Market overview

Kinds of transaction

What kinds of cloud computing transactions take place in your jurisdiction?

Cloud computing is a reality in Brazil in various industry sectors and businesses. Cloud computing services and business models include the offering of cloud-based storage solutions, software-as-a-service (SaaS), infrastructure-as-a-service (IaaS) and others, and both the private sector and public entities take part in contracting cloud-based solutions.

According to 2018 research by Logicalis (www.la.logicalis.com/globalassets/latin-america/advisors/pt/_it_snapshot_2018_web.pdf), the private cloud model is adopted by 60 per cent of companies, while 53 per cent use the public model and 31 per cent use a hybrid solution. The percentage for hybrid solutions is expected to reach 64 per cent by the end of 2018.

Active global providers

Who are the global international cloud providers active in your jurisdiction?

The most relevant worldwide cloud service providers already have local presence or operations in Brazil including, for example, Microsoft, Oracle, Verizon, SAP, IBM and, more recently, Google.

Apple and telecommunications companies, such as Vivo and Claro, also provide cloud storage services in a business-to-consumer model.

Other providers offer cloud-based products or licences to Brazilian customers or companies through local subsidiaries or partners. Some local entities are used by major international providers for marketing purposes or for maintenance and implementation, while the cloud products or licences are actually provided by foreign entities of the same economic group.

Active local providers

Name the local cloud providers established and active in your jurisdiction. What cloud services do they provide?

Apart from the local entities of international groups, the number of Brazilian cloud providers is increasing each year. These companies include Locaweb, Cloud2Go, Tivit and Mandic.

Telecommunications companies, such as Vivo (controlled by the Spanish group Telefónica), also provide storage services to their customers.

Market size

How well established is cloud computing? What is the size of the cloud computing market in your jurisdiction?

Brazil is already a large market for cloud providers, with its figures drastically increasing each year.

According to recent research by Citrix (referenced in these articles: https://computerworld.com.br/2018/08/30/brasil-ampliara-investimento-em-cloud-em-linha-com-cenarios-futuros/ and https://exame.abril.com.br/negocios/dino/us-43-bilhoes-de-um-lado-us-93-bilhoes-de-outro-cloud-e-seguranca-destacam-empresas-brasileiras/), 57 per cent of Brazilian companies already adopt cloud computing solutions for their businesses. Moreover, 74 per cent of Brazilian companies intend to invest in cloud technologies in the near future and to integrate services and applications to a cloud in the next three years.

The International Data Corporation estimated that, in 2017, investment in the cloud computing sector reached approximately US$20 billion (https://exame.abril.com.br/negocios/dino/us-43-bilhoes-de-um-lado-us-93-bilhoes-de-outro-cloud-e-seguranca-destacam-empresas-brasileiras/).

However, a portion of Brazilian companies still do not completely trust the security of the cloud computing model and fear being dependent on a service provider (lock-in). They view the quality of telecommunications infrastructure as a limitation for adopting cloud-based solutions (www.la.logicalis.com/globalassets/latin-america/advisors/pt/_it_snapshot_2018_web.pdf).

Impact studies

Are data and studies on the impact of cloud computing in your jurisdiction publicly available?

Publicly available research on the impact of cloud computing in Brazil is primarily developed by private entities, with a few exceptions published by the government. A recent study by Logicalis (a private consulting entity) predicts an optimistic future for the IT market (www.la.logicalis.com/globalassets/latin-america/advisors/pt/_it_snapshot_2018_web.pdf).

According to this research, half of the Brazilian companies that were interviewed have IT solution budgets 14 per cent higher in 2018 than 2017, while 34 per cent of companies expect to keep the same level of investment as 2017.

Policy

Encouragement of cloud computing

Does government policy encourage the development of your jurisdiction as a cloud computing centre for the domestic market or to provide cloud services to foreign customers?

The government is taking steps to encourage the development and dissemination of new technologies, including cloud computing. One initiative is a federal programme called Strategic Program for Software and IT Services.

