Net neutrality and privacy protection: what does the decree of the Brazilian Civil Rights Framework for the Internet say

The Brazilian Civil Rights Framework for the Internet (Law 12.965/2014), ever since its publication, is considered a very important progress in Brazilian lawmaking, not just because of the matter it regulates, but alto due to the fact that there was broad civil participation through public consultations since 2008. A poignant trait of this law is its principles. They allow for future applications and adaptations, according to new necessities on the online environment.

In a sense, some aspects of the law still required definition and regulation, which would be put into effect by an Executive Decree. Back in 2014, there was a lot of discussion regarding whether or not these definitions should occur by and Executive Decree, since this is an unstable legislative tool. Basically, the Executive Branch has the ability to alter it at any time.

Despite all that criticism, in the same way that the Brazilian Civil Rights Framework for the Internet underwent public consultations, the Executive branch opened up four new consultations to elaborate this decree, at the Brazilian Internet Management Committee (Comitê Gestor da Internet – CGI.br), the Ministry of Justice and the Brazilian National Telecommunications Agency (ANATEL).

One of Dilma Rousseff’s last actions before leaving the presidential office was to publish the Executive Decree 8771, in May 2016. Despite what many news about this last executive act, the decree was very mature and gathered several discussions already held with civil society.

What about net neutrality?

On one hand, with regard to net neutrality, it is worth mentioning Article 2, II, (a), in which it is possible to observe a prohibition to projects such as Facebook’s Internet.org. In this project, Facebook aimed to provide Internet service in areas with no providers, or extremely low-income consumers. However, this access would be limited to the user’s Facebook profile and “partners” of the project. Article 3 also prohibits zero rating packages. These packages are offered by internet cell service providers. Even though your data package has reached its limit, it allows the use of certain apps, such as Facebook, WhatsApp, Twitter, etc.

On the other hand, articles 4 and 5 add new exceptionalities to break net neutrality, such as detrimental technical requisites, the priority of emergency services, network congestion, when the connection provider observes a security breach due to spam, or denial of service attacks – DDoS. Article 5, paragraph 2nd, establishes that ANATEL would be responsible for overseeing these exceptionalities, always by means of CGI.br’s directives.

Personal data and privacy protection

Users’ personal data and privacy protection continue to be a great problem in Brazil, especially due to the lack of specialized legislation on the subject. The Brazilian Civil Rights Framework for the Internet and its decree seek to be tangent to the subject, but there are several threats to personal data security nowadays, such as the indiscriminate sharing of information between different government services, besides very little transparency when it comes to the way companies treat these data.

Artcile 11 of the decree gave leeway so that authorities request personal data without judicial order, but at least it demanded that motives and purposes be declared, reasonable and proporcional. According to article 13, there should be strict control of data access, by means of a clear definition of responsibilities for people who will have access and privileges to this information. In addition, it foresees authenticity mechanisms to access registries using, for example, double authentication systems in order to assure accountability of employees in data treatment. Finally, it also requires that conection and application providers store the minimum amount of personal data possible, as well as private communication and conection and access registries, which should be excluded when its purpose of use is reached.

In Brazilian Congress, there is the Bill 5276 (House of Representatives), which tries to determine conditions for personal data collection, treatment, processing and storage. There is also Bill 4060 (House of Representatives), Bill 330 (Senate) and Bill 181 (Senate). Bill 5276 went through public consultations over the last two years and is based on an European law regarding the same matter.

Supervision and transparency

This is another sensitive aspect in the decree. CGI.br is an administrative body, therefore it could not exercise police duties (supervision, fines, etc.). Thus, this power was delegated to ANATEL (Article 5, paragraph 2, and Article 17), to the National Consumer’s Secretary (Article 18) and to the Brazilian System of Competition Law (Article 19). However, something which was very much emphasized by the decree in its Article 20, is that, regardless of the federal body that will be responsible for police duties online, the CGI.br will always be the one elaborating recommendations and directives for the supervision of rights and duties provided by the decree.