The authors of this chapter would also like to thank Stefania Mariotti Masetti and Camila Sabino Del Sasso for co-contributing.
What is the regulatory regime for technology?
Several laws regulate technology in Brazil, including, without limitation, the following: (i) Internet Act (Marco Civil da Internet, Law 12,965/2014), which establishes the principles, rights and guarantees for the use of internet in Brazil and was regulated by Decree 8,771/2016; (ii) General Data Protection Act (“LGPD”, Law 13,706/2018), which compiles data protection statutes; (iii) Industrial Property Law (“LPI”, Law 9,279/96), created in accordance with the TRIPS Agreement and that regulates intellectual property in general (except for copyrights); (iv) Software Law (Law 9,609/98); and (v) Law 8,248/1991 and Law 13,969/2019, which provide several tax benefits for Brazilian companies engaged in the manufacturing and sales of products and services related to technology.
Are communications networks or services regulated?
The telecommunications sector is basically regulated by the General Telecommunications Law (“LGT”, Law 9,472/1997). The Union, by means of the National Telecommunications Agency (“ANATEL”) and according to the Executive and Legislative Branches’ policies, organizes the exploitation of telecommunications services, including, among others, regulation and inspection of the execution, trade and use of services, and implementation and operation of telecommunications networks, in addition to the use of orbit and radio-frequency spectrum resources. Law 4,117/1962 (Telecommunications Code) regulates radio and television broadcasting services, with their policies being set forth by the Federal Constitution (“CF”) and developed by the Ministry of Communications and the National Congress.
If so, what activities are covered and what licences or authorisations are required?
Telecommunications services might be of restricted interest (intended for their own executor or a certain group of users) or collective interest (available to all interested parties under non-discriminatory conditions). In addition, they might be provided under the public regime, requiring a concession (or permit in specific cases); or private regime, requiring an authorization.
Only Fixed Switched Telephone Services (Serviço Telefônico Fixo Comutado, “STFC”) are provided under concessions, but Law 13,879/2020 enabled adjustment thereof to authorizations. In the private regime, the required authorizations refer to STFC; Personal Mobile Services (Serviço Móvel Pessoal, “SMP”); Multimedia Communications Services (Serviço de Comunicação Multimídia, “SCM”), such as fixed broadband; Pay TV (Serviço de Acesso Condicionado, “SeAC”); and Private Limited Service (Serviço Limitado Privado, “SLP”). Rights to exploit Brazilian or foreign satellites might also be granted (Serviço Móvel Global por Satélite, “SMGS”).
Is there any specific regulator for the provisions of communications-related services?
ANATEL is the regulatory agency setting forth specific rules for telecommunications services, but has no authority over broadcasting, except for technical aspects of radio-frequency use and equipment compliance. Broadcasters are subject to the Ministry of Communications’ control, and the National Cinema Agency (“ANCINE”) regulates audiovisual contents in terms of works’ registration and implementation of government policies for the development of the Brazilian cinematographic sector.
Telecommunications services providers and broadcasters are also subject to legislation on prevention and repression of violations of the economic order, in particular Law 12,529/2011 (the Antitrust Act); therefore, acts of concentration or implying in violation thereof should be submitted to the Administrative Council for Economic Defence (“CADE”), the authority enforcing antitrust regulation and promoting competition.
Are they independent of the government control?
ANATEL, ANCINE and CADE are independent governmental agencies not subject to higher authorities, being respectively linked to the Ministry of Communications, Ministry of Tourism and Ministry of Justice and Public Security.
Are platform providers (social media, content sharing, information search engines) regulated?
Platform providers are not regulated but must comply with the rules set out in the Internet Act, especially regarding the storage of access records to Internet applications for specific periods. For internet application providers, the respective records of access must be kept confidential, in a controlled and secure environment, for the period of six (6) months, under the regulation’s terms. Also, they must comply with the LGPD. However, both laws do not regulate platforms, but related matters, such as intermediary liability and personal data protection.
If so, does the reach of the regulator extend outside your jurisdiction?
