The State of Communication and Privacy Law in Brazil (2020)

  1. Is there a data protection law?
    yes iconyes

    Brazil’s data protection law was adopted in 2018. The provisions regarding the oversight authority entered into force in December 2018. The remainder part comes into effect in September 2020, except for the penalties section that was postponed to August 2021.

    See more
  2. Is there a data protection authority?

    The law creates the National Data Protection Authority (Autoridade Nacional de Proteção de Dados - ANPD). Although the provisions creating it came into effect in December 2018, the government introduced a decree implementing its structure one year and a half later. The implementation of the authority is in progress, after the approval of its board by the Brazilian Senate. Civil society groups have expressed concerns about the appointed directors. Three of the five directors are members of the Brazilian Army, mostly with limited experience in data protection.

  3. Does the data protection law apply to law enforcement activities?

    The processing of personal data solely for the purposes of public safety, national defense, state security or investigations, and prosecution of criminal offenses is out of the scope of Law 13.709/2018’s overall regime. The law sets out that specific legislation has to be approved to regulate the processing of personal data in such cases. Nonetheless, art. 4, paragraphs 2 to 4 of the Law 13.709/2018 are applicable to law enforcement activities once the data protection law enters in force.

    See more
  4. What are the criteria, if any, for the transfer of personal data to third countries under their data protection law?

    Chapter V of the Data Protection Law sets forth the criteria for the transfer of personal data to third countries. According to Article 33, the transfer is allowed, among others, to countries or international organizations that provide an appropriate degree of protection of personal data relative to the level of protection ensured by the Brazilian law.

    See more
  5. Brazil’s Federal Constitution protects the inviolability of correspondence, data, and telephone communications.

    Interception of communication - Prior judicial order is required.

    Access to the content of communications - Prior judicial order is required.

    Access to metadata - For online communications, prior judicial order is required; for telephone metadata, specific legislation allows direct access by law enforcement agents.

    Access to subscriber data - Prior judicial order is required except when specific legal rules lift this requirement.

    Location data - Prior judicial order is required for real-time access in specified legal cases; contentious for past location data, but prior judicial order should prevail due to constitutional safeguards.

    See more
  6. What’s the factual basis to access communications data?

    The factual basis for accessing communications data in Brazil includes:

    Articles 156, 240, and 282 of the Criminal Procedure Code

    Telephone Interception Law (Law 9.296/1996)

    Brazil’s Civil Rights Framework for the Internet (Law 12.965/2014) and its regulation (Decree 8.771/2016)

    Brazilian Supreme Court and Superior Court of Justice rulings

    For details on the above legislation and cases,

    See more
  7. In the context of a criminal investigation, the following authorities have the capacity to request access to communications data: (i) the Chief of the Civil Police (delegado de polícia) and (ii) public prosecutors.

    Parliamentary Committees of Inquiry also hold “investigative powers of the judicial authorities.”

    See more
  8. Does the country have provisions about access to data in cases of emergency?
    yes iconyes

    The Criminal Procedure Code allows the judge to order ex officio or following the parties’ request the production of urgent and relevant evidence before the criminal prosecution is initiated, according to necessary, adequate, and proportionate standards. Precedent set by the Superior Court of Justice states that the mere course of time is not enough to justify such anticipation.

    See more
  9. Is there any data retention mandate?
    yes iconyes

    Brazil has developed different data retention rules depending on the kind of service: fixed line, mobile phones, or Internet services.

    See more
  10. Are there any rules that authorize the use of malware?

    There are currently no laws that explicitly authorize the use of malware. However, there are indications that law enforcement agents have relied on the Telephone Interception Law to request judicial order for using malicious software in criminal investigations, which is at odds with a 2018 decision of the Superior Court of Justice.

    See more
  11. Is there any law that compels companies to provide direct access to their internal servers for law enforcement purposes?
    no

    To the best of our knowledge, there is no legal provision authorizing this kind of access in criminal investigations.

  12. Does the law compel companies to assist law enforcement agencies in their investigations?

    The police authority may require specialized services and specialist technicians to telephone companies for conducting interception measures. Telephone companies also have the legal duty to assist law enforcement authorities to access geolocation data in human trafficking cases and make call records available for investigations. Private companies and public bodies, as laid out in specific law, have the duty to provide subscriber data to law enforcement authorities.

    See more
  13. Does the State report on the number of requests to access communications data?
    yes iconyes

    Only partially. Brazil’s National Council of Justice (Conselho Nacional de Justiça) publishes a public database with statistical data on communications interception procedures authorized by courts.

    See more
  14. Is there any legal limitation that prohibits companies from publishing transparency reports?
    no

    To the best of our knowledge, no normative framework prohibits companies from publishing statistical data on the number of data requests made by the state in criminal or national security matters. On the contrary, Decree 8.771/2016 establishes that the highest authority of each federal public administration agency shall publish, on its website, yearly statistical reports about their requests for access to Internet users’ subscriber data.

    See more
  15. Do telecommunication companies publish transparency reports?

    Vivo/Telefónica- YES

    Claro/NET- NO

    Oi- NO

    TIM- NO

    SKY/AT&T- YES

    Algar- NO

    Vivo/Telefonica provides annual transparency reports. SKY/AT&T publishes regular transparency reports, but with few data regarding their operations outside the U.S. Claro/NET, Oi, TIM, and Algar do not disclose transparency reports.

    See more
  16. Can companies notify users about States’ data requests?

    Companies are not prevented from notifying when secrecy is not legally or judicially required. There is also no prohibition for subsequent notification. The secrecy requirement is previously set in the Telephone Interception Law. In other relevant statutes, the law gives a general authorization for the judge to determine it or not.

    See more