In July, the Brazilian Department of Consumer Protection and Defence (‘DPDC’) fined the telecom provider Oi 3.5 million reals ($1.59 million) for recording and selling its subscriber browser data. The fine is the first enforcement action to be brought by the DPDC since the Internet law (Marco Civil da Internet) came into force in June.
The DPDC investigated allegations that Oi had entered into an agreement with British online advertising firm Phorm Inc. to develop an Internet activity monitoring program called ‘Navegador’. The investigation confirmed that this program was in use and actively collected the browsing data of Oi’s broadband customers.
The browsing data was collected and stored in a database of user profiles, with the stated purpose of improving the browsing experience. Oi then sold this data to behavioural advertising companies without having obtained the consent of its customers.
The amount of the fine imposed took into account several factors, including the economic benefit to Oi, its financial condition, and the serious nature of the offence. The fine was issued after Oi suspended its use of the Internet activity monitoring software.
Oi denied violating customer privacy and claimed that use of the Internet monitoring program was overseen by government regulators. Phorm Inc. denied that any of the data collected from Oi’s customers was sold, and said that all relevant privacy regulations had been adhered to strictly.
The fine serves as a warning that Brazil will take strong action to enforce its new Internet law.