Dimensions of Cybersecurity in Brazil

Oppermann, Daniel

doi:10.1007/978-3-030-56405-6_2

CyberBRICS pp 35-65 | Cite as

Dimensions of Cybersecurity in Brazil

Authors
Authors and affiliations

Daniel Oppermann

Chapter

First Online: 05 January 2021

105 Downloads

Abstract

Cybersecurity is a term with a variety of meanings, a term that at this point has received little attention as a concept in academia, although it is used by countless organisations and individuals of different professional backgrounds. Observing debates on cybersecurity in diverging academic environments, it becomes clear that increasing understanding and acceptance of multidisciplinarity would improve the debates as they are taking place so far. This chapter is a reflection on an initial but not fully debated attempt to create subcategories for cybersecurity from a legal perspective in which the concept itself serves as the main category subdivided into data protection, consumer protection, cybercrime, public order and cyberdefence, all with a focus on Brazil as a national case.

This is a preview of subscription content, to check access.

Annex

Country Report: Brazil

A) Data Protection

Scope

1. What national laws (or other types of normative acts) regulate the collection and use of personal data?

The collection and processing of personal data is regulated by the Brazilian General Data Protection Law – LGPD (n. 13.709/18). But it is also important to note that such law is embedded in a set of rules that address, at least in some respect, issues relating to privacy and protection of personal data, as the following:

General Telecommunications Law (Federal Law n. 9472 of 1997)
Criminal Identification Law (Federal Law n. 12,037 of 2009)
Freedom of Information Act (Federal Law n. 12,527 of 2011)
Civil Rights Framework for the Internet (Federal Law n. 12,965 of 2014)

2. Is the country a part of any international data protection agreement?

Brazil is not part of any international data protection agreement.

3. What data is regulated?

The LGPD regulates personal data (online and offline). [Art. 1, Art. 3]

4. Are there any exemptions?

The law does not apply when data is treated by natural persons for private and non-economic interests.

The law does not apply when data is treated for the following reasons or interests: journalists, artistic, academic, public security, national defence, state security and criminal investigation/repression. [Art. 4]

5. To whom do the laws apply?

The LGPD will apply to all natural persons or legal entities incorporated or doing business in Brazil that collect personal data about Brazilian nationals. They will have to comply with the new law, as long as:

The processing operation is carried out in Brazil
The purpose of the processing activity is to offer or provide goods or services, or the processing of data of individuals located in Brazil
The personal data was collected in Brazil

The law will not apply to data processing:

Carried out by a natural person exclusively for private and non-economic purposes
Performed for journalistic, artistic or academic purposes
Carried out for purposes of public safety, national security and defence or activities of investigation and prosecution of criminal offences (which will be regulated by specific legislation)
Originated outside the Brazilian territory and are not the object of communication; shared data use with Brazilian processing agents or the object of international transfer of data with another country that is not the country of origin as long as the country of origin offers a level of personal data protection adequate to that established by LGPD. [Art. 3]

6. Do the laws apply to foreign entities that do not have physical presence in the country?

The law applies to any natural or legal person, irrespective of their location, whenever:

Processing is done in Brazilian territory
The processing activity aims at offering goods, services or data processing to individuals located in the country
The personal data used in the processing activities have been collected in national territory [Art. 3]

Definitions

7. How are personal data defined?

Personal data are defined as information related to an identified or identifiable natural person. [Art. 5]

8. Are there special categories of personal data (e.g. sensitive data)?

A specific classification is made for sensitive personal data being information related to specifically defined categories like race, ethnicity, religion, political orientation or activities and others. There is also a classification for anonymised data, which is defined as data relating to a data subject who cannot be identified, considering the use of reasonable technical means available at the time of the processed thereof. [Art. 5]

9. How are the data controller and the data processor/operator defined?

A data controller is a natural or legal person governed by public or private law, responsible for taking decisions on the processing of personal data.

A data operator is a natural or legal person governed by public or private law, executing the processing of personal data in the name of the data controller. [Art. 5]

10. What are the data protection principles and how are they defined?

The LGPD law lists the following data processing principles.

Purpose limitation: realisation of data processing for intentions that are legitimate, specific, explicit and with knowledge of the data subject, without the possibility of a later processing that does not consistent with these objectives.

Appropriateness: compatibility of the processing in accordance with the objectives informed to the data subject, in consistency with the context of the processing.

Necessity: limitation of the processing to the necessary minimum to achieve the objectives, covering the specific data in a proportional but not excessive manner in relation to the objectives of the data processing.

Free access: the guarantee for the data subject to easily and freely receive information regarding the manners and period of the processing, just as regarding the integrity of its personal data.

Data quality: the guarantee for the data subject regarding accuracy, clarity, relevance and actualisation of the data, according to the necessity and the compliance of the objectives of the processing.

Transparency: the guarantee for the data subject regarding clear, precise and easily accessible information about the data processing, about the respective agents of the process and the respect for commercial and industrial secrets.

Security: the utilisation of technical and administrative measures to protect personal data against unauthorised access and accidental or illicit situations of destruction, loss, alteration and communication of diffusion.

Prevention: adoption of measures to prevent the occurrence of harm in the context of personal data processing.

Non-discrimination: the impossibility of realising data processing for discriminatory, illicit or abusive objectives.

Responsibility and accountability: a demonstration of the agent regarding the adoption of efficient measures to prove the compliance of personal data protection norms and of the efficiency of those measures. [Art. 6]

11. Does the law provide any specific definitions with regard to data protection in the digital sphere?

Yes, the law defines a database as a structured set of personal data, established in one or several sites, in electronic or physical support. [Art. 5]

12. Is the data protection law based on fundamental rights (defined in Constitutional law or International binding documents)?

Yes, article 2 of the data protection law refers to fundamental rights, including (but not limited to) privacy, freedom of expression, free initiative and human rights.

