Caught in the web



Monday, 1 August 2016 by Joe Rowley

Brazil is in the vanguard of Latin America’s efforts to regulate the internet and protect users online, but a package of cybercrime bills currently being considered by the country’s Senate has sparked concern among the legal community. Joe Rowley finds out why.

Whether socialising with friends, debating politics or buying groceries, the internet has become an indispensable tool in the daily routine of growing numbers of Brazilians. The rapid evolution of devices such as smartphones, coupled with the development of innovative apps, has brought the internet into ever more areas of people’s lives.

Brazil now has one of the highest levels of internet penetration among developing countries, with almost 58 per cent of its population able to access the internet, according to data compiled by the World Bank. Smartphone ownership is also high and growing fast. Over half of all mobile phone users in the country already own an internet-enabled handset; among Brazilians aged 34 years the figure is over 90 per cent. Rapid growth in smartphone use is also feeding through to the wider economy. Mobile banking transactions have grown exponentially, from less than 1 per cent in 2012 to over 30 per cent in just three years. Between 2014 and 2015 alone, the number of m-banking transactions increased by 138 per cent, according to figures compiled by the Brazilian Banking Federation (FEBRABAN). State-owned Banco do Brasil’s app is among the top 10 most downloaded in the country.

However, such rapid growth in interconnectivity has made Brazil both a target and base for cybercriminals. Location-blocking software and the anonymity and networking opportunities provided by the internet have allowed sophisticated global criminal networks to flourish. Between 2014 and 2015 alone, the number of cyberattacks soared by 197 per cent, according to figures compiled by Brazil’s National Computer Emergency Response Team. A combination of a lack of awareness and insufficient antivirus protections on devices has made users easy prey for cybercriminals. Brazil now ranks second worldwide in online banking fraud and financial malware. “Brazilians are very inventive, for the good and for the bad,” notes Veirano Advogados partner Fábio Pereira. “In Brazil, there is a rich niche of software developers and hackers, but you don’t see the same growth in software protections.”

Foreign and domestic companies must now spend millions of dollars defending their networks from increasingly sophisticated cyberattacks seeking to access sensitive commercial, financial and customer information. In the banking sector, cybercrime accounts for 95 per cent of losses incurred by Brazilian banks, which collectively spent US$910 million on digital security last year, according to FEBRABAN. Indeed, with more and more personal information becoming digitalised and increasing numbers of companies moving online, many expect the cost of cybercrime to rise further. For both individuals and the growing universe of companies and banks for which online transactions have become an important revenue stream, protecting this growing community from criminal activity has become a top priority.

Setting the boundaries

Besides insufficient development and adoption of software, Brazil’s eye-watering cybercrime statistics also find their roots in weak judicial protection. Although regulations protecting personal data already existed in the country’s criminal and civil codes, it was not until 2012 that Brazil adopted its first bill specifically aimed at tackling cybercrime. Known as the Carolina Dieckmann Law after the telenovela actress whose hacked account and stolen private photos led to the legislation, the law for the first time established hacking as a criminal offence, punishable by a fine and three months to one year in prison for invading a computer device, and up to two years (with the possibility of being increased by a further two-thirds) for further release of the data. A second bill, signed into law at the same time, created the policing infrastructure required to combat cybercrime. However, while this was broadly welcomed by many within Brazil’s legal community, some have questioned whether the maximum penalties are sufficient to act as a deterrent to would-be hackers. Similar offences in the US, for example, can earn perpetrators up to five or 10 years in prison.

Efforts to curb the growing wave of cybercrime within Latin America’s biggest digital economy have resulted in a flurry of bills aimed at increasing the powers of state agencies to investigate and prosecute cybercriminals, and detailing the rights and responsibilities of all those that use the internet. In 2014, Brazil passed the Marco Civil da Internet law, for the first time codifying the rights and responsibilities of all those that use the internet. Among its articles were provisions ensuring net neutrality (namely that internet service providers, or ISPs, allow equal access to content, without censorship), open government, privacy protections, data storage guidelines and safe harbour guarantees freeing ISPs from liability for user-generated content on their websites. Variously described as a civil rights framework for the internet, or Magna Carta for the web, it was hoped the legislation would have an impact beyond Brazil and form the basis of a universal framework for all internet users worldwide. “The internet we want is only possible in a scenario of respect for human rights, particularly privacy and freedom of speech,” said President Dilma Rousseff during the signing of the bill before her suspension. “The rights that people have offline must also be protected online.”

