Skip to main content

Brazilian Civil Rights Framework for the Internet (Marco Civil da Internet)

Brazil's Marco Civil da Internet is a foundational internet law guaranteeing rights such as net neutrality and privacy, setting data retention duties, and basing intermediary liability on court orders. It complements Brazil's LGPD data protection law.

Jurisdiction
Brazil

What Marco Civil Is

The Marco Civil da Internet (Law No. 12,965/2014) is Brazil's foundational internet law, often described as an "internet bill of rights." It sets out the principles, guarantees, rights, and duties governing internet use in Brazil, including freedom of expression, privacy, net neutrality, and rules on data retention and intermediary liability. It exists to balance user rights, innovation, and accountability in the digital environment, and it predates and complements Brazil's later data protection law, the LGPD.

Marco Civil shaped how internet access and online platforms operate in Brazil and established a notable model for intermediary liability based on judicial orders.

Who It Applies To

The law applies to internet connection providers, internet application providers (online platforms and services), and users in Brazil. It reaches services that offer functionality to Brazilian users, and certain provisions extend to providers based abroad when they serve the Brazilian market. Connectivity providers and application providers have distinct obligations, particularly around data logging.

Key Requirements

  • Net neutrality — Treat data packets equally, with limited, regulated exceptions, and not discriminate based on content, origin, or application.
  • Privacy and data protection — Protect users' privacy and personal data and require informed consent for data collection and use, consistent with later LGPD rules.
  • Connection log retention — Connection providers must retain connection logs for one year, under defined conditions.
  • Application log retention — Application providers must retain access logs for six months, under defined conditions.
  • Intermediary liability — Platforms are generally liable for third-party content only after failing to comply with a specific court order to remove it.
  • Transparency and due process — Apply clear terms and respect users' rights, including for content removal.

Penalties for Non-Compliance

Violations can result in warnings, fines, temporary suspension, or prohibition of activities, depending on severity. Privacy-related breaches may also engage LGPD penalties enforced by the data protection authority. Courts can order content removal and impose sanctions for non-compliance with judicial orders.

How to Comply

Connectivity and application providers should implement compliant log retention with strong security and access limited to lawful requests. Respect net neutrality in network management, protect user privacy with proper consent practices aligned to LGPD, and operate clear processes to respond to court-ordered content takedowns. Maintain transparent terms of use and due-process protections for users, and coordinate Marco Civil and LGPD compliance, since they overlap on privacy.