Brazil updated: “GDPR” and Cloud Regulation Enacted

By Renato Blum posted 22 Aug, 2018 17:17


Brazil updated: “GDPR” and Cloud Regulation Enacted - Brief remarks of relevant aspects concerning data flow, privacy and protection in Brazil

By Renato Opice Blum, Caio Lima, and Camila Rioja

Originally published at the Information Law Journal


Technology is pushing away remaining physical boundaries between countries and people – either in terms of social contact or services rendering. However, conflicting interests strengthen the need for a coherent legislative framework to address contemporary challenges regarding data protection, ownership and cross border information flow.


The million-dollar question as regards technology surpassing existing physical frontiers -- as technological services can be rendered oceans apart from the contracting party or even in the cloud -- is how legislation can cope with such intricate new business models while preserving each country's sovereignty and not hindering innovation in global markets.


This article provides brief remarks of important aspects concerning data flow, privacy and protection, including: the recently enacted Brazilian “GDPR”; the current MLAT controversy; first impressions of the CLOUD Act and a Brazilian Central Bank cloud services regulation.


Legislation and Policies as a Barrier to Data Flow


As a bit of background, Brazil’s very first legislation concerning the internet, Law 12,965 from 2014[1], best known as the “Internet Civil Landmark”, is quite recent and underwent a lot of criticism. While still a draft bill[2], it included provisions regarding so-called “data localization”, which set forth that information and data should be held in local servers exclusively, irrespective of the location of the parent company or other commercial decisions deemed applicable by the business.


Among other repercussions, such a measure can hinder the development of data-driven business -- which virtually all major industries are, or will be, in the very near future. The excerpt, however, was struck from the approved version of the bill, although the impact of data localization is still subject to high-caliber debates from different sources in Brazil and abroad[3].


Digital protectionism, outstandingly illustrated by China’s policy, is comparable with any physical barrier, according to a recent article by Alan Beattie[4]. His conclusions seem quite appropriate: although technology is overcoming physical barriers, legislation and policy are just as effective in hindering information flow. To support his finding, Mr. Beattie asserts that according to McKinsey “cross-border flows of goods, services and data added 10 per cent to global gross domestic product in the decade to 2015, with data providing a third of that increase”[5].


From business, economic and political standpoints, considering cross-border information flow is of the essence. Innovation, cost allocation and sovereignty, respectively, are intrinsically connected to such concepts. In this regard, it is worth sharing the following illustration, which provides information on data flow by country and economic sector.



Back to the Internet Civil Landmark, it should be noted that Article 11 subjects both the internet and the services provider to compliance with Brazilian legislation, in case any of the following acts occur in Brazil: gathering, storage and treatment of registries, personal data or communications. The right to privacy, data protection and communications secrecy are among the provisions such entities must observe under Brazilian legislation.


In comparison, under the General Data Protection Regulation (“GDPR”), Article 3(1) sets forth that the Regulation “applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not”. If the data subjects are in the Union but the controller or processor is not, the action will, pursuant to Article 3(2), still be subject to the Regulation irrespective of whether a payment by the data subject is required, as long as such data subjects are in the Union or if the behavior monitored takes place within the Union[6].


From a consumer standpoint, it is surely easy to use the internet freely and find one's own suppliers across the globe. Understanding and considering, from a legal perspective, the bureaucracy and intricacies related to the rights and conflicts that may arise when internet-related services are rendered by foreign providers – e.g. in case of content removal (including fake news and other offenses) or access to personal data kept abroad – is a whole different story.


Brazilian “GDPR” sanctioned on August 14, 2018


The Brazilian General Data Protection Law (“LGPD”) was sanctioned in Brazil on August 14, 2018[7]. The process in Congress lasted more than 6 years, while debates in civil society have been going on for the past 8 years. Brazil can now count on high-level legislation in terms of personal data protection – greater than the current stage of sectoral treatment based on different legal provisions. Currently, there are over 30 legal provisions addressing the data protection subject in Brazil.


The law will come into force 18 (eighteen) months after its publication, which is the deadline for companies to comply with the LGPD. It may seem a long time but, considering all that needs to be done, it is actually a limited time-frame[8].


Broadly speaking, LGPD is strongly inspired by the General Data Protection Regulation (GDPR) and, like the European Union regulation, will bring about a paradigm shift in the way personal data are being processed. Thus, developing a data protection culture within all organizations is of paramount importance.


LGPD applies to the processing (including operations such as collection, use, storage, transmission and erasure) of personal data (any information relating to an identified or identifiable natural person, including but not limited to name, national identification numbers - RG and CPF, location data, tastes and interests) that takes place in Brazil or relates to data subjects who are in the country, even if by enterprises located abroad.


