Content area
After five years of discussion by the public and almost three by Congress, Federal Law No. 12,965/2014, known as Marco Civil da Internet or the Internet Legal Framework, which deals with the regulation of Brazilian cyberspace, was approved on Apr 23, 2014, and went into effect on Jun 23, 2014. The law establishes the principles and rights regarding the use of the Internet and details the responsibilities of Internet connection providers as well as content providers and the government in the virtual environment. In this survey the authors will explain two positive aspects of the law: one relating to privacy and data protection rules that must be respected by foreign companies that offer services to Brazilian citizens; the other relates to the protection of network neutrality. They will also discuss Internet service providers' liability for damages resulting from content generated by third parties.
Introduction
After five years of discussion by the public and almost three by Congress, Federal Law No. 12,965/2014, known as Marco Civil da Internet or the Internet Legal Framework, which deals with the regulation of Brazilian cyberspace, was approved on April 23, 2014, and went into effect on June 23, 2014.1 The law establishes the principles and rights regarding the use of the internet and details the responsibilities of internet connection providers as well as content providers and the government in the virtual environment.
In this survey we will explain two positive aspects of the law: one relating to privacy and data protection rules that must be respected by foreign companies that offer services to Brazilian citizens; the other relates to the protection of network neutrality. We will also discuss internet service providers' liability for damages resulting from content generated by third parties.
Transparency and Data Protection
Brazil has codified general principles and rules about transparency and data protection in the Brazilian Federal Constitution of 1988; in the Brazilian Civil Code (Federal Law No. 10,406/2002);2 in Federal Law No. 8,078/1990, the Consumer Protection Code;3 and, most recently, in Decree No. 7,962/13,4 which regulates contracts with customers in electronic commerce. Among other things, the decree provides that suppliers shall present a summary of a contract highlighting any clauses that limit consumer rights before the customer signs it, and suppliers must also utilize safe payment and data handling practices for the treatment of consumer data.5
The Brazilian Ministry of Justice considers data privacy and security to be critical enough to warrant the inclusion of additional specific rules about personal data in a draft bill known as the Personal Data Protection Act6-even though the Internet Legal Framework already deals with some of the issues relevant to this. Article 7 of the Internet Legal Framework provides that any private communications that are stored remain confidential except under the direction of a court order.7 The Internet Legal Framework prohibits the disclosure to third parties of personal data and electronic records of users, except with the user's free, informed consent in writing.8 Furthermore, service suppliers are required to provide clear, complete information to their users about the collection, use, storage, treatment, and protection of the user's personal data, which can only be used for purposes that are justified, not prohibited by law, and specified in terms of use of the relevant internet application or service agreement.9 In addition to governing service providers, Article 7 protects user rights in requiring free, express, and informed consent regarding the utilization of personal data.10 Clauses addressing the use of personal data in contracts should stand out from other agreement clauses; furthermore, users will have, upon request, the right to have personal data provided to internet applications permanently excluded at the end of the relationship between the parties, except in cases of mandatory record keeping established under the Internet Legal Framework.11
In addition to the above provisions, Article 9 states that the party responsible for providing internet connectivity, data transmission, and switching or routing is prohibited from blocking, monitoring, filtering, or analyzing the content of data packages. Exceptions to this servicer obligation of neutrality shall be regulated by a presidential decree, upon previous consultation with two Brazilian bodies as described below.12
SOVEREIGNTY AND THE BRAZILIAN LEGISLATION
In July 2013, allegations surfaced that Brazil was the victim of electronic espionage. Besides, prior to the Internet Legal Framework issuance, there was a doubt about which country legislation would apply to regulate a court case involving data stored in a foreign country: the Brazilian legislation or legislation of the country where the data are stored. In response, it was proposed by the Brazilian federal government that a provision be included in a bill Law No. 2,126/ 2011,13 in which it would be obligatory for all companies that do business in Brazil to keep Brazilian citizens' data stored locally. Although this proposal was not signed into law, Article 11 of the Internet Legal Framework establishes in detail that where any provider of internet connections or applications collects, stores, or processes records, personal data, or communications within the national territory of Brazil, the provider must respect Brazilian legislation.14
This is important for foreign companies because in view of the provisions of Article 11, even when a company that does business in Brazil stores Brazilian internet users' data abroad, it will be obligated to respect Brazilian legislation, including the rules regarding privacy.
NETWORK NEUTRALITY
The Internet Legal Framework has come out clearly in favor of net neutrality, a hot topic in the United States this year. Article 9 establishes that "(tjhe party responsible for data transmission, switching, or routing must treat all data packages on an isonomic basis, irrespective of the type of content, origin and destination, service, terminal, or application."13 Any exception to the neutrality rule shall be regulated by a decree, issued by the president, who will listen beforehand to the opinion of the Brazilian Internet Steering Committee and the National Telecommunications Agency.16 Any discrimination or degradation shall only result from essential technical requirements for adequate service or the prioritization of emergency services.17
LIABILITY FOR DAMAGES RESULTING FROM CONTENT GENERATED BY THIRD PARTIES
Another subject, the responsibility of providers for damages resulting from content generated by third parties, has been treated in the Internet Legal Framework, at least partially, in a way that differs from the precedent (i.e., consolidated case law) set by the Brazilian Superior Court of Justice (Superior Tribunal de Justiga ("STJ")). This action represents a significant step back in terms of internet users' rights.
