BRAZIL
Since 2014
Pillar Intermediary liability |
Sub-pillar Safe harbor for intermediaries for copyright infringement
Law 12.965, of 2014 - Internet Civil Regulation (Lei 12.965, de 2014 - Regulamento Civil da Internet)
The Law 12,965 of 2014 (Internet Civil Regulation) introduces a liability exemption for Internet connection providers and the application of the safe harbor doctrine for other Internet application providers. Art. 18 addresses the liability of Internet connection providers, grants an exception to those services regarding intermediary liability. It states that “the Internet connection provider shall not be subject to civil liability for content generated by third party”. Art. 19, which addresses Internet application providers (excluding connection providers) states that, “in order to ensure freedom of expression and to prevent censorship, an Internet application provider shall only be subject to civil liability for damages caused by virtue of content generated by third parties if, after specific court order, it does not take action, according to the framework and technical limits of its services and within the time-frame ordered, to make the infringing content unavailable.”
Coverage Internet intermediaries
BRAZIL
Since April 2014
Pillar Domestic Data policies |
Sub-pillar Minimum period for data retention
Brazil Civil Rights Framework (Lei 12.965)
According to Art. 15 of the Brazil Civil Rights Framework, internet application providers that are constituted as a legal entity and that carry out this activity in an organized manner professionally and with economic purposes, must retain the respective records of access to internet applications for a period of six months.
Coverage Internet application providers
BRAZIL
Since August 2013
Pillar Domestic Data policies |
Sub-pillar Minimum period for data retention
Criminal Organizations Law (Lei 12.850)
According to Art. 17 of Criminal Organizations Law, concessionaires of fixed or mobile telephony must keep, for a period of five years, at the disposal of the Police Chief or the Public Prosecutor, records of identification of the terminal numbers of origin and destination of international, long distance and local phone calls.
Coverage Telecommunication sector
BRAZIL
Since January 2002
Since 2015
Since 2015
Pillar Domestic Data policies |
Sub-pillar Minimum period for data retention
Codigo Civil
Special Remedy No. 1.785.092 - SP (2015/0293529-2) (Recurso Especial No. 1.785.092 - SP (2015/0293529-2))
Special Remedy No. 1.785.092 - SP (2015/0293529-2) (Recurso Especial No. 1.785.092 - SP (2015/0293529-2))
According to Art. 1,194 of the Brazilian Civil Code, the entrepreneurs and the business companies are obliged to retain all the bookkeeping, correspondence and other papers concerning their activity, as long as there is no statute of limitations or decay with regard to the acts contained therein. Based on this article, the Superior Court of Justice has understood that internet service providers (like other companies) have a legal duty to keep records and register their activities during the statute of limitations period for a civil claim in the Special Remedy No. 1.785.092.
Coverage Internet service providers (ISPs)
BRAZIL
Since 2021
Since 2018
Since 2018
Pillar Domestic Data policies |
Sub-pillar Requirement to perform an impact assessment (DPIA) or have a data protection officer (DPO)
National Agency for Data Protection - Guidelines for the Appointment of Data Treatment Agents and Data Protection Officers, 2021 (Agência Nacional de Proteção de Dados - Diretrizes para a Nomeação de Agentes de Tratamento de Dados e Encarregados de Proteção de Dados, 2021)
Law 13.709 of 2018 - Personal Data Protection Law (Lei 13.709 de 2018 - Lei de Proteção de Dados Pessoais)
Law 13.709 of 2018 - Personal Data Protection Law (Lei 13.709 de 2018 - Lei de Proteção de Dados Pessoais)
The Guidelines for the Appointment of Data Treatment Agents and Data Protection Officers clarify Art. 41 of the Data Protection Law setting out that all institutions, either public or private, have the obligation to appoint a Data Protection Officer ("encarregado") (DPO). A previous reading of the Art. 23 of Law led to the conclusion that only public institutions would be obliged to appoint a DPO. However, the guidelines state that, contrary to other foreign legislations, the Data Protection Law does not determine the circumstances in which an organization should appoint a DPO. Therefore, one has to assume, as a general rule, that all organizations need to appoint a DPO. However, §3 of Art. 41 states that future regulations of the National Authority may determine the hypothesis for the dispensation of the need to appoint a DPO taking into account the nature, size and volume of operations of data treatment.