The LGPD shall apply to any processing operation performed by an individual or a legal entity, subject to public or private law, regardless the country in which the legal entity is seated or the country where the data is located, as long as the processing operation is carried out within the national territory; or if the purpose of the processing activity is the offer or supply of goods or services or the processing of data of individuals located in the national territory; or if personal data object of the processing has been collected in the national territory. The Internet Act provides that the Brazilian law applies when the collection, storage or processing of data occurs in Brazil, not only, but especially regarding data privacy, even if the company or data servers are located outside the Country.
Does a telecoms operator need to be domiciled in the country?
Telecommunications services providers should be organized under Brazilian laws, with headquarters and administration in Brazil.
Are there any restrictions on foreign ownership of telecoms operators?
In general, there are no restrictions on foreign ownership of telecoms operators. However, as per Decree 2,617/1998, in addition to being organized under Brazilian laws and having headquarters and administration in Brazil, the majority capital thereof should be held by individuals resident in Brazil or companies organized under Brazilian laws, with headquarters and administration in the country. Additionally, according to the CF and Law 4,117/1962, at least 70% of the total capital and voting capital of radio and television broadcasters should be held by native Brazilians, individuals naturalized Brazilian for over 10 years, or companies organized under Brazilian laws headquartered in Brazil.
Are there any regulations covering interconnection between operators?
Interconnection is ruled by LGT and ANATEL’s Resolution 693/2018 (General Interconnection Regulation, “RGI”), which set forth principles and guidelines for the interconnection of telecommunications services providers’ networks and systems, including the commercial, technical, and legal aspects thereof. Interconnection among networks is mandatory, with integrated operation being ensured domestically and at international level. Interconnection conditions might be freely agreed upon between the parties, provided respecting the broad, free, and fair competition, and should be formalized in an agreement, to be homologated by ANATEL. Agreements for traffic exchange with foreign providers should comply with provisions and procedures included in agreements between the Brazilian administration and other countries or economic blocks.
If so are these different for operators with market power?
ANATEL’s Resolution 600/2012 approved the General Competition Goals Plan (“PGMC”) and sets forth criteria and guidelines for identifying groups with significant market power, which are subject to regulatory measures regarding transparency, equal and non-discriminatory treatment, price control, access obligations and others, also being bound to the terms of product reference offers homologated by ANATEL.
RGI additionally sets forth that STFC providers and companies with market power should maintain at least one Point of Interconnection (“POI”) or Point of Presence for Interconnection (“PPI”) in each geographic area with the same national code of its provision area able to exchange telephone traffic by means of switch technologies per packages. Moreover, when requested by collective interest telecommunication service providers, local and/or long-distance STFC providers and companies with market power are compelled to make their networks available for the forwarding of calls between POIs within the same local area or among different local areas, as applicable.
What are the principal consumer protection regulations that apply specifically to telecoms services?
ANATEL’s Resolution 632/2014 approved the General Telecommunications Services Consumer Rights Regulation (“RGC”), improving transparency in fixed and mobile telephone services, multimedia communications and pay TV. Several obligations are imposed to operators such as automated cancellation of services effective within 2 business days, or immediately with the assistance of an operator. Number portability among different providers, ruled by ANATEL’s Resolution 460/2007, is also allowed, provided within the same provision area; however, portability of a STFC number to a SMP number, or vice-versa, is not possible. Consumer Defence Code (Law 8078/1990) and Civil Code (Law 10406/2002) provisions might also apply.
What legal protections are offered in relation to the creators of computer software?
Software is regulated in Brazil by the Software Law and subsidiarily by the Copyright Law (Law 9,610/98). According to such laws, creators of computer software are considered “authors”, but as specifically provided by the Software Law, such creators only have economic rights associated to the software, in opposition to moral rights (except for authorship rights, i.e., the author(s) has/have to be recognized). Since computer software is protected by the Copyright Law, it does not need to be registered in order to be protected in Brazil. Nonetheless, the software’s owner may choose to register it with the Brazilian National Institute of Industrial Property (“INPI”).
Do you recognise specific intellectual property rights in respect of data/databases?
Yes. The Copyright Law grants intellectual property rights in connection with the creation of a database (art. 7, XIII).
What key protections exist for personal data?
