New Brazil “Bill of Rights” Takes Effect at End of June

Published On June 17, 2014 | By Elizabeth Banker | Electronic Communications Privacy Act (ECPA), General, International

There is more happening this summer in Brazil than just the World Cup. On June 23, 2014, Brazil’s new internet law, Marco Civil da Internet, Law No. 12.965 (April 23, 2014), goes into effect and will have sweeping impacts on service providers of all types who have users in Brazil. The scope of the law is broad. Styled as an Internet Bill of Rights for consumers, it addresses everything from privacy, secrecy of communications, data retention, and net neutrality, to provider liability for third party content and accessibility. Importantly, its key requirements apply to service providers (ISPs or Application providers) who collect information from users in Brazil, regardless of whether the business has a presence in Brazil, and it applies to the secrecy of communications where one end of the communication is on a computer or device in Brazil, regardless of where the data may be stored. The core provisions are explained below.

Access to User Data and Content

The Snowden leaks certainly created a backlash in Brazil and for a while Brazilian lawmakers considered a data localization requirement as part of the new law to protect Brazilians from U.S. government snooping. The origins of the law enforcement access provisions in this law, however, go much further back to the issues Brazilian law enforcement had with Google’s Orkut service, and similar services offered by U.S. providers, in obtaining user information. The new provisions go to the heart of the long-standing tension between companies that store data in the U.S. and foreign law enforcement officials who seek content. This time Brazil is not going to take “MLAT” for an answer.

Under the new provisions, log data and private communications may not be disclosed absent a Brazilian court order. According to the terms of the law, Brazilian law must be followed for this data even if the data is stored abroad, if one of the following occurs in Brazil: a) collection, storage or processing of data; or b) one end of personal communications. This requirement is explained to apply where data or communications are collected in Brazil by virtue of one of the computers or devices being located in Brazil. Further, it applies even if the actions are performed by a legal entity domiciled abroad, if a public service is offered in Brazil or a member of the same corporate family owns property in Brazil.

Providers who are subject to these requirements must maintain records demonstrating compliance, which may be subject to audit by the Brazilian government.

For data stored in the U.S., this brings two major conflict of law issues to the fore.

  1. If data is stored in the U.S., then the only way that content can be disclosed to a foreign government pursuant to a foreign court order without violating ECPA is by relying on user consent (but see “Other Consumer Rights” below); and
  2. If data is stored in the U.S., but subject to the laws of Brazil requiring that data be only disclosed pursuant to a Brazilian court order, it may violate Brazilian law to disclose the data to the U.S. government under compulsory process.

To further complicate these issues, the new law also imposes new data retention requirements for:

  1. ISPs to hold connectivity logs for one year (but prohibiting ISPs from collecting and storing logs of applications accessed); and
  2. Application providers to keep records of access to their applications (but not other applications, unless the user gives prior consent) for 6 months.

Unfortunately, storing data in Brazil may not solve these problems. For example, a magistrate recently upheld the authority of U.S. law enforcement to use ECPA warrants to obtain data stored in Ireland by serving a U.S. company. Disclosing data stored in Brazil to U.S. law enforcement under similar circumstances, absent a Brazilian court order, could arguably violate Brazilian law.

Liability for Third-Party Content

The new law provides some protections for companies who host or transmit third party content. A connectivity provider may not be held civilly liable for third party content. Internet Applications, however, are protected from liability except when they fail to comply with a court order that requires that specified content be removed. An application provider who receives an order requiring that content be removed must notify the user who posted the content of the court order and of the reasons for removal. At the user’s request, the provider shall post a copy of the order for removal where the content was posted. To avoid potential liability, application providers must also remove content containing nudity or sexual acts when notified by the participant or their agent that the disclosure was unauthorized.

Other Consumer Rights

There are a number of other provisions in the law that govern the relationship between a service provider and a user. The law contains basic data protection provisions which require clear notices to consumers about the purposes of any collection, use, storage, and protection of personal data. Express consent, which is to occur separately from consent to other contractual terms, is required for collection of personal data. Consumers can request deletion of personal data, except data subject to mandatory data retention requirements. In adhesion contracts, a choice of law provision that does not offer Brazil as an option is considered void.

In order to disclose personal data, including connection logs and application logs, to third parties, a provider must obtain the express and informed consent of the user. However, the law appears to prohibit obtaining consent to allow the disclosure of the content of communications (see Chapter II, Article 8). This appears to invalidate consent as a basis for disclosure of private communications under Brazilian law, though the terms of service and privacy policy could still be effective under U.S. law to qualify for an exception under ECPA.

Risks

Providers who do not have a physical presence in Brazil may be able to take a more aggressive approach to the law, accepting the risk that Brazilian authorities impose sanctions that they are unlikely to bring to the U.S. for judicial enforcement. However, any company that has any physical presence in Brazil (whether a sales office or a subsidiary) should be aware that the law provides that the local establishment shall be jointly and severally liable for payment of any fines imposed for violations of the privacy of log data or communications content. The punishments for violations of those provisions include warnings, fines, and temporary or permanent suspension of services involving the collection or processing of such data in Brazil.

Featured Photo by Mike Vondran from Flickr
Soccer Photo by Digo_Souza from Flickr

About The Author

Elizabeth Banker has developed a practice that includes advising clients on interactions with foreign and domestic law enforcement, strategic issues related to data storage and transfers, providing advice on surveillance and employee monitoring laws inside and outside the U.S., as well as data protection, security and consumer protection issues.
