Recent developments and future prospects

Trends and developments

Have there been any notable recent trends or developments concerning the conduct of online and digital business (both business to business and business to consumer) in your jurisdiction, including any regulatory changes or case law?

Brazilian authorities have shown an increased interest in online and digital solutions following, in particular, data breaches suffered by major stakeholders in the digital sphere. As a result, the following developments have taken place:

  • The Public Prosecutor’s Office and the Consumers’ National Office have started proceedings to investigate events related to data use;
  • Several bills are under discussion in Congress. In particular, the House of Representatives and the Senate approved the General Data Protection Act (Bill 53/2018), which now awaits approval by the president before being enacted. If approved by the president, enforcement of the act will start 18 months after its publication in the Official Gazette. The law willhave a considerable impact on digital business in Brazil;
  • The Central Bank of Brazil enacted Resolution 4658 regulating cyber risk and cloud storage of financial services. The new regulation sets guidelines on how these entities must design or adapt their internal controls. The regulation confirms that data location and processing may take place outside the Brazilian territory. One of the new requirements is that the Central Bank must be granted access to data stored abroad at all times for inspection purposes. Although the regulation is limited to financial services, it shows the government’s increasing attention to data privacy matters.

In addition, the regulation of video on demand (VoD) has been hotly debated for many years. In the past few years, the National Film Agency attempted to regulate VoD and content sharing platforms in a way similar to pay television. Both Congress and the Ministry of Culture have worked on different draft rules, but given the complexity of implementing these rules consistently throughout the different existing VoD business models, none has come into force yet.

Tax law is also evolving to adapt to the digital economy. Under Brazilian tax law, the provision of services is taxed by municipalities through the tax on services (ISS), while the sale of goods is taxed by the states through the tax on goods and communication and transport services (ICMS).

Over the years this division has caused numerous conflicts between states and municipalities that sought to tax the same activities. The emergence of the digital economy has intensified these conflicts, especially as it is often extremely difficult to differentiate between what is related to a service (subject to ISS taxation) and what is related to a good (subject to ICMS taxation).

In this context, both states and municipalities have sought to issue laws and official pronouncements on the interpretation of laws in order to tax activities related to digital businesses.

In December 2016, Law 157 was published, which listed activities that should be subject to the ISS taxation, such as cloud services and the provision of audio, video and text content by any means. The states then passed Covenant 106 in October 2017, which provided that digital goods such as software and apps are subject to the ICMS.

The enactment of such regulations caused disputes in the administrative and judicial spheres, especially through lawsuits filed by taxpayers to request a judicial order on how their activity should be taxed. A decision from the judicial courts is still pending and a final conclusion for these disputes is likely to take a few more years.

Future prospects

What are the future prospects for digital business in your jurisdiction, including any proposed or potential regulatory reforms and future technological/market developments?

The House of Representatives and the Senate approved the General Data Protection Act, which now awaits approval by the president. If approved by the president, enforcement of the act starts 18 months after its publication in the Official Gazette.

Congressional efforts have gained momentum in the wake of the EU General Data Protection Regulation (GDPR), which came into force on 25 May 2018. This thumbs-up given by the House of Representatives and the Senate is an important step towards a more robust regulation on use of personal data in Brazil, also with regard to digital business. The General Data Protection Act sets forth rules for collection and use of personal data in Brazil, rights of data subjects, processing requirements, rules for international transfer of data, among other provisions. The General Data Protection Act creates a Data Protection Authority in Brazil, resulting in increased supervision and enforcement in the online environment.

Brazilian tax laws are still adjusting their rules for the digital business taxation. There are currently some conflicts between public entities on whether these activities should be taxed, especially between states and municipalities that sought to tax the same activities.

On a state and municipal levels, some laws were enacted in order to establish the taxation of digital business by the ICMS and the ISS, respectively. However, taxpayers are disputing such laws and currently there is no clear definition on how such activities should be taxed.

On a federal level, there are discussions and public consultations to define digital business taxation and we expect news shortly on:

  • the contribution for the development of the Brazilian audiovisual industry (known as the ‘CONDECINE levy’) on VoD services; and
  • the contribution for the intervention in the economic domain (know as ‘CIDE levy’) on remittances abroad for payment of software transactions.

