Brazil, the Internet and the Digital Bill of Rights - Reviewing the State of Brazilian Internet Governance

Author: Daniel Arnaudo • Editor: Nathan B. Thompson • Designer: Raphael Durão


Passed in 2014, the Marco Civil da Internet (MCI/The Brazilian Internet Bill of Rights) is a landmark in 21st century governance, both for Brazil and internationally. It codifies ten principles developed by the country’s Internet Steering Committee in the constitution, including network neutrality, freedom of expression and privacy, to define and grant strong civil rights for citizens both online and off. Using these principles as a framework, this report surveys the implementation of the MCI, as well as a host of other laws, bills and regulations relating to the Internet. This comes following the impeachment of former President Dilma Rousseff, whose Workers’ Party controlled the executive for more than 13 years and developed the MCI. These policies are being challenged by Rousseff’s former Vice-President and successor, President Michel Temer, and his allies in Congress. The report details Rousseff’s final actions to secure her digital legacy, signing decrees to implement the MCI, draft a national broadband plan and ensure freedom of information for any document not categorized as classified information by the bureaucracy. It analyzes key cybersecurity and data protection bills, including proposed laws emanating from a commission on cybercrime and numerous proposals to strengthen law enforcement investigations online. Judges in Brazil shut down WhatsApp’s instant messaging network three times over the past year when the company refused requests for data, and pressed Facebook and other companies with similar demands. The government and private corporations are constructing domestic and international Brazilian-owned infrastructure, including six new transatlantic fiber optic cables and a Geostationary Defense and Strategic Communications Satellite. 
As one of the world’s largest economies, a model in digital law, a member of the group of BRICS countries and a leader in the Global South, Brazil’s strategies for the virtual space, both physically and legally, provide a model for democratic Internet governance while illuminating both challenges and opportunities for any country connected to the global network.

Introduction and Key Findings

Although suffering from interlocking political and economic crises, Brazil is the dominant power in Latin America. It features the region’s largest population, the world’s seventh largest economy and one of the planet’s most active online communities. Notwithstanding a deep recession, corruption investigations and political uncertainty, Brazil plays a central role in the networks that make up the Internet, with a large percentage of Latin America’s traffic flowing through its Internet Exchange Points (IXPs). Data from across the region is frequently stored in Brazilian data centers, and distributed throughout the world via transatlantic fiber optic cables emanating from Fortaleza, Rio de Janeiro and São Paulo. The country is a fundamental part of the digital infrastructure that makes the Internet work. What is more, Brazil’s government has helped craft the policies that are essential to the Internet’s core architecture, operations and management worldwide.

The central component of the digital political ecosystem in Brazil is the Marco Civil da Internet (MCI) or Brazilian Internet Bill of Rights. This law modifies the country’s constitution to give citizens, the government and organizations rights and responsibilities with regard to the Internet. The MCI is driven by a set of ten principles, including network neutrality, privacy, freedom of expression, security and universality. This report uses the ten principles as a framework for assessing the state of Internet governance in Brazil; it also considers the implementation of the MCI and other bills and laws related to these principles and global Internet governance. In addition, it examines the state of Internet usage and infrastructure throughout the country. Brazil is a lynchpin in the global Internet ecosystem and an exemplar of an alternative approach to international policy regarding the governance of online networks.

Through a series of interviews, analysis of data, laws and proposed legislation, the paper examines the core principles of Brazilian Internet law in turn. Beginning with a history of the MCI, there follows an explanation of how the law defines Internet governance through these principles, and an examination of how they are expressed in the Brazilian legal and political landscape. The first principles examined are freedom of expression, privacy and human rights. These are core pillars of the MCI, human rights that are reflected in numerous statutes and proposed laws today. Second, there is a discussion of how Brazil’s government has attempted to promote democratic and collaborative governance online. Third, the report reviews how the country is working to expand access through the goal of universality, promoting diversity of users and spurring innovation. Fourth, it considers how network neutrality is being treated as a human right and implemented as the final core pillar of the MCI. Fifth, the paper examines the infrastructure in Brazil and the state of access in real terms. Finally, it seeks to explain the state of security online in terms of data about attacks, the organization of law enforcement, the military and intelligence services online, informed by a number of laws, including the MCI. It concludes with some considerations on the future of the Brazilian Internet governance model, both domestically and internationally.

Key Findings:

A Brief History of the MCI

Due in part to its size and governance structure, Brazil provided an early model for Internet governance from the onset of multinational online networking. An Internet Steering Committee (Comitê Gestor da Internet, or CGI), a multi-stakeholder entity with representatives from the public and private sectors, academia and civil society, guides Brazil’s executive branch and Congress in formulating and implementing legislation that governs use of the Internet. CGI promulgates rules for the management of the network and advises Congress on new regulations. The committee formed an integral part of the initial process to steward the country’s transition from a National Research Network into what would become Brazil’s commercial Internet backbone in the 1990s.

In a 2009 resolution, CGI issued ten guiding principles for what became the Brazilian Digital Bill of Rights, known in Portuguese as the Marco Civil da Internet (MCI). These principles are central to the provision of a robust and free Internet and crucial to fostering security, economic development, and a strong civil society in an increasingly digital world. In addition to the official resolution, calls from civil society encouraged the government to create a civil rights framework for cyberspace. One of the principal advocates of the concept of a Marco Civil was the Center for Technology and Society at the Getúlio Vargas Foundation (CTS-FGV). CTS-FGV and other devotees of an open Internet maintained that while it was necessary to articulate strong penalties and a clear legal framework to address criminality online, it is equally important to define a set of rights and responsibilities for all Internet governance policy stakeholders – at the individual and collective levels.

From 2009 to 2014, the bill underwent a lengthy process of online discussion, debate and editing through an unprecedented, open source participation system. Participants worked from a draft of the bill created by the Ministry of Justice and the staff of CTS-FGV, making their own comments and edits to the bill. Individuals, organizations, companies, government agencies and even other governments offered input throughout the process, improving the pioneering online, open source system along the way. Pedro Abramovay was the Ministry of Justice’s Secretary for Legislative Affairs at the time, and coordinated the MCI process there. For Abramovay, it marked a turning point in democratic governance in Brazil.

If we want to mobilize society, this is dangerous and normally doesn’t work. What we needed were openings inside government to interact with public mobilizations that already existed. There was already resistance to existing security legislation, such as to Senator Azeredo’s [cybersecurity] law. The role of the process was to turn this resistance against something into a proposal, and that was the key to the MCI process. There were many conditions that had to be met, from people taking the vote seriously, to the public having a vote, to legislators taking the vote seriously in Congress. This is not something that will be easily replicated.

After this process, then President Rousseff submitted the bill to Congress, where it remained for some time – a victim of political inertia and opposition to its provisions, particularly from telecom companies hostile to the concept of network neutrality.

In the summer of 2013, NSA whistle-blower Edward Snowden’s disclosure of the United States’ global surveillance system broke the logjam. Snowden presented evidence of spying on Brazilian citizens, wiretapping of Brazilian network infrastructure and surveillance at the highest levels of industry and government. Perhaps partly responding to revelations that the NSA had tapped her phone, Rousseff cancelled a planned state visit to Washington D.C. and was among the most vocal of world leaders to denounce the surveillance. At the same time, the Brazilian president demanded that her government respond to online surveillance by stimulating domestic industries for computer software and hardware, and by developing new network infrastructure such as transatlantic cables that would avoid the U.S. altogether; Rousseff made the passage and implementation of the MCI a legislative priority.

These developments led to a fast track for the bill in 2014. While the Senate debated certain provisions (such as requiring multinational Internet companies to store Brazilian data domestically in Brazil, or whether to strip net neutrality out of the bill completely), the MCI ultimately passed in March 2014 in a form that largely hewed to the version originally submitted to Congress. Challenges to the MCI would continue, in different forms, before and after its final passage. When President Rousseff signed the bill into law on April 23rd 2014 at the NetMundial Global Meeting on the Future of Internet Governance in São Paulo, she signaled that her government considered the MCI as a framework not only for Brazil, but for the world. She called on governments, civil society organizations and companies to join her in supporting a NetMundial process for the export of Brazilian Internet governance principles internationally. President Rousseff thus positioned Brazil as a leader for democratic Internet governance principles.

The MCI presents a new set of standards for Brazil and for the rest of the world. The bedrock of this Digital Bill of Rights rests on ten principles that define its articles and the original objectives of providing for individual rights in cyberspace. These principles define a set of goals for government, business and society online, providing the framework for a law grounded in the three pillars of net neutrality, privacy and freedom of expression. In the charged atmosphere of a political crisis involving impeachment proceedings and deepening corruption investigations against the entire political class, the MCI was fully implemented by presidential decree in mid-2016. However, whether the law will succeed in its objectives remains unclear. In many cases, Temer’s administration is increasingly proving to be in opposition to its predecessor’s objectives, for instance opposing universal access through public sector investment. Notwithstanding Brazil’s political turmoil, an examination of these principles, and of how they operate in the law and online, informs and describes a set of debates that continue in Brazil and in countries around the globe grappling with the increasingly challenging task of developing sound Internet governance policies.

Understanding Internet Governance through the Marco Civil

The Brazilian government took more than two years after the passage of the new law to determine how best to apply its specific provisions. On May 11, 2016, while facing suspension of her term by the Senate, President Rousseff signed an executive decree fully implementing the MCI. This report examines the objectives of the legislation, the ways in which stakeholders have debated the rulemaking process and how the law’s objectives are carried out through coordination between government, civil society and private sector actors. The goals of the Rousseff administration and the PT were frequently at odds with those of the opposition parties and their backers, such as law enforcement, telecommunications companies, and the military. During her mandate, Dilma and the PT considered the MCI as one of the administration’s signature legislative accomplishments. Issuing an executive decree to implement the MCI on her final day in office demonstrated the importance Rousseff placed on this legislative achievement and its potential legacy. After the Senate trial found her guilty of manipulating the country’s budgetary accounts and removed her from office on August 31, 2016, Michel Temer was sworn in as President, and will serve out the remainder of Rousseff’s term until 2018.

