Legislation and regulation

Recognition of concept

Is cloud computing specifically recognised and provided for in your legal system? If so, how?

The Brazilian Central Bank’s Resolution No. 4,658 on 26 April 2018 sets forth requisites for processing and storing data and for cloud computing solutions for information collected by financial institutions.

In 2018 and 2016, respectively, the Information Security Cabinet of the President’s Office and the Ministry of Planning, Budget and Management (which is now part of the Ministry of Economy) issued a complementary norm and a general guideline with norms and best practices to be followed by federal entities in contracting cloud computing services. Cloud computing is defined in such documents as a computational model that allows access on-demand, independently of where it is located, to computational resources (eg, networks, servers, hosting, applications and services) provided and made available with minimal management efforts or interactions with the service provider.

In April 2019, the Ministry of Economy also issued Normative Instruction No. 1/2019, which provides that certain public entities must favour cloud-based services for their data centre infrastructure, and explicitly references the President Office’s complementary norm indicated above.

There are federal laws that apply specifically to internet operations and to data protection, which impact cloud computing and its providers.

The Brazilian Civil Rights Framework for the Internet (Federal Law No. 12,965/2014) (MCI), which was further regulated by Federal Decree No. 8,771/2016, provides for principles, rights and obligations regarding the use of the internet in Brazil, and sets forth obligations for internet connection and application providers, which are relevant for cloud computing solutions in general.

The Brazilian General Data Protection Act (Federal Law No. 13,709/2018) (LGPD) was sanctioned and its general provisions came into force in September 2020. The provisions of the LGPD regarding administrative penalties entered into force in August 2021. The LGPD applies irrespective of industry or business when personal data is collected or processed. Among other norms, it provides for user consent for the collection, processing and transfer of data (with specific provisions pertaining to cross-border transfers), data security and data breaches, sensitive personal data and situations for ceasing the processing of data.

Governing legislation

Does legislation or regulation directly and specifically prohibit, restrict or otherwise govern cloud computing, in or outside your jurisdiction?

Brazilian legislation does not directly and specifically prohibit or restrict cloud computing services, either in or outside Brazil.

In 2018, the Brazilian Central Bank issued Resolution No. 4,658, which provides for precautions to be taken by financial institutions in contracting cloud services and for the responsibility of such institutions for the reliability, integrity, availability, security and confidentiality of the contracted cloud services. The financial institution must notify the Central Bank prior to contracting the services and certain requirements must be met for the cloud service to be rendered abroad.

If personal data is transferred, stored or otherwise processed abroad, the data processor shall rely on at least one cross-border transfer mechanism provided in the Brazilian General Data Protection Act after it comes into force.

If personal data is transferred, stored or otherwise processed abroad (eg, in or to a cloud server located in another country), the data importer and exporter shall rely on at least one cross-border transfer mechanism provided in the Brazilian General Data Protection Act.

What legislation or regulation may indirectly prohibit, restrict or otherwise govern cloud computing, in or outside your jurisdiction?

The Brazilian Civil Rights Framework for the Internet (Federal Law No. 12,965/2014, the MCI) provides for rights and obligations for different stakeholders on the internet and sets forth parameters for the protection of user data. The MCI is applicable to internet connection and application providers in general. It provides a vague and broad definition of internet application providers – ‘a set of features that might be accessed through a computer connected to the internet’ – that potentially makes cloud computing services and their providers subject to such legislation.

General requirements are related to the following obligations and provisions:

  • access logs data retention by internet application providers;
  • users’ rights in connection with personal data;
  • agreement provisions that might be considered void under Brazilian law;
  • obligation to provide information on data processing activities;
  • data request by Brazilian authorities; and
  • liability for content created by third parties.

 

The LGPD applies irrespective of industry or business when it comes to the collection, processing, transfer and storing of personal data. Among other norms, it provides for legal bases that must be observed for the collection, processing, transfer (with specific provisions pertaining cross-border transfer) and storing of personal data, data security and data breaches, sensitive personal data and situations for ceasing the processing of data.

It is also worth mentioning Federal Decree No. 9,637/2018, which disciplined the National Information Security Policy and created the Information Security Management Committee, a government body that advises the Institutional Security Cabinet of the President’s Office in information security-related matters.

Breach of laws

What are the consequences for breach of the laws directly or indirectly prohibiting, restricting or otherwise governing cloud computing?

According to the MCI, if an internet application provider (in which category cloud computing providers are included) fails to comply with a takedown order issued by a court (or with an extrajudicial letter sent by an affected party in case of pornography or sexual content), it may be held liable for content created by third parties. Thus, the MCI established a safe harbour for such situations, by which an application provider is not held liable before it is notified, either by a party or by a judge.

If the application provider fails to comply with a court order or extrajudicial letter, it would likely be sentenced to pay indemnification for material or moral rights to the aggrieved party, depending on the facts of the case (there are several types of content that may be deemed unlawful under Brazilian law, the most common types being defamation, racism, child pornography, bullying, rights of publicity, and other personality rights).

The MCI also provides for penalties of warning; administrative fines of up to 10 per cent of the income of the economic group in Brazil, net of taxes, to be calculated according to the economic condition of the offender and the principle of proportionality between the severity of the offence and the intensity of the penalty; and suspension or prohibition of the activities pertaining to the collection, storage or processing of logs, personal data or communications.

