This country-specific Q&A provides an overview to technology laws and regulations that may occur in the Brazil.
It will cover communications networks and their operators, databases and software, data protection, AI, cybersecurity as well as the author’s view on planned future reforms of the merger control regime.
This Q&A is part of the global guide to Technology. For a full list of jurisdictional Q&As visit http://www.inhouselawyer.co.uk/index.php/practice-areas/technology
Are communications networks or services regulated? If so what activities are covered and what licences or authorisations are required?
Yes, both are regulated in Brazil. In order to provide telecom services, the interested party has to apply for a telecommunications license and a spectrum license (when the service depends on the use of spectrum). Each service is regulated individually, either through a federal law (which is the case of pay-TV services) or regulations enacted by the telecom regulator (Nacional Agency of Telecommunications – “Anatel”). The most common licenses held by Brazilian companies are: (i) fixed switched telephone services (“FSTS”); (ii) cellular telephone services; (ii) pay-TV (named as SeAC – conditioned access service); and (iii) multimedia communications service license (for broadband data and transmission of voice and image signals).
Over-the-top (“OTT”) providers (such as Netflix, WhatsApp, WeChat, among others) are not regulated as telecommunications companies and may be offered without a license.
Networks are also regulated. Mandatory interconnection, offer of wholesale network capacity, duty of equal treatment and non-discrimination and net-neutrality are among the important rules. Sharing of non-utilized network infrastructure among telecommunication companies and between telecommunications companies and utility companies operating in energy and oil & gas sectors are also mandatory.
Net-neutrality, assured by Law No. 12,965/2014 (“Internet Act”), is a principle applicable to Internet service providers that forbids different treatment of internet traffic based on its origin, destination, application or content. Any discrimination or degradation of data traffic may only occur (i) based on technical requirements essential to the adequate provision of services and applicationsor (ii) to give priority to emergency services. This matter was further regulated by Decree No. 8,771/2016, which regulates the Internet Act.
Is there any specific regulator for the provisions of communications-related services? Are they independent of the government control?
Yes. Anatel is the federal authority responsible for the regulation of communications-related services, as established by the Telecommunications Act (Law No. 9,472/1997). The agency is independent, as Anatel’s commissioners cannot be dismissed by the President of the Republic.
Does an operator need to be domiciled in the country? Are there any restrictions on foreign ownership of telecoms operators?
Yes. Under Decree No. 2,617/1998, any Brazilian telecommunications operating entity has to be (i) incorporated and headquartered in Brazil; and (ii) controlled by another Brazilian entity, also headquartered in Brazil. Despite, there are no foreign ownership restrictions in the telecommunications sector, except for radio and TV broadcasting, where foreign capital is limited to 30% of the company’s total and voting capital.
Are there any regulations covering interconnection between operators? If so are these different for operators with market power?
Yes. The Telecommunications Act establishes that interconnection shall be carried out in a non-discriminatory manner, under adequate technical conditions, with the practice of fair and isonomic prices.
Additionally, the General Interconnection Regulation, approved by Anatel Resolution No. 410/2005, provides the applicable rules to interconnection requests, interconnection public offers, the time limits that must be observed for the implementation of interconnections and the procedure for disputes resolution.
There are specific obligations for operators holding significant market power as established by the General Competition Plan (“PGMC”) enacted by Anatel. The PGMC provides rules to determine whether an economic group holds the so-called significant market power (“SMP”) to influence economic conditions in certain telecommunications markets. According to PGMC, operators found to hold SMP may be subject to asymmetric regulatory obligations regarding transparency, resources access, products offer and equality, as well as wholesale price control. In order to determine whether an economic group holds signiﬁcant market power in a relevant market, Anatel undertakes an assessment with regard to the group’s (i) market share; (ii) ability to benefit from economies of scale and scope in the relevant market; (iii) control over an essential infrastructure; and (iv) presence in both wholesale and retail segments.
For groups that hold signiﬁcant market power, the offer of wholesale network capacity (dedicated circuits) is mandatory, and shall be provided within deadlines established in the regulation, so as to avoid procrastinations or other anti-competitive behaviours.
What are the principal consumer protection regulations that apply specifically to telecoms services?
The Telecom Consumer Protection Regulation, approved by Anatel Resolution No. 632/2014, is the specific regulation that applies to users of telecom services. Such regulation is enforced in addition to the Consumer Protection Code (Law No. 8,078/1990), which is the general Brazilian law concerning consumer protection.
