TMT 2025 Comparisons

The digital economy in Brazil is characterised by billions of daily online connections among people, companies, devices, pieces of data and processes. Technological evolutions have changed the way society interacts and consumes products and services. The speed at which technology impacts business models and industries means that governments and society need to be brought up to date much faster. There is a need for the legislature to move as quickly as the digital economy, as companies often need opinions and solutions that are not regulated in Brazil.

Brazil has been moving towards adequate regulation of several digital economy services, as illustrated by the following examples.

• Artificial intelligence (AI): Bill No 21/2020 proposes regulating the development and use of AI in Brazil. In addition, Bill No 2,338/2023 provides for the use of AI, considering the development, promotion and ethical and responsible use of AI, with humans assuming the central role. This latter bill has recently been approved by the Senate and is now being analysed by the House of Representatives.
• Telemedicine: Law 8,080/1990 was modified during the COVID-19 pandemic by Law 14,510/2022, which covers telemedicine services. In view of the efficiency of this modality, in May 2022, Brazilian Federal Council of Medicine (Conselho Federal de Medicina; CFM) Resolution No 2,314/2022 was published to regulate telemedicine.
• Start-ups: Complementary Law No 182/2021, also known as the Legal Framework for Start-ups, is aimed at improving innovative entrepreneurship in Brazil and leveraging the modernisation of the business environment.
• Transportation apps: Law No 13,640/2018 regulates the operation of paid private individual passenger transportation in Brazil.
• Data protection ‒ The General Data Protection Act (Lei Geral de Proteção de Dados or LGPD; Law No 13,709/2018) establishes that the processed data of individuals must be used in compliance with the law.
• Financial technology: Fintechs became regulated in 2018 through Brazilian Central Bank (BCB) Resolution No 4,656/2018. This resolution was revoked, but fintechs remain regulated by other resolutions and BCB regulations, such as National Monetary Council (Conselho Monetário Nacional; CMN) Resolution No 5,050/2022.
• Internet: The Brazilian Internet Act (Law No 12,965/2014) regulates the use of the internet in Brazil, providing principles, guarantees, rights and duties for those who use the internet, as well as guidelines for state action.
• E-commerce: Decree No 7,962/2013, known as the “E-commerce Law”, regulates the Consumer Protection Code in relation to e-commerce; this law contains specific provisions about transactions conducted between an online store and consumers.
• Electronic signatures: Provisional Measure No 2,200-2/2001 regulates the use of electronic signatures in Brazil, establishing the Brazilian Public Key Infrastructure (Infraestrutura de Chaves Públicas Brasileira; ICP-Brazil), and Law No 14,603/2020 classifies signatures into simple electronic signature, advanced electronic signature and qualified electronic signature categories.
• Software: Law No 9,609/1998 regulates software protection and commercialisation, and stipulates rights and duties regarding its use.
• Metaverse: Bill No 2,175/2023 proposes a metaverse regulatory framework.
• Sports bets: The recently enacted Law No 14,790/2023 regulates online betting on sports events, with several government control provisions.

Although the Brazilian legislature has approved various laws that touch upon the digital economy, technology is always evolving and is innovative by nature. In this context, the absence of regulations for specific sectors may be the biggest challenge in relation to the digital economy. This absence leads to legal uncertainty for companies and society, difficulty in applying the law, insecurity for investors and limited guidance for clients and internet users, who are not always aware of legal changes.

Nonetheless, the Brazilian government has taken steps towards promoting digital transformation in the country through the implementation of the Brazilian Strategy for Digital Transformation (E-Digital). E-Digital is a strategic framework comprising recommendations designed to steer the initiatives of the federal executive branch towards digital transformation. Its goals include enhancing access to public services; promoting citizens’ rights; strengthening social participation and democracy; and ensuring socioeconomic development through innovation, increased competitiveness, productive and technological autonomy, and improved employment and income levels.

In this context, the SinDigital system was recently revoked, followed by the implementation of the Interministerial Committee for Digital Transformation (CITDigital) by Decree No 12,308/2024. The purpose of CITDigital is to assist the President of Brazil in the drafting, implementation and following-up of public policies aimed at digital transformation.

In the context of the foregoing, it will be important to follow up on the digital transformation expected to take place in Brazil based on governmental initiatives, legislation updates and private sector inputs and demands.

Brazil’s tax system is known for its complexity, mainly arising from the mixing of federal, state and municipal taxes. This complexity extends to the taxation of digital services and goods, which has been a growing area of focus due to the rapid digitalisation of the economy. Digital services and goods are taxed through a combination of indirect taxes, including the ISS (Imposto Sobre Serviços), ICMS (Imposto Sobre Circulação de Mercadorias e Serviços), PIS (Programa de Integração Social), and COFINS (Contribuição para o Financiamento da Seguridade Social) taxes.

ISS

ISS is a municipal tax levied on the provision of services. For digital services, the ISS framework was expanded to include streaming services, software as a service (SaaS) and cloud computing. Rates may vary from 2% up to 5% depending on the municipality where the service provider is located.

ICMS

The ICMS is a state-level tax applied to goods and some services (like telecoms and transportation). In recent years, Brazilian states have interpreted the applicability of ICMS in various ways, leading to disputes over whether certain digital transactions are classified as goods or services. However, the Federal Supreme Court (Supremo Tribunal Federal; STF) established in 2021 that the licensing or right to use software is subject to ISS taxation, which was an important step towards legal security in the technology market.

