The Civil Rights Framework for the Internet Bill (Marco Civil da Internet) was approved by the lower house of Brazilian’s Parliament and is now being discussed by the Brazilian Federal Senate, before being enacted into Law by Brazil’s president.
A substantial portion of the Bill deals with privacy and data protection – and this is one of its major changes since earlier versions. Its first draft was the result of a collaborative work done over the internet, which resulted in a principle-orientated statute with the main aim of assuring a set of rights to internet users. Afterwards, an intense debate emerged concerning issues as the liability of intermediaries and net neutrality. The Bill was amended in order to regulate more specifically these two points.
Another major development was related to privacy and data protection. Firstly, the Bill sustained a general approach to these issues, contemplating privacy and data protection as general principles for the use of internet and reaching a more specific tone mainly on the issue of data retention by internet providers.
This scenario changed substantially after Edward Snowden’s leaks – some of them addressed documentation about Brazilian enterprises and politicians. This inspired the legislator to include more specific data protection and privacy rules in the Bill. Thus, its final text ended up with a rather impressive length of privacy provisions, which we’ll proceed to briefly analyse.
Before going to the text, it must be stressed that Brazil doesn’t have, as of yet, a general data protection statute nor general rules about data protection on the internet.
The privacy provisions on the Bill can be widely classified in three main groups: (i) principles and users’ rights; (ii) specifications on log’s retention; (iii) access to personal data.
The conceptual definitions of Marco Civil are still basically the same of its prior versions. The main issue is the lack of a definition of ‘personal data’ (probably an intended one, as the general forthcoming data protection bill shall work directly on this). This absence is not a problem per se, as it is possible to infer a definition from the usage of the term in actual Brazilian jurisprudence and from legal scholarship as data which is or can be related to an individual. The Bill also was clear enough to specify some special kinds of data that should further be considered as personal (i.g., access logs and other).
The English text of Marco Civil is a free and unofficial translation. We’ll mention only the parts of the Bill directly related to privacy and data protection. A full (and also unofficial) whole version of the text can be found here.
(i) Principles and user’s rights
Privacy and data protection are – separately – mentioned as principles for the use of internet in the very beginning of the Bill.
Art. 3º The discipline of the use of Internet use shall be grounded on the following principles:
II – privacy protection;
III – protection of personal data, in the terms of the law
The fact that privacy and data protection are mentioned separately evokes the concept of data protection as diverse from privacy and with a different scope – despite its similarities. This approach can be traced to the Charter of Fundamental Rights of the European Union, in which they are both mentioned but in different articles (7º and 8º).
Art 3º, III adds to the mentioning of the principle of protection of personal data the expression “in the terms of the law”. This means that the general data protection regulation and principles shall be found in another statute, which will regulate data protection in general terms, while the provisions in Marco Civl related to data protection consist of particular specifications that take into account the characteristics of internet
It is also worth mentioning that, at a first glance, the privacy principles in Marco Civil are compatible with the framework of the draft of the data protection bill that is currently being prepared by the Brazilian Federal Government.
The chapter II of the bill mentions the rights of internet users – several of them related to privacy and data protection.
Art. 7º. Access to the Internet is essential for the exercise of citizenship, and the following rights are secured to its users:
I – the inviolability of intimacy and private life, assuring their protection and compensation for material or moral damages derived from their violation.
II – the inviolability and secrecy of communications on the Internet, except under judicial order, in the hypotheses and form established by law;
III – the inviolability and secrecy of stored private communication, except under judicial order;
Art 7, I to III basically stresses that the general guarantees regarding privacy found in Brazilian Constitution, and partly replicated in the Brazilian Civil Code, are applicable to the internet:
These provisions could be read as rather redundant, except for one very important point made clear by art 7, III. This particular provision concerns the interpretation Brazilian courts make of Brazilian Constitution, according to which the constitution only protects data when it is being communicated (i.e., in a telephone call) and not the data which is stored (i.e. in the memory of a computer or in a datacenter). The Bill recognised this paradox and endowed stored data with the same level of protection as communications have, filling an old gap that wasn’t reasonable anymore given today’s feasibility of storing most of communications data.
VI – the information provided in Internet service provider agreements must be clear and comprehensive, including detailed information on the protection of connection logs and access to Internet applications records, as well as network management practices that may affect quality;
The provision also mentions the necessary availability of information about “logs and access to internet records”, which are the data that the Bill will further regulate in a very stringent way.
