Brazil is a member of the System of Conformity Assessment Schemes for Electrotechnical Equipment and Components (IECEE), which is based on the principle of mutual recognition (reciprocal acceptance) by its members of test results for obtaining certification or approval at national level. Pursuant to Resolution No. 715, the Brazilian National Telecommunications Agency (ANATEL; Agência Nacional de Telecomunicações) implements testing requirements for telecommunication products and equipment. Through subsequent implementing acts, ANATEL has reduced the frequency of testing requirements and introduced the use of a declaration of conformity with test results procedures for certain products, based on a risk analysis.
However, it has been reported that ANATEL needs to approve products that connect to the public telephone network. This approval process requires in-country testing, not accepting test reports from foreign accredited labs. This is the case of the following products, among others: Network routers with E1 WAN ports; WiFi 802.11a/b/g/n access points; GSM and CDMA cellular phones; Network switches; Satellite, Bluetooth; ZigBee products. Other products need certification by ANATEL. For example: Cell phones; Bluetooth headset; Wireless telephones, including DECT systems; Antenna systems; Digital communication systems; Security gateways; Wi-Fi modules.

Normative Ordinance No. 371 introduced a mandatory certification for IT equipment (Voltage stabilizers) as of July 2011. Generally, testing must be performed in-country, unless the necessary capability does not exist in Brazil. Moreover, entities engaged in product testing and mandatory certification must be accredited by the National Institute of Metrology, Standardization and Industrial Quality (INMETRO).

According to Art. 41 of Ordinance 23 of July 2011 of the Secretary of Foreign Trade the importation of used machinery, equipment, devices, instruments, molds, and containers are prohibited unless these used goods are not produced in the country, or are irreplaceable by other similar products manufactured in the country. Art. 42 establishes that imports of used computer and used telecommunications products are only allowed under limited circumstances.

According to Art. 4 of Normative Instruction 1984, a declarant of goods is defined as importers, exporters, purchasers of imported goods on their own account, orders of imported goods, and legal entities domiciled in the Manaus Free Trade Zone (ZFM) that promote the admission of goods to the rest of the national territory. According to Art. 16, declarants require authorization to operate in foreign trade, which may be granted in one of the following ways:
I - Express, in the case of a legal entity incorporated as an open joint stock company, with shares traded in the stock exchange; or a public company or government-controlled company;
II - Limited, in the case of a declarant of assets not included in the Express form whose financial capacity is estimated in an amount equal to or less than the maximum limit established in Art. 17;.
In accordance with Art. 17, the declarant of goods qualified in the limited modality may carry out import operations, in each consecutive six-month period, up to the limit of USD 50,000, or its equivalent in another currency, if its estimated financial capacity is equal to or less than that amount. Alternatively, if its estimated financial capacity is between USD 50,000 and USD 150,000, then the declarant can carry out imports operations until USD 150,000. To determine the limits established in this article, import operations shall be considered at the customs value of the goods.

The Law 12,965 of 2014 (Internet Civil Regulation) introduces a liability exemption for Internet connection providers and the application of the safe harbor doctrine for other Internet application providers. Art. 18 addresses the liability of Internet connection providers, grants an exception to those services regarding intermediary liability. It states that “the Internet connection provider shall not be subject to civil liability for content generated by third party”. Art. 19, which addresses Internet application providers (excluding connection providers) states that “in order to ensure freedom of expression and to prevent censorship, an Internet application provider shall only be subject to civil liability for damages caused by virtue of content generated by third parties if, after specific court order, it does not take action, according to the framework and technical limits of its services and within the time-frame ordered, to make the infringing content unavailable.”

It is reported that Brazil imposes an identity requirement for SIM registration. Anyone wanting to purchase a SIM card has to provide their national ID card, or a passport in case of foreigners, to activate a new prepaid SIM card. According to Art. 42 of the Resolution No. 477, users must provide a minimum set of personal data to be able to subscribe to a mobile telephone service. This information includes name, identity card number, and taxpayer number.