Temer moved quickly to make changes in the structure of the government, even before Rousseff’s impeachment had been confirmed. While still interim president, he signaled his administration’s policy priorities by eliminating the Ministry of Culture and the Ministry of Communications, folding the former into the Ministry of Education and the latter into the Ministry of Science and Technology. Both shuttered ministries have historically played important roles in the formation of Internet governance policy, alongside the Ministry of Science and Technology. After vehement objection and pressure by artists, intellectuals and the public at large, Temer reversed course and reinstated the Ministry of Culture. Nonetheless, the reorganization indicates fundamental differences between Rousseff’s and Temer’s respective approaches to governance. The Ministry of Communications remains merged, though André Figueiredo (the outgoing Minister of Culture and now a member of Congress) challenged the administrative reorganization in the Supreme Court. Among other functions, the Ministry of Communications holds a seat on the CGI and helps manage both the National Telecom Agency (ANATEL) and the national telecom provider, Telebras. The ministry’s reorganization will have serious effects on Internet governance policy in Brazil.

Freedom of Expression, Privacy and Human Rights

The MCI law is fundamentally a digital bill of rights. Its opening articles state that the democratic principles of freedom, privacy and human rights are equally applicable in cyberspace. In particular, Articles 2 and 3 frame these civil rights principles while “acknowledging the global scale of the network”, as well as pluralism, diversity, openness and collaboration and economic rights such as free enterprise, competition and consumer protection. Civil rights take precedence in the legislative language, but free enterprise and new business models are also encouraged “provided they do not conflict with the other principles established in this Law.”

The right to privacy is also guaranteed by the law. Personal data is protected “as provided by the law,” while ensuring that citizens and organizations, both public and private, are accountable according to their activities. Under Article 7, this right to privacy is defined as the “inviolability and secrecy of the flow of the user’s communications through the Internet, except by court order, as provided by law.” Carlos Affonso Souza, Director of the Institute for Technology and Society (ITS) in Rio, participated in the process throughout the development of the MCI in his capacity as a legal scholar at CTS-FGV. He describes how Article 7 became a direct response to Snowden’s revelations of NSA spying, and how this was not the case initially:

First of all, it is important to understand that the MCI was not conceived as a tool to tackle the Snowden programs… Because of the scandal, the MCI was changed in a number of ways. Article 7 included privacy and data protection, not only because of the Snowden revelations. [Congressman] Molon realized at the time that the Ministry of Justice had tried to push data protection since 2010 and nothing much happened. At the time, the Marco Civil was looking like a bill with a chance of passing, so they thought that they could take some draft provisions from the data protection bill. One of the main changes relates to data protection and Article 7.

Alessandro Molon, a member of Brazil’s lower house of Congress and sponsor of the Marco Civil, used a legislative maneuver to insert provisions into Article 7 that would compel law enforcement to seek a court order to violate the secrecy of user communications.

In 2015, a conservative bloc in Congress pushed back against this provision, even as the government continued to determine how the MCI should be implemented. What began as a proposed law to punish “crimes of honor” (such as defamatory or libelous comments on social networks) became a vehicle for an attack on the MCI’s privacy provisions – known formally as PL 215/2015 and by critics as the PL Espião, or “Big Spy Bill”. Opposition members proposed revisions to the civil code and MCI that would require Internet companies to store user data such as name, home address, email and CPF (a Brazilian national ID number). In addition, law enforcement authorities would no longer need to request a judicial order to receive this information.

PL 215/2015 was also expected to implement a variation of the European “right to be forgotten” into the law. It would differ from Europe’s legislation, however, where offending content is delisted from search engines like Google. In this case the company hosting the content would be required to remove it from its servers, based on information it collects about every user, such as their real name, national ID number and home address. Affonso of ITS has characterized this debate as “an ongoing conversation reflected in discussions throughout the MCI draft legislation. One side is looking to have human rights-driven legislation in Brazil, but there are repeated attempts to play another round.” Molon put it even more simply: “If approved in this form, PL 215/2015 would practically destroy data secrecy.”

In April of 2016, as the lower house of Brazil’s legislature approved President Rousseff’s impeachment trial and a corruption investigation against senior members of her government and the opposition grew, a special Congressional commission (the Commission of Parliamentary Inquiry on Cybercrime, or CPICIBER) issued a report recommending a series of controversial bills, ostensibly related to cybercrime. These bills include proposals that would enable the expansion of user data retention for applications and Internet providers (PL 3237/2015), or grant access to IP addresses in criminal investigations without a judicial warrant (PLS 730/2015). PL 5204/2016 would permit the blockage of sites at the root level. Another could penalize online security researchers for testing malware. PL 5203/2016 would increase penalties for infringement of copyright, and for hosts that do not quickly take down illegal content. The authors of the MCI specifically excluded copyright from the law – and it remains a section of the Brazilian legal code in need of reform – but the commissioners appear intent on taking a punitive tack. This approach would be in alignment with more extreme copyright enforcement regulations, such as the U.S. Digital Millennium Copyright Act (DMCA).

Finally, CPICIBER proposes paying for these initiatives by appropriating money that is generally earmarked for the development of infrastructure to support universal Internet access (the Fistel telecommunications fund) and re-allocating it towards police investigations and other security operations. The ambitious scope of these proposals, which seek to modify already implemented aspects of the MCI, highlights the commission’s desire to revisit the more punitive objectives of the cybercrime bill that inspired the MCI (i.e. Azeredo’s Law). As a digital bill of rights, a primary objective of the MCI was to contest the penal approach to cybercrime with the construction of a broader legal framework defining rights and responsibilities for individuals and organizations.

Abramovay described this framework, and the Ministry’s approach:

Our position was against punitive criminal law and ‘law and order’ perspectives on many issues – from alternative penalties, to drug policy and many others. The [MCI] process was part of this perspective, the civil rights perspective for criminal law. Because we took this position, civil society came closer to us during this process, and we had no particular expertise within the ministry to discuss Internet and telecommunications issues.

Later, the Ministry of Justice worked with the Ministry of Culture to develop the online open source system that drafted the bill, and consulted closely with CTS-FGV on the initial text and the integration of the subsequent comments and feedback. Groups that back the “law and order” position have the support of President Temer’s allies in Congress; the CPI Cybercrime bills, PL 215/2015 and challenges to full MCI implementation are all indicators of this continued opposition.

Brazilian and international civil society groups have criticized these proposals and accompanying challenges to the law, including the CPICIBER commission recommendations. An open letter to Brazil’s Congress, signed by Brazilian and international organizations ranging from Access Now and the Electronic Frontier Foundation to ITS, CTS-FGV and the Igarapé Institute, articulated the main concerns:

The bills in this report and the report itself would criminalize the practices of ordinary Internet users under the pretext of preventing cybercrimes. We urge the Brazilian Congress to continue standing for Internet Freedom. Congress should drop the draft bills proposed by the Commission of Parliamentary Inquiry on Cybercrimes (CPI dos Crimes Cibernéticos) and continue to focus on advancing an open and free Internet.

Conversely, the MCI does not provide explicit descriptions of penalties, methods and user safeguards for personal data protection, which the law calls for the President’s office to develop. Data is the currency of our age; it is the lifeblood of nearly every country and company, from China to Facebook. It is therefore critical to have open discussions and debates on how data is defined and codified within a country’s legal system. How should companies approach and handle data? What should organizations do to protect data, how can users ensure it is being stored properly and how does the law distinguish between different kinds of digital information (e.g. anonymized, meta or personal)?

In early 2015, the Brazilian Ministry of Justice began taking public comments on a draft law for data protection. The government received 1,200 comments from a wide variety of groups, including private sector companies, non-profit organizations and individual citizens. After the open comment period, the legislature has moved to develop its own proposals focused on data protection. Senators from the Committee on Science and Technology and another senator who headed the committee investigating espionage in the country in 2014 developed versions of the law. The objective of these efforts is to prevent the commercialization and misuse of personal data.

On May 12, 2016, the same day the Senate approved President Rousseff’s impeachment trial and suspended her from office, Rousseff sent a new version of the data protection bill (PL 5276/2016) to two lower house committees: The Committee on Justice and the Constitution, and the Committee on Labor, Public Service and Administration. This draft bill would sanction the use of data only with the permission of Internet users and for the execution of specific purposes they define. The bill also proposes to create an authority to implement and monitor a protection regime, providing users with mechanisms to report infringement of the regulation. Rousseff’s office noted that such a proposal for a new bureaucratic administration could only emanate from her office, suggesting another reason for her urgent order on the day. Civil society groups were largely supportive of the new bill, which was drafted by integrating extensive public comments and demands for robust privacy protections.

Questions of data protection, privacy and security predate the passage of the MCI. In terms of the penalties for non-compliance, Rousseff’s May data protection proposal is stronger and more narrowly-defined than earlier proposals, such as PL 4060/2012 or the Senate drafts. Two cybersecurity laws are directly connected to the MCI – Azeredo’s Law (Law 12.735/2012) and Carolina Dieckmann’s Law (Law 12.737/2012). The latter is named for a celebrity whose nude photos were leaked over the Internet after hackers broke into her personal computer; the former is a general modification of the penal code to specify electronic crimes, named for Senator Eduardo Azeredo, the sponsor of the bill since 1999. The MCI itself was, in part, a critical response to Senator Azeredo’s cybersecurity law. As with more recent proposals, such as PL 215/2015, legal scholars and civil society groups criticized Azeredo’s bill as being too punitive and focused on protecting the interests of the wealthy and powerful. The law sanctioned increased penalties for crimes against public figures, such as politicians and wealthy entrepreneurs.

While this proposed cybersecurity law was being debated in 2007, Ronaldo Lemos, a legal scholar and co-founder of the Institute of Technology and Society (ITS) in Rio de Janeiro, authored a widely-read editorial that jump-started the MCI process. Lemos argued that policymakers could not define Internet crimes in the penal code without corresponding rights and responsibilities for individual citizens, companies and government agencies online. Security, as well as concerns about government overreach and online digital rights, were at the heart of the draft legislation from the outset.

Nonetheless, both security laws were enacted in 2013, a year before the MCI. Their passage was prompted in large part by the leaked Dieckmann photos and subsequent media coverage. The Dieckmann law addresses invasions of privacy and the protection of personal data, making it a crime to “obtain, tamper with or destroy data or information without the expressed or tacit authorization of the owner of the device, or install vulnerabilities” to achieve these ends. The statute contains language that increases penalties for decrypting or accessing private electronic communications that are commercial, industrial or governmentally defined secrets, significantly boosting fines and jail time for such crimes. Interrupting or tampering with telecommunications of any kind is now an indictable offense, punishable through the civil code.

