Brazil’s Marco Civil regulatory decree and privacy: the debate continues

InternetLab Reports 02.24.2016 by Jonas Coelho Marchezan

In addition to the relevant provisions on net neutrality, the draft of the Marco Civil da Internet regulatory decree also brought a number of privacy rules. These articles set out how the obligations established in the Marco Civil must be implemented in practice. They concern the protection of citizens' personal data and the mandatory retention of Internet users' connection and application logs, which allows traceability. These topics are now under discussion in the second phase of consultation, which will remain open until February 29.

CC BY-SA 3.0 © Kris Krug via Flickr

InternetLab mapped all the points that were debated in the first phase. We identified what was at stake and what alternatives were proposed by different sectors. We now look at the draft provided in the second phase and discuss what choices were made by the Ministry of Justice.

 

Account information: what is the definition and who can request it?

The Marco Civil da Internet authorizes administrative authorities to request registration data from Internet service or application providers when and if they have the legal competence to do so (art. 10, § 3º). According to the law, they shall have access to account information such as “to inform personal qualification, affiliation and address.”

In an attempt to clarify what could be considered account information, the draft decree adopts a definition: “It is considered registration data affiliation, address and personal qualification, understood as name, first name, marital status and profession of the user”. In other words, the definition dissects the concept of account information, stating that it encompasses name, first name, civil status and user profession. Yet the adoption of a clear definition can generate even more doubt. It is unclear whether the list in the draft decree obliges providers to retain this kind of information, or whether it merely describes information that providers may keep and, upon request, deliver to authorities. If the first interpretation is adopted, Internet service and application providers would have to require users to answer these questions. The final wording of the decree will have to address this point.

During the first phase of consultation, some participants suggested that the decree should expressly indicate that the “administrative authorities” allowed to make this type of request are only those that already have such power conferred by law, such as the legal capacity given to the police and public prosecutor by the Money Laundering Act (Act n. 12,683 / 2012) and the Criminal Organizations Act (Act n. 12,850 / 2013). This could prevent a broad interpretation of the law.

In its Article 9, the draft decree deals with this issue merely by requiring that requests for access to account information be motivated and state the legal grounds for the administrative authority's competence. The option, therefore, was to keep the question open, without imposing a restrictive interpretation of the Marco Civil provision. Although the obligations of legal basis and motivation can facilitate judicial scrutiny of requests that lack an appropriate legal basis, there remains the possibility of abuse by any authorities who feel entitled to make such a request by the text of the Marco Civil.

Finally, Article 10, which closes the section on account information, requires each Federal agency that uses this legal power to publish annual reports on its account information requests, containing the number of requests, a list of the Internet service providers and application providers from which the data were requested, and the number of requests accepted and rejected by these providers. The provision is well aligned with suggestions that emerged in the first phase of the debate, specifically from civil society organizations (such as Article 19), on transparency related to the activity of public authorities.

The provision is already a target of suggestions in this second phase of debate. Two comments are especially worth noting. The participant MRI OGP 2nd NAP Brazil suggested that, in addition to the information already required in the report, it should also be mandatory to include the legal basis used to motivate the data requests. Along the same lines, the participant Bruno Schmitt suggested that the reports include detailed information about the geographic distribution of requests.

Apart from that, the transparency obligation imposed on the agencies does not extend to statistical reporting on court orders issued for the disclosure of non-content data (logs) and private communications; it is directed only at requests to access account information. In this new phase, this point will possibly generate discussion.

 

Data security and confidentiality

Articles 11 to 14 of the draft decree (which make up its section II) establish security and confidentiality standards for data retention, storage and processing. In the first phase this topic was approached differently by academics, civil society organizations and by the private sector.

The wording of Article 11 leaves some questions unanswered. In specifying security standards for the retention, storage and processing of “data”, the draft does not make clear which types of “data” fall under this definition. Are the “data” the information that providers are obliged to retain for later identification of users (under the Marco Civil), or do they encompass other information?

However, the same Article 11 seems to have been sensitive to some arguments offered during the first phase of the public consultation. The regulation suggested in the draft allows the standards to be updated upon intervention by the CGI (Brazilian Internet Steering Committee, a multistakeholder organization), as suggested by the CTS-FGV, and also establishes the need for the use of encryption or equivalent technology, as required in a joint contribution by civil society organizations. This point of the draft also creates a number of new obligations for Internet service and application providers (such as the logical separation of data stored compulsorily and data processed for commercial purposes, and the creation of an inventory of access to such records), which, once more, can generate discussion about the limits and scope of a regulatory decree.

 

New definitions: personal data and data processing

The Marco Civil provides in its text various obligations related to personal data and data processing, without, however, defining these two terms. The uncertainty can be partly explained by the fact that specific draft laws on the protection of personal data in Brazil are being discussed by the Executive and by the Congress, and that they are considered the most appropriate instruments to encompass these definitions. There were contributions in the first phase of the debate in that sense (CTS-FGV, GEPI-FGV, National Association of Newspapers – ANJ, Direct Marketing Brazilian Association – ABEMD, Internet Brazilian Association – ABRANET), arguing that this issue should be addressed not by this decree but by the future personal data protection law.

Nevertheless, the decree, in Article 12, establishes definitions for the two terms. Besides several challenges related to whether a decree can set these definitions at all, the concepts adopted may conflict with those possibly adopted by specific personal data protection legislation, which is hierarchically higher and has a broader scope of application than a decree.

 

Enforcement and sanctions

Enforcement and sanctions were not the most discussed topics during the first phase. Some participants, however, made suggestions regarding the way that enforcement should take place and the necessary limitation on the scope of penalties.

Two contributions on enforcement should be highlighted. The first, sent by the MPF, suggested that the decree should specify the authorities competent to monitor and enforce sanctions, without prejudice to judicial supervision whenever it is invoked. The second, by the Information Technology Industry Council, suggested that enforcement and the issuance of fines should be the responsibility of a single federal authority, in order to provide uniform application of the law.

The draft decree, in articles 15 to 18, chose to recognize the legal competence of a multiplicity of supervisory bodies. The National Telecommunications Agency (ANATEL), the National Consumer Office of the Ministry of Justice (SENACON), the Administrative Council for Economic Defense (CADE) and entities of the federal government will act, according to the decree, within their respective legal competences. It should be highlighted that the sole paragraph of Article 15 provides that ANATEL is responsible for monitoring and investigating offenses related to the protection of connection logs by ISPs.

Finally, with regard to the penalties, despite calls from some participants for the decree to modulate the effects of the sanctions provided for in the Marco Civil (e.g., providing that the fine of 10% in revenues is limited to sales of the activity that gave rise to the fine in Brazil – Information Technology Industry Council), the draft, in its article 19, merely says that the determination of penalties provided for in the Marco Civil will follow the internal procedures of each enforcing authority.

In this sense, the decree does not provide any guidance on this subject. Bearing in mind the judicial blocking of WhatsApp, in which the temporary suspension was allegedly authorized by art. 12, III, of the Marco Civil, one would expect greater mobilization of the participants in this area in this new phase.

By Dennys Antonialli, Francisco Brito Cruz, Jacqueline Abreu and Jonas Coelho Marchezan.