Article 18 of new Law No. 12,965/14 states that "the provider of an internet connection shall not bear any civil liability for damages arising from content generated by third parties."18 However, according to Article 19, the provider will be civilly liable for damages of this nature if, after receiving a specific court order, the provider has not taken any measures to make the content that was identified as being unlawful unavailable.19
Currently, takedown requests that involve an offense to an individual's reputation are quickly resolved on an extrajudicial basis; the existing precedent from the STJ is that the provider is jointly liable with the third party should it not remove the offending content within twenty-four hours of written notice by the victim.20 The Internet Legal Framework alters this position and, under Article 19, provides for the necessity of a court order for removal of the content.21 One concern is that the changes it introduces will lead to significant additional pressure upon the judicial system as well as considerable and unnecessary expense to victims.
The legal exception is detailed in Article 21, which concerns any breach of privacy arising from the disclosure of images, videos, and other materials containing nudity or sexual activities of a private nature without the permission of the participant or his/her legal representative when, after receipt of notice by the participant or his/her legal representative, a third-party content provider fails to remove such content in a diligent manner, within the ambit and technical limits of its service.22
It should be noted that in cases of content generated by third parties leading to copyright infringement, as per Article 3123 and Article 19, paragraph 2,24 and until the enactment of specific statutes that aim to regulate this matter, the liability of the provider of internet applications for copyright infringement shall continue to be governed by the applicable Brazilian copyright legislation.23 Thus, because an internet-specific rule regarding copyright has not been issued, providers of internet applications will most likely continue to remove, on an extrajudicial basis, content that has been claimed to be infringing a copyright upon the notice and request of the holder of the copyright. Providers will probably react in this manner to minimize the risk of joint liability with the third party that has generated the content.
CONCLUSION
Marco Civil, the Internet Legal Framework, is effective in providing and assuring important constitutional guarantees, such as the protection of freedom of ex pression, privacy, and dignity to all internet users in Brazil. It also provides further regulation regarding the quality and maintenance of services provided as well as transparency regarding their terms and conditions. However, it does have certain drawbacks, such as those related to third-party generated content that open it to significant criticism.
1. The law is Lei No. 12.965, de 23 de Abril de 2014, Diário Oficial da Uniäo [D.O.U.] de 24.04.2014 (Braz.).
2. Lei No. 10.416, de 10 de Janeiro de 2002, Diário Oficial da Uniäo [D.O.U.] de 11.01.2002 (Braz.). The name of this Code in Portuguese is Código Civil-C.C.
3. "Código de Proteçâo e Defesa do Consumidor-(C.D.C.)." The law is Lei 8.078, de 11 de Setembro de 1990, Diário Oficial da Uniäo-Supp. [D.O.U.] de 12.09.1990 (Braz.).
4. Decreto No. 7.962, de 15 de março de 2013, Diário Oficial da Uniäo [D.O.U.], Ediçâo Extra, de 15.03.2013 (effective May 14, 2013).
5. Decree No. 7,962/13 art. 4, items I, VII ("In order to ensure clear sendee for consumers in ecommerce transactions, the supplier must present a summary of the agreement before its execution, with the necessary information for the consumer to fully exercise [the] right to choose, emphasizing the clauses that limit rights [item I] . . . [and] use efficient features of security for payment by consumers as well as for treatment of their data [item VII].").
6. This draft bill-the Personal Data Protection Act ("Anteprojeto de Lei de Protegao de Dados Pessoais")-is available at http://www.acessoainformacao.gov.br/menu-de-apoio/recursos-passo-apasso/anteprojeto-lei-pro tecao-dados-pessoais.pdf.
7. See Lei No. 12.965, de 23 de Abril de 2014, Diario Oficial da Uniao [D.O.U.l de 24.04. 2014 (Braz.) (art. 7, item II ("inviolability and confidentiality of the flow of the user's communications over the Internet, except under court order, as provided by law")).
8. Id. art. 7, item VII ('"non-disclosure to third parties of the user's personal data, including connection logs and access logs for internet applications, except through free, expressed, and informed consent or in hypotheses provided by the law").
9. Id. art. 7, item VIII ("clear and complete information on the collection, use, storage, treatment and protection of the user's personal data, which can only be used for purposes which: a) justify their collection; b) are not prohibited by legislation; and c) are specified in sendee agreements or in the terms of use of internet applications").
10. Id. art. 7, item IX ("the express consent regarding the collection, use, storage and treatment of personal data, shall stand out from the other clauses").
11. Id. art. 7, item X ("the permanent exclusion of personal data provided to certain Internet applications, at the user's request at the end of the relationship between the parties, except in the cases of mandator)? record keeping under this Law").
12. Id. art. 9 ("The party responsible for transmission, switching or routing must treat all data packages on an isonomie basis, irrespective of type of content, origin and destination, sendee, terminal or application." Para 3 . . . .-"In the provision of internet connection, paid or free, as well as in the transmission, switching or routing, it is prohibited to block, monitor, filter or analyze the content of data packets, in accordance with the provisions set forth in this article.").
