Octopus Cybercrime Community

Legislative process

The legislative process is initiated with the proposal of an ordinary or supplemental law (a bill of law) by:

• any member or committee of the Chamber of Deputies, Federal Senate, or National Congress;
• the President of the Republic;
• the Federal Supreme Court and Higher Federal Courts;
• the Attorney General of the Republic;
• any ordinary citizen in the manner and cases provided for in the Constitution of 5 October 1988.

A bill approved by one Chamber must be reviewed by the other in a single round of discussion and voting. If the reviewing Chamber approves the bill, it must be sent for enactment or promulgation, or if it is rejected, it must be archived. If a bill is amended, it must return to the Chamber that initiated it.

After being approved by the reviewing house, a bill is then sent to the President for final approval or veto. If approved by the President, it becomes law forty-five days after its publication in the Official Gazette (Diário Oficial), or within the period of time established in the bill.

The President can veto a bill of law in whole or in part if he/she considers it unconstitutional or contrary to the public interest. The veto must occur within fifteen working days, counted from the date of receipt, and the President must inform the President of the Senate of the reasons for his/her veto within forty-eight hours. After a period of fifteen days has elapsed, silence on the part of the President of the Republic operates as an approval.

A presidential veto is examined in a joint session, within thirty days counted from the date of receipt, and may be rejected only by the absolute majority of the Deputies and Senators through secret voting. If the veto is not upheld, the bill is sent to the President for promulgation. (US Library of Congress, 2020)

Cybercrime legislation

Over the years, cybercrime has preoccupied the legislator significantly, with both houses of Congress proposing several amending draft laws to the Penal Code and Criminal Procedure Code in this respect. The following legislation incorporates or is dedicated to specific aspects regarding cybercrimes and electronic evidence:

• Penal Code/ Código Penal – Decreto-Lei Nº 2.848 (Dec 1940);
• Law/ Lei Nº 12.737 (Nov 2012), amending the Penal Code with some substantive provisions on cybercrimes;
• Law/Lei Nº 14.155 (May 2021), amending the Penal Code and Criminal Procedure Code (with impact on cybercrime offences and competence);
• Law/ Lei Nº 8.069 (Jul 1990) – statute of children and adolescents;
• Criminal Procedure Code/ Código de Processo Penal – Decreto-Lei Nº 3.689 (Oct 1941).
• Law/ Lei Nº 9.296 (Jul 1996) – on interception of communications;
• Law/ Lei Nº 9.610 (Feb 1998) – Brazilian Copyright Law;
• Law/ Lei Nº 9.609 (Feb 1998) – on intellectual property of computer programmes (Brazilian Software Law);
• Brazilian Internet Law/ Marco civil da Internet – Lei Nº 12.965 (Apr 2014) – rights and obligations of internet use;

Lei Nº 12.965 (2014), known as the Brazilian Internet Law aims to consolidate the rights, duties and principles for the use and development of the Internet in Brazil. It also provides for the ISPs to retain connection data.

Currently, the Congress of Brazil is debating a draft law amending the Criminal Procedure Code, defining the rules for obtaining and admissibility of digital evidence in criminal proceedings.

The Penal Code of 1940 was amended in 2012 and further in 2021 and as effect, new cybercrime offences were included or amended and/or heavier sanctions were included for several cybercrime offences.

As such, in 2012, Law 12.737 introduced into the Penal Code the crimes of illegal access, illicit dissemination of devices and denial of service (Articles 154-A, 154-B, and 266). It also criminalized the counterfeit of credit cards.

Illegal interception is provided for in article 10 of the Law 9.296/96.

The Statute of the Child and Adolescent (Estatuto da Criança e Adolescente), Law 8.069/1990, in articles 240, 241-A, 241-B, 241-C and 241-E, provides for punishment of factuality related to digital child pornography., while the law Nº 13.185 of 2015 focuses on online bullying.

The Brazilian legal framework does not provide specific provisions on digital evidence. There are also no specific international judicial cooperation rules in the area of cybercrime. Some procedural powers still exist in other laws:

• Article 10,§3º Law 12.965 (2014) allows police authorities and the Public Attorney's Office to request directly to service providers to grant access to users' subscriber data (not included IP addresses which depend on a court order).
• Article 10 of Law 12.965/2014 provides that a court order is required for providers to make available connection records, as well as stored content of private communications.
• The provisions of the Criminal Procedure Code on traditional search and seizure (art. 240 of the Criminal Procedure Code) are use also for search and seizure of stored computer data.
• Interception of communications is regulated by Law 9.296/1996, allowing the interception on both telephone and information technology systems in the scope of criminal investigations. Setting up an interception is conditioned by a court order and the request must be justified by a reasonable suspicion of the crime and by the impossibility of obtaining evidence by other means.
• The new article 10-A of Law 12.850 (2013) included and regulated the possibility of virtual infiltration by police agents.
• Article 38 of ANATEL Resolution 596/2012 allows the agency to directly request access to account information and call records of users from service providers.