PIS and COFINS

PIS and COFINS are federal social contributions levied on gross revenues. Digital goods and services are subject to PIS and COFINS at rates of 0.65% and 3%, respectively, if the service provider is under the cumulative system. If the service provider is under the non-cumulative system, the rates of PIS and COFINS are 1.65% and 7.6%, respectively, and the company is entitled to tax credits on some expenses provided by legislation. Special rules apply depending on whether the software is developed in Brazil or not.

Special Considerations for International Providers

Non-resident companies providing digital services to Brazilian consumers face additional tax requirements. A withholding tax (WHT) is imposed on cross-border transactions involving royalties or technical services at a rate of 15%. In cases involving a double tax treaty (DTT), the WHT rate may change. Additionally, CIDE (Contribuição de Intervenção no Domínio Econômico) may apply to certain technology-related payments at a rate of 10%.

Challenges Faced by Brazilian Companies in Managing Tax Compliance

The main challenge in managing tax compliance in recent years was the classification of digital products and services, which was resolved to some extent by an STF decision according to which the licensing or right to use software is subject to ISS taxation.

Another significant challenge is the lack of uniformity in tax regulations. Tax rules vary widely among jurisdictions, resulting in considerable discrepancies in the application of rates and rules. Previously, the digital provision of services was understood to be subject to either ICMS or ISS, depending on the interpretation of the respective tax authority. This issue is further compounded by Brazil’s administrative structure, which comprises 27 states and over 5,000 municipalities. This fragmented framework has created a highly complex environment for managing tax compliance, demanding significant resources and expertise from businesses to ensure adherence to diverse local regulations.

Frequent changes in tax laws, the high cost of compliance and aggressive tax enforcement have contributed to a highly complex tax system for many years. However, the landscape has started to shift following the STF decision, which clarified certain aspects of digital taxation. Looking ahead, the ongoing tax reform may bring significant changes, potentially simplifying compliance and addressing long-standing issues within the system.

It is important to bear in mind that tax disputes in Brazil are common, with companies often resorting to litigation to settle issues. The judicial system is slow, and tax cases can take years to resolve, leading to prolonged uncertainty. Additionally, it is important to mention that the Brazilian Congress passed a major tax reform in the end of 2024, which shall start being progressively implemented from January 2026. The transition period is expected to last a few years until the new rules are all in force.

Digital advertising, previously defined as the “provision, without definitive transfer, of audio, video, image, and text content via the internet”, is subject to a mix of federal and municipal taxes in Brazil. Companies operating in this sector must manage several critical tax obligations, including:

• ISS – the tax rate ranges from 2% to 5%, depending on the legislation of the municipality where the service provider is located;
• PIS and COFINS – (i) for non-cumulative taxpayers, rates are 1.65% and 7.6%, respectively, with the possibility of tax credits on specific expenses; and (ii) for cumulative taxpayers, the rates are reduced to 0.65% and 3%, respectively, but tax credits are not permitted;
• cross-border digital advertising services – payments for services rendered by foreign providers to Brazilian customers are subject to (i) withholding income tax (WHT) at a rate of 15%, which may be reduced or exempted under a DTT; and (ii) tax on financial transactions (impuesto sobre operaciones financieras; IOF), levied at a rate of 0.38% on foreign exchange (FX) transactions.

To navigate Brazil’s intricate tax regulations for digital advertising, companies should adopt the following best practices:

• understand the applicable local tax rules;
• maintain precise and organised financial and fiscal records;
• seek advice from experienced tax professionals;
• invest in compliance technologies for rational tax management; and
• stay informed about legislative updates that may impact tax obligations.

In Brazil, digital products and services in the TMT sector are mainly regulated by the Consumer Defense Code (CDC), which applies to the consumer relationship, covering both physical and digital products and establishing fundamental rights for consumers, such as the right to clear information, safety, quality and compensation for damages.

As for commercial transactions involving digital goods and services, Decree No 7,962/2013 regulates e-commerce, requiring that information about products and services be clear, that customer service be easily available and establishing that the consumer has the “right to regret” (which is a legal guarantee that allows the consumer to withdraw from a purchase or service without justification within seven days). This right applies to off-premises purchases, such as those made online.

With the advance of digitalisation, complementary laws have also been introduced to protect consumers in the digital environment. The Civil Rights Framework for the Internet (Marco Civil da Internet; MCI) defines principles, rights and duties for internet use in Brazil. It protects net neutrality and user privacy and ensures access to quality services, establishing that online service providers are responsible for guaranteeing consumer security and privacy.

In addition, the LGPD regulates the processing of consumers’ personal data and guarantees transparency of the practices of companies in the digital sector. The LGPD requires clear consent for the collection and use of data, allowing consumers to access, correct or request the deletion of their information.

For companies to ensure that consumer rights are respected in the digital economy, it is essential that they adopt clear transparency policies and invest in efficient and accessible communication channels. Companies must provide detailed information about products and services, respect the right to regret purchases and guarantee the security of online transactions. Compliance with the LGPD, to protect consumers’ personal data, is also crucial to strengthening trust and avoiding sanctions.

The resolution of consumer complaints in the digital economy is guided by various legal frameworks. In addition to the CDC, which establishes procedures for resolving conflicts and repairing damages, consumers can turn to consumer rights protection bodies, such as Procon, and to extrajudicial resolution platforms such as Consumidor.gov.br. The latter allows consumers to register complaints directly with companies, promoting the rapid resolution of disputes. This is without prejudice, of course, to the possibility of consumers taking legal action, as it is common for these cases to be dealt with by courts of small claims.

To effectively deal with consumer disputes, TMT companies must adopt best practices, such as creating agile service channels, training support teams and investing in technology to monitor and respond promptly to complaints. Mediation and conciliation are also valuable alternatives for avoiding lawsuits and maintaining customer satisfaction.

