This is the sixth InternetLab newsletter about the Brazilian public consultations about the Marco Civil da Internet regulation and the Data Protection Draft Bill, organized by the Ministry of Justice. Check the numbers, statistics and hot topics of this week.

Numbers and statistics

Regulation of Marco Civil: exceptions to the network neutrality

The participant drica raised questions about one of the Marco Civil’ key issues regarding net neutrality: what are the exceptions to this rule?

The Marco Civil text not only the define net neutrality as a rule, but also indicate two exceptions when discrimination or degradation of traffic would is allowed:

I – technical requirements essential to the adequate provision of services and applications; and

II – prioritization of emergency services.

These two exceptions are not very specific and leave room for multiple interpretations of what should be understood as “technical requirements” or “emergency services”. These concern hit main practical issues about how the enforcement of the net neutrality rule will be.

The use of these comprehensive terms was not by chance. The dynamic and intense technological and social change could turn any more specific rule obsolete in little time. It may be important that the law provide a more open legal interpretation framework in this case which could be more easily adaptable to the changes that the Internet waiting for years to come.

The scope of the legal text allows, for example, that the supervisory public authority of the net neutrality rule could create and update regulatory standards when the level of technology and network operation change, while respecting, however, the same Marco Civil general provisions.

Answering to the question raised by drica, the participant Pedro Ramos (who is an InternetLab Fellow Researcher) gave his opinion on what should be covered by the regulatory decree definition regarding “technical requirements” and “emergency services”:

“I. Technical requirements:

– Packet prioritization according to their sensitivity to latency, in order to preserve the quality of the user experience; or

– The adoption of discrimination in order to preserve the security of the network, such as blocking malicious software, spam or DDoS attacks.

II. Emergency services:

– VoIP calls, geolocation services and equivalent posts or substitute to public emergency services (eg, police, fire, hospitals); and

– Official or priority messages in public emergency situations or risk to national security. “

Pedro Ramos also provided the link for his full contribution sent to the Ministry of Justice about net neutrality (in portuguese). The document has bold arguments on key issues that should be addressed by the regulatory decree that the Marco Civil public consultation is ellaborating.

Data Protection: consent waiver and unrestricted public access data sets

The partipant paulo ca argue about Article 11 of the Data Protection Draft Bill, in particular regarding the first words of its spelling:

Art.11. The consent will be waived when the data is unrestricted to public access (…)

The participant’s concern seems to be the use of “unrestricted public access data” by companies that could exploit it commercially. This data sets (obtained without the consent of citizens) could be compared and combined with other source data sets and used to draw potential consumer profiles.

According to paulo ca, this kind of use of “unrestricted public access” data sets could not be considered legitimate only because they are already publicly available. For him this activity would be a violation of an “specific purpose” regarding the public availability of data. In other words, the fact that the consent was waived for this data setes does not mean that it could be used for any purpose.

In order to deepen the discussion about the topic we invited for commentary Dennys Antonialli, the executive director of InternetLab, to answer questions about unrestricted public access data sets.

What should be regarded as unrestricted public access data sets?

Commentary: Dennys Antonialli (PhD Candidate and coordinator of the Law, Internet and Society Nucleus of the University of Sao Paulo Law School and InternetLab’s executive director)

Unrestricted public access data sets are those which can be accessed freely and with no cost by any citizen. This is information provided publicly without the use of validation mechanisms or encryption, such as public exams results (selection lists for public universtity, for example) or data about public servants available at official transparency portals. Anyone who want to know the approved candidates to the undergraduate course of the University of Sao Paulo Medical School can have access to the list. However, not all data available in public databases could be considered as unrestricted accessible. This applies to information such as the voter registration number, electoral situation and CPF (tax payer unique number). The availability in databases  of government websites does not mean they can be found by any person. First, because they depend on other personal data to be found (to get someone’s voter registration number, for example, you must provide full name, date of birth and the mother’s name). Also, in many times these search engines require a validation to make sure that the search is being made by a human being. The most common form is the CAPTCHA (“Completely Automated Public Turing test to tell Computers and Humans Apart”), characterized by those images with letters and numbers that need to be repeated to validate a request made online. The intention seems to be avoid that the task could be performed in an automated way (such as by the use of “robot-technology”). The data provided in these databases, although public, are not designed to be accessed without restriction.

The use of these data sets by data processing companies is legitimate?

Commentary: Dennys Antonialli (PhD Candidate and coordinator of the Law, Internet and Society Nucleus of the University of Sao Paulo Law School and InternetLab’s executive director)

According to the current version of the Personal Data Protection draft bill (Art. 11), only the use of public data of unrestricted access is independent of the citizen’s consent. It would therefore be possible that data such as those cited above be used by companies without the mandatory preauthorization of the citizen. The same can not be said about the data available in databases that require “obstacles” for searching, such as the voter registration number. Since you need to insert other personal information (such as date of birth and affiliation) and go through a validation process (CAPTCHA) for obtaining the information these data sets are not available unrestrictedly, which would exclude the scope of the consent waiver requirement provided in Article 11.

Center for Technology and Society at FGV-DIREITO RIO and the Commons Debates

 The Center for Technology and Society at FGV-DIREITO RIO (CTS) provided this week bold reference materials that are of great help to foster participation during the public consultation process of the Marco Civil of Internet regulation and of the Data Protection Draft Bill (links in portuguese):

 A timeline of the public consultations concerning the Marco Civil and the Data Protection Draft Bill;

FAQ about the objects of consultations;

Interactive maps about net neutrality and data protection issues;

CTS’ contributions sent to the public consultation organized by CGI.br about Marco Civil regulation.