Esther Nunes and Paulo Bonomo
The Brazilian Law on the Rights of Internet Users – Law No. 12,965, of April 23, 2014 (“Law No. 12,965/2014”)
After a time-consuming legislative process that led to several discussions and postponements in recent years, Law No. 12,965/2014, known as the Brazilian “Marco Civil da Internet”, was published on April 24, 2014. The law will take effect within sixty (60) days from such date.
The objective of the Marco Civil da Internet is to establish the principles, guarantees, rights and obligations for the use of the Internet. In order to assure its enforceability, Law No. 12,965/2014 establishes several concrete requirements that will have to be observed by different Internet players.
Fundamental Rights of Internet Users
The Marco Civil da Internet creates a very extensive list of fundamental rights of Internet users. The law specifically identifies these rights whereas previously they were found to derive from the Brazil Federal Constitution concerning the fundamental right to privacy, as well as the Civil and Consumer Protection Codes.
Among these fundamental rights of Internet users under the new law, it is worth mentioning the following:
- The obligation to obtain consent of users for the collection, use, storage and processing of users’ registries and personal data, as well as for the transfer of such information to third parties;
- The right of users to have their personal data deleted upon termination of their relationship with a connection or application provider, except when the storage of such information is required by law;
- The right to have clear and complete information about the purposes of the collection of their personal data and registries, which must be stated in the contracts entered into with connection or content providers;
- Secrecy of the communication flows made through the internet, except in case of judicial order; and
- The application of Brazilian consumer protection rules in the consumer relations established online.
The list of fundamental rights established by the Marco Civil da Internet provides concrete guidance to assist foreign companies when implementing their online services in Brazil through their privacy policies and terms and conditions.
Application of the Marco Civil da Internet to Foreign Players
Law No. 12,965/2014 sets specific standards for its application, even in cases where the services are provided from abroad. The law will have to be observed in any operation involving the collection, storage or processing of databases and personal data where any of these practices occur in Brazil.
That will also be the case when the data is collected within the national territory by a legal entity located abroad, as long as the services are offered to the Brazilian public or if the entity has a presence in Brazil (by means, for instance, of another company of the same economic group).
Data Recording Obligations
The Marco Civil da Internet differentiates two major sets of information, namely: (i) connection registries, which contain data about the date, time and duration of an internet connection made by a certain IP address (“CRD”); and (ii) application access registries, which compile data about the date, time and duration of the use of an application through a specific IP address (“ARD”).
The recording of personal data and of these registries must be made in a manner that does not violate the privacy and intimacy of Internet users. The disclosure of such information will be subject to a previous judicial order.
The Marco Civil da Internet also establishes different rules for Internet service providers (“ISPs”) and content providers (“ICPs”) with respect to the types of information that these agents can access and will be required to record.
ISPs will have to store CRD for one (1) year; a responsibility that cannot be assigned to third parties. ISPs are prohibited from collecting ARD.
On the other hand, ICPs, which were formed as a legal entity to explore the activity of providing content with economic purpose, will be required to maintain records of ARD for six (6) months. Furthermore, ICPs will not be allowed to store ARD related to third-party applications without the user’s consent, and the use of personal data must be in strict compliance with the purpose for which such data was collected.
ICPs, other than those characterized as described immediately above, may be forced by a judicial order to record ARD for a certain period and as long as such information is related to specific circumstances.
Responsibility for Third-Party Content
The Marco Civil da Internet also sets forth the legal framework for assigning responsibility for third-party content. ISPs will not be held liable for damages caused by third-party content, whereas ICPs will be subject to a different treatment.
ICPs will be responsible for third-party content only if, after being summoned by a judicial order to remove infringing content, within the context and technical limitations of their services, they fail to do so. This rule has a few exceptions, namely:
- If the content infringes the copyrights of a third party. In this case, the Brazilian Copyright laws will continue to apply; and
- In cases where the infringing content containing nudity, sexual images, or materials is disclosed without authorization of the participants. Under this circumstance, a simple notice will be sufficient to force ISPs to remove the content; otherwise, they may be considered secondarily responsible for the damages caused.
Net neutrality was discussed at length by different Internet players when the Marco Civil da Internet was still in the making by the Brazilian legislators.
The net neutrality obligation was passed and included in Law No. 12,965/2014. Net neutrality requires that the party responsible for the transmission, routing or switching of data packets shall treat them equally, without any discrimination based on content, origin, destination, service, or equipment used.
There are exceptions. For example: (i) when traffic degradation or discrimination is necessary due to technical requirements in order to provide adequate services, subject to further regulation; or (ii) to prioritize emergency services. Nevertheless, net neutrality may be further regulated in the near future.
The Marco Civil da Internet also establishes several sanctions applicable to Internet agents who fail to observe and comply with its rules. The penalties are intended to apply without prejudice to other civil, criminal and administrative consequences, and are as follows:
- Warning, indicating corrective measures to be adopted within a specific time frame;
- Fine of up to ten percent (10%) of the income of the economic group of the violator in the immediate preceding year in Brazil, exclusive of taxes, taking into consideration the gravity of the situation;
- Temporary suspension of the activities involving the collection, storage, treatment and processing of users’ personal data and registries; and
- Prohibition from conducting any of the aforementioned activities.
If the violation was perpetrated by a foreign entity, its Brazilian subsidiary will be deemed jointly liable for the payment of the applicable fine.
As with all new laws, there is always high expectation as to how its rules will be interpreted by local authorities.
Several aspects of the Marco Civil da Internet will certainly raise controversies about its adequate interpretation, and some others will be further regulated in the near future.
Nevertheless, it is safe to say that Brazil now has a concrete legal framework specifically related to Internet users’ rights. It is very likely that the Marco Civil da Internet may cause our legislators to expedite the voting on the specific bill-of-law on data privacy, already under discussion.
São Paulo, April 30, 2014