Praised by many within Brazil’s legal community at the time as a ground-breaking (if imperfect) piece of legislation, the Marco Civil was further strengthened and clarified by an executive decree issued by Rousseff in May this year that details the extent of ISP liability under the law’s safe harbour provisions and reaffirms the protection of personal data and privacy online. “One of the points the regulated decree brought was how the data should be maintained and secured in a way that hacking, for example, of individual’s information would be avoided,” explains Veirano’s Pereira.

A second executive order also issued in May further increased data protection online. In one of her last acts as head of state before beginning a 180-day suspension following impeachment proceedings, Rousseff attached an urgency request to a new data privacy law, giving the upper and lower houses of Brazil’s Congress 45 days each to approve the bill. The law established a framework for the protection, transfer and storage of sensitive data by companies, bringing Brazil in line with other Latin American jurisdictions, such as Argentina, Chile and Uruguay. “It is the first federal privacy bill and the most important legislation on data privacy in Brazil,” says Mattos Filho, Veiga Filho, Marrey Jr e Quiroga Advogados’ Fabio Ferreira Kujawski. “It contains a very strong set of privacy provisions, including restrictions on the international transfer of data that we do not have today, and establishes a new regulatory agency in charge of data that currently doesn’t exist. It is a landmark piece of legislation and is likely to impact a lot of companies that handle sensitive data, especially in the insurance and medical sectors.”

Balancing privacy with protection

While efforts to regulate and protect users and companies online have been welcomed, a recent package of measures currently being considered by Brazil’s Senate has proven more divisive. Passed by Brazil’s lower house in May, the bills have sparked widespread criticism for undermining online privacy and have been called unconstitutional. “The proposals represent a step backwards and a threat to freedom of expression, privacy, and other constitutional rights, as well as to technology innovation and new business models, which constitute the main elements of the Marco Civil law,” argues Azevedo Sette Advogados partner Ricardo Barretto Ferreira. “In addition, the bills enable excessive surveillance and abuses by state police, the Public Prosecutor Office and public officials, in that there are proposals which dispense with a judicial order for breaching privacy.”

Of the seven bills, three propose changes to articles in the Marco Civil. This would allow courts to block application providers after all alternatives have been exhausted, include IP addresses in the registered data of each user (permitting disclosure without judicial order), and require content deemed offensive or damaging to honour be removed from websites without a judicial order. Many within Brazil’s legal circles share the view that such amendments could undermine the right to privacy online and make it easier for public figures to close down social networking sites. “After several years of open and inclusive dialogue, Brazil managed to come up with its internet legal framework, the Marco Civil da Internet, which clearly protects free speech and online privacy,” notes Machado, Meyer, Sendacz e Opice Advogados partner Elton Minasse. “Such protection is threatened by many of the cybercrime bills.”

Several argue that a dangerous precedent has already been set following recent actions taken by several state courts towards ISPs. In May, a judge in the north-eastern state of Sergipe ordered wireless phone carriers to block access to WhatsApp for 72 hours after the company allegedly refused to release information relating to a criminal investigation; the second time the instant messaging site has been shut down in six months. The decision attracted strong criticism and was eventually overturned by a São Paulo court. Although the incident may have posed little more than mild inconvenience to many users, Azevedo Sette’s Paulo Brancher argues that the fact the court cited article 12 of the Marco Civil law, which encompasses a group of sanctions, namely warnings, fines [and] the temporary suspension of activities, to justify its decision, raises deeper legal concerns. “Those sanctions should be applied gradually and must be strictly aimed at entities that violate the rules related to the protection of logs, personal data, and private communications,” he says. “Article 12 of the Marco Civil law cannot be construed as something that entails the full and unrestricted suspension of all activities of internet connection and applications providers that operate in Brazil.”

Many fear the courts would block more ISPs if the draft proposals are passed. “My concern is that if courts are given broader blocking rights, they will apply it more broadly,” says Trench, Rossi e Watanabe Advogados (in cooperation with Baker & McKenzie) partner Flávia Rebello. “The internet legal framework states that courts can only suspend or block activities of a web provider that infringes data privacy, and even then only block activities of those Brazilian internet users, but courts have been applying the law in a way that is so far away from the letter.”

