Brazil launches consultations on internet and privacy laws
Consultations follow enactment of Marco Civil law
Law number 12,965/2014, also known as the Brazilian Legal Framework for the Internet or ‘Marco Civil da Internet’ (the ‘Internet Law’) was sanctioned by the Brazilian President on 23 April 2014 and entered into force on 23 June 2014. The Internet Law is based on the principles of freedom of speech and user privacy and defines a number of rights and obligations for internet users, internet service providers (‘ISPs’) and internet applications. With 32 sections broadly discussed in Congress and via public consultation online, the Internet Law covers subjects such as: (i) net neutrality (section 9); (ii) protection of personal data (sections 10 and 11); and (iii) the safeguarding of information on users’ internet application log access (sections 13 through 15).
The Internet Law is already in full effect. However, the three subjects mentioned above, among others, still need to be regulated by way of a Decree. On 28 January 2015 the Ministry of Justice launched a public consultation concerning the regulation of the Internet Law1 and the deadline for comments is 31 March. This consultation has been divided as follows:
Net neutrality: the law provides for equal treatment of data traffic regardless of its content, origin and destination, service, terminal or application. Under this rule, internet providers are not allowed to offer internet services which prioritize access to certain types of data to the detriment of others. In practice, therefore, internet providers cannot offer easier or cheaper access to specific types of data. The consultation is focused on the exceptions contained in the Internet Law, which allow for the prioritization of ‘emergency services’ and ‘essential technical requirements’ in the provision of services and applications, terms that still require definition. The consultation is also probably going to cover details regarding the possible suspension of a user’s internet access upon his/her reaching the limit of the contracted internet access quota;
Privacy: the law expressly provides for the internet user’s ownership of his/her personal data and guarantees the user’s right to privacy of communications and to prior consent to the collection and treatment of the user’s personal data. The principles and regulations need to be clarified, such as those regarding transparency procedures, for example;
Log access information: the law establishes that both internet service providers and internet application providers shall maintain safe and confidential records on users’ internet and internet application access for one and a half years. The regulation should cover, for example, how such records should be kept;
Other matters: under this section comments may cover any aspects of the Internet Law which may require more detail, as well as obligations by the Federal government in connection with the Law.
The Decree covering the regulations shall be drafted based on the comments offered as part of the public consultation.
The Internet Law impacts internet service providers and internet application providers that do business in Brazil, who should adapt their procedures in accordance with the Internet Law and keep a close eye on the enactment of the Decree, which will further regulate this law.
Simultaneously with the launch of the public consultation described above, the Ministry of Justice launched another online consultation in regards to the draft Personal Data Protection Bill of Law2. The deadline for comments is 30 April. While the Internet Law contains certain sections covering the collection and treatment of personal data, the draft Personal Data Protection Bill of Law goes much further, not only because it applies to the protection of data collected online and elsewhere, but also because this draft bill is a much more thorough, detailed and specific piece of legislation. The draft presented for public consultation is based on the principles of freedom of expression and privacy protection. Under the draft, the treatment of personal data requires free, specific and informed express consent, consent that may be revoked at any time. The data subject shall be informed about the purposes, form, and duration of the treatment. Consent shall not be required when the data collection and processing activities are required to comply with a contract with the data subject, as well as for the protection of the life or safety of the data subject or third parties. The treatment of sensitive data requires separate consent. The international transfer of data requires that the receiving country offers adequate security standards and such adequacy shall be measured by the competent governmental agency, still to be appointed in accordance with future regulation of the law. In case the level of security does not meet the minimum requirements, the data transfer shall require the data subject to make a separate and specific consent. Sanctions to be applied as a result of non-compliance with the law, which will also be subject to future regulation, shall take into consideration the seriousness and extent of the damage and the economic situation of the offender.
Unlike most Latin American countries, Brazil is only now working towards comprehensive legislation on data protection. All companies doing business in Brazil will be affected by the law and, therefore, should take part in the public consultation as well as closely monitor the developments.
Evy Marques Partner | Isabel Andrade | Senior Associate | Lays Pedro Associate | Felsberg Advogados, Brazil
Font: 1. participacao.mj.gov.br/marcocivil | 2. dadospessoais.mj.gov.br
E-Commerce Law and Policy – March 2015