The Brazilian Federal Constitution (1988) generally protects the right to privacy, including the secrecy of correspondence, telegraphic, telephone and data communications. The amendments of February 2022 brought on the Constitution included the right to the protection of personal data, including in digital media, is ensured under the law, as a constitutional fundamental right.

Law 12.965 (Marco Civil da Internet, 2014) provides safeguards on article 7 which ensures the secrecy of private stored data, which can be disclosed only by a judicial order, and the secrecy of communications flow, which can be disclosed only by a judicial order with the limits specified in the law.

The Interception law also contains safeguards, the period for surveillance may not exceed 15 days, but it can be renewed for equivalent periods under strict court scrutiny and only when it is the sole means to investigate a crime.

• Constituição Da República Federativa Do Brasil (1988)
• Penal Code/ Código Penal – Decreto-Lei Nº 2.848 (Dec 1940);
• Law/ Lei Nº 12.737 (Nov 2012) – amending the Penal Code;
• Law/ Lei Nº 12.735 (Nov 2012) – amending the Penal Code to set up specialized teams in the judicial police to combat cybercrime;
• Law/ Lei Nº 14.155 (May 2021) – amending the Penal Code and Criminal Procedure Code;
• Criminal Procedure Code/ Código de Processo Penal – Decreto-Lei Nº 3.689 (Oct 1941);
• Law/ Lei Nº 9.296 (Jul 1996) – on interception of communications;
• Resolução Nº /Resolutions 426 (Dec 2005), 477 (Aug 2007) and 614 (May 2013) of the Agencia Nacional de Telecomunicacoes/ National Telecommunications Agency (ANATEL) requiring service providers to retain data related to landline and mobile telephone services;
• Law/ Lei Nº 8.069 (Jul 1990) – statute of children and adolescents;
• Law/ Lei Nº 9.610 (Feb 1998) – Brazilian Copyright Law;
• Law/ Lei Nº 9.609 (Feb 1998) – on intellectual property of computer programmes (Brazilian Software Law);
• Law/ Lei Nº 9.279 (May 1996) – Brazilian Industrial Property Law;
• Brazilian Internet Law/ Marco civil da Internet – Lei Nº 12.965 (Apr 2014) – rights and obligations of internet use;
• Civil Code/ Código Civil – Lei Nº 10.406 (Jan 2002);
• Code of Civil Procedure/ Código de Processo Civil – Lei Nº 13.105 (Mar 2015);
• Brazilian Corporation Law (translation of amendments till 2001)/ Lei Nº 6.404 (Dec 1976);
• Anti-Corruption Law or Clean Company Act (unofficial translation) / Lei da Empresa Limpa or Lei Anticorrupção – Lei Nº 12.846 (Aug 2013);
• Law 13.709 (Aug 2018) on general data protection (unofficial translation)/ Lei Geral de Proteção de Dados Pessoais - LGPD48 and amends Lei Nº 12.965 (Apr 2014) – Brazilian Internet Law;
• Decree No. 8.420 (unofficial translation) / Decreto Nº 8.420 (Mar 2015) – regulates the Anti-Corruption Law;
• Law/ Lei Nº 13.445 (May 2017) – immigration law;
• Lei Nº 8.137 (Dec 1990) – defines crimes against tax, economic and consumer relations;
• Lei Nº 12.735 (Nov 2012) – amends the Penal and Military Codes, and Law Nº 7.716 (Jan 1989) on racial/ethnic discrimination; sets up specialized police stations to fight cybercrimes;
• Lei Nº 9.613 (Mar 1998) – on money laundering;
• Lei Nº 12.850 (Aug 2013) – on organized crime;

The Ministry of Justice and Public Security, through the Department of Asset Recovery and International Legal Cooperation of the National Secretariat of Justice (DRCI/Senajus) acts as the Central Authority for International Legal Cooperation. As provided in Decree No. 9662 of 1 January 2019, the processing of measures relating to extradition and the transfer of convicted persons is the competence of the same Department of Asset Recovery and International Legal Cooperation of the National Secretariat of Justice. With the aim of improving the processing flow of extradition requests, giving this process greater celerity, Ordinance No. 217 of 27 February 2018 was published.

International Cooperation Unit (SCI) at the Federal Prosecution Service (MPF) is attached to the Office of the Prosecutor General and has been assisting the Office of the Prosecutor General since 2005 in matters of international judicial and legal cooperation with foreign authorities and international organizations, and in relations with national bodies involved in international cooperation activities.