Besides threatening to undermine internet users’ constitutional right to privacy and freedom of speech online, making it easier to block ISPs could also have a wider economic and social impact. WhatsApp, for example, is used by many companies throughout Brazil for business functions ranging from market research and marketing campaigns, to internal coordination between colleagues or responding to customer complaints. Nine out of 10 doctors report regularly using the service to communicate with patients, while some courts use the app to send information about ongoing cases to lawyers. “Even though the fight against cybercrimes is relevant, we cannot close our eyes to the new paradigms created by the internet,” argues Machado Meyer’s Minasse. “It is important to keep the World Wide Web as an open space for innovation, social development and global relationships.”

Another cause for concern among Brazil’s legal practitioners is a proposed amendment to the criminal code, which would classify the invasion of any device as a federal offence, regardless of whether the intention was to obtain, tamper with or obstruct data. They argue that adopting a blanket definition fundamentally misunderstands the objective and intentions of many hackers, and could unfairly penalise so-called ethical hackers that hack systems to test for faults and report any bugs directly to companies. Facebook, for example, has paid out more than US$4 million under its bounty programme over the last five years to hackers who have reported bugs with its systems. “Businesses benefit from good hackers and companies pay them and give them a reward,” notes Trench Rossi’s Rebello. “If it becomes a crime, what incentive will they have to help the companies?”

While several changes to the bills have already been proposed, including excising both the requirement that ISPs remove content deemed offensive to the honour of politicians within 48 hours, and the inclusion of IP addresses within the registered data of each user, few within Brazil’s legal community are confident that the bills will be scrapped altogether. “We cannot be positive and expect that the bills will be shelved, considering that the current Brazilian Congress has a considerable group of conservative deputies and senators,” explains Azevedo Sette’s Ferreira. “Considering that the bills have arisen from a Parliamentary Commission of Inquiry, they began moving through the National Congress under a fast-track regime, but there is no time estimate for their voting, nor any possibility of predicting exactly what will be enacted at the end of the proceedings.”

Whatever form any final measures take, lawyers say it is essential that legislators recognise the importance of upholding the principles of user privacy and freedom online. As the internet becomes ever more deeply woven into the political, economic and social fabric of Brazilian society, and with the country’s online community growing larger by the day, most share the view that efforts to combat cybercrime should not undermine the creative and enriching potential of greater interconnectivity. “The concern I have is that we are creating too many obligations and restrictions on something that people use day-to-day,” opines TozziniFreire Advogados partner Marcela Ejnisman. “That is not to say I am against fighting criminality, but at what point does this become an obstacle to creative activity?”

Tightening the net

November 2012 – Brazil adopts its first cybercrime bill. Known as the Carolina Dieckmann Law, it establishes hacking as a criminal offence punishable by up to two years in prison. A second bill, the Azevedo Law, puts in place the infrastructure to allow the police to combat cybercrime.

April 2014 – Marco Civil da Internet enters into force, codifying the rights and responsibilities of internet users. Among its articles are guarantees for net neutrality, open government, privacy protections, data storage guidelines and safe harbour provisions for internet service providers.

July 2015 – Former House President Eduardo Cunha establishes the Parliamentary Commission of Inquiry on Cybercrimes (CPICIBER) to “debate on the impacts of cybercrimes on Brazilian economy and society” and propose amendments to combat offences ranging from child pornography and hacking, to organised crime and terrorism.

May 2016 – President Dilma Rousseff issues an executive decree to clarify certain articles in the Marco Civil. These include establishing a judicial notice-and-takedown framework, ensuring ISPs would not be required to remove any content until requested by court order, and providing guidelines on the storage of sensitive data.

May 2016 – Rousseff attaches an urgency request to a new data privacy law, giving the upper and lower houses of Brazil’s Congress 45 days each to approve the bill. The law establishes a framework for the protection, transfer and storage of sensitive data by companies.

– Brazil’s lower house of congress passes CPICIBER’s package of seven bills. The amendments include changes to three articles of the Marco Civil to allow courts to block application providers, include IP addresses in the registered data of each user and require content deemed offensive or damaging to honour be removed from websites without a judicial order. An amendment to Brazil’s criminal code would classify the invasion of any device as a federal offence, regardless of whether the intention was to obtain, tamper with or obstruct data. The draft legislation sparks criticism from Brazil’s legal community, politicians and civil society leaders, who claim it undermines privacy and is unconstitutional.

London, 1 August 2016. News, Latin Lawyer, http://latinlawyer.com/features/article/50036/caught-web/