However, these laws highlight the contradictions between strong privacy protections and the criminalization of online behavior. Dieckmann’s law in particular differentiates between citizen data, and data possessed by the government and private businesses. This is a concern of legislators, who sometimes use laws like Dieckmann’s and the proposed PL 215/2015 to gain special protection under the law as public figures. The so-called “right to be forgotten” is an example. “There are at least five bills that have been introduced into the Congress [in 2015], and none of them exempts politicians or authorities from the scope of the right to be forgotten,” noted Affonso in an interview. In 2016, as battles over corruption and impeachment turned into highly visible affairs, politicians have shown themselves as particularly eager to have ways of protecting their image online. Lemos, one of the principal drafters of the MCI, says these types of protective legal mechanisms do not have a place in a democracy: “In democratic countries (and also in Brazil), public figures, especially those holding elective office, have a lower threshold than the general public in terms of defamation of character. It is vital that this is so, to allow continual scrutiny.”

At the same time, the judiciary and law enforcement, backed by conservative legislators, have advocated for increased access to user data by any means necessary. During the deliberations to draft the MCI in 2014, legislators proposed a provision that would force all multinational Internet companies to store data locally on servers in Brazil. While this initiative was ultimately defeated, it mirrored proposals put forth in countries such as Russia and Turkey that have been moving towards more authoritarian systems of government.

The competing goals surrounding user privacy and public security policies gained headlines in December 2015, when a São Paulo judge ordered the shutdown of instant messaging service WhatsApp for 48 hours, because its parent company, Facebook, refused to turn over user data for investigations into drug trafficking and organized crime. A higher court overturned the ruling less than 13 hours later, but the episode demonstrated how intent investigators are on gaining access to personal communications. Law enforcement officials have found allies in the telecoms that have to respond to court-ordered requests for data; Brazilian mobile operators increasingly view WhatsApp – and other over-the-top (OTT) messaging services, such as Telegram – as a threat to traditional SMS messaging, for which they charge fees and are heavily regulated. In the past, groups such as Vivo (owned by Spain’s Telefonica) and Oi filed appeals against such shutdowns, but in the December 2015 WhatsApp shutdown, only Oi made such an appeal.

In 2015, the president and CEO of Telefônica Brasil, which owns Vivo, called WhatsApp “pirates”, criticized its business model as leeching off of telecoms’ investment in the networks and demanded that ANATEL regulate such services as they do telecoms that provide SMS or traditional telephony. Marília Maciel, Director of CTS-FGV at the time, noted in an interview that regulating such services in this way conflicted with the principle of net neutrality and other provisions of the Marco Civil:

By asking the telecom providers to block WhatsApp, the judge put them in a difficult situation. With each blockage, telecoms may be in contravention of the principles of network neutrality. It was a very unfortunate decision. It did not meet the basic principles of proportionality, and it hampered the ability for Brazilian citizens to communicate freely. It’s a real problem that needs to be confronted…it’s an incentive for public authorities to say “let’s localize data.”

This conflict has grown more pronounced in the contested political environment and with a new president with different policy goals and priorities. As the CPICIBER congressional commission debated the final version of its cybercrime report in April, a judge in the state of Sergipe ordered another shutdown of the WhatsApp service – this time for 72 hours. The action – and the outcry of digital rights groups – prompted the commission to include language preventing the blanket shutdown of social networks, even curtailing aspects of the MCI that impose network shutdown penalties for Internet companies that do not comply with judicial orders.

The modifications did not change the punitive nature of the newly proposed laws, however, nor did they address the potentially broadened authority of law enforcement to investigate and shut down users online. Some civil society groups argued that this order contravened the MCI’s network neutrality provisions, in that it blocked a specific kind of traffic; an appeals judge rescinded the shutdown after 24 hours, short of the 72 mandated by the original court order. In March, another judge in São Paulo had attempted a different approach, briefly jailing Diego Dzodan, the vice president of Facebook for Latin America, in another effort to force WhatsApp to provide data for an ongoing criminal investigation. In July, WhatsApp was blocked for a third time in seven months by a judge in Rio de Janeiro state, though service was restored when the judicial order was overturned by Brazil’s Supreme Court. Unlike the earlier two blocks, the Rio de Janeiro judge did not ask for previous communication logs, but for real-time monitoring of encrypted communications of a suspect, demonstrating a lack of understanding of how end-to-end encrypted messaging functions. The judge’s action prompted calls for a more open dialogue between the Ministry of Justice and digital rights groups on the laws governing such wiretaps and the nature of the technology used.

These judicial blocks and the detention of a Facebook executive highlight the contentious nature of the present environment in Brazil and the frustration of many political, judicial and law enforcement actors at having to accept new cryptographic systems imposed by foreign companies in their products. WhatsApp had been steadily integrating a new end-to-end encryption backbone since Edward Snowden’s revelations about NSA surveillance activity in 2013. The company significantly deepened its expertise in this area by hiring cryptographers from Open Whisper Systems (developers of Snowden’s messaging app of choice, Signal), completing full implementation across platforms for its one billion users in April 2016. Despite the Rousseff administration’s commitment to stronger encryption and alternative systems within the government as a wedge against U.S. dominance of international networks, members of her government, law enforcement, opposition, and members of the judiciary continued to challenge privacy, freedom of expression and civil rights principles in pursuit of greater security.

A struggle of political forces, security services and civil society is embedded in the history of the MCI. It began with debates over Azeredo’s draft law going back to the 1990s, and continued in struggles over the MCI’s implementation, with especially contentious arguments between telecom providers and Internet companies such as Facebook, WhatsApp and Google over data protection and localization, and repeated attempts in Congress to amend articles of the law dedicated to privacy. The NSA eavesdropping scandal bolstered the case of human rights and privacy advocates, strengthening the draft legislation’s core provisions, but once the scandal faded and the Rousseff administration made peace with the U.S. government, Dilma appeared unwilling to push for greater privacy rights in public. At the same time, the opposition to the president grew, and completely paralyzed the government by the time of Rousseff’s removal from office in May 2016. Responding directly to the WhatsApp blockage, members of Congress proposed new bills (such as PL 5172/2016 and PL 5130/2016) that would prohibit social network shutdowns, integrating suggestions from CPICIBER. A more recent proposal has challenged the constitutionality of Article 12 of the MCI, which calls for the suspension of services that do not comply with the law’s data retention and provision in cases of law enforcement requests, as defined by Articles 10 and 11. Some lawmakers and judges have said these articles could be used to justify future blockages. Finally, a proposal circulating in late 2016 (PL 5402/16) would provide legal justifications for shutting down social networks for any crime punishable by more than 2 years in prison. It is particularly driven by copyright holders as a means to shut down social networks for unauthorized content. While the MCI does not address copyright, it remains a key concern of the private sector and their trade organizations, supported by Temer’s administration.

At a conference on privacy and data protection in August 2016, Affonso, the Director of ITS, commented that in his reading, the MCI did not sanction these kinds of blockages. “The sanctions in Article 12 include these activities, but not the complete suspension of activities of an application”, he observes. “It is understood that the judge has a prerogative to suspend or block an application, but the power of the judge needs to pass a test of proportionality. It is not an absolute power. Thus, you have two ways to try to prevent a complete shutdown: by appealing that this power doesn’t appear in the MCI, and that the power in general of the judge needs to appeal to this test.” Affonso also noted that the head of the Supreme Court had ended the blockages quickly, ruling that they were not proportional and infringed on the rights of freedom of expression for millions of Brazilians. In October 2016, ITS entered an amicus curiae brief with Brazil’s Supreme Federal Tribunal, arguing that such judicial blocks of applications and services in the Internet’s infrastructure layer are a direct violation of the MCI.

Over the past year, Brazil has witnessed competing impulses to pursue copyright infringement and give prosecutors more power to pursue investigations while allowing freedom of expression and preventing large-scale blockages as in the WhatsApp case. In this atmosphere, Rousseff’s rivals in Congress, backed by members of the judiciary, law enforcement and of the intelligence services, consolidated their efforts to scale back the privacy protections of the MCI through PL 215/2015, CPICIBER and resistance to certain aspects of the MCI’s implementation.

Democratic and Collaborative Governance

After laying the groundwork for the law with his 2007 editorial, “The Brazilian Internet Needs a Bill of Rights,” Lemos and a team of supporters moved to develop and operationalize the concept. Lemos’ research group at CTS-FGV began a collaboration with the Brazilian Ministry of Justice to draft a version of the bill that eventually became the MCI. At the same time, CTS-FGV and the Ministry of Justice proposed and launched an online platform that would allow public comments on the draft. Hosted by the Ministry of Culture, the website was open source, enabling contributors to build the tool through a “Git” system that allows for interactive development. Musician Gilberto Gil, Brazil’s Minister of Culture at the time, became a major proponent of the Creative Commons concept. Pedro Abramovay, the former Legislative Affairs Secretary at the Ministry of Justice, described his team’s approach and strategy for this collaborative process:

We had to find some allies, and that ally in civil society at the time was CTS-FGV. We wanted a collaborative process, and we had been trying to create an online system in the Ministry of Justice for other subjects for two years. The IT department said it was impossible, because it would slow down the website, which was vulnerable to online attacks. So the case of the MCI was a golden opportunity. I asked the people from CTS-FGV if they had the technical capacity to develop a system on the web. They said yes, and I called the Ministry of Culture and they agreed because they cover copyleft, and they had the, which was a social network for policy. I asked if they could host the project, and in such a way that CTS-FGV could manage it, and they said yes.

The MCI thus became open source, copyleft and part of the creative commons. The law created new standards in terms of content, participation and technical systems for policymaking online. The principles codified in the MCI reflect this techno-political background. Some, such as privacy, freedom of expression and democratic collaboration, are traditional rights-based concepts, while others such as network neutrality, the unaccountability of the network or standards-setting and interoperability are technical concepts that are explicitly linked to civil rights. This reflects the work of scholars such as Lawrence Lessig, Yochai Benkler and Manuel Castells, who study the importance of codes and networks in political and technical terms. Lessig’s book “Code” describes the relationships between the technical standards that define networks, software and hardware, and the laws and policies that shape society. Benkler elaborates the concept of a networked public sphere, which is grounded in society’s use of online systems to work collaboratively, debate concepts and promulgate responses through technology and the law.

