The draft of the decree which regulates the Civil Rights Framework for the Internet (Marco Civil da Internet – Law 12,965 / 14), to treat the exceptions to net neutrality and indicate procedures for data guard for connecting providers and application (attached) has been released on 27, Jan.
The Decree is currently under public discussion in the Marco Civil page. Interested parties may contribute and suggest changes in wording or content. In addition, the participant may agree or disagree with the contributions of other participants. Below is the text of the draft, and the downloadable version is here:
This Decree regulates the Law 12,965, dated April 23rd, 2014 to deal with exceptions of network neutrality and provide procedures for data storage by connection and application providers.
The PRESIDENT OF BRAZIL, in the use of powers granted to her by art. 84, item IV, subitem, of the Brazilian Constitution, and aiming at the provisions of Law 12,965, dated April 23rd, 2014, HEREBY DECREES:
Art. 1 – This Decree deals with exceptions of network neutrality and provide procedures for data storage by connection and application providers.
Art. 2 – The provisions herein apply to services, functionalities and operations related to the access and use of the Internet, under article 5 of Law 12,965 of 2014.
Sole paragraph. This decree does not apply:
I – to telecommunication services not intended to provide internet connection;
II – to specialized services, even if they use TCP/IP protocols or similar, provided their functionalities are not merged with the public and unrestricted character of the Internet.
Art. 3 The requirement of isonomic treatment referred into art. 9 of Law 12,965, dated April 23rd, 2014, must ensure the protection of the public and unrestricted character of the access to the Internet.
Art. 4 Traffic discrimination or degradation may only result from technical requisites required to properly provide services and applications or from the prioritization of emergency services, considering that all requisites provided in art. 9, paragraph 2 of Law 12,965 of 2014 shall be observed.
Sole paragraph. Business offers and charging business models regarding the access to the internet must preserve a unique, open, plural and diverse internet, which is considered as a mean for social and human development, also contributing to develop an inclusive and non-discriminatory society.
Art. 5 The technical requisites required to properly provide services and applications are the ones resulting from:
I – the management of network security issues, such as restriction to send mass messages (spam) and controlling of denial-of-service attacks;
II – the management of situations of networks congestion, such as load redistribution, alternative routes in case of downtimes in the main route and managing in emergency situations;
III – the management of network quality issues to ensure the compliance with the minimum quality standards set in regulation published by ANATEL [National Telecommunications Agency]; and
IV – the management of essential issues necessary for the proper use of applications, aiming to ensure the user’s experience quality.
Paragraph 1 In the cases listed in items III and IV of the head paragraph, the responsible for the transmission, commutation or routing may adopt technical measures enabling the separation of different classes of applications, which are provided in international standards, being subjected to the isonomy between each class of application and the provisions of item IV, of paragraph 2 of art. 9 of Law 12,965 of 2014.
Paragraph 2 ANATEL will audit and assess violations regarding the technical requisites listed herein, according to guidelines established by CGI [Brazilian Internet Steering Committee].
Paragraph 3 Traffic discrimination or degradation arising out of the mandatory technical requisites referred herein shall be subjected to the provisions of paragraph 2, art. 9, of Law 12,965 of 2014.
Art. 6 The responsible for the transmission, commutation or routing shall adopt active transparency measures to inform the user on the reasons for traffic management involving the discrimination or degradation referred into art. 4, such as:
I – reference in the service agreements executed with final users or application providers, by indicating the impact of the traffic management practices on the user’s experience quality;
II – the disclosure of information related to the adopted traffic management practices on their websites, using a language easy to understand;
Art. 7 The degradation or discrimination arising out of the prioritization of emergency services may only result from:
I – the communications sent to the emergency service providers, as set forth in ANATEL regulation; or
II – the necessary communications to inform people in situations related to risk of disaster, emergency or state of emergency.
Sole paragraph. In the cases listed herein, data transmission will be free of charges.
Art. 8 The agreements between connection and application providers shall preserve the public and unrestricted character of the access to the Internet.
