SECONDARY LIABILITY OF SERVICE PROVIDERS IN BRAZIL: THE EFFECT OF THE CIVIL RIGHTS FRAMEWORK
In April 2014, the Brazilian National Congress passed Federal Law number 12.965, known as the Civil Rights Framework for the Internet. This law is praiseworthy both for the means by which it was developed and its effect. That is to say, the legislation i) was the result of numerous public hearings in which civil society was called on to participate actively, ii) endorses democratic principles for full access and use of the Internet in the country, and iii) sets clear parameters for the liability of Internet-service providers. Based on this new legislation, this Chapter sets out to portray the panorama of the liability of Internet-service providers in Brazil today, in comparison with the understanding of Brazilian doctrine and jurisprudence on the matter prior to the enactment of the Civil Rights Framework. It concludes that the Brazilian system seems to have taken an important step in building efficient parameters for the liability of providers, including the need for a legal notification as a formal requirement to hold the provider responsible.
The Brazilian Civil Rights Framework (Law number 12.965, dated 23 April 2014) ‘establishes principles, guarantees, rights and duties related to the use of the Internet in Brazil’. The project arose in 2009 and was approved in the House of Representatives on 25 March 2014 and in the Federal Senate on 23 April 2014, and immediately afterwards approved by President Dilma Rousseff. The legislation deals with themes such as network neutrality, protection of privacy, retention of data, and the social functions that the network must fulfill, in particular ensuring freedom of expression, preventing censorship and transmitting knowledge, in addition to imposing obligations on users and providers with regard to civil liability.
In this aspect, the Brazilian legislation expressly imposes secondary liability on an Internet Service Provider (ISP) for content generated by third parties in cases of non-compliance with a judicial notice requiring the ISP to take down unauthorised, abusive or illicit material. This measure was adopted after taking into account the general criteria for indirect liability in Brazil, as well as the approaches taken in other legal systems that share the same origins as the Brazilian legal system—that is, civil law jurisdictions. It operates on the premise that the provision of internet service should not include any guarantees regarding the content generated by third parties and that strict liability for damage resulting from such provision of services therefore could not be seen as a normal risk of doing business as an ISP.
Nonetheless, the legislation does not ignore the damage that can result from the provision of Internet services. It also effectively makes ISPs responsible for the conduct of third parties in defined circumstances, as set out below.
In that sense, the Civil Rights Framework appears to be a law intended to establish procedures for the protection of Internet users in Brazil. According to Marcelo Thompson, the Civil Rights Framework ‘inspires many of the fundamentals that it acknowledges for the Internet in Brazil, and is especially innovative in its use of a vast platform of collective deliberation to draw up its final text. Above all as regards its aspirations to guarantee what is understood as the rights of Brazilian citizens, it can be said that Civil Rights Framework is a fundamental charter, indeed a real Constitution for the Internet in Brazil’ (Thompson 2012, 205).
This Chapter examines four of the elements of the Civil Rights Framework, namely, articles 18, 19, 20 and 21, and considers how those provisions affect the secondary liability of ISPs in Brazil.
1.2 The concept of the Internet service provider
It is important to identify the situations where the Civil Rights Framework is applicable, or rather, to whom the law is addressed, or even more precisely, who will eventually be called to answer for the damages caused directly or indirectly to users of the Internet. Thus, the first issue to be addressed in this chapter is the meaning of the term ‘ISP’.
As Marcel Leonardi sees it, ‘the provider of Internet services is the genus of which all the other categories (backbone provider, Internet access provider, e-mail provider, hosting provider and content provider) are species. The Internet-services provider is the individual or corporate person who provides services related to the functioning of, or through, the Internet. The confusion is common because many of the chief providers of Internet services function as providers of information, content, hosting, access and e-mail’ (Leonardi 2005, 21). Despite this notion of providing Internet services being widely accepted by doctrine and jurisprudence, the Civil Rights Framework makes no mention of it.
The Civil Rights Framework does contain the notion of a so-called ‘autonomous-system administrator’, to whom certain of its provisions are applicable.[i] Such a person is defined as ‘a physical or corporate person that administers specific Internet Protocol (IP) address blocks and the respective autonomous routing system, duly registered in the national body responsible for the registration and distribution of IP addresses geographically pertinent to the country’ (article 5, IV).