Brazilian ministries – including Justice, the office of the president, the CGI and private groups such as Lemos’ new NGO, the Institute of Technology and Society (ITS) – have developed online participatory systems that reflect the ideals of democratic and collaborative governance. The Brazilian government’s online portals have become integrated into the lawmaking process and democratic governance systems. This is true with regard to net neutrality (where both the Ministry of Justice and the CGI solicited comments through their own systems), fighting corruption, and developing data protection laws. Luca Belli, a researcher at CTS-FGV, describes how the participatory model works: “Besides being an international model of participatory governance to produce Internet-related laws, it is a meaningful standard that has been set here in Brazil,” he said. “Beginning with the MCI, if you want to develop any kind of statute that touches upon Internet law or regulation, you have to do it in a participatory way; civil society expects that you will do it in a participatory way. You cannot develop a regulation without considering civil society’s input.”

The President’s office solicits similar input through its own portal, a system inaugurated after the MCI was signed into law at the NetMundial conference in 2014. The objective of the portal is to foster online participation on how to promote the law and the NetMundial process internationally. The site requests and accepts input on a range of subjects, from women’s rights to open data, but had fewer than 2,000 registered users as of September 2016, suggesting there are considerable barriers to entry, such as the opportunity costs associated with following and contributing to the process, as well as access to a computer and knowledge of specialized policy issues.

Another government-sponsored project, LabHacker, seeks to connect people to the policy process by showing them the work of Congress and connecting them to it online. The group is physically located in the Chamber of Deputies in Brasilia and develops applications to increase public participation in the policy process. Retórica Parlamentar shows how deputies propose bills, on what subjects and in what numbers, while an e-democracy system connects citizens to a range of policy areas through online forums. LabHacker is also developing an app and website to track corruption investigations through tools such as Retórica Parlamentar. Another project, “Social Panel”, tracks the popularity of specific education, transportation and consumer rights policies on social networks. The organization also sponsors “hackathons” in which users can visit Congress and work directly with the LabHacker team to develop existing projects or create their own. All of these initiatives help the government in its stated aim to broaden access to citizens, providing a direct channel to the information it produces and archives.

Presidents Lula and Rousseff advocated for greater transparency in government. For example, in addition to the democratic and collaborative governance applications, Rousseff signed a freedom of information law (PL 12.527/2011) which provided a mechanism for open data and transparency across all levels of government (federal, state and local) and ministries. Her administration created “Transparent Brazil”, an initiative that seeks to actualize these goals. On the final day before her suspension from office for the Senate impeachment trial, Rousseff signed a decree mandating that all unclassified documents be made available to Brazilian citizens online. The decree included core MCI principles, especially the interoperability and machine readability of publicly accessible online databases.

Brazil rose to seventeenth place (out of 92 countries) in the World Wide Web Foundation’s 2015 report, which ranks open data policies, while the Open Government Partnership also noted progress across ministries. The country’s new online information systems are enabling innovative legislative, democratic, open data and transparency functions. And while it is still unclear what the Temer administration plans in terms of the future of these programs, President Rousseff and her allies created a strong legacy of open, democratic and collaborative government backed by the MCI – a robust framework which may prove difficult to reverse.

Universality, Diversity, Innovation

The government’s goals in creating a National Broadband Plan (Plano Nacional de Banda Larga, or PNBL) in 2010 were clear: to induce the country’s telecom providers to build out their networks to reach areas without access, and provide fixed and mobile connections for publicly-accessible centers such as community centers and schools. This would in turn create better networks and broadband access for the public at large. To achieve this, in 2007 under Lula, the Brazilian government reconstituted the national telecom provider, Telebras, and offered tax incentives for companies to expand their coverage – beginning in cities and moving to rural areas. A Rural Broadband Plan specifically emphasizes these remote areas and includes a plan to wire all schools. Telebras is tasked with building out backbone infrastructure throughout the country. However, the PNBL has been the central program to enable universality since its inauguration. Its goals included:

In 2016, however, these goals remained only partly realized, and the government has moved to substitute a new “Intelligent Brazil” plan. The aim of this project is to reinvigorate the PNBL under a new name, but the exact source of the funds that will make it a reality is unclear. The former Minister of Communications, Ricardo Berzoini, commented in July 2015 that the speed of the implementation would depend on the public accounts, which are in a downward spiral along with the economy. The head of broadband for the Ministry said that it would require R$ 27 billion to implement and expressed optimism that the government could spur investment through the Telecommunications Service Fund, Fistel (Fundo de Fiscalização das Telecomunicações in Portuguese). Berzoini’s successor, André Figueiredo, came into power in a cabinet reshuffle in 2015. On the eve of President Rousseff’s suspension in May 2016, Figueiredo announced the Intelligent Brazil program. However, this was followed rapidly by Figueiredo’s termination as Minister and the merger of the Ministry of Communications into Science and Technology, signaling aggressive policy changes in the new government’s agenda.

Intelligent Brazil aims to provide broadband of an average 25 Mb/s to 70 percent of Brazilian municipalities (currently only around 53 percent are connected) and 95 percent of the population by 2018. The Rousseff administration announced plans to connect 30,000 schools and support the creation of six new international submarine fiber optic cables to Europe, Africa and the United States in order to provide more connections, improve security and reduce connection costs by 20 percent. Another initiative is an ambitious plan to wire the north of the country, largely bounded by the Amazon forest. The government has begun laying fiber in the Amazon River as part of a plan called “Amazonia Connected.”

In a sign of how these public programs will likely suffer in the present economic context, the National Research Network (Rede Nacional de Pesquisa or RNP) – another pillar of Brazil’s Internet infrastructure and the driver of Amazonia Connected – narrowly avoided disconnecting a number of its 1,300 research centers in August 2016 due to budget shortfalls (see Figure 1). During the 1990s, the RNP served as the basis for the Brazilian Internet, much as the Advanced Research Projects Agency Network (ARPANET) formed the nucleus of U.S. networks in the 1970s and 1980s. The RNP remains crucial for next generation IT and research technologies at universities and other centers in Brazil, and its funding for 2017 is in doubt. President Temer’s Minister of Science, Innovation, Communication and Technology only bolstered the RNP budget for 2016 at the last minute through an emergency decree.

Another means of linking distant communities to urban centers and the rest of the country is via wireless connectivity. ANATEL has supported companies by providing satellite access through existing services, contracting foreign companies to provide access through new satellites and launching a completely new Brazilian-controlled geostationary satellite by the end of 2016. Known as the Geostationary Satellite of Defense and Strategic Communications (the Satélite Geoestacionário de Defesa e Comunicações Estratégicas, or SGDC), this satellite will support the objectives of Intelligent Brazil while providing Brazil’s military with full control of a satellite for secure, encrypted communications.

In March 2016, a proposal to restructure telecoms and regulate all services as public concessions to fund a new broadband plan met with opposition from telecoms. The new plan claimed that R$ 500 million would be levied by ANATEL from the sale of “white space” radio frequencies, while the Ministry of Education would contribute R$ 1.5 billion, with additional contributions coming from the treasury. The fact that one of Temer’s first acts was to fold the Ministry of Communications (responsible for procuring the R$ 500 million) into Science and Technology may affect the prospect of following through on the implementation of Intelligent Brazil. Since 2001, Fistel and two other funds – Fundo de Universalização dos Serviços de Telecomunicações (Fust) and Fundo para o Desenvolvimento Tecnológico das Telecomunicações (Funttel) – have collectively seen over 50 percent of their funds diverted to service the public debt. Legislation to change this state of affairs has languished in Congress since 2007. As a result, plans for universalization were at an impasse until the announcement of the new Intelligent Brazil program.

One of the first policy proposals of the Temer administration and its allies regarding universality came through the proposed law PL 3453/2015. If passed, the initiative would remove benefits from the public purse and place them back in the hands of telecom providers such as Oi, Vivo and NET. The Federal Tax Agency (Tribunal de Contas da União) assessed this value at over R$ 100 billion, although ANATEL and telecoms argue this number is closer to R$ 20 billion with depreciation. These are benefits gained from traditional telephony designated to support the construction of new infrastructure under the 1997 Telecommunications Law, which the initiative would return to telecoms to build out their networks as they see fit. PL 3453/2015 moved into the Senate, renamed PLC 79/2016, where it passed an internal committee without public consultation or a plenary vote. Opposition senators have protested the process in the Supreme Court, and demand that all technical committees be consulted and that a full committee vote occur.

The status of the country’s connectivity in 2016 demonstrates that access has changed in a way that the authors of the original PNBL could not have predicted, but it also highlights the challenges inherent in attaining the goal of true universal access. According to ANATEL, there were just over 26 million fixed broadband Internet connections in Brazil in June 2016 (see Figure 2). However, the speed of roughly 8 million of those connections is less than 2 Mb/s (Megabits per second), the minimum threshold for broadband connectivity as defined by the government’s 2010 plan.

Mobile connectivity, on the other hand, has exceeded expectations, with over 182 million registered connections using either 3G (third generation WCDMA cellular access) or 4G (fourth generation LTE access) (see Figure 3). This significantly exceeds the roughly 75 million estimated seven years ago for 2016 and is even higher than the 120 million mobile users that the government’s PNBL projected for 2018. However, access speeds in 2014 still fell short of the goal as measured by ANATEL (1.8 Mb/s across the national network for mobile connections), but did reach the target in 2015 with an average of 2.5 Mb/s (as measured in the first trimester). Akamai clocked the average broadband speed in Brazil at 4 Mb/s in the fourth quarter of 2015. As a point of comparison, the average for OECD countries was 8.8 Mb/s in September 2014 (see Figure 4).

