Authors: Tatiana Campello, Partner in the Intellectual Property and Digital Law and Information Technology areas at Demarest Advogados, and Vanessa Ferro, Lawyer in the Intellectual Property and Digital Law and Information Technology areas at Demarest Advogados

As an emerging country, Brazil has many economic incentives to foster privacy rights policy on the Internet and, following such vocation, the country approved Law No. 12,965, of April 23, 2014 (the "Marco Civil"), regulated by Decree No. 8,771, dated May 11, 2016 (the "Marco Civil Regulation"). The Marco Civil is recognized internationally as a very good initiative with regard to Internet governance in a democratic society. However, as Brazil is yet to approve a general data protection law to deal with the protection of personal data in a broader manner, and not only on the Internet, we list below ten recommendations that foreigners should bear in mind regarding the treatment of personal data under Brazilian norms.

1. Understand the scope of the Marco Civil

The Marco Civil establishes principles, guarantees, rights and duties for the use of the Internet in Brazil. Its main goal is to set out general principles for the protection of privacy and personal data and specific duties on the part of internet connection providers and services providers who offer a set of features that can be accessed through a terminal connected to the Internet (i.e. internet application providers).

2. Understand the concept of personal data under the Marco Civil

According to the Marco Civil Regulation, personal data is any data related to an identified or identifiable natural person, including identification numbers, location data or electronic identifiers.

3. Be aware of the acts comprised by the Marco Civil

Any operation of treatment and custody of records, personal data or communications where at least one of these acts takes place within Brazil is governed by the Marco Civil. We underline that, according to the Marco Civil Regulation, treatment (or processing) of personal data is defined as "any operation carried out with personal data, such as the collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, disposal, evaluation or control of the information, modification, communication, transfer, diffusion or extraction."

4. Identify if the Marco Civil will apply to your business

The Marco Civil will apply to any gathering, storage, custody and processing of records, personal data or communications in which at least one of these acts occurs within the Brazilian territory, provided that the data are gathered through at least one terminal located in Brazil. The Marco Civil will apply even if the activities are performed by a legal entity headquartered abroad, on condition that it offers service to the Brazilian public or at least one member of the same economic group has an establishment in Brazil.

5. If your business is under the scope of the Marco Civil, identify at least the main general duties your company shall comply with.

Before treating personal data, the following measures shall be adopted:

-Provide Internet users with clear and complete information on the treatment of their personal data, adopting straightforward and uncomplicated terms of use and privacy policies.

-Always obtain prior express consent from users for treatment of their personal data (e.g. written consent or adopting opt in/opt out mechanisms).

-Never disclose users' personal data to third parties, except with the express, free and informed consent of the user or in the cases provided by law.

-Adopt all necessary and available measures to protect personal data, Internet users' privacy, private life, honor and image.

-Only retain personal data to the extent necessary and strictly in accordance with the purpose for which consent was given by the owner of the data.

-Provide clear information in the privacy policies and terms of use regarding the policy for exclusion of records and always exclude, on an irreversible basis, the personal data retained in records, at the request of the users, at the end of the relationship between the parties, except in cases of mandatory log retention for a minimum six-month period.

6. If your business is under the scope of the Marco Civil, also identify the security standards your company must adopt.

We underline some of the recommended/mandatory security measures to be adopted in relation to the treatment of personal data:

-Maintain strict control over access to data by defining the responsibilities of the collaborators who will have access possibilities and privileges of exclusive access for certain users;

-Maintain authentication mechanisms for accessing records, using, for example, dual authentication systems to ensure the individualization of the person responsible for the processing of records;

-Keep a detailed inventory of access to connection and application access records, containing the moment, duration, identity of the company's collaborator and the file accessed;

-Use records management solutions through techniques that guarantee the inviolability of data, such as encryption or equivalent protection measures;

-Maintain access records for internet applications in a controlled and secure environment, for a minimum of six months, or longer upon request of competent authorities (the custody of these records by the connection providers is prohibited);

-Do not store (i) access records to other Internet applications without the data owner having previously consented; and (ii) personal data that are excessive in relation to the purpose for which consent has been given by its owner;

-Store connection records in a controlled and secure environment for a period of one year (this responsibility cannot be transferred to third parties); and

-Provide application and connection records to third parties only upon court order.

7. Be aware of the administrative sanctions applicable for non-compliance with the Marco Civil

The following sanctions are provided in the Marco Civil for non-compliant providers:

(i) warning, indicating the deadline for corrective measures;

(ii) fine of up to 10% (ten percent) of the income of the provider's economic group in Brazil in its last fiscal year;

(iii) temporary suspension of activities; or

(iv) prohibition to perform its business activities.

8. Be aware of the Brazilian authorities who will handle the issues set out by the Marco Civil and its Regulation

The National Telecommunications Agency (ANATEL) is the regulator for privacy on the Internet. Certain issues involving consumer relations and violations of the economic order in the Internet sphere are supervised and investigated by the National Consumer Secretariat and the Administrative Council for Economic Defense (CADE), respectively.

9. Take into account the civil liability applicable for non-compliance with the Marco Civil

Under the Marco Civil, internet connection providers are not liable for civil damages resulting from content generated by third parties, but an internet application provider can be subject to civil liability for damages resulting from content generated by third parties if, after a specific court order, it does not take any steps to, within the framework of its service and the deadline stated in the order, make unavailable the content that was identified as being unlawful.

In case of copyright and related rights, the liability of internet application providers is currently pending specific legal provisions. In the meantime, case law applies (please see specific comments below).

The Marco Civil establishes only one express possibility of notice and take down solution in relation to unauthorized disclosure of images, videos and other materials containing nudity or sexual activities of a private nature. The internet application provider will be liable if, upon receipt of notice by the participant or his/her legal representative, it refrains from removing, in a diligent manner, within its own technical limitations, such content.

10. Follow developments in case law and legislation

Case law in Brazil has been developing to handle either doubts or omissions regarding the interpretation of the Marco Civil and its Regulation. For instance, in case of liability of application providers for content published by third parties infringing copyright and related rights, the Brazilian Superior Court of Justice decided in a leading case that the internet application provider is liable in case it intentionally induced or encouraged third parties to directly commit copyright (or related rights) infringement or if it earned profits from such infringement committed by third parties and, also, refuses to exercise the power of control or limitation of damages caused to the victim whenever it is possible to do so (see Special Appeal No. 1.512.647/MG of the Superior Court of Justice).

In relation to developments in the legislation, draft bills are under discussion at the Brazilian Congress for approval of a general data protection law to deal with the protection of personal data in a broader manner and not only on the Internet.

Taking into account the framework of laws and regulations currently in force in Brazil establishing general principles and provisions on data protection, all individuals and legal entities shall handle personal data with utmost care, complying with the rights to privacy, protection of personal data and secrecy of private communications.

The information in any resource collected in this virtual library should not be construed as legal advice or legal opinion on specific facts and should not be considered representative of the views of its authors, its sponsors, and/or ACC. These resources are not intended as a definitive statement on the subject addressed. Rather, they are intended to serve as a tool providing practical advice and references for the busy in-house practitioner and other readers.
