Marco Civil da Internet Presidential Draft Decree – Comments and main points
On January 27, the Brazilian Ministry of Justice released a draft of the presidential decree which will regulate some aspects of the Marco Civil da Internet. The draft was opened to public consultations until February 29 via an online platform accessible here.
First, it is important to bear in mind that the decree deals only with two aspects of the Marco Civil da Internet, which are net neutrality and proper security procedures regarding data stored by Internet connection and application providers. Regarding data protection, it does not cover aspects such as profiling, big data, right to opposition, data portability, legitimate interests, international transfers, and so on. The decree only covers data security by providing safeguards on how Internet connection and application providers should properly act upon data requests by competent public authorities, and how to implement data security standards and maintain confidentiality of electronic registers, personal data and private communications.
Here are the main points of the draft decree:
- The net neutrality principle was established in Brazil by the Marco Civil da Internet, the law that establishes principles, guarantees, rights and obligations for the use of the Internet in Brazil. However, the exceptions listed on the law were to be clarified by a presidential decree.
- Marco Civil established two exceptions to the net neutrality principle:
- Technical requisites required to properly provide services and applications; or
- For the prioritization of emergency services, considering all requisites provided in art. 9, paragraph 2 of the law.
- According to the draft decree, the technical requisites required to properly provide services and applications can only be related to the following situations:
- The management of network security issues, such as restriction to send mass messages (spam) and controlling of denial-of-service attacks (DDoS);
- The management of situations of networks congestion, such as load redistribution, alternative routes in case of downtimes in the main route and managing in emergency situations;
- The management of network quality issues to ensure compliance with the minimum quality standards set in regulation published by ANATEL, the Brazil National Telecommunications Agency; and
- The management of essential issues necessary for the proper use of applications, aiming to ensure the user’s experience quality.
- As to the last situation, the decree does not clarify what is essential to maintain the quality of the user’s experience. This provision might be considered an open door to innumerous traffic management practices.
- Traffic discrimination or degradation arising out of the mandatory technical requisites may also adopt technical measures enabling the separation of different classes of applications based on international standards (e.g., VOIP, streaming, XMPP and other protocols), as long as such practices are not discriminatory.
- All Internet connection providers must comply with transparency principles and expose to consumers the reasons for traffic management practices that might lead to traffic discrimination or degradation due to technical requisites. The decree confers to ANATEL the authority to oversight net neutrality practices and violations, according to provisions established by CGI, the Brazilian Internet Steering Committee.
- The degradation or discrimination arising out of the prioritization of emergency services may only result from communications sent to emergency service providers, or the necessary communications to inform people in situations related to risk of disaster, emergency or state of emergency. In these situations, data transmission will be free of charge.
- The draft decree establishes that agreements between connection and application providers resulting from discriminatory prioritization of data packages are forbidden. Such determination does not clarify whether some business models, such as “zero rating,” are forbidden, even with the provision that implies business offers and charging business models regarding the access to the Internet must preserve a unique, open, plural and diverse Internet. However, these agreements will be under the oversight of different authorities according to their practices.
- The decree is clear to establish that the regulation does not apply to telecommunication services unless they intend to provide Internet connection. Specialized services are also not subject to the decree, even if they use TCP/IP protocols or similar, provided their functionalities are not merged with the public and unrestricted character of the Internet. However, the decree fails to determine what can be deemed as specialized services, a concept as broad as the different types of services offered over the Internet.
Data protection by Internet service providers
- The decree authorizes administrative authorities referred to in art. 10, paragraph 3 of Marco Civil to request and receive record data (parents’ names, address and personal details such as name, last name, marital status and profession of the user) without proper judicial oversight, hence without a court order, as long as the authorities state the legal basis of their authority to do so and reasons for it. However, the decree fails to clarify which administrative authorities are authorized to act in such a manner, leaving a probable blank check to abuses.
- Transparency reports shall be published on a yearly basis by federal government agencies on its websites comprising statistics of requests for record data, including the quantity of requests, the list of connection or application service providers from which data was required, and the quantity of requests granted and rejected by connection providers and application service providers.
- Both Internet connection providers and application providers are obliged to comply with security standards and measures regarding collection, storage and processing of data, which might arise from international technical standards and/or recommendations, studies and guidelines promoted by CGI.
- Security measures include the need for log-management solutions, which implement cryptography technologies or similar protection measures to ensure data integrity and the logical separation from other data processing systems for business purposes.
- On top of everything, it is import to bear in mind that the decree shall not be interpreted as a data protection law. For example, the decree provides for a limited concept of personal data, determining that personal data is all data related a natural person identified or identifiable by identification numbers, location data or an electronic unique identifier, including connection logs and private communication content. It does not include, for example, factors specific to the physical, physiological, genetic, biometric, mental, economic, cultural or social or gender of the data subject.
- In addition, according to section 12 of the decree, this concept of personal data only relates to the decree itself, naming net neutrality and data security practices. In addition, it is awkward that a presidential decree can provide a concept of personal data, since such piece of legislation can be easily altered by the executive branch, without being properly discussed by the legislative.
- To conclude, the decree may enhance the protection of personal data within some areas, but it does compensate for the fact that a comprehensive data protection legislation will not be enacted soon. It is still a sectoral regulation. Marco Civil cover Internet services. The decree only covers net neutrality and data security. Hence, it is an even narrower regulation regarding the protection of personal data.
Audit and Transparency
- Oversight will mostly be performed by the National Telecommunications Agency, ANATEL, regarding net neutrality practices, but it will also include the Brazilian Office of Consumer Affairs, from the Ministry of Justice, that shall audit and assess violations under Consumer Law, and the Brazilian Competition Policy System, that shall assess violations to the Brazilian economic order.
- The Brazilian Internet Steering Committee shall provide support whenever required, and all entities must ensure compliance with Brazilian legislation by enforcing applicable remedies even in case of operations performed by an entity located abroad.
One can foresee that business will for sure be affected by the decree, since they will have to implement several procedures to properly safeguard the data, such as security standards, interoperable formats, privacy policies, transparency reports, and logical separation between regular data and data used for business purposes. The 45 days established for the decree to come into effect after being enacted and published might not be sufficient to adapt to these new environments.
As mentioned, the public discussion ends February 29. Until then, anyone can go to the online platform and provide suggestions and comments. After this period, a final version of the decree will be drafted. It might go once again to public discussion, or it might be sent to the Civil House of the Executive Branch, which will analyze it and provide its opinion, then send the text to be signed and enacted by the president. Therefore, the decree may go into effect during the first half of 2016.