Legal framework

Legislation

What primary and secondary legislation governs the conduct of digital business in your jurisdiction?

Law 12,965/2014, also known as the Civil Rights Framework for the Internet or the Internet Act, is the primary law specifically governing online business. The law establishes basic principles, guarantees, rights and obligations for the use of the Internet and provides some rules on the protection of privacy, record-keeping to assist law enforcement, liability for third-party content and net neutrality.

In addition, Decree 8,771/2016 (which regulates the Internet Act) and Law 8,078/1990 (the Consumer Protection Code) apply, with several other laws and decrees dealing with specific internet-related matters, such as:

  • Federal Law 12,737/2012 (Cybercrimes Law);
  • Decree 7,962/2013 (e-Commerce Decree);
  • Federal Law 9,279/1996 (Intellectual Property Law);
  • Federal Law 9,609/1998 (Software Law);
  • Federal Law 9,610/1998 (Copyright Act); and
  • Provisional Measure 2200-2/2001 (Brazilian Public Key Infrastructure Provisional Measure).

The Federal Constitution, the Civil Code and the Criminal Code also apply to business in general, whether online or offline.

Regulatory authorities

Which authorities regulate the conduct of digital business and what is the extent of their powers?

There is currently no data protection authority in Brazil, but Brazilian law broadly states that certain agencies of the Brazilian government are entitled to investigate compliance with the law.

Specifically with regard to the online environment, Brazilian law states that:

  • the National Telecommunications Agency is entitled to regulate and supervise violations to telecommunications regulations;
  • the National Consumers’ Office is entitled to supervise violations and enforce consumer regulations matters; and
  • the Administrative Council for Economic Defence is entitled to supervise violations to the national economic order.

These agencies can initiate administrative proceedings and, occasionally, impose administrative sanctions.

In addition, the Public Prosecutor’s Office is entitled to act in defence of consumers and other collective interests, carrying out investigations and filing collective actions against companies to impose obligations, to force compliance with the law or to seek redress for collective damages.

Government policy and regulatory approach

How would you describe the government’s policy and regulatory approach to digital business?

Brazilian law provides for freedom of business models in the online environment as long as they do not violate other legal principles. Regardless, it is common for stakeholders from traditional industries to pressurise the government into either regulating digital businesses restrictively or prohibiting them altogether. Digital businesses such as those providing movies streaming and intermediation between private drivers and riders have been recently subject to legislation imposing specific requirements and obligations, including of a tax nature.

Establishing digital businesses

Requirements

What regulatory and procedural requirements govern the establishment of digital businesses in your jurisdiction? To what extent do these requirements and procedures differ from those governing the establishment of brick-and-mortar businesses?

Consumer protection rules determine certain customer support obligations to e-commerce providers that do not apply to common retailers. First, consumers are allowed to withdraw from agreements entered online within seven days of the execution thereof or receipt of the product/service without any penalty. If the consumer exercises his/her right to forfeit the agreement, he/she is entitled to a prompt full indexed refund of amounts paid.

Consumers of e-commerce must also be provided with easy access to customer service, including through an adequate and efficient online support system that enables them to request information, clarify questions, solve complaints, suspend or cancel the service/purchase. Confirmation of receipt of all messages must be immediately communicated to consumers through the same means used by the consumer to provide the message and an answer must be provided within five days.

In addition, under local e-commerce rules:

  • a contract summary must be displayed prior to the user agreeing to the contract, with all information necessary for the full exercise by consumers of their right of choice, and with an emphasis on the provisions that restrict consumers rights;
  • consumers must be provided with effective tools to identify and immediately correct errors that might have occurred in the steps previous to the conclusion of the contract;
  • the agreement to the contract by consumers must be immediately confirmed, which may be accomplished by sending an e-mail to consumers or simply displaying a confirmation message;
  • a copy of the contract must be immediately provided to consumers, in a way that allows its preservation and reproduction, which can be accomplished by sending an e-mail or making the contract available for download;
  • consumers must be provided with prior clear and accurate information about the product, service and supplier;
  • consumers must be informed of any additional costs, such as delivery or insurance fees; and
  • consumers must be clearly informed about any restrictions on the fruition of the offer/service/product.