VII – guarantee that personal data, including connection logs and access to Internet applications records will not be shared with third parties, except upon the user’s express free and informed consent or as provided by law;
Consent is here presented as the instrument the individual can use to decide whether his personal data will (or won’t) be disclosed or transmitted to third parties. The connection logs and ‘internet applications records’ mentioned here will be further detailed in specific provisions later.
The consent must be free (it must correspond to the actual will of the citizen, not forced by any means) and informed (valid only after the citizen has been given enough information in order to know the context and the consequences of his choice) – both are very important criteria that must inspire industry to be clear and precise when informing and asking for citizens’ consent.
Lastly, consent will not be required when there is specific law permitting the treatment of personal data even without consent.
VIII – there must be clear and comprehensive information on personal data collection, use, storage, care and protection, which can only be used for the purposes that
a) justify the collection;
b) not prohibit by law; and
c) are specified in the Terms of Service or Use of Internet applications.
Here Marco civil begins to turn into a small data protection framework, as two of its main principles are presented: transparency and purpose.
The need for ‘clear and comprehensive’ information is a consequence of the adoption of the informed consent mechanism and ckarifies that all treatments of personal data shall be known and transparent to the data owner, in its existence and characteristics.
The purpose principle here stresses that use of personal data for purposes other than those known (and authorized) by the data owner is unlawful. Thus, the secondary use of personal data (out of its prior purpose) will not be possible unless a new consent is sought.
It is very important to note that these (and other) provisions are valid and must be followed also in case of data treatments authorised by law without the consent of the data’s owner. Thus, if the Law allows personal data to be used by an enterprise for a certain purpose and without consent (for databases of unpaid loans, for example), this does not absolutely mean that these data can be used for any other purpose not explicitly mentioned in the law.
IX – clear consent of the collection, use, storage, processing of personal data, which shall occur separately from the other contractual terms;
The consent requisite is mentioned again, but this time in general terms; the consent shall be obtained to any form of treatment of personal data, which is mentioned in its fundamental forms of ‘collection, use, storage, processing’.
A fundamental specification here is that consent cannot be obtained by a clause inserted in a contract with other provisions – it must be obtained separately- This is a formal traditional contractual tool to assure that the data subject actually had the opportunity to freely reflect before giving its consent.
X – upon a user’s request, at the end of the term of the agreement between parties, personal data stored in connection with access to an application must be completely removed, except in case of mandatory record keeping established in this Law; and
Marco Civil included here a ‘right to be forgotten’ provision, which is rather weak and potentially problematic. In fact, the Bill should have recognised that, in the end of the agreement between parties, personal data must be completely removed by an internet application, for the very fact that there would be no contractual justification its maintenance anymore. Anyway, the provision does not change the fact that the consent was given for a certain use of the data during an agreement and that, of course, the end of the agreement implies the necessary destruction of the data, unless law or the contract have different provisions.
Another problematic provision is that the text gives the impression that the individual is free to ask for the removal of his data only at the end of an agreement. Nonetheless, there shall be occasions in which the individual does not want (or even can’t) end or break an agreement, yet he may want his personal data to be totally or partially removed. In several situations this will be a legitimate claim and the Marco Civil provision must be interpreted in a way that safeguards this fundamental right of the individual to revoke, totally or partially, his consent to the treatment of his data, even without ending another agreement.
As the Marco Civil does not permit some categories of personal data to be erased, it mentions that even a request of the citizen cannot be enough to cancel the data in some occasions. These are the cases of logs’ retention, to be later analysed.
XIII – incidence of consumer protection and defence rules in all consumer relations conducted on Internet.
The fact that several data treatments conducted in internet are also subjected to consumer law endows the internet user with a very protective set of consumer rules to assure his personal data will be fairly used. The intersection between Marco Civil and consumer law (mainly the Law 8.078 of 1990) will, thus, be the main framework to regulate personal data in internet while there is no general data protection law enacted.
Importantly, Brazilian courts recognise that consumer law is also applicable to internet services which are provided ‘free of charge’, or in other words, when it is possible to identify any form of ‘indirect payment’ (such as the permission to use personal data, in fact).
Article 8 Protection of the right to privacy and freedom of expression in communications is a prerequisite for the full enforcement of the right of access to the Internet.
Sole paragraph. Any provision contrary the above mentioned is void, such as:
I – implies offence to inviolability and confidentiality of private communications over the Internet; or
The last of the ‘general’ data protection provisions on the Bill provides another strong and sound affirmation of the fundamental value of privacy (as well as of freedom of expression) whenever internet is considered.