While increasingly ubiquitous, mobile connectivity is distinct from fixed line broadband accessed through a desktop computer, laptop or other device. Mobile users do not have a traditional keyboard or mouse and often use cell phones less for content consumption than for content creation. In addition to the cost of computer and other hardware, fixed line broadband can be prohibitively expensive for many people, measured by the ITU to cost roughly $13 USD a month in 2014, and may not be available in informal or rural communities. In nearly all Latin American countries, a user can purchase unlimited Internet access for this price. Demi Getschko, the Internet expert on the Internet Steering Committee, and director of the Brazilian Network Information Center, sought to clarify this distinction: “Cellular Internet access does not substitute for access a user experiences with more time using a fixed Internet connection. I would say that both are important. The Internet needs to have mobility, but it also needs to have introspection.” In other words, the user needs to place their experience online within the context of the complete Internet, understanding its risks and potential. In an interview, Getschko elaborated on the difference between mobile and fixed Internet usage:

With mobile, you have accessibility anywhere so that one can send messages quickly, which substitutes for a call or other instantaneous means. Fixed access allows you to examine a text with depth, add context and develop your opinion. One has mobility and stays connected all the time, the other in your house allows your child to study and write a text with more thought. I think they are complementary; one alone doesn’t meet all of the needs of the average user.

Brazil’s present political crisis, a flagging economy and resulting squeeze on public resources will make it exceedingly difficult for the government to achieve its objectives of raising Brazil’s average broadband speed to 25 Mb/s by 2018. However, there are other ways of spurring connectivity, such as through private sector projects like Facebook’s Free Basics and initiatives, or Google’s Loon. is now a broader initiative that aims to achieve connectivity by using drones with laser-enabled fiber optic networks, and with free Wi-Fi business zones in municipalities like Heliopolis, a favela (informal settlement) in São Paulo. Loon is a project using balloons that create large, free floating Wi-Fi zones, and has been tested by Google in the Amazon. The project now includes what Facebook calls Free Basics, one of the more successful – and controversial – projects for universal access. Facebook is partnering with Samsung, Ericsson, MediaTek, Opera Software, Nokia and Qualcomm to bring Internet services, including its own social network, to communities in developing countries.

In April 2015, Dilma Rousseff met with Facebook CEO Mark Zuckerberg, who signaled that he wanted to bring – including Free Basics – to Brazil by June of that year. Countries ranging from Myanmar to Zambia, Bolivia and Guatemala have launched the project in partnership with local telecom carriers. Free Basics has also generated controversy, as it only grants users access to certain components of the Internet (i.e. Facebook), which then drives traffic and users through its system. According to the MCI, the principle of universal access is meant to be achieved through “open technology standards that allow communication, accessibility and interoperability between applications and databases.” Facebook’s initiative appears to violate this directive. Because of this – and the possibility that the Free Basics initiative abrogates net neutrality – it had not been launched in Brazil as of this writing, and no plans have been announced.

Until Rousseff’s suspension from office in May 2016, the Ministry of Culture remained committed to the creative commons ideal, an integral component of the collaborative process of the MCI. The ministry created a network of culture labs in various cities to encourage the creation and dissemination of music, video and other content, including technologies for teaching and promoting digital literacy. Innovation is encouraged through cultural programs promoted by the government, further facilitated in an environment in which companies are free to explore new business models to develop applications, websites and other ICTs online. “It is not a generic protection of new business models, but a business model that ends up fostering the principles and rights that are in the MCI,” observes Carlos Affonso of ITS. This includes “zero rating and Facebook as well as Uber and urban mobility. In terms of innovation, the MCI tries to protect and develop the whole online ecosystem.” Notwithstanding this business climate, Brazil can be a tough market for innovative new models. Companies like Uber have faced vigorous opposition from state and local governments, incumbents represented by strong unions and complex regulatory processes. The conflict between the goals of the MCI to spur online innovation and the structural incentives of the federal, state and municipal governments to regulate the Internet make this a challenging objective to achieve.

In April 2016, Vivo, one of the largest ISPs in Brazil, proposed to put data caps on its Internet service plans, as is the practice in Canada, the United States and other countries. Users would have to pay to get more data, or have their connection shut off or throttled. ANATEL has challenged the legality of these plans with the support of domestic civil society groups such as ITS and CTS-FGV, and international ones like the Electronic Frontier Foundation and Access Now. These groups argue that such plans would violate the MCI, particularly its provisions on net neutrality, which ensure access without “discrimination or degradation.” For now, if telecoms introduce services with data caps, ANATEL has mandated that companies must also provide unlimited plans, suggesting it favors the MCI principle of freedom of expression and true universal access in this regard. Net neutrality is one of the most important aspects of this debate (along with others like zero-rating practices and online security), now defined under President Rousseff’s May decree on the MCI.

Network Neutrality

The neutrality of the network has become the defining principle of Internet law, not only in Brazil, but in countries around the world. First coined in 2002 by Tim Wu, a legal scholar at Columbia University Law School, net neutrality dictates that the network should treat all traffic equally – no matter the source, destination or content – from one end of the network to the other. In other words, a message from Facebook, Apple or IBM should be treated the same way as a message from one privately hosted email address to another. The principle of net neutrality is a key pillar of the MCI and was a major sticking point in the debate leading up to the law’s passage. Telecom providers argued that they should be able to manage the networks as they saw fit, but they faced strong resistance from civil society, Internet services companies and allies in Congress who sought provisions supporting a democratic management of the network, with equal access for all.

The contentious debate stalled the bill multiple times, but the government remained a strong supporter of net neutrality during MCI deliberations in Congress and in international fora such as the International Telecommunication Union’s (ITU) meetings and the NetMundial Internet governance conference. Ultimately, the MCI included a number of articles addressing net neutrality; Article 9 of the law references it explicitly. An open and public online comments phase to define net neutrality began in 2015, before full implementation of the law. The same stakeholders initially arguing for and against the inclusion of net neutrality were given the opportunity to comment and offer guidance to the Ministry of Justice – from January 28, 2015 until the end of April of that year. Belli of CTS-FGV argues that because of the collaborative and public process that evolved around net neutrality, this model is now the norm for other types of legislation: “You have an administrative procedure to share the draft and a request for comments for a certain period”, he notes. “Now that there is a minimum standard, no one would expect the government to author any kind of Internet-related legislation or regulations without considering input from society or other multi-stakeholder actors.”

The review of the MCI’s implementation followed the same protocols that created the original draft legislation of the MCI: an open source forum, managed by a neutral broker, open to anyone. Participants could raise questions or comment on any subject. Network neutrality was the most discussed topic; 98 out of 339 topics addressed it, compared with 70 discussing retention of access logs and 68 on Internet privacy. Stakeholders weighed in on various aspects of network neutrality, illustrating the complexities of regulating a network under a democratic, participatory process. Zero-rating programs were one of the most contentious topics. Cell service providers and certain application-level providers have been forming partnerships to grant users free access to certain services such as WhatsApp, Facebook and Waze, which are “rated zero” in that the customer pays no additional fee to use them. Telecom providers Claro and TIM have created plans in this mold, allied with major telecom groups such as Febratel, SindiTelebrasil and Telebrasil (as well as providers of backbone infrastructure like Cisco). They claim zero-rating programs are legal and should be examined on a case-by-case basis. Claro, in particular, argues that zero-rating programs should be exempt from net neutrality rules because such programs provide Internet access to people who would not otherwise have it. In statements made during the review process, telecoms maintained that network management on the logical layer of data packets should be neutral under the law, but on a commercial level (i.e. the “content layer”) these rules do not apply; consumer protection and antitrust safeguards are the guiding principles.

A wide range of groups from civil society, academia, consumer protection organizations and the technology sector argued that the MCI’s net neutrality provisions cover zero-rating practices, and that when the MCI is implemented, they should become illegal. These groups also differed on who should have jurisdiction over enforcement of the law, once enacted. The telecoms and their allies view ANATEL as the major regulator, while others advocated greater roles for the Internet Steering Committee, as well as for government consumer protection bodies in the Ministry of Justice and the Administrative Council for Economic Defense’s Antitrust Authority (CADE). These multiple viewpoints reflect the belief that while the national telecom regulator plays an important role, other sectors – and the CGI itself – should have input in order to give teeth to the law’s provisions. Telecoms and digital rights organizations bring diverging views on how the regulations should be promulgated. Civil society groups like CTS-FGV, ITS and InternetLab argue that there must be a clearly-defined and narrowly-focused list of acceptable management rules and practices, while telecoms and their representatives prefer more broadly-defined guidelines that do not risk becoming outdated once new practices are adopted.

The MCI’s regulations also address content delivery networks (CDNs) and whether these could potentially abrogate the principle of net neutrality. Services such as Netflix and YouTube, for example, use specially configured networks (i.e. CDNs) to deliver their bandwidth-hungry content faster. Just as zero-rating policies provide content for entry-level users, CDNs are solutions that provide high-end users with video and other bandwidth-heavy services. When legislative language and regulations confer the technical management of the network to content providers, the providers argue that next generation networks – including CDNs – fall under this guidance. CDNs operate on the content layer; as a result, mobile operators such as Claro (one of many offering zero-rating services in Brazil) view this as reasonable network management under the law. In April 2015, ANATEL offered an online forum specifically focused on debating network neutrality.

Ultimately, Rousseff’s final proclamation on the MCI articulated a more narrowly-tailored definition of net neutrality. Not only did the executive decree declare that network neutrality could be broken only in exceptional or emergency cases, it arguably precluded the use of zero-rated content and programs (or even CDNs) in the future, according to Mariana Valente of InternetLab and Maria Inês Dolci, president of Proteste (a Brazilian Consumer Defense Association). Dolci also noted that ANATEL could interpret the decree’s net neutrality provisions to bar data caps.

The United States is undertaking a similar review. The Federal Communications Commission (FCC) is attempting to implement network neutrality by mandating that ISPs operate under common carrier rules or provide services similar to traditional telephonic providers. In India, concerns over zero-rating policies have brought the government, civil society groups, telecoms and ISPs into a debate with Facebook over its provision of zero-rating programs. The world’s largest social network has been pushing the political and regulatory envelope – not only with Facebook Zero (which TIM offers in Brazil) but also with Free Basics.

Brazil is a huge potential market for any company, online or off, with increasing numbers of people gaining access to the Internet in recent years. The latest available numbers from the Internet Steering Committee’s research group CETIC assert that about 55 percent of the country’s 205 million population is now online, and had accessed the Internet within 90 days of a nationally-representative survey. Facebook scrubbed the launch of Free Basics in Brazil after a debate similar to the one in India erupted. Civil society groups argued that a fully-implemented MCI could be interpreted as a legal impediment to zero-rating programs. Brazil appears to be moving towards a ban of zero-rating services such as Free Basics, WhatsApp or Facebook Zero. Net neutrality regulation is now fully defined by the executive decree, and appears to limit such programs. A review of the country’s Internet infrastructure and user base provides an additional dimension to these vibrant debates over how to keep Brazil’s network free, open and fair.

