The NETmundial Secretariat issued today the Bill of Internet Rights (Marco Civil da Internet). Marco Civil reiterates the principles comprised in the Decalogue; it states fundamental rights and duties of all of the stakeholders (including by stating normative horizons to be pursued by the Brazilian government); it operationalizes the net neutrality principle and rules related to third party liability, as well as to the protection of privacy and personal data and communications, including formal and institutional limitations to access to data and metadata by public and private actors.
Presidency of the Republic
LAW No. 12.965, APRIL 23RD 2014
Establishes the principles, guarantees, rights and obligations for the use of Internet in Brazil
THE PRESIDENT OF THE REPUBLIC. I make known that the National Congress decrees and I sanction the following Law:
Art. 1o This Law establishes principles, guarantees, rights and obligations for the use of the internet in Brazil and provides guidelines for the actions of the Union, the States, the Federal District and the municipalities in this regard.
Art. 2o The discipline of internet use in Brazil is founded on the basis of respect for freedom of expression, as well as:
I – the recognition of the global scale of the network;
II – human rights, personality development and the exercise of citizenship in digital media;
III – plurality and diversity;
IV – openness and cooperation;
V – free enterprise, free competition and consumer protection; and
VI – social purpose of the network.
Art. 3o The discipline of internet use in Brazil has the following principles:
I – guarantee of freedom of speech, communication and expression of thought, in accordance with the Federal Constitution;
II – protection of privacy;
III – protection of personal data, pursuant to law;
IV – preservation and guarantee of network neutrality;
V – Preservation of stability, security and functionality of the network, via technical measures consistent with international standards and by encouraging the use of best practices;
VI – the liability of the agents according to their activities, pursuant to the law;
VII – preservation of the participative nature of the network;
VIII – freedom of business models promoted on the internet, provided they do not conflict with the other principles set out in this Law.
Sole Paragraph. The principles expressed in this Law do not exclude others set out under other Brazilian laws related to this matter or in the international treaties of which the Federative Republic of Brazil is part.
Art. 4o The discipline of internet use in Brazil aims to promote:
I – the right of all to access the internet;
II – the access to information, to knowledge and participation in the cultural life and in the handling of public affairs;
III – the innovation and the stimulus to the broad diffusion of new technologies and models of use and access; and
IV – the adoption of open technology standards that allow communication, accessibility and interoperability between applications and databases.
Art. 5o For the purposes of this Law, the following concepts apply:
I – internet: the system consisting of the set of logical protocols, structured on a global scale for public and unrestricted use, in order to enable communication of data between terminals, through different networks;
II – terminal: a computer or any device that connects to the internet;
III - internet protocol address (IP address): the code assigned to a terminal from a network to enable their identification, defined according to international standards;
IV – autonomous system administrator: an individual or legal entity that administers specific blocks of IP addresses and its specific autonomous routing system, duly registered in the national entity responsible for the geographic registration and distribution of IP addresses related to the Country;
V – Internet connection: the enabling of a terminal for sending and receiving data packets over the Internet, by assigning or by authenticating an IP address;
VI – connection record/log: the set of information pertaining to the date and time of the beginning and end of a connection to the internet, the duration thereof and the IP address used by the terminal to send and receive data packages;
VII – Internet applications: a set of functionalities that can be accessed through a terminal connected to the Internet; and
VIII – registrations of access to Internet applications: the set of information regarding the date and time of use of a particular internet application from a particular IP address.
Art. 6o In the interpretation of this Law – in addition to the foundations, principles and purposes set forth – the nature of internet, its particular uses and customs and its importance for the promotion of human, economic, social and cultural development, shall be taken into account.
RIGHTS AND GUARANTEES OF THE USERS
Art. 7o The access to the internet is essential to the exercise of citizenship, and the following rights are guaranteed to the users:
I – inviolability of intimacy and private life, safeguarded the right for protection and compensation for material or moral damages resulting from their breach;
II – inviolability and secrecy of the flow of users’ communications through the Internet, except by court order, as provided by law;
III – inviolability and secrecy of user’s stored private communications, except upon a court order;
IV - non-suspension of the Internet connection, except if due to a debt resulting directly from its use;
V – Maintenance of the quality of Internet connection contracted before the provider;
VI – clear and full information entailed in the agreements of services, setting forth the details concerning the protection to connection records and records of access to internet applications, as well as on traffic management practices that may affect the Quality of the service provided;
VII – non-disclosure to third parties of users’ personal data, including connection records and records of access to internet applications, unless with express, free and informed consent or in accordance with the cases provided by law;
VIII – clear and complete information on the collection, use, storage, processing and protection of users’ personal data, which may only be used for the purposes of:
a) Justify its collection;
b) Are not prohibited by law; and
IX – the expressed consent for the collection, use, storage and processing of personal data, which shall be specified in a separate contractual clause;
X – the definitive elimination of the personal data provided to a certain internet application, at the request of the users, at the end of the relationship between the parties, except in the cases of mandatory log retention, as set forth in this Law;
XII – accessibility, considering the physical, motor, perceptive, sensorial, intellectual and mental abilities of the user, as prescribed by law; and
XIII – application of consumer protection rules in the consumer interactions that take place in the internet.