13. What are the rights of the data subjects according to the law?

Data subjects have the right to receive facilitated access to information regarding the treatment of their personal data.

Article 9 of the data protection law states the manner this information has to be provided including information on the objectives of the process, its duration, the identification of controllers and its contact information, information regarding data sharing, the responsibilities of the processing agents and the rights of the data subject.
Art. 17: Every natural person is assured ownership of her/his personal data, with the fundamental rights of freedom, intimacy and privacy being guaranteed, under the terms of this Law.
Art. 18: The personal data subject has the right to obtain the following from the controller, regarding the data subject’s data being processed by the controller, at any time and by means of request:
- I – confirmation of the existence of the processing
- II – access to the data
- III – correction of incomplete, inaccurate or out-of-date data
- IV – anonymisation, blocking or deletion of unnecessary or excessive data or data processed in noncompliance with the provisions of this Law
- V – portability of the data to another service or product provider, by means of an express request and subject to co-regulation of the controlling agency
- VI – deletion of personal data processed with the consent of the data subject, except in the situations provided in Art. 16 of this Law
- VII – information about public and private entities with which the controller has shared data
- VIII – information about the possibility of denying consent and the consequences of such denial
- IX – revocation of consent as provided in §5 of Art. 8 of this Law
- §1 The personal data subject has the right to petition, regarding her/his data, against the controller before the national authority.
- §2 The data subject may oppose the processing carried out based on one of the situations of waiver of consent, if there is noncompliance with the provisions of this Law.
- §3 The rights provided in this article shall be exercised by means of express request by the data subject or her/his legally constituted representative to the processing agent.
- §4 If it is impossible to immediately adopt the measure mentioned in §3 of this article, the controller shall send a reply to the data subject in which she/he may:
- I – communicate that she/he is not the data processing agent and indicate, whenever possible, who the agent is or
- II – indicate the reasons of fact or of law that prevent the immediate adoption of the measure.
- §5 The request as mentioned in §3 of this article shall be fulfilled without costs to the data subject, within the time periods and under the terms as provided in regulation.
- §6 The responsible shall immediately inform the processing agents with which she/he has carried out the shared use of data of the correction, deletion, anonymisation or blocking of data, so that they can repeat an identical procedure.
- §7 The portability of personal data referred to in Item V of the lead sentence of this article does not include data that have already been anonymised by the controller.
- §8 The right referred to in §1 of this article may also be exercised before consumer-defence entities.
- Art. 19: Confirmation of the existence of or access to personal data shall be provided by means of request by the data subject:
- I – in a simplified format, immediately or
- II – by means of a clear and complete declaration that indicates the origin of the data, the nonexistence of record, the criteria used and the purpose of the processing, subject to commercial and industrial secrecy, provided within a period of fifteen (15) days as from the date of the data subject’s request.
- §1 Personal data shall be stored in a format that facilitates the exercise of the right to access.
- §2 Information and the data may be provided, at the data subject’s discretion:
- I – by an electronic mean that is safe and suitable to this purpose or
- II – in printed form.
- §3 When processing originates from the consent of the data subject or from a contract, the data subject may request a complete electronic copy of her/his personal data, subject to commercial and industrial secrecy, in accordance with regulations of the national authority, in a format that allows its subsequent use, including for other processing operations.
- §4 The national authority may provide differently regarding the time periods provided in Items I and II of the lead sentence of this article for specific sectors.
- Art. 20: The data subject has the right to request review of decisions taken solely on the bases of automated processing of personal data that affects her/his interests, including decisions intended to define her/his personal, professional, consumer or credit profile or aspects of her/his personality.
- §1 Whenever requested to do so, the controller shall provide clear and adequate information regarding the criteria and procedures used for an automated decision, subject to commercial and industrial secrecy.
- §2 If there is no offer of information as provided in §1 of this article, based on commercial and industrial secrecy, the national authority may carry out an audit to verify discriminatory aspects in automated processing of personal data.
- Art. 21: Personal data concerning the regular exercise of rights by the data subject cannot be used to her/his detriment.
- Art. 22: The defence of the interests and rights of data subjects may be carried out in court, individually or collectively, as provided in pertinent legislation regarding the instruments of individual and collective protection.

Obligations and Sanctions

14. What are the obligations of the controllers and processors/operators?

Controllers need specific additional consent of the data subject before sharing their data with other controllers. [Art. 7, I and par. 5]

The controller has the responsibility to prove that consent was given by the user to process their data. [Art. 8, par. 2]

The controller needs to inform the data owner/subject regarding specific changes which are defined in Art. 9 (e.g. objectives and means of data processing, identification of controller, etc.). The data subject has the right to not accept the changes and withdraw his consent. [Art. 8, par. 6; Art. 9, par. 2]

The controller can only process data for legitimate objectives as defined in Art. 10 (e.g. promotional and service activities). In this context, processing is limited to those data which are necessary for the specific objective. The controller must adopt measures to guarantee transparency during the processing of data. [Art. 10]

Controllers are not allowed to share or communicate sensitive personal health care data with other controllers without consent of the data subject. [Art. 11, par. 4]

Controllers are obligated to have the consent of at least one parent or another legally responsible person before treating data of children (Art. 14, par. 1 and 5). In this context, controllers have to inform what data are collected and how they are used. This information has to be provided by the controller in a simple and clear manner to meet the needs and specific context and intellectual level of understanding of the users. This can include audiovisual means. [Art. 14, par. 6]

Exceptions are made in case data collection is necessary to protect children or to contact parents or legally responsible persons. [Art. 14, par. 3]

Controllers are not allowed to set access to personal data as a condition to children accessing games, Internet applications or other activities, unless the data is necessary to provide their services. [Art. 14, par. 4]