This article even makes use of a common procedure in consumer law, that is, to recognise as void any contractual clause which is contrary to the right to privacy (as well as, specifically, the secret of private communications). In such cases, the clause is to be considered not written, although ® the rest of the contract can still be valid and enforced.
(ii) specifications on log’s retention
Record, Data Protection and Private communications protection
Article 10. Record retention of Internet connection and access to application logs, for the purposes of this Law, as well as personal data and private communications content, must protect the privacy, private life, honour and image of the parties directly or indirectly involved.
Before mentioning the mandatory retention of some types of personal information, Marco Civil makes it clear that the data stored must be used only in accordance of the law. This technique of mentioning the protective standard first and the data retention second reinforces the interpretation of data retention as an exception that must be treated as such.
The provision calls for the protection of personal data of everyone involved, be it the sender, receiver of the communication as well as any third party mentioned or indirectly involved.
§ 1 The provider responsible for record retention will only be required to provide the aforementioned logs, alone or combined with personal data or other information that may help identifying a user or terminal, upon court order, as set forth in Section IV of this Chapter, complied with article 7o.
As a way to protect the individual,the logs stored must only be disclosed upon judicial order, avoiding thus generic (and, in some occasions, bad-faith) requirements to access personal data made processed in some easier way.
Not only logs, but other personal information stored and useful to identify users can be given by the provider upon judicial request.
§ 2o. Private communications content may only be released by court order, in the terms and provisions established in this Law, complied with article 7, II and III.
The specific mention to the content of communications in § 2o strengths the conceptual difference between content and metadata in internet communications. It also establishes as mandatory the requirement to obtain a specific judicial order to access the content of communication, which cannot be a general one or one that only refers to the metadata involved in communications.
§ 3o The provisions in this article do not prevent the access by administrative authorities that have legal competence to request data related to personal qualification, affiliation and address, in terms of the law.
This provision establishes a major exception in Marco Civil: in particular situations, personal data can be requested by an administrative authority without the need for a warrant.
It is important to note that not all personal data is subject to this kind of request, but only ‘personal qualification, affiliation and address’.
This provisions is essentially the repetition of one presented in Law 12683 of 2012, which authorised the police and the public prosecutor to request data for the purpose of investigations regarding money laundering
As this provision is and must be considered as an exception, its interpretation is restrictive and must take into account the limits to the requisition of personal data which are already mentioned in Law 12683 of 2012 and that basically narrows these request to the scope of ongoing investigations. Thus, even if this provision is a fundamental exception in Marco Civil, an integrative perspective of the statute assures that it may not, in any sense, be taken as a general nor multi-purpose exception, and that its misuse is unlawful by its own terms.
§ 4º Security and confidentiality measures and procedures must be communicated by the provider and clearly meet the standards set forth by regulation.
This provisions establishes that the citizen must be informed of the security measures taken to protect its data from misuse and unauthorised access. The specificities of the security measures and standards that must be followed for the treatment of personal data in internet are to be detailed in secondary legislation as defined by the Brazilian government.
Art. 11. Any operation involving collection, storage, retention and treatment of records, personal data and communications by Internet connectivity and applications providers, wherein at least one of these acts occur in national territory, it will be mandatory to comply with national legislation, privacy rights, data protection rights and the confidentiality of private communications and records.
§ 1º The provisions in this article apply to any data and communications content collected in the national territory, wherever at least one of the terminals are located in Brazil
§ 2º The provision in this article applies to foreign-based legal entities, if they provide services to Brazilian audience or at least one of the holder in the same economic group is based in Brazil.
§ 3º Internet connectivity and applications providers have to provide information that allow for the inspection of compliance to Brazilian legislation referring to collection, retention, storage and treatment of data, as well as the respect to privacy and confidentiality of communications, under the terms of the law.
§ 4º A Decree shall regulate the procedures for inspection of violations to this article.
This is the jurisdiction clause of Marco Civil, which establishes that any treatment of personal data that is processed in Brazil, even if partially and even if the data is only collected by means of a terminal located inside the territory, must comply with Brazilian legislation (which includes but is not restricted to the Marco Civil). l,.
Foreign companies are subjected to this rule whenever they provide services to Brazilian citizens. This means that even if a company doesn’t particularly focus and approaches Brazilian users but admits them as customers, this provision shall apply. Also, if the company holds a foothold or subsidiary of its same group in Brazil, the provision will also apply.