Article 5 also refers to two other more technically appropriate concepts, which perhaps are of greater relevance: (i) the concept of connection to the Internet, involving the setting-up of a terminal for sending and receiving data packets over the Internet by means of attributing or authenticating an IP address (article 5, V); and (ii) the concept of Internet applications, being the set of functionalities that can be accessed by means of a terminal connected to the Internet (article 5, VII). The first concept has to do with the activity of providing a connection, the second with that of providing applications (content, search, hosting and email, for instance). That is to say, the rules of the Civil Rights Framework highlighted below apply (with some variation) in situations of civil liability for those whom the law calls access providers and application providers. The former is addressed in Article 18, while the latter is governed by Article 19.
1.3 Article 18: exclusion of liability of access providers for content generated by third parties
Article 18 of the Civil Rights Framework states that ‘the party that provides connection to the Internet [an ‘Internet access provider’] will not be made civilly responsible for damage caused by content generated by third parties’. An Internet access provider is ‘the one who connects to a backbone provider through a good-quality line and supplies connectivity in his area of activity to other (usually smaller) providers, institutions and especially individual users through dedicated or even dialed lines . . . being a retailer of Internet connectivity’ (apud Leonardi 2005, 24).
The access provider allows an individual to have access to the Internet, but this is a service that is merely instrumental; in other words, a service that enables the use of other services that, for instance, offers applications whereby contents can be posted or generated.
One might say, then, that the risk assumed in the business of providing access to the Internet does not include the consequences of control over the contents generated by third parties. The fact that a third party posts improper content on the network does not—a priori and in the abstract—amount to negligent conduct on the part of the party that provides access (culpa in vigilando).
1.4 Article 19: secondary and conditional liability of the application provider
Article 19 of the Civil Rights Framework states that ‘in order to assure freedom of expression and impede censorship, the provider of Internet applications can only be held civilly responsible for damage resulting from content generated by third parties if, following a specific legal notice, the provider fails to take measures, within the scope and technical limitations of the service and the timeframe established [in such a court order], to render unavailable the content identified as infringing, except where otherwise established by legal provisions’.
First, this article emphasises the right to freedom of expression and, at the same time, the prevention of censorship, both being seen as rights to be guaranteed by the law.[ii] Second, this norm derives from a contemporary juridical conception in terms of which the provider of applications should be held responsible only in exceptional circumstances—that is, when the conditions stipulated in article 19 are met.
The legislation undeniably takes a position in favor of free expression of ideas (and against censorship) by guaranteeing that ISPs will not be held responsible for merely including third-party content in their application, even though such content is a posteriori held to be illicit, abusive and an infringement of rights. This means that in the Brazilian legal system those who provide applications are not obliged to check beforehand and prevent content being posted by third parties (which would constitute censorship) because they will not subsequently be held responsible for any damage caused by this content. That is to say, liability for content generated, posted and/or disseminated over the Internet falls first and as a rule on the person who directly engages in the damaging conduct. This rule, nonetheless, makes a specific exception: providers will be held responsible, jointly with the direct perpetrator, if, after being judicially notified of improper content posted by third parties, they fail to take this down within the timeframe set by the court.
Thus, the following elements must be established for an ISP to be held legally responsible for content generated by a third party: 1) the existence of a request for legal notification made by a person who alleges that his or her rights have been violated; 2) judicial determination, albeit preliminary and provisional, of the potential harmfulness of the conduct of the person who has posted the content; 3) a preliminary decision notifying the application provider indicating the improper content to be taken down and the lapse of time to do so; and 4) non-compliance by the ISP with the judicial order to take down content.
Only if these four requirements are satisfied can the ISP be held responsible. Even in these cases, it is possible to hold the person who posted the improper content on the network directly responsible. This conclusion also leads us to the first major question as regards the application of article 19—that is, whether the ISP’s civil liability is of a secondary nature, or shared with that of the person who directly caused the damage.
1.5 Secondary or joint liability?
Under Brazilian law, secondary liability applies under civil law whenever a person is responsible for damage caused directly by another person, resulting from a prior legal relationship of attribution of liability. Examples include employer-employee and parent-child relationships (art. 932).[iii] The Brazilian legal system protects the victim of damage and allows him/her rapid reparation of the damage caused, by providing for joint rather than secondary liability[iv], in accordance with the general rule provided in article 933 of the Civil Code, which expressly provides for a principle of solidarity.[v]
Not only can the person immediately responsible for the damage, causally speaking—that is, a minor-age child, a protected person, a ward, employee, a servant, etc—be directly sued by the victim for compensation, but so can those indirectly responsible for the damage—that is, the parent, guardian, employer, etc. The legal suit can be brought against either or both parties, since joint tortfeasorship imposes joint and several liability. But where the indirectly liable party is sued, he or she has a right of recourse against the party directly responsible for the damage.