Personal data is to be deleted by the controller when data processing is completed. Exceptions can be defined by legal or regulatory obligations, in the case of research organisations (which are obliged to keep personal data anonymous if possible), data transfers to third parties or exclusive use by the controller (anonymisation required). [Art. 16]

When requested by the data subject, the controller has to inform the data subject about the existence of data treatment processes, to give access to the data, to correct incomplete or outdated data, to anonymise, block or delete data unnecessary or excessive data or data treated disrespecting the legal requirements. The controller must provide the data to other controllers if requested by the data subject. He has to delete personal data (unless deleting would interfere with other legal requirements), to inform the data subject about third controllers who received access to the data and to inform the data subject about the possibilities of not giving consent including possible consequences regarding this decision. Furthermore, controllers must inform data subjects about the right to withdraw consent upon request by the data subject. [Art. 18]

The data subject can hand in complaints at no charge about data controllers at the national data authority or consumer protection agencies. [Art. 18, par. 1ff]

The controller has the right to respond to complaints by the data subject at the national authority. [Art. 18]

The data subject has the right to request a review of decisions taken exclusively based on automated personal data treatment if the treatment affects his interests, including the definition of personal, professional, financial or consumer profiles.

Whenever requested by the data subject, the controller has to provide clear information regarding criteria and processes of automated decisions.

If the data controller does not provide the information, the national data authority can investigate the controller. [Art. 20]

The defence of the interests and rights of the data subject may be exercised in court, individually or collectively, in the form of the provisions of the applicable law, about the instruments of individual and collective protection. [Art. 22]

The controller and the operator must store records of personal data treatment conducted by them. [Art. 37]

If requested by the national data authority, the controller has to report on his data protection procedures. [Art. 38]

The operator has to conduct data processing as instructed by the controller. [Art. 39]

The controller has to nominate a person responsible for personal data treatment and communication with data subjects and national authorities. The controller has to provide the public with the name and contact of this person (e.g. on his website). The person is also responsible for informing employees and partners of the controller regarding personal data protection procedures. [Art. 41]

The controller and the operator are responsible to compensate for individual, collective, moral and patrimonial harm caused by personal data treatment. [Art. 42]

The controller has to inform the national data authority and the data subject in case of security incidents that could cause harm to the data subject. Article 48 defines further details of this procedure. [Art. 48]

The national data authority has to verify the seriousness of security incidents and if necessary take measures to inform the public and to reduce damage. [Art. 48, par. 2]

15. Is notification to a national regulator or registration required before processing data?

In specific situations, notification to a national regulator is required. This includes data transfer from public to private actors [Art. 26, par. 2] and modifications of specific procedures for international data transfers [Art. 36].

16. Does the law require privacy impact assessment to process any category of personal data?

The law establishes that the national authority may require the controller to prepare a data protection impact assessment, including sensitive data, relating to its data processing operations, as provided for by the regulations, with due regard for trade and industrial secrets. The report shall contain at least a description of the types of data collected, the methodology used for collection and as guarantee of security of the information, and an analysis of the controller in relation to the measures, safeguards and risk mitigation mechanisms adopted. [Art. 38]

17. What conditions must be met to ensure that personal data are processed lawfully?

The legal bases for data processing are:

Receiving consent from the data subject
To fulfil legal or regulatory requirements by the controller
For public administration to execute public policies
For the realisation of studies conducted by research organs
For the execution of contracts
For the execution of legal processes
To protect the life of data subjects and other individuals
To enable specific health care activities
To attend legitimate interests of controllers or others
For credit protection [Art. 7]

18. What are the conditions for the expression of consent?

Consent has to be given in a written or any other form that expresses the agreement of the data subject. The controller is obligated to prove that consent was given. The consent has to refer to specific objectives. Consent can be cancelled at any moment by the data subject. [Art. 8]

19. If the law foresees special categories of data, what are the conditions to ensure the lawfulness of processing of such data?

There are specific requirements for the treatment of sensitive personal data. This procedure can lawfully occur when the data subject or a legal representative gives consent to the specific objectives of the process. Exceptions are made in a number of cases, among them legal necessities of controllers and of public administration, for the purpose of research and medical treatment, for security reasons and others. [Art. 11]

20. What are the security requirements for collecting and processing personal data?

Data processing actors have to establish security measures to protect personal data. The national authority can define technical security standards for data processing actors. [Art. 46]

Data processing actors are obliged to guarantee security for personal data during and after processing them. [Art. 47]

The controller has to inform the national authority and the data subject in case of security incidents that could cause relevant harm to the data subject. In this context, the controller has to provide information including the nature of the affected data, the affected data subjects, the data protection measures taken, the risks related to the incident, an explanation in case of delayed communications and the measures taken to solve the situation.

The national authority will analyse the incident and, if necessary, take measures to protect the rights of the data subject. This can include (but is not limited to) a public announcement of the incident and measures to reduce harm caused by the incident. [Art. 48]

21. Is there a requirement to store (certain types of) personal data inside the jurisdiction?

There is no such requirement.

22. What are the requirements for transferring data outside the national jurisdiction?

The transfer of data to outside the national jurisdiction is allowed in case the receiving country or organisation offers adequate data protection measures as provided by the Brazilian law. The data controller has to provide guarantees to comply with the principles and the rights of the data subject and the data protection regime of the law.