The provisions explained above stress that the LGPD provides for extraterritorial effects. All companies that treat or aim at Brazilian data will be subject to its provisions. Another important provision regards cross-border data transfer, which will be made easier among countries that meet adequate data protection standards.


The legislation sets principles which should guide the processing, including lawfulness; purpose limitation; data minimization; transparency; non-discrimination; safety; damage control; responsibility and accountability; free access; and data accuracy. Also, security by design; data portability; the drafting of personal data protection impact reports and the presence of a data protection office are examples of a new reality controllers will have to face, as soon as the legislation comes into full effect.


Side by side with such provisions, users' rights rise, with emphasis on the right of access (i.e. data subjects can request access to all personal information held by controllers), which entails the right of rectification and information updating.


As regards pecuniary fines, these may reach as high as 2% (two percent) of the total revenues earned by the company, economic group or conglomerate in Brazil in the fiscal year preceding the commencement of the investigation, excluding taxes, but limited to a BRL 50 million cap per infringement (roughly USD 13 million).



MLATs in Brazil – Current Controversy


In order to ease the process of obtaining data and information from service providers located abroad, many countries are signatories of Mutual Legal Assistance Treaties (“MLATs”). Through such, countries rely upon a mechanism similar to a letter rogatory to obtain information located in foreign countries – i.e. by means of judicial assistance based on the communication between foreign authorities.


In opposition to such a model, some judges in Brazil are requesting information directly from any subsidiary of the service provider located within the country, as a measure to expedite the procedure. In some cases, when companies refuse to provide the requested information, courts are defining daily penalties as high as BRL 1 million (roughly USD 285,000).


The Federação das Associações das Empresas de Tecnologia da Informação (“Assespro Nacional”), or Confederation of the Information Technology Companies in free translation, filed a motion (“ADC 51”)[9] before the Brazilian Supreme Court (“STF”), aiming at recognizing the MLATs and the letter rogatory procedure as the only valid means to obtain information from companies whose data is located outside the Brazilian territory. Facebook and Yahoo filed petitions to act as a friend of the court, or amicus curiae in the legal jargon, providing similar arguments to the thesis sustained by Assespro Nacional.


In such context, it is important to stress that the MLAT procedure is under heavy criticism due to its inefficacy. The Brazilian entity responsible for the MLAT procedure, the Coordenação-Geral de Recuperação de Ativos do Departamento de Recuperação de Ativos e Cooperação Jurídica Internacional (“DRCI”), or, in free translation, General-Coordination of Assets Recovery from the Department of Assets Recovery and International Legal Cooperation, provided the following insights about the MLAT procedure when provoked in the ADC 51[10]:


  • Bureaucracy related to the drafting, translation, processing and implementation of the cooperation under the MLAT procedure makes it a lengthy process. The receipt of information forwarded by collaborating countries is often outdated or useless.


  • Only a fraction of the requests made by Brazil is addressed by foreign countries.


  • Experience shows that criminal groups are deliberately choosing providers located abroad to benefit from the fact information is not easily nor timely shared by foreign officials.


  • From 2014 to 2017, 108 requests for cooperation under the MLAT procedure were directed to the United States (re. confidentiality breach and telematics data). Only 18 requests were granted, and the average response time was 13 (thirteen) months.

Not only the Brazilian authorities are aware that the MLAT procedure is subject to flaws. Google has been advocating for reliable information sharing mechanisms, also by means of a public speech made by Google’s General Counsel Kent Walker, at The Heritage Foundation in Washington, D.C. A version of the speech given on June 22, 2017, is available at the company’s website[11].


In general lines, the company understands that current laws hinder law enforcement and user privacy. Another stated concern is that the extraterritorial authority exercised by some countries (e.g. direct requests) may put companies at risk of violating either the law of the requesting country or the law of the country where they are headquartered.


CLOUD Act - An Open Question


Given the relevance of the privacy issue and the cross border information sharing mechanisms, major companies in the cyberspace supported the enactment of the Clarifying Lawful Overseas Use of Data Act (“CLOUD”). By means of a public letter dated February 06, 2018[12], Apple, Facebook, Google, Microsoft and Oath expressed their view. In general lines, companies state that the CLOUD Act reflects a growing consensus and a logical solution for governing cross-border access to data, and “an important step toward enhancing and protecting individual privacy rights, reducing international conflicts of law and keeping us all safer”.

The United States Senate recently approved the CLOUD Act, sanctioned on March 23, 2018, by President Trump as part of the omnibus spending bill. The legislation provides that requests based on the Electronic Communications Privacy Act ("ECPA") will affect data regardless of its physical location. As regards foreign requests for data located in the United States, the CLOUD Act provides that by means of a bilateral agreement, nations should be able to request information directly from the provider in the United States, without having to follow the MLAT procedures - scrutiny of the United States Department of Justice.


