The Brazilian Internet Act completes 10 years focusing, among other key points, on privacy of users and their personal data.
Such attention reinforces the need for companies and financial institutions that operate in digital environment to be aware of the rules involving breach of data confidentiality, so that they can adopt a collaborative stance with the Judiciary and, in parallel, avoid liability towards its users.
According to the Brazilian law, anyone can make a legal request to breach confidentiality of a user’s data, as long as they present:
1. evidence that said user has committed an offense against them in a virtual environment;
2. justification of the usefulness of the requested data, for the purposes of investigation or evidentiary instruction; and
3. indication of the period to which the records refer, that is, in which period the act considered abusive was committed.
However, companies must only reveal user data upon express court order, under penalty of violating privacy and possible liability on the part of the user who had their data unduly revealed. As per Brazilian Internet Civil Act, only a judge can verify whether an abusive or illicit act on the part of the user occurred, which justifies the breach of personal data – it would not be up to companies to make such a judgment to define whether or not to provide such personal data.
Furthermore, according to the law, the data that must be stored by companies (and provided in a timely manner upon court order) are access records (i.e., IP address, date and time) and other information that may contribute to the identification of the infringing user. In other words, if the judge determines the presentation of additional data, beyond what is provided for by law, the order may be challenged.