In addition to the above-mentioned rules, specific laws apply exclusively to the online environment. Thus, Law 12,965/2014 (Civil Rights Framework for the Internet Act or Internet Act) and its implementing decree (Federal Decree 8,771/2016) created rights and obligations for different stakeholders in the online environment and established some parameters as to the protection of user data. The main obligation arising out of the Internet Act pertains to data retention obligation, to data disclosure and to content takedown, but it does not regulate the services themselves or other aspects.

Further, specific types of business – such as the provision of internet applications that intermediate private drivers and riders – may be subject to state and municipal rules that defines the requirements for their operation, including obligations on payment of taxes, registration and collection of data from users.

Electronic contracts and signatures

Electronic contract availability

Are electronic contracts legally valid in your jurisdiction? If so, what rules and restrictions govern their formation (including any mandatory or prohibited provisions and contract formats)?

Electronic agreements are generally lawful, valid and enforceable in Brazil.

General contractual rules apply to agreements entered by electronic means. Terms offered electronically in general bind the proponent and the contract is considered formed when the other party accepts the offer. In the absence of a contractual choice of law, the Introductory Act to the Brazilian Law System establishes that an obligation will be governed by the law of the country where it was undertaken and determines that contractual obligations are deemed undertaken in the country where the proponent resides. Nevertheless, if the agreement involves a consumer relationship, consumer authorities tend to determine that Brazilian law and venue apply.

Agreements (either executed by electronic means or otherwise) are in principle lawful, valid and enforceable in Brazil if they involve capable parties and a legal and determined or determinable object, and unless the law requires specific formalities (eg, the acquisition of real estate depends on the execution of a written public deed). So long as the criteria above are met, electronic agreements have the same validity as physical ones. The Brazilian Civil Procedure Code expressly acknowledges the validity of electronic documents as proof.

There are no requirements in relation to the form of execution of electronic agreements, as long as the party’s willingness is evidenced. Checkboxes, acceptance buttons, e-mail replies or the insertion of electronic signatures in electronic document are the most common practices. For practical purposes, it is important that both parties are able to demonstrate the contract execution and to verify if the person on the other side is capable and duly empowered to do so.

Click-wrap contracts may be characterised as adhesion contracts and, as such, must be worded clearly, and in legible print. When entered with consumers, there are rules related to the format and display of text that may apply.

According to the Brazilian Civil Code, the same means that were used for the execution of the agreement must be available for its termination. The e-Commerce Decree (7,962/2013) provides that if a supplier allows the consumer to enter the agreement online, the same supplier must grant the consumer the right to terminate the agreement also online.

Are there any limitations or restrictions on transactions that can be concluded through electronic contracts?

Yes. Some types of transaction cannot be completed through electronic contracts because the law requires specific formalities. For instance, the acquisition of real estate or a will depends on the execution of a written public deed.

In addition, physical contracts signed by the parties and by two witnesses may be subject to a fast-track enforceability procedure, which in principle is not applicable to electronic contracts that lack the witnesses’ signatures.

Data retention

Do any data retention requirements apply to electronic contracts?

There are no data retention requirements applicable specifically to electronic contracts under Brazilian law. There are data retention obligations applicable generally to internet application providers, in relation to the date time and internet protocol access of their platforms by users.

Remedies

Are any special remedies available for the breach of electronic contracts?

There are no special remedies available for the breach of electronic contracts. General contractual and civil laws will apply.

Electronic signatures

Are electronic signatures legally valid in your jurisdiction? If so, what rules and restrictions govern their use?

Yes. Electronic signatures are generally valid in Brazil.

Provisional Measure 2200-2/2001 (Brazilian Public Key Infrastructure Provisional Measure) created the Brazilian Public Key Infrastructure (Brazilian PKI), with the purpose of ensuring the authenticity, integrity and validity of electronic documents, as well as ensuring the performance of secure electronic commercial transactions. The Brazilian PKI is in charge of defining the rules and technical requirements that allow the offering of electronic certification services in Brazil.

