

There are few specific regulations for information technology in Brazil and the regulations that do exist mostly concern the protection of software. Draft legislation concerning computer crimes, digital signatures and the authenticity of digital documents is under discussion. In the meantime the Civil Code (Law 3,071 of January 1 1916) and the Consumer Protection Code (Law 8,078 of September 11 1990) adequately regulate issues concerning the privacy of databases, the protection of personal information, and the validity of contracts and documents, although some interpretative work is necessary to adapt old legal concepts for the digital age.


Computer software is ruled by Law 9,609/98 of February 20 1998. Software is considered to be copyrightable subject matter and the Copyright Law also applies.

Software is protected for 50 years from January 1 of the year following its publication, release or creation. Registration is not required for the protection of software copyrights, although the Patent and Trademark Office accepts the registration of computer programs.

Rights relating to software that is developed during employment rest with the employer unless the relevant contract includes a contrary provision. All rights relating to software that is created by the employee outside the employment relationship are reserved to the employee.

Law 9,609/98 requires that software sold in Brazil must bear the technical validity period in the licence agreement, purchase invoice or package. The software licensor and/or authorized distributor must provide technical maintenance and assistance for customers during the technical validity period.

The law lists clauses that are considered abusive in licence agreements. Invalid clauses include those that exempt any party from responsibility for indemnifying losses or damages caused to third parties by viruses, flaws or defects of the software, and/or copyright infringement.

Technology transfer agreements relating to software must be registered with the Patent and Trademark Office in order to be effective against third parties. For the purposes of registration the source code and other technical documents relating to software are recorded secretly with the office.

Violation of software rights is subject to the following penalties:

  • detention for between six months and two years, or a fine;
  • imprisonment for between one and four years and a fine if the software copyright infringement involves counterfeiting; or
  • imprisonment for between one and four years and a fine if a person sells, makes available to commerce, brings into the country, acquires, hides or stores, for commercial purposes, the original or a copy that has been created by an infringing third party.

A software owner is entitled to provisional remedies that include the removal of the relevant hardware (especially personal computers) and claims for loss and damages against the infringer. The statute of limitations to recover losses and damages for copyright infringement is five years.

A company's criminal responsibility is attributed to its legal representatives at the time of the crime.

The following do not constitute software infringement:

  • reproduction of legally acquired software for back-up purposes;
  • similarity to pre-existing software, if the resemblance concerns technical restrictions or the specific characteristics of the program's application; and
  • integration of software into an operating system, if it is for the integrator's private use.

Database Protection

Databases are protected as copyrights under Copyright Law (Law 9,610 of February 20 1998). Regulations covering contract protection, trade secret and unlawful competition are also applied to the use of databases. Several laws in the areas of telecommunications, banking and crime protect data itself.

The 1988 Constitution grants the fundamental right to privacy. The Consumer Protection Code (Law 8,078 of September 11 1990) regulates the collection of personal information and the protection of databases. The code emphasizes that a consumer's consent should be obtained before collecting personal data. It also establishes that consumers shall have continuous access to personal data. It restricts the keeping of registers that hold 'negative' information to five years.

Following world trends concerning self-regulatory e-commerce practices, a research organization affiliated to the University of São Paulo (Fundação Carlos Alberto Vanzolini) created a Reference Rule for Online Privacy (Norma de Referência da Privacidade Online, June 2000).

The reference rule is the result of an adaptation of various legal sources on privacy practices, such as ISO9000, as well as recommendations issued by official agencies and foreign legislation. These include the American Senate's Federal Trade Commission, the European Council, the Spanish Agency on Data Protection and the British Data Protection Act.

Although the reference rule is not considered to be enforceable it provides an efficient method for evaluating quality and commitment levels of companies that collect data and use databases. The rule has become a standard reference document in Brazil. Privacy certificates are issued to companies on its basis.

The reference rule foresees certain minimum standards for a privacy policy:

  • The user must be able to identify the company that is collecting personal data;
  • The company must make clear what information is being collected, the purpose of obtaining the data and whether it will be forwarded to third parties;
  • The company must take all precautions to guarantee the integrity and security of use of the personal data;
  • The user must be entitled to refuse to provide personal data. In this case, the company must explain the consequences of refusal;
  • The company must allow users to halt the company's use of their personal data;
  • The company must request the consent of users prior to commencing the personal data collection;
  • The company must offer a free communication channel so that users can access, amend and update personal data;
  • The company must inform users of the exact extent of its privacy policy concerning third parties' use;
  • The privacy policy must be displayed in an easily accessible manner, so that the user can read and accept its terms before the commencement of any data collection; and
  • The privacy policy must be explained to all company staff.

The Habeas Data Law (Law 9,507 of November 11 1997) also covers the demand for access to and rectification of personal data contained in public registers. This law determines the procedure for obtaining personal data stored in public registers.

IT Crime

A project that is under discussion in Congress relates to IT crimes. The project determines that all internet service providers must keep a register of their clients' names, addresses and identification registration numbers. This must be kept for at least three years.

The collection of personal data will be subject to the prior authorization of the relevant person or legal entity. Use of personal data may be suspended at the request of the person or entity. Penalties are imposed for unauthorized disclosure of sensitive or personal data.

Most of the newly recognized crimes are not yet covered by criminal law. If the project is approved, the following actions will be prohibited:

  • 'hacking' of private databases or computer networks;
  • unauthorized destruction, modification or erasure of electronic data;
  • electronic distribution of child pornography; and
  • spreading of computer viruses.

Provisions are not yet enforceable and are still subject to change.

A related governmental aim is the manufacture of inexpensive computers (costing around $200) so that they can be made available to low income families. This task is to be handled in conjunction with the Ministry of Science and Technology. Further information can be obtained at

Tax Incentives

On January 12 2001 the legislative branch enacted Law 10,176 which regulates the capacity and competitiveness of the IT sector.

According to the law, domestic companies that develop and manufacture IT and computer goods will enjoy the following benefits:

  • a 95% reduction of tax on manufactured goods until December 31 2001 followed by further annual reductions until 2009;
  • the maintenance and use of the credit of the tax on manufactured goods that relates to raw material, intermediary products and packing material; and
  • accelerated undervaluing.

The IT goods that are manufactured in the domestic tax exemption zone (Zona Franca de Manaus) will continue to be exempt from the tax on manufactured goods until 2013.

The annual investment for research and development of 5% of the gross income obtained from the sale of goods and services in the IT sector is still obligatory. Tax deductions on this investment are allowed but at least 2.3% of the gross income shall be invested under the new IT law.

The law defines the concept of 'IT goods' in the following terms:

  • electronic components including semiconductors, optical electronics and various raw electronic materials;
  • digital machines and equipment and the respective electronic raw materials, parts, pieces and physical support for the operation;
  • computer programs, machines and equipment relating to information treatment and associated software; and
  • technical services associated with the above goods and services.

Also, the new law determines that cell phones and video monitors can be considered to be IT goods.

The new law requires further regulation in the form of decrees. Future decrees are expected to define the procedures and requirements that are necessary in order for the IT industry to be exempt from tax.

For further information on this topic please contact Maristela Basso at Tozzini, Freire, Teixeira e Silva Advogados by telephone (+55 11 232 2100), by fax (+55 11 232 3100) or by e-mail.