Coverage Horizontal
BRAZIL
Since August 2020
Pillar Cross-border data policies |
Sub-pillar Participation in trade agreements committing to open cross-border data flows
Chile - Brazil Bilateral Trade Agreement (Brazil Chile FTA)
According to the Art. 10.12 of the Chile - Brazil Bilateral Trade Agreement, the Parties recognize that each Party may have its own regulatory requirements on the transfer of information by electronic means. Each Party shall permit the cross-border transfer of information by electronic means where such activity is for the conduct of the business of a person of a Party. Nothing in this Article shall prevent a Party from adopting or maintaining measures inconsistent with paragraph 2 to achieve a legitimate public policy objective, provided that the measure is not applied in a manner that would constitute a means of arbitrary or unjustifiable discrimination or a disguised restriction on trade.
Coverage Horizontal
BRAZIL
Since 2018, entry into force in September 2020
Pillar Domestic Data policies |
Sub-pillar Framework for data protection
Law 13.709 of 2018 - Personal Data Protection Law (Lei 13.709 de 2018 - Lei de Proteção de Dados Pessoais)
The Personal Data Protection Law provides an horizontal data framework, with detailed regulations. It applies to the treatment of personal data, including through digital means, by natural or juridical persons of a public or private nature. The law applies regardless of the country of origin of the person and the country where data is located provided that: data treatment is made in the national territory; or data treatment activities aims at the supply of goods or services or data treatment of individuals located in the national territory; or data has been collected in the national territory.
Coverage Horizontal
BRAZIL
Since April 2014
Pillar Domestic Data policies |
Sub-pillar Minimum period for data retention
Brazil Civil Rights Framework (Lei 12.965)
Connection logs of Internet service providers (ISPs) should be retained for a minimum period of one year (Art. 13 of the Brazil Civil Rights Framework). The police, administrative authorities, or the Public Prosecutor's Office may request in a precautionary manner that the connection logs be kept for a longer period. Authorities will have a period of 60 days, counting from the time of the request, to obtain a court order to access the information.
Coverage Internet service providers (ISPs)
BRAZIL
Since April 2021
Since March 2021
Since March 2021
Pillar Cross-border data policies |
Sub-pillar Conditional flow regime
Central Bank Resolution No. 85 (Resolução BCB No. 85. Dispõe sobre a política de segurança cibernética e sobre os requisitos para a contratação de serviços de processamento e armazenamento de dados e de computação em nuvem a serem observados pelas instituições de pagamento autorizadas a funcionar pelo Banco Central do Brasil)
National Monetary Council Resolution No. 4,893 (Resolução CMN No. 4.893. Dispõe sobre a política de segurança cibernética e sobre os requisitos para a contratação de serviços de processamento e armazenamento de dados e de computação em nuvem a serem observados pelas instituições autorizadas a funcionar pelo Banco Central do Brasil)
National Monetary Council Resolution No. 4,893 (Resolução CMN No. 4.893. Dispõe sobre a política de segurança cibernética e sobre os requisitos para a contratação de serviços de processamento e armazenamento de dados e de computação em nuvem a serem observados pelas instituições autorizadas a funcionar pelo Banco Central do Brasil)
Resolution No. 85 by Brazil's Central Bank and Resolution No. 4,893 by National Monetary Council set out regulations on how financial institutions and other institutions regulated by the Brazilian Central Bank should hire cloud computing services from providers that store or process information outside Brazil. In the absence of a formal agreement with the regulators of the country where the services are performed, prior authorization is required, at least 60 days before.
Coverage Financial sector
BRAZIL
Since August 2018, entry into force in September 2020
Pillar Cross-border data policies |
Sub-pillar Conditional flow regime
Law No. 13.709 of 14 August 2018, General Personal Data Protection Law (Lei Nº 13.709, de 14 de agosto de 2018, Lei Geral de Proteção de Dados Pessoais)
The Personal Data Protection Law allows the international transfer of personal data only under certain conditions (Arts. 33-36). The main conditions for such a transfer are that the recipient jurisdiction has an adequate level of data protection; the controller adduces adequate safeguards (for instance, by using model contract clauses, binding corporate rules or other contractual arrangements); the data subject has given his/her consent explicitly; or the transfer is necessary for the performance of a contract between the data subject and the controller. Art. 11 provides stricter conditions for processing of sensitive personal data and it is reported that in practice these conditions forced many organizations to store privacy-sensitive data in Brazil. The law applies extraterritorially to all companies that target Brazilian consumers even when the company is not established in the Brazilian market.