Infrastructure Update

Along with the physical infrastructure of Brazil’s network, online protocols and systems such as Internet Protocol (IP) addresses, domain name servers (DNS), and autonomous system numbers (ASNs) make up the country’s virtual infrastructure. These include nineteen root level DNS servers that authenticate and serve domain name requests throughout the country. Domain name management is governed by a variety of entities internationally, including the Internet Corporation for Assigned Names and Numbers (ICANN), Verisign (an Internet security and certification service) and the Internet Systems Consortium (ISC). In conjunction with these groups, CGI and its executive arm, the Network Information Center, coordinate systems and best practices alongside standards-making bodies such as the World Wide Web Consortium, the Internet Engineering Task Force (IETF) and the International Telecommunications Union (ITU). Top-level domain names registered under the .br domain totaled over 3.9 million as of October 2016 (see Figure 5).

ICANN is transitioning the IANA system that maintains and monitors these suffixes (e.g. .com, .co, .br, .org, .xxx) from its primary home in the United States to a fully international system of management. ICANN is expanding the domain system in two crucial ways: First, it is switching from IPv4, the original numbering system (which is running out of addresses) to a hexadecimal IPv6 system with an unlimited number of addresses and more suited to the Internet of Things. Second, it is allowing corporations, cities and other organizations to create their own new domains outside of the traditional nomenclature. Brazil led the way in this regard when it registered more new top-level domains (TLDs) than any other country in Latin America, as well as the first city domain, .rio, in August 2015. These TLDs only make up a small fraction of the complete Internet, but together with IP addresses and ASNs they represent crucial aspects of Internet governance policy that Brazil is attempting to influence through the MCI (in Brazil) and the NetMundial initiative (globally).

ICANN is a focal organization in the global Internet governance system because it controls many of these resources. The IANA transition became a source of great controversy in the U.S. in September 2016 when Republican opposition threatened to disrupt the Obama administration’s plan to transfer the management of the domain names system to full international control. The transition removes U.S. Department of Commerce oversight (in effect since the inception of the modern Internet), and the proposed international system mirrors the Brazilian model in that it will employ a multi-stakeholder governance structure. Internet companies such as Google and Facebook, as well as world governments and civil society groups, have supported the IANA move as a better, more transparent system that befits what is now a global network. The Brazilian government has actively sought to partner with ICANN for coordination of the domain system and on the NetMundial initiative. However, NetMundial has struggled in recent months and appears to have reached an impasse, with little support from ICANN and other former patrons, while a new Brazilian government has not indicated it plans to resuscitate the initiative.

ASNs are larger groups of networks that the Regional Internet Registry (RIR) for Latin America (the Latin American and Caribbean Internet Addresses Registry, or LACNIC) assigns to larger commercial, industrial, governmental or other large clients. There are more than 4000 ASNs assigned to Brazil. The majority of Brazil’s ASNs are concentrated in the South and Southeast of the country, with nearly 70 percent of all ASNs located in six states (see Figure 6). manages the Brazilian domain name system and has labored to make the country a power and technological pioneer in the region.

The Brazilian Internet is the largest network in Latin America, as measured by the number of users, IXPs, IP addresses and other indicators. There are 25 Internet Exchange Points (IXPs) managed by nationally, compared with the usual one or two that most countries support. São Paulo’s IXP alone directs an average of 500 Gb/s (gigabits per second) of traffic daily from roughly 700 peers, or large clients representing corporations, government agencies or other sizable parties.

Brazil connects to other parts of the world through 13 transatlantic fiber optic cables, with an additional six direct connections to other parts of Latin America, Europe, the United States and Africa – either planned or under construction as of this writing. The Rousseff administration made the construction of alternate transatlantic connections a major priority in the aftermath of the NSA scandal. In an interview, Glenn Greenwald noted that

75 or 80 percent of all Internet traffic in 2012 transited the U.S., which is one major reason why the U.S. surveillance program was so effective. They [the Brazilian government] were in high-level negotiations with European countries like Germany and Portugal and other Latin American countries about just building a new system that didn’t depend in any way on American soil.

Brazil has only one direct connection to the European continent, the aging Atlantis 2 cable (in use since 2000 and managed by an international consortium of telecoms, including U.S. operators AT&T and Verizon). Atlantis 2 has a lit capacity of 40 Gb/s, whereas the capacity of newer cables is now measured in terabits (one thousand gigabits) per second (Tb/s). Four new cables are in the works to connect Brazil’s Internet backbone to Africa and Europe. These projects emerged due to government support, but also because of multinational corporate interests. The EulaLink cable is being constructed by Telebras, the Brazilian government telecom firm, and will connect Santos and Fortaleza with Lisbon, Portugal. Three other cables will run from Fortaleza to Africa (see Figure 7):

All of these are due to become operational in 2017 or 2018 and will have a serious impact on the state of network traffic from Brazil to the rest of the world. A proposal for a BRICS submarine cable system, discussed in 2012 before the Brazilian economic downturn, appears dead for the time being.

In terms of new connections to the Americas, Seabras-1 will provide a direct connection between São Paulo state and New York. 70 Tb/s in lit capacity will provide exponentially increased speed and bandwidth for connections between the largest commercial markets in each country. The Seaborn networks group constructing it is backed by European banks, Natixis, Banco Santander, Commerzbank and Intesa Sanpaolo, and COFACE, the French Export Credit Agency. India’s Tata Corporation has purchased significant capacity in Seabras-1. An additional cable, Monet, will connect the cities of Santos and Fortaleza in Brazil to Boca Raton, Florida, with 64 Tb/s lit capacity. Monet will be operated by Algar Telecom (Brazil), Angola Cables (Angola), Antel (Uruguay) and Google.

Twenty-nine tier 3 or 4 certified data centers provide services for a number of larger financial, media or technical institutions, such as the backbone provider Embratel, Banco Santander Brasil, Itaú Bank and the Globo media group. These corporations are among the largest banks and media organizations in the country, and are often required to create their own private networks or, in the case of the ICANN system, reserve their own TLDs (e.g. .itau, .globo). The Uptime Institute, an international organization that certifies these data centers, grades the data centers from Tier 1 to 4 based on metrics such as security, reliability and design. The high-level centers are located primarily in Rio de Janeiro and São Paulo, but less developed data centers have proliferated rapidly to provide services throughout the country.

Notwithstanding this progress, the government has struggled to achieve its goals of implementing structural changes in Brazil’s network – both in terms of hardware and software. As Greenwald observes:

It is not an easy task to just radically alter how the Internet works. And I don’t think Brazil is particularly good at these kinds of things. It also takes an immense amount of resources that they don’t actually seem to have. So it is a priority for them, but there haven’t been serious changes. They are more aware of operational security, but they are definitely aware of the need to get better at it.

However, the construction of alternative physical networks and infrastructure is only one aspect of guaranteeing security and autonomous control of the network. The state of Brazilian cybersecurity in 2016 also points to a number of conflicting priorities at the heart of the MCI. New bills proposed in the parliamentary commission on cybercrime’s (CPICIBER) report could challenge the MCI’s civil rights protections at the very moment the government is attempting to address a range of growing threats and vulnerabilities.

Security, Functionality and Stability

Before and since the passage of the MCI, the security, functionality and stability of the network have been at the core of the debate over its principles. These priorities are often at odds with the law’s privacy provisions (e.g. Article 10). Efforts to provide greater security online – first the proposals, beginning in the 1990s, that led up to the eventual passage of Azeredo’s law, followed by calls for a strong, independent Brazilian Internet with data localization after the NSA scandal – along with PL 215/2015 and a number of recently proposed cybersecurity bills, have become central to the ongoing and contentious debates between security and privacy advocates in the country. Following the passage of the MCI, repeated attempts by the congressional opposition to insert access provisions for law enforcement into the law are signs that this fight will continue.

The current administration, along with law enforcement, elements of the judiciary, the intelligence agency ABIN and the military, has vested but discrete interests in Brazil’s network security. The military, in particular, has assumed responsibility for the security of the Brazilian Internet through the formation of the Brazilian Cybernetic Defense Center (CDCiber). CDCiber became operational in 2012 and is legally empowered to take the network security lead. CDCiber coordinates security responses to major events and incidents together with the CGI’s Computer Emergency Response Team (CERT), Brazilian Computer Security and Incident Response Teams, which are made up of private and public partners, ANATEL, federal and state police, and other divisions of the military.

Brazil’s military and CERTs face multiple threats, in the form of organized criminal networks operating online, using such techniques as phishing, spam, online fraud, botnets and other malware to take down websites or access other online resources through Distributed Denial of Service (DDoS) attacks. Symantec, a multinational antivirus and online security firm, rates Brazil the 6th largest source of botnets, 8th for attacks online, and 10th in overall insecurity. Given its size, location, and the complexity of its network in terms of IXPs and international connections, Brazil’s ranking is not entirely surprising. The country’s networks are home to a significant amount of web traffic, but the sheer number and diversity of threats have been a concern in recent years for authorities tasked with providing network security. In 2014, the year Brazil hosted the World Cup, registered over a million incidents, over three times the amount in 2013, including five times the number of fraud cases reported in 2013. In 2015, reported incidents declined somewhat (see Figure 8), but the upward trend is expected to continue in 2016 as Rio played host to the Olympic Games.

