The Law 12,965 of 2014 (Internet Civil Regulation) introduces a liability exemption for Internet connection providers and the application of the safe harbor doctrine for other Internet application providers. Art. 18 addresses the liability of Internet connection providers, grants an exception to those services regarding intermediary liability. It states that “the Internet connection provider shall not be subject to civil liability for content generated by third party”. Art. 19, which addresses Internet application providers (excluding connection providers) states that, “in order to ensure freedom of expression and to prevent censorship, an Internet application provider shall only be subject to civil liability for damages caused by virtue of content generated by third parties if, after specific court order, it does not take action, according to the framework and technical limits of its services and within the time-frame ordered, to make the infringing content unavailable.”

According to Art. 15 of the Brazil Civil Rights Framework, internet application providers that are constituted as a legal entity and that carry out this activity in an organized manner professionally and with economic purposes, must retain the respective records of access to internet applications for a period of six months.

According to Art. 17 of Criminal Organizations Law, concessionaires of fixed or mobile telephony must keep, for a period of five years, at the disposal of the Police Chief or the Public Prosecutor, records of identification of the terminal numbers of origin and destination of international, long distance and local phone calls.

According to Art. 1,194 of the Brazilian Civil Code, the entrepreneurs and the business companies are obliged to retain all the bookkeeping, correspondence and other papers concerning their activity, as long as there is no statute of limitations or decay with regard to the acts contained therein. Based on this article, the Superior Court of Justice has understood that internet service providers (like other companies) have a legal duty to keep records and register their activities during the statute of limitations period for a civil claim in the Special Remedy No. 1.785.092.

The Guidelines for the Appointment of Data Treatment Agents and Data Protection Officers clarify Art. 41 of the Data Protection Law setting out that all institutions, either public or private, have the obligation to appoint a Data Protection Officer ("encarregado") (DPO). A previous reading of the Art. 23 of Law led to the conclusion that only public institutions would be obliged to appoint a DPO. However, the guidelines state that, contrary to other foreign legislations, the Data Protection Law does not determine the circumstances in which an organization should appoint a DPO. Therefore, one has to assume, as a general rule, that all organizations need to appoint a DPO. However, §3 of Art. 41 states that future regulations of the National Authority may determine the hypothesis for the dispensation of the need to appoint a DPO taking into account the nature, size and volume of operations of data treatment.

According to the Art. 10.12 of the Chile - Brazil Bilateral Trade Agreement, the Parties recognize that each Party may have its own regulatory requirements on the transfer of information by electronic means. Each Party shall permit the cross-border transfer of information by electronic means where such activity is for the conduct of the business of a person of a Party. Nothing in this Article shall prevent a Party from adopting or maintaining measures inconsistent with paragraph 2 to achieve a legitimate public policy objective, provided that the measure is not applied in a manner that would constitute a means of arbitrary or unjustifiable discrimination or a disguised restriction on trade.

The Personal Data Protection Law provides an horizontal data framework, with detailed regulations. It applies to the treatment of personal data, including through digital means, by natural or juridical persons of a public or private nature. The law applies regardless of the country of origin of the person and the country where data is located provided that: data treatment is made in the national territory; or data treatment activities aims at the supply of goods or services or data treatment of individuals located in the national territory; or data has been collected in the national territory.

Connection logs of Internet service providers (ISPs) should be retained for a minimum period of one year (Art. 13 of the Brazil Civil Rights Framework). The police, administrative authorities, or the Public Prosecutor's Office may request in a precautionary manner that the connection logs be kept for a longer period. Authorities will have a period of 60 days, counting from the time of the request, to obtain a court order to access the information.

Resolution No. 85 by Brazil's Central Bank and Resolution No. 4,893 by National Monetary Council set out regulations on how financial institutions and other institutions regulated by the Brazilian Central Bank should hire cloud computing services from providers that store or process information outside Brazil. In the absence of a formal agreement with the regulators of the country where the services are performed, prior authorization is required, at least 60 days before.

The Personal Data Protection Law allows the international transfer of personal data only under certain conditions (Arts. 33-36). The main conditions for such a transfer are that the recipient jurisdiction has an adequate level of data protection; the controller adduces adequate safeguards (for instance, by using model contract clauses, binding corporate rules or other contractual arrangements); the data subject has given his/her consent explicitly; or the transfer is necessary for the performance of a contract between the data subject and the controller. Art. 11 provides stricter conditions for processing of sensitive personal data and it is reported that in practice these conditions forced many organizations to store privacy-sensitive data in Brazil. The law applies extraterritorially to all companies that target Brazilian consumers even when the company is not established in the Brazilian market.

It has been reported that, although Brazil permits Brazilian-owned entities to acquire the exclusive right to operate a satellite and its associated frequencies from specific positions, foreign-licensed satellite operators may obtain only a non-exclusive right (a landing right) to provide service in Brazilian territory. The National Telecommunications Agency (ANATEL) grants these landing rights for a fixed term of no longer than 15 years, after which the operator must reacquire the landing rights in order to continue providing services. Foreign operators are also required to pay higher annual landing fees than Brazilian firms.

Brazil has not appended the World Trade Organization (WTO) Telecom Reference Paper to its schedule of commitments.

Brazil has a telecommunications authority: The National Telecommunications Agency (ANATEL). However, it is reported that the decision making process of this entity is not fully independent from the government.

Section 4 of the Annex of Normative Instruction on Public Procurement of Cloud Computing Services requires the existence of a national data centre. However, only classified information (reserved, secret and ultra secret) must be stored in the country. This results from the regulations of the Institutional Security Cabinet, especially Complementary Regulations No. 14/IN01/DSIC/SCS/GSIPR, which state that classified information should be exclusively stored in Brazil. The model terms of reference for procurement clarify this requirement. On the other hand, it is up to the high management of the public organization to define which information can be stored in the national territory or abroad.

Telecomunicações Brasileiras SA (Telebras), the former incumbent, is a state-owned enterprise, that was re-established in by Decree No. 7.175 of 2010, with a more limited role. Its task is to implement public policies related to the universalization of access to telecommunications in Brazil. Its focus is on digital inclusion and broadband access to remote localities as well as providing solutions for connections to universities, research centres, schools, hospitals, community centers and other public interest facilities.