In specific cases, international data transfer is allowed which includes international juridical cooperation, the protection of life, transfers authorised by the national authority, the compliance with international cooperation agreements besides others. [Art. 33]

The level of data protection of the foreign entity is evaluated by the national authority. [Art. 34]

23. Are data transfer agreements foreseen by the law?

Yes, the law has a chapter dedicated to international data transfer (Chapter V). Article 33 sets out the cases in which transfer is permitted, which are as follows:

I – to countries or international organisations that provide the appropriate level of protection of personal data provided for by the Brazilian Law
II – where the controller provides and demonstrates guarantees of compliance with the principles, rights of the data subject and data protection regime established in the Brazilian Law
III – where the transfer is required for international legal cooperation between government intelligence, investigation and police bodies, in accordance with the international law instruments
IV – where the transfer is required for life protection or physical integrity of the data subject or any third party

24. Does the relevant national regulator need to approve the data transfer agreements?

Yes, the national regulator needs to evaluate the level of data protection in the foreign country or entity. [Art. 34]

25. What are the sanctions and remedies foreseen by the law for not complying with the obligations?

The data protection law provides a number of sanctions and remedies including warnings, fines, publication of the occurrences and the temporary blocking or deletion of personal data. [Art. 52]

Actors

26. What actors are responsible for the implementation of the data protection law?

The national authority called “Autoridade Nacional de Proteção de Dados” (ANPD) is responsible for the implementation. [Art. 55]

27. What is the administrative structure of actors responsible for the implementation of the data protection law (e.g. independent authority, executive agency, judiciary)?

The ANPD is being created by the Presidency of the Republic. It has a transitory nature: at first it will be a branch of the Federal Government, but within 2 years it may be transformed into an independent Regulatory Agency. [Art. 55-A]

28. What are the powers of the actors responsible for the implementation of the data protection law?

ANPD has a series of powers, including oversight, elaborating guidelines and regulations, conducting or ordering audits and receiving complaints from data subjects against controllers, among others. [Art. 55-J]

B) Consumer Protection

Scope

29. What national laws (or other types of normative acts) regulate consumer protection?

Consumer protection is regulated by the Consumer Protection Law (Código de Defesa do Consumidor, 8078/1990). Decree 7962/13 is regulating electronic commerce.

30. Is the country a party of any international consumer protection agreement?

Brazil is part of the Santa Maria Protocol of the MERCOSUL which was signed in 1996 but not ratified yet. Brazil has signed the Montreal Convention (international carriage by air) and the Warsaw Convention of 1929.

31. To whom do consumer protection laws apply?

The consumer protection law applies to physical persons and corporate entities.

32. Do the laws apply to foreign entities that do not have physical presence in the country?

The law refers to foreign actors, for example, as producers or distributors [Art. 3, Art. 12] but has no specific reference to actors located outside the Brazilian jurisdiction.

Definitions

33. How is consumer protection defined?

The law does not provide a definition for consumer protection.

34. How are consumers defined?

The law defines consumers as physical persons and corporate entities who acquire products or services as final users.

35. How are providers and producers defined?

The law defines providers as physical persons and corporate entities, public or private, national or foreign, who produce, assemble, create, construct, transform, import, export, distribute or commercialise products or services.

36. Does the law provide any specific definitions with regard to consumer protection in the digital sphere?

The law does not contain definitions regarding the digital sphere.

Rights

37. Is the consumer protection law based on fundamental rights (defined in Constitutional law or International binding documents)?

Yes, the consumer protection law refers to articles 5, 48 and 170 of the Brazilian Constitution.

38. What are the rights of the consumer defined by the law with reference to digital goods and services?

The consumer protection law does not refer to rights of the consumer in reference to digital goods and services. However, decree 7962/13 (e-commerce law) states that consumers have the right to choose [Art. 4] and the right of withdrawal [Art. 5].

39. Is the consumer protection law applicable to users of zero-price services, i.e. free of charges?

Neither the consumer protection law nor the decree on e-commerce refers to zero-price services.

Obligations and Sanctions

40. Does the law establish specific security requirements to provide digital services or goodies?

The consumer protection law does not refer to activities in the digital sphere. However, it does mention security aspects in a general sense. Therefore, products and services shall not present a security issue for consumers [Art. 8]. Providers have to inform consumers about potential security issues [Art. 9]. Providers are not allowed to offer products or services that contain high security risks [Art. 10]. Public authorities on all levels are obligated to inform consumers regarding security issues with products and services whenever they take notice. Decree 7962/13 on the regulation of electronic commerce states that commercial websites need to inform consumers on possible security risks of products and services [Art. 2]. Article 4 of the same decree demands providers to apply secure measures for payment options and consumer data processing.

41. What are the sanctions and remedies foreseen by the law for not complying with the obligations?

Article 56 of the consumer protection law specifies the following sanctions and remedies: fines; product confiscation; product destruction; confiscation of product licences; prohibition of product manufacturing; suspension of product supply; temporary suspension of professional activities; suspension of permissions or concessions of usage; suspension of licences of establishments or activities; prohibition of establishments, constructions or activities; and administrative interventions and imposition of counter statements. The same article furthermore informs that other methods including criminal and civil prosecutions are possible.

Actors

42. What bodies are responsible for the implementation of the consumer protection law?

Article 39 states that specific organs are responsible for technical product standards required to provide products and services, which include Brazilian Technical Norms Association (ABNT) or another entity accredited by the National Metrology, Normalization and Industrial Quality Council (Conmetro). Article 82 of the consumer protection law defines the following bodies for being responsible for the implementation of consumer protection: Public Prosecution Service (Ministério Público), the Union, the states, the municipalities, the Federal District, different organs of public administration and consumer protection associations. Article 105 specifies that the National System of Consumer Protection is made up of federal, state and municipal organs, the Federal District and private consumer protection entities. It furthermore lists the National Department of Consumer Protection (Departamento Nacional de Defesa do Consumidor) at the Ministry of Justice as the coordinating organ of national consumer protection.

43. Is there a specific consumer protection body? If so, what is its administrative structure?

Article 105 of the consumer protection law defines the National Department of Consumer Protection (Departamento Nacional de Defesa do Consumidor) at the Ministry of Justice as the coordinating organ of national consumer protection policies. This is the structure stipulated in the 1990 Consumer Code, but there have been changes over the years, such as the creation of the National Consumer Secretariat (Senacon) and the rebranded Department of Consumer Protection and Defence.

