Although there are no specific laws about cloud services in Brazil, several local laws touch on the matter, as follows.
The Internet Act (Law No 12,956/2014, MCI), further regulated by Decree No 8,771/2016, sets out principles, rights and obligations regarding the use of the internet in Brazil, and establishes obligations for internet connection and application providers that are relevant to cloud computing solutions in general. The MCI's main obligations relevant to cloud computing concern data retention by internet application providers.
The Brazilian General Data Protection Act (Law No 13,709/2018, LGPD), which came into force in 2020, governs the processing of personal data irrespective of industry or business; as controllers or processors of personal data, cloud service providers must comply with it. The LGPD affects cloud computing and its providers, in particular with regard to the requirements for the processing of personal data and for data transfers.
On the matter of personal data processing, it is important to highlight the relevance of data protection in a cloud computing environment, with the following specific issues arising in this context.
Law No 8,078/1990 (the Consumer Protection Code, CDC) governs all consumer relationships, including cloud computing products or services.
Brazilian Central Bank Resolution No 4,893 of 2021 provides for cybersecurity policy and establishes requirements, to be observed by companies regulated by the Brazilian Central Bank, for contracting cloud processing services.
Complementary Norm/No 14/IN01/DSIC/GSIPR, issued in 2012 and amended in 2018, sets guidelines regarding the use of technologies in government agencies. More specifically, it addresses cloud computing and the aspects related to security and data protection. The Norm prohibits the processing of information classified as secret or top secret in the cloud, for any reason. Also, data and metadata produced by and/or under the responsibility of the agency must be stored in data centres within national territory. In addition, it is important to note that, in 2016, the Information Security Cabinet of the President’s Office and the Ministry of Planning, Budget and Management (now part of the Ministry of Economy) issued a general guideline with best practices, orientations and restrictions to be followed by federal entities when contracting cloud computing services. The document outlines contractual requirements that should be ensured by the agencies contracting cloud services, and the following are particularly worth mentioning.
Risk and Liability
Blockchain technology regulation is still in its initial phase in Brazil. The first guidelines in this regard were introduced by the Securities and Exchange Commission (Comissão de Valores Mobiliários, CVM) in 2020 through Normative Ruling No 626/2020, which encompasses new business models and technologies available in capital markets, such as blockchains. The Central Bank has announced that it will authorise the issuance of blockchain tokens in the national financial system as part of its regulatory sandbox. Also, since 2020, notary offices have been able to certify and time-stamp official documents via blockchain technology.
Notwithstanding the foregoing, as this technology is being accepted for many purposes, including as evidence to be used in court, it is necessary to observe the legality of the procedure and the principles of due process, as well as to ensure respect for ethics and constitutional values. Risks and liabilities involving personal data are mentioned in the topic below.
The Brazilian Copyright Association allows the registration of intellectual property on a blockchain and recognises its validity in the same way as the procedures undertaken by the Brazilian National Library. The greatest difference between the two procedures is processing time: registration via the National Library can take up to 180 days and does not include a digital registry, whereas registration using blockchain technology should take no longer than five minutes and includes a digital registry.
Additionally, non-fungible tokens (NFTs) are being used as a means of registering intellectual property and, since they are based on blockchain technology, they carry a digital certificate of copyright. IBM, for example, has announced that it will use NFTs to register patents and, even though these certificates of ownership are not equivalent to registration with the National Institute of Industrial Property, they are able to identify the owner of a piece of art, a meme or a registry. Blockchain technology seems to be a promising way to facilitate access to such registries, since it is faster and costs less, which will enable small businesses and individual artists to certify the ownership of their work more efficiently.
Blockchain is not incompatible with the Brazilian Data Protection Act (Law No 13,709/2018), even though its immutability may raise questions regarding the right to be forgotten and the processing of personal data. One of the main issues debated in this context is the right to be forgotten, since personal data (or any information) recorded on a blockchain would never be forgotten. The right to be forgotten, in turn, was recently declared by the Brazilian Supreme Court to be incompatible with the Federal Constitution in a very specific case, which did not analyse issues related to technology, the internet or blockchain. So, it is possible that the matter will generate new discussions in the future, especially once blockchain has its own regulation.
As the regulation of blockchain technology is still in its initial phase in Brazil, there are still no general rules regarding service levels.
For instance, MRV, a Brazilian construction company, recently carried out the first real estate development on the market using blockchain technology to optimise notary services in a virtual environment. The procedure concerned the incorporation of a project to be launched by the construction company in the municipality of Duque de Caxias, in the State of Rio de Janeiro. Unlike the traditional process, MRV concluded the blockchain real estate development act in a few minutes. Through the traditional physical process, such registration of the purchase and sale deed takes, on average, 30 days to be carried out by the notary's office. Other acts, such as the registration of the memorial of incorporation and the condominium convention, can take up to 45 days.
The technology is accepted in courts to prevent tampering with and preserve evidence, mostly regarding digital media, such as records of social media posts and app conversations. This is the understanding of the Court of Justice of the State of São Paulo in the judgment of cases 1000786-26.2019.8.26.0660 and 2237253-77.2018.8.26.0000, which recognised that blockchain registration is valid proof of the existence of online content.
As a blockchain record cannot be altered, it is very helpful for preserving digital events that could otherwise be altered by a user (eg, social media posts), proving the authenticity of the evidence.
The technology is available and can be used by anyone, in contrast with older forms of evidence registration, which depend solely on a notary’s office to authenticate a document.
Recently, the Brazilian government formalised the use of blockchain through a Normative Ruling (ITI No 19/2021) issued by the National Institute of Information Technology; this system will be used to certify the existence of a given document at a specific date and time (ie, a time stamp).
Our society is going through two major waves of transformation in the area of technology, namely big data and the use of artificial intelligence (AI) by companies, projects and businesses in order to offer better and more effective solutions in their applications. The influence of big data and the use of AI through machine learning have been affecting several sectors of the world economy, and this impact is only likely to increase in the future.
In the Brazilian jurisdiction, there are several legal challenges when starting a project in which big data and artificial intelligence are applied. The biggest issue regarding these technologies is that Brazil has not yet enacted regulation for the use of AI, machine learning or big data. Therefore, the main practical challenge is the lack of specific rules dealing with these matters. When managing a business programme involving such technologies, the legal, ethical and constitutional principles must be observed, as well as the national and international frameworks and guidelines that have already been established, paying special attention to what is being discussed by Brazil's government, national authorities and courts in relation to the matter.
When it comes to the use of large amounts of data, one of the main issues companies must be aware of is personal data protection.
In Brazil, the LGPD sets the legal parameters for the use of personal data. The law applies to the collection and processing of personal information with big data, which companies mainly use for purposes such as data mining and profiling. If not carried out properly and in accordance with the law, these data processing techniques can cause severe damage to the rights of data subjects. Therefore, companies must structure their compliance and data governance programmes to conform to the data processing rules. These measures are important for organisations to provide a safer and more reliable environment for the protection of society's fundamental rights to privacy and data protection.
Artificial Intelligence and Machine Learning
Many of the main challenges for the implementation of AI and machine learning solutions in Brazilian companies relate to the need to observe data protection principles and the ethical use of such technologies, and to the absence of regulation on the matter. AI regulation is a highly discussed topic in Brazil, and a number of bills have recently been proposed, both by the Chamber of Deputies and the Federal Senate, some of which have caused controversy.
It should be mentioned that, according to the LGPD, data subjects have the right to request the review of decisions based exclusively on the automated processing of personal data that affects their interests, including decisions that define their personal, professional, consumer and credit status or their personality. However, the LGPD does not grant data subjects the right not to be subject to a decision based solely on automated processing that has a legal impact on them or affects them in any way. In addition, the LGPD does not impose an obligation to provide information on automated decision-making, algorithmic logic and the consequences of such processing because, under the LGPD, in theory, if the information is claimed to infringe industrial or trade secrets, the data controller may refuse to provide clear and sufficient information about the standards and procedures used for automated decision-making.
Even so, the LGPD has indirectly addressed the ethical issues raised by AI, because its original text provided that data subjects could request that decisions made solely by automated means be reviewed by a natural person. The clause would have provided a mechanism to minimise the risks caused by the increasing use of algorithms to evaluate and classify people's lives and behaviours. However, this provision was vetoed and revised by the President of Brazil. Therefore, the review of an automated decision no longer needs to be done by a natural person. This change has not been welcomed by the legal community, which believes it is harmful to the rights of data subjects and to the ethical use of artificial intelligence systems.
For that reason, in March 2020, the Brazilian Ministry of Science, Technology and Innovations (MCTIC) wrapped up a Public Consultation on the Brazilian Artificial Intelligence Strategy (EBIA), in order to collect contributions to enhance the benefits of AI for the country and help mitigate its negative impacts. The public consultation aimed to provide solutions related to the legislation, regulation and ethical use of AI and machine learning in order to promote the proper development and adoption of these technologies.
Among the proposed legislation, Draft Bill No 5051/20, proposed by Senator Styvenson Valentim, stands out for its proposal regarding liability for damages caused by automated decisions of AI devices, stating that responsibility should always lie with the human supervisor of the system. Also proposed by the same Senator, Draft Bill No 5691/2019 institutes a National Policy for Artificial Intelligence, addressing requirements for AI and machine learning solutions to be understandable and accessible, with mechanisms for human intervention if necessary, and without discriminatory bias.
Another important proposed piece of legislation was drafted by Deputy Eduardo Bismarck (Draft Bill No 21/20), establishing that the use of AI must be based on respect for human rights and democratic values, equality, non-discrimination, plurality, free initiative and data privacy. In addition, AI must have, as a principle, the guarantee of transparency in its use and operation. The bill also imposes several duties on development and operating agents, who must provide clear and adequate information about the procedures used by AI systems, a duty already imposed on processing agents by the LGPD. Also, AI and machine learning operating agents would be liable, as stipulated by law, for decisions made by an AI system, and must provide continuous protection of AI systems against cybersecurity threats.
When contemplating a project with connected devices, Decree 9,854/2019, which instituted the National Internet of Things Plan with the objectives of improving quality of life, fostering competition, increasing productivity and furthering Brazil’s integration into the international landscape, among others, should be considered. According to the Decree:
Implementation and development of IoT is based on free competition and circulation of data, but compliance with information security and personal data protection guidelines is required. Health, cities, industries and rural environments are priorities for IoT solutions.
According to Law 9472/1997 (General Telecommunications Law, LGT), value-added services (VAS) are not:
By contrast, telecommunications services (activities enabling the offer of transmission, emission or reception of symbols, characters, signs, writings, images, sounds or information, whether by wire, radio-electricity, optical means or any other kind of electromagnetic process), as defined by the LGT, are regulated in Brazil and their provision depends on ANATEL’s authorisation.
However, transmission of data between IoT devices is required for their operation and, thus, there should be connectivity. Consequently, two issues arise:
Connected devices are deemed communications products that use the radioelectric spectrum to propagate information, and are therefore subject to compliance with technical requirements, certification and authorisation by ANATEL.
Operation of radiocommunications transmitting stations also requires prior licensing by ANATEL, but Law 14108/2020 exempted stations that form part of machine-to-machine (M2M) communications systems from prior licensing.
Being deemed VAS, IoT is not subject to the tax on circulation of goods and services (ICMS), levied on telecommunications services; tax on services (ISS) is due, but at rates lower than those of ICMS.
Law 14108/2020 also exempted M2M communications systems’ stations from the payment of certain fees until December 2025.
Information Security/Personal Data Protection
Reliable and stable networks are fundamental for IoT. Regulations aimed at preventing cyber-attacks, unauthorised access to data and the disclosure thereof must be complied with. Several laws and regulations address the matter and should be considered, such as:
Fifth-generation (5G) technology is expected to be implemented in Brazil in 2022 and to boost the IoT market, fostering innovation and affecting the local economy and society. Minimum cybersecurity requirements for 5G networks were set by Normative Instruction 4/2020 of the Office of Institutional Security of the Presidency of the Republic.
As the law and case law in Brazil have not yet addressed the matter of IT service agreements in general, such agreements must be regulated in detail by the parties.
The main challenges of IT service agreements in Brazil are probably related to intellectual property rights (IPRs), service levels, liability and data privacy.
First, in the IT industry, the continuous development of technologies is essential and contracts shall clearly regulate the ownership of existing intellectual property and future intellectual property developed during the commercial relationship between the parties involved.
Furthermore, as software is often provided as a service in Brazil, service level agreements (SLAs) are heavily discussed. In this regard, although there is no specific regulation on SLAs (so this is mostly a commercial matter), general laws and customs provide minimum requirements in terms of uptime, back-ups, disaster recovery and business continuity.
Liability is always a significant issue. The Software Law (Law No 9,609/98) expressly states that clauses that “exempt any of the contracting parties from any third-party actions arising from misuse, flaws, or violation of copyrights” are null and void (Article 10). However, limitation of liability is allowed, and case law varies considerably on the possible caps on indemnification in IT contracts.
Finally, data privacy matters are also deeply discussed. Personal data (including sensitive data) is usually stored in IT systems governed by these IT agreements. Controllers and processors of data (as defined in the LGPD) must comply with local regulation, subject to legal penalties.
Rules regarding Data Protection
The Brazilian Data Protection Act (LGPD), approved in Brazil in August 2018, effective since 2020, provides for the processing of personal data by natural persons or legal entities of public or private law.
The legislation states that the processing of personal data must be based on good faith and the following principles:
Regarding territorial scope, the LGPD establishes that it is applicable:
The law defines personal data as any “information related to any identified or identifiable individual”, while sensitive personal data is personal data regarding racial or ethnic origin, religious belief, political opinion, affiliation to a trade union or to a religious, philosophical or political organisation, data relating to health or sex life, or genetic or biometric data, when associated with an individual.
Legal basis for data processing
The processing of personal data may only occur under one of the following legal bases:
Special rules may apply to the legal bases for processing sensitive personal data.
Data protection impact assessments
When the processing is based on the legitimate interest of the controller or of third parties, the Brazilian National Data Protection Authority (ANPD) may require the data controller to submit a data protection impact assessment (DPIA). This report must contain, at least:
Data subjects’ rights
Processing agents must provide means for data subjects to exercise their rights, which are:
Obligations of processing agents
The LGPD determines that data controllers are required to record:
When the processing agent is a small business or start-up, the record of processing activities may be simplified, and the template will be provided by the regulatory authority.
According to the LGPD, data controllers must appoint a data protection officer (DPO) and disclose their identity and contact information to the public in a clear and objective form, preferably on the data controller’s webpage. The duties of the data protection officer are the following:
According to ANPD Resolution No 2, small businesses and start-ups that process personal data are not required to appoint a DPO, provided that they do not (i) perform high-risk personal data processing or (ii) earn, individually or together with their economic group, gross revenue above BRL4.8 million per year (or BRL16 million per year in the case of start-ups). The obligation to establish a communication channel with data subjects remains.
The LGPD also determines that the controller must notify the national authority and the data subjects immediately whenever a security incident occurs that may pose a significant risk or cause damage to data subjects. A security incident involving personal data is defined as any confirmed adverse event related to a breach of the security of personal data, such as unauthorised, accidental or unlawful access that results in the destruction, loss, alteration or leakage of data, or any form of inadequate or unlawful processing, which may pose a risk to the rights and freedoms of the data subject. The incident notice must contain, at least:
Besides the elements listed above, the ANPD recommends that the notice contain:
If it is not possible to provide all the information at the time of the preliminary communication, additional information may be provided later. While the regulation is pending, it is recommended that, after becoming aware of an adverse event presenting a relevant risk, the controller contact the ANPD as soon as possible; an indicative period of two business days, counted from the date of knowledge of the incident, is considered appropriate.
In relation to small-sized processing agents, according to ANPD Resolution No 2, they have double the period established in the LGPD to undertake certain acts, such as responding to data subjects’ requests and communicating to the ANPD and the data subject the occurrence of security incidents.
International data transfers
The LGPD establishes the permitted cases of international data transfers, which include:
The LGPD determines that the level of data protection in foreign countries or international bodies will be assessed by the national authority, which will also define the content of specific contractual clauses, standard contractual clauses (SCCs), global corporate rules, and seals, certificates and codes of conduct.
Up to this point, the national authority has not yet issued opinions on the subject and has not undertaken any adequacy analysis of the data protection level of other countries. The topic is expected to be considered in the first half of 2022, when it will be the subject of an ANPD resolution, according to its regulatory agenda.
Enforcement and administrative penalties
The LGPD establishes that any data controller or processor who, through the processing of personal data, causes pecuniary or moral damage, individually or collectively, in violation of applicable personal data protection laws, is obliged to compensate it.
Brazilian law also establishes that the data processor is jointly liable for damages caused by the processing of data in violation of applicable data protection laws or by failure to follow the lawful instructions of the controller, in which case the processor is deemed equivalent to the controller, unless an exclusion of liability applies.
In Brazil, it is also important to mention that consumer defence bodies have been very active, following all developments related to privacy and the protection of personal data, besides filing numerous lawsuits.
With regard to the penalties provided for by the law, the LGPD defines the administrative penalties applicable in case of violation of privacy laws. Processing agents are subject to the following sanctions by the national authority:
The LGPD does not limit the sanctions to those imposed by the supervisory authority. Data subjects and their representatives may go to court for compensation, in which case the cap on monetary amounts set by the LGPD will not apply.
With respect to the National Data Protection Authority (ANPD), the LGPD defines it as a public administration body responsible for ensuring, implementing and overseeing compliance with the law throughout the national territory.
The ANPD is responsible for defining the minimum level of security, the rules on data portability, the enforcement of sanctions and other matters under the LGPD. According to the LGPD, the ANPD is competent to:
Besides the actions mentioned above, the national authority may establish additional rules, authorise international transfers of personal data, and assess the level of data protection of foreign countries or international bodies, considering the parameters set out by the LGPD. The ANPD is also responsible for defining the content of standard contractual clauses and for verifying specific contractual clauses for a given transfer, global corporate rules, and seals, certificates and codes of conduct. The national authority is in charge of enforcing the administrative sanctions mentioned in the topic above, and may order the data controller to prepare an impact assessment report on the protection of personal data relating to its data processing operations, pursuant to regulation and subject to trade secrets.
Distinction between Companies/Individuals
The LGPD rules apply to processing activities involving personal data (information relating to an identified or identifiable natural person). Brazilian law therefore adopted an expansive criterion: personal data can be anything from a name, a telephone number or a home address to the IP address of a computer or any other information that can identify an individual. On the other hand, data relating to legal entities are not considered personal data, for example a company name, National Register of Legal Entities number or business address.
General Processing of Data
Every day, companies have access to a huge volume of data, whether internal to the business, external or coming from third-party databases. These companies can process data, which is nothing more than the collection, compilation, organisation and disposition of information.
There is no provision for applying the LGPD to the processing of information that is not considered personal or sensitive data. However, its good practices can still be followed.
Processing of Personal Data
Brazilian law considers a large number of activities as processing personal data. They include the collection, classification, reproduction, receipt, archiving, dissemination, extraction, access, transmission, distribution, processing, communication, transfer, or any operation performed with some kind of handling of personal data.
Monitoring and limiting employees’ use of computer resources are common practices among companies in Brazil. However, in order to implement these practices in accordance with the Brazilian Consolidation of Labour Laws (Law No 5,452/43, CLT), the Brazilian General Data Protection Act (Law No 13,709/18, LGPD) and case law, specific rules must be observed.
There are no restrictions on prohibiting or limiting the use of private email, social media and/or specific websites or content during working hours. Nevertheless, if the company allows its employees to use work devices for non-work-related activities or to access personal content, monitoring of the device, if implemented incorrectly, may result in a violation of the employee’s rights regarding privacy and personal data.
Furthermore, with the entry into force of the LGPD, new obligations regarding the processing of employees’ personal data, and therefore the monitoring of their activities, have emerged. The LGPD requires that, in addition to the obligation to process personal data only under one of the legal bases listed in Article 7 and/or Article 11, the processing may only occur under the following conditions.
The employment of technical measures to protect personal data from unlawful situations of destruction, loss, alteration, communication or dissemination (eg, data loss prevention (DLP) tools, web traffic monitoring) is required by the LGPD, as provided for in Article 6, item VII. However, the obligations and requirements listed above must be considered prior to implementing information security tools or mechanisms, in order to ensure that employees’ fundamental rights and personal data are not infringed.
According to the LGT and complementary rules (eg, those issued by ANATEL, the agency in charge of administering the use of the radio-frequency spectrum and orbits), telecommunications services may be:
The following are the main telecommunications technologies currently regulated.
Brazilian and foreign satellites may be used by providers of community-interest services to transport telecommunications signals, but this is not in itself a telecommunications service.
Provision of the fixed switched telephone service (FSTS) under the public regime depends on a concession granted through a bid and the execution of the concession agreement. Law 13879/2019 stipulates that concessionaires may request ANATEL to convert the concession into an authorisation, if certain requirements are met by the interested party.
Exploitation of telecommunications services in the private regime depends on ANATEL’s prior authorisation. The following applies:
For an authorisation to be granted, the provider should:
The interested party requests the applicable authorisation through ANATEL’s information system, providing certain information and documents in accordance with the agency’s Resolution 720/2020. Prior notification to ANATEL regarding which services will be provided is mandatory. The fee for the authorisation is BRL400 for community-interest services and BRL20 for restricted-interest services. Nevertheless, when the provision of community-interest services may be affected by a large number of competitors, a bid might be required for the issuance of authorisations.
Additionally, the provider should comply with all specific conditions established by regulations applicable to the relevant telecommunications service, which requires a deep analysis.
Services and solutions that add utilities, not to be confused with the telecommunications services supporting them (eg, instant messaging, RFID tags, communication between computers connected to the internet with no connection to telephony networks), are deemed VAS and are not subject to telecommunications rules.
However, if they also encompass the provision of telecommunications services, ANATEL’s authorisation is required and telecommunications regulations will apply. Examples include communication between computers using voice over IP (VoIP) to connect with fixed or mobile phones, and VoIP services that simultaneously originate and terminate the communication on public telephony networks.
Moreover, communications products using the radioelectric spectrum for the propagation of information should comply with the applicable technical requirements, in addition to being certified and authorised by ANATEL.
Audio-visual and media services (broadcasting services) are subject to the Federal Union in terms of regulation, maintenance and exploitation, although the Brazilian Telecom Code (BTC) allows private parties to provide such services under proper concessions, authorisations or permissions, granted for renewable and successive terms of ten years (radio broadcasting) or 15 years (television broadcasting). Concessions and authorisations are not exclusive, and the Federal Union may directly provide the same services.
After publication of a notice, interested parties may present their proposals, which are submitted to the President of the Republic after the competent body analyses the proposals and issues its opinion. The broadcasting station is subject to a prior licence, which must be requested after the concession contract is registered by the audit officer. If the station is approved, the licence shall be issued within 60 days.
The authorisation or permission is subject to the following requirements:
The fees payable for the use of the telecommunications services provided by the entity will be fixed in order to always remunerate the total costs of the services, the amortisation of the invested capital and the formation of funds necessary for the conservation, replacement and modernisation of the equipment, and extensions of services.
These requirements do not apply to application providers, such as platforms on which users may post their own content, such as videos. Such platforms are covered by the specific law that regulates the use of the internet in Brazil, whose scope includes application providers.
Legal Requirements Governing the Use of Encryption
Encryption is one of the fundamental safeguards of information security, ensuring the confidentiality of processed data. Brazil's General Data Protection Law (LGPD), however, does not explicitly address the matter, and therefore does not impose the use of encryption as an obligation on companies. The law does require the adoption of technical and organisational measures to protect data from unauthorised access and from accidental or unlawful destruction, loss, alteration, communication, or any other form of inappropriate or unlawful processing. To date, Brazil's Data Protection Authority (ANPD) has not issued regulation setting minimum technical standards that would make specific security measures, such as encryption, mandatory.
It is important to highlight that Article 5 of the Brazilian Federal Constitution guarantees the secrecy of correspondence and telegraphic, data and telephonic communications as inviolable, except, in the latter case, by court order, in the situations and manner established by law for purposes of criminal investigation or the fact-finding phase of a criminal prosecution. Also, Article 7(III) of the Civil Rights Framework for the Internet (Law No 12,965) guarantees the inviolability and secrecy of online user communications, with exceptions only permitted by court order.
Digital signature and encryption
Companies and individuals can obtain a digital signature certificate (known as an ICP-Brasil certificate), issued by the National Institute of Information Technology under Provisional Measure 2,200/2001, which established the Brazilian Public Key Infrastructure (ICP-Brasil) and ensures the authenticity, integrity and legal validity of documents in electronic format. The rules established by the management committee of ICP-Brasil determine that the signature associates an entity or a person with a pair of cryptographic keys, through asymmetric cryptography. Thus, when a document is encrypted with the public key, it can only be decrypted with the corresponding private key.
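As an added illustration that is not part of the original text and not ICP-Brasil's own implementation, the toy RSA script below (constructed with textbook-sized parameters) shows both directions of a key pair: encryption with the public key that only the private key can reverse, and a signature produced with the private key that anyone holding the public key can verify, which is the operation a digital signature actually relies on.

```python
import hashlib

# Textbook RSA parameters, constructed for illustration only: tiny primes
# make the arithmetic readable; real certificates use keys of thousands of bits.
P, Q = 61, 53
N = P * Q            # modulus shared by both keys: 3233
E = 17               # public exponent
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)  # private exponent: 2753

PUBLIC_KEY = (E, N)
PRIVATE_KEY = (D, N)


def encrypt(message: int, public_key: tuple) -> int:
    """Confidentiality: anyone holding the public key can encrypt."""
    e, n = public_key
    assert 0 <= message < n, "message must fit below the modulus"
    return pow(message, e, n)


def decrypt(ciphertext: int, private_key: tuple) -> int:
    """Only the holder of the matching private key recovers the message."""
    d, n = private_key
    return pow(ciphertext, d, n)


def digest(document: bytes, n: int) -> int:
    """Hash the document and reduce it into the key's modulus (toy sizes)."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big") % n


def sign(document: bytes, private_key: tuple) -> int:
    """Authenticity and integrity: the signer applies the private key to the hash."""
    d, n = private_key
    return pow(digest(document, n), d, n)


def verify(document: bytes, signature: int, public_key: tuple) -> bool:
    """Verification needs only the public key; any change to the document fails."""
    e, n = public_key
    return pow(signature, e, n) == digest(document, n)


if __name__ == "__main__":
    doc = b"Contrato de prestacao de servicos"  # constructed sample document
    sig = sign(doc, PRIVATE_KEY)
    print("valid signature:", verify(doc, sig, PUBLIC_KEY))            # True
    print("tampered document:", verify(doc + b"!", sig, PUBLIC_KEY))  # False
    print("decrypted:", decrypt(encrypt(65, PUBLIC_KEY), PRIVATE_KEY))  # 65
```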
In Brazil, several laws were enacted to address relevant issues arising from the impact of the COVID-19 pandemic. Specific to the TMT sector, telecommunications and internet services were included in the list of essential activities, defined as those essential to meet the urgent needs of the community – ie, those that, if not attended to, endanger the survival, health or safety of the population:
Legal Implications of Cybersecurity Incidents and Data Breaches in Brazil
Cybersecurity has recently become a hot topic, both in Brazil and worldwide. With the COVID-19 pandemic sweeping across the world in early 2020, and new variants emerging every three to four months, the hybrid work model has proven to be successful, and investing in cybersecurity has become even more of a priority for companies and governments worldwide.
Keeping networks secure is a key element in preventing cybersecurity incidents, which can cause major damage to businesses, resulting in financial losses, data breaches, leaking of strategic and confidential information, reputational damage and severe legal consequences. It is therefore very important to adopt adequate legal and technical measures to protect organisational systems, and to train employees effectively.
According to a report published by the Brazilian newspaper Valor Econômico in October 2021, Brazil was the country second-most affected by cyber-attacks in Latin America, surpassed only by Mexico. Also according to Valor Econômico, in the first half of 2021 alone Brazil suffered more than 16.2 billion incident threats; from January to August of 2021, 6.4 million attacks were reported.
Beyond the sheer volume of threats and effective attacks, these reports are alarming because: (i) attacks are expected to become more sophisticated and aggressive over time; and (ii) companies place ever more value on, and are extremely dependent on, their data. In this scenario, it is important for organisations in Brazil to understand exactly what they are facing, how they should adapt their systems and operations, what consequences to expect if a cyber-attack happens, and how to develop a proper contingency plan.
What is a cybersecurity incident?
A cybersecurity incident is defined as an occurrence that, actually or potentially, jeopardises the confidentiality, integrity or availability of an information system. It is an unwelcome attempt to steal, expose, alter, disable, or destroy information through a variety of threats, including malware, phishing, ransomware, data breach and denial of service. The attacks can be motivated by a variety of reasons, such as criminal, political and personal motives.
In Brazil, the biggest cyber-attack trend has been ransomware. Attackers usually take advantage of a weakness in a system and use strong encryption to hold the system (or a specific data set) "hostage", demanding payment in exchange for releasing it. Some of Brazil's biggest organisations have been targeted in the past year, including Brazil's Ministry of Health, the National Treasury of Brazil, large retail chains and major corporates.
Ransomware attacks are feared by corporations, since they usually result in interruptions to business operations, loss of sensitive data, impacts on clients, reputational damage and financial losses. Inability to access the system after a ransomware attack is commonly reported and, according to research published by the cybersecurity platform Keeper Security, 28% of these outages lasted for a week or longer, and 26% of the affected organisations were unable to fully perform their activities for at least a week.
This type of attack always sparks a debate on whether the targeted organisation should negotiate and pay the attackers to regain access to the system. Brazil does not have any regulations on how to deal with ransomware attacks, but many other countries discourage or prohibit payments to attackers in this type of situation. The USA, for example, has warned companies that paying a sanctioned entity (eg, known terrorists) can lead to sanctions against the companies themselves, even if the payer does not know the identity of the recipient. Other jurisdictions, such as the UK, Australia and Hong Kong, follow the same principle and can hold the payer liable if payment is made to sanctioned entities or if the recipient is tied to serious crimes.
How to protect your organisation from a cyber-attack
Organisations can adopt different technical and legal measures regarding cybersecurity. The first step is to conduct risk assessments to identify the most sensitive areas within the organisation. This helps the company identify its weaknesses and better allocate its resources in order to minimise the chances of a potential attack or, at the very least, to be prepared to reduce its impact. Vulnerability testing, simulations and tabletop exercises are also a good way to prepare for possible attacks and to identify whether the organisation needs new cybersecurity controls, systems or an infrastructure upgrade.
Another important measure is to offer proper and ongoing training to employees on cybersecurity risks and how to proceed in case of an attack. Enforcing proper policies and guidance regarding cybersecurity is also paramount, since these documents not only help employees in dealing with potential threats but are also a simple and effective way of demonstrating that your organisation holds itself (and its employees) to the highest standards regarding the subject.
The organisation should also have an expert cybersecurity team to handle threats and actual attacks. The team must be trained and ready to adopt the necessary defensive measures, since time is critical in this situation, and must be supported by detection capabilities and a structured incident response plan. The response generally involves mitigation measures to contain the attack, recovery measures for the affected systems, notification obligations to authorities, investigations and other remediation actions.
When it comes to Brazil, all the recommendations above are applicable and should be implemented. In addition, since almost all information systems also store at least some type of personal data, organisations in Brazil have to be aware of the new and strong regulation regarding personal data protection, which requires an incident response plan and some extra measures to be in place to make sure that the organisation is compliant with Brazil’s General Data Protection Law, No 13,709/18 (Lei Geral de Proteção de Dados or LGPD).
Additionally, many discussions are emerging around the need for new local regulations covering the internet and remote computing or cloud computing services, which are available globally. Given the difficulty of establishing general regulations, some strategic sectors of the economy have already established their own rules; the Central Bank of Brazil, for example, has recently regulated the use of the cloud by financial institutions.
Data protection compliance in Brazil
The LGPD covers personal data relating to Brazilian data subjects, personal data collected directly from Brazil, or personal data collected through the offering of goods or services to Brazil. Similarly to the EU’s data protection law (GDPR), Brazil’s law defines “personal data” to include all information related to an identified or identifiable natural person. The LGPD also contains special restrictions related to the processing of personal data from underage people and “sensitive personal data”, which is defined as data relating to an individual’s racial or ethnic origin, religious beliefs, political opinion, affiliation to unions or political, philosophical, or religious organisations, health, sex life or genetic and biometric data. All personal data processed by an organisation must be in compliance with the LGPD.
In order to be compliant with the LGPD, each organisation needs to verify every processing activity carried out with personal data, as well as the purposes of their processing, such as:
With this information in hand, the legal basis for the processing of the personal data should be established, and the organisation will need to record its processing activities in order to be compliant with the LGPD. Depending on the sensitivity of the processing, the organisation will also need to draft a Data Protection Impact Assessment report, which Brazil's National Data Protection Authority (ANPD) may request at any time.
When there is no other applicable legal basis, the organisation must obtain consent from the data subject in order to process the personal data. If the processing is carried out based on the data subject's consent, the organisation must be prepared to collect, store and manage the consent form, since it can be withdrawn at any time. In order for the consent to be considered valid, it has to be: freely given, specific, informed and with an unambiguous indication of the data subject’s agreement to the processing of their personal data, such as by a written statement, including by electronic means, or by other means that demonstrates the expression of will of the data subject. If there are any changes in the purpose for the processing of personal data, the data subject shall be informed in advance and the consent shall be duly updated.
Non-compliance with the LGPD may result in administrative penalties (including fines) and judicial lawsuits (individual or collective) seeking indemnification. The organisation may be subject to penalties such as:
In addition, the ANPD may require the organisation to temporarily or permanently suspend all processing activities for certain violations.
Even though the ANPD does not define which security measures organisations should have in place, organisations are required to implement a level of security that is "appropriate" to the risks presented by each processing activity. Organisations are also required to report any data breaches to the ANPD no later than two business days after the event.
If an organisation in Brazil suffers a cybersecurity incident and is not compliant with the LGPD, it will endure the consequences relating to the non-compliance with the LGPD and may undergo other legal consequences foreseen by the Brazilian legislation.
Legal consequences for an organisation affected by a cybersecurity incident
Since organisations must be able to protect all information stored in their information systems, when a cybersecurity incident occurs the entity can be punished and suffer other legal consequences. In Brazil, public prosecutors can initiate an administrative investigation of the incident and file a public civil action against the organisation. The compensation for collective moral damages in this type of class action can reach BRL20–50 million.
Affected consumers can also file a claim before the Consumer Protection Office (Procon), which will start an administrative procedure that can lead to fines and other punitive measures. Also, individual lawsuits can be filed by affected consumers, which can lead to compensation for moral damages (psychological harm due to exposure of any sensitive data), as well as compensation for material damages (financial losses caused by the data breach).
Other regulatory entities may also apply specific penalties based on scattered sectoral legislation, according to the volume and sensitivity of the data affected; the financial and health sectors stand out in this respect.
Reports of cybersecurity incidents have been constantly growing and it is almost certain that the number of attacks will continue to rise, not only in Brazil but globally. Hackers are getting more sophisticated and improving their technology, while companies are placing ever more value on their data, in a global scenario of change in consumer relations based on the intensive use of personal information. Consequently, organisations must pay extra attention to their cybersecurity infrastructure and prepare to avoid possible threats.
Sometimes an incident is inevitable, but how the organisation responds to the threat is very important and can help mitigate the legal consequences. This is because most punitive measures imposed on an organisation that has suffered a cybersecurity incident take into account not only the damage caused, but also how preventable the attack was and how the organisation responded to it. It is therefore very important to be prepared for an attack, to have an expert cybersecurity team to handle the threat and to offer adequate training to employees on this matter.
In Brazil, organisations also have to be concerned with the personal data stored in their information systems in the event of an attack, since the country has a new and strong regulation on this matter. Thus, in the event of a cybersecurity incident, an organisation may face the legal consequences foreseen by Brazilian legislation, as well as other legal actions under the LGPD if the personal data protection law was violated.