In Brazil, there has been an evolution from scepticism to belief regarding cryptocurrency. This is demonstrated, for example, by the enactment of laws, the actions of regulators like the BCB and the Brazilian Securities and Exchange Commission (Comissão de Valores Mobiliários; CVM) and a number of bills under discussion in Congress.

Cryptocurrencies are regulated mainly by Law No 14,478/2022 and by Decree No 11,563/2023, which attributed to the BCB competencies regarding virtual assets. It is expected that the BCB will be responsible for regulating the crypto market and for granting licences to financial institutions operating virtual currencies.

The Federal Revenues Service (Receita Federal do Brasil; RFB) has enacted Normative Instruction (Instrucción Normativa; IN) No 1,888/2019, ruling on the taxation of cryptocurrency transactions. The RFB has also recently closed a public consultation on the NI that will establish “DeCripto”, a crypto-assets statement.

The Brazilian Criminal Code, Law No 7,492/1986 and Law 9,613/1998 have been modified by Law No 14,478/2022, which covers the crime of fraud involving virtual assets and adds to the scope of the crime of money laundering by including the providers of virtual asset services. The AML legislation currently in place also applies to such transactions, even though it does not specifically address the matter.

The BCB has issued some resolutions addressing blockchain. The BCB and CVM have been applying regulatory sandboxes to projects involving blockchain technology, cryptocurrency, etc. The BCB has recently started a public consultation regarding a proposal for the regulation and authorisation of virtual asset services, which will be ongoing until at least February 2025.

The Brazilian Association of Cryptoeconomics (ABCripto) launched a good practices manual in 2020, aimed at preventing money laundering and the financing of terrorism, specifically for Brazilian exchanges. ABCripto also introduced a Self-Regulation Code for companies engaged in the custody, intermediation and brokerage of crypto assets.

Although no robust regulatory framework for cryptocurrency is currently in place, it is expected that such a framework will be developed in the near future. A major challenge is to adapt existing technologies to regulatory standards that will be in place after design and other parameters have been decided upon. Another relevant issue to be addressed is fraud and security breaches. The use of technologies in regulatory sandboxes, along with public consultations and discussions, allows the exchange of experience between the TMT industry, civil society and the government, which will lead to the development of more precise, useful and feasible rules for the cryptocurrency sector.

Although Brazil does not have specific legislation dedicated solely to cloud services, various local laws address this issue.

The MCI outlines principles, rights and duties pertaining to the use of the internet in Brazil, establishing obligations for internet connection and application providers that are pertinent to cloud computing solutions. A significant aspect of the MCI is the requirements related to data retention imposed on internet application providers.

The LGPD regulates the handling of personal data across all sectors. Cloud service providers, whether acting as controllers or processors of personal data, must adhere to this Act. The LGPD particularly influences cloud computing and its providers by establishing criteria for personal data processing and data transfers.

Regarding personal data processing, there are several key points in the cloud computing context:

• the physical location of personal data is crucial for determining the applicable national law;
• multiple stakeholders typically collaborate throughout the value chain in cloud computing, which raises complex issues regarding personal data processing requirements, including data security concerns that may escalate with the addition of new service providers; and
• cloud computing often involves significant personal data transfers across borders, necessitating that both data controllers and processors ensure compliance with relevant data protection regulations.

The CDC applies to consumer transactions, including those involving cloud computing products or services.

Banking

Resolution No 4893/2021 of the BCB establishes requirements for cloud services used by financial institutions. It imposes critical obligations on entities regulated by the BCB, including specific cybersecurity policies related to cloud environments.

Insurance

The Brazilian Superintendence of Private Insurance (Superintendência de Seguros Privados; SUSEP) has also issued standard cybersecurity guidelines applicable to insurance companies and their service providers, extending to general cloud services (Circular No 638/2021).

Government Entities

For over a decade, the Institutional Security Cabinet of the President’s Office has been issuing Complementary Norms (Normas Complementarias; NC) to regulate the use of technology within government agencies. The latest version (NC No 05/IN01/DSIC/GSIPR), addressing cloud computing security and data protection, prohibits the processing of classified information on the cloud and mandates that agency-related data be stored in data centres located within national borders. The Institutional Security Cabinet of the President’s Office has issued various educational materials since 2016, outlining best practices for federal entities when engaging with cloud services. Key contractual requirements include:

• ensuring that agency data remains within Brazilian territory, including backups and replications;
• using Brazilian jurisdiction to resolve legal disputes arising from contracts with cloud service providers;
• guaranteeing the portability of data and applications, ensuring timely access without additional costs to promote business continuity; and
• ensuring contractual confidentiality regarding information held by providers and prohibiting unauthorised third-party access.

Finally, Digital Government Secretariat/Ministry of Management and Innovation in Public Services (Secretaría de Gobierno Digital Secretaría de Gobierno Digital/Ministério da Gestão e da Inovação em Serviços Públicos; SGD/MGI) Ordinance No 5,950 of 2023 established a template for federal public administration agencies to use when contracting software and cloud computing services. This ordinance is aimed at standardising and streamlining the procurement process while emphasising the security, privacy, integrity and governance of agency-held data. It specifies various aspects such as remuneration structures, minimum service levels, product verification standards, acceptance criteria and security requirements. Compliance with this ordinance has been mandatory for contracts signed as of 30 April 2024. However, agencies may apply the standards to previous contracts as well. Contracts entered into before 1 November 2023 are exempt from this ordinance. Agencies must justify any deviations from the prescribed contracting models, submitting them for approval by the SGD.

