/99, Judgment of 12 March 2003, BVerfGE 107, 299, 312,
accessible under http://www.bverfg.de, mn. 43; 1 BvR 668/04, Judgment of 27 July 2005, BVerfGE
113, 348, 364, accessible under http://www.bverfg.de, mn. 79; 2 BvR 902/06, Order of 16 June
2009, BVerfGE 124, 43, 56, accessible under http://www.bverfg.de, mn. 49; 1 BvR 256/08, 1 BvR
263/08 and 1 BvR 586/08, Judgment of 2 March 2010, BVerfGE 125, 260, 310, accessible under
http://www.bverfg.de, mn. 191.
145 2 BvR 902/06, Order of 16 June 2009, BVerfGE 124, 43, 57, accessible under http://www.bve
sible under http://www.bverfg.de, mn. 19; 2 BvR 2099/04, Judgment of 2 March 2006, BVerfGE
115, 166, 182 f., accessible under http://www.bverfg.de, mn. 67.
151 FCC, 1 BvR 370/07 and 1 BvR 595/07, Judgment of 27 February 2008, BVerfGE 120, 274, 307,
accessible under http://www.bverfg.de, mn. 183; 2 BvR 902/06, Order of 16 June 2009, BVerfGE
124, 43, 54, accessible under http://www.bverfg.de, mn. 43.
152 Hermes (2013), Article 10 GG mn. 38 with reference to FCC, 2 BvR 2099/04, Judgment of 2
March 2006, BVerfGE 115, 166, 181 ff., accessible under http://www.bverfg.de, mn. 62 ff.; 2 BvR
902/06, Order of 16 June 2009, BVerfGE 124, 43, 56, accessible under http://www.bverfg.de, mn.
48.
153 FCC, 2 BvR 902/06, Order of 16 June 2009, BVerfGE 124, 43, 54 f., accessible under http://
The core of the debate on the exclusion of inheritability in accordance with the
secrecy of telecommunications is the application and interpretation of § 88(3) s.
1 TKG. While the KG Berlin interpreted the provision strictly in the sense of the
secrecy of telecommunications,159 the Federal Court of Justice made clear that §
88(3) s. 1 TKG does not exclude the heirs’ right to access the testator’s digital
account content,160 and thus ensured practical concordance in the individual case.
The application of § 88(3) TKG on the heirs’ right of access that was ultimately
left open by the Federal Court of Justice161 nevertheless meets the requirements
set out by constitutional law. The view that considers e-mail162 and social network
providers163 as service providers in the sense of § 88(2) TKG is convincing. Even
TKG mn. 13; Säcker (2013), § 3 TKG mn. 65; Seidler (2016), p. 112; VG Köln, 21 K 450/15,
Judgment of 11 November 2015, Kommunikation & Recht, vol. 19, no. 2, 2016, pp. 141 ff. The
legislature undertook the same classification, see BT-Drs. 16/3078, p. 13. See Biermann (2018),
mn. 38; Deusch (2014), p. 6, for implicitly consenting views; see Martini (2012), p. 1148 for a
different view.
163 Detailed KG Berlin, 21 U 9/16, Judgment of 31 May 2017, pp. 390 f.; see LG Berlin, 20 O
172/15, Judgment of 17 December 2015, p. 192; Raude (2017), p. 437; differentiating between
The Digital Estate in the Conflict Between the Right of Inheritance … 397
though these providers do not convey signals themselves, they are attributed the
conveyance performed by a third party (such as an access provider), since they de
facto appropriate the conveyance for their own purposes.164 Consequently, not only
web-based e-mail services such as Gmail165 but also social network services qualify
as telecommunication services in the sense of the TKG. This view takes into account
the constitutional protection mandate of Article 10(1) GG, as the confidentiality of
digital communication content is shielded from dangers emanating from the providers
of telecommunications services. The users cannot establish who in the course of
the specific communication process is responsible for performing which particular
services. Nevertheless, during the whole time the same dangers exist. To the extent
that users regard e-mail service providers as the only ones providing services, the
latter have to ensure appropriate protection for the communication content entrusted
to them.
The application of § 88(3) TKG is not excluded from the time a user takes notice
of a message within his or her account, since the danger of influence caused by the
third party assigned with the transmission persists until the message has entered the
(exclusive) sphere of the recipient.166
Finally, the application of § 88(3) TKG is not excluded because all communication
partners167 would have consented to the passing on of the account content to the
heirs.168 At least the assumption that the testator’s communication partners would
have consented is subject to strong doubts.169
e-mail-like communication via instant messengers and content shared with a limited number of
users on one hand, and content available to the general public on the other hand Deusch (2014),
p. 6; id. (2017), p. 399; see Seidler (2016), pp. 138 f. for a different view; dissenting with respect
to the material scope of Article 10 GG Schenke (2019), Article 10 GG mn. 43; left open by Federal
Court of Justice, III ZR 183/17, Judgment of 12 July 2018, accessible under http://www.bundesger
ichtshof.de, mn. 56.
164 VG Köln, 21 K 450/15, Judgment of 11 November 2015, p. 144.
165 The Federal Network Agency (BNetzA) classified the Internet-based e-mail service Gmail as
a telecommunications service and bound Google to register the service. The Administrative Court
(VG) Köln dismissed the lawsuit of Google. The Higher Administrative Court (OVG) Münster
suspended the appeal proceedings on 26 February 2018 to refer to the ECJ according to Article 267
TFEU for a preliminary ruling, i.a., whether Article 2 lit. c) Directive 2002/21/EC of the European
Parliament and of the Council of 7 March 2002 on a common regulatory framework for electronic
communications networks and services (Framework Directive)—the European Union law basis of
§ 3 Nr. 24 TKG – also applies to web-based e-mail services, see OVG Münster, 13 A 17/16, Order
of 26 February 2018, Kommunikation & Recht, vol. 21, no. 5, 2018, pp. 348 ff.
166 Klesczewski (2013), § 88 TKG mn. 13; Mayen (2018), § 88 TKG mn. 23; id. (2018), pp. 467 f.;
Munz (2015), § 88 TKG mn. 12; LG Berlin, 20 O 172/15, Judgment of 17 December 2015, p. 92.
167 Detailed Hermes (2013), Article 10 GG mn. 58; see also Mayen (2018), p. 469.
168 Biermann (2018), mn. 44; Bock (2017), p. 408; Solmecke, Köbrich and Schmitt (2015), p. 292;
KG Berlin, 21 U 9/16, Judgment of 31 May 2017, pp. 396 ff.; left open by LG Berlin, 20 O 172/15,
Judgment of 17 December 2015, p. 192; Federal Court of Justice, III ZR 183/17, Judgment of 12
July 2018, accessible under http://www.bundesgerichtshof.de.
169 See for different arguments Bock (2013), § 88 TKG mn. 44; Mayen (2018), § 88 TKG mn. 52;
id. (2018), p. 469; Klesczewski (2013), § 88 TKG mn. 35; KG Berlin, 21 U 9/16, Judgment of 31
May 2017, p. 397.
398 F. Heidrich
(2016), p. 115, p. 120; Steiner and Holzer (2015), p. 264; Federal Court of Justice, III ZR 183/17,
Judgment of 12 July 2018, accessible under http://www.bundesgerichtshof.de.
175 Biermann (2018), mn. 40.
The Digital Estate in the Conflict Between the Right of Inheritance … 399
According to the latter perspective, the right of inheritance and the secrecy of
telecommunications are balanced according to the principle of practical concor-
dance on a case-by-case basis.176 This means that the legal positions protected by
constitutional law are related to each other in such a way that every position is given
effect. The principle of unity of the constitution calls for limitations of all positions
concerned in a way that gives effect to all of them to the broadest possible extent.
The particular limitations must, in turn, be proportionate in the individual case.177
This cannot be accomplished by confining the scope of protection of the secrecy
of telecommunications to the transmission process until an e-mail or other message
reaches the account of the testator,178 but by elevating the heirs to participants in
the communication process by means of § 1922(1) BGB, with the result that they
themselves enjoy protection under the secrecy of telecommunications.179 Hence, on
the one hand the scope of protection of Article 14(1) s. 1 alt. 2 GG in favour of
the heirs remains completely unaffected, while the secrecy of telecommunications in
favour of the communication partners of the testator on the other hand—in the light of
the Federal Constitutional Court’s jurisprudence on the temporal scope of protection
of Article 10(1) GG with regard to e-mails180 —will not be impermissibly confined in
its scope. As to the rest, the level of protection will not be disproportionally limited
either. In particular, the secrecy of telecommunications will not completely make way
for the right of inheritance.181 The limitation regarding the access of heirs to accounts
of the testator covers a personally as well as materially predefined area. Apart from
this, digital communications remain entirely protected. Alternatives maintaining the
full protection of the secrecy of telecommunications are not available.
In the final analysis, this interpretation also does not conflict with the objec-
tive of § 88(3) TKG. § 88(3) s. 1 TKG aims at the realisation of the legislature’s
duty to protect the secrecy of telecommunications enshrined in Article 10(1) GG182
and hence a defence against access by third parties.183 The communication partners
themselves are no danger to the secrecy of telecommunications, since they enjoy joint
176 On the necessity to balance the conflicting fundamental rights positions in accordance with the
principle of practical concordance, partly without any further explanation Brisch and Müller-ter
Jung (2013), pp. 450 f.; Herzog (2013), p. 3751; Klas and Möhrke-Sobolewski (2015), pp. 3477 f.;
Solmecke, Köbrich and Schmitt (2015), p. 291. On the legislator’s task of balancing the conflicting
fundamental rights positions in accordance with the principle of practical concordance, Mayen
(2013), p. 78.
177 Hesse (1995), mn. 72.
178 For a different view, Bock (2017), p. 409. Drawing a comparison to letters Brisch and Müller-ter
194 Biermann (2018), mn. 43; Deusch and Eggendorfer (2017), pp. 97 f.; Mayen (2013), pp. 81 f.;
Mayen (2018), pp. 470 f.; Kuntz (2016), p. 191; KG Berlin, 21 U 9/16, Judgment of 31 May 2017,
p. 394. Left open by Federal Court of Justice, III ZR 183/17, Judgment of 12 July 2018, accessible
under http://www.bundesgerichtshof.de.
195 Ludyga (2018), p. 6; Pruns (2014), pp. 2178 f.; Steiner and Holzer (2015), p. 264; LG Berlin,
20 O 172/15, Judgment of 17 December 2015, pp. 192 f.; with the same conclusion Bock (2017),
pp. 410 f.
196 Bock (2013), § 88 TKG mn. 26; Klesczewski (2013), § 88 TKG mn. 23.
197 Bock (2013), § 88 TKG mn. 26; Heun (2018), § 88 TKG mn. 33; Mayen (2018), § 88 TKG mn.
74; Munz (2015), § 88 TKG mn. 15. Narrower Klesczewski (2013), § 88 TKG mn. 25.
198 Biermann (2018), mn. 43.
199 Bock (2017), p. 410.
200 Mayen (2018), pp. 470 f.
201 KG Berlin, 21 U 9/16, Judgment of 31 May 2017, p. 393.
402 F. Heidrich
5.1.3 Consequences
In the light of the newly applicable GDPR, the Federal Court of Justice has intensively
examined the concerns of communication partners with respect to data protection.202
Nevertheless this does not lead to a different evaluation either. Regardless of whether
the GDPR is applicable in a particular case,203 the provision of digital account data to
heirs can be justified according to Article 6(1) lit. (b) var. 1 GDPR as well as Article
6(1) lit. f) GDPR.204
The recent decision of the Federal Court of Justice on digital estates gave answers to
some, but by no means all vital questions concerning this topic. The core statement of
the entire proceedings was, however, clear: Heirs are entitled to access digital account
content of the testator. The present article has shown that this result is in agreement
with the perspective of German constitutional law. In accordance with the assessment
provided by the Justice Ministers’ Conference, there is no need for further statutory
regulation. According to the latest news it is also doubtful whether the legislature
will take action—as implied by the coalition agreement—in that direction.205
202 Federal Court of Justice, III ZR 183/17, Judgment of 12 July 2018, accessible under http://www.
bundesgerichtshof.de, mn. 68–93.
203 Left open by Federal Court of Justice, III ZR 183/17, Judgment of 12 July 2018, accessible
It remains to be seen how Internet providers will develop their practices in the
future. To avoid uncertainties or dispute it is advisable for people to make arrange-
ments for their own digital estates.206 Corresponding information campaigns could
support the public in that regard and thus seem likely to be helpful. Nevertheless,
courts will also have to deal with various aspects of digital estates in the future.
References
Bezerra Sales Sarlet G (2022) Digital identity and the problem of digital inheritance. Limits of
the posthumous protection of personality on the internet in Brazil. In: Albers M, Sarlet IW (eds)
Personality and data protection rights on the internet. Springer, Dordrecht, Heidelberg, New York,
London (in this volume)
Biermann B (2018) Digitaler Nachlass. In: Scherer S (ed) Münchener Anwalts Handbuch Erbrecht,
5th edn. C.H.Beck, München, pp 1952–1980
Bock M (2013) § 88 TKG. In: Geppert M, Schütz R (eds) Beck’scher TKG-Kommentar, 4th edn.
C.H.Beck, München
Bock M (2017) Juristische Implikationen des digitalen Nachlasses. Archiv für die civilistische
Praxis 217(3):371–417
Bräutigam P (2013) Der digitale Nachlass—empirischer Befund und Fragestellung. In: DAV
(ed) Stellungnahme Nr. 34/2013 durch die Ausschüsse Erbrecht, Informationsrecht und Verfas-
sungsrecht zum Digitalen Nachlass, pp 16–29. https://anwaltverein.de/files/anwaltverein.de/dow
nloads/newsroom/stellungnahmen/2013/SN-DAV34-13.pdf, (accessed 11 Jan. 2022)
Bräutigam P (2013) Glossar. In: DAV (ed) Stellungnahme Nr. 34/2013 durch die Auss-
chüsse Erbrecht, Informationsrecht und Verfassungsrecht zum Digitalen Nachlass, pp 93–
98. https://anwaltverein.de/de/newsroom/id-2013-34?file=files/anwaltverein.de/downloads/new
sroom/stellungnahmen/2013/SN-DAV34-13.pdf, (accessed 11 Jan. 2022)
Bräutigam P (2019) Nach § 1922 BGB. Anhang. Digitaler Nachlass. In: Burandt W, Rojahn D (eds)
Erbrecht, 3rd edn. C.H.Beck, München.
Brisch K, Müller-ter Jung M (2013) Digitaler Nachlass—Das Schicksal von E-Mail- und De-Mail-
Accounts sowie Mediencenter-Inhalten. Anforderungen an Internet-Provider nach dem Tode des
Account-Inhabers. Computer und Recht 29(7):446–455
Chr A (2016) Digitaler Nachlass als Rechtsproblem? Überlegungen aus persönlichkeitsrechtlicher,
datenschutzrechtlicher und vertragsrechtlicher Sicht. Kommunikation und Recht 19(5):301–307
Chr S, Köbrich T, Schmitt R (2015) Der digitale Nachlass—haben Erben einen Auskunftsanspruch?
Überblick über den rechtssicheren Umgang mit den Daten von Verstorbenen. Multimedia und
Recht 18(5):291–295
Depenheuer O, Froese J (2018) Art. 14 GG. In: Huber PM, Voßkuhle A (eds) Grundgesetz, vol 1,
7th edn. C.H.Beck, München
Deusch F (2014) Digitales Sterben: Das Erbe im Web 2.0. Zeitschrift für Erbrecht und Vermögen-
snachfolge 21(1):2–8
Deusch F, Eggendorfer T (2017) Das Fernmeldegeheimnis im Spannungsfeld aktueller Kommu-
nikationstechnologien. Kommunikation and Recht 20(2):93–99
Deusch F (2017) Anmerkung zu KG Berlin, 21 U 9/16, Judgment of 31 May 2017. Zeitschrift für
Erbrecht und Vermögensnachfolge 24(7):399–400
Epping V (2019) Grundrechte, 8th edn. Springer, Berlin
206On that matter Gloser (2016b), pp. 101 ff.; Salomon (2016), pp. 328 ff.; Steiner and Holzer
(2015), pp. 265 f.
404 F. Heidrich
Felix Heidrich Research Assistant at Leipzig University, Referent at the Federal Administra-
tive Court in Leipzig. Main areas of research: Fundamental Rights, Administrative Law, Euro-
pean Union Law. Selected Publications: Ein (Bären-)Dienst an der Europäischen Demokratie? Zur
Aufhebung der Drei-Prozent-Sperrklausel im Europawahlrecht, Zeitschrift für Europarechtliche
Studien, Vol. 17 (2014), pp. 259–272 (together with Markus Kotzur); “Freitage für das
Weltklima”, Sächsische Verwaltungsblätter, Vol. 28 (2020), pp. 157–165.
Algorithms and Discrimination: The
Case of Credit Scoring in Brazil
Abstract The chapter aims at analyzing how the current debate on algorithmic
discrimination is reflected in the case of credit scoring in Brazil. Firstly, it discusses
the concepts of algorithm and algorithmic discrimination and explains why such
concepts are particularly meaningful in a data-driven economy. It presents how Big
Data, combined with algorithms, has fundamentally altered some decision-making
process in our everyday lives, and turns to one application in particular—credit
scoring—to discuss how this may pose challenges for Brazilian law, especially
regarding the risk of discriminatory outcomes. After analyzing the currently evolving
normative data protection framework in Brazil—including the new General Data
Protection Act—the chapter discusses whether the existing or suggested legal tools
are sufficient to deal with the challenges of automated decision-making processes
and their potential asymmetric outcomes. The last Section is focused on presenting
policy proposals for dealing with credit scoring and discrimination by presenting
the literature on algorithmic governance as well as some of the main disagreements
among specialists, highlighting the debates on the limits of transparency as a viable
policy proposal. Finally, it turns to the challenges of anti-discriminations proposals
when applied to credit scoring in Brazil.
1 Introduction
L. S. Mendes (B)
University of Brasília (UnB), Brasília, Brazil
e-mail: laura.schertel@unb.br
M. Mattiuzzo (B)
University of São Paulo, São Paulo, Brazil
e-mail: marcela.mattiuzzo@usp.br
plays a prominent role in high-risk sectors, such as the credit and private insurance
industries. But its relevance is also increasing in other industries. In a nutshell, infor-
mation and data processing in the private sector proves to be a means of simplifying
economic decisions and increasing efficiency in an environment characterized by
information deficits.
Technological development has made important contributions here: Not only is it
possible to collect and process more information for risk assessment than ever before,
but this assessment can be quantified by a score—or a prognosis of future behavior
of an individual. This score is created through an automated procedure, in which
the existing data is incorporated into an algorithm and the individuals are assigned
to a specific risk category. Recent developments in information technology—which
could be summarized under the now famous term “Big Data”—provide even more
incentives for making use of forecasts in the private sector, as they allow more
information to be processed and new correlations between data and future behavior
to emerge.
In the credit report and credit score business, automatizing decision-making
processes was at first seen as a means to overcome the well-known biases and
discriminatory tendencies ingrained in individuals, companies and public entities.
Nevertheless, it soon became clear that the statistical method, which supposedly
received objective data as inputs and therefore should generate objective results as
outputs could, in many circumstances, reproduce the existing biases and lead to
more of the same discrimination. That is because, firstly, causation and correla-
tion can often be predefined by the individuals (data controllers), who transmit the
same biases already present in old-fashioned decision-making to the algorithm. If
one believes women to be overall ill-suited for some kinds of jobs—say, being a
mechanical engineer—and this person designs an algorithm that internalizes such
logic, regardless of the quality of the input, the output may present the same biases
of the designer. Secondly, even if the algorithm is programmed to identify its own
correlations by collecting raw existing data—which should eliminate the problem of
direct bias transfer—it could still reproduce discriminatory correlations present in
such data. In other words, algorithms could learn discriminatory patterns present in
society and normatively replicate them as “objective truth”. Even if the algorithm’s
designer is not biased towards men for mechanical engineering jobs, if there are
enough datapoints that suggest gender to be a significant variable to determine such
fitness—say, there are more men than women engineers—the output could reproduce
the existing discriminatory conditions.1
Furthermore, since algorithms rely to a great extent on statistical discrimina-
tion, that is, differentiating individuals based on probabilistic group characteristics,
it becomes paramount to fully comprehend whether the processes and criteria used
to classify individuals are correct, fair, transparent and, ultimately, legitimate. A
question to be answered in that regard is the following: did all the individuals who
1Barocas and Selbst (2016). The authors identify five mechanisms by which data mining’s ill effects
may occur, and go deeper into clarifying why these discriminatory outcomes emerge.
Algorithms and Discrimination: The Case of Credit Scoring … 409
possess the same characteristics, and are substantially similar, receive parallel treat-
ment? Seen in this light, it is clear how the claim for equal treatment and against
potential discriminatory behavior has become an important issue in the context of
algorithmic based decision making.
In this chapter, we aim at analyzing how the current debate on algorithmic discrim-
ination is reflected in the case of credit scoring, especially in regard to the Brazilian
legal scenario. To do so, we have dedicated Sect. 2 to setting out parameters and
establishing definitions which will be useful throughout the text. That section is
mainly concerned with broadly defining both algorithms and algorithmic discrim-
ination, and explaining why such concepts are particularly meaningful in what we
refer to as a Big Data (or data-driven) economy. It presents how Big Data, combined
with algorithms, has fundamentally altered some decision-making processes in our
everyday lives, and turns to one application in particular—credit scoring—to discuss
how this may pose challenges for Brazilian law, especially regarding the risk of
discriminatory outcomes.
Section 3 will analyze the currently evolving normative data protection framework
in Brazil and how it applies to our discussed topic. Our goal is, firstly, to highlight how
the reform of the Brazilian Credit Report Act brought algorithmic based decision-
making to the heart of the debate and, secondly, to discuss whether the existing
legal tools are sufficient to deal with the challenges of automated decision-making
processes and their potential asymmetric outcomes.
Section 4, lastly, is focused on presenting policy proposals for dealing with credit
scoring and discrimination. We do so by presenting the literature on algorithmic
governance and the discussions set out in this arena, as well as some of the main
disagreements among specialists, highlighting the debates on the limits of trans-
parency as a viable policy proposal. Finally, we turn to the challenges of anti-
discrimination proposals when applied to credit scoring in Brazil. We do not aim
to exhaust the debate, nor to provide definitive answers for all the many questions
that surround algorithmic discrimination in credit scoring, but to provide a roadmap
of the debate.
Before delving deeper into the credit scoring discussion, we present in this section an
overview of the themes that will later prove essential to the debate on policy proposals
for algorithmic discrimination. Firstly, we describe what an algorithm is—and, more
specifically, what a computer algorithm is. Secondly, we tackle why this concept
is particularly relevant in our data-driven economy. Thirdly, we clarify what makes
algorithmic discrimination peculiar, present a preliminary typology of potential kinds
of discrimination and analyze how credit scoring fits into this scenario.
410 L. S. Mendes and M. Mattiuzzo
An algorithm is often described as a set of steps and instructions that determines how
something should be done. It can be absolutely anything, and in no way is this concept
dependent on the use of modern computer power. One can conceive of an algorithm to
get dressed, an algorithm to get the bus to work, to execute a recipe, and endless other
tasks, for an algorithm is nothing but a formula in which tasks are put in a specific
order. Though this is a correct description, it fails to provide sufficient information for
the purposes of this chapter. We will therefore adopt Thomas Corden’s explanation,
who is careful enough to point out that there is a difference between any given
algorithm and those—a subset of which we discuss here—that run on computers.
Computers, unlike humans, do not understand the meaning of “sufficient”, “almost”,
“bad” or any other word that implies a subjective evaluation of the world around us.
That is why an algorithm that tells your smartphone to change the brightness on its
screen whenever there is “almost no battery left” would be useless. A computer can
interpret percentages, but it will not be able to determine what “almost no battery”
means, unless someone tells it so. As Corden puts it, “You might be able to tolerate
it when an algorithm is imprecisely described, but a computer cannot. (…) So a
computer algorithm is a set of steps to accomplish a task that is described precisely
enough that a computer can run it”.2
It is also important to note that the goal of algorithms as they are currently used
today and as we intend to discuss here is mainly to solve problems and help people,
companies and governmental authorities to make decisions. When you look for flights
from São Paulo to Berlin, you want answers to your question. More so, you want
to find the correct answer to that question. Here, again, we run into a nuance of
algorithms: the program will only be as good as the information (or input) provided
for it, and it will be correct whenever it uses such information according to its
specifications. When looking for the “best” flight from São Paulo to Berlin, the
algorithm will need to know whether by “best” we mean “shortest”, or “cheaper”.
If the algorithm is programmed to find the shortest route, in terms of kilometers
traveled, it may think the time spent in an airport waiting for a connecting flight is
irrelevant, and thus provide us with an answer that though incorrect according to our
preferences is correct from the standpoint of the program. The issue here is not with
the algorithm, but with the input provided and with the alignment of our expectations
and the program’s goal.