Documents executed using certificates homologated by Brazilian PKI are presumed authentic and true, unless proved otherwise. Documents certified by other means, or simply not certified, are still valid, but not presumed authentic. This means that if their authenticity is challenged, an expert may have to be engaged to verify and attest it.

Electronic payments

Electronic payment systems

Are there any rules, restrictions or other relevant considerations regarding the use of electronic payment systems in your jurisdiction?

Yes. In Brazil, it is possible to execute payments by numerous methods, including wire transfer and the use of electronic payment instruments (debit, credit and stored value/pre-paid cards).

The electronic payments industry has an important role in the Brazilian economy as the acceptance of electronic payment instruments increased significantly over the past decade. Accordingly, the federal government enacted Law 12,685/2013 to regulate the players and transactions operated in the local payments industry (e-Payments Law).

The e-Payments Law provides the legal and regulatory framework for ‘payment arrangements’ (ie, the set of rules governing a payment scheme, such as credit or debit card transactions), and ‘payment agents’ (ie, any agent that issues a payment instrument or acquirers a merchant for payment acceptance).

Both payment arrangements and payment agents became part of the Brazilian Payments System (SPB, which includes all entities, systems and procedures for the processing and settlement of transactions involving fund transfer, foreign currencies, financial assets or securities) and subject to oversight by the Central Bank, which is responsible for implementing the policies adopted by the Monetary Council (CMN) and issuing regulations in accordance with such policies. The Central Bank is responsible for, among other things, authorising the operations and supervising the financial institutions’ activities in Brazil. As a result, the entire market of credit, debt and pre-paid cards became subject to the CMN and the Central Bank regulation and supervision. Until then, such market was not subject to any specific regulation. Payment agents, though, are not deemed to be financial institutions and are prohibited from engaging in activities that are exclusive to financial institutions (eg, lending and deposit taking).

Following the enactment of the e-Payments Law, the CMN and the Central Bank adoped a set of rules on payment arrangements and payment agents, which became effective in May 2014 and encompasses, among other things:

  • the definition of ‘payment accounts’ (which are broken down into pre-paid and post-paid accounts), the types of payment agent and the definition of arrangements excluded from the SPB;
  • the procedures for incorporation, organisation, authorisation and operation of payment agents, as well as for the transfer of control, subject to the Central Bank’s prior approval; and
  • consumer protection, anti-money laundering compliance and loss prevention rules that should be followed by payment agents and payment arrangers subject to Central Bank oversight.

Following discussions with market players and industry representatives, the Central Bank has been adjusting and improving the regulations over time, mainly to include operational and non-discriminatory tools to foster competition in the payments market. The regulation was most recently updated in early 2018.

Virtual currencies

Are there any rules or restrictions on the use of virtual currencies (eg, bitcoin)?

No. In Brazil, virtual or cryptocurrencies such as bitcoin are subject to the general treatment of assets established by Law 10,406/2002 (the Brazilian Civil Code). This is because cryptocurrencies are not considered currencies in Brazil and are therefore not regulated by the Central Bank. They are considered as assets.

Therefore, the transactions carried out in cryptocurrencies are subject to the general provisions of the Brazilian Civil Code. For instance:

  • the acquisition of cryptocurrencies using Brazilian reais will be considered an acquisition of assets and subject to all provisions applicable to the purchase and sale of movable assets; and
  • the use of cryptocurrencies for the ‘acquisition’ of other assets will be considered an exchange of assets and subject to all provisions applicable to the exchange of movable assets.

This treatment however is not applicable to any such assets that classify as a security under the Brazilian Securities Law (which is similar to the US definition).]

Data protection and cybersecurity

Collection, use and storage

What rules, restrictions and procedures govern the collection, use and storage of personal data in the course of digital business in your jurisdiction?