Further, under articles 932 and 933 of the Civil Code, guarantor and guardian liability is no-fault (so-called ‘objective’) liability, meaning he or she is obliged to compensate for the damage regardless of any fault on his part, even in cases where he or she took all reasonable procedures to prevent harm.
But how would this theory of indirect civil liability apply—if at all—in the case of ISPs, in respect of the content generated by a third party? Generally speaking, in order for there to be civil liability on the part of ISPs—regardless of the sort of legal relation established—there has to be damage, an attribution factor (fault or risk) and causality. Indirect or accessory liability imposes liability to compensate for the damage on the party who controls the activity, medium or instrument that caused direct damage to the person. And courts have extended liability to those who profit from infringing activity when an enterprise has the right and ability to prevent the infringement. A common example is when an employer answers for the damage caused directly by the employee since he has the control of the means used by the latter while the work is being carried out. Similarly, the owner of an animal is liable for the damage caused directly by it, since he has control over the animal and is therefore able to prevent it from causing any harm.
From the indirect nature of the provider’s responsibility, one may conclude that his obligation to compensate would be joint with that of the person who is the direct cause of the damage. That is how the Brazilian courts proceeded before the enactment of the Civil Rights Framework. In 2012, the Superior Court of Justice held that ‘when notified that a certain text or image possesses illicit content, the provider must act energetically to take the material down from the air immediately, under penalty of answering jointly with the direct author of the damage, by virtue of the omission practiced’ (Supreme Court of Justice, Special Appeal 1308830/Rio Grande do Sul, Rapporteur Minister Nancy Andrighi, Third Panel, decided on 08/05/2012).[vi]
This approach is advanced by Marcel Leonardi, for whom ‘civil liability for the acts of users and third parties is based on a system that attributes secondary liability to providers in the case of willful misconduct or negligence, when they fail to fulfill their duties (thereby making it impossible to identify the person responsible for the illicit act) or else when they collaborate in the practice or neglect to block access to illegal information after being notified of the existence of same’ (Leonardi 2005, 49-50).
Under the Civil Rights Framework, the ISP will be liable for damage caused by his omission to take down the material following a legal notice requiring it to do so, even when the illicit or abusive content generated is not causally connected to the direct conduct of the ISP. Thus, it seems that the Framework has attempted to place secondary and joint responsibility on the provider for a misdeed committed by a third party. This means that, unlike article 933 of the Civil Code, which establishes objective indirect liability of the guarantor/guardian, the Civil Rights Framework embraces indirect civil liability based on fault—negligent omission to remove infringing content generated by a third party after legal notification—which also entails joint liability of the Internet provider for damage caused directly to the victim by a third party.
1.6 Liability based on the risk of the provider’s activity or on the basis of presumed fault?
ISPs provide the means for third parties to act in a way that causes damage to others. If the ISP can control the means and so prevent any damage, it must assume the responsibility for any damage that ensues. The nature of this responsibility is in principle objective, based on the theory of risk—that is, on the concept that whoever has an instrument available that could potentially infringe upon the rights of others should be responsible for any resulting harm. In other words, those who have greater capacity to prevent damage should assume the responsibility for the consequences. The ISP, however, has a right to reimbursement from the person who directly caused the damage.
The Brazilian system recognises co-existing grounds for the civil liability of the service provider: contributory acts such as risk control (risk theory) and presumed fault in neglecting to take precautionary measures to lower the risk of infringement. Which ground applies will depend on the type of control that the Internet-services provider has over the content previously made available, or the legal relationship that exists between provider and third party.
Accordingly, the provider of the connection answers civilly for the damage caused to the user by poor provision or undue interruption of service. Likewise, the provider of content is liable for damage caused to a person for defamatory material published on his site, if he acts as editor of the site, with previous control of the material to be posted.
On the other hand, the Internet service provider is liable on the basis of fault for content generated by third parties when the provider is legally notified about the illegal content and fails to take it down within the appointed timeframe; we refer to this hypothesis herein.
According to the Superior Court of Justice, ‘prior inspection, made by the provider, of the sort of information posted on the web by each and every user is not an activity intrinsic to the service rendered, therefore one cannot consider as defective, in the terms of article 14 of the Consumer Code, a site that does not examine and filter the data and images inserted therein. The moral damage resulting from messages with offensive content inserted in the site by the user does not constitute a risk inherent to the activity of those who provide content, therefore the objective liability provided in article 927, single paragraph, of the CC/02 does not apply to them’ (Special Appeal 1308830/Rio Grande do Sul, Rapporteur Minister Nancy Andrighi, Third Panel, decided on 08/05/2012).