In this sense, it becomes clear that a fundamental goal of algorithms is to
make forecasts by means of probability. Though algorithms cannot provide accu-
rate answers to all questions, they can analyze inputs and provide well-informed
guesses. If the amount and quality of data points available to the algorithm is suffi-
cient, the guess can be ever closer to predicting the real outcome. Let us take the
example of dice throwing. For any given dice, one can safely assume the probability
of it providing a result equal to 5 is of one in every six chances. That is true because
if we randomly roll a dice for an infinite number of times, there is an equal chance
2 Cormen (2013), p. 1.
Algorithms and Discrimination: The Case of Credit Scoring … 411
of each face of the dice coming up as a result, and the number 5 is only present in
one of the faces. Though that is true of any ideal imaginary dice, it is less so for a
particular dice. That is, real-world dice can be rigged. If a clever player adds a rigged
dice to the game, what is the probability of that dice turning the number 5? To answer
the question, we must observe successive throws. After we reach a certain number
of throws, say 200, we will have sufficient information to predict, with more or less
accuracy, what the result of subsequent throws will be.
It is important to stress that the higher the incentives for the economic use of data
processing through algorithms as a basis for decision-making and the more readily
available and cheaper the technologies that make it possible, the more urgent the
discussion on the consequences of such procedures for individuals and its associated
risks.
Algorithms need one basic input to provide us with relevant answers: data. What
has lead to the exponential growth in their use and impact onto our lives is the ever
increasing amount of information available in the form of data. The term “Big Data”
has been coined to convey this phenomenon.3 As Mayer-Schönberger and Cukier
put it, Big Data is not just about size, but especially about “the ability to render into
data many aspects of the world that have never been quantified before”.4 With the
internet and the development of computing power, virtually all information can now
be turned into data, from DNA sequencing to car engines functioning. The creation
and complexification of algorithms walk hand in hand with this process.
The most important function of Big Data is producing forecasts on the basis of
numerous data and information: from climatic disasters to economic crises, from
the outbreak of an epidemic to the winner of a sports championship, from buyers’
behavior to customers’ solvency. Thus, Big Data analysis can be used to make fore-
casts of general facts about the economy, nature or politics as well as about individual
behavior. For the topic covered here, the latter function is of main interest, as it relies
on personal data to generate information and knowledge about the behavior of the
individual, providing the basis for economic decisions. A Big Data analysis can there-
fore directly affect the life of the individual—and can cause discriminatory outcomes
that impact her life in particular.
According to Mayer-Schönberger and Cukier, there is no precise definition for Big
Data, but it can be characterized by three tendencies. Firstly, the quantity of data and
information. Big Data analysis not only gathers more data than ever before, rather it
attempts to collect all the data and information for a particular situation, not merely
a sample—as they put it, in Big Data, n = all. Secondly, due to the large amount
of information available, the data can be inaccurate. As the scale increases, so do
the chances of error. The third property of Big Data is finding correlations instead
3 There is much discussion on whether this term is appropriate and what it in fact means. Boyd and
Crawford present a good summary of it: “Big Data is notable not because of its size, but because of
its relationality to other data. Due to efforts to mine and aggregate data, Big Data is fundamental
networked. Its value comes from the patterns that can be derived by making connections between
pieces of data, about an individual, about individuals in relation to others, about groups of people,
or simply about the structure of information itself”. Boyd and Crawford (2011), pp. 1–2.
4 Mayer-Schönberger and Cukier (2014).
412 L. S. Mendes and M. Mattiuzzo
Big Data has opened the possibility of ever greater use of correlations since the
amount of proxies one can work with have exponentially increased. A famous
example is the development of Google Flu Trends, a tool Google publicized in 2008
as an attempt to predict the spread of the influenza virus in different regions of the
United States, and later the world, taking as input the search queries of users. As
explained by the developers of this tool in a paper published by Nature, “because
the relative frequency of certain queries is highly correlated with the percentage of
physician visits in which a patient presents with influenza-like symptoms, we can
accurately estimate the current level of weekly influenza activity in each region of
the United States, with a reporting lag of about one day.”7 Naturally, there is no cause
5 As Nate Silver has rightly stated, the search for correlations is embedded in a complex context in
which prejudice and subjective assumptions are reflected; this means that even statistical methods
are not completely objective. See Silver (2012).
6 Mayer-Schönberger and Cukier (2014), p. 53.
7 Ginsberg et al. (2009).
Algorithms and Discrimination: The Case of Credit Scoring … 413
and effect between typing search terms on your computer and contracting the flu,
but this correlation served as a proxy for the spread of the disease.
After a run of several years providing results that helped authorities fight and
prevent the disease, Flu Trends faced issues that eventually lead to its termination. In
early 2013, the system was providing inaccurate results and claiming the likelihood
of flu in some regions within the US was almost twice than that reported by the
Center for Diseases Control (CDC).8 The problems encountered by Google were later
examined by several authors, most notably by Lazer et al. in an article at Science.9
The researchers point to two issues that lead to Flu Trends’ downfall: (i) big data
hubris and (ii) algorithm dynamics. In regard to (i), they call attention to the fact that
the data-driven economy has led many to entirely substitute traditional approaches
to research by “big data alternatives”. In their words, this is problematic because the
data produced by Google and used by tools such as Flu Trends bears no particular
attention to validity and reliability, both of which are essential for scientific analysis.10
Concerning (ii), the authors point to the constant alterations made by engineers to
the search algorithm and by users on how they approach search as cause for some of
the wrong measurements.11
The case of Flu Trends has much to teach us, and though it is unclear what the
central issue with the algorithm was, it is clear it had something to do with what
is called in statistics a spurious correlation. A correlation is spurious whenever it
indicates causation where cause and effect do not exist. Simply put, it is a correlation
that shows two variables influencing each other, when in fact they simply present
similar patterns.12 Tyler Vigen has famously dedicated an entire book to spurious
correlations, aimed at showing how one can be fooled by similarly slopping graphs.
Examples presented by him include the number of people who drowned by falling
into a pool and the number of films Nicolas Cage appeared in from 1999 to 2009—
there is a 66.6% correlation between both—and the per capita cheese consumption
in the US, which correlates at a 94.71% rate with the number of people who died by
becoming tangled in their bedsheets from 2000 till 2009.
8 Butler (2013).
9 Lazer et al. (2014), pp. 1203–1205.
10 Lazer et al. (2014), p. 1203. “Elsewhere, we have asserted that there are enormous scientific
possibilities in big data (9–11). However, quantity of data does not mean that one can ignore
foundational issues of measurement and construct validity and reliability and dependencies among
data (12). The core challenge is that most big data that have received popular attention are not the
output of instruments designed to produce valid and reliable data amenable for scientific analysis”.
11 Lazer et al. (2014), p. 1204: “In improving its service to customers, Google is also changing the
data generating process. Modifications to the search algorithm are presumably implemented so as
to support Google’s business model—for example, in part, by providing users useful information
quickly and, in part, to promote more advertising revenue. Recommended searches, usually based
on what others have searched, will increase the relative magnitude of certain searches. Because GFT
uses the relative prevalence of search terms in its model, improvements in the search algorithm can
adversely affect GFT’s estimates”.
12 Beware Spurious Correlations, Harvard Business Review (2015). Available via https://hbr.org/
All the topics presented here acquire one more layer of complexity once we
consider the recent developments of computer science in the field of artificial intelli-
gence (AI). AI is interested in the development of “smart” machines, be them robots,
cars, computers, and whatnot. A field within AI called machine learning (ML) is of
particular interest to computer scientists, and has developed quickly over the past
decade. ML is mainly concerned with giving machines the ability to learn by them-
selves given inputs provided by humans. As Pedro Domingos very clearly stated,
ML changes the rules of the game because:
Every algorithm has an input and an output: the data goes into the computer, the algorithm
does what it will with it, and out comes the result. Machine learning turns this around: in
goes the data and the desired result and out comes the algorithm that turns one into the other.
Learning algorithms – also known as learners – are algorithms that make other algorithms.
With machine learning, computers write their own programs, so we don’t have to.13
As the rise of ML emphasizes, another pressing issue with algorithms is not the substi-
tution of causation for correlation, but the opacity of algorithms in their decision-
making processes. The problem acquires more relevance given that algorithmic
solutions have been largely adopted by both private and public sectors.14
Perhaps the most famous case of public algorithmic use is that of COMPAS.
COMPAS stands for Correctional Offender Management Profiling for Alternative
Sanctions. It is a tool originally intended to provide jail management with “critical
inmate management information”, everything running from mental health screening
to gang tracking. As equivant,15 the owner of COMPAS, states the tool works by way
of a 9-level decision tree model, that classifies inmates in a risk spectrum ranging
from one till nine, nine being the highest and one being the lowest. Though COMPAS
was originally designed for jail monitoring, it has been used for other purposes in the
United States, namely for recidivism risk assessment.16 One case in which COMPAS
was used for such purpose was that of Eric Loomis in the state of Wisconsin. In 2013,
Loomis was accused of eluding the police in the city of La Crosse, after driving a car
used in a shooting. He had been previously convicted of third-degree sexual assault,
and, after an assessment by COMPAS, was ruled to be of high risk of committing
another crime, thus sentenced to a six-year sentence.
Loomis’ lawyers appealed the sentence, claiming the defense had no access to the
risk assessment carried out by COMPAS, given its proprietary nature, even though
such result was expressly taken into consideration by the judge in his decision.
The case reached the Supreme Court of Wisconsin, which maintained the judge’s
decision, stating that COMPAS was not the only reason the decision was based upon.
13 Domingos (2015), p. 6.
14 Though here, given the nature of credit scoring, we will be largely concerned with analyzing
private repercussions.
15 As of January 9, 2017, Court View Justice Solutions Inc., Constellation Justice Systems Inc., and
A writ of certiorari was later brought forward and denied by the Supreme Court, but
the case nonetheless highlights the importance of algorithms by public authorities.
Another example is that of CrimeRadar,17 a tool designed in Brazil aimed at
predicting crime rates and patterns in the city of Rio de Janeiro. To this day, we have
no knowledge of it being used by public authorities to fight crime but that certainly
is a trend elsewhere—algorithms such as PredPol18 are in use by police in several
American states and have changed the way in which police departments operate.
On the private side, examples are likewise vast, if not more numerous. One field
in which algorithms thrive is recruitment. As noted by the Wall Street Journal,19
companies such as Unilever are eliminating traditional resume-driven processes and
instead relying on software to select its candidates for job offers. The goal expressly
stated by the company was to diversify the pool of applicants. Danieli, Hillis and
Luca, clarify why the use of algorithms is this field is so attractive:
To see the close relationship between algorithms and hiring, consider the simple fact that
hiring is essentially a prediction problem. When a manager reads through resumes of job
applicants, she is implicitly trying to predict which applicants will perform well in the job and
which won’t. Sales organizations are trying to predict which sales associates will successfully
close deals. School districts are trying to predict which teachers will bring a classroom to
life. Police departments are trying to predict which officers will keep a neighborhood safe.20
Also, using algorithmic systems leads to extremely consistent results and help firms
save a considerable amount of money—the business of hiring is very time and money
consuming. It is certainly true humans are biased and have been known to apply those
biases in recruitment.21 In this sense, using algorithms to select candidates has the
potential to hinder discrimination. However, the more we rely on such tools, the
harder it becomes for unfit candidates to enter the market, and even for them to
understand what precisely makes their applications less attractive than others. That
was the case of Peter Lane, a History graduate from Cardiff University who after
applying for over 50 positions and going through at least 15 interviews, had no
offers on his hands, nor any helpful feedback on how to approach his next attempts.
His interactions were mostly which machines, and even his interviews were video-
based.22
Another example is the case of Kyle Behm, who had trouble finding a job after
being diagnosed with bipolar disorder even though he had almost perfect SAT scores.
17 A pop-up on CrimeRadar’s website says, before you are allowed to use the tool: “The probability
estimates featured in the FUTURE function of this app are based on a predictive algorithm. As
such, the accuracy of such information is subject to various uncertainties, and it is strongly advised
that users do not rely exclusively on this function for decision-making purposes”.
18 For more information on PredPol, see: http://www.predpol.com. Accessed 11 Jan. 2022.
19 Gee (2017).
20 Danieli et al. (2016).
21 To mention but one example, a study from Northwestern university, conducted by Lincoln Quil-
lian, showed that between 1990 and 2015, white applicants received 36% more callbacks than black
applicants, and 24% more callbacks than latinos.
22 Finley (2018).
416 L. S. Mendes and M. Mattiuzzo
Behm brought a suit against seven companies for their use of a personality test devel-
oped by the workforce management company Kronos. Given these not so successful
stories, some of the companies that have adopted automated hiring appear to be
changing their practices, according to Cathy O’Neil, but that remains a topic to be
watched.23
As the case of hiring makes clear, lack of clarity proves to be a serious concern
once we talk about the legal consequences of algorithmic discrimination. Firstly
because, if the algorithm is opaque, it is challenging to affirm discrimination did in
fact occur; secondly because it can be hard to prevent it; thirdly because algorithms,
if carelessly maneuvered, may reinforce rather than fight discriminatory outcomes.
If statistical discrimination has endogenous proxies, and the learner algorithm uses
such proxies for creating its program, we may feedback-loop discrimination into the
system.
In this new economy filled with Big Data processing algorithms that establish
correlations among the most varied bits of information in order to provide us with
answers for our questions, many issues arise. Here, we will focus on one, the possi-
bility of results yielded by algorithms being discriminatory. The rest of this chapter
will be devoted to clarifying what we understand algorithmic discrimination to be
and to dwelling on one specific application of algorithms in the data-driven economy:
credit scoring. As we shall see, this is one field of application where group profiling
can (and has already) lead to unwanted results.
23 O’Neil (2018).
Algorithms and Discrimination: The Case of Credit Scoring … 417
characteristics of a person are disregarded, and that person is seen solely as the
member of a larger parlor of people.
According to Schauer, one of the problems of the concept of prejudice—and we
claim his use of prejudice is equal to our use of discrimination—is our linguistic
application of the word. To him, we create confusion for we use the same word to
describe different circumstances.
Schauer explains the problem by delving deeper into the concept of generalization.
According to him, there are two main types of generalizations, the sound and the
unsound. Sound generalizations can be (i) universal—the famous example used by
Socrates in explaining syllogism, “All humans are mortal”, meaning the entirety of
the human race does one day die, is a universal generalization in the sense that it
holds true for 100% of cases; and (ii) nonuniversal—meaning the generalization does
not intend to describe the entirety of a group, but rather a feature shared by most
individuals in that group. When one says “Brazilians have European heritage”, it
is clear the sentence does not apply to all Brazilians and that some people born in
Brazil may in fact not have European roots. But the generalization is still sound and
useful if it holds for most cases, as research has proven.24
Owing to our linguistic use, Schauer adds a third and final group of sound gener-
alizations to the mix, that of generalizations which are not universal, nor describe a
feature shared by most members of a group, but that “accurately portrays the members
of the class as having a greater prevalence of some trait than has some larger class of
which the group is ordinarily taken to be a part, even though the trait appears in less
than a majority of the members of both groups”.25 He uses the following example to
clarify what he means by this category of generalization: when one claims “bulldogs
have bad hips”, it certainly does not mean all bulldogs have hip problems, and it
also does not mean most bulldogs have hips problems, it simply means that bull-
dogs, when compared to the larger class of dogs, tend to have hip problems more
frequently than other breads. This use of a generalization is statistically sound so
long as bulldogs do in fact have bad hips in a larger proportion than most dogs. In
short, this third category of generalization relies heavily on a comparative dimension.
Unsound generalizations, for their turn, fail in fulfilling the above standards. If
one claims “Aries are impulsive”, for example, it is quite easy to verify that (i) this is
not a universal characteristic—not all people born between March 21 and April 20
are impulsive, (ii) there is no evidence that these people are any more impulsive than
those born in other periods of the year, and (iii) describing someone as impulsive
is not predictive of that person being a Aries, or vice versa. A well-known unsound
generalization in Law are the studies by Cesare Lombroso on the “criminal man”.
Lombroso was an Italian physician and founder of the Italian school of positivist
criminology. His studies were devoted to proving how criminals were born this way
and how certain physical characteristics could help identify criminality. His research
concluded that the criminal individual congregated some traits, such as excessively
long arms, asymmetric cranium and face etc. To this day, there is no concrete evidence
Lombroso was right and the fact a person possesses long arms is in no way predictive
of whether that person will commit or has already committed a crime.
Going back to prejudice, Schauer states that we use the term prejudice in referring
to two different scenarios. We describe something as prejudicial when a statement
relies on unsound statistical generalizations, but also when it relies on statistically
sound and non-universal generalizations. In this sense, to say Aries are impulsive is
as prejudicial as claiming that male drivers have a higher risk of being involved in car
accidents, even though there is no evidence to support the first statement, and there
is evidence to support the second, since the higher percentage of male drivers that
causes car accidents is a statistically proven fact.26 That is so because we attribute
to the word “prejudice” a negative connotation, and thus are not comfortable with
applying it to the second scenario, so long as it is not true that all men are less cautious
when driving cars. As Schauer puts it, “all human beings (…) deserve to be treated
as individuals and not simply as members of a group, so the argument goes, and
actuarial decisions about human beings are in most instances morally wrong”.27
The problem with this line of thought is actuarial decisions (or discrimination)
about human beings are extremely common in any legal system, and often times
indispensable. Whenever the law states that only people above a certain age limit are
allowed to vote, or to drink alcoholic beverages, we make an actuarial decision about
human beings. There certainly are different individuals that at the age of 15 would be
able to cast a vote, or exercise sufficient discretion to drink alcohol responsibly, but
we ignore that possibility in the name of other values. The same goes for determining
the speed limit in a highway. Naturally, different individuals are able to drive safely
at different speeds, but we take a value—often times statistically tested—according
to which the number of accidents falls to levels considered acceptable. It is worth
noting that some people may still not be able to drive as safely as others under the
limits that currently exist, but we as a society decide this risk is bearable. Actuarial
decisions, moreover, are not limited to the law. We constantly apply that same logic to
countless other daily situations: we choose to board a plane despite knowing there are
risks associated with it, we decide to apply exams so people can attend universities,
colleges or schools, despite knowing they are unable to account for all cognitive
abilities and end up leaving many talented applicants out.
Other than understanding discrimination as a common feature of our legal
systems—and of life in general, another important clarification lay in better under-
standing what precisely is statistical discrimination (SD). SD is an economic theory,
whose origins are attributed to Kenneth Arrow and Edmund Phelps,28 that tries
to explain how inequality can be an issue even when individuals are not actively
engaging in racial, gender or other forms of discrimination.29 They claim that is so
26 See: https://www.oxera.com/wp-content/uploads/media/oxera_library/the-use-of-gender-in-ins
urance-pricing.pdf. Accessed 11 Jan. 2022.
27 Schauer (2006), p. 19.
28 Phelps (1972); Arrow (1973).
29 In opposition to such form of discrimination, the economic literature identifies what is called
book, he claims some individuals have a “taste” for discrimination and as such includes in the utility
function of such individuals a “coefficient for discrimination”, representing such preference.
30 Goodman and Bryce (2016), p. 3.
31 Moro (2009).
32 This result is what is usually referred to as a feedback loop. A feedback occurs when the output of
a system—say an algorithm—is fed back into the system as an input. In other words, a given effect of
the system returns as its cause. The result of less women being hired returns to the decision-making
system as an input for the decision-maker and thus reinforces the conclusions it creates.
420 L. S. Mendes and M. Mattiuzzo
33 Such incorrect classification can be due to spurious correlations, but not necessarily. Curiously,
the problem can also run from the fact that the algorithmic system does not have enough information
on the individual, and as such classifies her given the information it possesses.
34 Hurley and Adebayo (2016).
35 As mentioned earlier, traits used in decision-making can be endogenous or exogenous. Our claim
is that, when the characteristic under consideration has endogenous effects, it will always lead
to discrimination. If however the trait is exogenous, despite being sensitive, the result may not
be discriminatory. An example would be the already mentioned higher propensity of young male
drivers to get involved in car accidents when compared to young female drivers. Gender may be
a sensitive characteristic, but in this case it is neither endogenous nor singles-out a historically
discriminated-against group.
36 Imagine that instead of singling-out young male drivers statistically accurate data demonstrated
young female Muslims are more prone to get involved in car accidents. Let us also assume this is
an exogenous variable. We believe the problem here lies in the targeted population. That is to say
that, in the view we defend here, if the data showed young male protestants in the United States,
or young catholic males in Brazil, were the group more prone to be involved in car accidents and
therefore subjected to higher insurance the result would not be discriminatory. As will be seen in
Sect. 4, this is a very significant observation for public policy proposals.
Algorithms and Discrimination: The Case of Credit Scoring … 421
37 In Schauer’s view, the problem in this case is not with discrimination per se but rather with
exclusion. The same holds true if we imagine the example on footnote 26 referring to health and
not car insurance. It would be less clear that young males should pay more than young females for
coverage, even though the group of young males is by no means a historically impaired group. The
reason, Schauer argues, does not run from discrimination, but rather from a sense of exclusion from
access to a facility that helps fulfill an essential right: the right to healthcare.
38 FTC (2012).
39 Buchner (2006).
40 Britz (2007).
422 L. S. Mendes and M. Mattiuzzo
this practice can in some cases raise questions of individual justice and unequal treat-
ment. Statistical discrimination allows for a differentiated treatment to be performed
on the basis of a personal characteristic, since this characteristic is, according to statis-
tical assumptions, a property relevant for the decision-making. Since the property
one is looking for is usually hard to measure (credibility, solvency, labor productivity
etc.), a “proxy feature” is used that stands for this main feature.
The problem of injustice due to generalization arises for the person who proves
to be an atypical case: Although she carries the proxy characteristic, she does not
show the other expected qualities of the group. An example is the use of a customer’s
address as part of a credit score analysis, if it is assumed that characteristics relating
to the client’s assets can be derived from her place of residence. Therefore, it is
possible that merely living in a “poor” area means a negative rating in a scoring
procedure without further examination of the actual solvency and assets of the credit
applicant.
Another problem that raises equality considerations arises from the differentiated
treatment based on classical discriminatory and stereotyping characteristics, such
as nationality, gender, age, or sexual identity (third category). On the one hand,
these characteristics are closely related to the personality kernel, proving to be virtu-
ally invariable. On the other hand, these features stand for historical differences in
treatment and group stereotyping. Moreover, their application as a basis for decision-
making can cause accumulation effects, i.e. the discrimination of certain groups in
society can be intensified.
Here the need for protection differs from discrimination by generalization, since
it is not simply a violation running from the miscategorization of the “atypical”
person; rather, all persons in the group are affected. That is because discrimination
based on sensitive information may be, and often times is, statistically sound. This
use of discriminatory characteristics is mainly to be found in the insurance sector,
where nationality and gender, for example, may be used as negative criteria in credit
risk assessment.
Under the fourth type of discrimination—discrimination through inadequate
correlation—different constellations are conceivable in which the nature and rele-
vance of the data are important for the decision. This category comprises cases in
which the nature of the information materially does not do justice to the purpose of
the decision-making process, for example if the credit information is required for
purposes totally unrelated to the customer’s solvency. An example is the case where
car insurers calculate the customer’s accident risk based on her credit history, as
there is no factual or causal relationship between the two set of data. In addition,
the information must also provide unambiguous conclusions about the assessed item
rather than just a suspicion, as in the case of a rent warning file, in which people are
given a negative rating simply because they have been looking for a home for a long
time.
While types 1 and 3 of the discrimination forms described are objective and require
only the use of inadequate data (inaccurate or sensitive information) and the harmful
result for the individual, types 2 and 4 of discrimination (respectively, discrimination
by generalization and by inadequate correlation) are more difficult to identify, since
Algorithms and Discrimination: The Case of Credit Scoring … 423
not any generalization nor every inadequate correlation will lead to discriminatory
outputs. This will depend on a proportionality and compatibility test, in which the
reasoning of the need to use such types of data must be compared to the effects on
life of the individual.41
Germany has experienced that credit bureaus may have economic incentives to
consider the exercise of a person’s right as a negative criterion. It is known that credit
bureaus negatively assessed information regarding the exercise of the right to access
one’s own credit score. While in the view of the data subject she is only exercising
her right of access, from the point of view of the credit bureaus it is assumed that
those who demand information about their creditworthiness have an increased risk
of default. This practice was considered abusive and was prohibited in the German
Data Protection Law (§ 6 para. 3 BDSG—previous version).
Credit reports are commonly described as black boxes, as their results are difficult
to understand. The scoring procedure is criticized for being incomprehensible to the
individual, since she normally receives no information about the internal structure
of the algorithm. She also does not know what precisely influences her score. It is
obvious that the lack of transparency has an influence on the error rate of the loan
information since the procedure can not be controlled either by the person concerned
or by the supervisory authority. The same applies to insurance companies’ warning
systems, which are also characterized by low transparency: what data flows into these
systems, how these data influence the insurance contract, whose data is stored there
and how it can be saved, is often times not public knowledge.
We must also worry about discrimination with regard to the due process of the
decision-making, when the individual is not given the opportunity to present the
details of his case. When the normally complex personal decision-making process
is replaced by automatic data processing, is essential to guarantee the possibility of
participation of the affected person.
