During her impassioned speech at the UN General Assembly, President of Brazil Dilma Rousseff announced that a quick adoption of the “Marco Civil da Internet” will be one of the cornerstones of her domestic Internet strategy. Since then, the Marco Civil has gained widespread international attention because of its provisions designed to control where and how Brazilians’ personal data is stored and accessed – often referred to as ‘forced localization.’
The Marco Civil is not a new law. In fact, it is the result of a multi-year, multi-stakeholder consultation aimed to comprehensively address Internet user rights, including privacy, freedom of expression and net neutrality (and in fact outside of the forced localisation provisions many elements of the law are widely admired). The process started in 2009 and one year later, the Executive Government approved the Marco Civil and sent it to Congress for adoption. However, despite several attempts to pass the bill, no formal vote took place and interest among policymakers started to fade until this summer when the Snowden revelations started to emerge.
Following Rousseff’s speech in New York, Congress quickly resumed work on the Marco Civil and amended it in view of providing more robust safeguards against surveillance. Several votes were scheduled over the past couple of months but all have been delayed amidst pressures from telecom providers to soften the net neutrality provisions. Last week, as it became clear that the leading parties would not come to an agreement on net neutrality, the Government again decided to defer a scheduled vote, which will likely push the adoption to the next year.
Nevertheless, observers believe that the main parties will remain committed to the Marco Civil, as none of them can afford to withdraw from an initiative that enjoys such broad public support. As the negotiations progress, CCIA will continue to remind Brazilian policymakers that the location of data is not what makes it safe – but rather the protections against unauthorised access which have that effect. Also, we work closely with local and international stakeholders to push for an outcome that addresses Brazil’s concerns without undermining the fundamentally borderless nature of the Internet ecosystem. A recent example of these efforts is our participation in the drafting of a letter by the Brazil-US Business Council outlining the views of the international business community.
While much of the international attention is centered around forced localization, the scope of the Marco Civil is much broader and includes helpful net neutrality and intermediary liability protections amongst other positive elements. However, the new law is potentially problematic in areas such as data privacy, which is further complicated by a lack of definitions and the potential for extraterritorial regulation. Here are some of the key element of the Marco Civil:
Forced localisation: the Government reserves the right to oblige Internet services to host their data locally with possible fines running up to ten percent of annual revenues in Brazil.
Net Neutrality: the protections on net neutrality are comprehensive and robust. Only technical requirements may be used to guide traffic and providers are forbidden to block, monitor, filter, analyze or inspect the content of data packets.
Safe harbours: strong safe harbour protections with a sensible ‘notice and takedown’ regime, similar to Section 230 of the US CDA and Section 512 of the DMCA. However, it is not clear how safe harbours extend to copyright infringement as this will be handled by the new Copyright Act (expected in 2015).
Graduate response: the establishment of private ‘graduate response’ systems by ISPs appears to be prohibited.
Privacy protections: there are two main problems with the bill’s privacy provisions: no definition for ‘personal data’ is given and it is unclear what constitutes ‘express consent’ to the sharing of that data.
Right to be forgotten: the bill includes an ambiguous version of the ‘right to be forgotten’, where It is unclear whether personal information reposted by third parties will be covered (such as Argentina has provided in its law).
Do-not-track: it also appears that website tracking must be opt-in and requires explicit consent from users.
Extraterritoriality of privacy laws: the privacy provisions of the Marco Civil could potentially create extraterritoriality issues as all data collected in Brazil must fully respect local privacy laws irrespective of where the data is being stored or processed.
Given Brazil’s influential role in international relations and the strong leadership of President Rousseff in calling for a people-centric, human-rights based dialogue about surveillance in the information society, Brazil is at the front rank of countries in Internet policy. For all these reasons, the Marco Civil will almost certainly have an impact on national legislation far beyond Brazil. CCIA will closely monitor the international discussions around the Marco Civil and its implementation.