The government issued a statement in 2012 stating that it planned to invest 486 million reais in this segment alone (40 million reais for start-ups only and 446 million reais for companies that develop software for certain industries) and, in 2014, six major technology companies entered into memorandums of understanding with the Ministry of Science, Technology and Innovation to install research and development centres in Brazil.

Other government programmes, such as ‘Brasil Mais TI’, are also targeted at developing students’ IT-related skills, including those related to programming, internet and cloud.

Additionally, in 2016, the federal government published a guide to assist public bodies in contracting cloud computing services (www.governodigital.gov.br/documentos-e-arquivos/Orientacao%20servicos%20em%20nuvem.pdf). This guide included recommendations for data to be kept in the Brazilian territory and for the adoption of a hybrid cloud solution for cases that do not compromise national security.

Incentives

Are there fiscal or customs incentives, development grants or other government incentives to promote cloud computing operations in your jurisdiction?

Currently, there are no specific fiscal or customs incentives for cloud computing in Brazil. Instead, it has not yet been defined which tax is applicable: ICMS (a VAT-like tax), which is collected by Brazilian states, or ISS (service tax), which is collected by Brazilian municipalities.

If the service tax ends up prevailing, then there is an indirect incentive for cloud service providers to be located in the Brazilian territory (ie, a local entity as the cloud provider) since the amount of taxes applicable to providers located abroad is significantly higher for importation of services.

Once it is defined which tax is applicable to cloud computing solutions, it is very likely that Brazilian states (in case of VAT-like tax) or municipalities (in case of service tax) will create tax incentives to bring service providers to their locations.

See questions 24 and 25 for more tax-related information.

Legislation and regulation

Recognition of concept

Is cloud computing specifically recognised and provided for in your legal system? If so, how?

There is no express reference to cloud computing in Brazilian federal laws. However, the Brazilian Central Bank issued Resolution No. 4,658 on 26 April 2018, which sets forth requisites for processing and storing data and for cloud computing solutions for information collected by financial institutions (see question 13).

Note that there are federal laws that apply specifically to internet operations and to data protection, which impact cloud computing and their providers.

The Brazilian Civil Rights Framework for the Internet (Federal Law No. 12,965/2014 (the MCI)), which was further regulated by Federal Decree No. 8,771/2016, provides for principles, rights and obligations regarding the use of the internet in Brazil, and sets forth obligations for internet connection and application providers, which are relevant for cloud computing solutions in general.

Recently, the Brazilian General Data Protection Act (Federal Law No. 13,709/2018 (the BR GDPA)) was sanctioned and will come into force in February 2020. The BR GDPA will apply irrespective of industry or business when personal data is collected or processed. Among other norms, it provides for user consent for the collection, processing and transfer of data (with specific provisions pertaining to cross-border transfer), data security and data breaches, sensitive personal data and situations for ceasing the processing of data.

Governing legislation

Does legislation or regulation directly and specifically prohibit, restrict or otherwise govern cloud computing, in or outside your jurisdiction?

Brazilian legislation does not directly and specifically prohibit or restrict cloud computing services, either in or outside Brazil.

In 2018, the Brazilian Central Bank issued Resolution No. 4,658, which provides for precautions to be taken by financial institutions in contracting cloud services and for the responsibility of such institutions for the reliability, integrity, availability, security and confidentiality of the contracted cloud services. The financial institution must notify the Central Bank prior to contracting the services and certain requirements must be met for the cloud service to be rendered abroad.

See questions 8 and 10 for information on norms applicable to cloud computing and internet-based services.

What legislation or regulation may indirectly prohibit, restrict or otherwise govern cloud computing, in or outside your jurisdiction?

The MCI provides for rights and obligations for different stakeholders on the internet and sets forth parameters for the protection of user data. The MCI is applicable to internet connection and application providers in general. It provides for a vague and broad definition of internet application providers (‘a set of features that might be accessed through a computer connected to the internet’), which potentially makes cloud computing services subject to such legislation.