Data protection in Brazil has recently undergone a very significant change, with the
approval of the Brazilian General Data Protection Act.42 Even before that, however,
the country already counted with an important data protection framework, which
comprises privacy rights provided in the Brazilian Constitution and several statutes
dealing directly with personal data, such as the Consumer Protection Code, the
41 A study from the Institute for Technology & Society of Rio de Janeiro (ITS Rio) has analyzed
how segmentation can affect vulnerable groups in a disproportionate way, indicating a criteria to
the lack of proportionality and compatibility between the data used in the analysis and the results
for the person’s life (ITS, p. 5).
42 English non-official version available at: https://www.pnm.adv.br/wp-content/uploads/2018/08/
Credit Information Act and the Marco Civil da Internet (Brazilian Internet Rights
Framework).
The Brazilian Constitution directly addresses matters regarding information by
providing for the fundamental rights of freedom of expression43 and access to infor-
mation and transparency.44 It also acknowledges the inviolability of private life and
privacy45 and of telephonic, telegraphic and data communications,46 as well as estab-
lishes the home as the inviolable refuge of the individual.47 Furthermore, it meanwhile
also includes a right to personal data protection as well as it provides for the writ of
habeas data,48 which aims to provide citizens with a way to access and correct data
about themselves held by public entities and third parties.
Since the challenges of data processing in the data-driven economy are always
varying, the concept of privacy and the instruments for its protection have also under-
gone constant development. As in other parts of the world, these transformations can
be seen in the Brazilian Data Protection Framework and in results both from courts
decisions and from legislative modifications.
In 2018 Brazil approved its first General Data Protection Act (Law n. 13,709/2018
or GDPA) after a very long period of legislative debate, several different bills and
numerous difficulties. Some articles of Bill 53/2018, which became the new Act, were
vetoed by the Presidency, more importantly those concerning the creation of the Data
Protection Authority. In late 2018, however, an Executive Order later converted into
law inserted articles 55-A to 55-L into the GDPA, effectively allowing for the creation
of the Autoridade Nacional de Proteção de Dados Pessoais (ANPD). Although the
Act’s vacatio legis had been extended—the law came into force in September 2020—
article 55-A clearly established that the authority could have started its activities. In
fact, however, the ANPD only initiated its enforcement actions in November 2020.
Moreover, because the Act has been in force for a very short period of time, it is
unclear how precisely its dispositions will be applied. Still, it is worth mentioning
that some of its provisions will be directly applicable to automated decisions, namely
articles 20 and 21:
Article 20. The data subject has the right to request review of decisions taken solely on
the bases of automated processing of personal data that affects her/his interests, including
decisions intended to define her/his personal, professional, consumer or credit profile or
aspects of her/his personality.
§1 Whenever requested to do so, the controller shall provide clear and adequate information
regarding the criteria and procedures used for an automated decision, subject to commercial
and industrial secrecy.
Article 21. Personal data concerning the regular exercise of rights by the data subject cannot
be used to her/his detriment.
As the provision states, decisions based on solely automated processing that somehow
affect individuals’ interests may be subject to review. What is not yet clear, however,
is what the definition for “solely automated” will be, as well as the degree of review
that will be required for the provision to be considered fulfilled. It is also worth
mentioning that originally article 20 stated that such review had to be carried out
by a natural person, but that provision was later excluded from the law. In that
context, one must inquire precisely which degree of review will suffice to fulfill this
requirement. It is equally unclear whether decisions based primarily, but not only, on
automated means will also be somehow subjected to the legislation, and if so, how.
Furthermore, the Law establishes a role of principles, which can directly influence
the debate regarding algorithm discrimination:
Article 6 Activities of processing of personal data shall be done in good faith and be subject
to the following principles:
I – purpose: processing done for legitimate, specific and explicit purposes of which the
data subject is informed, with no possibility of subsequent processing that is incompatible
with these purposes;
II – suitability: compatibility of the processing with the purposes communicated to the
data subject, in accordance with the context of the processing;
III - necessity: limitation of the processing to the minimum necessary to achieve its
purposes, covering data that are relevant, proportional and non-excessive in relation to
the purposes of the data processing;
V – quality of the data: guarantee to the data subjects of the accuracy, clarity, relevancy
and updating of the data, in accordance with the need and for achieving the purpose of
the processing;
VI – transparency: guarantee to the data subjects of clear, precise and easily accessible
information about the carrying out of the processing and the respective processing agents,
subject to commercial and industrial secrecy;
VIII – prevention: adoption of measures to prevent the occurrence of damages due to the
processing of personal data;
IX – nondiscrimination: impossibility of carrying out the processing for unlawful or
abusive discriminatory purposes; and
X – accountability: demonstration by the agent of the adoption of measures which are
efficient and capable of proving the compliance with the rules of personal data protection,
including the efficacy of such measures.
426 L. S. Mendes and M. Mattiuzzo
Article 43 of the Consumer Protection Code provides for specific rights and safe-
guards regarding personal information stored in databases, specifically: (a) a right of
access to all of such personal information; (b) the principle regarding data quality,
according to which all stored data shall be objective, accurate and presented in a
comprehensible language; (c) a right to be notified, through written communication,
before the storage of any negative personal information is carried out; (d) a right of
rectification of any inaccurate data that is being stored and (e) the principle regarding
time storage limitation which establishes the maximum of five years for the storage
of negative personal information. According to Antonio Herman Benjamin, who
worked on the drafting of the Consumer Protection Bill, Article 43 was inspired by
the U.S. Fair Credit Reporting Act.50
Combined with the general clause of strict stability disposed on Article 6, VI,
and Article 14 of the Consumer Protection Code, these data protection standards
assume great relevance, since consumers may register their complaints against credit
information databases operators at the Public Consumer Protection Bodies,51 which
will handle the individual complaints through an extra-judicial conciliation proce-
dure, and because the Brazilian judicial system has a variety of small claims courts,
which facilitate consumer litigation and forego the need for hiring a lawyer. In fact,
courts have already recognized a right to compensation, for instance, when negative
personal data about a consumer is stored without prior notification, as long as the
consumer has not had any prior register at these databases.52
Finally, it is important to note how the concept of “consumer” put forward by
the Brazilian Consumer Protection Code—which allows for application in a variety
of scenarios beyond the strict contractual relation between consumers and traders—
gains relevance in this context.53 A consumer can direct damage claims to the firm
with which she has a contract, as well as exercise the rights to correction and disclo-
sure against the party responsible for a database. For this reason, the data protection
norms of the Consumer Code have had a much broader application by advancing
beyond contractual consumer relations.54 However, in spite of the relevance of this
norm to credit information databases, it does not apply to the processing of borrowers’
payment histories (“positive information”) nor does it yield any approach concerning
automatized decisions and their boundaries.
The fact that the Consumer Protection Code did not address issues involving the
processing of positive credit information resulted in a scenario of legal uncertainty.
Therefore, the Credit Information Act—Law 12.414 of 2011—emerged to regu-
late credit information systems, especially borrowers’ payment histories. The norm
furnishes detailed regulation concerning credit information databases, establishing
a legal framework that simultaneously encourages data flow and protects personal
data. As mentioned, the recent passing of the General Data Protection Act adds a
layer of complexity to the debate and reconciling all normative diplomas may prove
a challenge.
Law 12.414 of 2011 was reformed by Bill 441/2017. The Credit Information
Act lays a variety of rules ranging from the creation of a payment history to the
establishment of responsibilities in case of damages. It determines, for example,
when a payment history can be created (Article 4), what information can be stored
52 https://ww2.stj.jus.br/docs_internet/revista/eletronica/stj-revista-sumulas-2013_35_capSumu
la385.pdf; http://www.stj.jus.br/sites/STJ/default/pt_BR/Comunica%C3%A7%C3%A3o/noticias/
Not%C3%ADcias/STJ-define-tese-em-repetitivo-sobre-inscri%C3%A7%C3%A3o-em-cadastro-
de-inadimplentes. Accessed 11 Jan. 2022.
53 The conceptualization of consumer in the Code comprises four definitions: (a) according to the
standard definition, consumer is any physical person or corporate entity who acquires or uses a
product or service as a final user (Article 2°): (b) consumer is also a collectivity of persons who
participate in consumer relations (Article 2, § 2°); (c) consumer is, furthermore, anyone who has
suffered damages caused by a commercial activity (Article 17) and (d) any person who is exposed
to a commercial practice, such as advertising or databases is also considered a consumer (Article
29). In: Marques (2011), pp. 385–386.
54 Tepedino (1999), pp. 199–216.
428 L. S. Mendes and M. Mattiuzzo
(Article 3, §2 and §3), what are the rights of the data subject (Article 5), what are
the duties of the data processor (Article 6), who supervises the databases (Article
17) and who is liable in case of damages (Article 16). Many of its norms correspond
to the principles provided in Convention 108 of the Council of Europe and in the
European Directive 95/46/EC, but it can also be said that the Credit Information Act
corresponds to a typical U.S. regulation on credit reporting.
Consumer consent was the touchstone of the Credit Information Act, as provided
by the previous version of Article 4. Thereby the law confered the consumer the
prerogative over the creation, transfer and cancellation of her credit history. That is
no longer the case. With the reform, the Act now allows the credit scoring companies
to create profiles, and establishes an opt-out model, should the consumer wish her
data to be deleted. According to Article 5, consumers shall obtain the cancellation of
their records upon request and, as determined by Article 9, the sharing of information
is allowed.
Similar to the Consumer Protection Code, the Credit Information Act prescribes
the principle of quality or accuracy of personal data (Article 3, §1) and the rights
to access, rectification and cancellation of data (Article 5, II and III). In addition,
it guarantees access by the consumer to the main criteria used in the credit rating
process, that is, the consumer has the right to know the criteria upon which a calcu-
lation of credit risk is based (Article 5, IV). Concerning risk assessment, the law
ensures the right to ask for a review of any decision made exclusively by automated
means (Article 5, VI).55
The Credit Information Act also includes a very important provision: it offers
an explicit legal basis for the purpose limitation principle, which was only implicit
under the Consumer Protection Code. The principle of purpose, which in the General
Data Protection Act also gained much prominence, spreads through the entire credit
information system. Firstly, the Act defines the strict scope of its application, which
is solely to risk assess rather than assessment databases in credit and commercial
transactions (Article 2, I). Secondly, it establishes the right of the data subject to have
the processing of personal information limited to the original purposes of collection
(Article 5, VII). Thirdly, Article 7 describes the purposes for using the data collected
under the Act: either to conduct risk analysis or to assist decisions regarding the
granting of credit or other commercial transactions that involve financial risk. That
is to say that these databases cannot be used for marketing or any other activity not
explicitly provided for in the law.56
The prohibition against the storage and use of sensitive and excessive informa-
tion, as provided by Article 3, §3, is a decisive rule of the Credit Information Act,
55 This rule is comparable to Article 22 of the GDPR and aims to ensure the possibility of human
intervention in a process that can significantly affect his or her life. According to Article 22 of
the GDPR, “The data subject shall have the right not to be subject to a decision based solely on
automated processing, including profiling, which produces legal effects concerning him or her or
similarly significantly affects him or her”.
56 In this context, one notices another similarity to the European Directive, particularly Article 6,
1, b, which determines that personal data should be “collected for specified, explicit and legitimate
purposes and not further processed in a way incompatible with those purposes”.
Algorithms and Discrimination: The Case of Credit Scoring … 429
also in line with the General Data Protection Act. Pursuant to the norm, excessive
information is defined as the information unrelated to the credit risk analysis. Sensi-
tive information, on the other hand, is described as the information related to social
and ethnic origin, health, genetic information, sexual orientation and political, reli-
gious and philosophical beliefs. The prohibition intends to prevent that some types
of information lead to profiling, discrimination and the violation of the principle of
equality.57
Regarding the enforcement of the Act, instead of creating an authority to carry
out enforcement, it designates the existing public consumer protection bodies at the
federal, state and local levels, as responsible for the supervision (Article 17). The law
also establishes that the administrative penalties provided in the Consumer Protection
Code are applicable to credit scoring. Both provisions are only applicable, however,
when the data subject qualifies as a consumer. This norm’s main problem derives
from the lack of expertise of the consumer protection entities to deal with personal
data. This may explain the timid approach of these entities concerning this issue, in
spite of the law explicitly attributing such competence to them.
The Superior Court of Justice (STJ for its Portuguese acronym) has defined the
practical application of the Credit Information Act in two opportunities. The first case
deals with the lawfulness of credit scoring and its boundaries, and the second case
with credit information access by the registered person and the processual formalities
to do so.
In the Special Appeal (“Recurso Especial”) n. 1.419.697, it was established that
the credit scoring is compatible with Brazilian law and is a licit commercial conduct,
as disposed by Articles 5, IV and 7, I, of the Credit Information Act. However,
the decision specified that the limits imposed by the Consumer Protection Code, in
respect to privacy and the transparency of contractual relations, must be observed in
the credit risk evaluation.
The decision also stipulated that, despite consumer consent not being mandatory
for the consult, access to the credit history source as well as to the personal infor-
mation evaluated, if requested, must be granted. Finally, it established that the use
of excessive or sensitive information is cause for damages (Article 3, I and II) and
that refusing credit based on incorrect data will give rise to strict solidary liability
between the service supplier and the person responsible for the database (Article 16).
Another relevant aspect of this decision is that a specific section was dedicated
to privacy protection and transparency about consumer information, as provided by
the Credit Information Act (Article 3) and the Consumer Protection Code (Article
57 It is possible to make another parallel to the European Directive, namely, Article 8, which concerns
the processing of special data categories. In the General Data Protection Act, the provision on Article
5, II provides the definition of sensitive data.
430 L. S. Mendes and M. Mattiuzzo
43). The limitations imposed by these norms were summarized in five duties to the
service supplier: veracity, clarity, objectivity, prohibition of excessive information,
and prohibition of sensitive information. Relating to the prohibition of excessive
and sensitive information, the Reporting Justice highlighted the distinction: sensitive
information relates to race and ethnic, sexual orientation and religious belief, whereas
excessive information refers to personal taste such as soccer team preferences, and
others. Neither can be used for scoring purposes.
To summarize the ruling, five theses were suggested by the Reporting Justice
and later unanimously approved by the Second Section of the Court, namely: (1)
“The credit scoring system is a method developed to evaluate the credit concession
risk, based upon statistic models that consider diverse variables, with the attribu-
tion of a score to the evaluated consumer (credit risk score)”; (2) “This commercial
practice is licit, being authorized by Article 5, IV and Article 7, I, of the Law n.
12.414/2011 (Credit Information Act)”; (3) “In the credit risk evaluation, the limits
imposed by the consumer protection system in respect to privacy safeguards and the
maximal transparency of contractual relations must be observed, in accordance with
the Consumer Protection Code provisions and Law n. 12.414/2011”; (4) “Despite
consumer’s consent being unnecessary, clarifications must be given, if requested,
about the considered data source (credit history), as well as about the personal infor-
mation evaluated”; 5) “Failure to observe these legal limits in using the credit score
system configures an abusive exercise of rights (Article 187 of the Civil Code),
and may give rise to strict solidary liability between the service supplier and the
responsible for the database, the source and the consulting (Article 16 of Law n.
12.414/2011), for the occurrence of damages in the use of excessive or sensitive
information (Article 3, I and II of Law n. 12.414/2011) or in situations where credit
is refused based on outdated or incorrect data”.
In Special Appeal 1.304.736, the Court established the grounds for a consumer’s
judicial demand for accessing the credit history source and the information used for
credit scoring, brought up in the decision discussed above. The decision determined
the existence of legal interest in bringing proceedings to compel the exhibition of
documents whenever the author of the demand intends to know or verify her own
documents, or any documents of her interest, notably the ones referring to her person
and that are in the power of others. To this end, for the document to be exhibited it
is important that it be of common interest.
In this context, the decision proclaimed two requirements to fulfill the legal interest
in bringing proceedings: first, proof of a request for obtaining the data—or at least of
the attempt to do so—before the institution responsible for the scoring; and, second,
proof of the refusal to obtain the desired credit, owing to the score attributed by the
system.
The decision imposes severe restrictions to the access of information for the
consumer regarding the criteria used to calculate her credit score and could be inter-
preted as a hindernisse to address algorithm discrimination in the credit reporting
context.
Algorithms and Discrimination: The Case of Credit Scoring … 431
It should be noted that both decisions date from before the General Data Protection
Act was approved, so this piece of legislation was not part of the Justices’ analysis.
Also, they were both expedited before the Credit Information Act was reformed.
Having set the ground for how credit scoring functions in Brazil, we now turn to our
thoughts on the challenges faced by policy proposals aimed at hindering algorithmic
discrimination in credit scoring. First, we will present an overview of the literature
58 Cf. Article of the Secretary of Economic Politics of the Ministry of Finance: Pinho Mello et al.
(2018).
59 Idem.
432 L. S. Mendes and M. Mattiuzzo
To deal with the issue of algorithmic discrimination and regulation, one must first
survey the literature on algorithmic governance. The body of authors that discuss how
discrimination can be a factor in algorithmic decision-making has come to realize
that policy solutions are needed and thus focused on providing an overview of what
these solutions might be. This subsection will review the most important debates that
have arisen in this field, focusing on (i) the commonly discussed policy solutions,
(ii) the disagreements among authors on these proposals, and (iii) our view on the
topic.
The literature on algorithmic governance, though fairly recent, is already vast.
Several authors debate when and how (or whether) algorithms should be regulated.
Most notably, some groups of scholars have come up with principles that could
govern algorithmic decision-making. The Fairness, Accountability and Transparency
in Machine Learning Organization (FAT-ML) is one of such institutions. They have
compiled a list of what they believe to be the key principles that should be observed by
companies and government when dealing with algorithms: responsibility, explain-
ability, accuracy, auditability, and fairness.60 In the United States, the Association
for Computing Machinery (ACM) followed the same path and devised its own prin-
ciples, adding awareness, access and redress, data provenance, and validation and
testing to the list.61
Responsibility, in the FAT-ML’s view, is connected to the idea that one, in
designing algorithmic systems, must be aware of the people that will be impacted
by the decision-making process and as such should to some extent provide alterna-
tives for redress—both at individual and societal levels. This idea connects to the
ACM’s principles of awareness—which is mostly focused on making the algorithm’s
builders and users mindful of the possible consequences of its use, especially of the
biases that can arise from it; and of access and redress—which claims regulators
should adopt mechanisms that allow individuals impacted by the decisions made by
algorithms to question and redress the possible harm caused.
As Doshi-Velez et al. put it, the idea of explanation (or explainability), when
applied to decision-making, usually means “the reasons or justifications for that
particular outcome, rather than a description of the decision-making process in
impossible to understand, audit studies can crack the code through trial and error: researchers can
apply expert knowledge to the results of these audit tests. By closely monitoring these online plat-
forms, we can discover interactions between algorithm and data. In short, auditing these algorithms
demands a third party that can combine both expert and everyday evaluations, testing algorithms
on the public’s behalf and investigating and reporting situations where algorithms may have gone
wrong”.
434 L. S. Mendes and M. Mattiuzzo
such, tools aimed at bringing algorithms to light have been considered by some an
essential step in any proposed regulatory solution.66
There is no consensus on what precisely is the ideal combination of these
proposals, and authors often disagree on their importance and usefulness. The most
visible disagreement comes from those who believe transparency—and even explain-
ability—are not adequate or sufficient tools to deal with algorithms, defending
accountability to be a better option in many cases.
Pasquale and Citron are among the authors who believe transparency is a mean-
ingful solution for algorithmic discrimination, specifically when applied to credit
scoring. In their words:
We believe that each data subject should have access to all data pertaining to the data
subject. Ideally, the logics of predictive scoring systems should be open to public inspection
as well. There is little evidence that the inability to keep such systems secret would diminish
innovation.67
They are clear in stating that the “threats to human dignity” are sufficient to justify
disclosing not only the dataset and the overall functioning of the system to authorities,
but also the code and modeling of algorithms to the public in general.68
Another author that follows a similar line of thought is Zarsky, who puts the
argument forward in the context of automated predictions in government initiatives.
In short, he claims that “the most basic and popular justification for transparency is
that it facilitates a check on governmental actions.”69 He states that, in this context,
accountability and transparency are usually referred to as synonyms, but argues
the concepts are fundamentally different for accountability regards the idea that
individuals are ethically responsible for their actions, whereas transparency is a
tool—and not the only tool—aimed at facilitating accountability.
Some experts, however, have pointed towards the limitations of transparency
solutions. Lawrence Lessig has famously presented such a view in respect to govern-
ment transparency, when he claimed that turning the panopticon upon the rulers and
building civic omniscience had its issues. He builds his argument by explaining the
ideas expressed by Brandeis in Other People’s Money, especially the argument that
full disclosure of information would help the public judge quality and as such allow
the people to regulate the market. But as Lessig warns, “not all data satisfies the
simple requirement that they be information that consumers can use, presented in a
way they can use it”.70 Though the goal of his paper was not to discuss algorithmic
discrimination, many of his observations hold true for this context.
66 Pasquale (2013).
67 Pasquale and Citron (2014), p. 26. They also say: “The FTC’s expert technologists could test
scoring systems for bias, arbitrariness, and unfair mischaracterizations. To do so, they would need to
view not only the datasets mined by scoring systems but also the source code and programmers’ notes
describing the variables, correlations, and inferences embedded in the scoring systems’ algorithms”.
68 Pasquale and Citron (2014), pp. 30–31.
69 Zarsky (2013), p. 1533.
70 Lessig (2009).
Algorithms and Discrimination: The Case of Credit Scoring … 435
Specifically regarding algorithms, Kroll et al. offer four main arguments why
transparency is not a sufficient policy proposal71 : firstly, because it simply may be
unattainable—there either will be well-grounded public reasons that forfeit the right
to disclosure, such as national security or the prevention of strategic behavior aimed
at gaming the system,72 or reasons that impact the individuals under scrutiny, for
example if the data collected is highly sensitive, in which case it may be in the
individual’s best interest not to have full transparency applied to the database—;
secondly, because it might be insufficient—even if a rule is public, “[the] methods
are often insufficient to verify properties of software systems, if these systems have
not been designed with the future evaluation and accountability in mind”,73 as often
is the case; thirdly, whenever the algorithm incorporates randomness—which is
arguably a fundamental function of computerized systems—full transparency guar-
antees nothing74 ; fourthly, “intelligent” systems that change over time and adapt
to their environment, such as ML algorithms, cannot be properly comprehended
through transparency solutions. Following this line of thought, the authors argue that
accountability, in the form of procedural regularity, is a better policy proposal that
should be studied in more depth, for it can provide the desired outcome even in the
face of secrecy.
Desai & Kroll, for their turn, claim that transparency, though having its place, is
limited, for it may further emphasize discrimination by providing a false sense of
clarity. In their words:
Many of the current calls for transparency as a way to regulate automation do no address
such limits [of the algorithmic systems], and so they may come up short on providing the sort
of legal-political accountability they desire, and which we also support. Instead, as software
(and especially machine learning systems, which separate the creation of algorithms and
rules from human design and implementation) continues to grow in importance, society may
find, and we argue, that identifying harms, prohibiting outcomes, and banning undesirable
uses is a more promising path.
Edwards & Veale also highlight the limitations of transparency and explainability,
aiming specifically at the General Data Protection Regulation in Europe. They point to
the uselessness of transparency, both for its unfeasibility and for its lack of fit to users’
needs—namely inability to redress substantive justice, and suggest a framework
focused on building better algorithmic solutions from the start (solutions that are
rithm—use a random number generator to assign a number to each participant and have the partici-
pants with the lowest numbers win—yields results that cannot be reproduced or verified because the
random number generator will produce new random numbers when it is called upon later”. Kroll
et al. (2017).
436 L. S. Mendes and M. Mattiuzzo
effectively concerned with policy objectives) and giving agencies and institutions
the power to oversee algorithmic integrity.75
In our view, placing too much faith on transparency is indeed misguided, though
not for the goal transparency aims at attaining, but for the fact that it may prove
insufficient in fulfilling its promise. In the specific context of credit scoring, disclo-
sure of databases and of decision-making processes usually faces resistance, be it
for claims of commercial secrecy, be it for allegations of systems’ gaming. From
a policy standpoint, especially considering the insertion of ML into credit scores
and the randomness element indicated by Kroll et al., transparency is a tool whose
usefulness is limited to informing data subjects of their current scores and allowing
such individuals to correct and update information. But advocating for open source
code in this context, as will be seen in the next subsection, is unlikely to provide
practical and sufficient solutions.
In this subsection we aim at, first, presenting how our typology of discrimination
helps shed light upon possible discriminatory outcomes that may arise in the Credit
Information Act. To do so, we will present how some provisions of the Act converse
with our discussion, and also how the General Data Protection Act may come to
influence the debate. Secondly, we intend to connect such provisions to the literature
on algorithmic governance, and suggest some policy proposals that could assist in
fighting discrimination.
Remembering our typology, we claimed there are four types of discrimination
running from algorithmic systems:
(i) Discrimination by statistical error,
(ii) Discrimination by generalization,
(iii) Discrimination by use of sensitive information,
(iv) Discrimination by inadequate correlation.
