Law 12.965/2014, better known in Portuguese as the ‘Marco Civil da Internet’ (Legal Framework for the Internet) was published yesterday following heated discussions throughout the three years it made its way through the ratification process. President Dilma Rouseff sanctioned the Law without any vetoes in time for it to coincide with the ‘Netmundial – Global Multistakeholder Meeting on the Future of Internet Governance’, an international congress which took place in São Paulo on 23 and 24 April.

The Law, which will enter into effect on June 23, 2014, was based upon a document issued by the Brazilian Internet Management Committee, and seeks to regulate the use of the Internet, establishing rights for users as well as a series of obligations for the providers of internet applications and connections, principally as a means of guaranteeing freedom of expression and privacy for users.

The Law establishes the neutrality of the web, forbidding the discrimination against or degradation of the exchange of data on the Internet, except for certain cases that are to be regulated. In relation to the providers’ responsibilities over the preservation of personal privacy, honor and image of the users, it was established that personal information and the records of access made by users may not be made available to third parties, unless there is a court order requiring it.

On the issue of respecting rights to privacy, internet connection provider companies are required to keep records of users’ connections, in a manner that is confidential and safe, for a period of one year, being forbidden to transfer this responsibility to any third party. Meanwhile, internet application provider companies are subject to the same obligation, being required to store information on access to the respective applications, but for a period of just six months.

Should the provisions for the protection of personal data and communications not be complied with, the offending party may be subject to punishment including a warning, a fine at 10% of the business group’s income in Brazil and temporary suspension of its activities, or even suspension of the right to perform these activities. It is worth mentioning that, should a fine be applied to a foreign company providing services in Brazil, the company’s branches, subsidiaries, offices or establishments located in Brazil will be held jointly responsible for the payment.

Finally, the Law established that connection providers will not be held civilly responsible for any damages arising from content created by a third party. Application providers, on the other hand, will be held responsible if they do not make the sufficient necessary arrangements for the withdrawal of infringing content.

The provision that providers should be required to keep “datacenters” in Brazil for the storage of personal data and communications obtained in the country was withdrawn from the text of the original bill, as long as it is mandatory for Brazilian legislation to be applicable to those application and connection providers which collect, store, keep or work with all records, personal data or communications that originated within Brazilian territory.