"REPLACEMENT (to the Senate Law Projects 76/2000, and 137/2000, and Chamber-of-Deputies Law Project 89/2003) Amendment to the Decree-Law nš 2848 of 7 December 1940 (Penal Code), the Decree-Law nš 1001 of 21 October 1969 (Military Penal Code), the Law nš 7716 of 5 January 1989, the Law nš 8069 of 13 July 1990, and the Law nš 10446 of 8 May 2002 classifies behaviors performed by the use of electronic, digital, or similar systems, computer networks, or performed against communication devices, or informatics systems, and the like, and takes other measures." THE NATIONAL CONGRESS decrees: Article 1. This Law amends the Decree-Law nš 2848 of 7 December 1940 (Penal Code), the Decree-Law nš 1001 of 21 October 1969 (Military Penal Code), the Law nš 7716 of 5 January 1989, the Law nš 8069 of 13 July 1990, and the Law nš 10446 of 8 May 2002 to categorize behaviors performed by the use of electronic, digital, or similar systems, computer networks, or performed against communication devices, or informatics systems, and the like, and takes other measures. Article 2. To Title VIII of the Special Part of Penal Code is added the Chapter IV, as written: "Chapter IV REGARDING CRIMES AGAINST THE SECURITY OF INFORMATICS' SYSTEMS Unauthorized access to the computer network, communication device or informatics system Article 285-A. To access - through breach of security - computer network, communication device or informatics system, protected by express access restriction: Penalty - imprisonment, 1 (one) to 3 (three) years and a fine. Sole paragraph. If the agent takes advantage of a false identity or uses the identity of third parties to the perpretation of crime, the penalty is increased by the sixth part. Unauthorized obtention, supply or transference of data or information Article 285-B. To obtain or transfer, without authorization or in breach of the authorization of the legitimate holder of computer networks, communication devices or informatics systems, protected by express access restriction, data or information available in them: Penalty - imprisonment, 1 (one) to 3 (three) years and a fine. Sole paragraph. If the data or information obtained without authorization is provided to third parties, the penalty is increased by one third. Penal Action Article 285-C. The crimes defined in this Chapter only take place through representation, unless the crime is committed against the Union, State, City, concessionaire of public services, agencies, foundations, autonomous public agencies, public companies or public-private societies and subsidiaries." Article 3. To Title I of the Special Part of Penal Code is added the following Article, as written: "Dissemination or misuse of information and personal data 154-A. To disseminate, use, sell or make available data and personal information contained in informatics system with a different purpose from that which justified its registration, except in cases specified by law or by express permission of the person to which it refers, or his/her legal representative. Penalty - detention, 1 (one) to 2 (two) years and a fine. Sole paragraph. If the agent takes advantage of a false identity or uses the identity of third parties to the perpretation of crime, the penalty is increased by the sixth part." Article 4. The caput of the Article 163 of Decree-Law nš 2848 of 7 December 1940 (Penal Code) shall be in force as follows: "Damage Article 163. To destroy, to render useless or to degrade things of others or electronic data of others: ......................................................" (New Wording) Article 5. To Chapter IV of Title II of the Special Part of Decree-Law nš 2848 of 7 December 1940 (Penal Code) is added the following Article 163-A, as written: "Insertion or dissemination of malicious code Article 163-A. To insert or disseminate malicious code in communication device, computer network, or informatics system. Penalty - imprisonment, 1 (one) to 3 (three) years and a fine. Insertion or dissemination of malicious code followed by damage Paragraph 1. If the crime results in destruction, rendering useless, damage, alteration, impaired operation, or unauthorized operation by the legitimate holder of communication device, computer network, or informatics system: Penalty - imprisonment, 2 (two) to 4 (four) years and a fine. Paragraph 2. If the agent takes advantage of a false identity or uses the identity of third parties to the perpretation of crime, the penalty is increased by the sixth part." Article 6. The Article 171 of Penal Code shall be in force with the addition of the following: "Article 171......................................................... Paragraph 2. The same penalties are incurred by that who: ..................................................................... Larceny by electronic fraud VII - disseminates, by any means, malicious code in order to facilitate or allow undue access to the computer network, communication device or informatics system: Paragraph 3. If the agent takes advantage of a false identity or uses the identity of third parties to the perpretation of the crime in item VII of Paragraph 2, the penalty is increased by the sixth part." Article 7. Articles 265 and 266 of Penal Code shall be in force with the following wordings: "Attack against the security of public utility service Article 265. Attack against the security or the operation of the department of water, light, power, heat, information, or telecommunication, or any other of public utility: ..............................................................." (NW) "Interruption or disruption of telegraphic, telephonic, informatics, telematics' services, communication device, computer network or informatics system Article 266. To interrupt or disrupt telegraphic, telephonic, informatics, telematics' services, communication device, computer network, informatics or telecommunication systems, as