Brazil: Technology

The In-House Lawyer Logo

This country-specific Q&A provides an overview to technology laws and regulations that may occur in the Brazil.

It will cover communications networks and their operators, databases and software, data protection, AI, cybersecurity as well as the author’s view on planned future reforms of the merger control regime.

This Q&A is part of the global guide to Technology. For a full list of jurisdictional Q&As visit

  1. Are communications networks or services regulated? If so what activities are covered and what licences or authorisations are required?

    Yes, both are regulated in Brazil. In order to provide telecom services, the interested party has to apply for a telecommunications license and a spectrum license (when the service depends on the use of spectrum). Services are regulated individually, either through a federal law (which is the case of pay-TV services) or regulations enacted by the telecom regulator (“Anatel”). The most common licenses held by Brazilian companies are: fixed switched telephone services (“FSTS”), cellular telephone services, pay-TV (named as SeAC – conditioned access service) and multimedia communication service license (for broadband data and transmission of voice and image signals).

    Over-the-top (OTT) providers (such as Netflix, WhatsApp, Wechat, etc.) are not regulated as telecommunications companies and may be offered without a license.

    Networks are also regulated. Mandatory interconnection, offer of wholesale network capacity, duty of equal treatment and non-discrimination and net-neutrality are among the most important rules. Sharing of non-utilized network infrastructure among telecommunication companies and between telecommunications companies and utility companies operating in energy and oil & gas sectors are also mandatory.

    Net neutrality, a principle which forbids different treatment of internet traffic on the basis of its origin, destination, application or content, has been assured by Law No. 12,965/2014. Any discrimination or degradation of data traffic may only occur (i) based on technical requirements essential to the adequate provision of services and applications, or (ii) to give priority to emergency services. This matter was further regulated by Decree No. 8,771/2016.

  2. Is there any specific regulator for the provisions of communications-related services? Are they independent of the government control?

    Yes. Anatel, the Brazilian Telecommunications Agency, is the federal authority responsible for the regulation of communications-related services, as established by the Telecommunications Act (Law No. 9,472/1997). The agency is independent, as Anatel´s commissioners cannot be dismissed by the President of the Republic. Financial and administrative independency is also guaranteed for the agency.

  3. Does an operator need to be domiciled in the country? Are there any restrictions on foreign ownership of telecoms operators?

    Yes. Under Decree No. 2617/1998, any Brazilian telecommunications operating entity has to be (i) incorporated and headquartered in Brazil, and (ii) controlled by another Brazilian entity, also headquartered in Brazil. Despite, there are no foreign ownership restrictions in the telecommunications sector, except for radio and TV broadcasting, where foreign capital is limited to 30% of the company´s total and voting capital.

  4. Are there any regulations covering interconnection between operators? If so are these different for operators with market power? What are the principal consumer protection regulations that apply specifically to telecoms services?

    Yes. The Telecommunications Act establishes that interconnection shall be carried out in a non-discriminatory manner, under adequate technical conditions, with the practice of fair and isonomic prices.

    Additionally, the General Interconnection Regulation, approved by ANATEL Resolution No. 410/2005, provides the applicable rules to interconnection requests, interconnection public offers, the time limits that must be observed for the implementation of interconnections, and the procedure for disputes resolution.

    There are specific obligations for operators holding significant market power as established by the General Competition Plan (“PGMC”) enacted by Anatel. The PGMC provides rules to determine whether an economic group holds the so-called significant market power (“SMP”) to influence economic conditions in certain telecommunications markets. According to PGMC, operators found to hold SMP may be subject to asymmetric regulatory obligations regarding transparency, resources access, products offer and equality, as well as wholesale price control. In order to determine whether an economic group holds significant market power in a relevant market, Anatel undertakes an assessment with regard to the group’s (i) market share; (ii) ability to benefit from economies of scale and scope in the relevant market; (iii) control over an essential infrastructure; and (iv) presence in both wholesale and retail segments.

    For groups that hold SMP, the offer of wholesale network capacity (dedicated circuits) is mandatory, and shall be provided within deadlines established in the regulation, so as to avoid procrastinations or other anti-competitive behaviors.