General requirements are related to the following obligations and provisions:

  • access logs data retention by internet application providers;
  • users’ rights in connection with personal data;
  • agreement provisions that might be considered void under Brazilian law;
  • obligation to provide information on data processing activities;
  • data request by Brazilian authorities; and
  • liability for content created by third parties.

The BR GDPA will be applicable irrespective of industry or business when it comes to the processing of personal data. Among other norms, it provides for user consent for the collection, processing and transfer of data (with specific provisions pertaining to cross-border transfer), data security and data breaches, sensitive personal data and situations for ceasing the processing of data.

It is also worth mentioning Decree 8135/2013, enacted by the federal government in response to the Snowden revelations. This Decree sets forth that all ‘data communication’ of the federal government must take place in networks and services provided by public companies belonging to the federal administration. The Decree, however, failed to work in practice and has been largely ignored by the government.

Breach of laws

What are the consequences for breach of the laws directly or indirectly prohibiting, restricting or otherwise governing cloud computing?

According to the MCI, if an internet application provider (in which category cloud computing providers are included) fails to comply with a take-down order issued by a court (or with an extrajudicial letter sent by an affected party in case of pornography or sexual content), it may be held liable for content created by third parties. Thus, the MCI established a safe harbour for such situations, by which an application provider is not held liable before it is notified either by a party or by a judge.

If the application provider fails to comply with a court order or extrajudicial letter, it would likely be sentenced to pay an indemnification for material or moral rights to the aggrieved party, depending on the facts of the case (there are several types of content that may be deemed unlawful under Brazilian laws, the most common types of which are defamation, racism, child pornography, bullying, rights of publicity and other personality rights).

The MCI also provides for penalties of warning; administrative fines of up to 10 per cent of the income of the economic group in Brazil, net of taxes, to be calculated according to the economic condition of the offender and the principle of proportionality between the severity of the offence and the intensity of the penalty; and suspension or prohibition of the activities pertaining to the collection, storing or processing of logs, personal data or communications.

Apart from administrative fines that may be imposed according to the MCI, courts can impose fines for non-compliance with preliminary injunctions or final decisions ordering the removal of content or the producing of data. There is no limitation for such penalties, which are set by judges on a case-by-case basis. Courts may also award damages if the company fails to obey the court order to remove the content.

If the company does not take down a specific content after a court order, this could be considered a crime of ‘disobedience’ (article 330 of the Brazilian Criminal Code), the penalty for which is 15 days’ to six months’ imprisonment (for officers or administrators) and a fine. The risk of criminal liability is higher in matters involving criminal organisations or child pornography.

Regarding infringements of the provisions of the BR GDPA, in addition to liability for moral and material damages, data-processing agents are subject to the following administrative sanctions: warning with a deadline for implementing corrective measures; fine of up to two per cent of the revenues earned by the legal entity, group or conglomerate in Brazil in the preceding year, net of taxes, capped at 50 million reais per offence; daily fine, subject to the cap referred to above; disclosure of the offence after its occurrence has been investigated and confirmed; blocking of the personal data to which the offence refers, until the processing activity is regularised; and deletion of the personal data related to the infringement.

Consumer protection measures

What consumer protection measures apply to cloud computing in your jurisdiction?

Legal consumer relations in Brazil are regulated by Law No. 8.078/1990 (the Consumer Protection Code or CDC), which governs all consumer relationships, including cloud computing products or services where there is a supplier on one side and a consumer on the other side. ‘Consumer’ for this purpose is defined as any individual or legal entity that acquires or uses products or services as an end user.

The CDC protects consumers and, in general, its language allows consumers to file claims against companies involved in the supply chain. If an entity is not directly responsible for damage suffered by the consumer, such company may seek the amount paid by it to the consumer from the other liable company.

The CDC sets forth a 30-day or 90-day deadline for the consumer to file a suit pertaining to a defective product or service and a five-year period for damages caused to the consumer’s physical or mental health.