The main rights afforded to all telecommunication service users are: (i) enjoyment of the service, in accordance with quality standards established by regulation and the services agreements; (ii) choice of the provider and the service plan; (iii) non- discriminatory treatment pursuant to access and service use conditions; (iv) previous knowledge about all charges and material conditions or limitations of the service offering; (v) communications’ inviolability and confidentiality; (vi) non-suspension of the service, except in circumstances allowed by the regulations; (vii) conﬁdentiality of invoices and on the use of users’ data; (viii) efficient and prompt responses to complaints; (ix) compensation for damages caused by the violation of rights; (x) re-establishment of all rights related to the services provision, upon payment of outstanding debts; (xi) not be subject of tie-in sales; (xii) termination of service agreements at any time; and (xiii) not be charged for any values unrelated to the provision of the telecommunications service without previous and express consent.
What legal protections are offered in relation to the creators of computer software?
Software is protected by the same intellectual property rules granted to literary works by the Brazilian Copyright Act (Law No. 9,610/1998), and is subject to the Software Act (Law No. 9,609/1998). Software is protected regardless of registration with the Brazilian Patent and Trademark Office (INPI), although such registration, in certain cases, may be advisable to demonstrate and prove anteriority. Protection is granted for fifty (50) years, counted from January 1st of the publication’s following year or, in the absence of publication, of its creation.
In the Brazilian copyright system, the software author is the person who developed the software, while the software owner is the person or entity that can exploit the software from a commercial perspective.
According to the Software Law, unless agreed otherwise, the employer shall have full title over the software developed by its employees, assuming that the development of software was within employees´ duties at the company. The same applies for software made-for-hire, which IP shall belong to the hiring party.
Do you recognise specific intellectual property rights in respect of data/databases?
Generally, the information added to a database is not subject to IP protection. Nevertheless, the form of organization or arrangement of such information (i.e. the database structure) may be protected as a copyright work.
What key protections exist for personal data?
The Brazilian data protection legal framework is going through a significant change. After years of legislative process, the Brazilian Congress approved in July, 2018, a comprehensive data protection law (Lei Geral de Proteção de Dados – “LGPD”), which regulates the use of personal data by both private and public entities in Brazil. Before the approval of the LGPD, privacy and data protection were generally protected under the Federal Constitution (as fundamental rights of individuals) and by sector-specific laws. The final enactment of the LGPD is expected to occur in August 2018, and the companies will have 18 months thereafter to ensure compliance with the law.
The LGPD mirrors a number of obligations and rights set forth in the General Data Protection Regulation – “GDPR” of the European Union, establishing detailed rules for the collection, use, processing and storage of personal data, which will affect all economic sectors, both in the digital and physical environment.
The LGPD introduces new rights to data subjects, such as the right to obtain information regarding the processing of data, right to access, rectify and delete data, right to withdraw the consent at any time, the right to data portability to another supplier of goods and services and the right to obtain the review of automated decisions.
Under the LDPG, the processing of personal data may only be carried out when based on one or more of the legal grounds provided for in such law. Among other cases, the processing of personal data is authorized upon the consent of the data subject, for the purpose of compliance with legal or regulatory obligations, when necessary for the performance of a contract, or when necessary to meet the legitimate interest of the data controller. Other specific legal basis apply to the processing of sensitive data (which definition includes, among others, health information and biometric and/or genetic data of the data subject).
According to the LGPD, data controllers and processors must adopt certain actions, which may include, but are not limited to:
(a) Define and document the legal grounds for processing personal data;
(b) Appoint a data protection officer, who will be in charge of handling personal data within the organizations;
(c) Report data breaches and security incidents to the national data protection authority and, in some cases, to the affected data subjects;
(d) Adopt technical and organizational measures to protect personal data from unauthorized access and from accidental or unlawful destructions, loss, change, communications, transmission, or any other occurrence resulting from inadequate or illegal treatment; measures that shall be adopted since the creation of any new technology or product (privacy by design);
(e) Perform privacy impact assessments where required by the national data protection authority;
(f) Observe strict requirements in the transfer of data out of the country (as detailed in answer 8 below).
Until the LGDP becomes effective, the Consumer Protection Code (Law No. 8,078/9, the “Consumer Code”) and the Internet Act (Law No. 12,965/14) remain as the most prominent federal statutes governing the use, collection and processing of personal data.
The Consumer Code is applicable whenever a consumer relationship is formed between an individual (or corporate entity, in certain circumstances) and a service provider or a product manufacturer. The privacy of consumer relations and handling of databases are regulated by this Code. The Consumer Code requires that the individual whose data is being collected must be informed of the input of his/her information into a database (there is no requirement for consent, but rather, a notice). The consumer should have the right to access, rectify and correct his/her database information.