Naturally, the first type of discrimination may arise in any case in which an algorithm
is in use, so long as the program presents errors—wrong prediction models, for
instance.
The General Data Protection Act has established a principle regarding data quality
that speaks to this concern, as well as a right for any individual to correct or complete
data available in datasets. There is however no provision aimed at ensuring that
models are statistically correct, much less to verify their accuracy. One could claim
75 Edwards and Veale (2017), pp. 22–23. “As the history of industries like finance and credit shows,
rights to transparency do not necessarily secure substantive justice or effective remedies. We are
in danger of creating a “meaningless transparency” paradigm to match the already well known
“meaningless consent” trope”.
Algorithms and Discrimination: The Case of Credit Scoring … 437
the reason for lack of regulation here is that the market incentives are sufficient
to address this problem. In other words, no norm is needed because it is not in a
company’s best interest to have its algorithm present statistical imprecisions, simply
because inaccuracy of this kind would mean inefficient resource allocation. Classi-
fying a good creditor as a bad one ultimately means less revenue. Still, it is worth
noting that there is no overreaching obligation for the private or for the public
sectors to show that their models are statistically sound, and present no mathematical
mistakes.
In Germany, for example, such an obligation does exist. The DSAnpUG-EU, or
the new Bundesdatenschutzgesetz (BDSG), in section 31, states that the method
used for credit scoring needs to be a scientifically recognized statistical procedure.76
This provision is viable in Germany because the country has a well-established data
protection system and a central authority responsible for supervising the application
of the norm. Still, especially with the approval of the General Data Protection Act
and the creation of a central authority in Brazil, such a recommendation could go a
long way in hindering type 1 discriminatory outcomes.
Turning to discrimination by generalization, the issues credit scoring may present
are three-fold. Firstly, there is the problem of accuracy. Secondly, the challenge of
data correction. Thirdly, the question of insufficient data leading to miscategorization.
The Brazilian model for accuracy assurance is far from ideal. The entire credit
information system is based upon the notion that correction lies with the consumer—
she must be able to identify mistakes, bring such mistakes forward, and require the
company responsible to modify the information. The idea is very much in line with
individual complaints and runs from consumer law methodology, but it is bound to
fail. First, because the information asymmetry is enormous—putting it bluntly, the
consumer knows far less about the database then the company; her effort to verify
whether the information collected is accurate is completely disproportionate to the
effort of the databroker—, and secondly, because there are other far superior ways
to ensure accuracy—Brazilian legislation could adopt audit mechanisms, periodical
reports of the databases etc., as has been the case in other jurisdictions.77
The General Data Protection Act builds on this idea and establishes a principle
aimed at tackling the quality of data as an overreaching goal that should be followed
by companies regardless of individual complaints. Also, because the provisions
on liability in the GDPA are far more severe than those of the Credit Information
76 § 31 (1, no. 2) BDSG: “Die Verwendung eines Wahrscheinlichkeitswerts über ein bestimmtes
zukünftiges Verhalten einer natürlichen Person zum Zweck der Entscheidung über die Begrün-
dung, Durchführung oder Beendigung eines Vertragsverhältnisses mit dieser Person (Scoring)
ist nur zulässig, wenn […] die zur Berechnung des Wahrscheinlichkeitswerts genutzten Daten
unter Zugrundelegung eines wissenschaftlich anerkannten mathematisch-statistischen Verfahrens
nachweisbar für die Berechnung der Wahrscheinlichkeit des bestimmten Verhaltens erheblich sind”.
77 Hurley and Adebayo (2016). Congress directed the FTC to conduct a study of credit report
accuracy and provide interim reports every two years, starting in 2004 and continuing through
2012, with a final report in 2014. The reports are being produced under section 319 of the Fair and
Accurate Credit Transactions Act, or FACT Act.: https://www.ftc.gov/news-events/press-releases/
2013/02/ftc-study-five-percent-consumers-had-errors-their-credit-reports. Accessed 11 Jan. 2022.
438 L. S. Mendes and M. Mattiuzzo
Act—controllers are liable whenever damage is caused, and obliged to repair such
damage—the tendency is for the individual to be more protect even when she is not
as engaged in verifying the accuracy of credit scores.
A different issue is that of data correction. According to the Credit Information
Act, if the consumer identifies a mistake in the database, it is not clear how precisely
the problem should be addressed. Article 5, III of the Credit Information Act states
that the consumer can request the correction of the data, but it does not provide how
such request can be made, nor, more importantly, what happens in case there is a
dispute between the consumer and the database operator regarding the accuracy of
the information. Who bears the burden of proof? If we take Brazilian consumer law
as a parameter, the burden should fall upon the database operator, but if we claim the
Credit Information Act should be the sole source of the answer, we simply fall short
of providing a response. In the GDPA, the request for data correction is explicit in
Article 18, III. The Act goes further and states that the request for data correction
shall be complied with by the data controller in a timely manner (Article 18, §5—
the law also states that the exact deadline for controllers shall be determined by the
authorities via infralegal regulation).
In regards to miscategorization due to incompleteness, Brazilian law is silent on
any matter related to what is a bundle of information sufficient to render useful
credit scoring results. The existing mechanism that could be of service to address
such problem is the right to revision in Article 5, VI Credit Information Act. But
again, for this right to have any meaning, the consumer would either have to identify
the information in her score—which we already established to be difficult due to
the accuracy model present in the law; or to infer that her low score is due to a
miscategorization of the sort presented in item 2—the database assumes that, because
she lives in a neighborhood usually associated with low income, she is a bad creditor,
because it does not have any other sources of information for that particular person.
Obviously, placing such burden upon the consumer seems less than ideal.
It should also be said that, due to Article 21 of the GDPA and Article 7-A, III of
the Credit Information Act, the individual has a further level of protection in case of
type 2 mistakes. Personal data that refers to the exercise of rights by the individual
can not be used in her detriment. A practice that fits in this norm is for instance the
lowering of the credit score when the consumer verifies her own score, which was
already reported by some data protection activists in Germany and motivated the
change of the former German Data Protection Act (BDSG).78 Another example are
the black lists created by employers to register employees who filed cases in labor
courts.79
Moving on to our third category, discrimination by use of sensitive information,
the Credit Information Act explicitly addresses such problem in Article 3, §3, I and
II, as mentioned in Sect. 3, and so does the GDPA, in Article 11, stating that use
of sensitive personal data is only allowed in limited circumstances. However, the
lack of cases that deal with this issue—there has not been one single instance in
which a consumer claimed the data being used by a company was sensitive and thus
prohibited—is telling of the problem faced by Brazilian legislation. Because Brazil
has a still very recently established central data protection authority, there is still
no enforcement, running from the inexperience of the consumer system on dealing
with this matter. In addition, and likely also related to lack of enforcement, there
is no standard to address the issue of proxies. The Act prohibits using sensitive or
excessive information, but it says nothing about information that is neither sensitive,
nor necessarily excessive, and still provides a good proxy for either one of those
categories. Again, were there stronger enforcement, and consequently case law that
helped build criteria for what precisely sensitive or excessive data is, this problem
would likely be mitigated. The creation of a DPA, and the coming into force of the
GDPA, may change this scenario.
The fourth type of discrimination—by inadequate correlation—was evidently
possible in Brazil, but after the reform of the Credit Information Act, became unlawful
for the purposes of credit scoring. Previously, whenever the databrokers used the
request of information by the consumer on her credit score to determine the score
itself, we faced such a scenario. Now, after the inclusion of Article 7-A, III, the
fulfillment of the individual’s right to access information about herself cannot be
used against the consumer.
We now move on to our thoughts on how the aforementioned problems could be
mitigated through modifications in the Credit Information Act, and by the application
of the overreaching data protection system in Brazil. When it comes to type 1 issues,
we believe a provision such as the one in the new BDSG would be sufficient to address
the problem, but it is also possible that the challenge will be solved by itself due to
market incentives. Specially, with the creation of a central data protection agency
and the expectation of enforcement, companies are unlikely to risk their business by
providing inaccurate scoring methods.
As for discrimination by generalization, there are still many challenges to be faced
before a normative system able to overcome this problem emerges. Nevertheless
important measures have been taken to reduce discrimination by generalization,
such as guaranteeing in an automated individual decision making process the right
to obtain review, as granted by Article 22, 3, GDPR and, in Brazil, by Article 20 of
the GDPA. The Credit Information Act grants the individual a similar right to ask for
revision from automated decisions. In both cases, the idea is that the atypical case
could be demonstrated with evidences brought by the affected person.
Consumers should have an easier way to access data, and a clear procedure to
request corrections from databases. Ideally, we believe this procedure should be
homogeneous for all databrokers, in order to diminish consumers’ transaction costs.
Still, the issue we believe to be the hardest to address here is that of proxies. A
way forward could be that of the German regulation, which, though not providing an
overall prohibition on the use of proxies, states that no score based solely on address
information shall be allowed and that, if such address data is in fact used, the data
subject must be notified in advance.80 This solution is partial for it deals with only
one type of data—zip codes, and we are not aware of norms in other jurisdictions
that specifically tackle this problem. Both the GDPR and the GDPA, when stating
that the consumer has the right to a review of automated decisions, are not explicit
on the problem of proxies.
In regards to discrimination by use of sensitive information, though Brazilian
law clearly states that the use of such information for scoring is prohibited, there is
little to no orientation on what precisely sensitive or excessive information means.
What are traits that pertain to social and ethnic origin, health, genetic information,
sexual orientation, and political, religious and ideological convictions? If a company
has enough information to infer someone is gay, but nothing that by itself would
indicate sexual orientation, is the use of this bundle of data prohibited? For this
debate to evolve, enforcement is paramount. Again, the creation of a centralized data
protection authority may go a long way in providing clearer criteria. But a necessary
alternative is to build capacity and bring awareness in the consumer system.
Discrimination by inadequate correlation, lastly, was addressed in the context of
credit scoring with the addition of Article 7-A, which is similar to the one put forward
in the former German legislation. A similar concept was introduced by the General
Data Protection Act in Article 21. Although the concept behind article 21 is correct
and useful, it is not yet clear what its real boundaries will be, since fulfillment of a
right could be interpreted in a very broad fashion.
The Brazilian system would also benefit from substitute for “an understanding
that” the concept of excessive information, which already exists in the Credit Infor-
mation Act, also covers situations where discrimination arises from inadequate corre-
lations. But this would require the further development of this concept by case law
and doctrine, in order to specify its definition and facilitate its appliance.
Finally, the purpose limitation principle, established in Article 5, I b of GDPA,
could be applied, in order to avoid spurious correlations in the use of data, since it
prohibits the use of a subsequent processing that is incompatible with these initial
purposes of the processing.
It is clear that the challenges of this last type of algorithmic discrimination lays
in better establishing the criteria used to distinguish legitimate from inadequate use.
Although the GDPA has made an important progress in this direction, its consistent
interpretation will depend on the relevant activities of the Data Protection Authority.
5 Final Considerations
Brazilian legislation could adopt some of the suggestions that have been put
forward elsewhere in the Credit Information Act, but the algorithmic discrimination
debate is still far from over and will likely consume policy makers’ agenda for a long
time.
Furthermore, the debate on credit scoring poses other specific challenges for
Brazil, since the establishment of a specialized authority to enforce data protection
rules may address some of the problems concerning algorithm discrimination. It is
clear that the ANPD’s role will be essential in many aspects: it could provide clarity
on when the GDPA should prevail over the Credit Information Act, in cases where
conflicts of interpretation may arise; it would be a technical body able to deal with
the complex issues arising out of data protection debates, some of which the existing
authorities have difficulty in handling; and it would be a source of legal certainty for
any entity subjected to the Brazilian legislation that deals with data protection and
credit scoring, most notably facing debates such as when algorithmic discrimination
in fact takes place and how it should be addressed.
References
Edwards L, Veale M (2017) Slave to the algorithm? Why a ‘right to an explanation’ is probably not
the remedy you are looking for. Duke Law Technol Rev 16(1):18–84
Federal Trade Commision (2012) Report to congress under section 319 of the fair and accurate
credit transactions act of 2003. December 2012. https://www.ftc.gov/sites/default/files/doc
uments/reports/section-319-fair-and-accurate-credit-transactions-act-2003-fifth-interim-federal-
trade-commission/130211factareport.pdf. Accessed 11 Jan. 2022
Finley S (2018) I didn’t even meet my potential employers. BBC News 6 Feb 2018. http://www.
bbc.com/news/business-42905515. Accessed 11 Jan. 2022
Gee K (2017) In Unilever’s radical hiring experiment, resumes are out, algorithms are in. In:
Ginsberg J et al (2009) Detecting influenza epidemics using search engine query data. Nature,
vol 457, pp 1012–1014
Goodman BW (2016) Economic models of (algorithmic) discrimination. Paper presented at 29th
conference on neural information processing systems, Barcelona, Spain
Hurley M, Adebayo J (2016) Credit scoring in the era of big data. Yale J Law Technol 18(1):148–216
Institute for Technology & Society of Rio de Janeiro (2017) Algorithm transparency and governance:
a case study of the credit bureau sector
Kroll J et al (2017) Accountable algorithms. Univ Pennsylvania Law Rev 165:633–705
Lazer D et al (2014) The parable of Google Flu: traps in big data analysis. Science 343:1203–1205
Lessig L (2009) Against transparency. The New Republic, 9 Oct 2009. https://newrepublic.com/art
icle/70097/against-transparency. Accessed 11 Jan. 2022
Marques CL (2011) Contratos no Código de Defesa do Consumidor. O Novo Regime das Relações
Contratuais. Revista dos Tribunais, São Paulo
Mayer-Schönberger V, Cukier K (2014) Big data: a revolution that will transform how we live,
work, and think. First Mariner Books, New York
Mendes, LS (2014) Privacidade, proteção de dados e defesa do consumidor. Linhas gerais de um
novo direito fundamental. Saraiva, São Paulo
Mendes, LS (2015) Schutz vor Informationsrisiken und Gewährleistung einer gehaltvollen Zustim-
mung. Eine Analyse der Rechtmäßigkeit der Datenverarbeitung im Privatrecht. De Gruyter,
Berlin
Moro A (2009) Statistical discrimination. In: Durlauf NS, Lawrence E (eds) The New Palgrave
dictionary of economics. Palgrave Macmillan, Basingstone
O’Neil C (2018) Personality tests are failing American workers. In: Bloomberg View, 18
Jan 2018. https://www.bloomberg.com/view/articles/2018-01-18/personality-tests-are-failing-
american-workers. Accessed 11 Jan. 2022
Papacharissi Z (2010) A private sphere: democracy in a digital age. Polity Press, Cambridge
Pasquale F, Citron D (2014) The scored society: due process for automated predictions. Washington
Law Rev 89:1–33
Pasquale F (2013) The Emperor’s new codes: reputation and search algorithms in the finance sector.
Draft for discussion at the NYU “Governing algorithms” conference
Phelps E (1972) The statistical theory of racism and sexism. Am Econ Rev 62:659–661
Pinho Mello JM, Mendes M, Kanczuk F (2018) Cadastro Positivo e democratização do crédito.
In: Folha de São Paulo, March 2018. https://www1.folha.uol.com.br/opiniao/2018/03/joao-man
oel-pinho-de-mello-marcos-mendes-e-fabio-kanczuk-cadastro-positivo-e-democratizacao-do-
credito.shtml. Accessed 11 Jan. 2022
Sandvig C et al (2014) An algorithm audit. In: Gangadharan SP (ed) Data and discrimination:
collected essays. Open Technology Institute
Schauer F (2006) Profiles, probabilities, and stereotypes. Harvard University Press, Cambridge
Silver N (2012) The signal and the noise. The art and science of prediction. Penguin, London
State v. Loomis. 881 N.W.2d 749 (Wis. 2016). In: Harvard Law Review. https://harvardlawreview.
org/2017/03/state-v-loomis/. Accessed 11 Jan. 2022
Tepedino G (1999) As Relações de Consumo e a Nova Teoria Contratual. In: Tepedino G Temas
de Direito Civil. Renovar, pp 199–216
Zarsky T (2013) Transparent predictions. Univ Ill Law Rev 2013(4):1503–1570
Algorithms and Discrimination: The Case of Credit Scoring … 443
Laura Schertel Mendes Professor for Civil Law at the University of Brasília (UnB) and at
the Public Law Institute of Brasília (IDP). PhD in private law at the Humboldt University in
Berlin, Germany. Director of the Center for Internet and Society at IDP (CEDIS/IDP). Main areas
of research: Data Protection, Consumer Law, Algorithmic Governance. Selected publications:
Privacidade, proteção de dados e defesa do consumidor: linhas gerais de um novo direito funda-
mental. Saraiva, 2014; Schutz vor Informationsrisiken und Gewährleistung einer gehaltvollen
Zustimmung: eine Analyse der Rechtmäßigkeit der Datenverarbeitung im Privatrecht. De Gruyter,
2015; (Co-author) The Regulation of Commercial Profiling: a Comparative Analysis. European
Data Protection Law Review, v. 2, 2016, pp. 535–554; (Co-author) Discriminação algorítmica:
conceito, fundamento legal e tipologia. Revista de Direito Público, v. 16, 2019, pp. 39–64;
(Co-author) Datenschutz und Zugang zu Informationen in der brasilianischen Rechtsordnung—
Einführung. In: Indra Spiecker gen. Döhmann; Sebastian Bretthauer (Hrsg.) Dokumentation zum
Datenschutz, 2019, pp. 225ff.
Marcela Mattiuzzo Ph.D. Candidate at the University of São Paulo, Master in Constitutional
Law from the University of São Paulo, former visiting researcher at Yale Law School and chief
of staff from the Office of the President at the Administrative Council for Economic Defense
(CADE). Partner at VMCA Advogados. Main areas of research: Data Protection, Antitrust, Algo-
rithmic Governance, Artificial Intelligence. Selected publications: Online Advertising Platforms
and Personal Data Retail: Consequences for Antitrust Law. Competition Policy International
Antitrust Chronicle, v. 7, p. 1, 2015; (Co-author) Discriminação algorítmica: conceito, fundamento
legal e tipologia. Revista de Direito Público, v. 16, 2019, pp. 39–64; (Co-author) Data Portability:
The Case of Open Banking and the Potential for Competition. In: David S. Evans; Allan Fels
AO; Catherine Tucker (Eds.) The Evolution of Antitrust in the Digital Era: Essays on Compe-
tition Policy. Competition Policy International, 2020, v. 1, pp. 183 ff.; “Let the algorithm decide”:
is human dignity at stake? Revista Brasileira de Políticas Públicas, v. 11, n. 1, 2021, pp. 342–369.
Safeguarding Regional Data Protection
Rights on the Global Internet—The
European Approach Under the GDPR
Raoul-Darius Veit
Abstract Enforcing law on the Internet is a general challenge that cannot be limited
to data protection rights. It is, however, in the context of these rights that the
complexity of the issue becomes particularly clear: the unlimited archiving of (poten-
tially false) personal information and data has initiated a debate over the possibilities
of “forgetting on the Internet”. The global cross-border dimension of (anonymous)
communication and (nontransparent) network-like flow of data on the Internet makes
it difficult not only to determine who is processing what data where and for which
purposes, but also to identify the applicable jurisdiction and even more so to enforce
national law against the communication partner and/or data processors (potentially)
acting from abroad. Against this background, a binding global data protection frame-
work appears to be the most suitable instrument to meet these challenges. While, as
will be shown, this remains a distant goal and alternative approaches to data protection
governance have not proved to be successful in the international context, significant
progress with respect to the harmonization of data protection laws has been made
at the level of European Union: With the recently passed General Data Protection
Regulation (GDPR), the EU is setting an example on how to tackle the enforcement
issues in a regional, multi-national context. The GDPR provides for different instru-
ments to ensure the effective enforcement of its provisions not just within the EU
but also extraterritorially. The legal act is complemented by data protection agree-
ments with non-EU states of which the former so-called EU-US Privacy-Shield can
be considered the one with the greatest practical impact. The aim of this chapter is to
analyze the approach of the European Union pursued in the General Data Protection
Regulation and evaluate it with respect to its effectiveness and normative legitimacy.
1 Introduction
It is common knowledge that for any laws, legal rules, or rights to be effective, they
require mechanisms and institutions that safeguard their application and enforcement.
Traditionally, in Western social thought, the creation and enforcement of rules are
seen as capacities exclusively reserved for and therefore closely linked to nation-
states.1 In a democratic state, parliaments pass laws as reflections of democratically
adopted policies, and their enforcement is primarily assigned to the national executive
and judiciary. In this way, the nation-state fulfills its profound democratic obligation
to sustain the rule of law.
In the age of the Internet, however, this traditional paradigm is increasingly coming
under pressure. The current trends of globalization and digitalization affect every
aspect of life and thus every field of law: the shift from offline to online and conse-
quently from national to transnational in economic and social interaction has led to
legal issues occurring more and more frequently in cross-border constellations where
various authorities and courts each tasked with enforcing their domestic laws meet
and jurisdictional conflicts arise.
This increase of transboundary interaction, fueled particularly by the rise of the
relatively new global phenonemon/network, has likewise turned governance into a
matter that requires a transnational or even global scope, which, in turn, has resulted
in a shift in the global legal order in the last twenty years: in reaction to the observation
that nation-states alone can no longer effectively respond to this new scenery due to
their territorial and jurisdictional limitations, an ever-increasing number of regional
and international organizations have come to the fore, competing for influence in the
task of providing appropriate legal frameworks in response to these developments.2
With respect to data protection law, certainly as one of the most prominent subjects
of postnational governance in general and Internet regulation in particular, the Euro-
pean Union is considered to be the most influential stakeholder with its former
core instrument, Data Protection Directive 95/46/EC (hereinafter: Directive 95/46),3
having served as a blueprint for data protection laws all across the globe.
protection of individuals with regard to the processing of personal data and on the free movement
of such data, Official Journal L 281/31.
Safeguarding Regional Data Protection Rights on the Global Internet … 447
After a long and cumbersome legislative procedure,4 the European Union recently
gave this framework a much-anticipated update: the General Data Protection Regu-
lation (hereinafter: GDPR),5 which came into force in May 2016 and has been appli-
cable since 25 May 2018. In legal scholarship, the quality of this new legal act has
been subject to controversial debate; while some praise it as “a milestone”6 or a “role
model for other policy areas,”7 others see in it an “unconstitutional aberration” that
“will fail.”8 Prominent points of discussion are, among others, the new legal act’s
‘perforated’ structure9 as well as its (lack of) sustainability.10
This article seeks to contribute to this debate, but with a different focus; in light of
the aforementioned challenges, this paper analyzes the EU data protection regime’s
extraterritorial reach under the scope of the new GDPR and assesses whether its
instruments provide a feasible and normatively justified approach to the enforcement
of data protection law and rights in the era of the Internet.
For this purpose, the first part (Sect. 2) will outline the specific challenges to data
protection law and rights and their enforcement which have emerged in recent years.
In response to the rise of the Internet and the pressure on traditional enforcement
mechanisms along with it, various alternative approaches to Internet governance have
been put forward, however, with little influence or success in the international context
(Sect. 2.1). While a legal data protection regime with a global scope therefore appears
to be the most suitable instrument to meet the new challenges, such a global regime
remains a distant goal. However, different regional laws have been adopted, of which
the European Union’s Directive 95/46 is often seen as the most influential due to its
wide international impact and broad territorial scope, and its successor is expected to
have similar influence (Sect. 2.2). The second part (Sect. 3) will present relevant case
law of the European Court of Justice (ECJ) in the context of the external dimension
of European data protection law, which will also reveal the Court’s impact on the
provisions of the GDPR. Drawing on these findings, the third section (Sect. 4) will
4 For first-hand insights into this procedure by the rapporteur for the General Data Protection
Regulation in the European Parliament see Albrecht and Jotzo (2017), pp. 40–44.
5 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on
the protection of natural persons with regard to the processing of personal data and on the free
movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation),
Official Journal L 119/1.
6 Dammann (2016), p. 314.
7 Albrecht (2016), p. 289.
8 Giesen (2016), p. 23.
9 ‘Perforated’ in the sense that instead of setting one consistent data protection standard for all the
EU Member States, as originally intended, the legal act contains various provisions allowing for
additional concretizing, specifying, or even deviating national legislation (’opening clauses’). It
is difficult to say how wide the national margin of maneuver is as the opening clauses are quite
different in their wording and scope. The possibilities and limits of national legislation within the
framework of the GDPR have been subject to debate since the publication of the final version of the
legal act. See, for instance, Wagner and Benecke (2016), pp. 353–361. By now, all twenty-seven
Member States have adopted national legislation to “fill” these “gaps” and the remaining countries
have published drafts.
10 Rather critical: Roßnagel (2016), p. 561, Zarsky (2017), p. 995.
448 R.-D. Veit
then focus on the GDPR and shed light on the extraterritorial mechanisms it provides,
the new territorial scope (Sect. 4.1) as well as the third-country data transfer regime
laid down in Chapter V of the regulation (Sect. 4.2), in order to assess whether the
updated European regime pursues a feasible approach to the enforcement of data
protection rights on the Internet that is normatively justified. Finally, the findings
will be summarized (Sect. 5).
