Regulation on the Internet Bill of Rights


Regulation on the Internet Bill of Rights


With the purpose of regulating Law 12,965/2014, known as Marco Civil da Internet (or the Internet Bill of Rights), Decree 8,771 was enacted on May 11, 2016, and will come into force next June 10.

The decree has 22 articles, divided into four chapters addressing broadly speaking the discrimination of internet data packets and traffic degradation; transparency in the request of registration data on the part of the public administration; procedures for storage and protection of personal data by providers of connection and applications; and supervision and verification of violations.

Net neutrality

One of the most discussed aspects dealt with in the public consultations held on the draft decree was the offer of free access packets by telephony operators (known as zero rating) vis-a-vis the net neutrality. Article 9 of the Decree prohibits unilateral practices and agreements between providers of connection and applications which ‘compromise the public and unrestricted character of internet access’ or prioritize data and applications packets to the detriment of other offers.

The Decree also provides for exceptional hypotheses of discrimination or traffic degradation, which will only be admitted upon compliance with ‘technical requirements deemed essential for the adequate provision of services and applications’, namely: the handling of web security issues (such as, for instance, control over bulk messaging [spams]), and handling of exceptional situations of network congestion.

Request of registration data by public administration authorities
Under Article 11 of the Decree, administrative authorities must request registration data with specification of the data owners and stating the legal grounds of their express competence and the reason for access thereof, any non-specific request being forbidden. Moreover, public federal administration bodies are required to adopt transparency measures and publish statistical reports on registration data requests.

Security and confidentiality of records, personal data, and private communications

The Decree sets out guidelines for security standards to be observed by providers of connection and applications in the handling of personal data and private communications, such as definition of responsibilities and authentication mechanisms to ensure individualization of the persons who will have access to, and handle data, as well as create detailed access logs. The use of encryption to guarantee inviolability of data is likewise recommended.

For the purposes of the Decree, personal data is defined as data related to an identified or identifiable natural person, including identifying numbers, location data or electronic identifiers, where these will happen to be related to a person. Accordingly, the IP number and data referring to the user’s location are now deemed personal data.

Personal data, private communications, connection log, and access to applications will be required to be retained in the smallest amount possible and excluded as soon as the purpose of the use thereof or the time limit defined in a statutory requirement will have ended.

Supervision and Transparency

Supervision and verification of infringements of the rules laid down by the Internet Bill of Rights and its Decree will be conducted in a tripartite manner. Anatel (the National Telecommunications Agency) will act under Law 9,742/1997 (Telecommmunications Act), the Consumer General Secretariat, subordinated to the Ministry of Justice, will act as regards themes treated in the Consumer Protection Code, and the Administrative Council for Economic Defense (CADE), will do it in case of violations against the economic order. Such bodies, as well as other bodies and entities of the federal public administration, will act in a collaborative manner following the guidelines fixed by the Internet Steering Committee (CGI.br).