Apart from administrative fines that may be imposed according to the MCI, courts can also impose fines for non-compliance with preliminary injunctions or final decisions ordering the removal of content or the production of data. There is no limit on such penalties, which are set by judges on a case-by-case basis. Courts may also award damages if the company fails to obey the court order to remove the content.

If the company does not take down a specific content after a court order, this could be considered a crime of disobedience (article 330 of the Brazilian Criminal Code), the penalty for which is 15 days to six months imprisonment (for officers or administrators) and a fine. The risk of criminal liability is higher in matters involving criminal organisations or child pornography.

Regarding infringements to the provisions of the LGPD, in addition to liability for moral and material damages, data-processing agents are subject to the following administrative sanctions:

  • a warning with a deadline implementing corrective measures;
  • fines of up to 2 per cent of the revenues earned by the legal entity, group or conglomerate in Brazil in the preceding year, net of taxes, capped at 50 million reais per offence;
  • a daily fine, subject to the cap referred to above;
  • disclosure of the offence after the occurrence having being investigated and confirmed;
  • blocking access to the personal data to which the offence refers, until the processing activity is regularised; and
  • deletion of the personal data related to the infringement.

 

Consumer protection measures

What consumer protection measures apply to cloud computing in your jurisdiction?

Legal consumer relations in Brazil are regulated by Law No. 8,078/1990 (the Consumer Protection Code (CDC)), which governs all consumer relationships, including cloud computing products or services where there is a supplier on one side and a consumer on the other side. ‘Consumer’ for this purpose is defined as any individual or legal entity that acquires or uses products or services as an end-user.

The CDC protects consumers and, in general, its language allows consumers to file claims against companies involved in the supply chain. If an entity is not directly responsible for damage suffered by the consumer, such a company may seek the amount paid by it to the consumer from the other liable company.

The CDC sets forth a 30-day or 90-day deadline for the consumer to file a suit pertaining to a defective product or service and a five-year period for damages caused to the consumer’s physical or mental health.

The supplier (where the consumer is an individual) cannot disclaim or limit its liability for product or service defects, and all contractual clauses with this language will be null and void. The agreement also cannot include clauses impairing, disclaiming or mitigating obligations to indemnify. There is no legal restriction on the warranty term apart from the 30-day or 90-day terms counted from the delivery of the product or from the rendering of the service, by any contractual warranty must be clear, precise and additional to the legal warranty.

The CDC also provides for a right to regret, by which consumers have the prerogative to return a product or a service contracted outside the point of sale within seven days of delivery. Currently, this rule applies to purchases made through the internet, where the consumer has no physical contact with the product or service.

Choice of foreign law and arbitration or foreign venue clauses in consumer contracts are often held null and void by Brazilian courts, especially small claims courts, because they tend to complicate the consumer’s pursuit of his or her rights. However, in a 2018 decision, the Superior Court of Justice considered that the nullity of a choice of venue clause (where the elected venue was a different city of the same Brazilian state) was contingent on the proof of harm to the consumer’s ability to claim his or her rights.

Sector-specific legislation

Describe any sector-specific legislation or regulation that applies to cloud computing transactions in your jurisdiction.

The Brazilian Central Bank issued Resolution No. 4,658 on 26 April 2018, which sets forth requisites for processing and storing data and for cloud computing activities related to information collected by financial institutions.

Resolution No. 4,658/18 sets forth that the outsourcing of relevant data processing, storage and cloud computing services must be communicated in advance by the financial institution to the Central Bank. Such communication must comprise the name of the service provider, the service being outsourced and the indication of the countries where the services may be rendered and the data may be stored and processed.

The financial institution contracting cloud services must implement procedures to verify the service provider’s ability (companies that offer cloud computing, data storage and processing services to financial institutions) to ensure:

  • compliance with prevailing laws and regulations;
  • the institution’s access to the data and information to be processed or stored by the service provider;
  • the confidentiality, integrity, availability and recovery of data and information being processed or stored by the service provider;
  • the service provider’s adherence to certifications required by the institution for the outsourcing of the corresponding services;
  • the institution’s access to reports prepared by an independent expert audit company hired by the service provider concerning the controls and procedures being adopted for outsourced services;
  • the availability of management information and resources competent for monitoring the outsourced services;
  • the identification and segregation of data belonging to the institution’s clients, via physical or logical controls; and
  • the quality of access controls targeted at protecting the data and information referring to the institution’s clients.

 

For contracts with entities of the public administration regarding services related to data centre infrastructure, there are rules favouring the contracting of cloud-based solutions.

Insolvency laws

Outline the insolvency laws that apply generally or specifically in relation to cloud computing.

There are no insolvency laws in the Brazilian legal system that apply specifically to cloud computing. The general provisions governing liquidation and recovery in insolvency proceedings are provided for in Federal Law No. 11,101/2005 (the Insolvency Act).

The Insolvency Act sets forth which credits or creditors have precedence over others in insolvency or credit recovery, and a Brazilian customer seeking to enforce rights against an insolvent cloud computing provider would have to follow the regular procedures, being in general a regular creditor (unless there is a specific guarantee with respect to the services provided). Micro or small companies have certain benefits (eg, representation in general meetings) and their credits come before general unprivileged credits.