Brazil’s long-debated “Internet Bill of Rights” has finally become law. The legislation, which passed the Brazilian Senate unanimously in April, is intended to secure equality of access to the Internet in Brazil—i.e., Net Neutrality—and provide privacy protections for Brazilian users of the Internet. Experts hailed the law “for balancing the rights and duties of users, government and corporations while ensuring the Internet continues to be an open and decentralized network.”
The law, known as the Marco Civil da Internet or “Marco Civil” (in English, the Civil Internet Regulatory Framework) was first proposed in the Brazilian Congress in 2011, but received new significance in late 2013 after revelations that the U.S. National Security Agency had spied on the communications of persons across the world—including Brazilian President Dilma Rousseff. Rousseff signed the Marco Civil into law on April 23, 2014. The law goes into effect in July.
Commonly referred to in English as an “Internet Bill of Rights” or “Internet Constitution”, Brazil’s new Marco Civil provides for the freedom of expression and of content on the internet while also limiting the amount of metadata that can be gathered on Brazilian Internet users.
The legislation also includes broadly worded protections for privacy on the internet. Disclosure of personal data to third parties generally requires the informed consent of an Internet user, except under a valid court order.
Companies that collect personal data from residents of Brazil will be subject to Brazil’s laws and courts in cases involving information on Brazilians, even if the data is stored on servers abroad. In order to ensure its passage, a controversial provision was dropped from the law that would have required companies to store data related to Brazilian Internet users on servers within country.
In addition, ISPs will be required to retain Internet access logs for one year.
The Marco Civil may not be the end of legislation related to the Internet and personal data protection for Brazil. The Brazilian Congress was also working on law to protect personal data protection bill at the same time that the Marco Civil was under consideration. The personal data protection bill was described as containing “an EU-style adequacy standard that would prohibit data transfers outside of Brazil unless the recipient country ensures an adequate level of data protection.”
The Brazilian Congress was expected to take up this data protection bill after the Marco Civil was passed, though it is not clear whether the Marco Civil’s final form has effectively tabled this issue.