Marco Civil: A Brazilian reaction to surveillance on the internet
Bill No. 2126/2011 in Brazil, known as the Brazilian Civil Rights Framework for the Internet (in Portuguese: Marco Civil da Internet), was finally passed by the Brazilian Senate on 22 April 2014, and sanctioned the following day by President Dilma Rousseff at the opening ceremony of NETmundial . 1 With this, the bill became Federal Law No. 12965/2014, which is the result of widespread mobilisation by civil society searching for a guarantee on internet rights – a mobilisation which resulted in an innovative participatory movement in the Brazilian law-making process.
The three key pillars of the Marco Civil– net neutrality, intermediary liability aligned with freedom of expression, and data protection and privacy – encouraged people to link themselves to the mobilisation campaign and great resistance in the National Congress of Brazil. The purpose of this report is to highlight the relevant points in the process of preparation and approval of the law, as well as to discuss the rules related to the three pillars, while emphasising data protection and privacy. A description of the main challenges to be faced after the approval of the law is also provided at the end of the report.
A bill of rights for the internet with civil society playing a leading role
The idea of a civil rights framework (“Marco Civil”) for the internet in Brazil gained momentum in the context of society’s reaction against regulation of the net focused on the persecution and punishment of its users. Bill No. 84/99, debated for almost 10 years in the National Congress, channelled much of this opposition when it was returned from the Senate to the Chamber of Deputies because it proposed very restrictive regulations. 2 Activists and civil society organisations joined in a broad online and offline campaign 3 that attacked the bill and its conception of net regulation, placing pressure on the president then in office, Luiz Inácio “Lula” da Silva, and changing the approach of the federal government on the subject.
In the absence of any other relevant legal framework, the Brazilian legal system considers criminal law the last resort in the regulation of conduct. Civil society further consolidated the idea that before cyber crimes can be legislated, it is necessary to guarantee rights and define liabilities on the net. A civil rights framework was necessary for the internet in Brazil. The federal government took over the project and, in partnership with the Center for Technology and Society of the Law School at the Fundação Getúlio Vargas (CTS/FGV), conducted an online public consultation in two phases.
The public consultations occurred between 2009 and 2010 and resulted in approximately 2,000 comments from many different sectors. In both phases a participatory online platform was used, allowing views and comments on the contributions already received. One of the important references in the draft of the text was the Internet Governance and Use Principles, established by a resolution of the Brazilian Internet Steering Committee (CGI.br). After the public consultation, the wording of the bill was concluded by the executive branch and it was sent to the Chamber of Deputies, the lower house of Congress, in 2011. Brazil at the time was already under President Dilma Rousseff.
A special committee was created to discuss the bill, and Congressman Alessandro Molon was appointed as rapporteur. He held a series of public hearings and seminars, as well as a fresh round of online public consultations.
From July 2012 the report was ready to be voted on by the Chamber of Deputies, but there were many pressures that led to repeated delays. The strongest came from telecommunications companies, but negotiations were also necessary when it came to the issue of copyright with Rede Globo, a powerful media group in Brazil, and with sectors engaged in the fight against cyber crime regarding the matter of the retention of log files. Edward Snowden’s espionage claims directly involving the Brazilian government, in the second half of 2013, brought Rousseff into the discussion, and pulled the Marco Civil back onto the legislative agenda.
The executive branch determined discussion of the bill in Congress to be of “constitutional urgency”, and it came to lock the agenda of votes in the lower house on 28 October 2013 (in line with the Brazilian constitution, if a bill granted “urgency” has not been voted on within 45 days, deliberation on all other legislative matters is suspended in that house of Congress until voting is concluded). Nevertheless, resistance, a congressional recess and political manoeuvring delayed its approval for almost five more months – until it was finally approved on 25 March 2014. In the Senate, the pressure for approval, the proximity of the NETmundial event, and a composition of senators more favourable to the government helped the voting to take less than one month. Through all this, mobilisation of civil society through online campaigns, messages being sent to members of Congress, increased public awareness through social media networks, public events and lectures, and the physical presence of activists in the halls and plenary sessions of the National Congress, were fundamental. 4
Data protection and privacy: One of the pillars of the Marco Civil
Privacy protection and personal data protection are, separately, two of the principles provided for by law to regulate the use of the internet in Brazil (in Article 3). The clauses in the Marco Civil dealing with these protections were strengthened after Edward Snowden’s public allegations of mass surveillance, and an important set of such provisions are set forth in Article 7 of the law. Such provisions ensure the inviolability and secrecy of the flow of communications on the internet and of stored private data, except if disclosure is required by court order. The inviolability and secrecy of data and communications are rights guaranteed under the Brazilian Federal Constitution, but the judiciary understands that such provisions are only applicable to the flow of communications, not to communications that are stored. The Marco Civil represents a breakthrough in the protection of stored data.
As a corollary to Article 7, Article 8 of the Marco Civil states that the guarantee of the right to privacy and freedom of expression in communications is a prerequisite for the full exercise of the right to access the internet. Accordingly, any contractual clause in breach of these provisions, such as those involving harm to the inviolability and privacy of communications on the internet, will be considered null and void.
In order to fight the surveillance reported by Snowden, Article 11 determines that Brazilian law related to privacy must be respected by internet connectivity and applications providers when collecting personal data, logs and communications content when this occurs in the country or involves a terminal located in Brazil. This obligation also applies to legal entities domiciled abroad, provided that they offer services to the Brazilian public or that any member of their business group has a business unit in the country.