The National Consumer Secretariat (Senacon) is part of the Ministry of Justice, and its duties are established in the Consumer Protection Code.

Structure: National Consumer Protection secretary, Chief of Staff, General Coordination of, Administration, Budget and Finance, General Coordination of Articulation and Institutional Relations, National Council on Combating Piracy and Intellectual Property Crimes,

The Department of Consumer Protection and Defence has its competence established in art. 18 of Decree n° 9.662, of January 1, 2019, Annex I, with the following structure: Board of the, Department of Consumer Protection and Defence, General Coordination of Market Studies and Monitoring, General Coordination of Technical Consultancy and Administrative Sanctions, General Coordination of the National.

The National Consumer Secretariat is responsible for:

Formulate, promote, supervise and coordinate the national consumer protection and defence policy
Integrate, articulate and coordinate the National Consumer Protection System
Articulate with federal public administration bodies with attributions related to consumer protection and defence
Guide and coordinate actions for consumer protection and defence
Prevent, investigate and prosecute violations of consumer protection rules
Promote, develop, coordinate and supervise actions to disseminate consumer rights, with a view to the effective exercise of citizenship
Promote actions to ensure the rights and interests of the consumer
Inspect and apply the administrative sanctions provided for in Consumer Defence Code and in other rules relevant to consumer protection
Adopt measures to maintain and expand the national consumer protection information system and guarantee access to information
Receive and forward consultations, complaints or suggestions made by consumers, representative entities or legal entities governed by public or private law
Enter into agreements with public bodies and entities and with private institutions to execute plans and programmes, in addition to acting in defence of compliance with federal rules and measures
Encourage, even with financial resources and special programmes, the creation of state, district and municipal consumer protection agencies and the formation, by citizens, of entities with this objective
Enter into conduct adjustment commitments, as provided by law
Exercise the powers established in Consumer Defence Code
Elaborate and disclose the complementary list of contractual clauses and unfair practices, under the terms of Consumer Defence Code
Direct, guide and evaluate actions for training in consumer protection aimed at members of the National Consumer Protection System
Determine consumer market monitoring actions to support public consumer protection and defence policies
Request the collaboration of bodies and entities of notable technical-scientific specialisation to achieve their objectives
Monitor regulatory processes, with a view to the effective protection of consumer rights
Represent the Ministry of Justice in the participation in national and international bodies, forums, commissions and committees that deal with consumer protection and defence or with matters of interest to consumers, unless there is a specific designation of the Minister of State that provides otherwise

44. What are the powers of the bodies responsible for the implementation of the consumer protection law?

Article 106 defines the following powers of the National Department of Consumer Protection:

Planning, elaborating, proposing, coordinating and executing national data protection policies
Receive, analyse, evaluate and send consultations, incriminations or suggestions presented by representative entities or legal persons of public or private law
Advice consumers regarding rights and guaranties
Inform, raise awareness and motivate consumers through different means of communication
Request the initiation of police investigations in case of delicts against consumers
Inform responsible organs about infractions violating consumer interests
Work with public prosecution to adopt procedural measures where necessary
Overseeing prices, supply, quantity and security of goods and services
Encourage the creation of consumer protection organisations by citizens and public entities on the state and municipality levels

C) Cybercrime

Scope

45. What national laws (or other types of normative acts) regulate cybercrime?

Brazil does not have a general cybercrime law, only the sparse prediction of several crimes that mention electronic means. These are the federal laws that establish such crimes:

Law 7.716/1989 (as amended by Law 9.459/1997, Law 12.288/2010, Law 12.735, 2012)
Child and Adolescent Statute – Law 8.069/1990 (as amended by Law 11.829, of 2008)
Law 9.296/1996 (as amended by Law 13.964/2019)
Law 9.504/1997 (Electoral Law)
Law 9.983/2000 (inserted in the Penal Code)
Law 10.695/2003 (inserted in the Penal Code)
Law 12.737/2012 (inserted in the Penal Code)
Law 13.772/2018 (inserted in the Penal Code)

46. Is the country a part of any international cybercrime agreement?

Brazil has not signed any international cybercrime agreement.

47. What cybercrimes are regulated?

Law 7.716/1989 (as amended by Law 9.459/1997, Law 12.288/2010, Law 12.735, 2012) addresses the practice of neo-Nazism and measures to stop the disclosure of such crime content resulting from racial or colour prejudice.
The Child and Adolescent Statute – Law 8.069/1990 (as amended by Law 11.829, of 2008) addresses pornographic material of children and adolescents and online sexual grooming.
Law 9.296/1996 (as amended by Law 13.964/2019) addresses illegal interception of communications.
Law 9.504/1997 addresses unauthorised access to electoral data systems.
The Penal Code (as amended by Law 9.983/2000) addresses false data entry into information systems as well as unauthorised modification or alteration of information systems performed by public servants against public administration.
The Penal Code (as amended by Law 10.695/2003) addresses copyright infringement.
The Penal Code (as amended by Law 12.737/2012) addresses illicit access (hacking) of IT equipment and networks. This law also regulates the establishment of police units investigating cybercrime.
The Penal Code (as amended by Law 13.772/2018) addresses unauthorised record and disclosure of sexual intimacy.

48. To whom do the laws apply?

Only Law 9.983/2000 has a specific target, regulating crimes committed by public servants. All the other laws are applicable to all citizens.

Definitions

49. Do the laws apply to foreign entities that do not have physical presence in the country?

The law does not address this question.

50. How is cybercrime generally defined by the national law?

The law does not address this question.

51. What are the cybercrimes provided for by the law and how are they defined?

The cybercrime law addresses illicit access to IT devices and electronic communications.

