STJ decides on the obligation of storing users’ registration data
According to a decision issued by the 3rd Panel of the Superior Court of Justice, Internet access providers have the legal duty to store their users’ data, including the information collected before the enactment of the Brazilian Civil Rights Framework for the Internet (Law No. 12,965/14).
This understanding was expressed in a civil lawsuit filed against a telephone company, in which the plaintiff claimed that her email had been hacked and offensive messages and threats had been sent to her contacts. The company stated that it did not store data of mobile networks before 2009 and that the IP number was dynamic at the time of the incident – not exclusive to one person – thus they could not locate the hacker.
Justice Nancy Andrighi disputed the defendant’s allegations and stated that it was possible to identify the hacker from the time and place of his/her access, which would make his/her IP number unique. In addition, the Justice confirmed that the duty of storage and provision of data by Internet service providers subsisted even before Law No. 12,965/14, since the users’ registration data is mandatory until the statute of limitations for a civil action expires, as provided by Article 1,194 of the Civil Code of 2002.
Finally, the Court decided to also apply a daily fine in case of failure to comply with the decision related to the submission of the user’s registration data.
1Lawsuit No 1.785.092