Privacy impact assessments must be provided to the Autoridade Nacional de Proteção de Dados (ANPD, National Data Protection Authority) upon request. Therefore, even though they are not initially mandatory, it is highly recommended to have them already developed. The ANPD may require the controller to prepare a DPIA relating to its data processing operations, as provided for by the regulations, with due regard to commercial and industrial secrecy (Art. 10(§3º) of Law No. 13.709). This DPIA should contain at least a description of the types of data collected, the methodology used for collection and as a guarantee for the security of the information, an analysis of the controller in relation to the measures, safeguards, and risk mitigation mechanisms adopted (Art. 38).

The Law 12,965 of 2014 (Internet Civil Regulation) introduces a liability exemption for Internet connection providers and the application of the safe harbor doctrine for other Internet application providers. Art. 18 addresses the liability of Internet connection providers, grants an exception to those services regarding intermediary liability. It states that “the Internet connection provider shall not be subject to civil liability for content generated by third party”. Art. 19, which addresses Internet application providers (excluding connection providers) states that, “in order to ensure freedom of expression and to prevent censorship, an Internet application provider shall only be subject to civil liability for damages caused by virtue of content generated by third parties if, after specific court order, it does not take action, according to the framework and technical limits of its services and within the time-frame ordered, to make the infringing content unavailable.”

According to Art. 15 of the Brazil Civil Rights Framework, internet application providers that are constituted as a legal entity and that carry out this activity in an organized manner professionally and with economic purposes, must retain the respective records of access to internet applications for a period of six months.

According to Art. 17 of Criminal Organizations Law, concessionaires of fixed or mobile telephony must keep, for a period of five years, at the disposal of the Police Chief or the Public Prosecutor, records of identification of the terminal numbers of origin and destination of international, long distance and local phone calls.

According to Art. 1,194 of the Brazilian Civil Code, the entrepreneurs and the business companies are obliged to retain all the bookkeeping, correspondence and other papers concerning their activity, as long as there is no statute of limitations or decay with regard to the acts contained therein. Based on this article, the Superior Court of Justice has understood that internet service providers (like other companies) have a legal duty to keep records and register their activities during the statute of limitations period for a civil claim in the Special Remedy No. 1.785.092.

The Guidelines for the Appointment of Data Treatment Agents and Data Protection Officers clarify Art. 41 of the Data Protection Law setting out that all institutions, either public or private, have the obligation to appoint a Data Protection Officer ("encarregado") (DPO). A previous reading of the Art. 23 of Law led to the conclusion that only public institutions would be obliged to appoint a DPO. However, the guidelines state that, contrary to other foreign legislations, the Data Protection Law does not determine the circumstances in which an organization should appoint a DPO. Therefore, one has to assume, as a general rule, that all organizations need to appoint a DPO. However, §3 of Art. 41 states that future regulations of the National Authority may determine the hypothesis for the dispensation of the need to appoint a DPO taking into account the nature, size and volume of operations of data treatment.

According to the Art. 10.12 of the Chile - Brazil Bilateral Trade Agreement, the Parties recognize that each Party may have its own regulatory requirements on the transfer of information by electronic means. Each Party shall permit the cross-border transfer of information by electronic means where such activity is for the conduct of the business of a person of a Party. Nothing in this Article shall prevent a Party from adopting or maintaining measures inconsistent with paragraph 2 to achieve a legitimate public policy objective, provided that the measure is not applied in a manner that would constitute a means of arbitrary or unjustifiable discrimination or a disguised restriction on trade.

The Personal Data Protection Law provides an horizontal data framework, with detailed regulations. It applies to the treatment of personal data, including through digital means, by natural or juridical persons of a public or private nature. The law applies regardless of the country of origin of the person and the country where data is located provided that: data treatment is made in the national territory; or data treatment activities aims at the supply of goods or services or data treatment of individuals located in the national territory; or data has been collected in the national territory.

Connection logs of Internet service providers (ISPs) should be retained for a minimum period of one year (Art. 13 of the Brazil Civil Rights Framework). The police, administrative authorities, or the Public Prosecutor's Office may request in a precautionary manner that the connection logs be kept for a longer period. Authorities will have a period of 60 days, counting from the time of the request, to obtain a court order to access the information.