Contributed By Azevedo Sette Advogados
The metaverse is the virtual environment in which people, through various technologies (such as augmented or virtual reality, NFTs, crypto-active, blockchain and avatars), seek to reproduce and interact with the real world. Although the metaverse is at a stage of technological development around the world, when it comes to a regulatory framework, there is still a long way to go.
In Brazil, so far, there are no specific laws or regulations for the metaverse, and no legal cases or court decisions have considered the matter thus far. It is possible that in the coming years there will be discussion about the regulation of the relations performed in the metaverse, besides the application of the already existing laws, such as the following.
The metaverse experience will require a series of solutions that aim to deal with some challenges that are already present (and others that will arise), such as:
Although the platform model peaked in the first two years, the metaverse has faced a proportionally huge downturn. Accordingly, there is no expectation that eventual regulation on the subject will occur at a fast pace.
The digital economy in Brazil results in billions of daily online connections among people, companies, devices, data, and processes. Technological evolution has changed the way society interacts and consumes products and services. The speed at which technology reaches business models and industries means that governments and society need to be brought up to date much faster. There is a need for the legislature to move as fast as the digital economy, as companies often need opinions and solutions that are not regulated in Brazil at a given moment.
Brazil has been moving towards adequate regulation of several digital economy services, as illustrated by the examples below.
Although the Brazilian legislature has approved various laws that touch upon digital economy, technology is always evolving and is innovative by nature. In this context, the absence of regulations for specific sectors may be the biggest challenge in relation to digital economy. This absence signifies legal uncertainty for companies and society, difficulty in applying the law, insecurity for investors, and limitation on guidance for clients and internet users, who are not always aware of the legal changes.
Nonetheless, the Brazilian government has taken steps towards promoting digital transformation in the country, through the implementation of the Brazilian Strategy for Digital Transformation (SinDigital). The purpose is to harmonise the federal executive initiatives linked to the digital environment, to harness the potential of digital technologies towards sustainable social and economic development, innovation, increased competitiveness and productivity, among other objectives.
This initiative is composed of the Brazilian Strategy for Digital Transformation (E-Digital), its thematic pillars (split between enabling and digital transformation pillars) and a governance structure. These are set forth by Federal Decree No 9,319/2018, which implements SinDigital and the Brazilian Strategy. SinDigital is co-ordinated by the office of the President’s Chief of Staff.
The digital transformation pillars comprise digital transformation of the economy and of the government. On the other hand, some of the enabling pillars are:
The 2018‒22 initial E-Digital agenda ended up getting expedited with the COVID-19 pandemic, and the government issued a 2022‒26 update after an evaluation process that included public consultations, meetings with experts and other initiatives.
In the above context, it will be important to follow up on the digital transformation expected to take place in Brazil, based on the governmental initiatives, on the legislation updates, and on the private sector inputs and demands.
Although there are not specific laws about cloud services in Brazil, many local laws refer to this matter, including the following.
The Internet Act (Law No 12,956/2014, MCI), further regulated by Decree No 8,771/2016, provides for principles, rights and obligations about the use of the internet in Brazil. It sets forth obligations for internet connection and application providers that are relevant for cloud computing solutions in general. Among the main obligations set out by the MCI regarding cloud are those related to data retention by internet application providers.
The Brazilian General Data Protection Act (Law No 13,709/2018, LGPD), which came into force in 2020, provides for the processing of personal data, irrespective of industry or business – as controllers or processors of personal data, cloud service providers shall comply with the referred law. The LGPD impacts cloud computing and its providers, in particular with regard to the requirements for the processing of personal data and for data transfers.
On this matter of personal data processing, it is important to stress the relevance of data protection in a cloud computing environment, highlighting specific issues in this context:
Law No 8,078/1990 (the Consumer Protection Code, CDC) governs all consumer relationships, including cloud computing products or services.
Brazilian Central Bank’s Resolution No 4,658, replaced in 2021 by Resolution No 4893, establishes requirements for cloud services to financial institutions. This ruling has established important obligations on companies regulated by the Brazilian Central Bank, such as specific rules for internal policies relating to cybersecurity and the cloud environment in general.