Art. 8o The guarantee to the right to privacy and freedom of speech in the communications is a condition for the full exercise of the right to access to the internet.
Sole Paragraph. Contractual clauses that are in breach of the caput above are void by operation of law, such as those that:
I – cause an offense to the inviolability and secrecy of private communications over the internet; or
II - in adhesion contracts, do not provide an alternative to the contracting party to adopt the Brazilian forum for resolution of disputes arising from services rendered in Brazil.
PROVISION OF CONNECTION AND INTERNET APPLICATIONS
Of the Network Neutrality
Art. 9o The party responsible for the transmission, switching or routing has the duty to process, on an isonomic basis, any data packages, regardless of content, origin and destination, service, terminal or application.
§1º The discrimination or degradation of traffic shall be regulated in accordance with the private attributions granted to the President by means of Item IV of art. 84 of the Federal Constitution, aimed at the full application of this Law, upon consultation with the Internet Steering Committee and the National Telecommunications Agency, and can only result from:
I – technical requirements essential to the adequate provision of services and applications; and
II – prioritization of emergency services.
§2º In the event of discrimination or degradation of traffic provided in §1º, the responsible entity mentioned in Art. 9o must:
I – abstain from causing damages to users, as set forth in art. 927 of Law no 10.406, January 10th, 2002 - the Civil Code;
II – act with proportionality, transparency and isonomy;
III – provide, in an advanced notice, in a transparent, clear and sufficiently descriptive manner, to its users, the traffic management and mitigation practices adopted, including those related to network security; and
IV – offer services in non-discriminatory commercial conditions and refrain from anti-competition practices.
§3º When providing internet connectivity, free or at a cost, as well as in the transmission, switching or routing, it is prohibited to block, monitor, filter or analyze the content of data packets, in compliance with this article.
Records, Personal Data and Private Communications Protection
Art. 10. The retention and the making available of connection logs and access to internet applications logs to which this law refers to, as well as, of personal data and of the content of private communications, must comply with the protection of privacy, of the private life, of the honor and of the image of the parties that are directly or indirectly involved.
§1° The provider responsible for the retention of the records as set forth in art. 10o shall only be obliged to provide them, whether separately or associated with personal data or other information that allows the identification of the user or of the terminal, upon a judicial order, as provided in Section IV of this Chapter, in compliance with what is set forth in art. 7º.
§2° The content of private communications may only be made available by court order, in the cases and in the manner established by law, and in compliance with items II and III of art. 7o.
§3°. The provision of the caput of art. 10 does not prevent administrative authorities from having access to recorded data that informs personal qualification, affiliation and address, as provided by law.
§4º The security and confidentiality measures and procedures shall be informed in a clear manner by the responsible for the provision of the services, and meet the standards set in regulation, in compliance with rights of confidentiality of business secrets.
Art. 11. In any operation of collection, storage, retention and treating of personal data or communications data by connection providers and internet applications providers where, at least, one of these acts takes place in the national territory, the Brazilian law must be mandatorily respected, including in regard to the rights to privacy, to protection of personal data, and to secrecy of private communications and of logs.
§1°. The established in Art. 11 applies to the data collected in the national territory and to the content of the communications in which at least one of the terminals is placed in Brazil.
§2°. The established in Art. 11 applies even if the activities are carried out by a legal entity placed abroad, provided that it offers services to the Brazilian public or at least one member of the same economic group is established in Brazil.
§3°. The connection providers and the internet application providers must provide, as set forth by regulation, information that allows verification concerning its compliance with Brazilian legislation regarding the collection, storage, retention and treating of data, as well as, in regard to the respect of privacy and of confidentiality of communications.
§4°. A Decree shall govern the procedures to determine the infringements to what is established in this article.
Art. 12. Without prejudice to any other civil, criminal or administrative sanctions, the infringement of the rules set forth in the Articles 10 and 11 above is subject, on a case-by-case basis, to the following sanctions applied individually or cumulatively:
I – a warning, which shall establish a deadline for the adoption of corrective measures;
II – fine of up to 10% (ten percent) of the gross income of the economic group in Brazil in the last fiscal year, taxes excluded, considering the economic condition of the infractor, the principle of proportionality between the gravity of the breach and the size of the penalty;
III – the temporary suspension of the activities that entail the events set forth in Article 11; or
IV – prohibition to execute the activities that entail the activities set forth in Article 11.
