"REPLACEMENT (for the Senate Law Projects 76/2000 and 137/2000, and Chamber-of-Deputies Law Project 89/2003) An amendment to Decree-Law no. 2848 of 7 December 1940 (Penal Code), Decree-Law no. 1001 of 21 October 1969 (Military Penal Code), Law no. 7716 of 5 January 1989, Law no. 8069 of 13 July 1990, and Law no. 10446 of 8 May 2002 which categorizes acts performed using electronic, digital, or similar systems, computer networks, or performed against communication devices or information systems or the like, and takes other measures." THE NATIONAL CONGRESS decrees: Article 1. This Law amends Decree-Law no. 2848 of 7 December 1940 (Penal Code), Decree-Law no. 1001 of 21 October 1969 (Military Penal Code), Law no. 7716 of 5 January 1989, Law no. 8069 of 13 July 1990, and Law no. 10446 of 8 May 2002 to categorize acts performed using electronic, digital, or similar systems, or computer networks, or performed against communication devices or information systems or the like, and to take other measures. Article 2. Title VIII of the Special Part of the Penal Code is extended with Chapter IV, as written: "Chapter IV REGARDING CRIMES AGAINST THE SECURITY OF INFORMATION SYSTEMS Unauthorized access to a computer network, communication device or information system Article 285-A. Accessing, through a breach of security, a computer network, communication device or information system, protected by explicit access restrictions: Penalty - imprisonment, 1 (one) to 3 (three) years and a fine. Sole paragraph. If the agent takes advantage of a false name or uses the identity of third parties to the perpretation of crime, the penalty is increased by one sixth. Unauthorized obtention, transfer or supplying of data or information Article 285-B. Obtaining or transfering data or information available on a computer network, communication device or information system, protected by explicit access restrictions, without permission or inconsistent with the authorization of the legitimate holder: Penalty - imprisonment, 1 (one) to 3 (three) years and a fine. Sole paragraph. If the data or information obtained in an unauthorized manner is provided to third parties, the penalty is increased by one third. Penal Action Article 285-C. Prosecution of the crimes defined in this Chapter is done only through representation, unless the crime is committed against the Union, a State, a City, a provider of public services, a public agency, a foundation, an autonomous public agency, a public company or a public-private society or subsidiary." Article 3. Title I of the Special Part of the Penal Code is extended with the following Article, as written: "Dissemination or misuse of information and personal data 154-A. Dissemination, use, sale or the making available of data and personal information stored on an information system with a purpose distinct from that which led to its recording, except in cases specified by law or by express permission of the person to which it relates, or his/her legal representative. Penalty - detention for 1 (one) to 2 (two) years and a fine. Sole paragraph. If the agent takes advantage of a false name or uses the identity of third parties to the perpretation of crime, the penalty is increased by one sixth." Article 4. The caput of Article 163 of Decree-Law no. 2848 of 7 December 1940 (Penal Code) shall be enforced with the following change: "Damage Article 163. Destroying, disabling, or degrading things of others or electronic data of others: .............................................................." (New Wording) Article 5. Chapter IV of Title II of the Special Part of Decree-Law no. 2848 of 7 December 1940 (Penal Code) is extended with Article 163-A, as written: "Insertion or distribution of malicious code Article 163-A. Insertion or distribution of malicious code in a communication device, computer network, or information system. Penalty - imprisonment, 1 (one) to 3 (three) years and a fine. Insertion or distribution of malicious code resulting in damage Paragraph 1. If the crime results in destruction, disabling, damage, alteration, impaired operation, or operation not authorized by the legitimate owner, of the communication device, computer network, or information system: Penalty - imprisonment, 2 (two) to 4 (four) years and a fine. Paragraph 2. If the agent takes advantage of a false name or uses the identity of third parties to the perpretation of crime, the penalty is increased by one sixth." Article 6. The Article 171 of the Penal Code shall be enforced with the addition of the following: "Article 171................................................................. Paragraph 2. The same penalties are incurred by anyone who: ............................................................................. Larceny by electronic fraud VII - disseminates, by any means, malicious code in order to facilitate or allow undue access to the computer network, communication device or information system: Paragraph 3. If the agent takes advantage of a false name or uses the identity of third parties to the perpretation of the crime in item VII of Paragraph 2, the penalty is increased by one sixth." Article 7. Articles 265 and 266 of the Penal Code shall be enforced with the following changes: "Attack against the security of a public utility service Article 265. Attacking the security or the operation of the department of water, light, power, heat, information, or telecommunication, or any other public utility: ......................................................................." (NW) "Interruption or disruption of telegraph, telephone, information, or telematics services, communication devices, computer networks or information systems Article 266. Interrupting or disrupting telegraph, telephone, information, or telematics services, communication devices, computer networks, information or telecommunication systems, as well as preventing or impairing their restoration: ......................................................................." (NW) Article 8. The caput of Article 297 of the Penal Code shall be enforced with the following change: "Forgery of public documents or electronic data Article 297. Forgery, in whole or in part, of a public document or electronic data, or alteration of a real public document: ......................................................................." (NW) Article 9. The caput of Article 298 of the Penal Code shall be enforced with the following change: "Forgery of private documents or electronic data Article 298. Forgery, in whole or in part, of a private document or electronic data, or alteration of a real private document: ......................................................................." (NW) Article 10. Article 251 of Chapter IV of Title V of the Special Part of Book I of Decree-Law no. 1001 of 21 October 1969 (Military Penal Code), shall be enforced with the addition of item VI to its Paragraph 1, and of Paragraph 4, with the following wording: "Article 251. ............................................................... Paragraph 1 - The same penalties are incurred by anyone who: ............................................................................. Larceny by electronic fraud VI - disseminates, by any means, malicious code in order to facilitate or allow undue access to the computer network, communication device or information system, to the detriment of the military administration: ............................................................................. Paragraph 4. If the agent takes advantage of a false name or uses the identity of third parties to the perpretation of the crime, the penalty is increased by one sixth." Article 11. The caput of Article 259 and the caput of Article 262 of Chapter VII of Title V of the Special Part of Book I of Decree-Law no. 1001 of 21 October 1969 (Military Penal Code), shall be enforced with the following changes: "Simple Damage Article 259. Destruction, disabling, or degradation of things of others or electronic data of others, given they are under military administration:" (NW) ............................................................................. ............................................................................. "Damage to material or equipment of war or electronic data Article 262. Damaging of material or equipment of war or electronic data of military use, including in construction or manufacturing, or in effects collected for deposit, belonging or not to the armed forces:" (NW) Article 12. Chapter VII of Title V of the Special Part of Book I of Decree-Law no. 1001 of 21 October 1969 (Military Penal Code) is extended with Article 262-A, as written: "Insertion or distribution of malicious code Article 262-A. Insertion or distribution of malicious code in a communication device, computer network, or information system, if the act is against the military administration: Penalty - imprisonment, 1 (one) to 3 (three) years and a fine. Insertion or distribution of malicious code resulting in damage Paragraph 1. If the crime results in destruction, disabling, damage, alteration, impaired operation, or operation not authorized by the legitimate owner, of the communication device, computer network, or information system: Penalty - imprisonment, 2 (two) to 4 (four) years and a fine. Paragraph 2. If the agent takes advantage of a false name or uses the identity of third parties to the perpretation of crime, the penalty is increased by one sixth." Article 13. Title VII of the Special Part of Book I of Decree-Law no. 1001 of 21 October 1969 (Military Penal Code), is extended with Chapter VII-A, as written: "Chapter VII-A REGARDING CRIMES AGAINST THE SECURITY OF INFORMATION SYSTEMS Unauthorized access to a computer network, communication device or information system Article 339-A. Accessing, through a breach of security, a computer network, communication device or information system, protected by express access restriction, given the act is against the military administration: Penalty - imprisonment, 1 (one) to 3 (three) years and a fine. Sole paragraph. If the agent takes advantage of a false name or uses the identity of third parties to the perpretation of crime, the penalty is increased by one sixth. Unauthorized obtention, transfer or supplying of data or information Article 339-B. Obtaining or transfering data or information available on a computer network, communication device or information system, protected by explicit access restrictions, without permission or inconsistent with the authorization of the legitimate holder, where the act is against the military administration: Penalty - imprisonment, 1 (one) to 3 (three) years and a fine. Sole paragraph. If the data or information obtained in an unauthorized manner is provided to third parties, the penalty is increased by one third. "Dissemination or misuse of information and personal data Article 339-C. Dissemination, use, sale or the making available of data and personal information stored on an information system with a purpose distinct from that which led to its recording, except in cases specified by law or by express permission of the person to which it relates, or his/her legal representative. Penalty - detention, 1 (one) to 2 (two) years and a fine. Sole paragraph. If the agent takes advantage of a false name or uses the identity of third parties to the perpretation of crime, the penalty is increased by one sixth." Article 14. The caput of Article 311 of Chapter V of Title VII of Book I of the Special Part of Decree-Law no. 1001 of 21 October 1969 (Military Penal Code), shall be enforced with the following change: "Forgery of documents Article 311. Forgery, in whole or in part, of a public or private document, or electronic data; or altering a real document, where the act is against the military administration or the military service:" (NW) Article 15. Items II and III of Article 356 of Chapter I of