The Brazilian Superintendence of Private Insurance (SUSEP) has also published standard cybersecurity rules to be followed by insurance companies and their service providers, which are also applicable to cloud services in general (Circular No 638/2021).
Complementary Norm No 14/IN01/DSIC/GSIPR, established in 2012 and amended in 2018, has the objective of setting guidelines regarding the use of technologies in government agencies. More specifically, it addresses cloud computing and the aspect related to security and data protection. The Norm requires that information classified as secret or top secret cannot be processed on the cloud, for any reason. Also, data and metadata produced by and/or under the responsibility of the agency must be stored in data centres within national territory. In addition, it is important to note that in 2016 the Information Security Cabinet of the President’s Office and the Ministry of Planning, Budget and Management issued a general guideline with best practices, orientations and restrictions to be followed by federal entities when contracting cloud computing services. The document outlines some contractual requirements that should be ensured by the agencies contracting cloud services, and the following is worth mentioning.
Recently, Ordinance No 5,950 SGD/MGI, of 26 October 2023, established a template for contracting software and cloud computing services by Federal Public Administration agencies, which is in line with the recent case law of the Federal Court of Auditors (TCU). The aim of the rule is to standardise and simplify the process of contracting software and cloud computing services, with emphasis on the security, privacy protection, integrity and governance of data held by the agencies and entities of the Information Technology Resources Management System (SISP).
The new ordinance defines specific forms of remuneration, minimum service levels, product verification and acceptance criteria and minimum security criteria. It is important to note that compliance with the aforementioned ordinance will be mandatory for contracts entered into after 30 April 2024. Nonetheless, agencies and entities may apply the standards to contracts entered into before that date. This ordinance does not apply to contracts entered into before 1 November 2023. After these deadlines, agencies will have to justify the adoption of other contracting models, but the contracting will have to be approved by the Digital Government Secretariat (SGD).
The use of AI is currently being discussed in Brazil through joint deliberation of Bill No 3,592/2023, Bill No 2,338/2023 and Bill No 5,691/2019. Bill 3,592/2023 discusses the use of audio-visuals of deceased people aimed at safeguarding their dignity, privacy and rights after death. Bill No 2,338/2023 focuses on the use of AI in general. The Temporary Internal Committee on Artificial Intelligence (CTIA) was formed on August 2023 and had its work duration extended to May 2024.
Bill No 5,691/2019 establishes the “National Policy for Artificial Intelligence”, with the goal of stimulating the formation of a favourable environment for the development of technologies in AI. This bill is the result of a union of other previous bills that discussed the topic:
The National AI Policy establishes as its core principles:
The bill also states that AI should:
Pending the regulation of AI in Brazil, since there are no specific laws about the matter, other legislation may impact the way AI is used and may dictate rules and obligations for the parties involved, such as data privacy rules, internet use, and the Consumer Protection Code, for example.
Decree No 9,854/2019 instituted the National Internet of Things (IoT) Plan, aimed at improving the quality of life, fostering competition, increasing productivity, and integrating Brazil into the international landscape, in addition to other objectives. Health, cities, industries and rural environments are priorities for IoT solutions.
According to this plan, IoT is the infrastructure integrating the provision of value-added services (VAS) with physical or virtual connection capabilities of things with devices based on information and communication technologies or evolutions thereof, with interoperability. Machine-to-machine (M2M) communications systems, in turn, are telecommunications networks, including access devices, for the transmission of data to remote applications aimed to monitor, measure and control the device itself, the environment around it, or data systems connected thereto by means of such networks.
The provision of IoT/M2M solutions is not regulated in Brazil. However, the connectivity required for the transmission of data between the solution’s devices might have an impact on the activity, since telecommunications services are regulated activities, being subject to the provisions of Law No 4,972/1997 (General Telecommunications Law, LGT) and the regulations issued by the National Telecommunications Agency (ANATEL), requiring a licence from ANATEL for their provision.
As per the LGT, VAS refers to activities that involve adding new utilities related to the access, storage, presentation, movement or recovery of information to a telecommunications service supporting it, with which it is not confused. The LGT also stipulates that telecommunications services are activities enabling the offer of transmission, emission or reception of symbols, characters, signs, writings, images, sounds or information by wire, radio-electricity, optical means or any other kind of electromagnetic process.