The use of AI is currently being discussed in Brazil through the deliberation of Bill No 3,592/2023, Bill No 2,338/2023 and Bill No 5,691/2019. Bill 3,592/2023 discusses the use of audiovisual representations of deceased people aimed at safeguarding their dignity, privacy and rights after death. Bill No 2,338/2023 focuses on the use of AI in general. Bill No 5,691/2019 establishes the National Policy for Artificial Intelligence, with the goal of stimulating the formation of a favourable environment for the development of AI technologies. This bill is the result of the unification of other previous bills.

The National AI Policy establishes, as its core principles:

• inclusive and sustainable development;
• respect for ethics, human rights, democratic values and diversity;
• protection of privacy and personal data; and
• transparency, security and reliability.

The bill also states that AI should:

• respect people’s autonomy;
• preserve people’s intimacy and privacy;
• preserve the bonds of solidarity between people of different generations;
• be intelligible, justifiable and accessible;
• be open to democratic scrutiny and allow for debate and control by the population;
• be compatible with maintaining social and cultural diversity and not restrict personal lifestyle choices;
• contain safety and security tools that allow human intervention where necessary;
• provide traceable decisions without discrimination, prejudice or bias; and
• follow governance standards that ensure ongoing management and mitigation of potential technological risks.

The bill developing most rapidly is Bill No 2,338/2023, focusing on the responsible use of AI, the protection of fundamental rights and the safety of AI systems. Some view this bill as being excessively focused on risks, but this reflects concern regarding the protection of fundamental rights, risk assessment and the liability of developers and operators of AI systems. As for deepfake technologies, they would fall under the definition of synthetic content modified or generated by AI systems. For now, the protection of a person’s likeness, moral rights or equivalent rights is supported by the laws that are currently in place, like the Criminal Code, the Civil Code, the LGPD, etc.

Since there is no AI regulation in force, high-risk applications like autonomous vehicles are not yet regulated. The use of drones is regulated by the National Civil Aviation Agency (Agência Nacional de Aviação Civil; ANAC), complemented by the National Telecommunications Agency (Agência Nacional de Telecomunicações; ANATEL) and the Department of Airspace Control (Departamento de Controle do Espaço Aéreo; DECEA). Autonomous operation of drones is not currently permitted, and regulations will likely eventually apply to the use of AI in commercial and delivery drones.

Pending the regulation of AI in Brazil, and since there are no specific laws at present, other legislation, such as the Consumer Protection Code, may impact the way AI is used and dictate the rules and obligations for the parties involved, for example in relation to data privacy and internet use.

Decree No 9,854/2019 instituted the National Internet of Things (IoT) Plan to improve quality of life, foster competition, increase productivity and integrate Brazil into the international landscape, among other objectives. Health, cities, industries and rural environments are priorities for IoT solutions.

According to the National Internet of Things (IoT) Plan, the IoT serves as infrastructure for the provision of value-added services (VAS) through virtually connected devices based on evolving information and communication technologies with interoperability, whereas machine-to-machine (M2M) communications systems are telecommunications networks, including access devices, for the transmission of data to remote applications with the aim of monitoring, measuring and controlling devices, the surrounding environment or networked data systems.

The provision of IoT/M2M solutions is not regulated in Brazil. However, the connectivity required for the transmission of data between devices is relevant, since telecommunications services are regulated in Brazil – ie, are subject to the provisions of Law No 4,972/1997 (the “General Telecommunications Law”; LGT) and regulations issued by ANATEL. A licence from ANATEL is also required for the provision of such services.

As per the LGT, VAS refers to the addition of new supportive utilities – related to the access, storage, presentation, movement or recovery of information – to a telecommunications service, while telecommunications services can be used to transmit and receive symbols, characters, signs, writings, images, sounds or information by wire, radio-electricity or optical means, or by any other kind of electromagnetic process.

If an IoT/M2M solution involves connectivity via a third-party telecommunications provider holding the applicable licence, the IoT/M2M provider is deemed to be the user of a telecommunications service supporting the application, and as such is not subject to the telecommunications regulatory rules or to ANATEL’s control. In this case, the ISS tax is due, the rate of which varies according to the municipality.

If an IoT/M2M solution is both a VAS (related to the IoT/M2M application) and a telecommunications service (related to device connectivity), the solution provider is subject to telecommunications regulatory rules and ANATEL’s control, and it should hold the relevant authorisation; in this scenario, the state tax on the circulation of goods and services (Imposto Sobre Circulação de Mercadorias e Prestação de Serviços; ICMS) is due at a higher rate than the ISS tax.

Connected devices are deemed communications products using the radio-electric spectrum for information propagation and, as such, they should be in compliance with technical requirements issued by ANATEL and be certified and homologated by the same agency.

Prior licensing with ANATEL is also required for radiocommunication transmission station operation; however, Law No 14,108/2020 exempted stations integrating M2M communications systems from such prior licensing, and from the payment of certain fees until December 2025.