13. Projeto de Lei No. 2.126, de 2011, do Poder Executivo, available at http://goo.gl/x4uoxM website of the Brazilian House of Representative.
14. Lei No. 12.965, de 23 de Abril de 2014, Diario Oficial da Uniâo [D.O.U.] de 24.04.2014 (Braz.) (art. 11, paras. 1, 2 ("Any operation of collection, storage and treatment of logs, personal data or communication data by providers of connection and internet applications, where at least one of these acts takes place within the national territory, the Brazilian legislation, the rights to privacy, the protection of personal data, private communications and logs confidentiality shall be complied with. Para. 1 The provisions set forth in this section apply to data collected in the national territory and to the content of communications in which at least one of the terminals is located in Brazil. Para. 2 The provisions set forth in this section shall apply even if the activities are performed by a legal entity domiciled abroad, provided that it offers services to the Brazilian public or provided that at least one member of the same economic group is established in Brazil.").
15. Id. art. 9, paras. 1, items I, II.
16. Id. art. 9, para. 1 ("The discrimination or degradation of traffic shall be regulated in accordance with the private attributions granted to the President of the Republic by means of art. 84, item IV of the Federal Constitution, aimed at the full application of this Law, upon consultation with the Brazilian Internet Steering Committee and the National Telecommunications Agency . . . .").
17. Id. "[Discrimination or degradation . . . can only result from I-technical requirements necessary for adequate provision of services and applications, and II-prioritization of emergency services. ").
18. Id. art. 18.
19. Id. art. 19, para. 1 ("In order to ensure freedom of speech and prevent censorship, the provider of internet applications can only be civilly liable for damages arising from content generated by third parties if, after specific court order such provider has not taken any measures within the ambit and technical limits of its service and within the indicated term, to make the content identified as unlawful unavailable, except for legal provisions to the contrary. A court order under this section shall, under penalty of nullity, contain clear and specific identification of the content pointed out as unlawful, allowing for the unequivocal location of the material . . . .").
20. Renato Opice Blum & Rita P. Ferreira Blum, Recent Developments in Cyberspace Law: A View from Brazil, 69 Bus. Law. 301, 303-04 (2013) ("A recent case illustrates the application of these personality rights in the context of a take-down request of an internet sendee provider, which was a novel question in Brazil. In a civil case involving a claim against a social media site originally brought by Mrs. Grazide Salme Leal against Google Brasil Internet Ltda., Brazil's highest court of appeals on all non-constitutional matters announced that a twenty-four hour deadline would be imposed on an internet service provider to remove content or an image that an individual claims may constitute an offense to his/her honor (i.e., personality rights). Failure to comply could result in eral liability for any harm to the claimant. Significantly, the court required removal as a preventive or protective matter, but allowed a later determination to ascertain whether the claim being asserted was accurate, after which the site may republish the information if personal rights are not being implicated.").
21. Lei No. 12.965, de 23 de Abril de 2014, Díárío Oficial da Uniäo [DOU] de 24.04.2014 (Braz.) (art. 19).
22. Id. art. 21.
23. Id. art. 31 ("Until the entry into force of specific law provided for in paragraph 2nd of art. 19, the liability of the internet applications provider for damages arising from content generated by third parties, in case of infringement of copyright or related rights, these will continue to be regulated by the copyright legislation in force applicable on the date of entry into force of this Law.").
24. Id. art. 19, para. 2 ("In order to ensure freedom of speech and prevent censorship, the provider of internet applications can only be civilly liable for damages arising from content generated by third parties if, after specific court order such provider has not taken any measures within the ambit and technical limits of his sendee and within the indicated term, to make the content identified as unlawful unavailable, except for legal provisions to the contrary .... The application of the provisions set forth in this article regarding infringement of copyright or related rights will depend on a specific legal provision which shall respect freedom of speech and other guarantees provided for in article [Fifth] of the Federal Constitution.").
25. Lei No. 9.610, de 19 de Fevereiro de 1998, Diario Oficial da Uniäo [D.O.U], de 20.02.1998 (Braz.).
By Renato Opice Blum, Rony Vainzof, and Rita P. Ferreira Blum*
* Renato Opice Blum is a partner at Opice Blum, Bruno, Abrusio, and Vainzof Attorneys at Law. He is the president of the American Chamber of Commerce Technology Law Committee and president of the Permanent Committee of Studies of Technology and Information at the Instituto dos Advogados de Säo Paulo-IASP. Rony Vainzof is also a partner at the firm. He is the director of the Department of Security of FIESP-Federation of Industries of the State of Säo Paulo (Federaçâo das Industrias do Estado de Säo Paulo) as well as a lecturer and coordinator in the MBA in Electronic Law course at the Escola Paulista de Direito-EPD. Rita P. Ferreira Blum is a senior associated lawyer at the firm, author of the book Consumer Rights on the Internet (2002), and recipient of a doctor of law degree in collective and diffuse rights.
Copyright American Bar Association Winter 2014/2015