By Philippe Bradley and Dan Cooper

On April 23rd, 2014 Brazil’s president signed into law a wide-ranging civil rights bill for Internet users and service providers (the “Marco Civil da Internet”, or “Marco Civil”).  The law had been in the works since 2009; it was made a priority by the Brazilian government in the wake of Edward Snowden’s revelations about NSA espionage activities targeting Brazilian communications data.  This short article discusses the main provisions of the new law.

The Marco Civil da Internet introduces protections for a number of rights for Internet users and service providers, covering freedom of expression, interoperability, the use of open standards and technology, protection of personal data, accessibility, multi-stakeholder governance and open government data.

Privacy will mostly be dealt with by a general data protection bill still making its way through the Brazilian legislative process.  After widespread opposition, a controversial localization obligation requiring service providers to store Brazilian-sourced data exclusively on servers located in Brazil was dropped from the draft Marco Civil.  Instead, legislators reportedly reinforced provisions giving extra-territorial effect to privacy rights enjoyed by Brazilian citizens, protecting their data regardless of where in the world it is stored and processed.

The law also includes a general net neutrality framework based on models established in Chile and the Netherlands.  This framework will be fleshed out by presidential decree following consultation with the Internet Steering Committee (CGI.br) and ANATEL, the national telecommunications agency.

The law also regulates general intermediary liability for content, although it specifically excludes intermediary liability for copyright infringement, which will be dealt with in a pending reform of Brazilian copyright law.  Under the general provisions, third-party intermediaries may only be held liable for unlawful content if they do not comply with an explicit takedown order issued by a court.

Also included was a data retention obligation, forcing Brazilian Internet communications and content service providers to retain certain metadata for between 6 and 12 months.  The retained data will only be accessible pursuant to a court order.  Comparisons will inevitably be drawn with a similar European law, the EU Data Retention Directive (Directive 2006/24/EC), that was invalidated earlier this month by the Court of Justice of the European Union (for more information, readers are referred to our coverage of the Court’s ruling, as well as our brief 2012 overview of national and international initiatives to introduce mandatory data retention).