The Interpretative Act No. 7 of August 2014, issued by the Brazilian Federal Revenue Secretariat (Receita Federal do Brasil – RFB), deals with the taxation of cross-border payments for data centres outside Brazil. It applies to all amounts paid, credited, delivered or remitted by individuals or legal entities resident or domiciled in Brazil to companies headquartered abroad that are identified as offshore data centres.
According to the Act, when the Brazilian source of payment hires offshore data centres for the use of infrastructure for storage and remote high-performance data processing systems, the transactions are deemed to be typical provision of services and cannot be characterised as rental of movable assets for tax purposes. The consequence of this interpretation is that the use of offshore data centres triggers the following federal taxes in Brazil:
- Withholding income tax (Imposto sobre a Renda Retido na Fonte – IRFF) at the rate of 15% or 25% whenever the recipient is located in a tax haven jurisdiction;
- Cide-royalties contribution (Contribuição de Intervenção no Domínio Econômico destinada a financiar o Programa de Estímulo à Interação Universidade-Empresa para o Apoio à Inovação – Cide-royalties), at the rate of 10%;
- PIS-importation contribution (Contribuição para o PIS/Pasep-Importação) at the rate of 1.65%;
- Cofins-importation contribution (Contribuição para o Cofins-Importação) at the rate of 7.6%; and
- IOF (Imposto sobre Operações de Câmbio), which is the financial tax levied on the foreign exchange transaction, at the rate of 0.38%.

The Personal Data Protection Law provides a framework for comprehensive data protection in Brazil. It applies to the treatment of personal data, including through digital means, by natural or juridical persons of a public or private nature. The law applies regardless of the country of origin of the person and the country where data is located provided that: data treatment is made in the national territory; or data treatment activities aims at the supply of goods or services or data treatment of individuals located in the national territory; or data has been collected in the national territory.

Art. 13 of the Civil Rights Framework for the Internet states that connection logs of Internet service providers (ISPs) should be retained for a minimum period of one year. The police, administrative authorities, or the Public Prosecutor's Office may request in a precautionary manner that the connection logs be kept for a longer period. Authorities have a period of 60 days, counting from the time of the request, to obtain a court order to access the information.

According to Art. 15 of the Civil Rights Framework for the Internet, internet application providers that are constituted as a legal entity and that carry out this activity in an organised manner professionally and with economic purposes must retain the respective records of access to the Internet applications for a period of six months. Internet applications are defined in Art. 5 (VII) as a set of functionalities that can be accessed through a terminal connected to the Internet.

According to Art. 17 of Criminal Organisation Law, concessionaires of fixed or mobile telephony must keep, for a period of five years, at the disposal of the Police Chief or the Public Prosecutor, records of identification of the terminal numbers of origin and destination of international, long distance and local phone calls.

The Guidelines for the Appointment of Data Treatment Agents and Data Protection Officers clarify Art. 41 of the Data Protection Law, setting out that all institutions, either public or private, have an obligation to appoint a Data Protection Officer ("encarregado") (DPO). A previous reading of the Art. 23 of Law led to the conclusion that only public institutions would be obliged to appoint a DPO. However, the guidelines state that the Data Protection Law does not determine the circumstances in which an organisation should appoint a DPO. Therefore, as a general rule, one must assume that all organisations must appoint a DPO. However, §3 of Art. 41 states that future regulations of the National Authority may determine the hypothesis for the dispensation of the need to appoint a DPO, taking into account the nature, size, and volume of data treatment operations

The Civil Rights Framework for the Internet law establishes a safe harbour regime for intermediaries for copyright infringements. Art. 18 states that “the Internet connection provider shall not be subject to civil liability for content generated by third party”. Art. 19, which addresses Internet application providers (excluding connection providers), states that “in order to ensure freedom of expression and to prevent censorship, an Internet application provider shall only be subject to civil liability for damages caused by virtue of content generated by third parties if, after specific court order, it does not take action, according to the framework and technical limits of its services and within the time-frame ordered, to make the infringing content unavailable.”

The Civil Rights Framework for the Internet law establishes a safe harbour regime for intermediaries beyond copyright infringements. Art. 18 states that “the Internet connection provider shall not be subject to civil liability for content generated by third party”. Art. 19, which addresses Internet application providers (excluding connection providers), states that “in order to ensure freedom of expression and to prevent censorship, an Internet application provider shall only be subject to civil liability for damages caused by virtue of content generated by third parties if, after specific court order, it does not take action, according to the framework and technical limits of its services and within the time-frame ordered, to make the infringing content unavailable.”

According to Art. 1 of Law 10.703, it is the responsibility of prepaid telecommunications service providers operating in the national territory to have an updated register of users. The registration, in addition to the full name and address, must contain, in the case of natural persons, the identity card number or registration number in the registry of the Ministry of Finance.
In addition, under Art. 42 of Resolution No. 477, users must provide a minimum set of personal data to be able to subscribe to a mobile telephone service. This information includes name, identity card number, and taxpayer number.

According to Arts. 41 and No. 42 of Ordinance 23 of July 2011 of the Secretary of Foreign Trade, the importation of used machinery, equipment, devices, instruments, moulds, and containers are prohibited unless these used goods are not produced in the country or are irreplaceable by other similar products manufactured in the country.

Brazil has joined an agreement with binding commitments to open data transfers across borders: the Chile-Brazil Bilateral Trade Agreement (Art. 10.12).

Brazil has a copyright regime under Law 9.610. However, the exceptions do not follow the fair use or fair dealing model, therefore limiting the lawful use of copyrighted works by third parties. Sections 46-48 list the exceptions, which include: the reproduction of news or informative articles published in newspapers or periodicals, mentioning the author's name; speeches delivered at public meetings of any nature; portraits, or any other form of representation of the image, made on commission, when made by the owner of the object ordered, without opposition from the person represented in them or his/her heirs; among others.

It is reported that there are long-standing concerns about the IP enforcement regime in Brazil and that online piracy, the use of illicit streaming devices (ISD), video game piracy, piracy in the metaverse, signal theft and the use of unlicensed software in the country remain major obstacles to the adoption of legitimate content distribution channels.

Brazil has not signed the World Intellectual Property Organization (WIPO) Copyright Treaty.

Brazil has not signed the World Intellectual Property Organization (WIPO) Performances and Phonograms Treaty.