Have you ever wondered how the storage and registration of information on the internet work? Or whether the information contained therein remains stored indefinitely? The Brazilian Civil Rights Framework for the Internet clarifies these questions.
Connection and access registration to internet applications
First, let's understand the definition of records. The Brazilian Civil Rights Framework for the Internet (Law 12,965/2014) has conceptualized two different types of records. The connection record relates to the date, start and end time, i.e., the duration, and the IP address used when the user connects to the internet. (Item VI, Article 5 of Law 12,965/14).
In contrast, the access log to applications is a set of information regarding the date and time of use of a specific internet application from a particular IP address. (Item VIII, Article 5 of Law 12,965/14). Internet applications refer to, for example, content portals, social media, emails, etc. Therefore, it refers to some functionality accessible via the internet.
How does the Civil Rights Framework interpret data retention?
The data retention system is its own system, which means that the Civil Rights Framework grants freedom for its own storage policy, provided that these data are subsequently removed and kept confidential. In other words, the data must be retained for a limited period, and access is ensured only in certain circumstances and upon prior judicial authorization.
What is the legal regime for different records, according to the Civil Rights Framework for the Internet?
Regarding the internet connection provider, it is the responsibility of the autonomous system administrator (for example: Comcast, AT&T, and Verizon) to store connection records. For these providers, it is mandatory to maintain or store connection records under secrecy, in a controlled and secure environment, for a period of 1 year. (Article 13).
Acess records to applications have some differences. First of all, it is the application providers who are obligated, but not all of them. According to Article 15 of the Brazilian Civil Rights Framework for the Internet, only the application provider that is constituted as a legal entity and that conducts activities in an organized, professional, and economically with profit-making goals are required to store application records for a period of 6 months. Thus, non-profit NGO websites, for example, do not need to keep these records since they do not meet the requirements of Article 15.
What are the ways to access this data?
Administrative Request
The administrator must keep the records confidential, respecting the deadline until judicial authorization is granted. However, police authorities, the Public Ministry, or administrative authorities may request, in a cautious manner, any provider to keep records for periods longer than those provided for, for a period of one year for connection records and six months for access records (Article 15, § 2 of the Civil Rights Framework). These authorities have a period of 60 days, counted from the request, to file for judicial authorization to access the records; if the request is not made within the period, this administrative request will lose its effect. (Article 13, §3 of the Civil Rights Framework).
Moreover, administrative authorities may have access to registration data without prior judicial decision, such as the user's personal information, affiliation, and address, in accordance with Article 10 §3 of the Civil Rights Framework.
Judicial Request
The interested party may, in order to form a set of evidence in a judicial process, make a judicial request to access the records, provided it meets the admissibility requirements, established in Article 22 of the Civil Rights Framework including: there must be demonstrated founded indications of the occurrence of the offense, a motivated justification of the usefulness of the requested records for the investigation or probative instruction, and the period to which the records refer. If the requirements are met, the judge will analyze the merit and grant the request, ensuring the party access to the records.
Conclusion
The Brazilian Civil Rights Framework for the Internet was an important step in ordering the information that is recorded, legitimizing data storage, and, more than that, its use for eventual liability for offenses committed. Thus, it established limits on access to data, including a deadline for the providers' own retention of the information and requiring, in most cases, motivated judicial decisions to authorize their use.
Furthermore, it is important to remember that the storage of these records involves personal information, so their storage must be carried out in a way that does not violate the privacy rights of users.
