Advances in Cyberspace Legislation and Possible Impacts on Business in Brazil
As we all know, Brazil is a country going through a process of development, with a highly promising market and, as is common for countries in such circumstances, it has been facing some difficulties in adapting its legal system to this new reality.
In this context, there have been countless initiatives to legislate on cyberspace. The computerized control of remote working, the crime of child pornography through the Internet, the computerization of the judicial process and the electronic monitoring of prisoners, among many other subjects, have already been addressed.
In fact, the legal world has always been permeated by technological advance, which constantly imposes on the legislator the challenge of reformulating the laws conceived up to then, especially in countries that adopt the Civil Law system.
In December 2012, Act No. 12.737/2012, which defines certain computer offenses as crimes, was at last enacted. It is interesting to note the origin of this legislation, which was passed after the personal computer of a famous Brazilian actress was hacked and intimate photographs of her were disclosed on the Internet.
The new legislation addresses important issues such as the hacking of electronic devices, unauthorized remote access and the interruption of telematic services, among others.
It is undeniable that all these issues should have been inserted in the Brazilian criminal legislation long ago. The harmfulness of the conduct and the complete revulsion demonstrated by society with regard to the cases that occurred were notorious. Evidently, to complete the three-dimensionality of the Law adopted by the Brazilian system, only the much-needed rule was missing.
Now that the rule has been enacted, albeit belatedly, we must analyze some of its elements, especially the impact it may have on business done in Brazil.
Regarding the invasion of a device and its derived forms, we find the first point for reflection: the new Act restricted the criminal classification of the conduct to cases where there is undue violation of security mechanisms. Thus, we can understand that all computing devices not equipped with a protection tool would be excluded from the scope of such legal application.
Furthermore, it is worth pointing out that, as the terms "security mechanism" and "computing device" (only hardware and software?) have not been defined in the law, there may be doubts about the complete classification of certain criminal cases.
To clarify the concept of "mechanisms", an interpretation similar to the Brazilian case-law notion of "obstacle", used to characterize qualified larceny, may be appropriate. Following this reasoning, accessories that are not integral parts of the regular functionality of the protected asset, and whose purpose is to prevent access to it, might be considered such mechanisms. This would be one of several possibilities of interpretation.
It is also important to analyze the assumptions of the conduct "to invade". This verb conceptually brings the idea of forcible entry, hostile entry, barrier violation. Therefore, cases of undue obtaining of data through social engineering techniques and other means (disclosure of the asset's password to third parties by the holder himself, for example) would in theory not be covered by the newborn classification. This is because there would be no violation, but only unauthorized access.
It is inferred, therefore, that all the hypotheses of increased punishment related to the act of invading, set forth in the paragraphs of article 154-A (obtaining of private communications, data disclosure), must be preceded by the violation of a security mechanism. Thus, there will be no crime in the case of obtaining and unduly disclosing data when the agent has free access to the victim's electronic device (for instance, a technician from an Information Technology company or a co-worker).
The impact on the conduct of business is evident: those that, located in Brazilian territory, hold electronic devices, whether connected to the Internet or not, must implement security mechanisms on such devices, so that in the event of an invasion the unlawful conduct can be classified as the crime set forth by law. It is, ultimately, a strategic decision that companies should adopt in the sphere of Information Technology.
Furthermore, companies in the technology field that provide services such as conducting security tests on their clients' computer systems, in which invasion is a necessary conduct to assess the possible existence of vulnerabilities in a security mechanism, also suffer direct impacts on their business. It will be essential that the contracts authorizing the violation of the security mechanism for testing purposes be in writing.
It must also be mentioned that, concerning the penalties for disclosure of trade secrets obtained by invasion (§§ 3 and 4 of art. 154-A), there is an apparent duplication of such legal provision, since undue disclosure was already considered an independent crime by the Industrial Property Protection Act (item XII of article 195 of Act 9.279/96).
Still on the fruitful caput of article 154-A, it is possible to foresee ample discussion on who would be the "holder of the device" invaded. May the mere holder of the device and the possible user appear as victims of this offense? The text of the law does not specify, but there is the slight impression that the crime refers only to the owner.
Here lies another point that gives rise to an impact on business, for the employer's pursuit of the offender's liability may be hampered if the employer is not the actual owner of the invaded device, precisely because the law is not clear as to the victim of the offence (device owner or user). This issue is further aggravated by the growing corporate policy of BYOD (Bring Your Own Device), which encourages employees to use their own devices for corporate purposes.
Finally, it seems that the low penalties applied by the new legislation will not have the potential to achieve the intended purpose, especially in cases reportedly committed for ideological purposes. Indeed, in general, the penalties prescribed by this Law have little deterrent effect, since they allow the application of the benefits provided by small claims court procedures.
By contrast, it seems that the international trend is exactly the opposite: recently it was reported that the Judicial System of the State of California (USA) sentenced a hacker accused of stealing celebrity photos over the Web to 10 years' imprisonment, in addition to the payment of damages in the amount of $76,000 (seventy-six thousand dollars).
Of course, we do not advocate here multiplying the Brazilian prison population only for the punishment of computer crimes. However, it is difficult to understand how a law created after so many years of discussion can establish symbolic penalties which do not discourage the offender.
Let us compare: in Brazil, for the crime of theft of a wallet with rupture of an obstacle (door breaking, etc.), the Law provides from 2 to 8 years of imprisonment. For embezzlement the basic penalty is from 1 to 5 years of imprisonment. In both cases, the damage may be only material, with the probability of arresting the offender and even recovering the stolen goods. And most times such goods are fungible.
On the other hand, in a great part of cybercrimes the material losses are only a small part of the problem. Furthermore, this is precisely the great differential of these occurrences: the damage can be to aspects of individuals' intimacy and private life, sensitive business information, etc. That is: intangible data and, naturally, of incalculable value!
For these reasons, and in view of frequent news regarding bankrupted companies and jobs lost due to the practice of computer crimes, the payment of basic food, the provision of services to the community and other benefits directed at minor offenses seem a timid criminal punishment for such conduct, with such grievous consequences.
Given these considerations, it is concluded that foreigners wishing to do business in Brazil should be aware of the intricacies of Brazilian legislation, especially regarding the Electronic Law, so that in the future they do not suffer negative consequences due to lack of preparation.
Renato Opice Blum, lawyer, economist and professor. Pioneer in the study of the Law of Cyberspace in Brazil.
Camilla do Vale Jimene, lawyer and professor. Practicing in the area of the Law of Cyberspace in Brazil.