Title I of Book II of the Special Part of Decree-Law no. 1001 of 21 October 1969 (Military Penal Code), shall be enforced with the following change: "CHAPTER I REGARDING TREASON Aiding the enemy Article 356. ...............................................................: ............................................................................. II - delivering to the enemy, or risking such consequence, any ship, aircraft, force or position, motor-mechanized war engine, provisions, electronic data or any other element of military action; III - losing, destroying, disabling, deteriorating or exposing to danger of loss, destruction, disablement or deterioration, any ship, aircraft, force or position, motor-mechanized war engine, provisions, electronic data or any other element of military action." (NW) Article 16. For penal effects, the following definitions are adopted, among others: I - communication device: any means capable of processing, storing, capturing or transmitting data using magnetic, optical or any other technology; II - information system: any system capable of processing, storing, capturing or transmitting data electronically or digitally, or in a equivalent form; III - computer network: the set of computers, communication devices and information systems that obey a set of rules, parameters, codes, formats and other information grouped into protocols, at a local, regional, national or global topological level through which it is possible to exchange data and information; IV - malicious code: the set of instructions and information tables or any other system developed to perform damaging actions or improperly obtain data or information; V - computer data: any representation of facts, of information or of concepts in a form susceptible to processing in a computer network or communication device or information system; VI - data traffic: all computer data related to communication by means of a computer network, information system or communication device, generated by them as part of a communication chain, indicating the origin of the communication, the destination, the route, the time, the date, the size, the duration or the type of the underlying service. Article 17. For penal effects the data, the communication device, the computer network, or the information system are also considered protected goods. Article 18. The judicial police will structure, in regulatory terms, departments and teams specialized in fighting unlawful action on computer networks, communication devices or information systems. Article 19. Item II of Paragraph 3 of Article 20 of Law no. 7716 of 5 January 1989, shall be enforced with the following change: "Article 20. ................................................................ Paragraph 3. ................................................................ II - the cessation of the respective radio, television, or electronic broadcasts, or of publishing by any means. ......................................................................." (NW) Article 20. The caput of Article 241 of Law no. 8069 of 13 July 1990, shall be enforced with the following change: "Article 241. Presenting, producing, selling, receiving, supplying, disseminating, publishing or storing, by any means of communication, including a global computer network or the Internet, photographs, images with pornography or explicit sexual scenes involving a child or adolescent: ......................................................................." (NW) Article 21. Article 1 of Law no. 10446 of 8 May 2002 shall be enforced with the following change: "Article 1. ................................................................. ............................................................................. V - crimes against or using a computer network, communication device or information system. ......................................................................." (NW) Article 22. The party responsible for providing access to a worldwide computer network, either commercial or from the public sector, is required to: I - retain, in a controlled and secure environment, for a period of three years, with the objective of providing it to a formalized public investigation, the electronic origin address, time, date and GMT reference of any connection made through the computer network and provide it exclusively to investigating authorities by means of a prior judicial order; II - immediately preserve, upon judicial request, other information required by the investigation, responding civilly and criminally for its absolute confidentiality and integrity; III - inform, confidentially, the competent authority, about complaints received containing evidence of the practice of a crime subject to unconditional public penal action, whose perpetration may have occurred within the computer network under his/her responsibility. Paragraph 1. The data addressed in item I of this Article, the security requirements of its custody, the audit to which it will be subject and the competent authority responsible for the audit will be defined in the regulatory terms. Paragraph 2. The responsible party mentioned in the caput of this Article, regardless of compensation for damages to the victim, shall be subject to payment of fines ranging from R$ 2.000,00 (two thousand reais) to R$ 100.000,00 (one hundred thousand reais) per request, doubled in case of recurrence, which will be imposed by the judicial authority with unmet needs, taking into consideration the nature, the severity and the loss resulting from the violation, with a guarantee of opportunity for a broad defense and contestation. Paragraph 3. The financial resources resulting from the collection of fines established under this Article shall be destined for the Public Security National Fund, which is dealt with in Law no. 10201, 14 February 2001. Article 23. This Act will enter into effect one hundred and twenty days after the date of its publication."