52. How is a computer system defined?

Marco Civil da Internet defines “Terminal” as the computer or any device that connects to the Internet.

53. How are computer data defined?

The law does not address this question.

54. How are forensic data defined?

The law does not address this question.

55. How are service providers defined?

The law does not provide any specific definition of providers. However, Brazilian law (Marco Civil) deals specifically with two types of providers: Internet connection providers and Internet application providers.

56. Does the national law provide any other definitions instrumental to the application of cybercrime legislation?

The cybercrime law does not provide further definitions.

Rights

57. Is the cybercrime law based on fundamental rights (defined in Constitutional law or International binding documents)?

The cybercrime law does not provide further definitions.

58. What are the rights of the victim and the accused?

Majorities of rights related to crimes are established in general legislation, such as the Penal Code and the Code of Criminal Procedure, and are applicable to all crimes, cyber or analog.

Nevertheless, the Child and Adolescent Statute states the following:

Art. 3. Without prejudice to the full protection treated of in this Law, the child and adolescent enjoy all the fundamental rights inherent to the human person and, by law or other means, are ensured of all opportunities and facilities so as to entitle them to physical, mental, moral, spiritual and social development, in conditions of freedom and dignity.
Art. 5. No child or adolescent will be subject to any form of negligence, discrimination, exploitation, violence, cruelty and oppression, and any violation of their fundamental rights, either by act or omission, will be punished according to the terms of the Law.

Procedures

59. Is there a specific procedure to identify, analyse, relate, categorise, assess and establish causes associated with forensic data regarding cybercrimes?

The cybercrime law does not define any of these procedures.

60. In case of transnational crimes, how is cooperation between the national law enforcement agency and the foreign agents regulated?

Brazil (e.g. the Federal Police) is cooperating with foreign agents based on cooperation agreements including MLATs. In 2016, the Federal Police inaugurated the cooperation centre CCPI to enhance its international joint investigations.

61. Are there any exceptions to the use of mutual legal assistance procedure to investigate the crime?

The law does not address this question.

62. Does the national law require the use of measures to prevent cybercrimes? If so, what are they?

The law does not address this question.

Obligations and Sanctions

63. What obligations do law enforcement agencies have to protect the data of the suspect, the accused and the victim?

The cybercrime law does not address this question. Further processes are defined in the data protection law.

64. What are the duties and obligations of the National Prosecuting Authorities in cases of cybercrime?

The law does not address this question.

65. Does the law impose any obligations on service providers in connection with cybercrime?

The law does not address this question.

66. To which extent can a legal person be held liable for actions in connection with cybercrimes?

The law does not address this question.

Actors

67. What bodies implement the cybercrime legislation?

Brazil has established a number of cybercrime police agencies as defined in Law 12735/2012.

68. Is there a special public prosecutor office for cybercrime? If so, how is it organised?

The law does not address this question.

69. Does the cybercrime legislation create any specific body?

Law 12735/2012 has established cybercrime police agencies.

D) Public Order

Definitions

70. How are public order, threats to public order and the protection of public order defined?

Law 7170/1983 (National Security Law) does not define any of those concepts.

71. Is the protection of public order grounded in constitutional norms?

The law falls under the rule of military justice.

Measures

72. What cyber measures address threats to public order?

The law does not address this question.

Actors

73. What public authorities are responsible for the implementation of surveillance techniques?

The law does not address this question.

74. What are the obligations of these public authorities?

The law does not address this question.

75. Can private actors be involved in the implementation of cyber measures to address threats to public order?

The law does not address this question. Generally speaking, private actors are providing technology and services to public institutions in Brazil.

E) Cyberdefence

Scope

76. Is there a national cyberdefence strategy or is cyberdefence mentioned in the national defence strategy?

In 2012, Brazil has published Cyberdefence Policies (Política Cibernética de Defesa). In 2014, Brazil has published a Military Doctrine on Cyberdefence (Doutrina Militar de Defesa Cibernética).

77. What is the legal status of the national defence or cyberdefence strategy?

Both the Brazilian cyberdefence policy and the military doctrine are normative regulations (portaria normativa) issued by the Ministry of Defence.

78. What national laws or other normative acts regulate cyberdefence in the country?

Brazil has no specific law on cyberdefence. Other relevant documents are mentioned above.

79. Is the country party of any international cooperation agreement in the sphere of cyberdefence?

Brazil is not part of international cyberdefence agreements.

80. Does the national cyberdefence strategy provide for retaliation?

Neither the cyberdefence policies nor the military doctrine covers the topic of retaliation.

Definitions

81. How are national security and national defence defined?

The 2012 National Defence Policies (Política Nacional de Defesa) define security as the condition that permits the country to preserve its sovereignty and territorial integrity, to promote its national interests, free of pressures and threats, and to guarantee its citizens the exercise of constitutional rights and obligations. In the same document, national defence is defined as the entirety of measures and activities of the state, focused on the field of the military, to defend territory, sovereignty and national interests against potential or clear predominantly external threats.

82. How are cybersecurity and cyberdefence defined?

The 2012 military doctrine defines cybersecurity as the art of assuring the existence and continuation of a nation’s information society, guaranteeing and protecting in cyberspace, its information assets and its critical infrastructure. The same document defines cyberdefence as the entirety of offensive, defensive and exploratory actions realised in cyberspace, in the context of national and strategic planning coordinated and integrated by the Ministry of Defence, with the objective to protect the information systems of national defence, obtain data to produce intelligent knowledge and to harm the opponent’s information systems.

83. How are threats to national security and cyberthreats defined?

The military cyberdefence doctrine defines cyberthreats as potential events of an undesired incident which could harm interests in cyberspace.