The supplier (where the consumer is an individual) cannot disclaim or limit its liability for product or service defects, and all contractual clauses with this language will be null and void. The agreement also cannot include clauses impairing, disclaiming or mitigating obligations to indemnify. There is no legal restriction on the warranty term apart from the 30-day or 90-day terms counted from the delivery of the product or from the rendering of the service, but any contractual warranty must be clear, precise and additional to the legal warranty.

The CDC also provides for a right to regret, by which consumers have the prerogative to return a product or a service contracted outside the point of sale within seven days of delivery. Currently, this rule applies to purchases made through the internet, where the consumer has no physical contact with the product or service.

Choice of foreign law and arbitration/foreign venue clauses in consumer contracts are usually held null and void by Brazilian courts, especially small claims courts, because they tend to complicate the consumer’s pursuit of his or her rights. However, in a 2018 decision, the Superior Court of Justice considered that the nullity of a choice of venue clause (where the elected venue was a different city of the same Brazilian state) was contingent on the proof of harm to the consumer’s ability to claim his or her rights.

Sector-specific legislation

Describe any sector-specific legislation or regulation that applies to cloud computing transactions in your jurisdiction.

The Brazilian Central Bank issued Resolution No. 4,658 on 26 April 2018, which sets forth requisites for processing and storing data and for cloud computing activities related to information collected by financial institutions.

Resolution No. 4,658/18 sets forth that the outsourcing of relevant data processing, storage and cloud computing services must be communicated in advance by the financial institution to the Central Bank. Such communication must comprise the name of the service provider, the service being outsourced and the indication of the countries where the services may be rendered and the data may be stored and processed.

The financial institution contracting cloud services must implement procedures to verify the ability of the service provider (a company that offers cloud computing, data storage and processing services to financial institutions) to ensure:

  • compliance with prevailing laws and regulations;
  • the institution’s access to the data and information to be processed or stored by the service provider;
  • the confidentiality, integrity, availability and recovery of data and information being processed or stored by the service provider;
  • the service provider’s adherence to certifications required by the institution for outsourcing of the corresponding services;
  • the institution’s access to reports prepared by an independent expert audit company hired by the service provider concerning the controls and procedures being adopted for outsourced services;
  • the availability of management information and resources that are adequate to monitoring the outsourced services;
  • the identification and segregation of data belonging to the institution’s clients, via physical or logical controls; and
  • the quality of access controls targeted at protecting the data and information referring to the institution’s clients.

Insolvency laws

Outline the insolvency laws that apply generally or specifically in relation to cloud computing.

There are no insolvency laws in the Brazilian legal system that apply specifically to cloud computing. The general provisions governing liquidation and recovery in insolvency proceedings are provided for in Federal Law No. 11.101/2005 (the Insolvency Law).

The Insolvency Law provides for which credits or creditors have preference with regard to the others in insolvency or credit recovery, and a Brazilian customer seeking to enforce rights against an insolvent cloud computing provider would have to follow the regular procedures, being in general a regular creditor (unless there is a specific guarantee with respect to the services provided). Micro or small companies, for instance, have certain benefits (representation in general meetings, for example) and their credits come before general unprivileged credits.

Data protection/privacy legislation and regulation

Principal applicable legislation

Identify the principal data protection or privacy legislation applicable to cloud computing in your jurisdiction.

The BR GDPA is the main norm that will apply (after February 2020) to any personal data processing activity in Brazil. It will create a robust legal landscape for personal data processing and will strengthen data subjects’ rights in relation to their personal data. It applies irrespective of industry or business when it comes to the processing of personal data. Among other norms, it provides for user consent for the collection, processing and transfer of data (with specific provisions pertaining to cross-border transfer), data security and data breaches, sensitive personal data and situations for ceasing the processing of data.

It also provides for the implementation of controlled processes to ensure data subjects’ rights, such as the rights to access, correction, anonymisation, blocking, deletion and portability of personal data, and for the possible creation of several documents by companies, including privacy policies, consent forms, internal manuals, agreements with data operators and with companies with whom they share collected personal data, documentation supporting cross-border transfers of personal data, and impact assessment reports.