Companies must also permit inspections aimed to verify the compliance of its practices to the legislation. The Bill does not specify nor clarify which is the body in charge of this inspection, although the inspection procedures are also going to be further regulated in a Decree (the second explicitly mentioned in Marco Civil).
Art. 12 Regardless of other civil, criminal or administrative sanctions, any violation to articles 10 and 11 are subject to the following sanctions applied exclusively or in conjunction with others, according to each case.
I – Warning, with a deadline to start any corrective action;
II – fine up to 10% of the economic group revenue in Brazil, according its last financial year, excluding taxes, and considering the economic condition of the offender and the principle of proportionality between the level of fault and the severity of the penalty.
III – temporary suspension of activities involving the actions referred in article 11;
IV – prohibition of activities that involve the actions referred in article 11.
sole paragraph. In the case of foreign based companies, any subsidiary, branch, office or establishment in the country will be jointly liable.
Here we can find listed the substantial sanctions for the lack of compliance with the data retention provisions in the Bill, which ranges from warning, corrective measures and fines, to suspension and even prohibition of the activities that involves data retention. Foreign companies are also subject to these sanctions, which can also be imposed on their Brazilian subsidiaries or alike.
Internet Connection Records Retention
Art. 13. Under the terms of the relevant Regulation, when providing Internet connection, autonomous system administrators are obliged to retain connection records under strict confidentiality, in a controlled and safe environment for one year.
§ 1 The responsibility for retaining connection logs cannot be transferred to third parties.
§ 2 The police, administrative authorities or the public prosecutors may require that precautionary connection logs are retained for longer than foreseen in the caput of this article.
§ 3 In the case foreseen in paragraph 2, the applicant authority shall have a period of sixty days, from the date of request to the ISP, to file for a court order to authorise access to the referred records.
§ 4 The provider responsible for record retention must protect the confidentiality of the requests foreseen in paragraph 2, which shall be void if the court order is denied or if it is not filed within the period set forth in paragraph 3.
§ 5º In any case, the availability of records mentioned in this article to the applicant must be preceded of a court order, according Section IV of this Part.
§ 6º In the execution of sanctions for the violations of this article, it should be considered the nature and severity of the infraction, the respective damages, potential benefit gathered by the offender, aggravating circumstances, background violations of the offender and recidivism.
The data retention performed by internet providers embodies a lengthily discussed provision of the Marco Civil – and is, interestingly, one of the main reasons of the very existence of the Bill! In effect, this piece of legislation was firstly proposed as a counter part to another Bill that proposed mandatory data retention within a legal framework build upon criminal sanctions.
The very definition of a connection log can be found at Article 5, V:
VI – connection log: a set of information regarding the date and time that the Internet connection begins and ends, its duration and the IP address used by the terminal to send and receive data packets;
The minimum period for the retention of data of connection logs is one year, but this period can be extended if a request is made by the police, administrative authorities or the public prosecutors (no judicial order is needed for the extension but the request to a judicial order must be filed within 60 days).
There is no maximum time limit for data retention.
The log must be kept by the company which collected it. In order to technically comply with this obligation, the company will not be able to use a contractor or third party as a kind of ‘data processor’.
Access to Internet Applications Records Retention in Connectivity
Art. 14. In the provision of Internet connection, costly or gratuitous, it is forbidden to retain records of access to Internet applications.
Marco Civil uses the technique of not bundling together the connection logs (kept by ISP’s) with data from ‘internet application (kept by sites and alikes) – in fact, it forbids it. This very explicit measure is key to its privacy framework as it expects ISP’s not only not to deal with the contents in one’s connection, but also not to keep logs of what is happening in the sphere of ‘internet applications’, which would be a restrict place for the OTT (over-the-top).
As the Bill makes it mandatory both kinds of logs (at least for the big branch of applications with ‘economic purposes’), this provisions aims to draw a strict line between these two main genre of mandatory logs that will, in fact, be the very ‘recent memory’ of internet use in Brazil once the Bill is enacted and effective. It can be argued if it is really possible to conceive such a clear and concrete line.
Access to Internet Applications Records Retention for Applications Provision
Art. 15 providers established as a legal entity acting in organised and professional structure, with economic purposes, shall keep records of their access to Internet application, under confidentiality, in safe and controlled environment, for at least 6 months, under the terms of regulation.
§ 1º Court order may require, for a specific time frame, Internet applications providers that are not under the above mentioned requirements, to keep record of access log to Internet applications, only if it is related to a specific event in a specific period
§2, the police, administrative authorities and public prosecutors may require in precaution to any Internet applications provider that records are stored, including for a longer term than above-mentioned, observed the procedure and terms set forth in § § 3 and 4 of article 13 from this Act.
