quarta-feira, 21 de maio de 2014

Repercussions of Brazilian internet Law on international agreements with Brazilian users.

 The picture declares: Say NO to the Brazilian Internet Law. 



The new Brazilian internet law (Marco Civil da Internet), which is bound to enter into force at the end of June, 2014, is a complex regulation, encompassing public policies, technical standards and consumer’s rights. The bill also has some very worrying provisions that allow the State to closely monitor internet users and contents published in the internet and that resemble censorship.

In this article, I will focus on the provisions dealing with private international law and regulation of international agreements related to the internet.

General approach

Brazilian conflict of law rules have historically been based on the domicile of the contracting parties. That is, generally Brazilian law will apply over agreement entered into in Brazil and not apply when agreements have been executed abroad. Nationality of the parties is not important.

In case of agreements between parties who happen to be physically distant, Brazilian law determines that the law of the country of residence of the one making the proposal shall be the applicable law.

Since internet agreements don’t have a physical place where they are signed, and since most of providers of software, applications and other internet services are not located in Brazil, the application of Brazilian rules will generally bend towards the law of the country of the provider (considering that the provider –seller- is typically the one who proposes the terms).

Brazilian government seems to have resented this situation. The new internet law reflects this disturbance and has adopted a legal shortcut to allow the use of Brazilian law in agreements entered into through virtual environments. The Marco Civil determines that whenever a terminal is located in Brazil, the legal residence of the party using the terminal should also be Brazil. And that any internet transaction (or exchange of information) performed through a terminal located in Brazil should be subject to Brazilian law.

Terminal, under the legal definition, is any device capable of accessing internet. From cell phones to heavy processors and servers.

Limits to the application of Brazilian law over terminals located in Brazil.

The use of Brazilian law over terminals located in Brazil is, in theory, restricted to the acts of collection, keeping and using user’s data. And Brazilian law should be applied specifically in what regards privacy and protection against non-authorized use (including sale of information for advertising agencies, espionage and data mining by foreign governments).

If the scope of the use of Brazilian law were limited to the topics above, it means that commercial terms of the agreements should be subject to usual conflict of law rules, meaning that the use of foreign law would be allowed.

This conclusion, however, is not certain.

For once, because another part of the law mentions that the application of Brazilian consumer protection rules is also mandatory.

Also, the law may be used by the government to justify the taxation of software sales and licensing in Brazil.
In addition to that, several principles established by the bill are phrased to sound as “collective interest and national security” issues. Whenever a rule is considered as relevant to nation security, it attracts Brazilian law.
This means that some dominant clauses in standard terms of use, such as a clause allowing the Seller to automatically charge the Buyer’s credit card, may be ruled illegal in Brazil because Brazilian law is very protective of consumer’s credit, and because the application of Brazilian consumerist law may be considered as a matter of national security and public interest.

Limitations to the choice of forum and arbitration

The bill also establishes that mass agreements entered into via internet cannot exclude Brazilian forum. Or, in other words, the law prohibits foreign providers to attract the solution of disputes to their home countries (Facebook would not be allowed to choose the US as the preferred forum for dispute resolution, for instance).

It is not clear if this provision will prevent the use of arbitration or if the use of arbitration in those cases must follow some special provisions that are already applicable to domestic consumer agreements (basically, the need for a very distinctive clause, in bold letters).

Consequences: Shut down of websites and persecution of subsidiaries in Brazil

The consequences of the non-compliance with the privacy rules described in the bill are dire: a fine of up to 10% of the gross revenue of the economic group responsible for the application (think 10% of the worldwide revenues from Angry Birds, or, again, Facebook).

The bill provides, clearly, that the fines may be charged against local subsidiaries of the companies, and even against any assets or related companies and distributor in Brazil .

The law does not mention in clearly, but the shutdown of a website is also a possibility (it is important to note that even famous sites like youtube have been shutdown in Brazil, a few years ago).

Conflicts with international conventions. Possible unconstitutionality.

Some aspects of the Marco Civil violate international privacy protection agreements. Many of those agreements have not been ratified by Brazil, but are applicable in the countries where the application provider is located. Specially, the Marco Civil determines that the Sellers of internet servers or applications must cooperate with Brazilian authorities and share information about its customers with the Brazilian police and courts.