Similarly, the Third Panel of the Supreme Court of Justice has stated that: ‘Compensatory and comminatory claim entered by a professional Formula 1 car-racer who learned of the existence of false ‘profiles’ that used his name and photographs with damaging information, as well as ‘communities’ meant for the sole purpose of attacking his image and private life: the provider was notified extra-judicially to remove the content from the Internet. 2. Refusal of the company providing the Internet services to solve the problem. 3. Polemic with regard to civil responsibility by omission of the Internet provider, who is not objectively liable for the insertion of illicit data on the site by third parties. 4. Impossibility of imposing on the provider the obligation to exercise prior control of the content of information posted on the site by its users, since this would constitute a form of prior censorship, which is not admissible in our legal system. 5. However, on being informed of the existence of illicit data on the ‘site’ under his administration, the provider of Internet services has 24 hours to remove said data under penalty of responding for the damage caused by his omission’ (Supreme Court of Justice, Special Appeal 1337990/SP, Rapporteur Minister Tarso Sanseverino, Third Panel, decided on 21/08/2014).
Thus, the higher courts have held that where an ISP is unable to foresee or control the risks of the activity, the theory of assumed risk does not provide a basis for the imposition of civil liability for content that is generated by third parties. This is based on the fact that ISPs do not possess the capacity to predict (and consequently prevent) the risks of damage caused by third parties—because there is no prior monitoring or selection of what is posted on the network—and because it is important to protect freedom of expression and avoid private or public censorship.
Erica B. Barbagalo argues that ‘the provider of hosting services is not responsible for the content of the sites he hosts, since he does not intervene in their content, not having the editorial control of the electronic pages. Nor can the hosting provider be expected to carry out inspection activities: in most cases, the host has no access to the content of the site, which is only allowed to the owner, who can change the content of his pages as often as he wants. Furthermore, there are many pages and sites hosted in each server, which makes it impossible for the hosting provider to inspect the content’ (Barbagalo 2003, 347).
Barbagalo also says that adopting the theory that the ISP has assumed the risk of infringing content would be a mistake. She argues that ‘the activities carried out by the provider of Internet services are not by nature [risky] activities, they entail no greater risks to the rights of third parties than the risks of any commercial activity. And to interpret the norm as meaning that any damage must be compensated, regardless of the fault element, by the mere fact that an activity is carried out, would definitively burden those who regularly engage in productive activities, and consequently hamper development’ (Barbagalo 2003, 360).
Thus, the basis of the civil liability of ISPs in respect of content generated by third parties is fault, with specific regard to the omission factor and by presumption, when the provider, after being legally notified, fails to take the necessary measures to take down inappropriate material from his network.
1.7 Legal notification as a formal requirement to establish responsibility of the Internet provider
Article 19 settled the controversy concerning the nature of the notice necessary to compel an ISP to remove infringing content. Prior to the introduction of the Civil Rights Framework, the courts had considered that an extra-judicial notification informing the ISP of an infringement of rights and requiring takedown of the material before a certain date, would suffice to define the provider’s secondary liability if such notification were ignored.
The ‘notice and take-down’ remedy usually operated without judicial oversight, via extra-judicial notification; courts did not carry out an analysis of reasonableness of the remedy or even consider the existence of a right having been violated. The following two extracts are representative of many Superior Court of Justice decisions, insofar as their approach to notice and take-down remedy prior to the Civil Rights Framework was concerned:
‘In this hypothesis, the decision made expressly states that the provider of Internet services was notified extra-judicially as to the creation of a false, defaming profile of the alleged holder, did not take the appropriate measures but rather opted to remain inert, which is the reason that he has been held jointly liable for the moral damage inflicted on the prosecuting party, thus configuring the subjective liability of the accused’ (Supreme Court of Justice, Special Appeal under Specific Court Regulations 1402104/Rio de Janeiro, Rapporteur Minister Raul Araujo, Fourth Panel, decided on 27/05/2014).
The decision reached expressly provides that the provider was served extra-judicial notice by means of an instrument that he himself makes available for denouncing abuses—for instance, creating a defamatory false profile of the supposed holder, this proving offensive to third parties—and failed to take the proper steps, preferring rather to remain inert, for which reason he became jointly liable for the moral damage inflicted on the plaintiff, thereby configuring subjective responsibility of the accused (Special Appeal under Specific Court Regulations no. 1396963/Rio Grande do Sul, Rapporteur Minister Raul Araujo, Fourth Panel, decided on 08/05/2014).