    The Telecom Consumer Protection Regulation, approved by ANATEL Resolution No. 632/2014, is the specific regulation that applies to users of telecom services. Such regulation is enforced in addition to the Consumer Protection Code (Law No. 8,078/1990), which is the general law concerning the consumer protection in Brazil.

    The main rights afforded to all telecommunication service users are: (i) enjoyment of the service, in accordance with quality standards established by regulation and the services agreements; (ii) choice of the provider and the service plan; (iii) non-discriminatory treatment with respect to the access and service use conditions; (iv) previous knowledge about all charges and material conditions or limitations of the service offering; (v) inviolability and secrecy of communication; (vi) non-suspension of the service, except in circumstances allowed by the regulations; (vii) confidentiality of invoices and on the use of users’ data; (viii) efficient and prompt responses to complaints; (ix) compensation for the damages caused by the violation of rights; (x) re-establishment of all the rights relating to the provision of the services, upon payment of outstanding debts; (xi) not to be subject to tie-in sales; (xii) termination of the services agreement, at any time; and (xiii) not be charged for any values unrelated to the provision of the telecommunications service without previous and express authorization.

  5. What legal protections are offered in relation to the creators of computer software?

    The software creators are protected by the same intellectual property rules granted to literary work creators stipulated by the Copyright Act (Law No. 9,610/1998), and is also subject to the Software Act (Law No. 9,609/1998). Software is protected regardless of registration with the Brazilian Patent and Trademark Office (INPI), although such registration, in certain cases, may be advisable to demonstrate and prove anteriority. Protection is granted for fifty (50) years, counted from January 1 of the year following publication or, in the absence of a publication, of its creation.

    In the Brazilian copyright system, the software author is the person who developed the software, while the software owner is the person or entity which can exploit the software from a commercial perspective.

    According to the Software Law, unless agreed otherwise, the employer shall have full title over the software developed by its employees, assuming that the development of software was within employees´ duties at the company. The same applies for software made-for-hire, which IP shall belong to the hiring party.

  6. Are specific intellectual property rights in respect of data/databases recognised?

    Generally, the information added to a database is not subject to IP protection. Nevertheless, the form of organization or arrangement of such information (i.e. the database structure) may be protected as a copyright work.

  7. What key protections exist for personal data?

    In Brazil, privacy and data protection are treated as fundamental rights of individuals under the Federal Constitution. Individuals who suffer material or moral damages as a result of violation of such rights have the right to indemnification. In addition to the Federal Constitution, the Brazilian Civil Code (Law No. 10,406/02), the Consumer Protection Code (Law No. 8,078/9, the “Consumer Code”) and the Internet Act (Law No. 12,965/14) are the most prominent statutes governing the use, collection and processing of personal data in specific cases by private enterprise.

    The Brazilian Civil Code acknowledges and reinforces the principle that privacy is inherent to an individual’s personality and dignity, providing that such right is non-assignable and not subject to waiver, and cannot be voluntarily limited. Still under this statute, the private life of an individual is inviolable and the court shall, upon request, take such actions as necessary to prevent or cease the violation, without prejudice to material and moral damages and other applicable sanctions.

    The Consumer Code is applicable whenever a consumer relationship is formed between an individual (or corporate entity, in certain circumstances) and a service provider or a product manufacturer. The privacy of consumer relations and handling of databases are regulated by this Code. The Consumer Code requires that the individual whose data is being collected must be informed of the input of his/her information into a database (there is no requirement for consent, but rather, a notice). The consumer should have the right to access, rectify and correct his/her database information.

    The Internet Act establishes other principles and rules with respect to the privacy and protection of internet users’ personal and behavioural data. It contemplates specific rules on the collection, storage and processing of personal information through internet services and applications. One of the important provisions of the Internet Act deals with the users’ rights to be fully informed, on a clear and direct manner, of the data treatment, which can only be made: (i) for the reasons that justified its collection; (ii) if not prohibited by law; and (iii) if allowed by the applicable service agreements or terms of use. Free, express and informed consent is required from data subjects. Any information that may be collected in excess of the reason why such information has been collected may trigger liability. Under the Internet Act, personal data must be kept in secrecy, and shall only be disclosed upon a valid court order, if authorized by user or if expressly provided by law. In addition to the data subject´s right of access, rectification and correction of his/her personal data, the Internet Act also provides for the right of deletion of personal data.