Coverage Horizontal
Sources
- http://www.planalto.gov.br/ccivil_03/_ato2015-2018/2018/lei/l13709.htm
- https://platform.dataguidance.com/sites/default/files/lgpd_translation.pdf
- https://www.dataguidance.com/jurisdiction/brazil
- https://idc-a.org/news/industry/Brazils-data-localization-law-spurs-investment-growth-in-data-centers/5b0eadb4-cfb8-49b7-b3a3-be6b49c82e8b
- Show more...
BRAZIL
Reported in 2022
Pillar Telecom infrastructure and competition |
Sub-pillar Other restrictions to operate in the telecom market
Discrimination of foreign satellite operators
It has been reported that, although Brazil permits Brazilian-owned entities to acquire the exclusive right to operate a satellite and its associated frequencies from specific positions, foreign-licensed satellite operators may obtain only a non-exclusive right (a landing right) to provide service in Brazilian territory. The National Telecommunications Agency (ANATEL) grants these landing rights for a fixed term of no longer than 15 years, after which the operator must reacquire the landing rights in order to continue providing services. Foreign operators are also required to pay higher annual landing fees than Brazilian firms.
Coverage Satellite operators
BRAZIL
N/A
Pillar Telecom infrastructure and competition |
Sub-pillar Signature of the WTO Telecom Reference Paper
Lack of appendment of WTO Telecom Reference Paper to schedule of commitments
Brazil has not appended the World Trade Organization (WTO) Telecom Reference Paper to its schedule of commitments.
Coverage Telecommunications sector
BRAZIL
N/A
Pillar Telecom infrastructure and competition |
Sub-pillar Presence of independent telecom authority
Lack of an independent telecom authority
Brazil has a telecommunications authority: The National Telecommunications Agency (ANATEL). However, it is reported that the decision making process of this entity is not fully independent from the government.
Coverage Telecommunications sector
BRAZIL
Since April 2019
Since March 2018
Since March 2018
Pillar Cross-border data policies |
Sub-pillar Ban to transfer and local processing requirement
Normative Instruction of the Secretariat of Management No. 1 - Public Procurement of Cloud Computing Services Guidelines (Instrução Normativa No. 1 de 4 de Abril de 2019. Dispõe sobre o processo de contratação de soluções de Tecnologia da Informação e Comunicação - TIC pelos órgãos e entidades integrantes do Sistema de Administração dos Recursos de Tecnologia da Informação - SISP do Poder Executivo Federal)
Complementary Regulations No. 14/IN01/DSIC/SCS/GSIPR (Norma Complementar N. 14/IN01/DSIC/SCS/GSIPR)
Complementary Regulations No. 14/IN01/DSIC/SCS/GSIPR (Norma Complementar N. 14/IN01/DSIC/SCS/GSIPR)
Section 4 of the Annex of Normative Instruction on Public Procurement of Cloud Computing Services requires the existence of a national data centre. However, only classified information (reserved, secret and ultra secret) must be stored in the country. This results from the regulations of the Institutional Security Cabinet, especially Complementary Regulations No. 14/IN01/DSIC/SCS/GSIPR, which state that classified information should be exclusively stored in Brazil. The model terms of reference for procurement clarify this requirement. On the other hand, it is up to the high management of the public organization to define which information can be stored in the national territory or abroad.
Coverage Cloud-computing services
Sources
- https://www.in.gov.br/materia/-/asset_publisher/Kujrw0TZC2Mb/content/id/70267659/do1-2019-04-05-instrucao-normativa-n-1-de-4-de-abril-de-2019-70267535
- https://repositorio.cgu.gov.br/handle/1/42764
- https://resourcehub.bakermckenzie.com/en/resources/data-privacy-security/latin-america/brazil/topics/data-localizationresidency
- Show more...
BRAZIL
Since May 2010
Pillar Telecom infrastructure and competition |
Sub-pillar Presence of shares owned by the government in telecom companies
Presence of shares owned by the government in the telecom sector
Telecomunicações Brasileiras SA (Telebras), the former incumbent, is a state-owned enterprise, that was re-established in by Decree No. 7.175 of 2010, with a more limited role. Its task is to implement public policies related to the universalization of access to telecommunications in Brazil. Its focus is on digital inclusion and broadband access to remote localities as well as providing solutions for connections to universities, research centres, schools, hospitals, community centers and other public interest facilities.
Coverage Telecommunications sector