Sole paragraph. In case of a foreign company, the subsidiary, branch, office or establishment located in the Country will be held jointly liable for the payment of the fine set forth in Art. 11.
Keeping of connection records
Art. 13. In the provision of Internet connection, the entity responsible for the management of the autonomous system must maintain the connection records, under confidentiality, in a controlled and safe environment, for the term of 1 (one) year, in accordance with regulation.
§1°. The responsibility for the maintenance of such connection records cannot be transferred to third parties.
§2°. The administrative or police authority or the Public Prosecutor may require precautionary keeping of connection records for longer periods than that set forth above in Art. 13.
§3°. In the case of Art. 13 §2, the authority that requires such precautionary keeping shall have 60 (sixty) days, as of the date of the first request, to initiate a Court proceeding to request access to the records set forth above in Art. 13.
§4°. The provider responsible for keeping the records shall maintain confidentiality regarding the requirement set forth in Art. 13 §2.º, which will become ineffective once the court order is denied or the Court proceeding is not started within the term set forth in Art. 13 §3.º above.
§ 5º In every circumstance, the disclosure to the requesting party of the logs referred to in this article must be preceded by a court order, as set forth in Section IV of this Chapter.
§ 6º When imposing a sanction due to breach of this article, the nature and gravity of the breach shall be considered, as well as the damages arising from such breach, any advantages obtained by the breacher, any aggravating circumstances, any prior records and any repeated infringements.
Keeping of records of access to the Internet applications in the Provision of Connection
Art. 14. In the provision of connection, whether free or at cost, it is prohibited to retain users’ records of access to Internet applications.
Keeping of records of access to the Internet applications
Art. 15. The Internet application provider that is duly incorporated as a legal entity and carries out its activities in an organized, professional manner and with economic purposes must keep the application access logs, under confidentiality, in a controlled and safe environment, for 6 months, as detailed in regulation.
§ 1º A judicial order can mandate that application service providers that are not subject to Art. 15 keep, for a determined period of time, access logs to Internet applications, to the extent that such logs are related to specific facts in a specific period of time.
§ 2º The police authority, the administrative authority or the Public Prosecutor may require, as a preventive measure, any application service provider to keep access to applications logs, including for a period of time greater than that set forth in this article, with due regard to §§ 3º and 4º of Art. 13.
§ 3º In any circumstance, the disclosure to the requesting party of the logs referred to in this article must be preceded by a court order, as set forth in Section IV of this Chapter.
§ 4º When imposing a sanction due to breach of this article, the nature and gravity of the breach shall be considered, as well as the damages arising from such breach, any advantages obtained by the breacher, any aggravating circumstances, any prior records and any repeated infringements.
Art. 16. In the provision of Internet applications, whether free or at cost, it is prohibited to retain:
I - the records of access to other Internet applications without users’ prior and express consent, in accordance with Art. 7o; or
II - personal data that exceeds the purpose for which consent was given by the owner of the data.
Art. 17. Unless in cases provided in this Law, the option to not keep records of the access to internet applications does not imply liability for damages arising from the use of these services by third parties.
Liability for any damages arising from content generated by third parties
Art. 18. The provider of connection to internet shall not be liable for civil damages resulting from content generated by third parties.
Art. 19. In order to ensure freedom of expression and prevent censorship, the provider of internet applications can only be subject to civil liability for damages resulting from content generated by third parties if, after a specific court order, it does not take any steps to, within the framework of their service and within the time stated in the order, make unavailable the content that was identified as being unlawful, unless otherwise provided by law.
§ 1. The referred court order must include, under penalty of being null, clear identification of the specific content identified as infringing, allowing the unquestionable location of the material.
§ 2. The implementation of the provisions of this article for infringement of copyright or related rights is subject to a specific legal provision, which must respect freedom of speech and other guarantees provided for in art. 5o of the Federal Constitution.
§ 3º The compensation disputes for damages arising from content made available on the internet related to the honor, reputation or personality rights, as well as the removal of related contents by internet application providers, can be presented to special small causes courts.
§ 4º The judge, including within the proceeding set forth in § 3º, can anticipate, partially or in full, the effects of the request contained in the initial petition, to the extent that undisputable proof exists of the fact, considering society's collective interest in the availability of the content on the internet, as long as the requisites of truthiness of the author's claims, the reasonable concern of irreparable damage, or damage that is difficult to repair are met.
Art. 20. Whenever the contact information of the user directly responsible for the content, referred to in art. 19, is available, the provider of internet applications shall have the obligation to inform the user about the execution of the court order with information that allows the user to legally contest and submit a defense in court, unless otherwise provided by law or in a court order.
Sole Paragraph. When requested by the user, who provided the content made unavailable, the provider of internet applications that carries out this activity in an organized, professional manner and for economic purposes, shall replace the content made unavailable for a note of explanation or with the text of the court order that gave grounds to the unavailability of such content.