While the challenges to the enforcement of law and rights in an interconnected online
world cannot be limited to a specific field of law, it is in the context of personality
and data protection rights that they are particularly evident. The anonymity in public
Internet fora offers ideal conditions for uninhibited behavior of their users, including
hate speech and slander, and raises the question of how and to what extent we should
safeguard the personality rights of the affected users,11 particularly when infringe-
ments occur in cross-border constellations (for example, on international social media
platforms) with different notions of how to balance freedom of expression and the
personality rights involved.12
With respect to privacy and data protection rights,13 the dynamic development
of new information and communication technologies that rely on global networks,
notably the Internet, and their ever-increasing use in all aspects of human life generate
massive flows of data across borders, including personal information relating to the
users. This globalization of data and information movements is complemented and
11 To counter issues such as online hate speech, libel, slander, and defamation, Germany passed the
Network Enforcement Act, Gesetz zur Verbesserung der Rechtsdurchsetzung in sozialen Netzwerken
(Netzwerkdurchsetzungsgesetz, NetzDG), 1 September 2017, BGBl. I p. 3352. This law introduces
an obligation for telemedia service providers to maintain a procedure that allows them to remove
or block access to content that is “manifestly unlawful” within 24 h of receiving the complaint.
On the NetzDG see Schulz (2022), in this volume. For alternative approaches to tackle offensive
communication online with a self-regulatory emphasis see Ladeur (2013), pp. 283–286; Hartmann
(2022), in this volume.
12 Even in the EU, where legal cultures are relatively homogeneous, no consensus on this question
could be found and jurisdictions are not so clear-cut. On this matter see Márton (2016). On the
legal landscape in Brazil with comparative accounts see Lana de Freitas Castro and Pereira Winter
(2014).
13 Data protection and privacy are related to each other but at the same time distinct rights; data
protection is a predominantly European concept and is both broader and narrower than privacy. It is
narrower because it protects privacy only as far as personal information and data are concerned, and
it is broader because it does not solely serve the protection of privacy but encompasses a “complex
bundle of interests and legal positions aiming at protection the individual in his or her sociality,”
see Albers (2014), pp. 224–229. On the distinction of the concepts in the jurisprudence of the ECJ
and the European Court of Human Rights see Kokott and Sobotta (2013), pp. 222–228.
Safeguarding Regional Data Protection Rights on the Global Internet … 449
accelerated by the constant and rapid emergence of new data processing technolo-
gies (such as big data and its algorithm-based analysis) and appliances (‘Internet of
Things’ or rather ‘Internet of Everything’) that notwithstanding their obvious benefits
also bear new challenges and (at least in part) require new regulatory approaches.14
In the social dimension, it is safe to assert that we find ourselves in an information
society where the distinction between the public and private domain has become
blurred and individuals are no longer mere ‘victims’ of the data collectors but are
actively involved in the generation and cross-border transfer of data by shifting
everyday activities into the online world.
While the necessity of the free movement of data and information across borders
for the expansion of international trade and cooperation is generally undisputed,15 this
new digital reality also presents new risks and dangers for the individual’s personal
rights and freedoms. The ubiquitous and no longer point-to-point but network-like
flow of information and data across the globe naturally goes hand in hand with
the individual to whom the information relates losing knowledge and control over
who is processing which data for what purposes—and to whom and for how long
this personal information and data shall be accessible.16 The lack of transparency
of the collection, processing, and (potentially transboundary) transfer of personal
data and information impedes the free development of the individual; it encourages
self-censorship and “social cooling”17 and thereby also entails negative impacts on
democratic processes.18 The recent data scandal involving Facebook and Cambrige
14 Traditional (European) data protection paradigms such as the focus on personal data as well as
the principle of purpose limitation appear to be opposed to the rationalities of, for example, big
data analysis. For its (possible) incompatibility with the GDPR see, for instance, Zarsky (2017),
pp. 1004–1018. For constructive ideas in this regard see Ladeur (2013), pp. 286–287, who suggests
that the regulatory focus of data protection laws should no longer be on the individual, but on
networks and the collective effects of the processing of data flows. Also see Broemel and Trute
(2016), p. 50.
15 The GDPR acknowledges this in recital 101. More generally, Article 1(1) GDPR reflects the dual
objectives of EU data protection law: the protection of personal data and the free movement of such
data. Likewise, Article 3 VIII of the Marco Civil da Internet lays down the freedom to do business
as a principle underlying Internet governance in Brazil.
16 The easy accessibility of potentially outdated or even false personal information and data for an
indefinite period of time, especially through Internet search engines, has initiated a debate over the
need and possibilities of ‘forgetting on the Internet.’ This debate was fueled by the EU Commission’s
GDPR proposal that in its Article 17 provided for a ‘right to be forgotten and to erasure.’ The matter
attracted further attention when the European Court of Justice in its Google judgement also used
this terminology, see ECJ, C-131/12, Google Spain v González, judgment of May 13, 2014, paras
89–99, accessible under http://curia.europa.eu. This ruling was received quite controversially in
German and Brazilian scholarship. However, the right to be forgotten is not to be missunderstood
as being just a synonym for the right to deletion. See for closer considerations on this subject Sarlet
(2022), in this volume, and Schimke (2022), in this volume.
17 Social cooling as a result of a latent fear of being surveilled was the main topic at the last congress
acting parties know about each other. When one party has to fear a profound informational imbal-
ance, they will be inhibited in the outright expression of their thoughts and opinions, which can, in
turn, affect democratic processes. See Boehme-Neßler (2015), pp. 1282–1287.
450 R.-D. Veit
Analytica has demonstrated the severity of the repercussions that the uncontrolled,
nontransparent collection and analysis of personal information and data can have. In
light of the Snowden revelations concerning the scale of global surveillance practices
of various states that have fueled the adoption of legal responses in various regions
of the world, including the EU19 and Brazil,20 this lack of transparency and loss of
control gain yet another dimension that is well captured by Orwell’s famous metaphor
of Big Brother potentially eavesdropping at any moment:
There was of course no way of knowing whether you were being watched at any given
moment. How often, or on what system, the Thought Police plugged in on any individual
wire was guesswork. It was even conceivable that they watched everybody all the time.21
19 In David Bernet’s film “Democracy—Im Rausch der Daten,” a documentary about the legislative
process of the GDPR, Jan Philipp Albrecht states that Snowden’s disclosures were crucial to the
adoption of the law.
20 Both the lawmaking process of the Brazilian Internet Bill of Rights (Marco Civil da Internet)
and the Data Protection Draft Bill 5,276/2016 were impacted by the Snowden revelations. For
insights into the legislative process of the Marco Civil and the ‘Snowden effect’ on it see Rossini
et al. (2015), pp. 5–7. Draft Bill 5,276/2016 was one three different draft bills on data protection in
Brazil, and it was advanced thanks to the Federal Ministry of Justice, which returned to prioritizing
the issue as a result of the Snowden leaks. For this, as well as for an overview on the different draft
bills, see de Souza Abreu et al. (2016) pp. 18–29. The General Law on the Protection of Personal
Data (Lei Geral de Proteção de Dados Pessoais) is based on Draft Bill No. 5,276/2016, but also
contains elements of the other drafts. For more detail see below Footnotes 52, 53.
21 Orwell (2016), p. 3.
22 Albers (2014), pp. 227–229.
23 For an overview of the existing data protections law see Greenleaf (2017), pp. 10–13. This
diversity of legal frameworks is, at least in part, rooted in the different models of data protection
that are commonly used across the globe and can be distinguished as comprehensive, sectoral,
self-regulatory, and technology-based, see Curtiss (2016), p. 106.
Safeguarding Regional Data Protection Rights on the Global Internet … 451
array of (sometimes conflicting) legal provisions with which they should be eager
to comply in order to avoid sanctions. This all illustrates the urgent necessity of
effective international data protection governance.
These technical, economic, and social developments all call for a solid, and most
importantly, transnationally effective response to ensure privacy and data protection
rights in the digital sphere. However, Internet governance is generally a complex
matter as the Internet and law have opposite structural characteristics; while the
Internet is global and rather dynamic, law is traditionally national and slow to adapt
to those dynamic changes. The most obvious and also most developed approach to
dealing with this tension between the global dimension of the Internet and the limited
territorial reach of (national) law is to place domestic or regional legal instruments on
the international platform and to work toward a legal framework with a global scope.
However, since the rise of the Internet, different alternative suggestions regarding its
governance have been put forward, two of which will be presented briefly, since they
could also be considered in the context of international data protection regulation.
One relatively early idea as to how to respond to the rationalities of the new
global phenonemon/network was to establish a separate (self-regulatory) regime for
cyberspace as a new ‘fourth legal dimension’ with its own universally applicable
rules and voluntary arbitration, irrespective of (national) jurisdictional boundaries.24
While such an approach is indeed innovative in the sense that it breaks with tradi-
tional governance paradigms and also offers solutions to the problems of conflicting
jurisdictions and the diversity of notions about privacy and data protection, it is in line
with neither the political nor the legal reality and also raises questions about legiti-
macy. Establishing a separate jurisdiction for the Internet with its own institutional
control would require national states and other political entities to delegate not only
their legitimate democratic power but also their obligation to uphold the rule of law
(at least in part) to private institutions. Regardless of the question of its desirability,
such an institutional shift is more than unlikely, particularly since nations and other
24 For that (early) idea see Johnson and Post (1996), p. 1367 as well as Mayer (1996), pp. 1789–
1790. On a similar note, but more recently and in the specific context of data protection law,
the suggestion was made to install self-organized private institutions (‘information brokers’) as
representatives of the hybrid public–private interests of Internet users which transcend the users’
individual limited privacy concerns and put the focus on the trans-subjective components of data
processing on the Internet, see Ladeur (2013), p. 287. This idea deserves further contemplation but
it also raises questions about legitimacy. Possibly, the decisions of these self-organized institutions
could ultimately be subject to the jurisdiction of state courts in order to enhance the democratic
legitimacy of the institutions. This way, the democratically constituted political entities would not
entirely outsource their (often) constitutional obligation to protect their citizens.
452 R.-D. Veit
political entities have already passed extensive Internet laws, implicitly rejecting the
idea that the Internet is a field beyond the scope of their power.25
Another alternative approach to reconciling the conflicting characteristics of the
Internet and law is to restructure the former along the physical national borders
by imposing territorial restrictions through technical means (‘re-territorialization of
the Internet’)—a suggestion with a trajectory quite contrary to granting the Internet
its own jurisdiction. The interim injunctions of a French court in the Yahoo! case in
200026 first sparked the discussion about using the techniques of zoning and geoloca-
tion to ‘re-territorialize’ the global network.27 However, the feasibility and accuracy
of these techniques were disputed soon after, and they are considered ineffective
because the restrictions they impose can easily be circumvented.28
As a consequence of Edward Snowden’s disclosures about the spying practices
and techniques especially in the U.S., the idea to restructure the Internet along (supra-)
national lines was reignited; the reactions to the surveillance scandal were particularly
vigorous in Germany and Brazil since the confidential documents revealed that top-
ranking politicians including Chancellor Merkel and President Rousseff were directly
affected.29 In Germany, Telekom AG suggested establishing ‘national routing’ or
‘Schengen routing’, meaning that when both sender and recipient are located within
national or EU territory, the data will not be routed via the U.S.30 Angela Merkel even
went so far as to demand a separate communications network for the EU altogether.31
Although the argument in favor of such ‘data nationalism’32 seems to be evident—
more protection against third-country spying—the idea is no longer being pursued,
at least not in the sense in which it was originally proposed.33 National routing, like
the techniques of zoning and geolocation, would lead to a decentralization of the
Internet, which is entirely contradictory to its open and freely accessible structure.
This openness is not only crucial to the dynamic processes of digitalization and
25 For this reason, among others, the idea of the Internet as its own territory was rejected quite soon
after it was first suggested. See Miller (2003), p. 234.
26 Tribunal de Grande Instance de Paris, N° RG: 00/05308, LICRA v. Yahoo! Inc. and Yahoo France,
its access accordingly, and geolocation is a procedure that makes it possible to assign IP addresses
to geographical locations, see Hoeren (2007), pp. 3–6.
28 Hoeren (2007), pp. 5–6. That is not to say that such techniques are not employed at all in the
context of data protection. Google, for instance, uses Geoblocking to ensure that de-referencing is
effective in all Member States, see ECJ, C-507/17, CNIL, Judgment of 24 September 2019, para
32, accessible under http://curia.europa.eu.
29 This also sparked the idea for a new exclusive Internet cable between Brazil and Europe, see
Cáceres (2014).
30 For a detailed description of the progression of this debate (not just) in Germany see Geminn
2092.
33 For chances of the re-territorialization paradigm surviving see Büttner et al. (2016), pp. 149–151.
Safeguarding Regional Data Protection Rights on the Global Internet … 453
a central value for various social realities,34 but it can also catalyze democratic
processes, as became apparent in the Arab Spring. Finally, the Snowden revelations
have shown that large-scale data-sharing is taking place between EU intelligence
services and those of third countries,35 which casts further doubt on the effectiveness
of re-territorializing the Internet.
In conclusion, despite their theoretical appeal, neither the idea of an entirely
separate jurisdiction for the Internet nor its re-organization along national lines have
had a lasting influence on Internet governance in general and international data
protection governance in particular.
In the absence of feasible alternatives that provide effective protection of privacy and
data protection rights in an environment of global flows and ubiquitous processing of
personal data, the only adequate response to the enforcement issues outlined above
appears to be a harmonized, globally applicable and enforceable legal framework.
However, despite calls from a broad variety of stakeholders36 and with the number
of national omnibus data protection laws growing constantly,37 there is, as it stands,
no binding and therefore effective global regime in place38 and there is little chance
that this objective will be achieved in the foreseeable future. The main obstacle to
APEC Framework is “the most promising foundation” to build on, see Fleischer (2007). At their
annual conferences the world’s privacy and data protection commissioners have passed various
resolutions dealing with international data protection standards and cross-border enforcement,
among them the 2009 Madrid Resolution on “International Standards on the Protection of Personal
Data and Privacy”, accessible at https://globalprivacyassembly.org/wp-content/uploads/2015/02/
The-Madrid-Resolution.pdf (accessed 11 Jan. 2022). Its supporters also include civil society coali-
tions that have organized conferences discussing global privacy standards, see, for example, http://
thepublicvoice.org/2009/07/global-privacy-standards-in-a-global-world-1.html (accessed 11 Jan.
2022).
37 For an overview of this development see Greenleaf (2017), pp. 10–13. In 2018, Brazil passed
a much-anticipated General Law on Data Protection (Lei Geral de Proteção de Dados), which is
clearly inspired by the GDPR and also has a comprehensive approach. Before this law was adopted,
the legal landscape was rather piecemeal with provisions in various sectoral laws. On this see
Doneda and Mendes (2014), pp. 3–20.
38 The UN has taken several steps toward a global framework: in 1990, the Guidelines for the
Regulation of Computerized Personal Data Files (Resolution 45/95) were adopted and in 2013,
the General Assembly passed a resolution affirming the application of the right to privacy online
(Resolution 68/167). In addition, the UN Human Rights Commission is working to promote the right
to privacy in the digital age and appointed a Special Rapporteur on the right to privacy in 2015, see
http://www.ohchr.org/EN/Issues/DigitalAge/Pages/DigitalAgeIndex.aspx (accessed 11 Jan. 2022).
However, all of these measures are non-binding and have had little practical impact. Nevertheless,
454 R.-D. Veit
the achievement of this goal is the diversity of ideas about privacy and data protec-
tion across the globe, which is not only rooted in different cultural and historical
backgrounds but is also owed to particular political and economic interests.39
Significant progress with regard to the harmonization of data protection standards,
however, has been made at the regional, supranational level. Among the various
frameworks from different multinational organizations that have been adopted since
the 1980s,40 the European Union’s first data protection act, Directive 95/46, stands
out in two ways. Firstly, by way of its provisions on international data transfers, the
Directive introduced a ‘border control’ of data flows and thereby indirectly expanded
its influence even beyond the territory of the EU.41 Secondly—and most likely as
a consequence of its extraterritorial reach—, this legal act has had an outstanding
impact on privacy and data protection legislation throughout the world, serving as
the basis for most of the international privacy laws in the last two decades,42 and is
considered to be “the most influential body of data protection worldwide.”43
However, regardless of its unprecedented role as an international benchmark for
privacy and data protection legislation, Directive 95/46 was drafted at a time when the
World Wide Web was still in its infancy and people were not aware of, and could not
foresee the aforementioned challenges. For obvious reasons, including its territorial
scope,44 an update of the framework was therefore overdue.
As the European General Data Protection Regulation came into force in May
2016 and has applied since 25 May 2018, the time for this update has come. This
some authors promote the UN guidelines as the most promising basis for an international regime,
see de Hert and Papakonstantinou (2013), pp. 323–324.
39 While in the EU both privacy and data protection are constitutionally guaranteed fundamental
rights that are assumed to also owe their existence to the experiences of Nazi surveillance during
World War II, there are no explicit equivalents in, e.g., the U.S. constitution, Cunningham (2016),
p. 422. The strong opposition to a comprehensive data protection framework in the U.S. derives
from various factors, including the high value placed on the principles of free speech as well as the
traditional reliance on market-based solutions, see Cunningham (2013), p. 447, who also asserts that
the U.S. is nevertheless slowly conforming to the EU approach. The profitable and rapidly growing
data aggregation industry in the U.S. most likely also adds to the reluctance of the government to
establish a comprehensive regime.
40 The most important regional privacy data protection frameworks are the OECD Privacy Guide-
lines, the Council of Europe’s Data Protection Convention 108, the Asia Pacific Economic Coop-
eration (APEC)’s Privacy Framework, and the Economic Community of West African States
(ECOWAS) Supplementary Act on Personal Data Protection. For the history and gradual devel-
opment of the regional and international sources of data protection law, see de Hert and Papakon-
stantinou (2013), pp. 274–288. In May 2018, the Committee of Ministers of the Council of Europe
adopted an amending protocol to modernize the Data Protection Convention 108, which is now
open for signature. The consolidated text of the modernized treaty is available online at https://sea
rch.coe.int/cm/Pages/result_details.aspx?ObjectId=09000016807c65bf (accessed 15 Dec. 2021).
41 See Chapter IV of the Directive.
42 Cunningham (2016), pp. 426–428. Also see Greenleaf (2012), pp. 72–79.
43 Kuner (2014), p. 55. With reference to Directive 95/46, the EU has also been referred to as “the
decisive leader not only for EU Member Nations, but worldwide,” Cunningham (2013), p. 427.
44 Kranenborg (2014), p. 241 rightly points out that the scope did not necessarily cover modern data
new (general) Regulation is the main instrument of the European data protection
law reform45 and shall apply equally in every Member State,46 replacing not only
Directive 95/46 itself but also to a great extent the national frameworks that are to
this day largely determined by it.
Unsurprisingly, EU representatives expect this new legal act to have influence on
the global developments of data protection law similar to that of its predecessor;
some even go so far as to claim that it will “change the world as we know it.”47
In scholarship, the majority tends to share this view and to confirm that the GDPR
has a highly influential role in the global context,48 while others criticize it for its
lack of pluralistic openness and assert that the EU approach is increasingly insular.49
However, in light of the broad influence of the European standards on national data
protection laws worldwide,50 there is no reason to fear that the EU will become
isolated in international data protection governance. On the contrary, it is the states
that refuse to adopt comprehensive regimes that increasingly find themselves on the
sidelines.51 The General Law on Data Protection (Lei Geral de Proteção de Dados,
LGPD)52 in Brazil can be considered an indication of the continuing influence of the
EU regime also under the GDPR. The content and structure of this comprehensive
framework are to a great extent clearly inspired by the European legal act.53
45 Along with the GDPR, the EU has passed two more legal acts to regulate data protection in
specific sectors: Directive (EU) 2016/680 for the area of crime investigation and prosecution and
Directive (EU) 2016/681 for the field of passenger name record (PNR) data. As part of the Digital
Single Market policy of the Juncker Commission, a proposal for a third act, the ePrivacy regulation,
has been published, which is intended to complement the GDPR with respect to data protection in
electronic communication, see COM(2017) 10 final.
46 The legal act, however, contains numerous ‘opening clauses’ that allow or even demand additional
the GDPR’s worldwide influence will be most visible in the private sector.
49 Kuner (2014), p. 65 demands that the GDPR should include a provision requiring the Commission
to consider the enactment by third countries of regional or international data protection instruments
when assessing the adequacy of their standards. This statement, however, disregards Article 45(2)(c)
GDPR, which explicitly mentions the international commitments or other obligations entered into
as a criterion to be taken into account when assessing the adequacy.
50 See Greenleaf (2012), pp. 72–77.
51 For the example of the U.S. see Cunningham (2013), pp. 452–453.
52 Lei Nº 13.709, de 14 de Agosto de 2018, Dispõe sobre a proteção de dados pessoais e altera a Lei
nº 12.965, de 23 de abril de 2014 (Marco Civil da Internet), Official Journal of the Union (Diário
Oficial da União), section 1, Nr. 157, Wednesday, 15 August 2018, pp. 59–64.
53 Before the enactment of the LGPD, there were three draft bills on data protection from different
authors competing for adoption: bills No. 4.060/2012, 330/2013, and 5.276/2016, of which bill
No. 5.276/2016, an initiative by the Ministry of Justice, was the one that was the closest to the
EU approach. The content of the adopted LGPD mainly follows the patterns of former draft bill
5.276/2016, but also contains elements of draft bills 4.060/2012 and 330/2013, which were all
merged during the legislative process. On this see Mangeth and Marinho Nunes (2018).
456 R.-D. Veit
While the GDPR mostly appears to be little more than an updated version of
Directive 95/46, it also comes with substantive and institutional innovations, among
them concepts of non-European origin such as privacy impact assessments as well
as privacy by design and by default,54 new individual data protection rights,55 but
also new mechanisms to ensure more effective transborder enforcement within the
EU.56 With respect to its extraterritorial application, the GDPR continues with the
patterns of the Directive but also introduces new features, and the new penalty regime
certainly discourages indifference. However, before these extraterritorial instruments
are presented and their feasibility and legitimacy are assessed (Sect. 4), an overview
of the ECJ’s jurisprudence on the external dimension of EU data protection law will
be given, as it shaped the regime in a major way and also influenced the content of
the GDPR.
54 See Articles 35 and 25 GDPR. The introduction of these concepts does indeed reflect the Regu-
lation’s consideration of and openness to privacy policies from all over the world, see Schwartz
(2013), p. 2002.
55 Such as the ‘right to be forgotten’ or the right to data portability, see Articles 17 and 20 GDPR.
56 These are the introduction of a one-stop shop with a lead supervisory authority (Article 56 GDPR)
as well as the cooperation and consistency mechanisms (Article 60; 63 GDPR). On these as well as
the entire institutional control system under the GDPR see Schantz and Wolff (2017), pp. 295–335.
57 For an overview of the ECJ’s jurisprudence in the field of data protection before and after the
coming into force of the Charter of Fundamental Rights see Skouris (2016), pp. 1359–1364.
58 Charter of Fundamental Rights of the European Union, 2012/C236/02, Official Journal C 326/391.
For a closer look to the substantive content of the fundamental rights to data protection guaranteed
in Article 8 CFR see Reinhardt (2022), in this volume.
Safeguarding Regional Data Protection Rights on the Global Internet … 457
In Lindqvist,59 the ECJ first dealt with the third country data transfer regime under
Directive 95/46 and took a rather cautious stance. The judgment from 2003 held that
it does not constitute a data transfer to a third country60 when an individual in a
Member State uploads personal data onto a website that is also hosted within the
EU, even if this website is accessible to anyone with an Internet connection. In its
reasoning, the Court established that if in such a case a third country data transfer
were to occur, the exception of Article 25 Directive 95/46 would turn into a general
rule for the Internet, making the whole network subject to European Data Protection
Law.61
Little of this reserved stance, however, was apparent in the subsequent judgments
of the Court in the matter. In Digital Rights Ireland,62 the Court declared the former
Data Retention Directive 2006/2463 to be invalid due to violations of Article 7 and
8 CFR; the external dimension of European data protection law was therefore not
directly at issue. However, the Court also based the invalidity partly on the fact that
the Directive did not require the data to be stored within the EU, which, in turn, meant
that the constitutionally required control, as laid down in Article 8(3) CFR, would
not be ensured.64 This passage of the judgment indeed implied that the Court took the
view that the constitutional requirement of institutional control of data processing
deriving from Article 8 CFR also applies to data that is transferred from the EU to
third countries.65
A landmark judgment that was published only one month later and attracted global
attention, inter alia, due to its implications for the scope of European data protection
law, is Google Spain.66 In this judgment, the Court established a broad territorial
scope of Directive 95/46, finding that it applies to the activities of a search engine
operated by an enterprise that is seated outside EU territory but has an establishment
in an EU Member State promoting and selling advertising space and directing its
services toward the population of that Member State.67 According to the Court, “the
European Union legislature sought to prevent individuals from being deprived of
the protection guaranteed by the directive […] by prescribing a particularly broad
http://curia.europa.eu.
63 Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on
the retention of data generated or processed in connection with the provision of publicly available
electronic communications services or of public communications networks and amending Directive
2002/58/EC, L 105/54.
