On April 23, 2014, Brazilian President Dilma Rousseff enacted Law No. 12.965, which establishes the legal regime for the use of the Internet in Brazil (the Brazilian Internet Civil Framework, hereinafter referred to as the "BICF").
The enactment of the BICF was prompted in part by Brazilian press coverage stating that communications over the Internet by members of the Brazilian Executive, including Brazilian President Dilma Rousseff herself, were accessed by foreign governments (the United States amongst them) or companies within their jurisdictions. The text of the law, perhaps due to its political motivation, is unnecessarily long and in somewhat redundant style repeats general principles of the Brazilian Constitution and other existing laws such as the Brazilian Civil Code and the Brazilian Consumer Protection Code. This article reports on the BICF's main and substantive provisions, many of which are still to be subject to further regulation.
Contractual Issues and Data Protection
The BICF provides that agreements for Internet access must contain clear and full information on protection of registers of connection (information related to the date and hour of start and end of an Internet connection session, its duration and the IP address used by a terminal connected to the Internet for the sending and receiving of data packages), information on access to Internet applications (sites accessed by the terminal) as well as information on Internet management practice affecting quality.
The new law contains two main rules regarding data protection:
i) the need for the express consent of the Internet data owner for the collection, storage, handling, transfer to third parties and use of data by Internet connection and Internet application providers; and
ii) the right of the Internet data owner to require exclusion of personal data supplied to an Internet application or connection provider upon end of the legal relationship among the parties.
The consent of the Internet data owner for the collection, use, storage, handling, transfer and treatment of personal data is to be highlighted and separated from other contractual clauses.
The BICF establishes that the person responsible for the transmission, exchange or routing of Internet communications has the duty to treat equally any data packages, without differentiation by content, origin, destination, service, terminal or application. The law determines that it is illegal for service providers to block, monitor, filter or analyze the content of data packages.
The cases in which Internet traffic discrimination or degradation is admissible will be indicated by Executive Branch decree, being limited to i) indispensable technical intervention for adequate service provision and ii) emergency services priority need. Even in these cases, traffic change should be informed in advance to users and discriminatory commercial conditions and anticompetitive practices are to be avoided.
Data Storage and Protection
Connection registry, Internet application access, private communication content or any other information that may identify the terminal user or the terminal can only be disclosed via court order. The exception to this rule is the access to personal qualification, parent and address information registry data by law enforcement organs such as the police and public prosecutors for purposes of money laundering prevention.
The Executive Branch shall enact rules as respects data protection and confidentiality procedure.
The BICF also sets forth rules for the keeping of connection and Internet application access registry records, mandatory for the time period of one year in the case of connection registry records and six months for the latter. Such information must be stored confidentially in a secure and controlled environment. Connection registry record storage responsibility cannot be transferred to third parties. The terms in this paragraph may be extended at the request of police or administrative authorities, as well as of the public prosecutor. In which case, the officer requesting the extension should file a formal request in court asking for access to the information kept. In case of registers of connection, the formal request to court is to be presented within 60 days.
The BICF prohibits Internet application access registry storage by connection providers, as well as the keeping of access records of Internet applications by other Internet applications (this can, however, be waived by the data owner).
In addition to applicable civil and criminal liability, the BICF sets forth as penalties: (i) warning with a deadline for the adoption of remediation measures; (ii) fine of up to 10% of the gross sales invoiced in Brazil in the last fiscal year of the economic group liable for the breach, which fine may vary according to the economic condition of the offender and the seriousness of the breach; and (iii) temporary suspension or the forbidding of specified activities. As respects non-Brazilian companies, any local branch or office is joint and severally liable for any fine imposed.
Breach of data protection, secrecy and privacy investigation procedure shall be regulated by the Executive Branch. The BICF does not indicate what entity is to supervise Internet activities or apply the above-mentioned penalties. This is a major gap to the new regulation.
The above provisions shall apply whenever any of the following acts occur within the Brazilian territory: the collection, storage, guarding or handling of registries, personal data or communication by connection providers or Internet applications. Brazilian law is also applicable whenever one of the terminals involved is located in Brazil.
Liability for Damages Due to Content Produced by Third Parties
According to the BICF, the connection services provider is not liable for damages arising out of content produced by third parties. As respects the Internet application provider, liability may exist if it fails to comply with a court order determining any content regarded as unlawful to be rendered unavailable. This court order shall contain clear and specific identification of the unlawful content, in such a manner as to allow it to be found. The party that supplied the content should, whenever possible, be advised by the Internet application provider of the reasons leading to unavailability of the content, with information sufficient to enable it to present an effective defense in court.
More stringent rules apply to Internet application provider in the case of images, videos or any other materials depicting scenes of nudity or sexual acts of private character. In this case, the application provider should eliminate access to the content as soon as it is notified by any person appearing in the material, or by such person´s legal representative, being otherwise liable.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.