Additionally, there are provisions of the MCI and the Federal Decree No. 8,771/2016 that are applicable to data processing in general, including cloud computing providers. Such provisions include obligations to keep access logs for a minimum period of time; to obtain consent for the processing of personal data (and such processing must be adequate and clear); to use the data only for the purposes that justify its collection; and to delete the collected personal data as soon as its processing is finished.

General provisions provided by sparse laws may also be applicable depending on the issue involved (eg, for consumer relationships, the Consumer Protection Code will apply).

Cloud computing contracts

Types of contract

What forms of cloud computing contract are usually adopted in your jurisdiction, including cloud provider supply chains (if applicable)?

There are a few main forms of cloud computing contracts usually adopted in Brazil: IaaS (where the contracting party seeks to rent IT infrastructure usually for the processing, storing or transferring of data); platform-as-a-service (mainly for developing, delivering and managing software applications); and SaaS (for a wide range of activities, including communications, collaboration, productivity, customer management, taxing and account activities, etc).

Typical terms for governing law

What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering governing law, jurisdiction, enforceability and cross-border issues, and dispute resolution?

In B2B contracts, parties are generally free to choose the applicable law and to elect a venue for dispute resolution. When the parties to the contract are all Brazilian entities, the governing law and the venue chosen for dispute resolutions are usually Brazilian.

When the cloud computing provider is not a Brazilian entity (eg, when the provider does not have operations in Brazil or when its local entity is only for marketing, implementation or maintenance), the parties may negotiate different applicable law and dispute resolution clauses, including foreign law and foreign courts or arbitration tribunals.

However, the MCI provides that, in adhesion agreements, where the terms of the agreement are standard and the contracting party is not able to negotiate its clauses, any foreign forum selection clause for disputes arising out of services rendered in Brazil will be null and void.

Note that, under the CDC, a company could be considered a consumer if it acquires the product or service as an end user and it is vulnerable when compared with the supplier of products or services, so the CDC may also apply in B2B contracts. In this case, any provision that limits or impairs the consumer’s pursuit of rights (such as the election of foreign law or foreign courts or arbitration) is likely to be considered null and void by Brazilian courts.

Typical terms of service

What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering material terms, such as commercial terms of service and acceptable use, and variation?

In general, cloud computing services are paid for on a monthly basis, and prices can be either a fixed amount or an amount according to the volume of use (eg, the amount of data stored or processed). The agreements may include regular monetary adjustments according to national inflation indexes.

Service level agreements are also common, and they usually provide for minimum efficiency levels and discounts or penalties in case such levels are not met.

Typical terms covering data protection

What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering data and confidentiality considerations?

Cloud computing contracts usually cover security measures applicable to data, especially personal data collected by a party. These security measures may comprise data isolation, minimum standards and parameters, encryption and backups.

Some companies provide in their contracts that the data will be kept in servers in the Brazilian territory (which may be a requirement for public contracting entities).

After the MCI, companies have been including consent clauses in their agreements to support their collection and processing of personal data. This will be strengthened and more detailed in contracts until February 2020, when the BR GDPA enters into force and the companies’ practices will need to comply with its provisions, so changes to the standard cloud computing agreements are expected by then.

Typical terms covering liability

What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering liability, warranties and provision of service?

Parties are generally free to negotiate clauses covering liability, warranties and provision of service. Thus, liability or indemnification caps are common, as well as warranties for the rendered services and service level agreements with a minimum level of service to be met by the provider.

If the clauses are abusive, especially if the contracting party is vulnerable and not able to negotiate the contract terms (eg, in the case of an adhesion contract), they could be considered null and void in litigation. This could be the case for small liability caps that do not cover a substantial amount of the damage caused by a provider to the contracting party.

Finally, the CDC (which may apply to agreements entered into by legal entities) provides that, although any clause that limits the responsibility of the supplier for damages caused to individual consumers will be null, this is not the case for consumer relationships where the consumer is a legal entity and there is justification for the limitation of liability.