Although the implementation and development of the IoT in Brazil is based on free competition and circulation of data, there must be compliance with information security and personal data protection guidelines, and several laws and regulations may apply, including:

• the Federal Constitution, which provides that privacy, private life, honour, the “image of people” and the confidentiality of data are inviolable (except in cases of court orders related to criminal investigations or discoveries);
• Law No 9,296/1996, which provides that the interception of information technology, telematics, telephone communications, etc is a crime;
• Law No 12,737/2012, which provides for cybercrimes and classifies the disclosure of proprietary information as a crime;
• Law No 12,965/2014 (Brazilian Internet Act), which sets principles and rules for ensuring data privacy and protection in relation to the internet;
• Decree No 8,771/2016, which sets security standards for the custody, storage, and processing of personal data and private communications by providers of connections/applications;
• The LGPD, which regulates personal data protection and processing, among other provisions;
• ANATEL’s Resolution 740/2020 (the “Regulation of Cybersecurity Applied to the Telecommunications Sector”), which establishes conduct and procedures to promote security in telecommunications networks and services and protect critical structures; and
• ANATEL’s Act 77/2021, which provides cybersecurity requirements for telecommunications equipment.

In addition, reliable and stable networks are fundamental for the IoT. In particular, 5G technology, implemented in Brazil in 2022, boosted the IoT market, fostered innovation and impacted the local economy and society. Importantly, the minimum security requirements for 5G networks set by the Office of Institutional Security of the Presidency of the Republic (NI 4/2020) are to be complied with.

Although the free circulation of data is inherent to the IoT market, compliance with enforceable legal provisions is required and, for this purpose, deep analysis is necessary. In general terms:

• information security is of paramount importance – protection of transmitted and stored data shall be ensured regardless of the number of connected devices, avoiding unauthorised access and cyberattacks;

• the collection and processing of personal data by IoT solutions shall be in accordance with the legislation on personal data protection;

• companies shall comply with specific laws and rules applicable to the sector in which IoT solutions are implemented, ensuring regulatory compliance;
• providers shall take measures to mitigate the risk of hacker attacks, data theft, service interruptions and other negative impacts; and
• providers shall identify, assess and manage risks that might affect IoT solutions, which is important to help ensure continuity of business.

Proper policies, controls and processes should form part of companies’ corporate governance, fostering transparency and corporate responsibility.

Even though the huge amounts of data that IoT devices collect, process and share are necessary for achieving solutions and intended results, whenever there is any sharing of personal data, IoT companies become subject to the provisions of the LGDP.

The LGDP stipulates that the processing of personal data may only occur in certain circumstances, such as when the data subject has provided express consent for personal data collection and processing; to enable the personal data controller to comply with legal or regulatory duties; or to protect the life or physical integrity of the data subject.

The processing of sensitive personal data (ie, data related to racial or ethnic origin; religious convictions; political opinions, union membership or participation in a religious, philosophical or political organisation; health or sex life; or genetic or biometric data) or data in the categories of “children“ and “teenagers” is subject to further specific requirements. It is important to note that additional requirements may apply in certain sectors. Therefore, deep analysis on a case-by-case basis is advisable.

Audiovisual and media (broadcasting) services are regulated in Brazil, being maintained and exploited by the Federal Union. Individuals holding the due concessions, authorisations or permissions – which are renewable and granted for successive ten-year (for radio broadcasting) or 15-year (for television broadcasting) periods, are allowed by the Brazilian Telecom Code (BTC) to provide broadcasting services.

The process begins with the publication of a notice, after which the interested parties submit their proposals; these are in turn sent to the President of the Republic after being analysed by the competent body, which issues an opinion.

A prior licence is required for broadcasting stations, and the related applications are submitted following the registration of the concession contract by the Public Finance Court. In case the stations are approved, licences are issued within 60 days.

The following requirements are to be met to obtain authorisation/permission:

• 70% or more of the broadcasters’ total and voting capital must be directly or indirectly held by native Brazilians or individuals naturalised as Brazilians for more than ten years, a fact that shall be duly proved on a yearly basis – these individuals mandatorily carry out administration activities and set the programming content;
• one individual may not participate in the administration or management of more than one concessionaire, licensee or authorised entity of the same kind of broadcasting service in the same location;
• any contractual amendments shall be submitted to the executive branch within 60 days;
• the transfer of concessions, authorisations or permissions to third parties shall be approved a priori by the competent body;
• broadcasters’ information, entertainment, advertising and publicity services are subordinate to educational and cultural services inherent to broadcasting, in the best interests of the country;
• except for weekends, holidays and other specific occasions, radio stations must rebroadcast A Voz do Brasil, the official information programme of the Brazilian Republic;

• at least 5% of the air time of broadcasting (including television) organisations shall be allocated to news services; and

• executives or partners cannot have violated ineligibility criteria provided for in specific laws.

The fees to be paid are fixed, taking into account the total costs of services, the amortisation of the capital invested and the formation of the funds necessary for the conservation, replacement and modernisation of equipment, and for the extension of services.

The foregoing requirements are not applicable to providers of applications on which user-generated content (eg, videos, photos) is posted, where these platforms are regulated by a specific law on the use of the internet in Brazil.

According to the LGT and complementary rules (eg, ANATEL’s resolutions), telecommunications services may be:

• provided under the public regime (subject to stricter legal/administrative conditions) or the private regime (less regulated); and
• of community interest (provided to any party interested in their enjoyment, under non-discriminatory conditions) or restricted interest (intended for the executor’s own use or provided to groups of users selected by the provider, being the interconnection to other prohibited networks).

The main communications technologies currently regulated are as follows.

• Fixed-switched telephone service (FSTS): transmits voice and other signals between fixed points, using telephony, for communication purposes. FSTS is the only service rendered under the public regime (based on concessions – subject to greater state control), but it can also be provided under the private regime (based on authorisations).
• Personal mobile service: enables communication between mobile stations, and between mobile and other stations.
• Multimedia communication service: enables the transmission, emission and receipt of multimedia information (ie, audio, video, data, voice and other sound signals, images, text and other information), and the provision of an internet connection to subscribers. Importantly, the transmission, emission or receipt of conditioned access services is not allowed.
• Conditioned access service: distributes audiovisual content by means of any technology, process, electronic media or communication protocol, with access based on paid subscription.
• Private limited service: a restricted-interest service encompassing the communication of data, video/audio signals, voice signals and text, the capture/transmission of scientific data (eg, meteorology data), etc.