One of Brazil’s online security priorities in recent years has been preventing threats to major international events. The nucleus of CDCiber formed to manage the Rio+20 United Nations Conference on Sustainable Development in 2012, which hackers attempted to disrupt online, taking down a number of related sites. After Rio+20, the city hosted a papal visit for World Youth Day in 2013, followed by the 2013 Confederations Cup, the 2014 World Cup and the 2016 Olympic Games. While Rio 2016 was generally considered a success in terms of providing physical security for participants and visitors, Brazilian authorities again struggled to keep hacktivists from temporarily disrupting or taking down government and Olympics-related sites. The government has worked to improve intelligence and responses to other potential threats, such as terrorism, organized crime or even political opposition. Public protests shook Brazil in 2013 during the Confederations Cup as the economic crisis began to worsen and the NSA revelations came to light. Greenwald’s reporting, based on information provided by Edward Snowden, revealed that the US had focused particular attention on Brazil. The country’s Internet infrastructure, the state oil company Petrobras’ networks and government officials – including President Rousseff herself – were targeted:

The Snowden revelations created this momentum in Brazil in defense of communication privacy, but at the same time, the Brazilian government is in so many ways subjecting the Brazilian population to increased forms of electronic surveillance. The Hacking Team revelations revealed that Brazil’s Polícia Federal and a couple other agencies were significant clients of a lot of the hacking technologies and programs. At the same time, the intelligence service ABIN is active and interested in pursuing more offensive actions, although not on the level of the NSA.

Protests and civil unrest have accompanied many of Brazil’s mega events, best exemplified by the widespread demonstrations in 2013 during the Confederations Cup and the massive protests supporting impeachment in 2016 – showing a possible linkage between the surveillance and control of large-scale movements. Especially given the lack of transparency within the military, there are concerns over the way security policy is being formulated online, and over the military and intelligence services’ relationship with law enforcement (especially the military police) in tracking and investigating protests.

During the World Cup, the Olympic Games and other major events, CDCiber has coordinated the country’s cyber defense with the Brazilian National Intelligence Agency (ABIN), the Federal Police, the Air Force and Navy, as well as ANATEL and IT companies. It is clear that the military and intelligence services are interested in having better data for tracking cybercrimes; increased Brazilian cooperation with foreign law enforcement and intelligence agencies in 2016 is one indicator of this. Brazil’s Congress has also signaled it is favoring increased surveillance capacity over personal data protection and digital rights. For example, if passed, the legislative outputs of CPICIBER (e.g. PLS 730/2015) and other bills being debated (e.g. PL 215/2015) would require ISPs and Internet application providers to store identifying data that could then be retrieved by law enforcement without a judicial warrant.

Diminished user privacy in the name of security mirrors a worrying lack of transparency on record keeping about attacks. The government does not provide records of large scale foreign attacks, and there have been few reported cases of large scale hacks on major corporations, suggesting that a culture of security by obscurity and an unwillingness to share data on security publicly persists in both the private and public sectors. Other countries, such as France and Germany, have adopted legislation requiring financial institutions to report when they have been a victim of a cyber attack or data breach. They have done so without compromising individual privacy or causing harm to the financial services industry. A report by the international Open Government Partnership reviewed transparency initiatives across the bureaucracy. It indicates that the Ministry of Defense is moving slowly to comply with new freedom of information requests and initially struggled to develop a system to process requests under the country’s freedom of information law (PL 12.527/2011). It is unclear if the new administration will follow these regulations and promote transparency in the same way.

Azeredo’s and Carolina Dieckmann’s laws provided the government with a number of mechanisms to respond to cybercrimes. People can now report online criminal actions at specially designated centers in cities around the country, but these are limited to major cities such as Rio de Janeiro, São Paulo and Belo Horizonte. There is a serious disconnect between the civil rights, freedom of expression and privacy goals of the MCI and the more traditional law and order objectives being advanced in Congress. Simultaneously, there is a lack of alignment between the goals of these laws across agencies and the private sector (including CDCiber and overall management of network security, the role of the police in its coordination with the military, Brazilian intelligence services, the CERT system and private sector actors), leading to a lack of transparency and trust among government entities.

The government has taken steps to secure its own network, including the Geostationary Satellite of Defense and Strategic Communications, which will support the country’s universality goals in the Intelligent Brazil program while providing secure, encrypted communications for the military and the government as a whole. Telebras will also provide an encrypted intergovernmental system that will span federal, state and municipal networks, initially planned to be completed by the end of 2016.

Communications security continues to be a major challenge for the government, as demonstrated by a number of embarrassing leaks that have hurt both the Rousseff and Temer administrations. Most notably, as the impeachment crisis deepened, President Rousseff moved to appoint former President Lula to be her Chief of Cabinet. Lula was under investigation for involvement in a corruption case, and his promotion to a cabinet-level position would have shielded him from prosecution outside of Brazil’s Supreme Court, a special privilege granted to cabinet-level officials or any member of Congress. Prosecutors somehow procured and leaked a recording of the two allegedly making a deal to shield Lula from prosecution. The leaked recording spurred major protests and was arguably a deciding factor in the Supreme Court’s decision to deny Lula’s appointment. These events further turned public and legislative opinion against Dilma, ultimately helping to seal her suspension from office.

Further disclosures of recorded conversations between members of the PMDB (including the Minister of Planning Romero Jucá, the Senate Speaker Renan Calheiros and Jose Sarney, Senator and former President) demonstrated further evidence of possible collusion to avoid government prosecution in broadening corruption investigations. Indeed, the tapes suggest that these members of Temer’s party may have pushed for impeachment principally to take power and to torpedo the massive “Lava Jato”, or “Car Wash”, corruption investigations encompassing numerous pay-to-play schemes.

The legislature has proposed bills seeking new penalties for recording communications, especially those of government officials. PL 1676/2016 criminalizes recording, photographing or filming without authorization and creates a “right to be forgotten”. It permits the censure or banning of sites that publish these materials, as with the Big Spy Bill, PL 215/2015. The central difference is that PL 1676/2016 would further punish individuals for publishing recorded material on social networks, explicitly linking the concept of a “right to be forgotten” with the deletion of the offensive content.

The MCI challenges the government and corporations to be more open with regard to the management of the Internet as a whole, promoting security for citizens and governmental entities alike. This includes respect for the privacy and confidentiality of communications and the security, functionality, and stability of the network, software platforms and applications. It remains to be seen whether Dilma’s decrees to fully implement the MCI and mandate open data in government (outside of formally classified information) will push the current bureaucracy to harmonize its online security policies further. The MCI already contains provisions that address these questions, but legislators, chastened by leaks revealing embarrassing levels of corruption within the government, are seeking ways to ensure their own security of information through the law. The final MCI decree calls on ISPs to retain data for criminal investigations for six months, but it also notes that such data should only be retrieved with formal legal justification and by “competent authorities.” It will be up to the Temer administration, the CGI and ANATEL to narrowly define who those authorities will be and what justification said authorities should provide. If the Congress passes either PL 3237/15 or PL 215/2015, the new laws would directly challenge the core privacy provisions of the MCI in the name of greater security.

Brazilian Internet Governance on the Global Stage

The Brazilian government under President Rousseff and Brazil’s Internet Steering Committee (CGI) promoted the MCI on the international stage as a digital bill of rights that could be adopted by other countries. The new Temer government may not share many of these objectives. The CGI and the Rousseff administration were the driving forces behind the NetMundial initiative, inaugurated when Dilma signed the MCI into law at an event in São Paulo in April 2014. While the Brazilian government created the CGI, it is a nonprofit organization formally outside of the public sector, with representatives from the public, private and non-profit sectors. NetMundial brought together ICANN, the World Economic Forum, and CGI to promote and disseminate multi-stakeholder, multi-sectorial approaches to Internet governance.

In November 2015, Brazil hosted the global Internet Governance Forum (IGF) in João Pessoa, the second time the country had hosted one of the principal UN forums on the management of the Internet. Brazil was an active participant in the original IGF, formed after the 2005 World Summit on the Information Society (WSIS) in Tunisia created a forum for multi-stakeholder discussions of Internet governance. As opposed to the International Telecommunications Union (or ITU, the UN telecom agency which favors a more government-centric model of negotiations and regulations), the IGF is focused on bringing a diverse range of business sectors, civil society groups, technical experts and academics – as well as governments – to the table.

In 2012, the ITU held its World Conference on International Telecommunications (WCIT), the first time in over ten years that the UN’s designated telecom organization had met to discuss its jurisdiction over the Internet. Governments debated the regulatory process, and how to integrate global Internet governance mechanisms into existing regulations and telecommunications systems. The Brazilian delegation, controlled by ANATEL representatives, allied with a group of countries led by China, Russia and other authoritarian states to call for greater governmental control over the Internet’s management.

Much has changed since 2012, however. Edward Snowden’s disclosures of NSA eavesdropping turned the global surveillance status quo on its head, prompting global discussions and changes with regard to privacy and encryption technologies. The new dynamic also created a policy window in which the Rousseff administration succeeded in passing the MCI and assumed a more prominent role in global Internet governance debates. After a speech at the UN criticizing U.S. intelligence collection practices, President Rousseff fast tracked the MCI bill, signing it into law. Shortly before her suspension from office for an impeachment trial, Rousseff completed full implementation of the MCI by decree, while convening the NetMundial to sign it and hosting an IGF to discuss issues related to its core principles.

The multi-stakeholder system is Brazil’s model domestically, represented by the CGI and the MCI’s public consultations. Brazil’s support and hosting of the IGF is one manifestation of this policy. NetMundial also proposed another highly visible venue for debates on the transition of the IP and DNS allocation systems away from ICANN’s historic home in the U.S. towards a more international, multi-stakeholder model. Brazil is also working to propagate its political and technical management models in other domestic contexts. Notably, the Italian government has consulted with the authors of the Brazilian law to formulate their own digital bill of rights.

These goals are now in doubt. It is likely that the new president and his allies will continue to support the CGI, the work of ANATEL and the Brazilian foreign ministry to promote the multi-stakeholder model in international fora like IGF, ICANN or the ITU. However, it is less apparent how the new administration will hew to these objectives, and if their opposition to the MCI will be reflected in opposition to foreign policy related to NetMundial or resistance to the Brazilian model for Internet governance promoted during the Rousseff and Lula administrations. At the 2016 IGF meeting in Guadalajara, a group of international organizations, including EFF, Access Now and Public Knowledge, released a Manifesto pushing the government to continue to support the MCI and its goals. They aligned themselves with the Brazilian Coalition for Rights Online and called on the government to develop policies for universal access and network neutrality, not only for the benefit of the private sector.