Part of the law is also aimed at establishing parameters for the retention and availability of logs for connectivity and access to applications. Generally, the obligation to make these logs available depends on a court order. As regards retention, the Marco Civil provides for two cases in which it can occur. The first, in Article 13, refers to connectivity logs (date and time of beginning and end of a connection, its duration and the IP address). The system administrator must keep them private, and in a controlled and safe environment, for a period of one year, according to the regulations. The second, in Article 15, refers to logs of access to applications (date and time of use of an application from a particular IP address). In the case of applications whose providers are legal for-profit entities, the retention of these logs shall be compulsory for six months, also pursuant to the regulations. Initially provided for as optional, the compulsory character of the retention was a late change to the bill, the result of pressure from the federal police and related sectors, causing great controversy among civil society organisations. Finally, it is important to mention that connectivity providers are prohibited from storing access to applications logs, and may not store these together with connectivity logs.
The provisions commented on here do not comprise all the Marco Civil rules applicable to privacy and personal data, but represent many of them.5 There are also two other pillars of the law that are worth noting.
One is net neutrality, which is guaranteed as one of the principles governing the use of the internet in Brazil. In order to give effect to it, Article 9 establishes that the entity responsible for transmission, switching or routing must treat any data packs equally, irrespective of content, origin and destination, service, terminal or application. The article also forbids these entities from blocking, monitoring, filtering or analysing the contents of the data packs. Two exceptions are provided, and these may result in discrimination or the degradation of data traffic: i) due to technical requirements necessary for the adequate supply of services and applications, and ii) for prioritising emergency services. Even in these cases, there are conditions that providers must meet, such as refraining from doing harm to users and not engaging in anti-competitive conduct. Exceptions will be regulated by presidential decree, after input from the National Telecommunications Agency and CGI.br. While telecommunications companies have managed to include the principle that grants “freedom of business models” among the principles of law, it is the only clause which includes the phrase "provided they do not conflict with other principles under this law" – including net neutrality, detailed in Article 9.
Another important pillar is the issue of intermediary liability with respect to third-party content. According to the general rule laid down in Article 19 of the law, civil liability for third-party content may only occur if the provider of applications fails to comply with a court order requiring the removal of the content. This provision is to ensure due process, as well as the competent judicial scrutiny on the various rights involved in removal requests. There are, however, two exceptions worth noting. In the case of content protected by copyright, until a specific provision of law is adopted for the application of this rule, the current Brazilian Copyright Act remains applicable, which allows a much more restrictive approach to access to knowledge. The second exception is the notice and takedown for breaches of privacy by disclosure of nudity or private sexual acts without the consent of the participants. However, the notification must be made by the participant or his/her legal representative, aiming to avoid moralistic and judgmental censorship which is not rare at all on the net .
The reaction that initially consolidated the idea of a civil rights framework for the internet in Brazil was strengthened with the release of the documents leaked by Snowden. The idea that the regulation of the internet should move away from a persecutory, surveillance approach in order to guarantee the right to privacy and other rights has been reinforced. However, such a conception of internet regulation cannot settle without considerable difficulties – and the Marco Civil is an expression of this. Despite the mobilisation, civil society was not able to contain the pressure for mandatory retention of logs. However, it did succeed in restricting the time period that logs could be retained – a period shorter than the authorities wanted.
The regulation on the retention of logs, especially logs that record a user’s access to applications, may further limit the types of service providers required to retain logs and improve transparency and control mechanisms related to data retention. Moreover, a specific bill on protection of personal data is expected to be sent to the Brazilian Congress soon. This can minimise the problematic aspects of the Marco Civil which, in general terms, introduces important regulations for the protection of user’s privacy on the internet into Brazilian legislation. Beyond this point, the law has other important advances, notably the provisions on net neutrality and intermediary liability. In both cases, the guarantee of rights was set against commercial interests and the threat of censorship. In the future, we can expect pressure to continue to build with regard to exceptions to net neutrality, and changes to the Copyright Act, which is also expected to be sent to Congress.
If disputes follow the approval of the Marco Civil, including the challenges surrounding its effectiveness and continuity, it is certain that these disputes will at least begin from an informed perspective. This includes considering the internet as a rights-based issue, essential to the exercise of citizenship, and which requires the guarantee of privacy and freedom of expression.
2 See more about Bill No. 84/99 and the beginning of the Marco Civil at Pereira, C., Maciel, M., & Francisco. P. (2011). Marco Civil da Internet: uma questão de princípio. Revista poliTICS. https://www.politics.org.br/sites/default/files/poliTICS_n07_souza_maciel_francisco.pdf
3 The campaign was known on the net as Mega No (“Mega Não”).
4 Idec made an online tool available that sent thousands of emails to members of the House of Representatives; Avaaz collected 350,000 signatures supporting the Bill through online petitions. Numerous organisations and activists mobilised using these and other tools forming a cohesive and coordinated front. See: marcocivil.org.br
5 For further analysis, see Doneda, D. (2014). Privacy and data protection in the Marco Civil da Internet. www.privacylatam.com/?p=239; an unofficial translation of the law is available at: thecdd.wordpress.com/2014/03/28/marco-civil-da-internet-unofficial-english-translation