President Dilma Rousseff signed Federal Decree No. 8,771/2016
regulating the Internet Legal Framework (Federal Law 12,965/2014).
The final version of the Decree was published in an extra edition
of the Official Gazette last evening. The Decree has significant
changes when compared to the Ministry of Justice's draft
submitted to public consultation on January 27, 2016.
The Decree addresses cases where internet data packages
discrimination and traffic degradation are permitted, indicates
procedures for connection and application providers to store and
protect data, indicates transparency measures for the request of
users' enrollment information by public administration entities
and establishes parameters for monitoring and investigating legal
violations.
As already set forth in the Internet Legal Framework, the Decree
details the circumstances under which the principle of network
neutrality does not apply, therefore allowing network traffic
discrimination or degradation. To this effect, network neutrality
shall not be required as a result of necessary technical
requirements for the proper provision of services and prioritizing
emergency services. The technical requirements mainly refer to
network safety issues and exceptional situations of network jams.
The Decree sets forth that Anatel (Brazilian Telecommunications
Agency) will supervise and investigate violations of such technical
requirements, and may issue regulatory parameters considering
guidelines of the Internet Steering Committee in Brazil
(CGI.br).
In addition to establishing transparency measures to inform users
of cases in which network traffic discrimination and degradation
are permitted, the Decree expressly prohibits certain conducts or
unilateral acts or agreements between internet connection providers
and application providers which prioritize data packages as a
result of commercial arrangements or that favor applications
offered by internet connection providers or affiliated companies
thereof.
As regards protection of logs, personal data and private
communications, the Decree defines "user enrollment
information" and determines that administrative authorities,
when requiring users' enrollment information to providers, must
indicate the legal basis for their express authority to access such
information and the motivation for the request. Providers which do
not collect user enrollment information shall inform such fact to
the authorities and are released from the obligation to provide
this information.
In addition, the Decree is specially concerned with data privacy,
establishing safety and confidentiality standards for logs,
personal data and private communications to be adopted by
connection and application providers. Among such measures are, for
instance, strict control over data access through the definition of
responsibilities of the persons who may have access to data and
exclusive access privileges to certain users, inventory of any such
accesses, and the need to use techniques which ensure the
inviolability of data, such as encryption or equivalent protective
measures. CGI.br may recommend procedures, rules and technical
standards related to such measures.
The concern with data privacy is also reflected in the obligation
that connection and applications providers retain the least
possible amount of personal data, private communications and
connection and access logs. Such data must be immediately deleted
after it reaches the purpose for which it was collected or upon
expiration of the retention period established by law. However, the
Decree establishes that such records, personal data and private
communications shall be stored in an interoperable and structured
format, for easy access arising from court decisions or legal
provision.
Finally, the Decree also establishes that federal authorities
specifically competent to deal with matters related to the Decree
shall act in a collaborative manner, including during proceedings
for applying penalties, taking into account the guidelines set
forth by CGI.br. Anatel will be responsible for regulating,
inspecting and investigating violations as provided for in Federal
Law No. 9,472/1997 (General Telecommunications Law).
The Decree becomes effective in 30 days.
Our Intellectual Property and Information Technology practice group
remains available for any additional information or
clarification.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.