64 ECJ, Footnote 62, para 68.
65 Kuner (2014), p. 63. The Court confirmed this interpretation in later judgments, particularly in
under http://curia.europa.eu. On another major aspect of the judgment see above, Footnote 16.
67 ECJ, Footnote 66, para 55.
458 R.-D. Veit
territorial scope.”68 Methodologically, it based its broad interpretation on the fact that
the Directive’s goal is to guarantee the effective protection of fundamental rights,69
reaffirming the extraterritorial dimension of the fundamental rights to private life and
to data protection first established in Digital Rights Ireland. However, the ECJ did not
make clear how far exactly this “broad territorial scope” reaches or where its limits
are. In its recent judgment in CNIL,70 the Court specified the territorial boundaries of
the “right to de-referencing” as established in Google Spain. It held that internet users’
access – including those outside the Union – to the referencing of a link referring to
information regarding a person whose center of interests is situated in the Union is
likely to affect that person within the Union itself and that this consideration may, in
general, justify the existence of a competence of the EU legislature to lay down an
obligation for search engine operators to carry out a de-referencing on all versions
of the search engine.71 Following an analysis of both Directive 95/46 and the GDPR,
however, the Court came to the conclusion that, currently, EU data protection law does
not contain such an obligation.72 Nevertheless such de-referencing shall, in principle,
be carried out in respect of all the Member States73 and, what is more, national
authorities of the Member States remain competent to order, where appropriate and
according to national standards of protection, search engine operators to carry out a
de-referencing concerning all versions.74
Certainly one of the most significant rulings of the ECJ with relation to the third
country data transfer regime of the EU is Schrems,75 which, much like Google Spain,
sparked a global public reaction. The two main holdings of the Court were (1) that an
adequacy decision of the Commission pursuant to Article 25(6) Directive 95/46 does
not preclude national data protection authorities from overseeing data transfers to
third countries and (2) that the Commission’s Decision 2000/52076 establishing that
the variety of national values among the Member States, more specifically the potentially divergent
interests of the public in accessing information. Constitutionally, this is in line with, inter alia, Article
53 CFR according to which nothing in the Charter, including Article 8 CFR, shall be interpreted
as restricting human rights and fundamental freedoms as recognised, in their respective fields of
application, inter alia, by the Member States’ constitutions.
75 ECJ, C-362/14, Maximillian Schrems v Data Protection Commissioner, Judgment of 6 October
European Parliament and of the Council on the adequacy of the protection provided by the safe
harbor privacy principles and related frequently asked questions issued by the U.S. Department of
Commerce (notified under document number C(2000) 2441) (Text with EEA relevance), Official
Journal L 215.
Safeguarding Regional Data Protection Rights on the Global Internet … 459
the Safe Harbor Principles issued by the U.S. Department of Commerce77 provided
an “adequate level of protection” as required by Article 25(1) Directive 95/46 is
invalid.
In the context of their first holding, the European judges strengthened the position
of the national supervisory authorities in stating that, in accordance with Article 8(3)
CFR, they are “vested with the power to check whether a transfer of personal data
from its own Member State to a third country complies with the requirements laid
down by Directive 95/46.”78 After defining criteria for the assessment of the adequacy
of a third country’s data protection rules,79 the judges, as in Digital Rights Ireland,
invalidated the Commission’s decision because of its violation of the fundamental
rights guaranteed by Articles 7, 8 and 47 CFR.80 Their main considerations for this
finding were that the Commission’s decision did not establish that U.S. law provided
for an effective redress for EU citizens, nor for any limitation on the powers of the
U.S. public authorities to interfere with these rights.81 The Court held that legislation,
such as Decision 2000/520, that authorizes storage of all the personal data of all
the persons whose data has been transferred from the EU to the U.S. without any
differentiation, limitation, or exception being made, is not limited to what is strictly
necessary which, however, is a requirement of Article 8 CFR.82 It further established
that the generalized, unlimited access by public authorities to the content of electronic
communications compromises the core of the fundamental right to private life laid
down in Article 7 CFR,83 but remained silent as to the essence of the right to data
protection.
On the same note, the Court once more reaffirmed the extraterritorial dimension
of Article 8 CFR in finding that the adequacy assessment “implements the express
obligation laid down in Article 8(1) of the Charter to protect personal data and […]
is intended to ensure that the high level of that protection continues where personal
data is transferred to a third country.”84
the ECJ also found the U.S. authorities’ access to data to be incompatible with the EU standards of
purpose limitation and proportionality that are also set out in Article 8 CFR, see ibid. para 90.
83 ECJ, Footnote 75, para 94. Interestingly, the European Court of Human Rights (ECtHR) recently
ruled that it does not necessarily have to be the content of data that leads to an infringement, but
that the combination of metadata may give as much information about an individual. See below,
ECtHR, Footnote 208.
84 ECJ, Footnote 75, para 72. In another passage, the Court states that if the supervisory authorities
were bound by an adequacy decision, persons whose data has been or could be transferred to the
third country concerned would be denied their rights guaranteed by Article 8(1) and (3) of the
Charter, see ECJ, Footnote 75, para 58, and thereby stresses the extraterritorial dimension of the
institutional control.
460 R.-D. Veit
The demise of the Safe Harbor Agreement, however, does not mark the end of
international data transfer agreements of the EU being challenged before the ECJ.
The EU-U.S. Privacy Shield, the successor of the Safe Harbor Agreement,85 has
already been brought before the Luxembourg Court by privacy activist groups.86
Moreover, the Irish Commercial High Court in October 2017 rendered a judgment
in which it raised doubts as to the validity of the Standard Contract Clauses (SCC)
decisions of the Commission with respect to data transfers from the EU to the U.S.,
and announced the referral of the matter to the ECJ for a preliminary ruling.87 After
taking her time to consider all of the submissions by those party to the proceedings,88
the Justice referred the case to the Court in May 2018,89 shortly before the GDPR
came into force.
In July 2020, the ECJ published its decision in this case, another landmark judg-
ment, which in scholarship is often referred to as Schrems II.90 In accordance with the
extensive questions referred, the Court did not limit itself to ruling on the validity of
the SCC Decision91 but decided on other substantive aspects of the external dimen-
sion of EU data protection law as well, including the interpretation of Article 46
GDPR as well as the validity of the Commission’s Decision 2016/1250 implementing
the EU-U.S. Privacy Shield.92
In the context of its second holding, the ECJ stated that the provisions of the GDPR
dealing with data transfers to third countries (Chapter V) “are intended to ensure the
continuity of [the level of protection guaranteed by the GDPR] where personal data
is transferred to a third country” and that this level of protection must be guaranteed
Judgment of 16 July 2020, accessible under http://curia.europa.eu. Before responding to the ques-
tions referred, the judges pointed out that and why those must be answered in the light of the
provisions of the GDPR rather than those of the Directive, see paras 77–79.
91 2010/87/: Commission Decision of 5 February 2010 on standard contractual clauses for the
transfer of personal data to processors established in third countries under Directive 95/46/EC of
the European Parliament and of the Council, Official Journal, L 39/5.
92 Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 pursuant to Directive
95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided
by the EU-U.S. Privacy Shield (notified under document C(2016) 4176) (Text with EEA relevance),
Official Journal L 207/1.
Safeguarding Regional Data Protection Rights on the Global Internet … 461
irrespective of which provision of the chapter serves as legal basis for the transfer.93 In
relation to the institutional dimension, the Court further strengthened the position of
the national supervisory authorities by way of holding them competent (and obliged),
unless there is a valid adequacy decision in place,94 to suspend or prohibit a data
transfer to a third country pursuant to SCCs adopted by the Commission, if those
clauses are not or cannot be complied with in that third country and where the
controller or processor has not itself suspended the transfer.95 With regard to the
SCC Decision of the Commission, the ECJ, following an analysis of the guarantees
contained in the standard data protection clauses in the annex to the Decision, ruled
that it does not violate Articles 7, 8 and 47 CFR and is therefore valid.96 In their
reasoning, the judges state that the fact that these clauses do not bind the authorities
of third countries may, depending on the third country in question, entail the necessity
for the controller or processor established in the EU to supplement the guarantees
contained in the standard clauses, but it cannot affect the validity of the Commission’s
decision.97 Thus, the Court emphasized the individual responsibility of the controllers
and/or processors. In its last holding, however, the Court ruled that Decision (EU)
2016/1250 implementing the EU-U.S. Privacy Shield is invalid.98 After a detailed
analysis of both the provisions and recitals of the Privacy Shield Decision and the
applicable US national law, the judges came to the conclusion that the Commission,
in finding that the US ensures an adequate level of protection under the EU-US
Privacy Shield, disregarded the requirements of Article 45(1) GDPR read in the light
of Articles 7, 8 and 47 CFR.99
Another instance in which the ECJ dealt with the EU data protection regime in
the context of data transfers to third countries was in its Opinion on the draft EU-
Canada PNR agreement issued in July 2017.100 The Court was called upon by the
European Parliament pursuant to Article 218(XI) TFEU101 to give its opinion on the
compatibility of the planned agreement between the EU and Canada on the transfer
93 ECJ, Footnote 90, paras 93 and 92. For more details on Chapter V and the Court’s holdings in
this context see below, Sect. 4.2.
94 If there is a valid adequacy decision and a complaint is lodged by a person, the authorities remain
competent to examine whether the transfer in question complies with the requirements laid down
by the GDPR and, if relevant, bring an action before the national courts, see para 120.
95 ECJ, Footnote 90, paras 106–122.
96 ECJ, Footnote 90, paras 137–149.
97 ECJ, Footnote 90, paras 123–136.
98 ECJ, Footnote 90, para 201. The Court found the validity of Decision (EU) 2016/1250 to be
relevant for the purposes of assessing both the obligations of the controller and recipient of personal
data transferred to a third country pursuant to the Standard Contract Clauses and also any obligations
to which the supervisory authority may be subject to suspend or prohibit such a transfer, see ECJ,
Footnote 90, para 154.
99 ECJ, Footnote 90, paras 162–199. For more details on the reasoning see below, Sect. 4.2.2.
100 ECJ, Opinion 1/15, Draft EU-Canada PNR agreement, Opinion of 26 July 2017, accessible
under http://curia.europa.eu.
101 Consolidated version of the Treaty on the Functioning of the European Union, Official Journal
C 326/47.
462 R.-D. Veit
of passenger name record data, and it ruled that the draft, in its current form, must
not enter into force because several of its provisions are incompatible with Articles
7, 8, 21, and 52 CFR.102 While, as an international agreement generally constituting
a “legitimate basis laid down by law” as required under Article 8(2) CFR,103 the
draft, according to the judges, in many aspects fails to limit the interferences with
these rights to what is strictly necessary, among other reasons,104 because it is not
sufficiently precise as regards the scope of PNR data to be transferred105 and because
it permits the transfer of sensitive data to Canada as well as the use and retention of
such data by the Canadian authorities.106
With respect to the external dimension of European data protection law, the judges
held that Article 8 CFR “requires, inter alia, that the high level of protection of
fundamental rights and freedoms conferred by EU law continues where personal
data is transferred from the European Union to a non-member country,”107 however
also restating that the means to provide for an equal standard may differ.108 To further
justify this holding, the Court referred to the Charter’s preamble in which the fourth
paragraph states the necessity “to strengthen the protection of fundamental rights
in the light of changes in society, social progress and scientific and technological
developments.”109 Furthermore, the Canadian authorities were only to be allowed
to transfer the PNR data to authorities in other third countries if those countries
provided for an essentially equivalent level of protection.110
In conclusion, the European Court of Justice has played a fundamental role both
in shaping the substantive content and expanding the external dimension of the Euro-
pean data protection regime. After taking a rather cautious stance at first, it subse-
quently started to widen the territorial scope with regard to the EU (Google, CNIL)
as well as increasingly reaffirm the international data transfer regime (Digital Rights,
Schrems I & II, and EU-Canada PNR agreement). Throughout all the judgments, the
main consideration was the fundamental right to data protection (and its concretiza-
tion in the GDPR), which would lose its effectiveness and could easily be circum-
vented if the high standard of protection it provides ended at the European territorial
border. As will be established below, the judgments also affected the content of the
102 It was the first time that the ECJ decided on the compatibility of a draft international agreement
with the fundamental rights laid down in the Charter. Opinion 1/15 therefore has implications for
other agreements on international data transfers such as the PNR agreement with the USA.
103 ECJ, Footnote 100, paras 145–147.
104 For an overview of the other reasons given and amendments required by the ECJ see Docksey
above.
109 ECJ, Footnote 100, para 135.
110 ECJ, Footnote 100, para 214. The Court thereby reaffirmed what it first established in the Schrems
case.
Safeguarding Regional Data Protection Rights on the Global Internet … 463
reformed regime under the GDPR with regard to both its territorial scope and the
rules on international data transfers.
As the analysis of the relevant ECJ case law has revealed, the external dimension of
the EU data protection regime is founded on the constitutional obligation to safeguard
the European standard and effectively enforce it in an increasingly globalized and
interconnected world.111 The EU Data Protection Directive 95/46 was one of the
first comprehensive and binding data protection frameworks to tackle the issue of
transborder data flows and thereby consider the borderless nature of the Internet. It
achieved its broad reach even beyond EU territory as well as its international success
mainly through two normative instruments: (1) its territorial scope that included
non-European data controllers when they made use of equipment situated on EU
territory112 and (2) its restrictions on personal data transfers to third countries or
entities that do not provide an adequate standard of protection.113
The new General Data Protection Regulation continues with these trends but also
further extends the external dimension of EU data protection law by introducing
additional instruments, most notably the new (extra-)territorial scope in Article 3(2)
GDPR, which has been referred to as “the single most important provision in the entire
[…] Regulation” for any non-EU party, “perhaps followed by [Chapter V] dealing
with the transfer of personal data to third countries.”114 From the perspective of data
controllers and processors worldwide who aim to interact with the European market,
the new sanction regime, which introduces fines of up to 4 percent of an enterprise’s
worldwide turnover in the case of non-compliance, makes the significance of these
provisions clear.115
In the age of the Internet, extraterritoriality in comprehensive and effective data
protection frameworks is indeed inevitable,116 and extraterritorial provisions can no
longer be rejected categorically. The research focus must be on the extent to which
a particular claim is legitimate. Therefore, the aforementioned mechanisms of the
GDPR will be analyzed and their normative legitimacy assessed in the following.
111 This notion is also apparent in the GDPR. See, for instance, Article 44 as well as Recitals 23
and 101.
112 Article 4(2)(c) Directive 95/46.
113 Article 25, 26 Directive 95/46.
114 Svantesson (2014), p. 71.
115 See Article 83(5) GDPR. On 21 January 2019, the French national data protection authority,
CNIL, imposed a financial penalty of fifty million euros on Google for non-compliance with GDPR
provisions.
116 Cunningham (2016), p. 421.
464 R.-D. Veit
The instruments in the GDPR can be distinguished into those with direct and with
indirect extraterritorial effect.
The central innovation that the General Data Protection Regulation introduces to the
external dimension of EU data protection law is its widened territorial scope, which is
defined in Article 3 GDPR. Article 3(1) GDPR continues with the patterns of Article
4(1)(a) Directive 95/46 and states that the Regulation applies to data controllers and
processors with an establishment in the Union if the processing takes place in the
context of the activities of this establishment. However, the new provision now makes
explicit that it is irrelevant whether the processing takes place in the Union or not.117
Article 3(3) GDPR, similarly to Article 4(1)(b) Directive 95/46 before it, extends
the territorial scope to data controllers who are established in places where Member
State law applies by virtue of public international law.
The actual innovation of the GDPR is laid down in Article 3(2) GDPR. It has been
argued that this provision “will likely bring all Internet services providers […] under
the scope of the EU Regulation as soon as they interact with data subjects residing
in the European Union.”118 It unfolds direct extraterritorial effect by extending the
Regulation’s scope also to data controllers and processors established outside the
Union, where their processing activities are related to a) the offering of goods or
services in the Union to data subjects who are in the EU or b) the monitoring of their
behavior as far as their behavior takes place within the Union. By abandoning the
hitherto existing requirement of the use of equipment situated on EU territory,119 the
European legislator went beyond a mere territoriality-based approach and established
a ‘marketplace principle’ which focuses on the scope of a controller’s and processor’s
targeting of data subjects in the European market. Where this provision applies, it
is complemented by the obligation for non-EU based controllers and processors to
designate a representative in the Union who shall be mandated to be addressed by
supervisory authorities and data subjects,120 which creates a territorial contact point
for more effective enforcement.
Up until the judgment of the ECJ in the Google case, the territorial scope of
Directive 95/46 was subject to a heated debate centered around its (in)adequacy
in the Internet setting; in this context, it was deemed “overly […] complex to the
117 This clarification can be seen as an approval of the ECJ’s interpretation of Article 4(1)(a)
Directive 95/46 in the Google Spain judgment, see ECJ Footnote 66, paras 50–60.
118 Svantesson (2014), p. 71. However, this statement was made with regard to the wording of
the provision in the EU Commission’s proposal. The finally adopted version narrowed the scope
significantly and taking this into account, the statement would have to be amended to: “as soon as
they interact with data subjects who are in the Union within the Union”.
119 See Article 4(1)(c) Directive 95/46.
120 Article 27 GDPR.
Safeguarding Regional Data Protection Rights on the Global Internet … 465
degree of being dysfunctional.”121 The Directive was drafted in the early 1990s, that
is, at a time when the Internet as a global information and communication network
was still in its infancy. Naturally, its provisions, including those on the territorial
scope, did not yet reflect the digital reality of large-scale cross-border movements
of (personal) data that has since evolved. In order for the legal act’s normative claim
not to be rendered void in the face of these developments, the ECJ, in Google,
therefore interpreted the criteria of Article 4(1)(a) Directive 95/46 extensively and
held the Directive applicable even in situations where the actual data processing is
not carried out on EU territory.122 While this expansion was viewed by some as a
necessity for the effective and complete protection of fundamental rights,123 others
consider it judicial overreach.124 Thus, the judgment did not set aside all the concerns
that were raised in the context of the territorial scope of Directive 95/46.
Against this background, placing the focus on the degree of interaction with the
European market is an innovative game changer in EU data protection regulation that
appears to be more appropriate in the online environment than the (albeit watered
down) requirement of a territorial nexus. That being said, it is not clear whether
the new provision will necessarily increase legal certainty for non-EU-based data
controllers and processors. Considering the wide impact of Article 3(2) GDPR, the
wording of its criteria is rather vague. However, as with any legal act of the European
Union, the explanatory recitals of the GDPR offer some insight as to the intended
meaning of its provisions.125
With respect to Article 3(2)(a) GDPR, recital 23 states that, in order to determine if
data subjects in the Union are being targeted for the offering of goods and services,126
it must be “ascertained whether it is apparent that the controller or processor envis-
ages”127 these activities. The decisive element therefore is the subjective intention
of a controller or processor, which is naturally difficult to determine, but the recital
subsequently lists objective factors that are intended to give guidance. As examples
for such indicators, the recital names “the use of a language or a currency gener-
ally used in one or more Member States with the possibility of ordering goods and
services in that other language” and “the mentioning of customers or users who are
arguments. Critical due to the lack of clear jurisdictional limits also Kuner (2014), p. 69.
125 According to Article 296(2) TFEU, legal acts of the EU shall state the reasons on which they
are based. The EU legislator fulfills this obligation by adding recitals to adopted legal acts. In its
judgments, the ECJ often refers to them when defining the content and meaning of a provision, but
they are not themselves subject to interpretation.
126 This also includes the offering of “information society services” as defined in Article 1(1)(b) of
Directive (EU) 2015/1535, see European Data Protection Board (EDPB), Guidelines 3/2018 on the
territorial scope of the GDPR (Article 3), 12 November 2019, p. 16, accessible under https://edpb.
europa.eu.
127 Emphasis added.
466 R.-D. Veit
in the Union,” whereas passive elements such as the mere accessibility of a data
controller’s or processor’s website in the Union are not sufficient. Considering that
these ‘objectivizing’ criteria were developed in the context of a different field of law,
they have yet to prove their practical workability in data protection law.128 However,
recital 23 is only an interpretative guideline and does not contain an exhaustive
list of all factors to be taken into account for the determination of the intention to
target the EU market. Thus, there is room for the development of further, possibly
more appropriate criteria that may better reflect the fact that the EU data subjects (in
some cases) have a market choice, too.129 As, in practice, (EU) data subjects often
make their choices on the basis of a search engine’s results, one useful indicator for
targeting intentions could be a data controller’s or processor’s expenditures on an
Internet referencing service to the operator of a search engine in order to facilitate
the access to their websites by data subjects in the EU.130 Article 3(2) of the Brazilian
LGPD reads very similarly to Article 3(2)(a) GDPR. Therefore, the provision raises
the same issue of finding appropriate criteria for the establishment of the intention
to target.
Regarding the interpretation of Article 3(2)(b) GDPR, recital 24 states that “it
should be ascertained whether natural persons are tracked on the Internet including
potential subsequent use of personal data processing techniques which consist of
profiling a natural person” so as to establish if a controller or processor aims to
monitor the behavior of EU data subjects within the Union. According to the wording,
the mere act of tracking is sufficient to trigger Article 3(2)(b) GDPR; as opposed to
Article 3(2)(a) GDPR read in conjunction with recital 23, the subjective intention
or motivation of a data controller or processor to monitor a data subject’s behavior
is irrelevant. At the same time, the explicit clarification that the subsequent use of
the tracked user’s data for profiling purposes is included can be understood as an
indication that such tracking, which is carried out only for technical maintenance
purposes, shall be exempted from the scope.131 Article 3(2)(b) GDPR is intended to
cover those third country data controllers and processors that systematically track
128 As pointed out by Gömann (2017), p. 585, these criteria are a clear reference to the ECJ’s findings
in Pammer and Alpenhof , a European international procedural law case. See ECJ, C-585/08 and
C-144/09, Pammer and Alpenhof , judgment of 7 December 2010, accessible under http://curia.eur
opa.eu. The EDPB also established that the criteria developed in this case are, inter alia, to be taken
into consideration when considering whether goods or services are offered to data subject in the
Union, see EDPB, Footnote 126, pp. 17–19.
129 Article 3(2)(a) GDPR has been criticized for not being clear enough as it might also cover such
data controllers and processors who act globally but do not necessarily target the EU market, see
de Hert and Czerniawski (2016), p. 239. However, reading the provision in conjunction with recital
23, it becomes clear that the legislator did not intend to cover those cases; the mere accessibility of a
website is not sufficient. On the contrary, there must be an element apparent in which the controller’s
or processor’s intention to target EU data subjects becomes manifest. See also, including examples,
EDPB, Footnote 126, pp. 15–16.
130 This factor was considered by the ECJ in a different context. See ECJ, Footnote 128, para 81.
131 The EDPB has clarified that in its view, “the use of the word ‘monitoring’ implies that the
controller has a specific purpose in mind for the collection and subsequent reuse of the relevant data
about an individual’s behavior within the EU.”, see EDPB, Footnote 126, p 20.
Safeguarding Regional Data Protection Rights on the Global Internet … 467
the preferences and behavior of the users of their services through tools such as
cookies or social plug-ins that register the websites visited by a user.132 While its
wording is rather broad, the scope of the provision is limited in two ways; it only
applies to behavior that is taking place in the Union and only to data subjects who
are in the Union. This is a reasonable limitation of the EU regime’s reach. In any
case, establishing jurisdiction on the grounds of the monitoring of behavior is an
innovative approach in data protection law and certainly more appropriate in the
Internet setting than the requirement of a territorial link.133
As pointed out above, Article 3(2) GDPR constitutes a paradigm shift in the
territorial scope of data protection laws. Nevertheless, its criteria, particularly those of
Article 3(2)(a) GDPR, have yet to prove whether they provide for workable solutions
and more legal certainty for data controllers and processors in practice. The task
of concretizing the GDPR’s often vague provisions (and thereby adding to their
workability) is assigned primarily to the new Data Protection Board134 as well as,
ultimately, the European Court of Justice. Criticism, however, is not only directed at
the wording of the provision, but also at the establishment of a marketplace principle
in general. Prominent points of criticism are (1) the broad variety of marketplaces that
the Internet comes with, which could potentially entail conflicts of interest as well as
high compliance costs, particularly for smaller businesses, and (2) the lack of actual
enforceability in practice.135 Regarding the first aspect, it is to be noted that businesses
operating in different markets simultaneously may indeed see themselves confronted
with diverging, sometimes even conflicting, legal requirements. This, however, is a
natural consequence of the global nature of the Internet and is something for any
business intending to act internationally to take into consideration. Costs resulting
from diverging data protection and privacy standards could be reduced by complying
with the EU regime, as the arguably most demanding standard, wherever in the world
business is conducted, as some enterprises already have.136 In this sense, the EU
standards serve as compliance benchmarks. The alleged lack of enforceability is at
the very least doubtful. The new sanction regime constitutes a serious incentive for
compliance and could, if necessary, be complemented by “market access restriction
question covering the application of this Regulation and issue guidelines, recommendations and
best practices in order to encourage consistent application of this Regulation.” The EDPB has acted
on this task and published its first guidelines on the territorial scope of the GDPR, see EDPB,
Footnote 126.