Former President Rousseff’s executive decrees have solidified the MCI’s legal standing, defined net neutrality, pushed freedom of information and open data initiatives throughout the government, and outlined a new national broadband plan for an “Intelligent Brazil.” However, President Temer has also indicated that his administration may submit a completely new data protection law in the coming months, though he and members of Congress will likely face continued pressure from digital rights and privacy groups to consider aspects of PL 5276/2016. Without a Ministry of Communications, the policy leadership that has championed and managed Internet law is in disarray – reorganized and folded into the Ministry of Science and Technology. If the government and administrative structure continues as is, it will complicate any efforts related to Internet governance moving forward.

The principles articulated in the MCI are tightly related and interconnected. Privacy and security are mutually dependent; one cannot have the former without the latter. Strong data protection laws will provide security for the government, the private sector and individual citizens, but police access to data, another guarantor of security, will challenge this protection. Universal access plans will bolster security through new Brazilian-owned infrastructure, but also will provide new challenges to privacy as more Brazilians come online. Innovation will require new copyright laws, a subject largely unaddressed in the MCI, but if such laws are too restrictive, they risk stifling privacy protections in the name of security. The MCI is ultimately a law that binds these principles together, not only in the articles it introduced into the civil code, but through a diverse set of laws and regulations – such as Brazil’s freedom of information law, Intelligent Brazil, the CPI cybercrime proposals and many more. These laws are no longer discrete entities, but form a unified structure linking traditional principles such as freedom of expression and privacy with new ones like network neutrality and universal access.

Brazil has played a unique role in these debates internationally, modelling a way between the heavily regulated supranational European system, the American one driven by corporate priorities, and the authoritarian online world of censorship, surveillance and government control. Its model is driven and informed by the Internet Steering Committee’s multi-stakeholder approach, the MCI, new democratic online systems and a host of other Internet regulations, and has become an example for the world. The question remains whether the current government will continue along the path begun by the previous – maintaining and promoting this model domestically and internationally – or whether it will attempt to develop an alternative, more free market approach. Early indicators, such as the Temer government’s decision to emphasize private development of Internet infrastructure and defund public initiatives, suggest the latter.

The new administration’s preference for free market policies and negative economic factors will likely push it towards de-emphasizing national broadband plans driven by the public sector. If the government approves PLC 79/2016 to modify the Telecom Law to cut public investment in telecom infrastructure, it will place the burden of development in this area on the private sector. The country’s network will continue to develop independent interconnections, including the six new transatlantic cables, the Geostationary Defense and Strategic Communications satellite and the domestic network, supported by Telebras. This has the potential to change the nature of the global Internet, as more traffic is routed through Brazil rather than the U.S. Given the dire economic situation, it is unclear whether the government will be able to develop infrastructure beyond what is already planned; financial challenges to the existing RNP and Telebras projects will continue in 2017. Due to budgetary and political considerations, the government is likely to rely more heavily on private sector initiatives such as Facebook’s or Google’s Loom in order to drive development in the country.

Democratic and collaborative systems such as the Hacker Lab and online governance systems such as will continue to promote the digital democracy model in Brazil. What is less certain is whether lawmakers will be receptive to the input of these collaborative mechanisms. The MCI process was unprecedented in the level of public discussion and the lengths to which the executive branch worked with the Congress to integrate the contributions into the legislation. The PMDB and other opposition parties supported the bill but also attempted to insert revisions in the comments. Network neutrality has been defined by decree, but the administration and ANATEL are still working to set up a monitoring and enforcement system. It is certainly a possibility that Temer could issue a new decree that sidelines institutions like the Internet Steering Committee.

There have been repeated cases of the current administration’s allied parties in Congress supporting laws that limit privacy protections, and give the police and investigators the right to access user data more easily. Dilma’s data protection bill (PL 5276/2016) does not have widespread Congressional support, and unless there is significant mobilization by civil society and digital rights organizations, other proposals could take precedence, either developed from the Senate draft (PLS 330/2013) or a completely new proposal from the Temer administration. The WhatsApp shutdowns and jailing of Facebook’s Vice President in 2015 and 2016 demonstrate the strength and priorities of law enforcement and the security establishment in an effort to challenge and circumvent encryption standards. Civil rights, privacy and freedom of expression legislation embodied principally by the MCI will face continued challenges from proponents of greater security and penalties online through cybercrime legislation such as PL 3237/2015, PLS 730/2015 or PL 215/2015, should they be enacted into law.

As the president has indicated that he will support law and order measures, the proposals stemming from CPICIBER are gathering support, alongside PL Espião. In his first address as President, Temer called for judicial security and the “pacification” of the country. Brazil has acted to promote its model of Internet governance internationally, but the future of policies such as NetMundial is in doubt. It is certainly possible that Brazil could seek to prioritize the policies adopted at the ITU-sponsored WCIT, promoting greater state control over the Internet, rather than the multi-stakeholder model espoused at the end of the Rousseff administration. However, given the country’s size and centrality to the global network, it will play a key role in debates to come. By passing and implementing the MCI, Brazil has articulated a clear set of principles to govern what is at stake in these critical online debates. It is unclear how the new government will come to champion or ignore the system developed during past governments, but Brazil’s Digital Bill of Rights is a monumental achievement and benchmark, as Brazil and other countries formulate policy and develop online infrastructure to meet new challenges and opportunities moving forward.

Annex: Key Articles in the Marco Civil da Internet

Articles 2 and 3 of the MCI

Article 2. The discipline of Internet use in Brazil has as fundamentals the respect for freedom of expression, as well as:

  1. acknowledgment of the global scale of the network;
  2. human rights, personality development and citizenship exercise in digital media;
  3. pluralism and diversity;
  4. openness and collaboration;
  5. free enterprise, free competition and consumer protection; and
  6. the network’s social purposes.

Article 3. The discipline of Internet use in Brazil has the following principles:

  1. guarantee of freedom of expression, communication and expression of thoughts, under the terms of the Federal Constitution;
  2. protecting privacy;
  3. protecting personal data, as provided by law;
  4. preserving and safeguarding network neutrality;
  5. ensuring stability, security and network functionality, through technical measures consistent with international standards and by encouraging the implementation of best practices;
  6. ensuring that players/agents are accountable according to their activities, as provided by law;
  7. ensuring the participatory/collaborative purpose of the network; and
  8. ensuring free business models promoted on the Internet, provided they do not conflict with the other principles established in this Law.

Article 4 of the MCI

The discipline of Internet use in Brazil aims to promote:

  1. the right of all to access the Internet;
  2. the access to information, to knowledge and participation in cultural and public affairs;
  3. the innovation and stimulus of new technologies and models for use and access; and
  4. the adoption of open technology standards that allow communication, accessibility and interoperability between applications and databases.

Article 7 of the MCI

Access to the Internet is essential to the exercise of citizenship, and the following rights are guaranteed to its users:

  1. inviolability of intimacy and private life, protection and compensation for material or moral damage resulting from the violation;
  2. inviolability and secrecy of the flow of their communications through the Internet, except by court order, as provided by law;
  3. inviolability and secrecy of stored private communications, except upon a court order.

Article 9 of the MCI

The party responsible for the transmission, switching or routing has the duty to process, on an isonomic basis, any data packages, regardless of content, origin and destination, service, terminal or application.

  1. The discrimination or degradation of traffic shall be regulated in accordance with the private attributions granted to the President by means of Item IV of art. 84 of the Federal Constitution, aimed at the full application of this Law, upon consultation with the Internet Steering Committee and the National Telecommunications Agency, and can only result from:
    1. technical requirements essential to the adequate provision of services and applications; and
    2. prioritization of emergency services.

Article 10 of the MCI

The retention and provision of connection logs and access to Internet applications logs to which this law refers, as well as of personal data and of the content of private communications, must comply with the protection of privacy, of private life, of the honor and of the image of the parties that are directly or indirectly involved.

  1. The provider responsible for the retention of the records as set forth in Article 10 shall only be obliged to provide them, whether separately or associated with personal data or other information that allows the identification of the user or of the terminal, upon a judicial order, as provided in Section IV of this Chapter, in compliance with what is set forth in Article 7.
  2. The content of private communications may only be made available by court order, in the cases and in the manner established by law, and in compliance with items II and III of Article 7.
  3. The provision of the preamble of Article 10 does not prevent administrative authorities from accessing recorded data that divulges personal information, affiliation and address, as provided by law.
  4. Security and confidentiality measures and procedures shall be informed in a clear manner by the service provider, meeting regulatory standards and in compliance with rights of confidentiality of business secrets.

Article 12 of the MCI

Without prejudice to any other civil, criminal or administrative sanctions, the infringement of the rules set forth in Articles 10 and 11 above is subject, on a case-by-case basis, to the following sanctions applied individually or cumulatively:

  1. a warning, which shall establish a deadline for the adoption of corrective measures;
  2. fine of up to 10% (ten percent) of the gross income of the economic group in Brazil in the last fiscal year, taxes excluded, considering the economic condition of the infraction, the principle of proportionality between the gravity of the breach and the size of the penalty;
  3. the temporary suspension of the activities that entail the events set forth in Art. 11; or
  4. prohibition to execute the activities that entail the activities set forth in Art. 11.

Sole paragraph. In case of a foreign company, the subsidiary, branch, office or establishment located in the Country will be held jointly liable for the payment of the fine set forth in Art. 11.

Article 24 of the MCI

The following are guidelines for the performance of Federal Government, States, Federal District and municipalities in the development of the Internet in Brazil:

  1. establishment of mechanisms of governance that are multi-stakeholder, transparent, cooperative and democratic, with the participation of the government, the business sector, civil society and academia;
  2. promotion of the rationalization of management, expansion and use of the Internet, with the participation of the Brazilian Internet Steering Committee;
  3. promotion of rationalization and technological interoperability of e-government services, within different branches and levels of the federation, to allow the exchange of information and speed of procedures;
  4. promotion of interoperability between different systems and terminals, including among the federal agencies and different sectors of society;
  5. preferred adoption of open and free technologies, standards and formats;
  6. advertising and dissemination of public data and information in an open and structured manner;
  7. optimization of network infrastructures and promoting the implementation of storage, managing and dissemination of data centers in the country, promoting the technical quality, innovation and the dissemination of Internet applications, without impairment to the openness, neutrality and participatory nature;
  8. development of initiatives and training programs for Internet use;
  9. the promotion of culture and citizenship; and
  10. provision of public services for serving citizens in an integrated, efficient and simple manner through multi-channel access, including remote access.