“THE best possible birthday gift for Brazilian and global web users” is how Tim Berners-Lee, the British inventor of the world wide web, which turned 25 this month, described Brazil’s “internet bill of rights” in an open letter on March 24th. The next day legislators in the lower house of Congress duly approved it.

The sweeping bill, which now goes to the Senate, is “pretty much one of a kind”, says Ronaldo Lemos, a lawyer and academic involved in creating the original proposal in 2009. It enshrines the principle of “net neutrality”, which holds that network operators must treat all traffic equally. It also ensures that 100m Brazilian internet users enjoy online privacy (by barring providers from rummaging through their data) and freedom of expression (a court order is required to force the removal of contentious content).

Perfect it isn’t, however. Tucked into the bill is article 11, which extends the reach of Brazilian law to any internet service in the world with Brazilian users. A firm based in the United States whose services are used by Brazilians could, for example, be penalised for adhering to its domestic data-disclosure laws if they conflict with Brazil’s—as they often do. Penalties include fines of up to 10% of a firm’s Brazilian revenues or even blocking services.

When the European Union mulled something similar following the revelations last year of widespread online snooping by the National Security Agency, United States officials argued that would be extraterritorial. They are following the Brazilian case closely.

So are the internet firms. If other countries follow this approach, says a policy wonk at a big Western firm, companies like his would have to contend with a bewildering array of national legislation. In some smaller markets, they might stop offering services altogether.

Mr Lemos thinks a better solution would be to renegotiate Brazil’s mutual legal-assistance treaties, agreements which provide a mechanism for co-operation between different jurisdictions. This is unlikely. Brazil’s secretary for IT policy, Virgílio Almeida, insists the clause is innocuous. Indeed, “it should make business easier, by making the rules clearer.”

He adds that the government has already given ground by dropping an even more draconian requirement: that Brazilians’ data be held on servers in Brazil. Concerted lobbying by internet firms, as well as many activists, convinced legislators that this would make business in the country prohibitively expensive, especially for smaller startups. But Dilma Rousseff, the president, sees the jurisdiction provision as a point of pride. She almost certainly won’t budge.

Ironically, notes Sergio Amadeu, an internet scholar and member of the Internet Steering Committee, which oversees the web in Brazil, this may make Brazilians’ data more vulnerable to prying eyes. Because the country lacks a comprehensive data-protection law, it may be easier for the Brazilian authorities to get their hands on user data if looser local standards apply.

The bill is set to race through the Senate, which is dominated by Ms Rousseff’s Workers’ Party. Sir Tim has conceded that “there is still discussion around some areas.” Brazilian and global web users are getting a nice gift, but one that is less appealing than it might have been.