Brazilian and foreign satellites might be used by community interest service providers to propagate telecommunications signals, but this is not intrinsically a telecommunications service.

The provision of an FSTS under the public system depends on a concession being granted and executed. After the enactment of Law No 13,879/2019, concessionaires were allowed to request from ANATEL that the concession be upgraded to an authorisation, which requires certain requirements to be met.

Exploitation of telecommunications services in the private regime depends on ANATEL’s prior authorisation, but there are some exceptions:

• telecommunications activities carried out within the movable/immovable property category (except if involving the use of radio frequencies by means of radiocommunication equipment not categorised as “restricted radiation equipment”) do not require an authorisation; and
• authorisation for the exploitation of services is waived if the support telecommunications networks use specific means and/or restricted radiation radiocommunication equipment, provided that no numbering resources are employed and, in case of community interest services, there are fewer than 5,000 users – however, the provider should inform ANATEL prior to the start of any activities.

For an authorisation to be granted, the provider should:

• be organised in accordance with Brazilian laws, with its principal place of business and administration being in Brazil;
• be able to contract with public authorities;
• have the technical qualifications required to provide the service, good economic/financial standing and tax regularity;
• be in good standing with the social security administration; and
• not already be responsible for providing the same kind of service in the same location.

An interested party must apply for authorisation through ANATEL’s information system, providing certain information and documents according to ANATEL Resolution No 720/2020. Prior notification to ANATEL regarding the services that will be provided is mandatory. The authorisation fee is BRL400 for community interest services and BRL20 for restricted-interest services. However, when the provision of community interest services can be impacted by many competitors, a bid might be required for the issuance of authorisations.

Additionally, the provider should comply with all specific conditions established by regulations applicable to the relevant telecommunications service, which requires a deep analysis.

Services and solutions adding utilities to telecommunications services (eg, instant messaging ‒ communication between computers connected to the internet with no connection to telephony networks) are deemed VAS and are not subject to telecommunications rules. However, if they amount to the provision of telecommunications services, ANATEL authorisation is required, and telecommunications regulations apply. Computer communication using voice-over-IP (VoIP) to connect with fixed/mobile phones, and VoIP services simultaneously originating and terminating communication with public telephony networks, are examples of this latter scenario.

Moreover, communications products using the radio-electric spectrum for the propagation of information should comply with the applicable technical requirements, in addition to being certified and homologated by ANATEL.

The Brazilian Internet Act establishes that the preservation and guarantee of net neutrality is one of the principles applicable to the use of the internet in Brazil. According to this Act, the party in charge of transmission, switching or routing shall process, in an isonomic manner, any data packages regardless of their content, origin and destination, service, terminal or application.

This Act has an impact on the telecommunications sector, prohibiting providers of internet connections from blocking, monitoring, filtering or analysing the content of data packages.

However, Decree No 8,771/2016, which regulates the Act, covers exceptional circumstances in which discrimination or traffic degradation is admissible. Such measures, designed to maintain the net’s stability, security, integrity and functionality, might be taken if essential for the proper provision of services and applications (eg, handling network security issues by restricting spam messages, as well as dealing with network congestion), provided those in charge of such measures abstain from causing damage to users; act proportionately, with transparency and isonomy; inform their users a priori about the adopted traffic management and mitigation practices, including those related to network security; and offer services under non-discriminatory business conditions and abstain from anticompetitive conduct.

Although it is still not possible to foresee what emerging technologies such as 5G, the IoT and AI will ultimately enable individuals and companies to achieve, it is already clear that regulations will be necessary for many aspects thereof.

Laws and regulations shall ensure individuals’ rights, privacy, security and dignity, but at the same time a balance should be sought by legislation to foster technological development.

Cybercrimes occur on a daily basis; therefore, legislation shall be in force to regulate operations that may lead to cybercrimes and properly penalise this kind of criminal conduct.

Many bills are being analysed, and discussions are presently ongoing in Brazil to address issues associated with emerging technologies.

When integrating these technologies, the matter of liability is highly relevant; the party liable for decisions taken, for example, by AI solutions, should be determined, especially when errors or damage occur.

Data privacy must also be considered, ensuring compliance not only with local legislation but also with the applicable international regulations.

In addition, other concerns may arise when dealing with these technologies, and interested parties should seek specific advice to address them.

Closely regulating all aspects of technology agreements is of paramount importance, since Brazilian legislation and case law have not deeply considered them so far. IP rights, service levels, liability and data privacy are the most challenging topics for technology agreements.

Especially considering the fast-paced development of technologies, ownership of current and future IP is a highly sensitive matter. Provisions stating the covenants between the parties to agreements are necessary.

Regarding software licence agreements, it is of relevance that SaaS is frequently provided in Brazil. Considering that service level agreements (SLAs) are not specifically regulated, but rather result from business negotiations, it is also important to regulate all aspects thereof, such as uptime, backups, disaster recovery and business continuity.

Concerning liability, the Software Law holds that contractual provisions exempting any parties from actions brought by third parties resulting from copyright misuse, flaws or violation are null and void. However, limitation of liability is not forbidden, and the understanding of the maximum indemnification when technology agreements are involved varies.