§ 3º In any case, the availability of records mentioned in this article to the applicant must be preceded of a court order, according Section IV of this Part.
§ 4º In the execution of sanctions for the violations of this article, it should be considered the nature and severity of the infraction, the respective damages, potential benefit gathered by the offender, aggravating circumstances, background violations of the offender and recidivism.
Several Internet applications shall have to keep records of theirs users’ access for at least six months.
Internet applications are, according to Article 5, V:
VII – Internet application: a set of features that can be accessed by a terminal connected to the Internet
And the logs of access to them contains, says Article 5, VIII:
VIII – Record of access to Internet applications: a set of information regarding the date and time when a specific Internet application was used, from a given IP address.
This measure is a very extreme one as it may not only increase drastically the volume of personal data being kept as a result of regular internet navigation but also makes it impossible to run several kinds of privacy-friendly services which are not meant to preserve records of their normal use.
More data being kept means more costs in the eyes of internet enterprises, but means other pretty negative consequence for internet users: it raises the risks of something bad happens with personal data, such as non-authorised access, accidental disclosures and so on.
Even if the records mentioned doesn’t directly contain personal information, it is clear that they will be useful only in occasions they could be contextually related to an identifiable individual, so, for the proposed purposes, that must be considered as equivalent to personal data.
This kind of mandatory logs were a last-minute increment to the Bill that were not fully discussed, as other provisions were. They find practically no equivalence in other legislation (in fact, data retention usually refers to ISP logs and not log from internet sites). There is a strong argument that can be made on the grounds of the principles of proportionality and economy.
Only for-profit and legal entities qualify as applications that are bound by this provision. The Bill requires a judicial order as the only means for this logs to be disclosed, and even establishes in § 4 some requirements for the order to be issued.
As with connection logs, there is no time limit on the retention of these logs, as the six-months period can be extended on the requirement of an authority.
Art. 16. When providing paid or free Internet applications, it is forbidden to retain:
I – access log to other Internet applications without the data owner previous consent, in compliance with article 7o.
II – personal data that exceed the purpose for which has been consented by the holder.
One internet application is forbidden to keep records of access to other internet applications, in order to make another clear line between who are the natural depositories of these records.
Anyway, this procedure can be done providing the data owner has given his consent.
Art. 17. Except in the cases mentioned in this Law, the choice to not to keep records of access to applications does not imply liability for damages from use of these services by third parties.
The provision tries not to make the retention of access data to internet applications the implicit rule also for non-profit services or to other services not mentioned in Article 15.
(iii) access to personal data
Court Order for Disclosure of Records
Art. 22 For the purpose of gathering evidence and proof for legal proceedings in civil or criminal areas, the interested party may request a judge an order addressed to the entity responsible for record retention to disclose connection or access to applications logs, on an incidental or standalone basis.
Sole paragraph. Without prejudice to other legal requirements, the court order shall contain, subject to becoming void:
I – underlying evidence of the offence;
II – detailed reasons for the relevance of the requested records to the investigation or probative use, and
III – the specific period the records refer to.
Art. 23 The judge is responsible for taking the necessary steps to ensure the confidentiality of the records received under custody, and to safeguard the privacy, private life, honour and image of the user. The judge may deem the legal proceedings classified.
The judicial order, generally required to access private information, is directly mentioned in art. 22 and 23.
A judicial order can be given either in criminal as in civil cases. This substantially widens the array of situations in which a judge can find it reasonable to issue such an order when compared to some propositions to make it ossicle (possible) only in criminal cases.
In order to restrain the effects of a excessively wide judicial order, the Bill mentions that the order shall only be taken into account after the judge has received underlying evidence of the offence which is being discussed; after having received and considered the relevance of the data to the investigation in course, the judge must also define a specific period to which the order refers to.
The principles of proportionality (regarding the measurement of the importance of the data requested and its importance to the investigation) and specification (regarding the limitations the time period the data requested refers to) are present and are important constrains to any form of abuse, proposital or not. Moreover, the judge is not only supposed to issue the order but, as article 23 mentions, he needs to take any necessary precaution to assure the privacy of the individuals affected by the disclosure of the data. This provision also includes the possibility – and, we shall add, the necessity – of the judge classic and the proceedings related to the requested data, as party of his duty to safeguard the privacy of the citizens involved.
The author would like to thank Norberto Nuno de Andrade for his comments on a draft of this post.