Therefore, two situations should be considered.
Furthermore, connected devices are deemed communications products using a radio-electric spectrum for information propagation. As such, they should comply with technical requirements issued by ANATEL, and be certified and homologated by the same agency.
Prior licensing with ANATEL is also required for radiocommunication transmission stations to operate; however, Law No 14,108/2020 exempted stations integrating M2M communications systems from such prior licensing, and exempted said systems from the payment of certain fees until December 2025.
Importantly, although the implementation and development of IoT in Brazil is based on free competition and circulation of data, there must be compliance with information security and personal data protection guidelines. In this regard, several laws and regulations may apply, including:
In addition, reliable and stable networks are fundamental for the IoT. In this regard, 5G technology, which began being implemented in Brazil in 2022, is boosting the IoT market, as expected, fostering innovation and impacting local economy and society. Importantly, the minimum security requirements for 5G networks set by the Office of Institutional Security of the Republic Presidency’s Normative Instruction 4/2020 are to be complied with.
Audio-visual and media (broadcasting) services are regulated, maintained and exploited by the Federal Union. However, the Brazilian Telecom Code (BTC) allows individuals to execute broadcasting services through the due concessions, authorisations or permissions to be granted for renewable and successive terms of ten (radio broadcasting) or 15 years (television broadcasting).
The process begins with the publication of a notice; the interested parties present proposals that will be sent to the President of the Republic after the analysis by the competent body and issuing of an opinion. A prior licence is required for broadcasting stations, which must be required after registration of the concession contract by the Public Finance Court. If the station is approved, the private licence is to be issued within 60 days.
The authorisation/permission is subject to the following requirements:
The fees to be paid are fixed, taking into account the total costs of the services, the amortisation of the invested capital and the formation of necessary funds for the conservation, replacement and modernisation of the equipment, and extensions of the services.
Application providers, such as platforms on which user-generated content (such as videos and photos) is posted, are regulated by specific law regulating the use of the internet in Brazil, so the above-mentioned requirements do not apply to application providers.
According to the LGT and complementary rules (eg, those issued by ANATEL), telecommunications services might be:
The following are the main communications technologies currently regulated.
Brazilian and foreign satellites might be used by community-interest services providers to transport telecommunications signals, but this is not intrinsically a telecommunications service.
Provision of FSTS under the public system depends on a concession granted in a bid and the execution of the concession agreement. Law No 13,879/2019 stipulates that concessionaires might request ANATEL to adjust the concession into an authorisation, if certain requirements are met by the interested party.
Exploitation of telecommunications services in the private regime depends on ANATEL’s prior authorisation. However, the following exceptions exist.
For an authorisation to be granted, the provider should:
The interested party requires the applicable authorisation through ANATEL’s information system, providing certain information and documents according to ANATEL Resolution 720/2020. Prior notification to ANATEL regarding the services that will be provided is mandatory. The authorisation’s amount due is BRL400 for community-interest services and BRL20 for restricted-interest services. Nevertheless, when the provision of community-interest services can be impacted by many competitors, a bid might be required for the issue of authorisations.
Additionally, the provider should comply with all specific conditions established by regulations applicable to the relevant telecommunications service, which requires a deep analysis.
Services and solutions adding utilities to and not confused with the telecommunications services supporting them (eg, instant messaging ‒ communication between computers connected to the internet with no connection to telephony networks) are deemed VAS and are not subject to telecommunications rules.
However, if they also encompass the provision of telecommunications services, ANATEL’s authorisation is required and telecommunications regulations apply. Computers’ communication using voice-over-IP (VoIP) to connect with fixed/mobile phones, and VoIP services simultaneously originating and terminating the communication with public telephony networks are examples of this.
Moreover, communications products using radio-electric spectrum for the propagation of information should comply with the applicable technical requirements, in addition to being certified and homologated by ANATEL.
As the law and case law in Brazil have not yet addressed the matter in depth, technology agreements must be regulated in detail. The main challenges of these agreements in Brazil are probably related to IP rights, service levels, liability, and data privacy. The continuous development of technologies is essential and agreements shall clearly regulate the ownership of existing intellectual property, and future intellectual property developed during the commercial relationship between the parties involved.