Moreover, the application of penalties over local subsidiaries that have not performed any illegal activities per se may be ruled unconstitutional, since the Brazilian constitution prohibits the penalization of innocent parties.
The Brazilian internet law is bound to controversy and, possibly, to battles in court regarding its validity vis a vis international conventions, as wells as its constitutionality. We shall watch carefully how the principles and rules described in the law are applied,




Practical problems with the new Brazilian internet law (Marco Civil da Internet) - 2


Please also read: 

Mandatory changes to Internet User Agreements in Brazil


I'm starting a series on Brazilian new Internet Law.  This is the second post. 


I will proceed with some conversations I had just after the law came into force. A longer and more detailed article will follow. 





Dear Adler,

I actually thought about you those days.

We are currently researching questions around data security of cloud services (i.p. e-mail, files) in Brazil for a Germany company who is planning to integrate a Brazilian subsidiary into their IT. We hope to get a project out of it, in which case we would probably also need some legal advise on the topic. E.g. 

- regulations and data protection laws (compared to US/ Europe)
- privacy protection for data transferred to Brazil
- do other international companies use cloud services in Brazil, despite the security problems?
- etc.

Is that an area you are familiar with, so that we could come back to you? 

Best regards,


---------------------------------

Dear Edith,


Your consultation comes at a very interesting time. Just yesterday a new law has come into force in Brazil, the Marco Civil da Internet (Internet Civil Regulation). 

Is has basically changed the Brazilian data protection system completely. It has, for example, made Brazilian law mandatory in many cases.

Since this kind of conflict of law situation is my specialty, I'm currently providing consultancy to another foreign company in the matter. 

That said, I would be honored to help you in this situation.  Please tell me more details. I'm also open to a phone call, if you prefer. 

May I post this conversation in my blog, without mentioning names? I'm currently writing a few articles on this subject, since the law is very recent and there is little material about it. 


Regards,


Adler

--------------------------


Hi Adler,

as promised, here is some more background information:
- A Germany-headquarted international company has recently acquired two companies in São Paulo. 
- Now the IT should be integrated, and it is evaluated whether cloud services can be used for email and files (Microsoft Office365). 
- Technical support should be provided from support centers in the EU and/ or USA. For this purpose, personal data from Brazilian employees and customers, stored on servers in Brazil, would need to be accessed from Europe or the US. 
- Sidenote: EU’s data protection laws restrict exporting personal data outside of the EU. Companies must sign detailed EU Standard Contractual Clauses (aka “Model Clauses”) with partners outside of the EU. For data exchange with US-companies, there is also a "Safe Harbour" framework, which e.g. Microsoft has signed.

So here are some questions that come to my mind:
- Do you know whether it is common for international companies to use cloud services in Brazil?
- What are the legal regulations and requirements w.r.t. data protection for using cloud services in Brazil, and exporting personal information to the exterior?
- I have read the new law. What will it mean in practice for a company using cloud services like Office365 in Brazil? Are there other laws and regulations besides the Marco Civil da Internet applicable for this case?
- Are there any standard regulations or contracts between Brazil and the EU or USA (like the "Safe Harbour")?

I am free to talk via phone or e-mail, whatever is more convenient for you. For phone please just let me know when there would be a good time to call you. 

We should also think about a future collaboration, I hope that there will be a project and further advice needed.

Many thanks,

E. C.

---------------


Dear Adler,

just a quick heads up: I will have to finish my research on this topic today.

From what I found out so far, there is no restriction in Brazil for a company saving user data outside of the country. The only difference with the new law seems to be that Brazilian law applies. So that if a Brazilian authority requires the data it has to be available regardless the law of the country where the data is stored.

In case there is anything else you can advise to the topic in addition to that, I would be greatful for a hint.

Thanks for your time and effort!

E.C.

-------------------


Dear Edith,

You are correct. It is possible to save data abroad, but Brazilian law will apply. Not all of Brazilian law, but only some specific privacy provisions brought by the Marco Civil.

But I would add that it is not only the data that must be available,  it must be clear to the government that the company has taken measures not to keep data from Brazilians for longer that the law allows (typically one year). 

