President Dilma Rousseff signed Federal Decree No. 8,771/2016 regulating the Internet Legal Framework (Federal Law 12,965/2014). The final version of the Decree was published in an extra edition of the Official Gazette last evening. The Decree has significant changes when compared to the Ministry of Justice's draft submitted to public consultation on January 27, 2016.
 
The Decree addresses cases where internet data packages discrimination and traffic degradation are permitted, indicates procedures for connection and application providers to store and protect data, indicates transparency measures for the request of users' enrollment information by public administration entities and establishes parameters for monitoring and investigating legal violations.
 
As already set forth in the Internet Legal Framework, the Decree details the circumstances under which the principle of network neutrality does not apply, therefore allowing network traffic discrimination or degradation. To this effect, network neutrality shall not be required as a result of necessary technical requirements for the proper provision of services and prioritizing emergency services. The technical requirements mainly refer to network safety issues and exceptional situations of network jams. The Decree sets forth that Anatel (Brazilian Telecommunications Agency) will supervise and investigate violations of such technical requirements, and may issue regulatory parameters considering guidelines of the Internet Steering Committee in Brazil (CGI.br).
 
In addition to establishing transparency measures to inform users of cases in which network traffic discrimination and degradation are permitted, the Decree expressly prohibits certain conducts or unilateral acts or agreements between internet connection providers and application providers which prioritize data packages as a result of commercial arrangements or that favor applications offered by internet connection providers or affiliated companies thereof.
 
As regards protection of logs, personal data and private communications, the Decree defines "user enrollment information" and determines that administrative authorities, when requiring users' enrollment information to providers, must indicate the legal basis for their express authority to access such information and the motivation for the request. Providers which do not collect user enrollment information shall inform such fact to the authorities and are released from the obligation to provide this information.
 
In addition, the Decree is specially concerned with data privacy, establishing safety and confidentiality standards for logs, personal data and private communications to be adopted by connection and application providers. Among such measures are, for instance, strict control over data access through the definition of responsibilities of the persons who may have access to data and exclusive access privileges to certain users, inventory of any such accesses, and the need to use techniques which ensure the inviolability of data, such as encryption or equivalent protective measures. CGI.br may recommend procedures, rules and technical standards related to such measures.
 
The concern with data privacy is also reflected in the obligation that connection and applications providers retain the least possible amount of personal data, private communications and connection and access logs. Such data must be immediately deleted after it reaches the purpose for which it was collected or upon expiration of the retention period established by law. However, the Decree establishes that such records, personal data and private communications shall be stored in an interoperable and structured format, for easy access arising from court decisions or legal provision.
 
Finally, the Decree also establishes that federal authorities specifically competent to deal with matters related to the Decree shall act in a collaborative manner, including during proceedings for applying penalties, taking into account the guidelines set forth by CGI.br. Anatel will be responsible for regulating, inspecting and investigating violations as provided for in Federal Law No. 9,472/1997 (General Telecommunications Law).
 
The Decree becomes effective in 30 days.
 
Our Intellectual Property and Information Technology practice group remains available for any additional information or clarification.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.