In 2018, Brazil has enacted the LGPD, which came into effect in September 2020. The LGPD provides for the processing of personal data by an individual or a legal entity, subject to public or private law, in order to protect fundamental rights of freedom and privacy, and free development of the personality of an individual. Before the LGPD, the CF already protected privacy and personal data, so Brazilian laws granted protection to privacy in many ways, such as in the Consumer Defence Code, the Internet Act, Banking and Telecommunications laws.
Are there restrictions on the transfer of personal data overseas?
The LGPD allows international data transfers to countries or international bodies when: (i) they provide a level of personal data protection in line with the LGPD’s provisions; (ii) data controller offers and substantiates guarantees of compliance with principles, data subject’s rights and data protection system established by LGPD; (iii) the transfer is necessary for international legal cooperation among public intelligence, prosecution, and enforcement bodies; (iv) the transfer is necessary for the protection of the data subject’s or third party’s life or physical integrity; (v) upon authorization from the National Authority (“ANPD”); (vi) the transfer results from a commitment undertaken pursuant to an international cooperation agreement; (vii) the transfer is necessary for purposes of enforcement of a public policy or a legal duty of public service; (viii) upon express consent from a data subject for the transfer; (ix) to meet the requirements of the items of Article 7 of the LGPD, such as compliance with a legal or regulatory obligation by the controller.
What is the maximum fine that can be applied for breach of data protection laws?
As per the LGPD, the ANPD may apply a fine of up to two percent (2%) of the turnover of the legal entity subject to private law, group or conglomerate in Brazil in the last fiscal year, excluding taxes, limited to the aggregate amount of fifty million Brazilian reais (R$50,000,000.00), per infringement.
What additional protections have been implemented, over and above the GDPR requirements?
There are a few more legal bases set forth by LGPD than in GDPR. When it comes to (i) consent; (ii) performance of a contract or in order to take steps at the request of the data subject to enter into a contract; and (iii) compliance with a legal obligation to which the controller is subject, there are no differences between both regulations. However, LGPD creates other legal grounds for data processing, which are (i) the performance of studies by a research body with guarantee of anonymization of personal data wherever possible; (ii) the regular exercise of rights in court, administrative or arbitration proceedings related to a contract to which the data subject is a party, upon the data subject’s request; (iii) the protection of health under procedures performed by health care professionals, health services or health authority and the protection of credit, including with regard to the applicable laws’ provisions.
Unlike GDPR, LGPD does not prohibit the processing of sensitive data, but instead, it sets out the rules for this type of data processing in a separate chapter. Concerning data subjects’ rights, LGPD and GDPR grant the same rights, even though different wordings are used. Concerning the right to access, LGPD, unlike GDPR, grants quick and free access to the type and duration of the processing, as well as the integrity of their personal data. There is no stipulation of fees even if there is an abuse of this right by the data subject.
Are there any regulatory guidelines or legal restrictions applicable to cloud-based services?
There is no specific regulation nor legal restriction applicable to cloud-based services. The restrictions applicable to such services are provided by the LGPD, in the event such cloud-based services are dealing with personal data under Brazilian laws. Nonetheless, the Institutional Security Cabinet has issued an ordinance (GSI IN 9/2018) establishing that public administration may only enter into cloud computing services which agree to host information within the Brazilian territory.
Are there specific requirements for the validity of an electronic signature?
Electronic signatures are regulated in Brazil by Provisional Measure 2200-2 (“MP”). Such law institutes the Brazilian Public Keys Infrastructure (in Portuguese, Infraestrutura de Chaves Públicas Brasileira, “ICP-Brasil”). According to such MP, electronic documents are deemed public or private documents for all legal purposes, and the content of documents electronically produced with the use of ICP-Brasil certification are deemed authentic regarding the signatories thereof. Such presumption is ensured by ICP-Brasil’s operation.
Even though the legal presumption of authenticity and integrity is applicable solely to documents signed within the scope of ICP-Brasil, MP 2200-2 specifically sets forth that it does not prevent the use of other means aimed at proving the authorship of documents in electronic formats, including of those using certificates not issued by ICP-Brasil, provided that such use is previously accepted by the parties.