well as to prevent or impair its restoration: ..............................................................." (NW) Article 8. The caput of the Article 297 of Penal Code shall be in force with the following wording: "Forgery of public document or electronic data Article 297. Counterfeit, in whole or in part, public document or electronic data, or alter real public document: ..............................................................." (NW) Article 9. The caput of the Article 298 of Penal Code shall be in force with the following wording: "Forgery of private document or electronic data Article 298. Counterfeit, in whole or in part, private document or electronic data, or alter real private document: ..............................................................." (NW) Article 10. The Article 251 of Chapter IV of Title V of the Special Part of Book I of Decree-Law nš 1001 of 21 October 1969 (Military Penal Code), shall be in force with the addition of item VI to its Paragraph 1, and of Paragraph 4, with the following wordings: "Article 251. ....................................................... Paragraph 1 - The same penalties are incurred by that who: ..................................................................... Larceny by electronic fraud VI - disseminate, by any means, malicious code in order to facilitate or allow undue access to the computer network, communication device or informatics system, to the detriment of the military administration: ..................................................................... Paragraph 4. If the agent takes advantage of a false identity or uses the identity of third parties to the perpretation of the crime, the penalty is increased by the sixth part." Article 11. The caput of the Article 259 and the caput of the Article 262 of Chapter VII of Title V of the Special Part of Book I of Decree-Law nš 1001 of 21 October 1969 (Military Penal Code), shall be in force with the following wordings: "Simple Damage Article 259. To destroy, render useless or degrade things of others or electronic data of others, given it is under military administration:" (NW) ..................................................................... ..................................................................... "Damage to warfare material or equipment or electronic data Article 262. To cause damage to warfare material or equipment or electronic data of military utility, even under construction or manufacturing, or in effects collected in deposit, belonging or not to the armed forces:" (NW) Article 12. To Chapter VII of Title V of the Special Part of Book I of Decree-Law nš 1001 of 21 October 1969 (Military Penal Code), is added the Article 262-A, as written: "Insertion or dissemination of malicious code Article 262-A. To insert or disseminate malicious code in communication device, computer network, or informatics system, as long as the fact threatens military administration: Penalty - imprisonment, 1 (one) to 3 (three) years and a fine. Insertion or dissemination of malicious code followed by damage Paragraph 1. If the crime results in destruction, rendering useless, damage, alteration, impaired operation, or unauthorized operation by the legitimate holder of communication device, computer network, or informatics system: Penalty - imprisonment, 2 (two) to 4 (four) years and a fine. Paragraph 2. If the agent takes advantage of a false identity or uses the identity of third parties to the perpretation of crime, the penalty is increased by the sixth part." Article 13. To Title VII of the Special Part of Book I of Decree-Law nš 1001 of 21 October 1969 (Military Penal Code), is added the Chapter VII-A, as written: "Chapter VII-A REGARDING CRIMES AGAINST THE SECURITY OF INFORMATICS' SYSTEMS Unauthorized access to the computer network, communication device or informatics system Article 339-A. To access - through breach of security - computer network, communication device or informatics system, protected by express access restriction, as long as the fact threatens military administration: Penalty - imprisonment, 1 (one) to 3 (three) years and a fine. Sole paragraph. If the agent takes advantage of a false identity or uses the identity of third parties to the perpretation of crime, the penalty is increased by the sixth part. Unauthorized obtainment, supply or transference of data or information Article 339-B. To obtain or transfer, without permission or in breach of the authorization of the legitimate holder of computer networks, communication devices or informatics systems, protected by express access restriction, data or information available on them, as long as the fact threatens military administration: Penalty - imprisonment, 1 (one) to 3 (three) years and a fine. Sole paragraph. If the data or information unauthorizedly obtained is provided to third parties, the penalty is increased by one third. "Dissemination or misuse of information and personal data Article 339-C. To disseminate, use, sell or make available data and personal information contained in informatics system under military administration with a different purpose from that which justified its registration, except in cases specified by law or by express permission of the person to which it refers, or his/her legal representative. Penalty - detention, 1 (one) to 2 (two) years and a fine. Sole paragraph. If the agent takes advantage of a false identity or uses the identity of third parties to the perpretation of crime, the penalty is increased by the sixth part." Article 14. The caput of Article 311 of Chapter V of Title VII of Book I of the Special Part of Decree-Law nš 1001 of 21 October 1969 (Military Penal Code), shall be in force as follows: "Forgery of document Article 311. To counterfeit, in whole or in part, public or private document, or electronic data or alter real document, as long as the fact threatens