As general obligations, Brazilian Law requires internet service providers (ISPs, understood as companies that provide access to the internet) and application service providers (ASPs, understood as companies that offer internet-based applications) to:

  • respect the right to privacy and confidentiality of personal data, private communications and access logs;
  • disclose clear and comprehensive information in their terms of service, detailing how access logs are protected, as well as network management practices that may affect the quality of internet connection;
  • refrain from disclosing personal data to third parties unless users provide free, prior and informed consent for it or as authorised by law;
  • provide clear and complete information on collection, use, storage, treatment and protection of personal data, which can be used only for purposes that justify their collection, are in accordance to the law and are stated in the terms of service or privacy policy;
  • obtain express consent to collect, use, store and treat personal data, separately from other contractual clauses;
  • store access logs, which is the set of information covering the date and time when a certain internet application was used based on a specific IP address, for a period of six months, in a safe and controlled environment;
  • exclude personal data at the users’ request, upon termination of the relationship (except for the mandatory storage period applicable to access logs and connection logs); and
  • have strict control over the access to personal data.

International data transfers

What rules and restrictions apply to the cross-border transfer of personal data collected in the course of digital business?

There are no specific rules in Brazil governing the international transfer of data. Nevertheless, if such transfer occurs between distinct legal entities (even if covered by a corporate bond or part of the same economic group), the data owner must consent to the transfer.

Consumer rights

What rights are afforded to consumers in relation to their personal data?

Users have the following rights in relation to their personal data in the online environment:

  • Right to request ASPs to delete their personal data after termination of the agreement, except for data under the mandatory storage period;
  • Right to inviolability of their private life, as well as to indemnification for damages arising out of violations thereof;
  • Right to inviolability of private communications, unless ordered by a court;
  • Right to clear and complete information on collection, treatment and protections of their personal data; and
  • Right to not have their personal data shared with third parties without their free, express and informed consent.

In addition, consumer law provides that consumers shall have access to any credit information on record, cards and registers, and personal and consumer data filed regarding them, as well as to demand immediate correction of inaccurate information, which shall be implemented and communicated by the supplier within five business days.

Cookies

How is the use of cookies regulated?

There is no specific regulation about the use of cookies in Brazil. However, to the extent that the use of cookies comprises the processing of any personal data of internet users, it requires compliance with the rules applicable to the processing of such type of information, including data subject’s consent.

Data breach

What rules and standards govern digital operators’ response to data breaches? Are they subject to any notification requirements in the event of a data breach? What precautionary measures should be taken to avoid data breaches?

There are no express legal provisions in Brazil setting forth a general reporting obligation with respect to violations of networks, databases or files containing personal data or third-party information. As a rule, the relevance of reporting such events to the authorities and third parties must be analysed on a case-by-case basis, taking into account the fact that the liability for redress of damage resulting from any failure to act or omission may be imputed to the company that suffered the intrusion, depending on the circumstances.

In addition, the Brazilian legal system does not establish specific precautionary measures that should be taken to avoid data breaches. There are, however, legal provisions stating that ISPs and ASP, when dealing with personal data and/or private communications of internet users, must observe the following safety standards guidelines:

  • establish strict control over data access, by defining the responsibilities of individuals who will have access to user personal data (ie, data security policies, access restrictions, etc);
  • create authentication mechanisms for access logs, using, for instance, dual authentication systems to ensure the individualisation of the person responsible for the processing of records;
  • create a detailed inventory of access to access logs, containing the moment, duration, identity of the employee or the person designated by the company and the file accessed; and
  • implement technical security measures (ie, firewalls, encryption, etc).

Cybersecurity

What cybersecurity regulations and/or standards apply to the conduct of digital business?

Brazilian law does not contain general cybersecurity rules at federal level that establish conditions and requisites for safeguarding communication systems, networks or databases.

That said, Brazilian law establishes certain safety standards guidelines that ISPs and ASPs must observe when they collect, store and treat personal data or private communications, such as:

  • establish strict control over data access, by defining the responsibilities of individuals who will have access to user personal data (ie, data security policies, access restrictions, etc);
  • create authentication mechanisms for access logs, using, for instance, dual authentication systems to ensure the individualisation of the person responsible for the processing of records;
  • create a detailed inventory of access to access logs, containing the moment, duration, identity of the employee or the person designated by the company and the file accessed; and
  • implement technical security measures (ie, firewalls, encryption, etc).

Some specific types of business – such as the provision of internet applications that intermediate private drivers and riders – may be subject to state and municipal rules that provides for cybersecurity.

Is cybersecurity insurance available and commonly purchased?