Paragraph 1 Agreements referred into the head paragraph resulting on the discriminatory prioritization of data packages are forbidden.
Paragraph 2 Agreements between connection and application providers are subjected to the assessment of a competent authority, under Chapter IV hereof.
Art. 9 The administrative authorities referred to in art. 10, paragraph 3 of Law No. 12,965 of 2014, will appoint the legal basis of their authority related to the access and reason for the request for record data.
Sole paragraph. Record data are deemed as: parents’ name, address and personal details, such as name, last name, marital status and profession of the user.
Art. 10. On a yearly-basis, the highest authority of each federal government agency will publish on its website statistical reports of requests for record data, which will include:
I – the quantity of requests;
II – the list of connection or application service providers from which data was required; and
III – the quantity of requests granted and rejected by connection providers and application service providers.
Art. 11. In data recording, storage and processing, connection and service application providers shall comply with the following security standards guidelines:
I – the setting of a strict control on access to data by defining the duties of personnel who may have access and have privileges of exclusive access for specific users;
II – the prevision of authentication mechanisms to have access to connection logs and access to application logs, by using, for example, two-factor authentication systems to ensure the individuality of the person responsible for processing the logs;
III – the creation of a detailed inventory on the accesses to connection logs and access to applications logs, including the time, duration, identity of the employee or of the responsible person for the access and the accessed file, as well as for compliance with the provisions of art. 11, paragraph 3 of Law 12,965 of 2014;
IV – the use of logs management solutions by means of cryptography technologies or similar protection measures to ensure data integrity; and
V – the logical separation from other data processing systems for business purposes.
Sole paragraph. CGI shall promote studies and suggest procedures, rules, technical and operational standards for the provisions of the head paragraph, according to the particularities and size of connection and application providers.
Art. 12. For the purposes of the provisions hereof, one considers:
I – personal data as the data related to the identified or identifiable individual, including identification numbers, locational data or electronic unique identifiers, including connection logs and access to applications logs and content of private communications; and
II – processing of personal data as the set of actions related to information collection, production, receipt, qualification, use, access, reproduction, issue, distribution, transport, processing, filing, storage, exclusion, assessment or control, change, blocking or disclosure of personal data to third parties, whether by communication, interconnection, transfer, spread or extraction;
Art. 13. The data referred into art. 10 of Law 12,965 of 2014 must be storage in a format that enables access requests arisen from a court decision or legal order, subjected to the guidelines listed in art. 11 hereof.
Art. 14. The information on security standards adopted by application and connection providers must be disclosed in a clear and accessible way to anyone interested in the information, mainly through their websites.
Art. 15. The National Telecommunications Agency shall regulate the conditions for telecommunication service providers and their relation with value-added service providers, audit and assess violations, as well as prevent violations to rights and behaviors harmful for competition, under the Law No. 9,472, dated July 16th, 1997.
Sole paragraph. The Agency shall also audit and assess violations related to the protection of connection logs.
Art. 16. The Brazilian Office of Consumer Affairs shall audit and assess violations, under the Law No. 8,078 dated September 11th, 1990.
Art. 17. The Brazilian Competition Policy System shall assess violation to the economic order, under the Law No. 12,529 dated November 30th, 2011.
Art. 18. Federal authorities and federal government entities with specific authority regarding the issues hereof shall operate in a cooperative manner, always subjected to the Brazilian Internet Steering Committee, whenever required, and they shall ensure the compliance with Brazilian legislation by enforcing applicable remedies even in case of operations performed by an entity located abroad, under art. 11 of Law 12,965 of 2014.
Art. 19. The assessment of violations to the Law 12,965 of 2014 and to this Decree will be subjected to the internal procedures of each tax authority, and may be voluntarily initiated or by the request of any interested person.
Art. 20. This Decree is effective in forty-five days after the data of its publication.
Brasília, ____ ____, 2016; 195th year of Independence and 128th year of Republic of Brazil.
Escritório de advocacia especializado em Direito Digital e Eletrônico desde 1997.