The ‘notice and take-down’ system, however, is flawed because it allows arbitrary removal of content based on a simple complaint made by the interested person, without the necessary due process of law. Furthermore, it is a system that condones censorship, temporary or permanent, or else intimidates or restricts freedom of expression. The absence of judicial oversight may lead to an abusive exercise of rights. First, it might permit, by means of a simple notification, a restriction of freedom of expression. Second, it could result in undue or unjustified censorship (Leonardi, http://leonardi.adv.br/2010/04/o-problema-do-sistema-de-notificacao-e-retirada-na-web/).[vii]
Imagine the hypothesis of a person who, in a blog maintained by an ISP (blogspot, for instance), writes a theatre review of a play that is currently being shown, using somewhat harsh words against the main actress, or even draws a not very favourable cartoon of the actress. The actress, perceiving the text or drawing as a violation of her dignity, could legally request the provider to remove the allegedly defamatory material, which in accordance with the above approach should be carried out under penalty of holding the provider jointly responsible. This example illustrates the dangers of censorship and the possible restriction of the freedom of expression (Bezerra 2014, 9).[viii]
With the introduction by the Civil Rights Framework of a requirement of judicial notice before an ISP can be held legally responsible, the ISP will feel more confident that it will not be held responsible without prior judicial oversight. In order to grant the order, the judge must consider the following questions: 1) the existence of fumus boni iuris (‘likelihood of success on the merits’); 2) periculum in mora (‘danger in delay’), that is, whether maintaining the alleged violation will create a situation difficult to correct or else make the damage all the worse. Should these two requirements be satisfied, the judge will order the ISP to remove the relevant content.
In accordance with the first paragraph of article 19, the legal notice must contain, under penalty of invalidity, clear and specific identification of the content alleged to be infringing in order to enable unmistakable location of the material. The best interpretation to be given to this paragraph in my opinion is that the order to take down the content must indicate by URL (Uniform Resource Locator) the exact rights-infringing material so that entire web-sites are not taken down or applications blocked, which of course would impede other users from accessing the platform.[ix]
1.8 Legal procedure
As regards legal procedure, the Civil Rights Framework provides that lawsuits concerning compensation for damages, resulting from content made available over the Internet, that are related to honour, reputation or personality and privacy rights, as well as such content being made unavailable by ISPs, can be presented before special courts. This is because there is often a need to speed up the process, since lawsuits that begin in special courts are usually quicker than those that begin in common civil courts. However, there are two possible difficulties with this approach. First, technical proof by a skilled professional is not allowed in these special courts. Second, there is a limit to the value of lawsuits in such courts. These two restrictions may mean that the ordinary process is preferable. Since the plaintiff has the right to choose which route to follow, there is no disadvantage for the plaintiff in adopting the procedural strategy considered to be the most convenient.
1.9 Exclusion of application of article 19 to copyright
Article 19 does not apply to cases concerning infringement of copyright or related rights, as provided in the second paragraph, which expressly states that ‘application of the provision in this article to infractions of copyright or related rights depends on a specific legal provision, which must respect freedom of expression and other guarantees set forth in article 5 of the Federal Constitution’. [This means that the liability of ISPs for copyright infringement perpetrated by their users will continue to be governed by case law].
The National Congress is discussing a Bill to change substantially the Copyright Law in force (L. 9.610/98) and to reform secondary liability of ISPs as regards the violation of copyright. As far as protecting copyright is concerned, Brazilian jurists, and more specifically those with government appointments (the Commission for Culture in the House of Representatives), are engaged in debating the adoption of two instruments designed to control content generated by third parties on the Internet: (i) ‘notice and notice’, in terms of which the holder of the violated copyright uses the prerogative of notifying (extra-judicially or judicially) the ISP to alert it to the fact that a third party is using its medium to make available content of which it is not the holder; following this notification, the ISP must notify the third party about the allegation; and (ii) equal remuneration to be granted to the holder of the violated copyright for each improper use that is made.
The second paragraph of article 19 of the Civil Rights Framework states that the civil liability of the ISP for infringement of copyright by a third party should be addressed in another specific law. Thus, until a proper legislative reform is made to adopt new measures to protect copyright online, what is currently available is the use of extra-judicial notification to remove infringing material.
1.10 Article 20 and the obligation of users responsible for offending content to inform the reasons for its unavailability