A few insurers offer cybersecurity insurance in Brazil. Although this product is not yet commonplace, companies started to look for such coverage after recent ransomware attacks.

Encryption

Are there regulations or restrictions on the use of encryption?

There are no general regulations or restrictions on the use of encryption in Brazil.

Government interception/retention

What rules and procedures govern the authorities’ interception of communications and access to consumer data?

Brazilian law establishes that ISPs and ASPs shall be required to disclose personal data, access logs or connection logs to identify users only upon a court order. In such case, the applicant must meet certain legal requirements for the disclosure request to be granted, such as the presence of indications that an illicit act has taken place. As an exception, in the scope of investigating certain crimes, administrative authorities with enforcement powers are entitled to request and have access to internet users’ simple registration data (ie, name, marital status, profession, address and name of parents) irrespectively of a court order. That said, digital businesses are under no obligation to collect such data and those that do not collect are therefore under no obligation to disclose it.

Brazilian law requires a court order for disclosure of stored content relating to private communications. As for real time interception of communications flow, Brazilian law allows it only in criminal proceedings and upon a valid court order. Regardless, law enforcement authorities must meet several requirements for a court to allow the interception:

  • There must be evidence of participation in criminal offences;
  • The evidence cannot be obtained by other means; and
  • The criminal offence is punishable by more than a penalty of detention.

Advertising and marketing

Regulation

What rules govern digital advertising and marketing in your jurisdiction?

The main law regulating advertising in Brazil is the Consumer Protection Code, which is enforced by the Public Prosecutor’s Office and by civil associations that represent consumers.

Advertising in Brazil is also subject to the ethical rules provided by the Brazilian Advertising Self-regulation Council (Conar), a non-governmental agency composed primarily of advertising agencies, media vehicles, advertisers, consumers and representative associations. Although Conar and its norms and rulings are of a private nature, the judiciary and other branches of the administration commonly consider its principles and precedents in applying consumer law in Brazil.

Are there any specific regulations governing the use of targeted advertising?

Besides rules related to data privacy, there are currently no specific regulations governing targeted advertising in Brazil.

Restrictions

Are there any restrictions or limitations on goods and services that can be advertised, marketed and sold online?

There are no specific restrictions to or limitations on the online sales or advertising of goods and services. There are, however, under Brazilian law general limitations on the advertising or sale of certain products or services (either online or offline), such as tobacco-related products, alcohol and products for infants.

Spam messages

What rules and restrictions govern the sending of spam messages?

Messages sent by e-mail for advertising purposes must contain clear and detailed information about the referred product/service, as well as concerning the supplier sponsoring the advertisement. The advertiser’s information must include its corporate name, tax enrolment number, physical and electronic address. Best practices recommend that users must be given the ability to stop receiving messages by e-mail at any moment and at users’ sole discretion (unsubscribing). Some Brazilian states have enacted ‘do not call/spam’ regulations. Under these regulations, consumers are entitled to enrol their contacts in a list that should not be reached for marketing purposes. These lists are regulated by state laws, which vary in scope and are maintained and supervised by the state consumer protection offices. In some states the list is related only to phone calls and SMS from telemarketers, while in others the list also applies to emails.

Digital content and IP issues

Required notices

Are websites and any other digital content required to display certain legal notices or other information in your jurisdiction?

Websites are not required to display any legal notice unless the content available, or product or service being sold or advertised through the website, requires itself a legal notice or disclaimer under the law. For instance, websites containing financial and medical content may require legal notices.

In addition, websites or other electronic means offering services or products to consumers must display complete information about the services or products (including essential characteristics, health and safety risks, prices, fees, expenses, delivery conditions, and other relevant information) and the supplier (including the company’s name, tax enrolment number, physical and electronic address, and location and contact information).

Liability for content

What rules govern liability for online or other digital content that is defamatory or infringes another party’s IP rights?

Digital businesses are liable for digital content that is defamatory or that infringes third-party IP rights when they themselves publish the content or when they exert editorial control over user-generated content (ie, when they review and approve the content to be published). In these cases, digital businesses are liable if all requirements for at-fault liability are present.

Application service providers (ASPs, understood as companies that offer internet-based applications) may also be liable for user-generated content deemed as defamatory or otherwise illegal if they fail to comply with a court order determining the takedown of such content.