Typical terms covering IP rights

What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering intellectual property rights (IPR) ownership in content and the consequences of infringement of third-party rights?

Cloud computing agreements usually provide that there will be no transfer of ownership and that all intellectual property will be held by the party who owns it in the first place.

This means that the cloud computing provider will keep all intellectual property related to the provision of services and to the technology related to the services, and the customer will keep all intellectual property on the content that it provides for the services to be rendered (for example, the content uploaded to a cloud storage).

It is also common to include in contracts clauses by which the customer declares that it is responsible for the content that it provides for the rendering of services, and that it shall not infringe any third-party rights (eg, that the customer will not keep infringing material in a cloud storage).

In the case of third-party intellectual property infringement, the parties usually agree that the infringing party will indemnify the other in case it is held liable.

Typical terms covering termination

What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering termination?

Termination clauses depend on the nature of services being rendered. While certain agreements allow for any party to terminate at any time, others may provide for predetermined agreement terms or extension cycles (eg, one-year terms extendable for successive one-year terms) with certain periods for termination notices (eg, at least 30 days before the end of the current term). In this situation, there could be penalties where the agreement is terminated early or not in accordance with the procedure set forth in the termination clause.

Typically, termination clauses cover the return or destruction of the data provided by the customer under the agreement in a safe manner to ensure that no data will be lost or unduly breached by third parties, and confidentiality terms will apply to both parties for an indefinite or limited amount of time.

The MCI obliges all internet application providers (and such definition comprises cloud computing providers) to keep internet application access logs for a minimum of six months, and some companies include this data retention in their agreements to inform their customers about this legal obligation to keep data for some time.

The BR GDPA provides that personal data should be deleted after its processing purpose has been reached, with a few exceptions, which include transfer to third parties and exclusive use of anonymised data. This matter can be included in a termination clause in case the cloud computing provider wishes to use data after the termination of the agreement, provided that all limitations under the BR GDPA are met.

Employment law considerations

Identify any labour and employment law considerations that apply specifically to cloud computing in your jurisdiction.

There are no specific labour laws applicable to cloud computing.

If, in a specific contractual situation, cloud computing is considered as not a mere provision of services but as an outsourcing of workforce for the contracting party, then certain labour laws could apply. In this case, if the cloud computing provider fails to pay its employees their wages and benefits, the contracting party could be held responsible and be obliged to fulfil such labour law obligations.

Taxation

Applicable tax rules

Outline the taxation rules that apply to the establishment and operation of cloud computing companies in your jurisdiction.

Cloud computing providers are subject to the corporate income tax and the social contribution on net profits at the joint rate of 34 per cent, as well as the contribution to the profit participation programme (PIS) and the social security financing (COFINS), at 9.25 per cent (over total revenue) under the non-cumulative regime or 3.65 per cent under the cumulative regime.

Based on the nature of cloud services, revenues should be subject to the non-cumulative PIS and COFINS regime with the application of the 9.25 per cent rate and the possibility of using credits.

If the cloud services are imported from outside, remittances are subject to withholding tax (WHT) at a 15 per cent rate (or 25 per cent, if the beneficiary is located in a tax haven jurisdiction). Tax authorities have recently stated, when analysing the taxation of remittances related to the resale of SaaS, that such remittances should be classified as technical services subject to the CIDE at a 10 per cent rate, and to the PIS/COFINS at the combined 9.25 per cent rate.

Indirect taxes

Outline the indirect taxes imposed in your jurisdiction that apply to the provision from within, or importing of cloud computing services from outside, your jurisdiction.

The most relevant analysis from a Brazilian tax perspective is whether cloud computing services are subject to ICMS (a VAT-like tax) or to ISS (service tax). Both ISS and ICMS are consumption taxes in Brazil.

ICMS is assessed over the sale of goods and the provision of communication and transport services. Recent modifications in the legislation regulated the procedures for charging ICMS for transactions related to digital goods.

