Intellectual property and data protection
Generally, software in Brazil is protected by copyright law. Briefly, this means that source codes are equated to authorship works such as literary or artistic works, and it is not necessary to register it with the authorities to ensure protection. Therefore, any ownership dispute may be solved with proof of authorship.20 Nevertheless, it is possible to register the source code with the entity responsible for the registration and management of industrial property in the country – the National Institute for Industrial Property.
There are some cases in which patents can be issued regarding software and computer programs. This happens if it fills the requirements of characterisation of an industrial creation (a process or product associated with the process). Thus, if the solution implemented by a computer program solves a problem found in the art and scope a technical effect that does not only concern how the computer program is written, it may be considered an invention and would be patentable.
To verify whether a new financial technology includes an invention protected by patent rights, it is necessary to know if it fits the following basic requirements: novelty; inventive step; industrial application; and technical effect. Note that the first three criteria apply to all patents, while the latter concerns the patentability of computer programs or software. The novelty requirement is broadly met when creation did not exist and was invented, that is, it is entirely new. Meanwhile, inventive step means that the invention was not obvious or obvious from the state of the art (a legal term used for what already exists and is available to the public). Industrial application is the possibility of using or producing the creation in any type of industry.
The technical effect considers the practical effects achieved throughout the steps developed by the invention implemented by the computer program. The general rule is that, in order to grant a patent registration for software, there must be practical application in addition to the patentability requirements. In short, the industrial creation implemented by software may be subject to protection by patent rights if: (1) it solves a problem found in the technique; and (2) it achieves a technical effect that does not only concern how the software is written.
The patent application process involves accurately describing the invention created. This precise description will be the one that is protected. In this sense, a new version of the same software would not be covered by the same patent protection.
In any case, to determine the immediate ownership of software or computer program developed by third parties even before any registration or patent, it is necessary to verify the relationship with the author or inventor. If the creator is an employee and thus contracted under employment relationships, the rule of thumb provided by law is that the employer owns the intellectual property of software and computer programs developed in the context of the employee's activities. The contract executed between the parties may determine different aspects, but in the case of omission, this is the general rule.
Regarding data protection, data privacy legislation is going through important modifications in Brazil: as mentioned, LGPD, which regulates any treatment of personal data, by public and private entities, in the online and offline environments, using automated and non-automated means was enacted in August 2018. The Law was inspired by international guidelines, especially those provided by the EU General Data Protection Regulation and came into force in September 2020 (except with respect to certain provisions, as detailed below).
Currently, there are several pieces of legislation in Brazil dealing with different scopes of privacy and data protection such as intimacy, private life, honour, image and secrecy of correspondence, bank operations and communications. Such pieces of legislation include the Federal Constitution, the Civil Code, the Consumer Protection and Defence Code, the Banking Secrecy Law, the Brazilian Internet Act and the Criminal Code. However, LGPD is the first omnibus law in Brazil that deals specifically with personal data protection without limiting its applicability to certain categories of agents and subjects (e.g., consumers, employees, financial institutions) or types of treatment (e.g., operation in the online environment).
LGPD has set standards and established important definitions to the Brazilian data privacy regulation, such as personal data, sensitive personal data, anonymised data, data controller and data processor, among others. It adds to the framework surrounding data processing, including compliance with a legal or regulatory obligation, the fulfilment of a contractual or legal obligation and the controller's legitimate interest, as well as determining the details on how the user's consent must be collected to legitimise personal data processing.
LGPD also addresses international transfer of personal data, rules on liability, data breach and penalties related to the violation of data privacy rights. The effects of LGPD extend to any treatment of personal data carried out in the Brazilian territory, any treatment of personal data collected in the Brazilian territory, or any treatment of personal data made with the purpose of offering or supplying goods or services to individuals located in the Brazilian territory.
LGPD further provided for the creation of the Brazilian National Data Protection Authority (ANPD). Among other things, ANPD has the authority to supervise the LGPD application, to prosecute data incidents, and to apply penalties in the administrative sphere. Additionally, ANPD can issue regulations about specific LGPD points (such as the approval of standard contractual clauses and the list of countries offering a level of data protection similar to Brazil for the purposes of international transfer of personal data, security standards, duties of data protection officers, etc.).
At the end of 2020, the chairman and the other four executive officers of ANPD were appointed and it is expected that ANPD will become fully operational and start issuing regulations addressing the points above in the near future. The administrative penalties that may be applied by ANPD to sanction breaches and other violations of privacy law (e.g., fines, interruption and suspension of activities involving the processing of personal data) will be effective as of August 2021.