135 For references see Klar (2017), p. 534.
136 At the event Die neue EU-Datenschutzgrundverordnung, Bucerius Law School, Hamburg, 8
December 2016, Director of Privacy & Data Protection Officer at eBay International AG Anne
Zeitler stated that eBay will implement the standards of the GDPR not only on EU territory but
globally.
468 R.-D. Veit
137 The term “market access restriction measures” is inspired by the suggestion of Svantesson to
determine justifiable jurisdiction over the Internet by focusing on marketplace control instead of
persons, conducts, or physical links. See Svantesson (2014), p. 96–100.
138 Recital 80 makes clear that the representative “should be subject to enforcement proceedings in
conducted by foreign-based legal entities, if they offer services to the Brazilian public or at least
one of the members of the legal entities’ economic group has an establishment in Brazil.” Likewise,
Article 3(2) LGPD reads very similarly to Article 3(2)(a) GDPR.
142 With regard to the Children’s Online Privacy Act (COPPA), for example, the U.S. Federal
Trade Commission (FTC) has in its FAQs explicitly stated that “[f]oreign-based websites and
Safeguarding Regional Data Protection Rights on the Global Internet … 469
of the data protection regime a necessity in order to protect the fundamental right to
data protection in the online world.143 The duty to protect human rights even beyond
the jurisdictional territory is supported in scholarship144 and is also in line with
international law.145 Moreover, the extension of the territorial scope of European data
protection law is not without a just cause; it stems from technological, economic, and
societal developments and has to be seen as an instrument to adjust the constitutional
obligation to protect fundamental rights accordingly. Incentivizing compliance by
way of market pressure is an effective and normatively just way to fulfil this duty.
Like its predecessor, the General Data Protection Regulation contains a chapter that
is entirely dedicated to the regulation of data transfers to third countries and much
resembles the regime of Directive 95/46. This chapter’s provisions have indirect
extraterritorial effect because they do not apply directly in third countries, but only
encourage compliance by outlawing data transfers to third countries which do not
ensure an adequate standard of protection.146
Compared to the Directive, the articles of the GDPR are more detailed, take into
account the ECJ’s recent jurisprudence, and reflect a generally more compromising
default: instead of prohibiting data transfers on a general basis, unless the destination
country ensures an adequate level of protection, Chapter V starts with setting out
“General principles for transfers” in Article 44 GDPR, which stipulates that personal
data transfers, including onward transfers,147 to non-EU countries or other entities
may take place only if, subject to the other provisions of the GDPR, the conditions
laid down in the chapter are complied with. Thus, data controllers and processors
who intend to transfer personal information and data to a third country must comply
with both the general provisions of the GDPR and the specific requirements set
out in Chapter V. Infringements of the provisions of this Chapter are subject to
online services must comply with COPPA if they are directed to children in the United States, or
if they knowingly collect personal information from children in the U.S.”, see https://www.ftc.
gov/tips-advice/business-center/guidance/complying-coppa-frequently-asked-questions (accessed
11 Jan. 2022). For this and further examples also see Klar (2017), p. 536.
143 This becomes evident in Recital 23, where it states that the Regulation should apply to non-EU
based data controllers and processors that fall under the scope of Article 3(2) GDPR “[i]n order to
ensure that natural persons are not deprived of the protection to which they are entitled under this
Regulation”.
144 On extraterritoriality in human rights, including examples from EU and U.S. law, see Torre-
mans (1995), pp. 290–296. For the constitutional obligation to safeguard fundamental rights
extraterritorially see Hoffmann-Riem (2014), pp. 61–62.
145 For an in-depth analysis, taking into account all sources of international law as laid down in
Article 38 of the Statute of the International Court of Justice, see Svantesson (2014), pp. 76–94.
146 Kuner (2015b), p. 239, argues that the distinction between ‘extraterritorial in scope’ and
high administrative fines.148 Furthermore, Article 44 GDPR states that the Chapter’s
provisions “shall be applied in order to ensure that the high level of protection for
natural persons guaranteed by this Regulation is not undermined”,149 which is to be
viewed as an interpretative guideline.150
With regard to its structure, Chapter V of the GDPR maintains the pattern of Direc-
tive 95/46 and provides for three pathways for lawful transfer to third countries: (1)
transfer to a country with an adequate standard of protection (Article 45 GDPR), (2)
transfer subject to appropriate safeguards (Article 46 GDPR), and c) derogations for
specific situations (Article 49 GDPR). These three options are formally independent
from each other in the sense that, for instance, the invalidity, suspension, or repeal of
an adequacy decision does not affect the possibility of using the other instruments.151
The recently passed Lei Geral de Proteção de Dados in Brazil follows the same
model, but differs in structure and detail. Article 33 LGPD sets forth the general rule
according to which an international transfer of personal data is only permitted in the
subsequent cases. Article 33(1) LGPD then legitimizes the transfers to countries or
international organizations only when they provide a level of protection adequate
to the provisions of the law.152 Unlike in case of adequacy, Article 33(2) LGPD
allows data transfers also when the controller offers and substantiates guarantees of
compliance with the principles and rights of the data subject and the data protection
regime provided in the act, and the provision sets forth four different options which
much resemble those for appropriate safeguards in Article 46 GDPR, albeit with less
detail.153 Finally, Articles 33(3)–(9) LGPD provide for other legitimate grounds for
international data transfer. Structurally, these provisions are similar to the derogations
set out in Article 49 GDPR, but they differ in their content. While Article 49(1) GDPR
repeats the general criteria for the lawfulness of processing set out in Article 6(1)
GDPR,154 this is not the case for Article 33(2–9) LGPD.
148 These fines can be up to e20 million or 4 percent of the total worldwide turnover of the preceding
financial year. See Article 83(5)(c) GDPR.
149 This corresponds with the teleological interpretation of Directive 95/46 by the ECJ according to
which the level of data protection as guaranteed under the Directive “could easily be circumvented”
if the adequacy assessment did not require a level “essentially equivalent” to the EU by virtue of
the Directive 95/46, see ECJ, Footnote 75, para 73.
150 See also ECJ, Footnote 90, para 92: “That level of protection [as mentioned in Article 44 GDPR]
must therefore be guaranteed irrespective of the provision of that chapter on the basis of which a
transfer […] is carried out”.
151 Article 45(7) GDPR states that a repeal, amendment, or suspension of an adequacy decision “is
At the same time, Article 33 (parágrafo único) LGPD empowers certain legal entities of public
law and the parties accountable to request the national authority to evaluate the level of protection
provided by a particular country or international organization.
153 However, Article 35 LGPD states that the content of the guarantees referred to in Article 33(2)
LGPD will be defined by the national authority, and the article also lays down criteria for the
authority to take into consideration when carrying out this task. For more detail on Article 46
GDPR see below, 4.2.3.
154 On Article 49 GDPR see also below, Sect. 4.2.3.
Safeguarding Regional Data Protection Rights on the Global Internet … 471
The ‘adequacy regime’ remains the core principle of European third country data
transfer regulation and is now laid down in Article 45 GDPR. According to Article
45(1) GDPR, a transfer of personal data to a non-EU destination country may take
place “where the Commission has decided that the third country, a territory or one or
more specified sectors within that third country, or the international organization in
question ensures an adequate level of protection.” Where such an adequate standard
of protection is determined, Article 45(3) GDPR empowers the Commission to make
a formal adequacy decision by way of an implementing act, which then legitimizes
data transfers to that destination without further authorization. The wording of Article
45(1) GDPR contains two central changes in comparison to Article 25(1) Directive
95/46. Firstly, it abandons the word ‘only’ and thereby implicitly emphasizes the
existence of alternative legitimate grounds for data transfers, and secondly, it gives
the Commission more flexibility as to the assessment of adequacy. The adequacy of
a protection standard can now explicitly be attested not only to a third country, but
also to smaller geographical units within that country, such as a “territory or one or
more specified sectors” as well as to an international organization. This additional
specification allows for the Commission to take into account regional or sectoral
developments and could be an instrument to further catalyze developments such
as the influence of California’s privacy legislation on other states and the federal
lawmakers in the U.S., which has been referred to as the ‘California effect’.155
Article 45(2) GDPR now specifies the criteria for assessing adequacy, which are
much more detailed than they were in the Directive. The emphasis is on the existence
of effective rights for the data subjects as well as their effective enforceability through
administrative and judicial means.156 The new provision is more pluralistic in the
sense that it obliges the Commission to take into account international commitments
of the destination entity in relation to the protection of personal data.157 The focus
on effective rights and their effective enforcement reflects the elements laid down in
Article 8 CFR as they were established by the ECJ in the Schrems case in which the
Court held that, while the means of the third country may very well differ from those
employed in the EU, including self-regulatory approaches,158 they must “neverthe-
less prove, in practice, effective to ensure protection essentially equivalent”159 and
needs to fulfil in order to be considered as a valid ingredient of adequate protection. See Article
29 Working Party, ‘Working Document: Judging industry self-regulation: when does it make a
meaningful contribution to the level of data protection in a third country?’, WP 7, 14 January 1998,
p. 6.
159 ECJ, Footnote 75, para 74. Also see ECJ, Footnote 90, para162.
472 R.-D. Veit
that the main considerations of the Commission when assessing adequacy must be
“the content of the applicable rules in that country […] and the practice designed to
ensure compliance with those rules.”160 Furthermore, the European judges obliged
the Commission to review periodically whether its finding of adequacy is still factu-
ally and legally justified.161 This reasoning was also implemented in the GDPR,
which now requires the formal adequacy decision to feature a mechanism for peri-
odic review162 and mandates the Commission to “monitor developments […] that
could affect the functioning of the decision adopted” on an ongoing basis.163 Overall,
the Commission’s discretion as to the adequacy assessment is reduced, and the review
of the criteria provided for in EU law must be read in light of the Charter and should
be strict.164
Under the Directive, this adequacy regime, as far as it was accepted on a general
basis, was criticized for having two central flaws165 : firstly, the Directive did not
specify how an “adequate level of protection” is assessed; Article 25(2) Directive
95/46 remained quite unclear as to the criteria of the assessment. Secondly, the
opinions of the EU Member States differed on what constitutes an adequate level of
protection. Another concern was that, due to the absence of on-site audit mechanisms,
judgments of adequacy would be made in a nonempirical way, according to the
analysis of formal indicators.166
Against this background, the GDPR provides for clearer and more detailed provi-
sions and renders this criticism invalid. Article 45 GDPR now sets out precise, non-
exhaustive criteria for the Commission to work with, and by imposing the obligation
to monitor developments and adjust the decision accordingly, it prevents legal dead-
lock. The issue of divergent stances among the Member States is now obsolete as
the competence to assess the adequacy of a third country’s data protection regime
is exclusively reserved for the Commission. As a matter of fact, the GDPR equips
the national supervisory authorities with the power to suspend data flows,167 which
is in line with the recent holding of the ECJ that the authorities are not bound by an
adequacy decision and may take their own view.168 However, this capacity is only
limited to singular data transfers to third countries or other entities and does not
generally affect the adequacy decisions of the Commission.169 Under the GDPR,
160 ECJ, Footnote 75, para 75. Regarding the decision implementing the EU-U.S. Privacy Shield,
the ECJ came to the conclusion that the Commission did not sufficiently assess the content of the
applicable rules in the US, see ECJ, Footnote 90, para 163–198.
161 ECJ, Footnote 75, para 76.
162 Article 45(3) GDPR.
163 Article 45(4) GDPR.
164 ECJ, Footnote 75, para 78. On the necessity to interpret the criteria for the adequacy assessment
in light of the Charter rights also see ECJ, Footnote 90, paras 169–185 and 186–197.
165 Greenleaf (2012), p. 77.
166 Bennett and Raab (2006), p. 103.
167 Article 58(2)(j) GDPR.
168 ECJ, Footnote 75, para 66.
169 Nevertheless, if the Commission has adopted a valid adequacy decision and a complaint is lodged
by a person concerning the protection of his or her data protection rights, the authorities remain
Safeguarding Regional Data Protection Rights on the Global Internet … 473
4.2.2 The U.S. Exception: From Safe Harbor to the Privacy Shield
The United States is not among the countries whose level of protection has been
attested as adequate by the EU Commission. But considering how deeply interwoven
the European and U.S. markets are and the economic impact a sudden rupture of the
trade relations between the two players would have,172 both sides had incentives
to find a solution. Thus, negotiations were initiated and in 2000, the Commission
issued a decision173 that found the U.S. “safe harbor principles”174 to be constituting
an adequate standard of protection. In short, this framework provided for a voluntary
self-regulatory program for U.S.-based companies that required adherence to seven
fundamental privacy principles that mirrored the EU regime and was overseen by
a U.S. federal agency, namely the Federal Trade Commission.175 This compromise
was heavily criticized mainly for its mere self-regulatory nature as well as its defi-
cient enforcement scheme,176 and in October 2015 it was invalidated by the ECJ
in the Schrems case for violation of fundamental rights.177 Shortly after this judg-
ment was issued, the EU and the U.S. entered into negotiations for a replacement,
competent to examine whether the transfer in question complies with the requirements laid down
by the GDPR and, if relevant, bring an action before the national courts, see ECJ, Fn 90, para. 120.
170 Article 45(2)(b) GDPR.
171 These are Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan,
Jersey, New Zealand, Switzerland, United Kingdom, and Uruguay. Adequacy talks are taking
place with South Korea, see https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-
outside-eu/adequacy-protection-personal-data-non-eu-countries_en (accessed 11 Jan. 2022).
172 For estimates see, for instance, Cunningham (2013), pp. 436–437.
173 See Footnote 76.
174 See Footnote 77.
175 See U.S. Department of Commerce, U.S.-EU Safe Harbor Overview, https://2016.export.gov/
pp. 436–440.
177 ECJ, Footnote 75.
474 R.-D. Veit
which culminated in the establishment of the EU-U.S. Privacy Shield,178 which was
implemented in EU law by a new adequacy decision of the Commission.179
In July 2020, this adequacy decision of the Commission was also held invalid by
the European Court of Justice.180 Prior to the judgment, the views on the efficacy of
the Privacy Shield differed.181 Its structure was similar to the one of the Safe Harbour
agreement; it also provided for a voluntary self-regulatory program, and compliance
was subject to supervision by the same U.S. institutions. However, it was generally
more detailed, introduced new “supplemental principles,” and was complemented by,
inter alia, commitments of various U.S. officials, including the establishment of an
ombudsperson as an oversight mechanism for national security interference through
which authorities in the EU can submit requests on behalf of EU citizens regarding
intelligence practices of the U.S.182
Nevertheless, the ECJ held that the limitations on data protection arising from the
domestic US law, which the Commission assessed in the Privacy Shield Decision,
namely Sect. 702 of the FISA and E.O. 12,333, read in conjunction with PPD-
28, “are not circumscribed in a way that satisfies requirements that are essentially
equivalent to those required, under EU law, by the second sentence of Article 52(1)
of the Charter”.183 What is more, the Court stated that the ombudsperson mechanism
contained in the Privacy Shield Decision does not provide for any cause of action
before a body which offers guarantees essentially equivalent to those required by
Article 47 CFR to the persons affected.184 As a result, EU-based controllers and/or
processors willing to transfer personal data to the US will have to resort to the
alternative legal grounds for data transfers provided for in the GDPR.
For those data controllers and processors who aim to transfer data to a non-EU
entity that does not provide for an adequate standard of protection, the GDPR offers
alternative pathways to lawfulness. They can opt to provide appropriate safeguards
or, exceptionally, transfer personal data by way of derogation.
and pointed out that Article 49 GDPR provides for legal grounds for data transfers to thirds countries,
see para 202.
181 EU stakeholders had taken a more skeptical view. The Article 29 Working Party, for instance,
directed criticism both at the commercial aspects and the governmental access to data transferred to
the U.S., see Article 29 Working Party, ‘Working Document: EU - U.S. Privacy ShieldFirst annual
Joint Review’, WP 255, 28 November 2017. For a more positive notion see, for example, Kuner
(2017), pp. 912–913.
182 See Commission Implementing Decision, Footnote 92, Annex III.
183 ECJ, Footnote 90, para 185. See also paras 178–184.
184 ECJ, Footnote 90, para 197. For the different reasons for this holding see paras 190–196.
Safeguarding Regional Data Protection Rights on the Global Internet … 475
According to Article 46(1) GDPR, data controllers and processors may, via bilat-
eral or multilateral agreements that contain ‘appropriate safeguards’, compensate for
the absence of an adequacy decision in the country they aim to transfer the data to
if ‘enforceable data subject rights’ and ‘effective legal remedies’ are available. The
GDPR distinguishes between such safeguards that require further authorization by
a supervisory authority and those that do not. Article 46(2) GDPR contains non-
exhaustive examples for adequate safeguards not requiring further authorization:
a legally binding and enforceable instrument between public authorities, binding
corporate rules (BCRs),185 standard data protection contract clauses (SCCs),186 codes
of conduct, and a certification mechanism. Pursuant to Article 46(3) GDPR, adequate
safeguards that are subject to further authorization may be provided for, in particular,
by (1) contractual clauses between the controller or processor and the controller,
processor, or recipient in the third country and (2) provisions to be inserted into
administrative arrangements between public authorities.187
As compared to its predecessor, the new provision is more detailed, introduces
new options for legal data transfers, and, by explicitly accepting BCRs and self-
regulatory mechanisms, demonstrates the ambition to reconcile the high standard
maintained in the EU with the diverging approaches to data protection worldwide.
With regard to the substantive requirements of Article 46 GDPR, the ECJ, in its
recent judgment in Schrems II, clarified that the provision, because it appears in
Chapter V, must be read in the light of Article 44 GDPR and that, therefore, the
level of protection provided for by the GDPR must be guaranteed irrespective of
the provision of that chapter on the basis of which a transfer is carried out.188 As a
result, the judges stated that the term ‘appropriate safeguards’ is to be understood
as requiring such measures that are “capable of ensuring that data subjects whose
personal data are transferred to a third country pursuant to standard data protection
clauses are afforded […] a level of protection essentially equivalent to that which
is guaranteed within the European Union”.189 As regards Article 46(2)(c) GDPR
in particular, the Court ruled that, when determining the adequacy of the level of
protection in a third country when data is transferred there pursuant to SCCs adopted
under this provision, the criteria to be taken into consideration are, in particular, both
the contractual clauses themselves and the relevant aspects of the legal system of the
third country as regards any access by its public authorities to the data transferred.190
185 The detailed requirements for the approval of BCRs are laid down in Article 47 GDPR.
186 Under Directive 95/46, the EU Commission issued decisions adopting sets of Standard Contrac-
tual Clauses. According to Article 46(5) GDPR, they shall remain in force until amended, replaced,
or repealed. In its recent judgment in Schrems II, the ECJ confirmed the validity of Decision 2010/87
in light of Articles 7, 8 and 47 CFR, see above, Sect. 3.
187 See Article 46(3) GDPR. In these cases, the supervisory authority shall apply the consistency
mechanism, Article 46(4) GDPR. The EDPB has provided further guidance as to the application
of Articles 46 (2)(a) and 46 (3)(b), see EDPB, Guidelines 2/2020, 15 December 2020, accessible
under: https://edpb.europa.eu.
188 ECJ, Footnote 90, para 92.
189 ECJ, Footnote 90, para 96.
190 ECJ, Footnote 90, paras 102–104.
476 R.-D. Veit
Regarding the assessment of the latter, the factors to be taken into account in the
context of Article 46 GDPR correspond to those set out, non-exhaustively, in Article
45(2) GDPR.191 The Court stressed that the contractual mechanism provided for in
Article 46(2)(c) GDPR “is based on the responsibility of the controller or his or
her subcontractor established in the European Union and, in the alternative, of the
competent supervisory authority.”192 Thus, not all safeguards required by Article 46
GDPR must necessarily be provided for in a Commission decision such as the SCC
Decision but it is, above all, for the controller or processor to verify whether the law
of the third country of destination ensures adequate protection.193
The third option for data controllers and processors to transfer data to entities
without an adequate protection standard, which is intended as the last resort, is to
do so by way of derogations. Article 49(1) GDPR sets forth seven exhaustive condi-
tions194 and introduces a new general clause that requires the balancing of the transfer
purpose and the interests and rights of the data subject affected.195 These deroga-
tions, however, are not tailored to generally providing an adequate long-term legal
basis for repeated, mass, or structural data transfers. Only in cases where it would
be genuinely inappropriate or even impossible for the transfer to take place on the
basis of appropriate safeguards as laid down in Article 46 GDPR should the deroga-
tions be applied.196 The term ‘derogation’ is misleading insofar as a transfer on the
basis of Article 49 GDPR may constitute a derogation from the general requirement
of an adequate standard of protection, but such a transfer, pursuant to Article 49
GDPR, does not exempt the controller or processor from the obligation to respect
the fundamental rights of the data subject.197 The European Data Protection Board
has recently published guidelines seeking to provide guidance as to the application
of Article 49 GDPR.198
and the controller, (3) necessity for the performance of a contract between a third party and the data
controller in the interest of the data subject, (4) necessity for important reasons of public interest,
(5) necessity for establishment, exercise, or defense of legal claims, (6) necessity for the protection
of vital interests of the data subject or other persons, and (7) transfer from a public register.
195 See Article 49(1)(subpara. 2). When a controller or processor makes use of this option, Article
49(6) stipulates the additional obligation to document the assessment made as well as the suitable
safeguards employed in the records referred to in Article 30 GDPR.
196 See, with regard to the old regime, Article 29 Working Party, ‘Working Document on a Common
level of data protection in a third country, the controller or processor should make use of solutions
that provide data subjects with enforceable and effective rights as regards the processing of their
data in the Union once those data have been transferred so that that they will continue to benefit
from fundamental rights and safeguards.” (emphasis added).
203 See Article 12(3) of the Data Protection Convention 108 and No. 17 of the OECD Privacy
Guidelines.
204 In Schrems, Footnote 75, the Court held that interfering legislation must “lay down clear and
precise rules governing the scope and application of a measure,” impose minimum safeguards for
the data subjects to be “effectively protected against the risk of abuse and any unlawful access and
use of that data” (para 91), and that derogations and limitations may apply only insofar as strictly
necessary (para 92).
205 However, it needs to be noted that EU data protection law consists of (functionally) different
elements or, more metaphorically, “building blocks” that complement each other but do not neces-
sarily need to be applied all at once but rather in a differentiated manner with a view to the field
of regulation in question, on this, in the German national context, see Albers (2012), pp. 183–231,
particularly pp. 230–231. Taking this flexible nature of EU data protection law into consideration
478 R.-D. Veit
when assessing whether the level of protection in a third country is essentially equivalent to the EU
standard could be helpful for the task of reconciling diverging notions of privacy and data protection.
206 See also Kuner (2017), p. 899.
207 The jurisdiction of the ECJ is limited to the interpretation and application of EU law, see Article
19 TEU. Correspondingly, the GDPR, as laid down by Article 2(2)(a) and like the Directive before
it, does not apply to activities which fall outside the scope of Union law, which explicitly includes
activities concerning national security, see Recital 16. However, this has not stopped the Court from
finding national legislation which allows for a general and indiscriminate retention of all traffic and
location data of all users of electronic communication to violate Articles 7, 8, 11 and 52 CFR. See
ECJ, C-203/15 and C-698/15, Tele 2 Sverige AB/Watson and Others, Judgment of 21 December
2016, accessible under http://curia.europa.eu, paras 62–112. On this matter see also ECJ, C-207/17,
Ministerio Fiscal, Judgment of 2 October 2018, accessible under http://curia.europa.eu, paras 29–
43. In a recent referral for a preliminary ruling, the Court was called upon to clarify the scope of its
jurisdiction with respect to national security law. The referring British court asked, inter alia, how
and to what extent the findings of the ECJ in the Tele 2 Sverige case apply to a national requirement
to a provider that it must provide bulk communications data to the security and intelligence agencies
of a Member State if the use of such data is essentially necessary to protect national security. In
its judgment, the ECJ held that “national security remains the sole responsibility of each Member
State” but it interpreted the term rather narrowly and distinguished it from “objectives of combating
crime in general, even serious crime, and of safeguarding public security”, see ECJ, C-623/17,
Privacy International, Judgment of 6 October 2020, accessible under http://curia.europa.eu, paras
74–75. All in all, the Court did not use the opportunity to define clear jurisdictional limitis with
regard to national security law.
208 In a recent judgment, the ECtHR ruled that parts of the (former) surveillance program of the
British GCHQ violate Articles 8 and 10 of the European Convention of Human Rights (ECHR).
See ECtHR, nos. 58170/13, 62322/14 and 24960/15, Big Brother Watch and Others v. the United
Kingdom, Judgment of 13 September 2018, accessible under http://hudoc.echr.coe.int.
209 In Schrems II, the ECJ, when asked whether the ECHR or national law and practices in the
context of national security in one or more Member States are to be included when determining
whether a data transfer to a third country on the basis of the SCC Decision constitutes a violation of
rights, held that this is not the case, see Footnote 90, paras 97–101. This is not a convincing solution
as it disregards both the function of the ECtHR in the framework of the multilevel cooperation of the
Safeguarding Regional Data Protection Rights on the Global Internet … 479
European constitutional courts and the necessity of a common stance on the legality of surveillance
practices.