Since Brazil does not have jurisdiction abroad, lack of compliance will probably means that Internet providers in Brazil will be forbidden to grant access to the website.  That is, your website or email server could be shut down.

Regards, 

Adler









Practical problems with the new Brazilian internet law (Marco Civil da Internet) - 1

I'm starting a series on Brazilian new Internet Law. 

Please also read: 

Mandatory changes to Internet User Agreements in Brazil




I hope the image ilustrating the post helps explaining what this law really is about: censorhip (and taxes, but we will get there later).

I will start with some conversations I had just after the law came into force. A longer and more detailed article will follow. 









CONVERSATION 1.


Hi Adler - 

Hi hope this finds you well.  I'd like to call an old favor. 

As you may remember, I work for an American National Entity that is very concerned with Internet privacy and internet communications. We have a website available to Brazilians.

We are trying to get a grasp of how the new Marco Civil will impact our business and what changes we need to make (if any). I'm not sure if this falls within your area of expertise. If not, could you recommend someone that we could speak with?

Nick F.


---------

Nick,

You know you can always count on me.

I'm studying the new law right now. I'm focusing on its conflict of law provisions (mandatory application of Brazilian law in some cases) and in its tax provisions. 

We can talk about that if you want. I will also publish a blog post on the next days. 


Regards, 

Adler

---------


Adler,

+ our legal counsell operative, Matt.

Thanks for getting back to me. 

Although we are interested in all aspects of the law (including tax provisions), what we are most concerned about right now (correct me if I'm wrong, Matt) is how this law impacts the collection, use, storage, and process of personal data for which the law seems to state a website needs a users consent. 

Depending on the interpretation of this text, it could make it very difficult for websites to operate in Brazil. Is this something you have a grasp on? Maybe the better question is, does anybody in Brazil have a grasp on the meaning of this? 

FYI - We still do not have a Brazilian entity, but it is something we are considering in the near future. 

Thanks again,


N.F.
-------------------------

Nick,

To be honest, I'm not quite sure. The law is terribly drafted. 

Article 7 institutes heavy limitations on the use of customer's information. 

Article 8 says that the exclusion of Brazilian courts is not allowed in "Internet contracts", but it is not clear if the use of arbitration would circumvent this prohibition. 

Finally, article 11 mandates the use of Brazilian law, basically whenever there is collection of cusomer's information. However, it is not clear if: 

i) arbitration would circumvent this; 
ii) the execution of a separate agreement, specially a commercial one, would be enough to allow for the use of a foreign law;
iii) if this has any practical application, since:

  a) it is not probable that Brazilian will choose local courts to sue foreign-based companies and web sites.  and
  b) Brazilian general conflict of law rules would indicate a different approach, and it is not clear which rule (the general ones or this one) will apply in a determined case


Also, the law mentions that registers of the use of the information by foreign applications must be maintained by local service providers in Brazil. I suppose this is aimed at big Telecom or phonecompanies that sells apps in Brazil, inter alia. 

But I'm not sure how this would translate to mass markets if you take the use of internet via desktops into account. 


I'm open to discuss this matter over the phone, without cost.  In case you feel you need a legal opinion, we can discuss that. 

May I publish this conversation in my blog, without mentioning your name? This would help a lot. 

Regards, 

Adler
-------------------------

Correct

We need to understand what qualifies as a "user" ?  Someone who merely "uses" or site without registering with an account, or someone who registers with our site only (where we can get an "agreement" to some extent)

We need to understand what PI is for such casual users, and for registered users.

We need to understand cookies on users.

But yes.  This law on its face seems difficult if not impossible to comply with.


Matt M.







sábado, 17 de maio de 2014

Visa obstacles hurting World Cup before it starts - Soccer | Fútbol - MiamiHerald.com

It is definitely bad for business.

But a piece of me enjoys a little Schadenfreude. Brazilian adpots automatic reciprocity on most (theoretically all) of its international relationships. Therefore, Brazilian requirements mirror American ones minutely. It would be very good if the US could give us a break on the visa procedure.





Visa obstacles hurting World Cup before it starts - Soccer | Fútbol - MiamiHerald.com:



'via Blog this'

segunda-feira, 12 de maio de 2014