84. How is a cyberattack defined?

The military cyberdefence doctrine defines cyberattacks as actions to interrupt, reject, degrade, corrupt or destroy information or computational systems stored on devices and computational and communication networks of an opponent.

85. Does the national law provide any other definitions instrumental to the application of cyberdefence legislation?

The military cyberdefence doctrine provides definitions for cyber artefacts, information assets, cybernetic, day-zero, operational dominions, cyberspace, cybersource, cyberwar, critical information infrastructure, critical infrastructures, information operation, cyber power, cyber resilience, cyber risk, information and communication security, cyber protection and cyber exploration.

National Framework

86. Is cyberdefence grounded on the constitutional provisions and/or international law?

The military cyberdefence doctrine is based on the Brazilian constitution.

87. Which specific national defence measures are related to cybersecurity?

The military cyberdefence doctrine includes the following cyberdefence measures: offensive, defensive and exploratory actions in cyberspace, striking against opponents’ critical infrastructure, different forms of cooperation to produce knowledge and intelligence (also with actors outside the Ministry of Defence) and exploring weaknesses in opponents’ information systems. Furthermore, the doctrine refers to cyberattacks (as defined above), cyber protection measures to neutralise attacks and cyber explorations to collect data.

88. Is there a national defence doctrine and does the law or strategy refer to it?

Brazil has a military cyberdefence doctrine.

89. What measures are mentioned in the national law and strategy in order to implement cyberdefence?

(see 87)

90. How can Internet users’ online activities be limited for the reasons of protection of national security and cyberdefence?

No such measure is defined at this moment.

91. Does the national law or strategy foresee any special regime to be implemented in case of emergency in the context of cyberdefence?

No such measure is defined at this moment.

92. Is there any specific framework regulating threats to critical infrastructure?

Decree 9573/18 is regulating national policies for critical infrastructure security.

Actors

93. What actors are explicitly mentioned as playing a role regarding cyberdefence in the law or national cyberdefence strategy or defence strategy?

The overall responsible actor for cyberdefence is the Ministry of Defence. The military cyberdefence doctrine defines the armed forces to be the main actor responsible for cyberdefence. Also mentioned in the doctrine are the Office of the President, the Brazilian Internet Steering Committee (CGI), the Cyberdefence Centre (Centro de Defesa Cibernética, CDCiber), the CTIRs (Centros de Tratamento de Incidentes de Redes), CERT.br, CTIR Gov, ministries and governmental agencies (without further specification).

94. Is there a specific cyberdefence body?

Following the military cyberdefence doctrine, a number of public organs are establishing cyberdefence departments. At this moment, the CDCiber is the most elaborated cyberdefence body in Brazil.

95. What are the tasks of aforementioned actors?

CDCiber is responsible for observing and securing national networks, developing capacity building programmes, conducting research and the development of security tools.