Regarding software licence agreements, as software is often provided as a service in Brazil, service level agreements (SLAs) are heavily discussed. In this regard, although there is not specific regulation about SLAs (so this is mostly a commercial matter), general laws and customs provide minimum requirements in terms of uptime, back-ups, disaster recovery, and business continuity.
Liability is always also a significant issue. Although the Software Law (Law No 9,609/98) expressly says that clauses that “exempt any of the contracting parties from any third-party actions arising from misuse, flaws, or violation of copyrights” are null and void (Article 10), limitation of liability is allowed, and case law varies a lot with regard to the possible caps to indemnifications regarding technology contracts.
Data privacy matters are also deeply discussed. Personal data (including sensitive data) is usually stored by IT systems and regulated by IT agreements. Controllers and processors of data (as defined in the LGPD) shall comply with local regulation, subject to legal penalties. In addition, such agreements constantly involve the international transfer of personal data, a subject that is pending regulation by the Regulatory Authority, mainly regarding the approval of binding corporate rules and the issuance of standard contractual clauses, among other mechanisms provided for in the LGPD.
Finally, note that, as a rule, technology transfer agreements, which include IP licences, know-how licences and software licences (if the software source code is transferred) shall be registered with the Brazilian National Institute of Industrial Property (INPI) for the following purposes:
Nonetheless, Law No 14,286/2021, which entered into force on 31 December 2022 and regulates the Brazilian exchange market, actually amends Law No 8,383/91 and, as a result, these so-called technology transfer agreements will not need to be registered in order to allow royalty payments abroad.
Brazil has had an advanced digital signature structure since the year of 2001, when it established the Provisional Measure No 2,200-2 (MP 2,200-2), regulating the use of electronic signatures in Brazil and creating the Brazilian Public Keys Infrastructure (ICP-Brasil). The ICP-Brasil is composed of a managing authority and a chain of certifying bodies, which are entities accredited to issue digital certificates.
Through this methodology, each digital certificate belongs to a person and has a pair of encrypted keys, which must be in their exclusive control, use and knowledge. The rules established by the ICP-Brasil management authority determine that when a document is encrypted with the public key, it can only be decrypted with the corresponding private key, which means that the digital signature associates an entity/person with a pair of encrypted keys, through asymmetric encryption.
According to MP 2,200-2, electronic documents are considered public or private for all legal purposes, and the content of documents electronically produced with the certification of ICP-Brasil are considered authentic regarding the signatories thereof. In addition, it is important to highlight the difference between digital and electronic signatures. Digital signatures use ICP-Brasil infrastructure through a digital certificate issued by the ICP-Brasil. On the other hand, the electronic signature does not use a digital certificate issued by ICP-Brasil. Although the legal presumption of authenticity and integrity is applicable only to documents signed within the ICP-Brasil framework, the MP 2,200-2 states that it does not prohibit the use of other means intended to prove the authorship of documents in electronic format, including those using certificates not issued by the ICP-Brasil, provided that such use is accepted in advance by the parties.
Therefore, agreements and documents in general can be signed with digital or electronic signatures. However, certain government authorities and boards of trade only accept documents signed electronically or using certified digital certified signatures issued by ICP-Brasil, provided that the signatures are provided through platforms that certify their validity via QR Code, hash or validation code. In this regard, Law No 14,063/2020 has emerged with the objective of expanding access to digital public services by reducing the bureaucracy of electronic signatures in documents. This Law amends MP 2,200-2 and provides for the use of electronic signatures in interactions with public entities, acts of legal entities, and in health issues, as well as on software licences developed by public entities.
The term “Digital Identity” has no standard definition in Brazil; however, it can be defined as the way in which an individual is represented and documented online. There are several distinct identifiers that can represent a digital identity, such as:
11th floor, International Plaza II Building
1327, Presidente Juscelino Kubitschek Avenue
04543-011
São Paulo/SP
Brazil
+55 11 4083 7600
+55 11 4083 7600
barretto@azevedosette.com.br www.azevedosette.com.br/