210 Kuner (2017), p. 917.
211 For this term see Schwartz (2013), pp. 2001–2003.
212 On the pluralist nature of global data protection law Kuner (2014), pp. 66–67.
213 ECJ, Footnote 75, para 74.
214 Article 45(2)(c) GDPR.
215 Article 50 GDPR.
480 R.-D. Veit
have been helpful if the ECJ had given a more detailed explanation of what, in its
view, are the minimum requirements for a legal system to be considered as providing
a level of protection “essentially equivalent” to the EU standard. On the other hand,
judicial self-restraint is necessary in order to provide the EU Commission with more
flexibility when entering into (political) negotiations.
5 Conclusion
The rise of the Internet has brought changes to the rationalities of economies and soci-
eties across the world that put pressure on traditional political and legal paradigms.
Because of the loose connection between the object of regulation and the subject
of protection, the challenges are particularly evident in the field of data protec-
tion law. While a global legal regime, as the most desirable response, is not on the
horizon, outstanding progress regarding the regulation of transnational data flows
was achieved by the EU through its Directive 95/46, which is seen as the most
influential instrument in international data protection regulation. With its update, the
new General Data Protection Regulation, the EU is expected to further deepen its
influence on international data protection governance, mainly because of the new
marketplace principle as well as the revised third country data flow ‘border control’
regime.
This chapter has assessed these instruments and established that they originate
from the constitutional obligation of the European Union and its institutions to safe-
guard the fundamental rights to private life and to data protection, which are facing
new challenges in the era of the Internet due to ubiquitous, often nontransparent
cross-border data processing and the global surveillance practices of various states.
It argues that the focus on the degree of interaction with the EU market is a legitimate
approach to fulfilling this obligation and that it is not a peculiarity of the European
regime, but is also used in (data protection) laws in other countries, such as Brazil
or the United States.
Safeguarding data protection rights on the Internet is a complex and difficult task.
The General Data Protection Regulation approaches it by adjusting its territorial
scope to the reality of a globalized data-driven economy and continuing to control
data flows to third countries. Of course, like most instruments of international law,
the enforcement of the EU data transfer regime is subject to limits. Wherever in the
world legal regimes collide, they cannot claim absolute and unconditional applica-
bility and enforcement. The creation of international standards is always a political
process that follows its own rationalities and is determined by reciprocal adjustment.
Modern data protection laws therefore need to be designed so that they are open
to conflicting notions of privacy and political and economic interests while at the
same time maintaining their normative claim. In this context, scholarship plays an
important role in helping to find harmonizing solutions where conflicts of regimes
arise, ideally through interdisciplinary and comparative approaches.
Safeguarding Regional Data Protection Rights on the Global Internet … 481
This chapter has argued that in many ways, the EU data protection regime reflects
the pluralistic nature of international data protection law and is open to international
data protection policy innovations. In this sense, it is a more flexible instrument than
its predecessor. With regard to the goal of a globally harmonized data protection
standard, the GDPR is certainly a step in the right direction.
References
Albers M (2014) Realizing the complexity of data protection. In: Gutwirth S, Leenes R, De Hert P
(eds) Reloading data protection. Springer, Dordrecht, pp 213–235
Albers M (2012) § 22 Umgang mit personenbezogenen Informationen und Daten. In: Hoffmann-
Riem W, Schmidt-Aßmann E, Voßkuhle A (eds) Grundlagen des Verwaltungsrechts, C.H. Beck,
Munich, pp 107–234
Albrecht JP, Jotzo F (2017) Das neue Datenschutzrecht der EU. Nomos, Baden-Baden
Albrecht JP (2016) How the GDPR will change the world. Eur Data Protect Law Rev 3(3):287–289
Bennett CJ, Raab CD (2006) The governance of privacy. The MIT Press, Cambridge, Massachusetts
Boehme-Neßler V (2015) Big data und Demokratie - Warum Demokratie ohne Datenschutz nicht
funktioniert. Deutsches Verwaltungsblatt 130(20):1282–1287
Broemel R, Trute HH (2016) Alles nur Datenschutz? Zur rechtlichen Regulierung algorithmen-
basierter Wissensgenerierung. Berliner Debatte Initial 27(4):50–65
Bruehl J, Tanriverdi H (2017) Der überwachte Mensch zensiert sich selbst. Süddeutsche Zeitung.
http://www.sueddeutsche.de/digital/kongress-des-chaos-computer-club-der-ueberwachte-men
sch-zensiert-sich-selbst-1.3808605. Accessed 11 Jan. 2022
Büttner B et al (2016) Reterritorialisierung und Privatheit. In: Bütter B et al (eds) Die Reterritori-
alisierung des Digitalen. Kassel University Press, Kassel, pp 139–152
Cáceres J (2014) Brasilien und EU planen gemeinsames Datenkabel. Süddeutsche Zeitung. http://
www.sueddeutsche.de/politik/folgen-der-nsa-affaere-brasilien-und-eu-planen-gemeinsames-dat
enkabel-1.1896673. Accessed 11 Jan. 2022
Carolan M (2018) High Court to rule on data issues to bring to EU Court of Justice. The
Irish Times. https://www.irishtimes.com/business/technology/high-court-to-rule-on-data-issues-
to-bring-to-eu-court-of-justice-1.3361504. Accessed 11 Jan. 2022
Cunningham M (2016) Complying with international data protection law. Univ Cincinnati Law Rev
84(2):421–450
Cunningham M (2013) Diminishing sovereignty: how European privacy law became international
norm. Santa Clara J Int Law 11(2):421–453
Curtiss T (2016) Privacy harmonization and the developing world: the impact of the EU’s general
data protection regulation on developing countries. Washington J Law Technol Arts 12(1):95–122
Dammann U (2016) Erfolge und Defizite der EU-Datenschutzgrundverordung. Zeitschrift für
Datenschutz 6(7):307–314
De Hert P, Czerniawski M (2016) Expanding the European data protection scope beyond territory:
Article 3 of the general data protection regulation in its wider context. Int Data Privacy Law
6(3):230–243
De Hert P, Papakonstantinou V (2013) Three scenarios for international governance of data privacy:
towards an international data privacy organization, Preferably by a UN Agency. I/S: J Law Policy
Inf Soc 9(2):271–324
De Souza Abreu J, Sousa Nakagawa FM, Pacetta Ruiz J (2016) Data protection in Brazil, draft
report/review of legal background. Internetlab. http://www.internetlab.org.br. Accessed 11 Jan.
2022
Docksey C (2017) Opinion I/15: privacy and security, finding the balance. Maastricht J Eur Comparat
Law 24(6):768–773
482 R.-D. Veit
Doneda D, Mendes LS (2014) Data protection in Brazil: new developments and current challenges.
In: Gutwirth S, Leenes R, De Hert P (eds) Reloading data protection. Springer, Dordrecht, pp
3–20
Fleischer P (2007) Call for global privacy standards. Google Public Policy Blog. https://publicpol
icy.googleblog.com/2007/09/call-for-global-privacy-standards.html. Accessed 11 Jan. 2022
Geminn CL, Ledder S, Pittroff F (2016) Routing und die Arena seiner Aushandlung. In: Bütter B
et al (eds) Die Reterritorialisierung des Digitalen. Kassel University Press, Kassel, pp 23–59
Giesen T (2016) Euphorie ist kein Prinzip des Rechtsstaats. In: Datenschutz S (ed) Zukunft der
informationellen Selbstbestimmung. Erich Schmidt Verlag, Berlin, pp 23–47
Gömann M (2017) The new territorial scope of EU data protection law: deconstructing a
revolutionary achievement. Common Market Law Rev 54(2):567–590
Greenleaf G (2017) Global data privacy laws 2017: 120 national data privacy laws, including
Indonesia and Turkey. Privacy Laws Bus Int Rep 145:10–13
Greenleaf G (2012) The influence of European data privacy standards outside Europe: implications
for globalisation of convention 108. Int Data Privacy Law 2(2):68–92
Hartmann IA (2022) Self-regulation in online content platforms and the protection of personality
rights. In: Albers M, Sarlet IW (eds) Personality and data protection rights on the internet.
Springer, Dordrecht, Heidelberg, New York, London (in this volume)
Hijmans H (2014) Right to have links removed: Evidence of effective data protection. Maastricht
J Eur Comparat Law 21(3):555–563
Hoeren T (2007) Zoning und Geolocation - Technische Ansätze zu einer Reterritorialisierung des
Internet. Multimedia Und Recht 10(1):3–6
Hoffmann-Riem W (2014) Freiheitsschutz in den globalen Kommunikationsinfrakstrukturen.
Juristenzeitung 69(2):53–63
Johnson DR, Post D (1996) Law and borders—The rise of law in cyberspace. Stanford Law Rev
48(5):1367–1402
Klar M (2017) Die extraterritoriale Wirkung des neuen europäischen Datenschutzrechts. Daten-
schutz und Datensicherheit 41(9):533–537
Kokott J, Sobotta C (2013) The distinction between privacy and data protection in the jurisprudence
of the CJEU and the ECtHR. Int Data Privacy Law 3(4):222–228
Kranenborg H (2014) Article 8—Protection of personal data. In: Peers S et al (eds) The EU charter
of fundamental rights. Hart Publishing, Oxford and Porland, pp 223–265
Krisch N (2010) Beyond constitutionalism. Oxford University Press, Oxford
Kuner C (2015a) Data nationalism and its discontents. Emory Law J Online 64:2089–2098
Kuner C (2015b) Extraterritoriality and international data transfers in EU data protection law. Int
Data Privacy Law 5(4):235–245
Kuner C (2017) Reality and illusion in EU data transfer regulation post Schrems. German Law J
18(4):881–918
Kuner C (2014) The European Union and the search for an international data protection framework.
Groningen J Int Law 2(1):55–71
Ladeur KH (2013) New institutions for the protection of privacy and personal dignity in internet
communication. Braz J Public Policy 3(2):282–296
Lana de Freitas Castro E, Pereira Winter P (2014) O Conflito de Jurisdições em Caso de Violação
de Direitos da Personalidade por Publicação na Internet. Revista de Estudos Jurídicos UNEPS
18(28). https://dialnet.unirioja.es/descarga/articulo/5191698.pdf. Accessed 11 Jan. 2022
Mangeth AL, Marinho Nunes B (2018) A proteção de seus dados pessoais está em jogo
no Senado. ITS Rio. https://feed.itsrio.org/senado-vs-c%C3%A2mara-seus-dados-pessoais-em-
jogo-97d7b0cefc54. Accessed 11 Jan. 2022
Márton E (2016) Violations of personality rights through the internet: jurisdictional issues under
European law. Nomos, Baden-Baden
Mayer C (1996) Recht und Cyberspace. Neue Juristische Wochenschrift 49(28):1782–1791
Miller SF (2003) Prescriptive jurisdiction over internet activity: the need to define and establish the
boundaries of cyberliberty. Indiana J Glob Legal Stud 10(1):227–254
Safeguarding Regional Data Protection Rights on the Global Internet … 483
Raoul-Darius Veit Ph.D. Legal clerk at the Higher Regional Court Hamburg (Hanseatisches
Oberlandesgericht) and former Research Assistant at Prof. Dr Marion Albers’ Chair for Public
Law, Information and Communication Law, Health Law and Legal Theory at Hamburg University.
Member and Scholarhip Holder of the Albrecht Mendelssohn Bartholdy Graduate School of Law
(AMBSL). Visiting Researcher at PUCRS and FGV Rio de Janeiro in 2017 and 2018 as part of the
Brazilian/German CAPES/DAAD PROBRAL-Research Project „Internet Regulation and Internet
Rights“. Main areas of research: Data Protection Law, German Constitutional Law, European Law
and the Interrelations of National and EU Law. Selected Publications: Commentary of Art. 6 and
484 R.-D. Veit
9 General Data Protection Regulation (GDPR), in: Heinrich Amadeus Wolff/Stefan Brink (Eds.),
Data Protection Law, Beck’scher Online-Kommentar, C. H. Beck München, 2018 et seqq., since
the 25th Ed. (in collaboration with Marion Albers); Commentary of §§ 22 and 23 Federal Data
Protection Act (Bundesdatenschutzgesetz—BDSG), in: Heinrich Amadeus Wolff/Stefan Brink
(Eds.), Data Protection Law, Beck’scher Online-Kommentar, C. H. Beck München, 2018 et seqq.,
since the 25th Ed. (in collaboration with Marion Albers).
Index
A B
Accuracy, 88, 124, 205, 411, 415, 425, 428, Balancing, 10, 11, 24, 26, 28, 29, 57, 61,
432, 433, 436–438, 452 91, 103, 107, 149, 150, 152, 155,
Adequacy regime, 13, 471–473 163–165, 170, 173, 197, 206, 233,
278, 298, 309, 310, 317, 318, 321,
Aida Curi, 149–151, 164 322, 334, 370, 372, 399, 476
Algorithm, 6, 7, 10, 12, 80, 117, 126, 158, Behavioral economics, 63
161, 184–186, 268–270, 275, 276, Big data, 3, 12, 56, 59, 117, 126, 332,
283, 284, 340, 407–416, 419–421, 407–409, 411–413, 416, 449
423, 425, 430, 432–437, 440, 441, Binding Corporate Rules (BCRs), 475
449 Blasphemy, 325, 327, 328, 330
Algorithmic discrimination, 1, 12, 407, Brazilian Civil Code, 8, 37, 113, 144, 311,
409, 416, 420, 421, 431, 432, 434, 361, 364
436, 440, 441 Brazilian Civil Framework for the Internet,
Algorithmic governance, 407, 409, 432, 113, 120
433, 436 -see also Marco Civil da Internet
Anonymity Brazilian Civil Rights Framework for the
Internet, 264, 367, 370
- before Brazilian courts, 314
-see also Marco Civil da Internet
-concept of anonymity, 11, 322, 333 Brazilian dictatorship, 35
-prohibition on anonymity, 222, 330 Brazilian doctrine, 138
-right to anonymity, 7, 337, 342–344 Brazilian Internet Bill of Rights, 213–216,
-under European human rights’ law, 318 218, 225, 228–231, 233–235, 237,
450
Anonymization services, 84, 86, 94, 128
-see also Marco Civil da Internet
Anonymous expression of opinion, 337 Brazilian private law, 36, 37, 39, 44, 50
Apollonia case, 188
App blocking, 317
Appropriate safeguards, 470, 474–476 C
Arbitrary watchfulness, 115, 116 Cambridge Analytica, 6
Candelaria Slaughter, 150, 164
Artificial intelligence, 3, 56, 75, 109, 270, Causation, 408, 412–414
301, 414 Chilling effect, 43, 77, 78, 250, 278, 295,
Auditability, 432, 433 329, 330, 345, 348
Autonomy, 22, 40, 63, 64, 166, 217, 319, Civil liability, 46, 163, 171, 219, 223, 231,
343, 358, 362, 365, 368, 372 233, 234, 236, 241, 242, 247, 249,
© Springer Nature Switzerland AG 2022 485
M. Albers and I. W. Sarlet (eds.), Personality and Data Protection Rights on the Internet,
Ius Gentium: Comparative Perspectives on Law and Justice 96,
https://doi.org/10.1007/978-3-030-90331-2
486 Index
251–254, 256–258, 261, 263, 264, Correlation, 310, 408, 411–414, 416,
315 420–422, 434, 436, 439, 440
Code, 11, 37–40, 44–47, 60, 75, 80, 85, Council of Europe
143–145, 151, 157, 169, 247, 249, -recommendation on the roles and
251, 252, 264, 267, 270, 274–276, responsibilities of internet
279, 282–284, 292, 293, 295, 300, intermediaries, 301
304, 327, 362, 366, 427, 430, 433, Credit Information Act, 427–431, 436,
434, 436, 440, 475 438–441
Commission Nationale de l’Informatique et Credit scoring, 12, 126, 407, 409, 414, 416,
des Libertés (CNIL), 42, 452, 458, 421, 423, 426, 428–432, 434,
462, 463 436–438, 440, 441
Communication Cross-border
-on the internet, 1, 2, 5, 69, 72, 74, 93, -data transfer, 449
190, 244, 320, 337 -law enforcement, 463–480
-temporal dimension, 187 Cryptography, 315
Confidentiality of communications, 82, Cyberbullying, 310
123, 309, 322
Consent, 8, 42, 44–47, 57, 63–65, 96, 113, D
114, 121, 127, 145, 146, 187, 191, Damages, 11, 39, 50, 92, 114, 119, 120,
232, 298, 311, 313, 362, 364, 371, 122, 123, 140, 145, 146, 149, 151,
372, 428–431, 436, 476 153, 155, 162–165, 171, 172, 190,
Constitution, 8, 9, 12, 25, 36, 37, 40, 41, 213, 222, 223, 226–228, 230–233,
43, 44, 49, 78, 85, 89, 91, 113–115, 235, 237, 241, 242, 245, 247–259,
120, 134, 138, 142, 143, 145, 172, 261, 263–265, 311, 314–316, 349,
214, 216, 217, 220, 222, 223, 227, 355, 360, 362, 364, 371, 382,
228, 236, 241, 252, 254–258, 264, 425–430, 438
276, 279, 296, 297, 301, 309, 311, Data doubles, 75
312, 314, 316–318, 333, 337–339, Data-driven economy, 407, 409, 410, 413,
353, 356, 359, 370, 377, 386, 398, 416, 424, 480
399, 402, 423, 424, 454, 458 Datafication, 1, 2, 5, 56, 59, 69, 70, 74, 105,
Constitutional law, 24, 26, 30, 31, 48, 68, 109
89, 91, 276, 277, 298, 337, 339, 345, Data protection, 7, 8, 12, 18, 27, 35–37, 40,
347, 348, 375, 377, 379, 380, 393, 42–44, 47–51, 55–58, 60–66, 91, 96,
394, 396, 398, 399, 402, 483 97, 106, 113, 114, 134, 135, 137,
Consumer Protection Code, 45, 143, 154, 146, 160, 162, 167, 169, 175, 180,
162, 167, 367, 423, 426–430 186, 191–197, 199–204, 206–208,
Content generated by third party, 11, 122, 213, 233, 258, 294, 303, 311–313,
230, 241, 242, 247, 249, 251, 252, 333, 338, 342, 344, 355, 356, 360,
258, 259, 315 367, 370, 371, 377, 379, 380, 393,
Content moderation, 11, 267, 287, 295, 303 402, 409, 423–427, 438–441,
Control, 5, 7–9, 27, 43, 47, 48, 59, 63, 66, 445–451, 453–459, 462, 463, 465,
69, 71, 74–76, 86, 90, 96, 98, 104, 467, 468, 470, 471, 474, 475,
107, 108, 115, 116, 118, 119, 126, 477–481
128, 134, 145, 148, 153, 154, 161, Data Protection Directive (EU-DPD), 5, 82,
163, 167, 175, 189, 193, 205, 244, 181, 203, 446, 463
248, 274, 275, 279, 283, 290, 291, Data protection law
302, 319, 324, 355, 357, 360, 362, -adequate level of, 18, 27, 66, 459, 461,
413, 449–451, 454, 456, 457, 459, 469, 471–473, 477
468, 480 -external dimension of, 13, 447, 456,
Copyright, 11, 61, 84, 214, 233, 234, 236, 457, 460, 462–464
237, 239, 249, 250, 256, 259, 264, -global regime for, 453
268, 269, 271, 273, 278, 279, 281, -harmonization of, 445, 454
300, 324, 350, 364, 377, 382 -in favour of the testator, 393
Index 487
N
J National routing, 452
Jurisdiction, 10, 13, 26, 85, 90, 103, 104, Neutrality, 5, 8, 36, 113, 120–122, 213,
122, 169, 174, 175, 188, 195, 291, 312, 313, 351, 352, 357
294, 296, 310, 312, 318, 320, 334, Normative legitimacy, 445, 463, 477
338, 351, 399, 437, 440, 445, 448, Notice and takedown, 247, 249–253, 257,
451–453, 458, 467, 468, 478 281, 282
NSA-Scandal, 21
O
L
Objectification of interests, 64
Law in context, 31 Onlife World, 1, 2, 69, 70, 109
Lebach, 135, 141, 164, 187, 189 Online archive cases, 181, 187
Legal comparison, 30, 31 Online communication, 116, 202, 289–291,
Lei Geral de Proteção de Dados (LGPD), 8, 310, 313, 321, 322, 331, 333, 334
36, 48–51, 311, 314, 450, 453, 455, Online evaluation portals, 12, 337, 345, 349
466, 468, 470 Online rating portals, 342
-see also General Data Protection Act Overblocking, 293, 295, 299, 340
Liability, 6, 11, 66, 93, 122, 146, 153, 154,
156–163, 167, 172, 190, 194, 195,
200, 207, 213, 214, 219, 223, 224, P
227, 230–237, 247–249, 252, Personal dignity, 50
255–257, 264, 270, 278, 292, 296, Personality profile, 342, 390
309, 315, 321, 323, 351, 426, Personality rights, 5, 8, 11, 35–41, 44, 46,
429–431, 437 48–51, 66, 114, 133–138, 140,
490 Index
142–144, 150, 152, 153, 155, Public space/sphere, 7, 20, 21, 29, 56, 59,
157–159, 161–163, 165, 166, 170, 115, 198, 199, 217, 242, 279
172, 173, 175, 190, 194, 196–198,
202, 206, 241, 248, 253, 257–259,
264, 267, 270, 276–278, 280–282, Q
289, 290, 294, 298, 311, 317, 334, Qandeel Baloch, 327
349, 350, 355, 356, 358–361, 365, Quadrature du Net and Others, 95, 100, 101
367–371, 373, 378, 383, 390–392,
448
Platform governance, 271–284, 291–304 R
Positive obligations, 8, 22, 55, 58, 60, Regulation
64–66, 322, 334 -self-regulation, 11, 59, 60, 174, 229,
Power relations, 64, 73, 74 230, 267, 270–274, 276, 277,
Press law, 10, 172, 179–181, 190–192, 279–284, 292, 293, 295, 304, 471
194–197, 199–208, 223 Responsibility, 5, 22, 26, 27, 31, 59–61, 65,
Principle of purpose limitation, 8, 57, 90, 74, 91, 123, 133, 157, 161, 182, 186,
193, 205, 449 190, 194, 229, 248, 258, 259, 282,
293, 299, 301, 302, 314, 318, 347,
Privacy
348, 427, 432, 461, 476
-privacy language, 30
Right of inheritance
-privacy protection, 8, 20, 24, 28, 29,
-individual right, 385
58, 114, 128, 277, 429
-legal institution, 41, 385
-privacy protection beyond the State, 26 -limited guarantee of continued
-private/public distinction, 59 existence, 385
Privacy shield, 5, 13, 460, 461, 472–474 -universal succession, 383, 386
Private life, 8, 11, 23, 27, 38, 43, 46, 47, 96, Right to a free development of the
106, 116, 118, 122, 127, 138, 144, personality, 138
151, 152, 167, 172, 173, 254, Right to a new beginning, 139
309–311, 313, 314, 317, 318, 321, Right to be forgotten
324, 325, 333, 334, 340, 343, 358, -constitutional dimension, 188
361, 371, 379, 424, 456, 458, 459, European Court of Justice, 17, 179, 187,
480 195, 449
Profiling, 6, 103, 126, 130, 310, 320, 332, -in data protection law, 10, 179–181,
334, 409, 414, 416, 420, 428, 429, 187, 190–192, 194, 195, 207
466 -in press law, 181, 190, 192, 195
Proportionality, 25, 61, 62, 66, 84, 86, 88, Right to data protection, 56, 58, 66, 79, 96,
90, 91, 96, 97, 105, 106, 142, 163, 114, 360, 371, 459, 477
167, 171, 299, 301, 303, 346, 385, Right to deindexation, 133, 146, 153, 154,
423, 459 160–162, 170
Protection of Records, 122 Right to deleting data, 133
Provider, 3, 5, 11, 24, 28, 46, 61, 65, 69, 71, Right to erasure of data, 136
79, 81–91, 93, 94, 97–99, 101–103, Right to honor, 140
105–108, 115, 121–123, 125, 126, Right to know, 43, 80, 130, 428
128, 133, 136, 146, 147, 153–162, Right to one’s own image, 140
166–169, 171, 182, 192, 206, 214, Right to personal identity, 260
219, 226, 228, 230–236, 241, 247, Right to privacy, 17, 19–21, 24–26, 29, 30,
249, 251–253, 256–260, 263, 264, 36, 43, 50, 56, 62, 66, 79, 114, 115,
279, 291–299, 315, 320, 321, 333, 120, 124, 140, 144, 151, 228,
337, 350, 351, 371, 378, 380–384, 309–311, 313, 315, 317, 319,
388–397, 401, 403, 448, 464, 478 323–325, 334, 453
Pseudonymity, 310, 315, 322, 323, 326, 330 Right to reinvent oneself, 139
Publicity, 20, 121, 149, 247, 319, 324, 326, Right to resocialization, 141, 143
360, 371 Right to respect for private and family life,
Public-private-dichotomy, 17, 20 318
Index 491