    In addition to the aforementioned laws, there are other sector-specific laws that deal with privacy and data protection, such as the Wiretap Act (Law No. 9,296/96), the Bank Secrecy Act (Complementary Law No. 105/01), and the Information Access Act (Law No. 12,527/01), which governs information collected by federal government. Other privacy and data protection regulations apply to specific sectors of the economy, labor relationships and the exercise of profession (doctors, attorneys and financial advisors, for example).

    In the past couple of years, the Brazilian National Congress has been discussing a comprehensive data protection law that will apply across multiple sectors and in all kind of personal or professional relationships. The most important bills under discussion are the Senate Bill No. 330 and House of Representatives Bill No. 5,276 (the “Bills”). Based on the discussions in the Brazilian National Congress, a federal law on privacy and data protection is expected to be approved until the end of 2018. Both Bills were inspired in the European data protection legal framework and, if approved, the new law will significantly affect the way companies and individuals act with respect to privacy and data protection in Brazil. International data transfer, coverage and enforceability of the law and the requirement of express consent by the data subject are the main aspects covered by this new law.

  8. Are there restrictions on the transfer of personal data overseas?

    There is no specific regime or regulation regarding the transfer of data outside Brazil. As a rule, if the notice/consent is provided (when required) and the relevant privacy policy expressly provides for the international data transfers, international transfer should be allowed. There are some provisions related to international data transfers in the Bills, which will impose additional requirements for transferring data to countries considered to have less protection than Brazil. The data privacy authority shall also determine which countries fall into the category of less safe for such purposes.

  9. What is the maximum fine that can be applied for breach of data protection laws?

    The fines may vary depending on the claimant and the rules that were not complied in each specific case. For example, if a consumer protection agency is responsible for issuing the fine (e.g. for violation of Consumer Code’s rules), the maximum fine would be around USD 4 million (with few exceptions, depending on the agency). Public prosecutors may file class actions and ask for a compensation for collective damages and, in this case, there is no statutory limit for this kind of claim.

    According to the Internet Act, companies that fail to comply with Brazilian rules concerning data protection may be subject to a fine of up to 10% of the income of the economic group revenues generated in Brazil in the previous fiscal year.

  10. Are there any restrictions applicable to cloud-based services?

    Cloud services remain broadly unregulated in Brazil, although subject to existing laws regarding data privacy, the consumer protection and contract law. Certain restrictions or requirement may apply to the use of cloud-based services by government.

  11. Are there specific requirements for the validity of an electronic signature?

    No. Employees, assets or contracts have to always to be formally assigned or transferred to a third party (e.g. an IT service provider) if necessary, as Brazilian laws does not provide for any automatic transfer in the event of outsourcing of IT services. Please note, however, that depending on how the relationship is managed, there may be a risk of an employment relationship between the IT service provider and the client housing the employees.

  12. In the event of an outsourcing of IT services, would any employees, assets or third party contracts transfer automatically to the outsourcing supplier?

    No. Employees, assets or contracts have to always to be formally assigned or transferred to a third party (e.g. an IT service provider) if necessary, as Brazilian laws does not provide for any automatic transfer in the event of outsourcing of IT services. Please note, however, that depending on how the relationship is managed, there may be a risk of an employment relationship between the IT service provider and the client housing the employees.

  13. If a software program which purports to be an early form of A.I. malfunctions, who is liable?

    Under the Consumer Code, product liability is based on a strict liability regime and any entity that participates in the chain of development, distribution and/or offer of the product is jointly and severally liable for any product defect or malfunction. Therefore, all the entities of the production chain may be subject to liability. The main causes of action that may trigger liability relates to defects in the products and services, failure to provide clear information to consumers on the risks and limitations of the products and services and misleading advertising. Therefore, liability may be triggered if the customer does not receive all information on how the A.I. works and any possible malfunction/risks associated to the product or, in any case, if the product is deemed, by its nature, defective.