There are however two special cases regarding liability for user-generated content in which the notice and takedown regime applies and ASPs may be liable for user-generated content if they fail to take it down, as follows:

  • User-generated content portraying sexual acts or nudity, due to express legal obligation; and
  • User-generated content infringing copyright, based on legal precedents.

How can liability be excluded or limited?

The only way to exclude liability for user-generated content that is defamatory or that violates a third party’s IP rights is to comply with a takedown order or, when applicable, with an extrajudicial notice.

In general, contractual clauses for exclusion or limitation of liability are accepted in contracts only when they pertain to disposable rights and when it is set by means of bilateral consent. Brazilian law deems such clauses null and void when imposed unilaterally or in the context of a business-to-consumer (individual) relationship.

Which parties can be held liable for defamatory or infringing content? Can contingent liability be extended to internet service providers (ISPs)?

In case of user-generated content, the user who published the content is directly liable, but ASPs might become liable if they fail to comply with an occasional takedown order or, when applicable, with an extrajudicial notice.

If the content was published by the digital business, the digital business would be the party held liable.

In addition, Brazilian law expressly excludes liability of ISPs for user-generated content.

Content takedowns

What rules and procedures govern content takedowns? Can ISPs remove defamatory or infringing content without permission?

As a rule, any natural person is entitled to request ASPs to take down content portraying sexual acts or nudity involving him or her. Such request can be made via an extrajudicial notice that identifies the content and provides a mean to locate it unequivocally, usually by providing its URL. The same proceeding applies to content infringing copyright as determined by case law.

For other types of content, a court order declaring the content unlawful and determining its removal is necessary so as to preserve freedom of speech and avoid censorship.

ASPs can – although they are not legally obliged to – remove defamatory or infringing content regardless of a court order, based on contractual stipulation. If ASPs reserve such right in their terms of service and deem that the content violates their terms of service, they are entitled to take down such content.

Domain names

What rules, restrictions and procedures govern the licensing of domain names?

The allocation of internet addresses and the registration of ‘.br’ domain names are performed by an executive arm of the Brazilian Steering Committee (CGI.br) named the Brazilian Network Information Centre or NIC.br. Domains are registered in a first-come, first-served basis, without review of potential conflicts with any third party’s rights.

Brazilian domains (‘.br’) can be registered by Brazilian individuals or legal entities established in Brazil or by foreign companies represented by a local attorney in fact, provided that the foreign company signs a commitment letter assuring it will definitively establish activities in Brazil and register with the Brazilian National Register of Legal Entities within 12 months, and further provided that it informs a local billing address.

How are domain name disputes resolved in your jurisdiction?

CGI.br has implemented an administrative proceeding (to precede judicial litigation) in order to resolve disputes involving domain names registered in bad faith (applicable only to complaints against domains for which registration was requested after 1 October 2010).

Under these rules, a domain will be challengeable when it was registered or is used in bad faith (eg, with the intention to be sold to a trademark owner or to harm a competitor) and:

  • is identical or similar enough to cause confusion with a trademark that had been filed for registration in Brazil before the domain name was registered or with a trademark already registered in Brazil;
  • is identical or similar enough to cause confusion with a well-known trademark in the same industry, even if that trademark is not registered in Brazil; or
  • is identical or similar enough to cause confusion with another domain name, or with a corporate name, family name, well-known pseudonym or artistic name, among others.

The administrative proceedings can lead to decisions maintaining, cancelling or transferring; they cannot impose penalties and may be challenged in court.

What special measures and safeguards should rights holders consider in protecting their online/digital content?

Remedies available to content holders upon unauthorised use of their copyrighted content include injunctions, right to indemnification and criminal remedies.

Restraining orders determining the temporary suspension of the infringement may be issued in specific situations, even before the violator is served process. Copyright owners may also obtain a court order for the seizure of unauthorised copies or the suspension of their publication and for the suspension of content transmission by any means, subject to daily fines. Equipment used for unlawful purposes may also be seized and destroyed. Copyright owners may also have their right to attribution publicised in wide circulation newspapers or on television, at the cost of the infringer.

Tax issues

Online sales

How are online sales taxed?