In addition, there are other sector-speciﬁc laws that deal with privacy and data protection, such as the Wiretap Act (Law No. 9,296/96), the Bank Secrecy Act (Complementary Law No. 105/01), and the Information Access Act (Law No. 12,527/01), which governs information collected by federal government. Other privacy and data protection regulations apply to speciﬁc sectors of the economy, labor relationships and the exercise of profession (doctors, attorneys and ﬁnancial advisors, for example).
Are there restrictions on the transfer of personal data overseas?
As mentioned in the previous answer, the LGPD, when effective, will impose strict requirements for international data transfer. It provides that international data transfer shall be permitted solely in the following circumstances:
(a) to countries with an adequate level of protection (to be determined by the national data protection authority);
(b) through the use of standard contractual clauses, binding corporate rules, seals, certificates and codes of conduct approved by national data protection authority;
(c) with the specific and prominent consent of the data subject, case which prior information on the international character of the operation shall be provided, clearly distinguishing this from other purposes;
(d) to comply with a legal or regulatory obligation;
(e) when necessary for the performance of a contract;
(f) for the protection of life and physical safety of the data subject or third party;
(g) for the regular exercise of rights in judicial, administrative or arbitral proceedings;
(h) when necessary for international legal cooperation between intelligence, investigation and prosecution public bodies, in accordance with the instruments of international law;
(i) based in a commitment made in an international cooperation agreement;
(j) when authorized by the national data protection authority; and
(k) when necessary for the execution of public policy or compliance with the legal attribution of the public service.
What is the maximum fine that can be applied for breach of data protection laws?
The ﬁnes may vary depending on the claimant and the rules that were not complied in each speciﬁc case. For example, if a consumer protection agency is responsible for issuing the ﬁne (e.g. for violation of Consumer Code’s rules), the maximum ﬁne would be around USD 4 million (with few exceptions, depending on the agency). Public prosecutors may ﬁle class actions and ask for a compensation for collective damages and, in this case, there is no statutory limit for this kind of claim.
According to the Internet Act, companies that fail to comply with Brazilian rules concerning data protection may be subject to a ﬁne of up to 10% of the turnover of the economic group revenues generated in Brazil in the previous ﬁscal year.
Non-compliance with the rules of the LGPD (when effective) may result in fines of up to two percent of the turnover of the infringing company’s conglomerate in Brazi, in the preceding fiscal year, excluding taxes, but limited to a total of R$ 50,000,000.00 (fifty million reais) per violation.
Are there any restrictions applicable to cloud-based services?
Cloud services remain broadly unregulated in Brazil, although subject to existing laws regarding data privacy, the consumer protection and contract law. Certain restrictions or requirement may apply to the use of cloud-based services by government and, in the financial sector, specific requirements shall be observed in the contracting of cloud-based processing and storage services by financial institutions.
Are there specific requirements for the validity of an electronic signature?
The Provisional Measure 2,200-2/2001 attributes presumption of authenticity for digital signatures electronically certified by a certification authority accredited by ICP-Brasil, a hierarchical and reliable chain that governs and enables the issuance of digital certificates for the virtual identification of an individual or legal entity. However, the parties may also choose other methods to certify the signatures authenticity, including the use of a digital certificate issued by any entity not accredited by ICP-Brasil; in this case, the certification must be accepted by the parties as valid or accepted by the person to whom the document was opposed to.
In the event of an outsourcing of IT services, would any employees, assets or third party contracts transfer automatically to the outsourcing supplier?
No. Employees, assets or contracts have to always to be formally assigned or transferred to a third party (e.g. an IT service provider) if necessary, as Brazilian laws does not provide for any automatic transfer in the event of outsourcing of IT services. Please note, however, that depending on how the relationship is managed, there may be a risk of an employment relationship between the IT service provider and the client housing the employees.
If a software program which purports to be an early form of A.I. malfunctions, who is liable?
Under the Consumer Code, product liability is based on a strict liability regime and any entity that participates in the chain of development, distribution and/or offer of the product is jointly and severally liable for any product defect or malfunction. Therefore, all the entities of the production chain may be subject to liability. The main causes of action that may trigger liability relates to defects in the products and services, failure to provide clear information to consumers on the risks and limitations of the products and services and misleading advertising. Therefore, liability may be triggered if the customer does not receive all information on how the A.I. works and any possible malfunction/risks associated to the product or, in any case, if the product is deemed, by its nature, defective.