Data privacy is another challenging issue in the regulation of technology agreements, since personal data is usually stored by IT systems, and international data transfer may occur. In this regard, both data controllers and processors shall act in compliance with the LGPD and rules issued by the National Data Protection Authority (Autoridad Nacional de Protección de Datos; ANPD).

Technology transfer agreements – including for IP, know-how and software licences (if the transfer involves the software source code) – shall be registered with the National Institute of Industrial Property (Instituto Nacional de Propiedad Industrial; INPI) to produce effects for third parties, enable the licensee to proceed with the tax deductibility of amounts paid as royalties and technical service fees and legitimise the remittance of royalties abroad, in case of foreign licensors.

It is noteworthy that Law No 14,286/2021, which regulates the Brazilian exchange market, amended Law No 8,383/1991 and established that technology transfer agreements do not need to be registered for the payment of royalties abroad.

Telecommunications service agreements should contain information on conditions related to the price, accessibility and use of the services. Such information should be clear, objective, sufficient, written in easy-to-understand language and presented in a manner that allows adequate decision-making by the party contracting the services. Readjustment of the price paid for the services may only occur at least 12 months after they were contracted, and the agreement should define the readjustment criteria and frequency, in addition to the readjustment index.

Favourable terms may be negotiated between telecommunications service providers and customers, since free, broad and fair competition is ensured by the LGT. Acts contrary thereto, such as subsidies for an artificial price decrease and the use of information obtained from competitors and resulting from service provision agreements, and which are aimed at achieving a competitive advantage, are prohibited.

The LGT stipulates that interconnection between networks is mandatory. When entering into interconnection agreements, companies should ensure that the connection between telecommunications networks is in compliance with the regulations in force, as well as compatibility between different providers, both national and international, such that users of one network may communicate with users of another network or access services available therein.

Brazil has had an advanced digital signature structure since 2001, when Provisional Measure No 2,200-2 (MP 2,200-2) was enacted, regulating the use of electronic signatures in Brazil and creating ICP-Brasil. ICP-Brasil is composed of a managing authority and a chain of certifying bodies – ie, entities accredited to issue digital certificates.

With this infrastructure, each digital certificate belongs to a person who has a pair of encrypted keys, which must controlled, used and known of only by that person. The rules established by the ICP-Brasil management authority determine that when a document is encrypted with a public key, it can only be decrypted with the corresponding private key, which means that the digital signature associates an entity/person with a pair of encrypted keys through asymmetric encryption.

According to MP 2,200-2, electronic documents are considered public or private for all legal purposes, and the content of documents electronically produced with certification from ICP-Brasil is considered authentic in relation to the signatories thereof. It is important to highlight the difference between digital and electronic signatures. Digital signatures use ICP-Brasil infrastructure through a digital certificate issued by ICP-Brasil, whereas electronic signatures do not use such digital certificate. Although the legal presumption of authenticity and integrity applies only to documents signed within the ICP-Brasil framework, MP 2,200-2 states that it does not prohibit the use of other means intended to prove the authorship of documents in electronic format, including those using certificates not issued by the ICP-Brasil, provided that such use is accepted in advance by the parties.

Therefore, agreements and documents in general can be signed with digital or electronic signatures. However, certain government authorities and boards of trade only accept documents signed electronically or using certified digital certified signatures issued by ICP-Brasil, under the assumption that the signatures are provided through platforms that certify their validity via a QR code, hash code or validation code. In this regard, Law No 14,063/2020 emerged with the objective of expanding access to digital public services by reducing the bureaucracy associated with electronic signatures in documents. This law amended MP 2,200-2 and provided for the use of electronic signatures in interactions with public entities, and in relation to the acts of legal entities and health issues.

As a recent development in this matter, the Superior Court of Justice (Superior Tribunal de Justiça; STJ) recognised the validity of electronic signatures within a digital platform not certified by ICP-Brasil, as long as the parties involved accept such platform’s validity, along with the entity to which the signed document is submitted. This represents an important step away from excessive formality, considering the nuances of the digital environment.

The term “digital identity” has no standard definition in Brazil. However, it can be defined as the way in which an individual is represented and documented online. Several distinct identifiers can represent a digital identity, such as:

• name;
• date of birth;
• login credentials;
• email address;
• passport number;
• social security number;
• browsing behaviour; and
• online shopping activity.

Law No 14,852/2024 (the “Electronic Games Framework”), in force since May 2024, establishes the regulatory framework for the manufacturing, importation, commercialisation, development and commercial use of electronic games in Brazil. This law excludes from its scope lotteries, sports bets (which are regulated by other laws) and any games involving bets or offering prizes in the form of real or virtual assets, or involving random or predicted outcomes. The main provisions of the Electronic Games Framework include:

• industry regulation – the law regulates aspects of the electronic games industry, allowing the use of games for entertainment and other lawful activities, including education and therapy;
• tax incentives – the industry is expected to benefit from incentives similar to those in the cultural sector, according to the Rouanet Law (Law No 8,313/1991) and the Audiovisual Law (Law No 8,685/1993);
• age and content rating – the government will be responsible for the age rating of games, considering the risks associated with the use of microtransactions; and
• protection of children and adolescents – there are specific measures to protect underage users, such as requiring that games be designed with the interests of individuals under 18 years of age in mind, the implementation of risk-mitigating measures and consideration of accessibility and non-discrimination, as well as special rules for games that include the exchange of text, audio or video messages, among other provisions.

Additionally, the law establishes that the government will regulate customs clearance and import taxes related to electronic games. Individual entrepreneurs and micro-entrepreneurs developing games will receive special treatment to be defined later. This new framework represents a significant step towards regulating the electronic games industry in Brazil, promoting innovation and consumer protection especially in relation to vulnerable users.