    As for the Civil Code regime, which is usually applicable to contracts between corporations, liability is imposed to the entities that caused or contributed to the damage caused; in this scenario, joint liability may only be imposed based on express statutory or contractual provisions. In any event, the Civil Code contemplates the “theory of risk”, imposing strict liability on any service provider that offers services that are deemed to expose people to an unreasonable and unexpected risk.

  14. What key laws exist in terms of obligations as to the maintenance of cybersecurity?

    According to the provisions set forth in the Consumer Code, companies shall take all reasonable measures to offer safe and free-of-defect products and services. Therefore, if the company does not implement appropriate security measures (normally based in industry-standards) their product or service may be deemed defective and trigger liabilities. The Internet Act establishes that, in addition to the provisions of the Consumer Code, the following security measures to be implemented by internet application providers:

    1. strict control over the access to personal data upon the definition of responsibilities for the personnel who will have access to the data stored;
    2. authentication mechanisms must be used to allow the access to personal data stored (e.g., two steps verification should be used to ensure the identification of the individual who have permissions to access personal data stored);
    3. detailed data inventories must be created containing the access to personal data (date, time and duration of the access, the identity of the employee responsible for the access, as well as the files that were accessed must be kept); and
    4. use of IT solutions that ensure the inviolability of data, such as encryption or equivalent protective measures.

    In addition to the foregoing, the Brazilian Internet Steering Committee (the “CGI”) may recommend additional security measures and standards to be adopted.

  15. What key laws exist in terms of the criminality of hacking/DDOS attacks?

    Under the Criminal Code (Law No. 2,848/1940), the act of attacking a computing device, whether connected to the internet or not, by breach of a security mechanism and for the purpose of collecting, altering or destroying data or information or installing vulnerabilities to obtain an illegal benefit is deemed as crime.

  16. What technology development will create the most legal change in the jurisdiction?

    The use of encryption and blockchain technologies will probably lead to important changes in the Brazilian legal system. On encryption, several discussions are taking place in the Supreme Court regarding the lawfulness of using strong encryption systems to ensure privacy, in opposition of allowing law enforcement agencies to wiretap private communications systems. As for blockchain, we believe that such technology will probably lead to a material change on how legal documents are treated. By creating a safe environment for identifying individuals/legal entities online and assuring integrity of documents in a low cost way, it will certainly affect and lead to a material change on how the judiciary and other stakeholders deal with documentation in the country.

  17. Which current legal provision/regime creates the greatest impediment to economic development/ commerce?

    We believe that the Brazilian tax system imposes high complexity for technology companies, notably when different taxing authorities believe that a certain service revenue may be subject to State VAT and Municipal taxes (according to applicable tax laws, it should be either State or Municipal taxable revenues, not both). So companies are forced to litigate and handle onerous proceedings and unsubstantiated tax assessments due to this “tax war” among Brazilian authorities.

    Another risk that we envision relates to certain areas of government which wishes to regulate (and therefore, tax) OTT just as traditional service providers. Several barriers have to be lifted and a more competitive environment needs to be put in place to allow the development of IOT products and services.

  18. Do you believe the legal system specifically encourages or hinders digital services?

    In certain areas, it encourages and in others, not so much. The Internet Act enacted in 2014 brought a very positive legal environment for internet companies, which is positive. Among other provisions, it creates a safe harbour to internet service providers on liability for user-generated content and defines clear and specific rules for collection, use and treatment of personal data collected in the internet. In addition to the Internet Act, another initiative of the Brazilian government is the development of the national plan for the internet of things (IoT), aiming at creating a favourable and safe legal environment for the Industry 4.0. If approved, it will certainly encourage even more the offering of digital services in the country.

    In terms of protecting IP rights with patents, Brazil is not going a good job, and a patent may easily take more than 10 years to be granted.

  19. To what extent is the legal system ready to deal with the legal issues associated with artificial intelligence?

    To a certain extent, existing laws may apply to AI providers and to seek redress in case of any damage that may be caused by an AI device. The strict liability regime under the Consumer Code and the Civil Code could be applied in such cases. In any event, regulating AI more broadly could be important, given the ramifications of the AI technology, mainly when the AI products and services start to create actions independently from the software programmers.