As for the Civil Code regime, which is usually applicable to contracts between corporations, liability is imposed to the entities that caused or contributed to the damage caused; in this scenario, joint liability may only be imposed based on express statutory or contractual provisions. In any event, the Civil Code contemplates the “theory of risk”, imposing strict liability on any service provider that oﬀers services that are deemed to expose people to an unreasonable and unexpected risk.
What key laws exist in terms of obligations as to the maintenance of cyber security?
Organizations processing personal data shall observe the cybersecurity requirements imposed by the LGPD, when effective. The LGPD requires data controllers and processors to adopt technical and organizational measures to protect personal data from unauthorized access and from accidental or unlawful destructions, loss, change, communications, transmission, or any other occurrence resulting from inadequate or illegal data treatment activity. Technical and organizational measures are likely to be defined based in industry-standards. In addition, the LGPD requires data controllers and processor to adopt and implement a privacy by design on new products, services and technologies.
In addition, according to the Consumer Code, companies shall take all reasonable measures to oﬀer safe and free-of-defect products and services. Therefore, if the company does not implement appropriate security measures (normally based in industry-standards) their product or service may be deemed defective and trigger liabilities.
The Internet Act establishes that, in addition to the provisions of the Consumer Code and the LGPD (when applicable), the following security measures shall be implemented by internet application providers:
- strict control over the access to personal data upon the deﬁnition of responsibilities for the personnel who will have access to the data stored;
- authentication mechanisms must be used to allow the access to personal data stored (e.g., two steps veriﬁcation should be used to ensure the identiﬁcation of the individual who has permission to access personal data stored);
- detailed data inventories must be created, containing the access to personal data (date, time and duration of the access, the identity of the employee responsible for the access, as well as the ﬁles that were accessed must be kept); and
- use of IT solutions that ensure the inviolability of data, such as encryption or equivalent protective measures.
What key laws exist in terms of the criminality of hacking/DDOS attacks?
Under the Criminal Code (Law No. 2,848/1940), the act of attacking a computing device, whether connected to the internet or not, by breach of a security mechanism and for the purpose of collecting, altering or destroying data or information or installing vulnerabilities to obtain an illegal beneﬁt is deemed as crime.
What technology development will create the most legal change in your jurisdiction?
The use of encryption and blockchain technologies will probably lead to important changes in the Brazilian legal system. On encryption, several discussions are taking place in the Supreme Court regarding the lawfulness of using strong encryption systems to ensure privacy, in opposition of allowing law enforcement agencies to wiretap private communications systems. As for blockchain, we believe that such technology will probably lead to a material change on how legal documents are treated. By creating a safe environment for identifying individuals/legal entities online and assuring integrity of documents, it will certainly affect and lead to a material change on how the judiciary and other stakeholders deal with documentation in the country.
Which current legal provision/regime creates the greatest impediment to economic development/commerce?
We believe that the Brazilian tax system imposes high complexity for technology companies, notably when different taxing authorities believe that a certain service revenue may be subject to State VAT and Municipal taxes (according to applicable tax laws, it should be either State or Municipal taxable revenues, not both). So companies are forced to litigate and handle onerous proceedings and unsubstantiated tax assessments due to this “tax war” among Brazilian authorities.
Another risk that we envision relates to certain areas of the Government which wishes to regulate (and therefore, tax) OTT just as traditional service provider. Several barriers have to be lifted and a more competitive environment needs to be put in place to allow the development of IoT products and services.
Do you believe your legal system specifically encourages or hinders digital services?
In certain areas, it encourages and in others, not so much. The Internet Act enacted in 2014 brought a very positive legal environment for internet companies, which is positive. Among other provisions, it creates a safe harbor to internet service providers on liability for user-generated content. In addition to the Internet Act, the LGPD will bring clear and specific rules for the processing of personal data by private and public organizations in the country. Another initiative of the Brazilian government is the development of the national plan for the internet of things (IoT), aiming at creating a favorable and safe legal environment for the Industry 4.0.
In terms of protecting IP rights through patents, Brazil still has a huge registration backlog, and a patent may easily take more than 10 years to be granted.
To what extent is your legal system ready to deal with the legal issues associated with artificial intelligence?
To a certain extent, existing laws may apply to AI providers and to seek redress in case of any damage that may be caused by an AI device. The strict liability regime under the Consumer Code and the Civil Code could be applied in such cases. In any event, regulating AI more broadly could be important, given the ramiﬁcations of the AI technology, mainly when the AI products and services start to create actions independently.