References

Agência Senado (2019). Lei que cria Autoridade Nacional de Proteção de Dados é sancionada com vetos. 09 julho 2019. <https://www12.senado.leg.br/noticias/materias/2019/07/09/lei-que-cria-autoridade-nacional-de-protecao-de-dados-e-sancionada-com-vetos>. Accessed 12 Sep 2019.
Bezerra, M. & Araújo, E. (2011). Reflexões epistemológicas no contexto do Orkut: ética da informação, sociabilidade, liberdade e identidade. Perspectivas em Ciência da Informação, 16(2), 50–66.CrossRefGoogle Scholar
Brasil (2012). Livro Branco de Defesa Nacional. Brasil. <https://www.defesa.gov.br/estado-e-defesa/livro-branco-de-defesa-nacional>. Accessed 12 Sep 2019.
Caram, B. & Fernandes, T. (2018). Temer sanciona lei de proteção de dados e veta autoridade fiscalizadora. Folha de São Paulo. 14 Aug 2018. <https://www1.folha.uol.com.br/mercado/2018/08/temer-sanciona-lei-de-protecao-dados-e-veta-autoridade-fiscalizadora.shtml>. Accessed 12 Sep 2019.
CERT.br (2018a). Estatísticas dos Incidentes Reportados ao CERT.br. <https://www.cert.br/stats/incidentes/>. Accessed 12 Sep 2019.
CERT.br (2018b). Incidentes Reportados ao CERT.br. Janeiro a Dezembro de 2018. <https://www.cert.br/stats/incidentes/2018-jan-dec/tipos-ataque.html. Accessed 12 Sep 2019.
CERT.br (2018). TIC Domicílios 2018. Indicador C2A. Usuários de Internet. <https://cetic.br/pesquisa/domicilios/indicadores>. Accessed 12 Sep 2019.
Instituto Brasileiro de Geografia e Estatística (2019). Estimativas da População. <https://www.ibge.gov.br/estatisticas/sociais/populacao/>. Accessed 12 Sep 2019.
Instituto Igarapé (n.d.). Reconhecimento Facial no Brasil. Instituto Igarapé Website. <https://igarape.org.br/infografico-reconhecimento-facial-no-brasil/>. Accessed 30 Sep 2019.
Mandarino Jr., R. & Canongia, C. (2010). Livro Verde: Segurança Cibernética no Brasil. Presidência da República. Gabinete de Segurança Institucional. Secretaria Executiva. Departamento de Segurança da Informação e Comunicações. <http://www.biblioteca.presidencia.gov.br/presidencia/dilma-vana-rousseff/publicacoes/orgao-essenciais/gabinete-de-seguranca-institucional/livro-verde-seguranca-cibernetica-no-brasil/view>. Accessed 12 Sep 2019.
Ministério da Defesa (2012a). Estratégia Nacional de Defesa. 2a ed. Brasil. <https://www.defesa.gov.br/estado-e-defesa/estrategia-nacional-de-defesa>. Accessed 12 Sep 2019.
Ministério da Defesa (2012b). Política Cibernética de Defesa. MD31-P-02. 1a ed. Brasil. <https://www.defesa.gov.br/arquivos/File/legislacao/emcfa/publicacoes/md31_p_02_politica_cibernetica_de_defesa.pdf>. Accessed 12 Sep 2019.
Ministério da Defesa (2014). Doutrina Militar de Defesa Cibernética. MD31-M-07. Brasil. <https://www.defesa.gov.br/arquivos/legislacao/emcfa/publicacoes/doutrina/md31_m_07_defesa_cibernetica_1_2014.pdf>. Accessed 12 Sep 2019.
NIC.br (2018). Survey on the use of information and communication technologies in Brazilian households: ICT households 2017. São Paulo: Comitê Gestor da Internet no Brasil, 2018. <https://cetic.br/publicacao/pesquisa-sobre-o-uso-das-tecnologias-de-informacao-e-comunicacao-nos-domicilios-brasileiros-tic-domicilios-2017/>. Accessed 18 Sep 2019.
Oppermann, D. (2014). Internet Governance and Cyber Security in Brazil. Multilateral Security Governance, KAS, Rio de Janeiro, 167–181. <https://www.kas.de/documents/252038/253252/7_dokument_dok_pdf_39113_2.pdf>. Accessed 12 Sep 2019.
Presidência da República (1940). Casa Civil. Subchefia para Assuntos Jurídicos. Código Penal. Law 2848. 07 Dec 1940. <http://www.planalto.gov.br/ccivil_03/decreto-lei/del2848compilado.htm>. Accessed 12 Sep 2019.
Presidência da República (1990a). Casa Civil. Subchefia para Assuntos Jurídicos. Estatuto da Criança e do Adolescente. Law 8069. 13 Jul 1990. <http://www.planalto.gov.br/ccivil_03/leis/l8069.htm>. Accessed 12 Sep 2019.
Presidência da República (1990b). Casa Civil. Subchefia para Assuntos Jurídicos. Proteção do Consumidor. Law 8078. 11 Sep 1990. <http://www.planalto.gov.br/ccivil_03/leis/l8078.htm>. Accessed 12 Sep 2019.
Presidência da República (2012a). Casa Civil. Subchefia para Assuntos Jurídicos. Law 12735. 30 Nov 2012. <http://www.planalto.gov.br/ccivil_03/_Ato2011-2014/2012/Lei/L12735.htm>. Accessed 12 Sep 2019.
Presidência da República (2012b). Casa Civil. Subchefia para Assuntos Jurídicos. Law 12737. 30 Nov 2012. <http://www.planalto.gov.br/ccivil_03/_ato2011-2014/2012/lei/l12737.htm>. Accessed 12 Sep 2019.
Presidência da República (2013). Casa Civil. Subchefia para Assuntos Jurídicos. Decree 7962. 15 Mar 2013. <http://www.planalto.gov.br/ccivil_03/_Ato2011-2014/2013/Decreto/D7962.htm>. Accessed 12 Sep 2019.
Presidência da República (2014). Casa Civil. Subchefia para Assuntos Jurídicos. Marco Civil da Internet. Law 12965. 23 Apr 2014. <http://www.planalto.gov.br/ccivil_03/_ato2011-2014/2014/lei/l12965.htm>. Accessed 12 Sep 2019.
Presidência da República (2018). Secretaria-Geral. Subchefia para Assuntos Jurídicos. Lei Geral de Proteção de Dados Pessoais (LGPD). 14 Aug 2018. <http://www.planalto.gov.br/ccivil_03/_Ato2015-2018/2018/Lei/L13709.htm>. Accessed 12 Sep 2019.
Israel, E. (2013). Brazil aims to bring order to lawless cyberspace. Reuters. 26 Feb 2013. <https://www.reuters.com/article/brazil-cyberfraud/brazil-aims-to-bring-order-to-lawless-cyberspace-idUSL1N0BP52J20130226>. Accessed 04 Nov 2019.
Sales, S. & Paraíso, M. (2010). Escola, Orkut e juventude conectados: falar, exibir, espionar e disciplinar. Pro-Posições, 21(2), 225–242.CrossRefGoogle Scholar
Silva, R.; Nichel, A.; Martins, A. & Borchardt, C. (2011). Discursos de ódio em redes sociais: jurisprudência brasileira. Revista Direito GV, 7(2), 445–468.CrossRefGoogle Scholar
United Nations (2010). Salvador Declaration on Comprehensive Strategies for Global Challenges: Crime Prevention and Criminal Justice Systems and Their Development in a Changing World. n.d. <https://www.unodc.org/documents/crime-congress/12th-Crime-Congress/Documents/Salvador_Declaration/Salvador_Declaration_E.pdf>. Accessed 10 Oct 2019.
United Nations (2015). Non-paper submitted by Brazil reflecting its views on the issue of cybercrime. Commission on Crime Prevention and Criminal Justice. E/CN.15/2015/CRP.5. 18 May 2015. <https://www.unodc.org/documents/commissions/CCPCJ/CCPCJ_Sessions/CCPCJ_24/ECN152015_CRP5_e_V1503408.pdf>. Accessed 30 Sep 2019.
Valente, J. (2019). Tecnologias de reconhecimento facial são usadas em 37 cidades no país. Agência Brasil. 19/09/2019. <http://agenciabrasil.ebc.com.br/geral/noticia/2019-09/tecnologias-de-reconhecimento-facial-sao-usadas-em-37-cidades-no-pais>. Accessed 12 Sep 2019.

Copyright information

Authors and Affiliations

Daniel Oppermann
- 1
View author's OrcID profile

1.Institute of Strategic Studies (INEST)Fluminense Federal University (UFF)NiteróiBrazil

Dimensions of Cybersecurity in Brazil

Abstract

References

Copyright information

Authors and Affiliations

Personalised recommendations

Cite chapter