Cyber Law in Brazil
Introduction
Cyber law in Brazil (Direito Digital or Direito Cibernético) is anchored by the Marco Civil da Internet (Law 12.965/2014), often described as the “Internet Constitution” or “Internet Bill of Rights,” and the General Data Protection Law (Law 13.709/2018, LGPD). Brazil was one of the first countries to enact comprehensive internet regulation, and its framework has influenced digital rights legislation across Latin America. Brazilian cyber law addresses net neutrality, intermediary liability, data protection, cybersecurity, and digital rights.
Marco Civil da Internet (2014)
Foundational Principles
The Marco Civil establishes principles, guarantees, rights, and duties for internet use in Brazil. Its three foundational principles are: neutrality of the network (neutralidade de rede), privacy (privacidade), and freedom of expression (liberdade de expressão).
Net Neutrality
Article 9 of the Marco Civil mandates net neutrality, requiring that internet connection providers treat all data packets equally, without discrimination by content, origin, destination, or application. The law permits limited exceptions for technical and emergency services, regulated by the Brazilian Internet Steering Committee (CGI.br) and the National Telecommunications Agency (ANATEL).
Intermediary Liability
Article 19 creates a notice-and-takedown regime for intermediary liability. Internet application providers (social media platforms, search engines, content hosts) are liable for third-party content only if they fail to remove specific content after a court order. This provision, which limits liability more than the US Section 230 but less than the EU’s strict liability regime, has been controversial.
In ADPF 130 (2009), the STF declared the 1967 Press Law unconstitutional, and in ADI 4.451 (2018), the STF examined the Marco Civil’s liability provisions. The STF is currently reviewing Article 19’s constitutionality in ADPF 403 and RE 1.037.396 (Theme 987), with arguments addressing whether the requirement of prior court order unduly restricts the removal of harmful content.
Data Retention
The Marco Civil requires internet connection providers to retain connection logs for one year (Article 10) and application providers to retain access logs for six months (Article 13), subject to privacy and confidentiality protections.
General Data Protection Law (LGPD)
The LGPD, effective since 2020, is Brazil’s comprehensive data protection framework. Modeled on the EU’s General Data Protection Regulation (GDPR), the LGPD establishes principles, rights, and obligations for processing personal data. See the General Data Protection Law article for detailed analysis.
Cybercrime Legislation
Law 12.737/2012 (Carolina Dieckmann Law)
This law, enacted in response to a high-profile hacking incident, criminalized unauthorized access to computer devices, disruption of electronic communications, and creation of malicious code. It introduced Articles 154-A and 154-B to the Penal Code.
Penal Code Provisions
The Penal Code now includes: (i) unauthorized access to a computer device (invasão de dispositivo informático, Article 154-A); (ii) interruption of electronic communications; (iii) impersonation in cyberspace; and (iv) theft of digital data.
ANATEL Regulation
The National Telecommunications Agency (ANATEL) regulates telecommunications and internet services. ANATEL regulations address: (i) quality standards for broadband; (ii) consumer rights in telecommunications; (iii) cybersecurity requirements for telecom providers; and (iv) spectrum allocation for mobile internet.
Digital Rights and Access
Internet Steering Committee
The Brazilian Internet Steering Committee (CGI.br), created in 1995, is a multi-stakeholder body responsible for coordinating internet governance in Brazil. CGI.br has issued Principles for the Governance and Use of the Internet (2009), which influenced the Marco Civil’s drafting. It promotes digital inclusion, manages domain registration (.br), and conducts research on internet development.
Right to Internet Access
Brazilian law does not recognize a constitutional right to internet access per se, but courts have held that internet access is an essential service. During the COVID-19 pandemic, the STF affirmed that internet access is necessary for the exercise of fundamental rights, including education and work.
Freedom of Expression and Platform Regulation
Disinformation Regulation
Brazil has debated legislation to combat disinformation. Bill 2.630/2020 (the Fake News Bill or PL das Fake News) proposes transparency requirements for platforms, obligations to combat coordinated inauthentic behavior, and accountability for paid content. The bill remains under congressional consideration.
Electoral Regulation
The Superior Electoral Court (TSE) has issued resolutions regulating online political advertising, requiring transparency in digital campaign financing, and combating disinformation during elections. The TSE maintains partnerships with platforms to remove electoral misinformation.
Cybersecurity
National Cybersecurity Policy
Decree 10.222/2020 established the National Cybersecurity Policy and the National Cybersecurity Committee, aiming to strengthen Brazil’s cybersecurity posture, protect critical infrastructure, and promote international cooperation.
Critical Infrastructure Protection
Law 13.506/2017 and regulations by the Presidential Institutional Security Office (GSI) require entities operating critical infrastructure to implement cybersecurity measures and report incidents.
Conclusion
Brazilian cyber law provides a comprehensive regulatory framework that balances innovation, freedom of expression, privacy, and security. The Marco Civil da Internet established pioneering rules for net neutrality and intermediary liability, while the LGPD created robust data protection standards. Brazil continues to develop its cyber law framework through legislation addressing disinformation, AI, and cybersecurity, positioning itself as a leading digital jurisdiction in Latin America.