Gambling elements are not allowed in the context of the Electronic Games Framework. In-game purchases are not prohibited but must observe the applicable rules. The Electronic Games Framework provides that tools for in-game purchases must be designed to restrict purchases and commercial transactions by children. Here, purchase authorisation from the parents or adults responsible for children is mandatory. Under the Statute of Children and Adolescents (Estatuto da Criança e do Adolescente or ECA; Law No 8,069/1990), children are individuals up to 12 years of age, while adolescents are individuals aged between 12 and 18 years.

Loot boxes have no specific regulations and are not expressly prohibited, but there are activist associations fighting against them, interpreting loot boxes as games of chance. Transversal laws like those of the CDC and ECA are to be observed in connection with in-game purchases and loot boxes, where applicable.

The gaming industry in Brazil is subject to regulation by ministries and public bodies in different sectors, which oversee an array of matters other than those pertaining to the gaming industry. These include:

• the Ministry of Culture – this is the main body involved in the implementation of the Electronic Games Framework, having played an important role in its creation;
• the Ministry of Justice and Public Security – the Commission of Content Rating is part of this ministry, being responsible for classifying movies, TV shows, games, etc, and the National Consumer Secretariat (Secretaria Nacional do Consumidor; SENACON) is also part of this ministry, acting in the defence of consumers’ rights in relation to microtransactions and general commercial transactions;
• the Ministry of Economy – responsible for tax and fiscal supervision, including the provision of fiscal incentives, and for customs regulations and enforcement; and
• ANATEL – this agency is not directly in charge of gaming surveillance, but it regulates aspects related to internet access and infrastructure.

Since the Electronic Games Framework was enacted fairly recently, there are no relevant enforcement actions to report.

A major challenge when it comes to IP in the gaming industry is the fight against piracy, so strengthening the protection of developers’ copyrights to combat piracy and the illegal distribution of games is one of the most important goals.

Under Law 5,988/1971, game copyrights can be registered with the National Library Foundation. This is not compulsory, but it helps with the recognition of authorship. Trade marks, on the other hand, can be registered with INPI. The types of registration include:

• copyright – protects artistic elements such as plot, characters, drawings, sound effects and dramatisation;
• trade marks – protect the name of a game or characters;
• patents – protect technical innovations, such as software or the design of a database; and
• trade secrets – protect confidential information, such as publisher and developer contacts and internal development tools.

Effective protection of IP in the gaming industry demands a thorough strategic framework that integrates multiple legal safeguards. Given the competitive nature of this sector, prioritising the safeguarding of creative assets through IP is essential. Sufficient legal and contractual measures ensure that the investments made in research and development yield economic benefits.

Trade mark protection for virtual products is crucial to prevent disputes with similar brands within the same market segment. Only trade marks registered with INPI can be utilised legally.

When evaluating a game’s IP, the initial legal focus should be on determining ownership of the rights associated with the software, including usage, sales, and distribution rights. It is vital for individuals or companies to formally possess these rights. According to the Software Law, the rights to software developed during a contractual or statutory relationship belong to the employer or contractor.

In this context, it is advisable to submit a registration application before publicly disclosing any details about the game, particularly its name and images. This not only protects these elements but also verifies that other entities are not using similar trade marks, avoiding conflicts post-launch.

Copyright in gaming encompasses narratives, characters, environments, music, graphics and even the source code itself. However, it is crucial to note that copyright protects the expression of ideas rather than the ideas themselves. There are two key implications of this: first, no game concept is eligible for copyright until it is documented (like source code); and second, similar concepts in different games do not automatically infringe existing copyrights. For instance, if an adventure game is copyrighted, another game in the same genre with different elements can still be created, without violating copyright laws.

Various laws and regulations apply to social media, including the Internet Act, the LGPD, the Civil Code, the Criminal Code, the ECA, the CDC and even industry codes of conduct such as that of the Brazilian Advertising Self-Regulation Council (Conselho Nacional de Autorregulamentação Publicitária; CONAR), as well as rules on the marketing and publicising of products or services subject to special control by regulatory bodies like the Brazilian Health Regulatory Agency (Agência Nacional de Vigilância Sanitária; ANVISA), the BCB and the CVM, among others.

Bill 2,630/2020, which has been under discussion for some years, is intended to regulate social media to combat misinformation. It imposes obligations on platforms and establishes penalties for misconduct.

Some of the most challenging areas today include the need to implement measures aimed at protecting children and adolescents in the context of social media, encompassing the ECA, LGPD and other regulations; issues with the use of AI and the lack of transparency in privacy policies; and misuse of AI to deceive or manipulate, including by using deepfakes to commit fraud and obtain undue advantage.

The primary regulatory bodies overseeing the use of social media in Brazil are the ANPD, ANVISA, SENACON and the CVM. Moreover, although not regulatory in nature, the judiciary has been very active in punishing non-compliance and suspending or banning accounts.

The regulatory bodies have powers to establish penalties for inobservance of the laws and regulations in their respective areas. For instance, ANVISA alone has an array of regulations pertaining to the advertising of the products under their supervision, including medication, plant-based products, cosmetics, etc.

There have been many recent enforcement actions in Brazil. For instance, some politicians are having their accounts suspended or banned, and social media platforms are being penalised by the ANPD for not implementing strict measures to protect children and adolescents and, sometimes, for not being sufficiently transparent regarding the processing of personal data. Moreover, CONAR, which is a self-regulatory body for advertisements, continually acts to ensure legal, ethical and proper advertisement.