Subscribe to regular updates:
A close-up of the Brazil's regulatory approach to data governance, content moderation, competition and more.
This is the seventh issue of the “DPA Digital Digest” series based on the Digital Policy Alert database. This series provides concise summaries of each G20 nation’s recent policy changes in data governance, content moderation, competition and further domestic focal points.
Tommaso Giardini, Maria Buza
09 May 2023
Brazil’s economy, the largest in South America, is digitalising. In the past 15 years, Brazil tripled the share of its population with Internet access and grew the share of digitally deliverable services of its services exports from 46% to 65%, according to the OECD. Brazil’s Digital Transformation Strategy identifies thematic axes to promote Brazil’s digitalisation, including infrastructure and access to technology, research and development, and trust in the digital economy.
But what do Brazil’s domestic digital policies stand for? The seventh DPA Digital Digest provides a succinct overview of the latest policy and enforcement developments in major policy areas and Brazil-specific points of emphasis.
Discover the details of Brazil’s approach below and stay informed on our dedicated page:
Remain up-to-date on new and upcoming policy developments with our free notification service: https://digitalpolicyalert.org/subscription
Data protection policy developmentsBrazil’s General Data Protection Law was implemented in 2021, following a grace period. The Law unifies over 40 statutes governing personal data protection and establishes the national data protection authority (ANPD). The Law defines data controllers, processors and subjects and distinguishes different types of personal data. Data subjects are granted the rights to be informed and opt out of data processing, to access, rectify and erase data, as well as data portability. Data controllers must implement preventive, detective and responsive security measures against data breaches. They must report data breaches to the ANPD and affected data subjects within a “reasonable” time. The ANPD’s guidance specifies that notification is due within two working days of obtaining knowledge of the incident.
In 2022, a constitutional amendment enshrined personal data protection as a fundamental right in the Brazilian constitution. Currently, specific privacy protections including rules for minors’ data processing, data access in research, consent-based data processing and data retention for criminal investigations are under consideration in Brazil’s “fake news” law (see content moderation below).
Data transfer/localisation developmentsThe General Data Protection Law allows the cross-border transfer of personal data only to countries with an equivalent level of data protection. Mechanisms to establish equivalence include governmental adequacy decisions, approved contractual clauses and binding corporate rules, as well as certification and authorisation by the ANPD. Other justifications include consent and necessity regarding international legal cooperation or compliance with legal or contractual obligations. In 2020, a proposed amendment requiring the local storage of Brazilians’ personal data and prohibiting the use of cloud computing services storing data abroad was rejected. Since 2022, the ANPD is deliberating a regulation for data transfers. Its consultation covered compliance obstacles and mechanisms as well as interoperability for contractual tools.
In April 2023, Brazil enacted the Convention on Cybercrime. The Convention enables authorities conducting criminal investigations to request information from foreign governments to identify foreign domain owners and to request user information directly from foreign service providers.
In August 2021, the government issued instructions concerning cloud service procurement for federal agencies, requiring government data to be hosted in Brazil. Cloud service providers must store local copies of all government data. Classified data cannot be processed outside of Brazil.
Secondary legislation and enforcement developmentsBrazil’s newly established national data protection agency (ANPD) has published regulations on administrative penalties as well as the inspections and sanctioning process. The ANDP is currently deliberating guidance on the processing of minors’ personal data and "high-risk" personal data, having published guidance on cookies and data protection impact reports.
In March 2023, Brazil's Supreme Court denied compensation following a data leak concerning the plaintiff’s name, birth date, address and ID number. The court denied compensation because the plaintiff did not prove "indemnifiable moral damage". This proof was required because the leak did not concern sensitive data.
Content moderation developmentsFake news has been at the centre of over 50 legislative proposals in Brazil. The government is currently fast-tracking the fake news law of 2020 (Law on Freedom, Responsibility and Transparency on the Internet). The Law introduces requirements for “social networks” and private messaging service providers with over 2 million registered users. Both providers must appoint legal representatives in Brazil, establish “disinformation” reporting mechanisms, and both explain content moderation decisions and allow user appeals. Social networks must not host inauthentic accounts, are required to label sponsored content and must regularly publish statistics on moderated posts and accounts. Private messaging service providers must limit the number of times a message can be forwarded, disable the reception of mass messages by default, and limit the dissemination of disinformation. Current amendment proposals include preventive moderation obligations, which sparked reactions from digital platforms that in turn had to be taken down following a court order in May 2023.
In April 2023, the government initiated a campaign against social media content promoting violence in schools (Operation Safe School). The campaign is conducted by the National Secretariat for Public Security, which coordinates user identification data submissions by social media platforms, creates a database of illegal content, provides guidance to platforms and can require platforms to remove content it considers harmful.
Before the 2022 elections, the Supreme Electoral Tribunal (TSE) approved a resolution to combat disinformation that could compromise the integrity of the electoral process. The resolution empowered the president of the TSE to order “digital platforms” to immediately remove false or defamatory news of presidential candidates, threatening fines of BRL 100,000 (approx. USD 20,000) per hour of non-compliance. The TSE’s determination extended to reproduced content, without requiring new determination. In addition, paid online political advertising was banned 48 hours before and 24 hours after the election.
In 2021, the Supreme Court suspended a decree that prohibited social media platforms from deleting content, including disinformation, or suspending users without a court order, with the exception of threats of violence, terrorism, sexual crimes and cyberattacks, among others.
In 2020, Brazil introduced a bill enabling news organisations to request remuneration for the publication or hyperlinking of their content or demand removal. The bill has not progressed.