In the event of an outsourcing of IT services, would any employees, assets or third party contracts transfer automatically to the outsourcing supplier?
No. Such transfer is not automatic. They should be provided and regulated by the respective outsourcing agreement.
If a software program which purports to be a form of A.I. malfunctions, who is liable?
If there is a human-machine interaction, meaning the A.I. malfunction was due to human action or omission, the person responsible for the malfunction is liable. In another case, if the A.I. malfunction is derived from a manufacturing defect, the manufacturer can be liable, but in regard to A.I., the “risk of autonomy” is presumed.
What key laws exist in terms of: (a) obligations as to the maintenance of cybersecurity; (b) and the criminality of hacking/DDOS attacks?
(a) obligations as to the maintenance of cybersecurity
Decree 8,771/2016, which regulates the Internet Act, has some provisions about cybersecurity. Also, Decree 10,222/2020 regulates the national strategy to be followed on cybersecurity in Brazil. The LGPD establishes that data processing agents shall implement technical and organizational security measures able to protect personal data (further guidance from the ANPD). The E-commerce Decree (Decree 7,962/2013) determines that e-commerce platforms shall adopt security mechanisms for the processing of payment transactions and use of consumers’ data. There exist also specific regulations for specific markets; for example, the Brazilian Central Bank has issued certain rules about cybersecurity that apply to financial institutions. It is also important to mention the issuance of certain rules by ANATEL, which shall apply for telecommunications.
(b) and the criminality of hacking/DDOS attacks?
The Criminal Code (Decree Law 2,848/1940) sets forth the crime of invasion of a computing device. In general, the act of attacking a computing device, whether connected to the Internet or not, by breach of a security mechanism and for the purpose of collecting, altering, or destroying data or information or installing vulnerabilities to obtain an illegal benefit is deemed a crime. Recently, the Criminal Code was amended to provide higher penalties for cybercrimes such as fraud, theft, and swindling committed with the use of electronic devices like cell phones, computers, and tablets.
What technology development will create the most legal change in your jurisdiction?
There are many technology developments that will create great legal changes in Brazil in the next few years, such as new telemedicine services recently regulated by local authorities and the Brazilian instant payment method (“PIX”), which was recently created by the Brazilian Central Bank. However, we believe that 5G technology, which is expected to be in operation in 2022, will create the most legal change in Brazil. The Telecommunications sector in Brazil is still awaiting the regulation of the requirements and technical aspects of the 5G auction in the country. 5G is the fifth-generation technology standard for mobile and broadband networks that mobile phone companies started deploying in late 2018. It is a faster, more responsive, and more cost-effective mobile internet connection and will impact several areas, such as transport and telemedicine.
Which current legal provision/regime creates the greatest impediment to economic development/ commerce?
The current legal provisions in Brazil are evolving and are increasingly favourable to economic development/commerce. Nonetheless, the tax regime in Brazil is still very complicated and the lack of legal certainty with many tax issues creates the greatest impediment to economic development/commerce in the country. Anyway, the Congress is discussing a Tax Reform, intended to simplify its code and improve the business environment.
Do you believe your legal system specifically encourages or hinders digital services?
The Brazilian legal system encourages digital services and is increasingly evolving in this regard. Recent innovations within the financial market, such as Open-banking and the recent enactment of the Startup Act (Complementary Law 182/2021) are good examples of recent innovations that have been created in Brazil and that encourage competition between product and service providers, as well as the economic development for the use of digital services.
To what extent is your legal system ready to deal with the legal issues associated with artificial intelligence?
The Brazilian government has enacted an official document in connection with the country’s artificial intelligence (A.I.) strategy to guide actions around research, innovation, and development of related technologies: Ordinance 4,617, dated April 6, 2021. This document establishes some important goals for Brazil, such as: to develop ethical principles that guide responsible use of A.I.; remove barriers to innovation; improve collaboration between the government, private sector, and researchers; develop A.I. skills; promote investment in technologies; and advance Brazilian tech overseas. Nonetheless, this Ordinance does not provide specific regulation on A.I. (but general guidelines). At the moment, the Brazilian Legal System will have to rely on standard rules related to intellectual property, such as the LPI.