Internet service providers (ISPs), social media websites, search engines, and other online companies hosting user-generated content that do business in Brazil or collect information online from Brazilian consumers should be aware of Law No. 12,965/2014 (the Brazilian Internet Law), that  takes effect 23 June 2014. While Brazil still does not have a comprehensive privacy law, the Brazilian Internet Law contains privacy requirements that broadly restrict these companies from the sharing of users’ personal information, their communications, and certain online logging data. Covered companies will, however, be required to retain Web logs for a period of time and protect the user-related information they hold.

The Brazilian Internet Law also incorporates an approach to liability for Internet companies hosting third-party user-generated content that is analogous to section 230 of the Communications Decency Act in the United States (47 U.S.C. sec. 230). Specifically, under the Brazilian Internet Law, an Internet company will not be liable for user- generated content posted on its service unless it ignores a judicial order to remove content.

Notably, the Brazilian Internet Law does not include the original proposal (driven by political pressures in the wake of the Edward Snowden disclosures) of a mandatory Brazilian cloud for storage of Brazilian users’ data. However, the new law does embrace a broad concept of Brazilian government jurisdiction over online companies that collect or use Brazilian users’ data, even for companies located outside of Brazil.

Finally, the new law more broadly impacts Internet policy in Brazil, embracing net neutrality and increased Internet access for Brazilians. Additional details are provided below.

Background

On 24 April 2014, Brazilian President Dilma Rousseff approved the enactment of the Brazilian Internet Law, also known as Marco Civil da Internet. Praised by consumer advocates and viewed with concern by some business interests, the Brazilian Internet Law is considered the “Magna Carta” for the use of the Internet in Brazil, establishing for the first time in Brazil express legal rights and obligations of Internet users and providers alike.

The new law draws on the principles of freedom of speech, freedom of information, and the right to privacy by instituting certain guarantees for the protection of private information and the secrecy of information exchanged or stored online, and by restricting the liability of ISPs and Internet application providers (IAPs), such as social media websites and search engines for third-party content. The Brazilian Internet Law also establishes new rules and imposes obligations applicable to ISPs and IAPs regarding Internet connectivity and the provision of Internet services.

New privacy requirements

Under the Brazilian Internet Law the “private information” of users, including personal information, the contents of private communications, connectivity, and Internet application access logs, cannot be shared or disclosed by ISPs or IAPs unless required by a judicial order or as authorized by law. This restriction, however, does not prohibit administrative authorities with powers to do so from accessing certain user data, including names and IP addresses. In addition, ISPs and IAPs are prohibited from collecting and storing more of an individual’s private information than was authorized by the user.

The Brazilian Internet Law requires Internet companies to retain certain information of Internet users for minimum timeframes, although they must do so in a secure environment and in a confidential manner. For example, ISPs must store connection logs for one year and these logs must include users’ connection dates, start and end times, and the IP address of the terminal used to connect to the Internet. IAPs must store the date and time of use of applications and associated IP addresses for six months. Notwithstanding the retention mandates, ISPs are prohibited from storing third party Internet application access logs, and IAPs are prohibited from storing access logs from other Internet applications without prior consent of the user.

Immunity provisions for user-generated content

The Brazilian Internet Law protects ISPs and IAPs from civil liability arising from damages related to hosting content generated by third parties. IAPs’ liability specifically is limited to cases where it fails to remove damaging content in a timely manner after a judicial order or, in cases of sexual content or nudity, after the request of the injured party or its legal representative. These provisions have generated concerns, as they go against a string of judicial rulings from Brazilian courts holding IAPs liable for damages if they fail to remove damaging content after the request of the injured party. Following the effective date of the new law, IAPs will only be held responsible if they fail to remove the damaging content after a judicial order (unless in cases of sexual content or nudity).

Notably missing from the Brazilian Internet Law is a controversial provision, which had been introduced in the original bill in the wake of the Edward Snowden disclosures, that would have required ISPs and IAPs to store all information regarding Brazilian users on servers physically located in Brazil. After strong objection from major IT companies, this provision was eventually dropped from the final legislation. However, the Brazilian Internet Law instead provides for “long-arm” jurisdiction allowing the Brazilian government to enforce the Brazilian Internet Law against any ISPs or IAPs outside of Brazil that collect, maintain, treat, or store data from Brazilian users, as long as they provide services to Brazilian users or at least one member of their economic group maintains offices in Brazil.

Internet policy

The Brazilian Internet Law adopts the concept of “net neutrality,” meaning that every data transmission must be treated the same regardless of its content, origin, destination, service, terminal, or application. Moreover, ISPs and IAPs are prohibited under the new law from blocking, monitoring, filtering, or analyzing any data transmissions.

The Brazilian Internet Law also establishes that the government must aim to develop Internet services and connectivity in Brazil as well as increase the digital inclusion of Brazilians by stimulating the industry, adopting new measures and technologies, and developing Internet education programs. Some of these measures include the creation of transparent, collaborative, democratic, and multi-participatory governance mechanisms with the participation of the government, corporations, individuals, and academics; preferential adoption of open technologies, standards, and formats; optimization of network infrastructure; the stimulating of the establishment of data storage, management, and dissemination centers in Brazil; and the promotion of technical quality, innovation, and propagation of Internet  applications.

Conclusion

Any ISPs, IAPs, or other companies operating online, whether located in Brazil or otherwise, that collect, store, or maintain online user information of Brazilians should familiarize themselves with the Brazilian Internet Law for its privacy and security obligations. Such companies would be well advised to understand the implications of other aspects of the new law as well.