Brazil´s New Law is Not Tough Enough to Fight Electronic Crimes

Renato Opice Blum

After 15 years of discussion, Brazil´s government has enacted a law that typifies computer-related crimes and covers important issues such as electronic device invasion, unauthorized remote access and interruption of web services. This article intends to analyze some aspects of the long-awaited Law 12.737/2012.

The text of this short law is as follows:

Article 1: This Act provides for the classification of criminal offences and other matters involving computers.

Article 2: Decree-Law 2848 of December 7, 1940 – Criminal Code, is now amended by the addition of the following Articles, 154-A and 154-B.

Article 154-A, Unauthorized access of computer devices: Accessing computer devices, be they connected or not to a network, violating without authorization security mechanisms, to obtain, tamper or destroy data or information without the express or implied consent of the owner of the device or to install programs or data intending to gain an unfair advantage: Penalty – detention of 3 (three) months to one (1) year and a fine.

  1. The same penalty shall apply to those who produce, deliver, distribute, sell or disseminate a device or computer program in order to facilitate the commission of the conduct defined above.
  2. The penalty will be increased by one sixth to one third if the unauthorized access results economic loss.
  • In the event that the access results in the obtaining of private electronic communications, commercial or industrial secrets, confidential information, as defined by law, or the unauthorized control remotely of a computer device: Penalty – imprisonment of six (6) months to two (2) years and a fine, where the conduct does not constitute a more serious crime.
  1. In the case of iii) above, the penalty shall be increased by one third to two thirds if any disclosure by any means of the data or information obtained is sold or transferred to a third party.
  2. The penalty shall be increased by one third to a half if the offense is committed against:
  3. the President, governors or mayors;
  4. the Chairman of the Supreme Court;
  5. Chairman of the Chamber of Deputies, the Senate, the State Legislative Assembly, the Legislative Chamber of a Federal District or Municipality;
  6. the head of a direct or indirect federal, state, local or Federal District administration.

Article 154-B, Criminal prosecution: The offenses defined in article 154-A, will be brought by request unless the offense is committed against the direct or indirect administration of the Union, States, Federal District and Municipalities or against Utilities or Public Services.

Article 3: Articles. 266 and 298 of Decree Law 2848 of December 7, 1940 – Criminal Code, become effective with the following wording: “Interruption or disruption of telegraph, telephone, computer, telematic or public information service”.

Article 266.

  1. The same penalty shall apply to those who interrupt telematic or public information services, or prevent or hinder their recovery.
  2. Penalties shall be doubled if the crime is committed during a time of public crisis.”(NR)

Counterfeiting of Private Documents

Section 298. ………………………………………….. ………………….

Counterfeiting of a card

Single paragraph. For purposes of this head, will mean any personal card, credit card or debit card.

Article 4: This Law shall enter into force 120 (one hundred twenty) days after official publication.

Brasilia, 30 November 2012; 191st and 124th Independence of the Republic.

The first point to mention is the fact that the law limits the typifying of invasion to cases in which an %u201Cinfringement of security mechanisms%u201D occurs, excluding computer devices without protection mechanisms from the enforcement. Moreover, the expressions %u201Csecurity mechanism%u201D and %u201Ccomputer device%u201D (Only hardware, what about software?) are not defined by the law, raising doubts about the legal framework in certain cases.

Furthermore, since the conduct %u201Cto invade%u201D gives the idea of %u201Centering forcefully%u201D, cases of inappropriate acquisition of data through social engineering techniques and other means (e.g. disclosure of password by the owner to third parties) theoretically would not be included in the newly born classification. This is because such actions would not constitute violation, but merely unauthorized access.

Additionally, it is possible to foreseen a broad debate about who would be the %u201Cowner of the dispositive%u201D invaded %u2013 expression used to designate the victim. The legal text seems to refer only to the owner, not clarifying if an eventual possessor or user could also be protected.

It is also important to mention that, concerning the penalization of disclosure of industrial secrets obtained by invasion, there is an apparent duplicity of legal prediction: the improper disclosure was already considered crime by the Protection of Industrial Property Law (Law 9.279/96).

It%u2019s true enough that the new law comprises many other interesting topics. However, the sentences imposed appear to be too soft, allowing the enforcement of the conditions of Special Courts%u2019 proceedings. This when the international trend is precisely the opposite: recently it became news the fact that the State of California (USA) condemned to 10 years of prison a hacker accused of stealing pictures from celebrities through the web – in addition to the payment of a compensation for the sum of 76 thousand dollars.

Obviously, we are not advocating the sudden increase of Brazil%u2019s prison population just to punish computer crimes. Nevertheless, it is hard to understand how the creation of a law after so many years of debate, can establish punishments with such a weak deterrent effect. Such aspect of the penalties is disconcerting since in the majority of computer crimes the material loss is just a small part of the problem: the damage occurs within the intimate sphere of private lives or concerning sensible business information %u2013 what makes the lost data invaluable for the victim.

For these reasons, it seems lenient to punish such conducts with the concession of benefits directed to minor crimes. If technology achieved a relevant role in the daily life of the Brazilian citizen, the law should follow this change, recognizing in practice its gigantic potential to affect people%u2019s lives %u2013 for better or, unfortunately, for worse.

Renato Opice Blum is an attorney and economist; MBA on Electronic Law Coordinator at Sao Paulo Law School and in the 1st Digital Law course of FGV/GVLaw in 2011; Professor at USP and Mackenzie; Member of Octopus Cybercrime Community connected with Council of Europe; President of the Council of Security and Information Technology at Commerce Federation of São Paulo and of the American Chamber of Commerce Technology Law Committee; Advisor for the Brazilian Bar High Technology Crimes Committee; Invited professor at the following international programs: Technology Policy Institute; Council of Europe; SEDONA; American Bar Association; International Technology Law Association; High Technology Crime Investigation Association; Information Systems Security Association; International Association of Privacy Professionals; Georgetown Law CLE; International Law Association and Inter-American Bar Association; Coordinator and co-author of the books %u201CManual of Electronic Law and Internet%u201D and “Electronic Law: Internet and Courts”.

Renato Opice Blum

Renato Opice Blum

Advogado, economista e professor, membro de variados institutos de direito digital ao redor do mundo e reconhecido nacional e internacionalmente pelos principais diretórios jurídicos (Chambers and Partners, Legal 500, Who's Who Legal, Best Lawyers, Análise Advocacia).
Renato Opice Blum

Leave a Reply

Your email address will not be published. Required fields are marked *