Authors: Tatiana Campello, Partner of Intellectual Property and Digital Law and Information Technology areas from Demarest Advogados and Vanessa Ferro, Lawyer of of Intellectual Property and Digital Law and Information Technology areas from Demarest Advogados
As an emerging country, Brazil has many economic incentives to foster privacy rights policy on the Internet and following such vocation, the country approved Law No. 12,965, of April 23, 2014 (the "Marco Civil"), regulated by Decree No. 8,771, dated May 11, 2016 (the "Marco Civil Regulation"). The Marco Civil is recognized internationally as a very good initiative with regard to Internet governance in a democratic society. However, as Brazil is yet to approve a general data protection law to deal with the protection of personal data in a broader manner, and not only on the Internet, we list below ten recommendations that foreigners shall bear in mind regarding treatment under personal under Brazilian norms.
1. Understand the scope of the Marco Civil
The Marco Civil establishes principles, guarantees, rights and duties for the use of the Internet in Brazil. Its main goal is to set out general principles for the protection of privacy and personal data and specific duties on the part of internet connection providers and services providers who offer a set of features that can be accessed through a terminal connected to the Internet (i.e. internet application providers).
2. Understand the concept of personal data under the Marco Civil
According to the Marco Civil Regulation, personal data is any data related to identified or identifiable natural person, including identification numbers, location data or electronic identifiers.
3. Be aware of the acts comprised by the Marco Civil
Any operation of treatment and custody of records, personal data or communications where, at least, one of these acts take place within Brazil are governed by the Marco Civil. We underline that, according to the Marco Civil Regulation, treatment (or processing) of personal data is defined as "any operation carried out with personal data, such as the collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, disposal, evaluation or control of the information, modification, communication, transfer, diffusion or extraction."
4. Identify if the Marco Civil will apply to your business
The Marco Civil will apply to any gathering, storage, custody and processing of records, personal data or communications in which at least one of these acts occurs within the Brazilian territory, provided that the data are gathered through at least one terminal located in Brazil. The Marco Civil will apply even if the activities are performed by a legal entity headquartered abroad, on condition that it offers service to the Brazilian public or at least one member of the same economic group has an establishment in Brazil.
5. If your business is under the scope of the Marco Civil, identify at least the main general duties your company shall comply with.
Before treating personal data, the following measures shall be adopted:
-Always obtain prior express consent from users for treatment of their personal data (e.g. written consent or adopting opt in/opt out mechanisms).
-Never disclose to third parties users' personal data, unless upon express, free and informed consent of the user or in accordance with the cases provided by law.
-Adopt all necessary and available measures to protect personal data, Internet users' privacy, private life, honor and image.
-Only retain personal data to the extent necessary and strictly in accordance with purpose for which consent was given by the owner of the data.
6. If your business is under the scope of the Marco Civil, also identify the security standards your company must adopt.
We underline some of the recommended/mandatory security measures to be adopted in relation to the treatment of personal data:
-Maintain strict control over access to data by defining the responsibilities of the collaborators who will have access possibilities and privileges of exclusive access for certain users;
-Maintain authentication mechanisms for accessing records, using, for example, dual authentication systems to ensure the individualization of the person responsible for the processing of records;
-Keep detailed inventory of access to connection and application access records, containing the moment, duration, identity of the company's collaborator and the file accessed;
-Use records management solutions through techniques that guarantee the inviolability of data, such as encryption or equivalent protection measures;
-Maintain access records for internet applications in controlled and security environment, for a minimum of six months, or longer upon request of competent authorities (the custody of these records by the connection providers is prohibited);
-Not to store (i) access records to other Internet applications without the data owner having previously consented; and (ii) personal data that are excessive in relation to the purpose for which consent has been given by its owner;
-Store connection records in a controlled and secure environment for a period of one year (this responsibility cannot be transferred to third parties); and
-Provide application and connection records to third parties only upon court order.
7. Be aware of the administrative sanctions applicable for non-compliance with the Marco Civil
The following sanctions are provided in the Marco Civil for those non-compliant providers:
(i) warning, indicating the deadline for corrective measures;
(ii) fine of up to 10% (ten percent) of the income of the provider's economic group in Brazil in its last fiscal year;
(iii) temporary suspension of activities; or
(iv) prohibition to perform its business activities.
8. Be aware of the Brazilian authorities who will handle the issues set out by the Marco Civil and its Regulation
The National Telecommunications Agency (ANATEL) is the regulator for privacy on the Internet. Certain issues involving consumer relations and violations of the economic order on the Internet sphere are supervised and investigated by the National Consumer Secretariat and the Administrative Council for Economic Defense - CADE, respectively.
9. Take into account the civil liability applicable for non-compliance with the Marco Civil
Under the Marco Civil internet connection providers are not liable for civil damages resulting from content generated by third parties, but an internet application provider can be subject to civil liability for damages resulting from content generated by third parties if, after a specific court order, it does not take any steps to, within the framework of their service and the deadline stated in the order, make unavailable the content that was identified as being unlawful.
In case of copyright and related rights, the liability of internet application providers is currently pending specific legal provisions. In the meantime, case law applies (please see specific comments below).
The Marco Civil establishes only one express possibility of notice and take down solution in relation to unauthorized disclosure of images, videos and other materials containing nudity or sexual activities of a private nature. The internet application provider will be liable if, upon receipt of notice by the participant or his/her legal representative, it refrains from removing, in a diligent manner, within its own technical limitations, such content.
10. Follow-up case law and legislation evolutions
Case law in Brazil has been developing to handle either doubts or omissions regarding the interpretation of the Marco Civil and its Regulation. For instance, in case of liability of application providers for content published by third parties infringing copyright and related rights, the Brazilian Superior Court of Justice decided in a leading case that the internet application provider is liable in case it intentionally induced or encouraged third parties to directly commit copyright (or related rights) infringement or if it earned profits from such infringement committed by third parties and, also, refuses to exercise the power of control or limitation of damages caused to the victim whenever it is possible to do so (see Special Appeal No. 1.512.647/MG of the Superior Court of Justice).
In relation to developments in the legislation, draft bills are under discussions at the Brazilian Congress for approval of a general data protection law to deal with the protection of personal data in a broader manner and not only on the Internet.
Taking into account the framework of laws and regulations currently in force in Brazil establishing general principles and provisions on data protection, all individuals and legal entities shall handle personal data with utmost care, complying with the rights to privacy, protection of personal data and secrecy of private communications.