ISS, in turn, is a service tax assessed over any service (except those subject to ICMS) as long as the service is provided for in a list of services attached to Complementary Law 116/2003.

Item 1.03 of Complementary Law 116/2003 includes processing, storage or hosting of data, texts, images, videos, web pages, apps, information systems, among other forms, and congeners in the list of services taxed by ISS, and these activities are the core of cloud computing.

It is currently not clear which tax should apply to such digital activities, an uncertainty fuelled by a dispute between Brazilian states and municipalities, because ICMS is collected by the former and ISS by the latter.

Specifically regarding SaaS activities, Tax Authorities of the Municipality of São Paulo published Normative Ruling No. 1/17 stating that SaaS activities are subject to ISS based on item 1.05 (software licensing) of the list of services of Complementary Law 116/2003.

In this same Normative Ruling, authorities also recognised the hybrid nature of SaaS activities and, consequently, the possibility of their encompassing additional services classified under items 1.03 (indicated above) and 1.07 (technical support in IT, including the installation, configuration and maintenance of computer programs and databases).

The consumption taxes mentioned above are applicable whether the service is provided from within or imported from outside.

Recent cases

Notable cases

Identify and give details of any notable cases, or commercial, private, administrative or regulatory determinations within the past three years in your jurisdiction that have directly involved cloud computing as a business model.

In September 2018, Engineering do Brasil, SAP and Google Cloud announced a commercial partnership to promote innovative solutions using artificial intelligence, machine learning and cloud computing. The three companies are working on an artificial intelligence that assists other companies in managing their tax obligations. For this project, the objective is to integrate the technologies provided by Google Cloud and SAP with Engineering do Brasil’s tax expertise.

Another notable commercial partnership was entered into in 2017 by Microsoft and Infraero, a state-owned organisation responsible for managing Brazilian commercial airports. Both companies developed a cloud-based corporate social network to unite employees of the Brazilian company. The network aims to improve the communication and collaboration between Infraero teams and directors.

The Brazilian Central Bank is also interested in regulating and incentivising cloud computing technologies, which is evident from this year’s issuance of Resolution No. 4,658 and from the creation of a Technological Financial Innovation Lab, coordinated by the Central Bank, which has AWS, IBM, Microsoft and Oracle (relevant companies in the provision of cloud computing services) as supporters.

Update and trends

Update and trends

What are the main challenges facing cloud computing within, from or to your jurisdiction? Are there any draft laws or legislative initiatives specific to cloud computing that are being developed or are contemplated?

The main legal challenge in the next few years will be for companies and the public sector to adapt to the new General Data Protection Law (Federal Law No. 13,709/2018 (the BR GDPA)), which was passed in August 2018 and will enter into force in February 2020. It is similar in many aspects to the EU General Data Protection Regulation and sets forth detailed personal data protection obligations and rights for individuals and companies.

An additional challenge related to data protection will be the creation of a data protection authority. Even though there are several matters that must be regulated and enforced by the authority, the provisions that would create it were vetoed by the President in enacting the BR GDPA. However, it is very likely that a new law creating the data protection authority will be passed by the time the BR GDPA comes into force.

The data protection authority, as provided in several provisions of the BR GDPA, will then create its regulations on personal data protection with specific provisions on technical standards and detailed norms, as well as on proceedings and investigations carried out by it.

Other challenges to the cloud computing industry in Brazil concern the quality of the telecommunications infrastructure; the bureaucratic and costly barriers to create and run companies; and the complexity and burden created by the Brazilian tax regime. However, Brazil is a large and growing market for IT services and technology developments and is currently attracting international companies and giving incentives to the creation of local players.

In 2018, the BR GDPA (which is applicable not only to cloud computing but to all activities that involve the collection, processing and transfer of personal data) and Central Bank Resolution No. 4,658 (which contains sections applicable specifically to the contracting of cloud services by financial institutions) were issued, both of which are major legal developments for the field.