military administration or military service:" (NW) Article 15. Items II and III of Article 356 of Chapter I of Title I of Book II of the Special Part of Decree-Law nš 1001 of 21 October 1969 (Military Penal Code), shall be in force as follows: "CHAPTER I REGARDING TREASON Favor the enemy Article 356. .......................................................: ..................................................................... II - delivering to the enemy, or risking such consequence, ship, aircraft, strength or position, motor-mechanized warfare machine, provisions, electronic data or any other element of military action; III - losing, destroying, rendering useless, deteriorating or exposing to danger of loss, destruction, render useless or deterioration, ship, aircraft, strength or position, motor-mechanized warfare machine, provisions, electronic data or any other element of military action." (NW) Article 16. For penal effects, the following definitions are adopted, among others: I - communication device: any means capable of processing, storing, capturing or transmitting data using magnetic, optical or any other technology; II - informatics system: any system capable of processing, storing, capturing or transmitting data electronically or digitally, or in an equivalent form; III - computer network: the set of computers, communication devices and informatics systems that conform to a set of rules, parameters, codes, formats and other information grouped into protocols, in local, regional, national or worldwide topological level through which it is possible to exchange data and information; IV - malicious code: the set of instructions and information tables or any other system developed to perform damaging actions or improperly obtain data or information; V - informatics data: any representation of facts, of information or of concepts in the form susceptible of processing in a computer network or communication device or informatics system; VI - data traffic: all informatics data related to its communication made through a computer network, informatics system or communication device, generated by them as part of a communication chain, indicating the origin communication, the destination, the route, the time, the date, the size, the duration or the type of the underlying service. Article 17. For penal effects are also regarded as protected goods the data, the communication device, the computers network, the informatics system. Article 18. The judicial police bodies will structure, in regulatory terms, departments and teams specialized in fighting unlawful action on computers network, communication device or informatics system. Article 19. Item II of Paragraph 3 of Article 20 of Law nš 7716 of 5 January 1989, shall be in force as follows: "Article 20. ........................................................ Paragraph 3. ........................................................ II - the cessation of their radio, television, electronic broadcasts, or publishing by any means. ..............................................................." (NW) Article 20. The caput of Article 241 of Law nš 8069 of 13 July 1990, shall be in force as follows: "Article 241. To present, produce, sell, receive, supply, disseminate, publish or store, by any means of communication, including global computer network or Internet, photos, images with pornography or explicit sexual scenes involving child or adolescent: ..............................................................." (NW) Article 21. Article 1 of Law nš 10446 of 8 May 2002 shall be in force as follows: "Article 1. ......................................................... ..................................................................... V - the crimes performed against or through computer network, communication device or informatics system. ..............................................................." (NW) Article 22. The responsible party for the provision of access to the worldwide computer network, either commercial or from the public sector, is required to: I - maintain, in a controlled and secure environment, for a period of three years, with the purpose of providing it to a formalized public investigation, data of electronic origin address, time, date and GMT reference of the connection made through the computer network and provide it exclusively to investigatory authority by means of a prior judicial order; II - preserve immediately, after judicial request, other information requested by the investigation, responding civil and criminally for its absolute confidentiality and inviolability; III - inform, confidentially, the competent authority, about received complaints containing evidence of the perpretation of a crime subject to unconditional public penal action, whose perpetration has occurred within the computer network under its responsibility. Paragraph 1. The data comprised by item I of this Article, the security of its custody, the audit to which it will be subject and the competent authority responsible for the audit will be defined in the regulatory terms. Paragraph 2. The responsible party mentioned in the caput of this Article, regardless the compensation for damages to the victim, shall be subject to payment of fines ranging from R$ 2.000,00 (two thousand reais) to R$ 100.000,00 (one hundred thousand reais) per request, doubled if recurrent, which will be imposed by the judicial authority with unmet needs, considering the nature, the severity and the loss resulting from the violation; the opportunity for broad defense and contradictory is secured. Paragraph 3. The financial resources resulting from the collection of fines in this Article shall be assigned to the Public Security National Fund, that is dealt with in Law nš 10201, 14 February 2001. Article 23. This Act will come into force one hundred and twenty days after the date of its publication."