Art. 21. The internet application provider that makes third party generated content available shall be held liable for the breach of privacy arising from the disclosure of images, videos and other materials containing nudity or sexual activities of a private nature, without the authorization of the participants, when, after receipt of notice by the participant or his/her legal representative, refrains from removing, in a diligent manner, within its own technical limitations, such content.
Sole Paragraph. The notice set forth above must contain sufficient elements that allow the specific identification of the material said to violate the right to privacy of the participant-user and the confirmation of the legitimacy of the party presenting the request.
Judicial Requests for records
Art. 22. The interested party may, for the purpose of creating evidence in civil or criminal legal procedures, in character incidental or autonomous, require the judge to order the entity responsible for the keeping of records to provide the connection or access logs to internet applications.
Sole Paragraph. Without any impairment to other legal requirements, the request shall contain, under penalty of inadmissibility:
I – justified evidence of the occurrence of the illicit;
II – motivated justification of the usefulness of the requested records for investigation or probative instruction; and
III – the period of time to which the records correspond.
Art. 23. It is the duty of the judge to take the necessary measures to ensure confidentiality of received information and the preservation of intimacy, private life, honor and image of the user. The judge may determine secrecy of justice, including with respect to the requests for record retention.
THE ROLE OF PUBLIC AUTHORITIES
Art. 24. The following are guidelines for the performance of Federal Government, States, Federal District and municipalities in the development of Internet in Brazil:
I – establishment of mechanisms of governance that are multi-stakeholder, transparent, cooperative and democratic, with the participation of the government, the business sector, the civil society and the academia;
II – promotion of the rationalization of management, expansion and use of the internet, with the participation of Brazilian Internet Steering Committee (CGI.Br).
III - promotion of rationalization and technological interoperability of e-Government services, within different branches and levels of the federation, to allow the exchange of information and speed of procedures;
IV – promotion of interoperability between different systems and terminals, including among the different federal levels and different sectors of society;
V – Preferred adoption of open and free technologies, standards and formats;
VI – advertising and dissemination of public data and information in an open and structured manner;
VII – optimization of network infrastructures and promoting the implementation of storage, managing and dissemination of data centers in the country, promoting the technical quality, innovation and the dissemination of internet applications, without impairment to the openness, neutrality and participatory nature;
VIII – development of initiatives and training programs for internet use;
IX – the promotion of culture and citizenship; and
X – Provide public services for attending citizens in an integrated, efficient and simple manner and through multi-channel access, including remote access.
Art. 25. The internet applications provided by public governmental entities ought to aim at:
I – compatibility of e-government services with multiple terminals, operating systems and applications for their access;
II – accessibility to all interested users, irrespective of their physical and motor skills, perceptual, sensorial, intellectual, mental, social and cultural characteristics, respected confidentiality and legal and administrative constraints;
III – compatibility with both human reading and automatic processing of information;
IV – easy understanding of e-government services, and
V – Strengthening social participation in public policy.
Art. 26. The compliance with the constitutional duty of the State in providing education at all educational levels, includes integrated training and other educational practices, for safe, conscious and responsible use of the internet, as a tool for the exercise of citizenship, for the promotion of culture and for the technological development.
Art. 27. Public initiatives to promote digital culture and promote the internet as a social tool shall:
I – promote digital inclusion;
II – seek to reduce gaps, especially between different regions of the country, regarding the access and use of information technology and communication; and
III – promote the production and dissemination of national content.
Art. 28. The State must periodically seek to develop and promote studies, as well as set goals, strategies, plans and schedules for the use and development of the Internet in the country.
Art. 29. The user shall have free choice in the use of software in his/her own device to enforce parental control over content that the user understands to be improper to his/her minor children, to the extent that the principles set forth in this Law and in Law No. 8,069 of July 13, 1990 are respected.
Sole Paragraph. The government, together with providers of connection services and internet applications, as well as with civil society, shall promote educational initiatives and provide information about the use of the software referred to in this article, as well as establish good practices for digital inclusion of children and teenagers.
Art. 30. The defense of the interests and rights set forth in this Law may be exercised either individually or collectively, in the form of the law.
Art. 31. Until the entry into force of specific law provided for in § 2º of art. 19, the liability of the internet applications provider for damages arising from content generated by third parties, in case of copyright or related rights infringement, shall continue to be governed by applicable copyright legislation in force, at the time of entry into force of this Law.
Art. 32. This Law shall enter into force after the expiry of sixty (60) days of its official publication.
Brasília, 23rd of April of 2014;
Year 193o of the Independence and year 126o of the Republic.
José Eduardo Cardozo
Paulo Bernardo Silva
Clélio Campolina Diniz
This does not replace the text published in the DOU of 04/24/2014