The taxation of online sales, when related to physical goods (traditional e-commerce), is subject to the tax on goods and communication and transport services (ICMS). A new rule was introduced in 2016 for such taxation, which determined that the ICMS due should be divided between the state of origin (where the vendor is located) and the state of destination of the goods (where the buyer is located).

However, the online sale of digital goods is more controversial, with municipalities, which collect the tax on services (ISS), and the states, which collect the ICMS, both making a claim on them.

Municipalities can impose an ISS rate up to 5% calculated on the service price, while the states can establish an ICMS rate up to 25% calculated on the amount charged on the product acquired online. That said, the state of Sao Paulo, for example, established a 5% ICMS rate in order to remain competitive compared to municipalities.

At a federal level, internal sales are taxed by the Programme of Social Integration (PIS) and COFINS (Contribution for the Financing of Social Security). If the seller is located abroad, remittances might be subject to withholding income tax and PIS and COFINS, depending on the type of sale.

Other taxes

What other tax liabilities arise in respect of the conduct of digital business in your jurisdiction?

In addition to the collection of taxes, companies must also fulfil ancillary obligations, such as issuance of invoices and providing information to the tax authority, which may include the implementation of specific systems compatible with the authority’s requirements and which can vary depending on the municipal, state or federal rule.

It is also worth mentioning that in the state of São Paulo, under CAT Ordinance 156/2010 marketplaces must present a report to the tax authorities informing the transactions or services provided by their customers, under penalty of being jointly responsible for the payment of the ICMS due over the sales.

Jurisdiction, governing law and dispute resolution

Jurisdiction and governing law

How do the courts determine jurisdiction and governing law in relation to online/digital transactions and disputes?

As a rule, Brazilian courts have jurisdiction to review any claims falling under the following broad requirements:

  • When the defendant, whatever his/her nationality, is domiciled in Brazil;
  • When the obligation has to be fulfilled in Brazil; and/or
  • When the subject matter is a fact that occurred in Brazil.

With regard to the choice of jurisdiction, Brazilian law sets forth that clauses in adhesion agreements are null if they do not offer the contracting party the option to have a Brazilian court review disputes resulting from services provided in Brazil. Therefore, the establishment of a foreign court for dispute resolution in the scope of an internet-based service in Brazil is null and unenforceable.

As for governing law, consumer provisions state that the defence of consumers’ interests must be facilitated, meaning that courts usually apply Brazilian law to any disputes arising from business-to-consumer relationship. In addition, legal precedents state that the choice of foreign law to govern disputes resulting from services provided in Brazil is not valid when it has not been stipulated within the full exercise of contractual freedom and independent will of both parties, under equal conditions.

Brazilian law also states that it is applicable when digital businesses collect, store or otherwise process data in Brazil. This is applicable even to foreign companies when they offer services to Brazilians or when there is a company from the same economic group in Brazil.

Courts

Are there any specialist courts in your jurisdiction which deal with online/digital issues and disputes?

No, Brazil has no specialist courts that deal with digital issues.

Alternative dispute resolution

What alternative dispute resolution (ADR) methods are available for online/digital disputes? How common is ADR for online/digital disputes in your jurisdiction?

As a rule, ADRs cannot apply to disputes involving non-disposable rights. For disputes involving disposable rights, Brazilian law accepts mediation, conciliation and arbitration.

Mediation and conciliation are common in legal proceedings of a civil nature, as Brazilian law expressly establishes them as a step in such legal proceedings. Therefore, before a judge renders a decision, the parties have the opportunity to solve the dispute through mediation or conciliation.

Arbitration is also a possibility and parties capable of entering into agreements can choose to use arbitration for dispute resolution by signing an arbitration agreement or by agreeing to an arbitration clause. In adhesion contracts, an arbitration clause is valid only when the adhering party actively asks for it by signing a separate agreement or by signing off the specific clause.

However, Brazilian law deems null any clause or arbitration agreement determining the compulsory use of arbitration for dispute resolution in business-to-consumer relationships. As a result, arbitration is more common in relation to business-to-business relationships. In the online environment, ADR is more commonly used in Brazil to solve disputes regarding domain name ownership.