A civil rights framework for the internet in Brazil
July 2014 | EXPERT BRIEFING | DATA PRIVACY
Altogether it took about six years. President Dilma Rousseff enacted, on 23 April 2014, Law No. 12,965/2014, adopting a Civil Rights Framework for the Internet (Marco Civil da Internet) in Brazil. And it was the best of times and the worst of times.
Back in 2008 the Brazilian Ministry of Justice began a broad consultation to gather elements for the Civil Rights Framework, a highly praised initiative that eventually led to a bill of law introduced in Congress in 2011. A normal legislative process followed course until the Snowden affair hit the headlines in mid-2013. What should have been a diplomacy issue turned into retaliation by the Brazilian President against the large US internet companies. President Dilma Rousseff’s government pushed (unsuccessfully) very strongly for these companies to be legally compelled to have their servers physically located in Brazil to guarantee to Brazilians that their privacy would be respected. Penalties for non compliance with this rule even included an overall prohibition to do business locally. A tug of war over the net neutrality principle between internet activists and content companies on one side, and telecommunications companies on the other, added more uncertainty whether the bill would ever become law – but it did.
The Law was well received by the local press and the public in general. Controversies are still expected on the net neutrality issue until specific regulations are issued. The Brazilian government has expressed its intent to introduce soon in Congress a law on data protection The Law becomes effective within 60 days from 24 April 2014.
The Brazilian government’s objective was twofold: turn into law certain public policies regarding the internet (hence the term ‘framework’) and bring consistency to court decisions.
Access to the internet is deemed under the Law as essential for the exercise of citizenship. It also establishes basic principles, guarantees, rights and obligations for the use of internet in Brazil. The Law’s main provisions deal with protection of privacy rights, record-keeping to assist law enforcement, liability for third-party content and net neutrality.
Brazil lacks a specific regulation on data privacy. Privacy and personal data are protected by the Federal Constitution, the Civil and Consumer Protection Codes and other federal laws applicable to certain businesses. The Law reinforces the right to communications secrecy on the internet, except under judicial order. Users are also assured the non-disclosure of their personal data, connection logs and internet application access logs to third parties, except with users consent or as permitted by law.
The Law further determines that whenever an act of collection, storage, safekeeping or treatment of records, personal data or communications occurs in Brazil, Brazilian laws regarding privacy, protection of personal data and communications secrecy must be observed. This applies to companies based both in Brazil and abroad, but in the case of foreign companies, only if they provide service to Brazilian users or at least one company of their economic group is present in Brazil. Failure to comply with any of these obligations subjects companies to the following penalties, individually or combined: (i) warning and obligation to remedy the breach within a fixed time period; (ii) fine of up to 10 percent of the revenues of the provider’s economic group in Brazil in the last year (it being defined that if the breach is by a foreign company, its branch or office in Brazil is jointly liable for payment of the fine); (iii) temporary suspension of activities that involve storage, management and dissemination of data; and/or (iv) prohibition of any such activities. No in-country data storage obligation or restriction on international transfer of data was imposed.
As for record-keeping obligations, a distinction is made between connection logs (information referring to the date and time of the beginning and end of an internet connection, its duration and IP address) and application access logs (information referring to the date and time of use of a specific internet application from a certain IP address). Internet connection providers must keep connection logs stored in a secured environment for one year (unless a longer period is required by police and administrative authorities). This responsibility cannot be transferred to third parties. Internet connection providers are prohibited from storing application access logs, but internet application providers must do so for six months (as long as the providers act in an organised, professional and economically-oriented manner).
Law enforcement authorities may order that application access logs be stored during a longer period and a court may order that providers that do not fit the characteristics above also store logs, provided that they relate to specific facts within a determined timeframe. Internet application providers are prohibited from storing access logs to other internet applications (except if previously authorised by the user) or personal data that is deemed excessive in relation to the purpose authorised by the user. Internet services contracts must clearly and thoroughly inform about data protection and logs storage practices.
Liability for third-party content
The Law also attempts to end the legal gap on third-party content liability by stipulating that: (i) internet connection providers are not responsible for damages arising from content posted by third parties; and (ii) except if otherwise established by law, internet application providers can only be held liable for damages caused by third-party content if, after receiving a specific court order, they do not take action to make the infringing content unavailable. An exception to the liability of internet application providers is related to the unauthorised disclosure of images, videos or other material with nudity or sex content of a private nature. If the provider fails to remove content after receiving a notice from individuals appearing in it, the provider will be secondarily liable for damages arising out of the content disclosure.
Liability of internet application providers for violation of copyrights and related rights shall continue to be regulated by Brazilian Copyright Law until a specific law is enacted on the matter.
Net neutrality was one of the most debated items of the Law. Under the Law, all data packages must be treated equally, without distinction of content, origin and destination, service, terminal or application. Traffic discrimination or degradation is only permitted if needed to meet technical requirements indispensable to the adequate provision of services or for the prioritisation of emergency services – but the actual events in which it may occur were left to be further regulated by the Federal Executive, after hearing the National Telecommunications Agency – ANATEL and the Internet Management Committee. Internet connection providers are not allowed to block, monitor, filter or analyse the content of data packages.
Raphael de Cunto is a partner and Julia Arruda is a senior associate at Pinheiro Neto Advogados. Mr de Cunto can be contacted by email: firstname.lastname@example.org. Ms Arruda can be contacted by email: email@example.com.
© Financier Worldwide
Raphael de Cunto and Julia Peixoto de Azevedo Arruda
Pinheiro Neto Advogados