• Brazilian Regulators Slap $1.59 Million Fine on Telecom Giant Oi, Alleging Violations of Users’ Privacy Rights
  • September 18, 2014 | Authors: Ieuan Jolly; James D. Taylor
  • Law Firm: Loeb & Loeb LLP - New York Office
  • As a reminder of the transnational nature of online data collection-and the ever-expanding web of regulatory bodies stepping in to monitor how information is collected and used-Brazilian regulators announced that they had issued the nation's first penalty under the country's new Internet law, the Marco Civil da Internet. Brazil's consumer protection agency, the Justice Ministry's Department of Consumer Defense and Protection (DPDC), sued the telecommunications company Oi for a variety of violations relating to Oi's partnership with a U.K.-based online advertising company, Phorm. Together, the companies developed software that tracked and generated profiles of users' browsing practices. The profiles were then sold to online advertising firms, which could ultimately use the data to generate customized "behavioral" advertisements.

    The Brazilian law, enacted in April 2014, includes a number of controversial provisions, including a net neutrality provision requiring that every data transmission be treated equally regardless of its content, origin, destination, service, terminal, or application, and a restriction on how companies that collect online data share that information with government officials. Although an earlier draft of the law would have required foreign companies (such as Facebook) to store data concerning Brazilian users on Brazil-based servers, those provisions garnered considerable opposition and were ultimately defeated. The law, however, does include a "long-arm" jurisdiction provision that allows the Brazilian government to enforce its provisions against off-shore businesses that collect, maintain, or store data from Brazilian users.

    Oi was charged with violating the provisions of the law that prohibit Internet service providers and mobile app providers from blocking, monitoring, filtering, or analyzing any data transmission. The DPDC found that Oi violated the law by, among other actions, overriding network defaults and misleading consumers by failing to disclose how browsing histories would be charted and used for advertising purposes. Oi's partner, Phorm, had already been the subject of an investigation by officials in the U.K. and European Union. Although it paid the fine, Oi has denied any violation of the law, reportedly asserting that the use of the tracking software was limited to a small group of consumers who had been invited to and agreed to participate in the testing of the tracking software. Oi also asserts that its use of the tracking software was overseen by Brazilian regulators and was suspended in March 2013, and that no data has been sold to third parties. The company reportedly intends to appeal the DPDC's decision, but it remains to be seen whether customers will bring individual civil suits or class actions for injuries associated with the alleged privacy violation.

    The nearly $1.6 million fine should serve as a warning to multinational companies operating in the fast-growing Brazilian market to take appropriate measures to comply with all applicable laws-domestically and internationally.