Enforcement developmentsIn April 2023, the government reported that “Operation Safe School” led to 812 content removal requests within 7 days. The consumer protection authority requested Facebook to report on its measures to monitor, limit and restrict online content that promotes violence against schools and students.
In April 2023, the government temporarily suspended messaging app Telegram for failing to provide information on users of an anti-semitic group to the police upon request. Following an appeal, a court lifted the suspension but upheld the daily fines of BRL 1 million (approx. USD 200,000). Previously, in March 2022, the Supreme Court revoked the blocking of Telegram for failing to appoint a legal representative and submitting an action plan to combat disinformation (as well as suspend a journalist’s account).
In March 2023, Senacon requested Google and Facebook to remove illegal content concerning online credit card scams within 48 hours upon notification.
Competition policy developmentsIn November 2022, Brazil introduced the Bill Regulating Digital Platforms. Broadly defined “digital platforms” with local annual revenues over BRL 70 million (approx. USD 13.8 million) are considered "essential access control power holders". This status entails transparency and reporting requirements, as well as obligations to treat users in a non-discriminatory manner and not to refuse service to business users. The Bill grants the National Telecommunications Agency (Anatel) regulatory and administrative powers to regulate digital platforms. Anatel can settle conflicts between platforms and professional users, investigate violations of user rights, fine platforms up to 2% of their local annual revenue and suspend certain business activities.
Enforcement developmentsThe Brazilian Administrative Council for Economic Defence (CADE) is the main enforcement agency for competition and has investigated several large digital platforms. Since January 2023, CADE is investigating Apple for requiring app developers to use the App Store payment system and restricting developers’ ability to direct users to their websites. In 2019, CADE closed its investigation into Google for the alleged abuse of dominance in the advertising sector. CADE denied the anti-competitive effects of restrictive clauses in contracts with advertisers, preventing advertisers from using other search platforms. In October 2022, CADE approved the Microsoft/Activision Blizzard acquisition
A distinguished focus of CADE’s enforcement is exclusivity clauses. In September 2022, CADE signed a cease-and-desist agreement with gym membership platform Gympass, prohibiting the company from implementing exclusivity clauses. Gympass previously prevented gyms from signing with competing service providers. In February 2022, CADE signed a similar agreement with food delivery provider iFood, due to its practice of preventing restaurants and supermarkets from registering themselves with competitors. iFood is prohibited from implementing exclusivity clauses, has a cap on the percentage of exclusive restaurants on its platform, and must allow its partners to cooperate with and offer promotions on rival food delivery platforms.
In 2022, the Ministry of Justice ordered Apple to stop selling the iPhone 12 without a charger and pay BRL 12.3 million (approx. USD 2.4 million). The Ministry deemed the practice to be discriminatory against consumers, i.e. selling an incomplete product.
 The law covers intermediary platforms, search, social media, video-sharing and messaging services, operating systems, cloud computing services, and online advertising services.
Further points of emphasis
In 2021, Brazil adopted its Artificial Intelligence (AI) Strategy to strengthen research, development and innovation in AI. The strategy establishes principles including privacy, security, ethics, human rights by design, transparency, equity and non-discrimination. The strategy covers workforce creation, research and development, innovation and entrepreneurship, government application and public safety, among others. Finally, the strategy outlines objectives, including research on AI ethics, national education reform, diversity in AI research, and AI-friendly ecosystems for the private and public sectors.
Since 2020, Brazil is deliberating the Artificial Intelligence Bill. The Bill would create a legal framework for the development and use of AI-based applications. The framework emphasises human rights and democratic values, equality, non-discrimination, plurality, free enterprise and data privacy. AI developers and operators face various duties including compliance with data protection obligations, legal responsibility for AI decisions and AI impact reporting.
Brazil has advanced several proposals to tax digital services. In April 2023, Brazil's finance minister announced a "digital tax" on e-commerce shipments, following negotiations with e-commerce provider Shein. The proposal would not impose a new tax but rather amend the tax collection system. It obliges e-commerce platforms to collect taxes before shipping goods and exempts consumers from tax collection during purchases. Brazil recently refrained from ending a tax exemption on international individual-to-individual orders with values below USD 50.
Previously, Brazil proposed several digital service taxes that eventually did not advance but prompted an investigation by the United States Trade Representative. The Social Contribution on Digital Services would apply to companies with global revenues exceeding BRL 4.5 billion (approx. USD 900 million). It includes a tax rate of 3% on revenues from digital services supplying “digital data”, including electronic files, programs, applications, music, videos, texts and games, as well as applications that allow users to transfer digital content. The proposed Contribution for Financing Social Security would apply the highest tax rate of 10.6% to companies exceeding monthly revenue thresholds of BRL 20 million (approx. USD 4 million) globally and BRL 6.5 million (approx. USD 1.3 million) locally. It covers revenues from communication platforms, the online sale of goods and provision of services, and online advertising. The proposed Contribution for Intervention in the Economic Domain would introduce a progressive tax rate between 1% and 5% on revenues from online advertising, e-commerce, and data transfer services. It covers companies exceeding annual revenues of BRL 3 billion (approx. USD 600 million) globally and BRL 100 million (approx. USD 20 million) locally.
In June 2023, the “Crypto Bill of Rights”, regulating the cryptocurrency market, enters into force. The Law recognises cryptocurrencies as a valid payment method and requires virtual asset service providers to seek governmental authorisation before operating. The Brazilian Securities and Exchange Commission (CVM) is in charge of oversight. Previously, the CVM published guidance on the criteria for cryptocurrencies to be classified as securities. The CVM differentiates between payment tokens, utility tokens and asset-backed tokens. New technologies used for token trading, including bookkeeping, centralised deposit, registration and settlement of securities transactions, are considered securities.