STF establishes that Article 19 of the Brazilian Internet Legal Framework is partially unconstitutional, creating a new regime of civil liability

In brief

The Supreme Court (“STF”) ruled, by majority, the partial unconstitutionality of the safe harbor of Article 19 of the Brazilian Internet Legal Framework (“MCI” – Law No. 12,965/2014“), which, as a general rule, conditioned the civil liability of Internet application providers for third-party content to the non-compliance with a prior court order. According to the majority opinion, there are now different liability regimes applicable to Internet application providers depending on the type of content and on the providers’ involvement degree. The decision also establishes a “duty of care” in connection with systemic failures to the Internet application providers for certain types of content and a significant expansion of the liability under the “notice and takedown” regime.

Background

On June 26, STF concluded the judgment of two landmark cases that addressed the civil liability of Internet application providers for third-party-generated content. The first case, the so-called “Theme 987”, arising from Extraordinary Appeal No. 1,037,396, questioned the constitutionality of Article 19 of the MCI, which requires a prior court order for a provider to be held liable for failing to remove certain third-party content. The second case, the so-called “Theme 533”, arising from Extraordinary Appeal No. 1,057,258 – which involved facts occurring prior to the enactment of the MCI – discussed the possibility of platform liability and the necessity of a court order for the removal of unlawful content. By a vote of 8 to 3, the Court held that Article 19 of the MCI is partially unconstitutional, with the dissenting votes of Justices André Mendonça, Edson Fachin, and Nunes Marques, who defended the full constitutionality of the provision.

With this decision, STF established that the safe harbor under Article 19 (requiring the non-compliance with a court order as a condition for considering Internet application providers liable) remains applicable only in specific cases, such as crimes against honor. In turn, for other types of content generated by third party, the general rule would be the “notice and take down” regime, under which application providers are liable when they fail to remove certain content after receiving an extrajudicial notice from the aggrieved party or their representative. Such notice and take down regime was already contemplated under Article 21 of the MCI, previously applicable to content involving nudity or private sexual acts (“revenge porn”). Notice and take down now becomes the more broadly applicable rule for the civil liability of Internet application providers for unlawful content, acts and crimes committed by third parties, including situations involving inauthentic accounts or successive replications of content already declared unlawful. In such cases, liability is subject to the determination of the provider’s negligence in failing to take action after receiving notice.

The Court also created a different liability standard, and established scenarios in which the provider’s negligence is presumed, such as in cases of unlawful content promoted through paid advertisements or disseminated by artificial networks (bots or automated accounts). In these situations, Internet application provider’s liability for such third-party content may arise even without prior notice, unless the provider can evidence that it acted diligently and within a reasonable time to remove the content. In cases of massive circulation of serious unlawful content – such as crimes against democracy, terrorism, suicidal ideation or self-harm, hate speech, violence against women, child pornography, and human trafficking – failure to remove the content may constitute a systemic failure, giving rise to liability of the Internet application provider regardless of notice based on the breach of the duty of care under this scenario. In case the Internet application provider is able to prove such content is an exception in its services, the notice and take down liability regime will apply. The Internet application provider may also establish that it has not been negligent by evidencing the deployment of state of the art technology to prevent and remove the above-mentioned types of content. Further, if the Internet application provider takes action to remove such content, and later a court order considers it legal, the provider will not have a duty to compensate the author of the content.

Additionally, STF determined that Internet application providers operating in Brazil must have an office and a representative in the country. The representative must have authority to respond judicially and administratively, provide information to competent authorities, and comply with legal and judicial determinations. Internet application providers must also issue self-regulation that necessarily covers the following topics: a notification system, due process and annual transparency reports in relation to out-of-court notices, advertisements and boosts.

The decision will have only prospective effects, safeguarding final and unappealable decisions, and was accompanied by a request to the National Congress to update the current legal framework, addressing the identified gaps.

The changes will have a significant impact on the activities of Internet application providers in Brazil.