Due to the newly enacted legislation, the United States Supreme Court decided in the first weeks of April, 2018[13] not to rule on an iconic national case regarding Microsoft digital data stored in Ireland. The core of the discussion lay in the reach of the Stored Communications Act, with Microsoft asserting that the United States' authority should be restricted to its territorial boundaries. This question is now superseded by the CLOUD Act. Thus, the world is certainly watching and eager to get a better grasp of the developments and applications of the CLOUD Act.


Brazilian Central Bank Regulation on Cloud Services


Amid the international scenario regarding cross-border data transfer, the Brazilian Central Bank made public in late April Regulation no. 4,658/2018, which sets forth rules for the hiring of relevant cloud computing services, data processing and storage, and cyber security policies. All financial institutions and/or those authorized to operate by the Brazilian Central Bank are subject to the requirements[14].


From an international perspective, the most interesting aspect of the Regulation is the green light for the hiring of relevant cloud computing services, data processing and storage from foreign providers – irrespective of their location, or the location of the services rendering. Foreign providers will be subject to a higher standard of requirements, from which we highlight:

  • The existence of an information exchange agreement between the Brazilian Central Bank and the regulatory authorities of the countries where the services will be provided.


  • In any case, the hiring must be submitted a priori to the analysis of the Brazilian Central Bank.

The hiring institution must:


  • Ensure that the provision of services does not cause any damage to its regular functioning nor harm in any way the performance of the Brazilian Central Bank.


  • Decide, a priori, which countries and regions can provide services.
  • Countries that limit or impede the access, by the Brazilian Central Bank, to the information provided, are ineligible.


  • Provide for alternatives in case the agreement cannot be maintained or is terminated.

The Regulation also addresses other sensitive points, such as: (i) privacy by design; (ii) an incident response plan, considering the reality of each institution; and, finally, (iii) the inclusion of mechanisms to disseminate the cyber security culture to clients and users.


An obligation to share information on relevant incidents was replaced by a suggestion to recommend initiatives to share such information in a way that secures free competition and secrecy.


In view of the above, and due to the sensitivity of the data held by Brazilian financial institutions, international legislation should definitely be a relevant topic when deciding which service providers should be considered for such services.

In view of the above, it is clear that the decision of the Brazilian Supreme Court in the ADC 51 will have much impact on controversies arising from cloud services rendered under the new Brazilian Central Bank regulation. In addition, upcoming developments of the CLOUD Act will be in the spotlight as regards the extent of its application. Moreover, Brazil achieved a milestone as regards data protection with the enactment of its own version of the GDPR. Thus, the international community can certainly count on relevant developments regarding data flow, privacy and protection in the upcoming years from Brazilian legislators and businesses.

[1]For the Internet Civil Landmark bill (Portuguese only) please refer to (last visited May 10, 2018).

[2]For information on the legislative process of the draft bill 2,126/2011 (Portuguese only), which originated the Internet Civil Landmark, please refer to the Brazilian Chamber of Deputies website (last visited May 10, 2018).

[3]See Bret Cohen, Britanie Hall and Charlie Wood “Data Localization Laws And Their Impact on Privacy, Data Security And the Global Economy” (2017), (last visited May 15, 2018); and several articles featured by the International Association of Privacy Professionals (“IAPP”), such as: (i) ShanShan Pa “On the European Commission's proposal for a regulation on the free flow of non-personal data”, (last visited May 15, 2018) and (ii) Sam Pfeife “Is the GDPR a data localization law”, (last visited May 15, 2018).

[4]See Alan Beattie “Data protectionism: the growing menace to global business”, (last visited May 15, 2018).

[5]See Alan Beattie “Data protectionism: the growing menace to global business”, (last visited May 15, 2018).

[6]Please refer to for a full version of the Regulation (last visited May 15, 2018).

[7] Approval was accompanied by partial vetoes to the creation of the National Data Protection Authority, some provisions on data processing by public authorities and some penalties for infringement of the law - such as suspension of operations of the offender’s database.

[8] In Europe, for example, where regulations were already in place, companies had 2 years to adjust to the new regulations (GDPR), which in many cases proved not enough.

[9]The case and its documents can be accessed on the Brazilian Supreme Court website (Portuguese only).

[10]The case and its documents can be accessed on the Brazilian Supreme Court website (Portuguese only).

[11]Please refer to (last visited May 15, 2018).

[12]Please refer to (last visited May 15, 2018).

[13]Please refer to (last visited May 15, 2018).

[14]Companies will have until 10.23.2018 to provide an adequacy schedule for services already hired abroad and domestically. Schedule must be fully implemented prior to December 31st, 2021.