Digital Business in Brazil: Overview | Practical Law

A Q&A guide to digital business in Brazil.

Practical Law Country Q&A 5-618-1134 (Approx. 28 pages)

by Marcela Waksman Ejnisman, Patrícia Helena Marta Martins, Antonio Marzagão Barbuto Neto, Jerry Levers de Abreu, Marcio Mello Silva Baptista, Carla do Couto Hellu Battilana, Bárbara Bassani de Souza and Bruna Borghi Tomé, TozziniFreire Advogados
Law stated as at 01 Apr 2023, Brazil
The Q&A gives a high level overview of matters relating to: regulations and regulatory, legislative and industry bodies for doing business online; setting up an online business; running a business online, including electronic contracts and e-signatures; implications of running a business online, including data protection, privacy protection and cybersecurity; rules relating to linking, framing, caching, spidering and metatags; jurisdiction and governing law; domain names; advertising and marketing; tax; protecting an online business and users; insurance; and proposals for reform.

Regulatory Overview

1. What regulations apply for doing business online (for business-to-business and business-to-consumer)?
There is no specific legislation regulating business-to-business (B2B) activities. Online business-to-customer activities are regulated by the:
  • Consumer Protection Code (CDC) (Federal Law No. 8,078/1990).
  • Electronic Commerce Decrees (Decrees No. 7,962/2013 and No. 10,271/2020). These implemented Resolution GMC No. 37/2019, of July 15, 2019, which provides for consumer protection in e-commerce within MERCOSUR countries.
  • Brazilian Internet Act (Law No. 12,965/2014) (Internet Act).
  • Presidential Decree No. 8,771/2016.
  • Brazilian General Data Protection Law (Law No. 13,709/2018) (Lei Geral de Proteção de Dados) (LGPD).
  • Economic Freedom Act (EFA) (Law No. 13,874/2019).
  • Regulations issued by the Department of the Ministry of Justice for Consumer Protection and Defence (Departamento de Proteção e Defesa do Consumidor) (DPDC).
2. What legislative bodies are responsible for passing legislation in this area? What regulatory and industry bodies are responsible for passing regulations and codes in this area?
There is no specific authority responsible for regulating online business activities. Legislation in this area can be passed through the ordinary legislative process provided for in the Brazilian Federal Constitution (Constitution), on the approval of a bill of law by the Chamber of Representatives and the Federal Senate.
Currently, there are no bodies passing regulations and laws specifically in the area of online business.

Setting up a Business Online

3. What steps must a company take to set up an existing/new business online?
There are no specific steps to be considered by a company when setting up a business online, other than the ordinary measures that the implementation of a business of any other nature requires, such as:
  • The incorporation of an entity.
  • The entity obtaining the registrations necessary for it to:
    • pay taxes and issue invoices (mandatory registrations with the Federal and Municipal Tax Authorities and registration with the State Tax Authorities if the company sells goods);
    • hire employees (registrations with the Social Security and the Severance Pay Fund).
  • Other specific registrations, where necessary (for example, registration with the Brazilian Central Bank if the company has foreign direct investments).
  • Draft of the website’s terms of use and privacy policy to regulate how the services will be provided to customers.
4. What types of parties can an online business expect to contract with?
Anyone can enter into online agreements, whether individuals or legal entities of a private or public nature. The procedure of online contracting for public entities depends on the rules provided in the applicable bid notice.
Under Brazilian civil law, individuals over the age of 18 are deemed capable and, therefore, allowed to enter into agreements with third parties.
Individuals under the age of 18 are not legally eligible to enter into any type of agreement.
An agreement concluded by a person under 16 years old is null, but an agreement can be accepted if the underage individual is between 16 and 18 years old and is assisted by their legal representative.
5. Is there any law or guidance that might affect the design of the website or app (for example, relating to access by disabled people or children)?
If access to a website or app is subject to age restrictions, users must generally be prompted to confirm that they comply with applicable age requirements before accessing the website or app.
It is also important to ensure that the offering and presentation of online products and services contains correct, clear, precise, and distinguishable information in Portuguese about the products' and services' characteristics.
See Question 22 and Question 23 for limitations that should be taken into account when designing a website.
6. What are the procedures for developing and distributing an app?
There are no specific procedures for developing and distributing an app under Brazilian law. However, the creation of an app in the form of software is in principle subject to copyright protection, which does not require registration with a public authority to be enforceable against third parties. However, it is advisable to prepare, before the app starts being downloaded by users, the app's terms of use, including applicable privacy provisions, and to require the user's agreement to those terms before download.
App developer agreements are usually entered into with the purpose of establishing the rights and obligations between the parties, particularly concerning:
  • Allocation of liabilities.
  • Confidentiality duties.
  • Intellectual property ownership and licensing for the developed app.
  • Software maintenance obligations.
In addition, common issues addressed in these agreements include pricing, development schedule, and data privacy clauses (regarding the processing of the personal data shared by the parties).

Running a Business Online

Electronic Contracts

7. Is it possible to form a contract electronically? Are there any limitations?

Requirements

Although there is no law specifically governing electronic contracts, there is no risk that the execution of electronic contracts, whether these are interpersonal or interactive (click-wrap) contracts, will be prevented. As a rule, and if the requirements for execution of an agreement are fulfilled (such as able agent, legal purpose, and form requirements), electronic contracts are as enforceable as if they had a handwritten signature.
One of the most substantial risks in the enforceability of click-wrap and similar contracts is the ability to evidence who accepted it. If the validity of an electronic contract is questioned, the burden to demonstrate lack of consent generally falls on the questioning party. There are various options that can be used to help secure the necessary evidence, such as digital or electronic signatures or evidence of a previous commercial enrolment with the business.

Limitations

Electronic contracts cannot be used where Brazilian law requires specific formal procedures for a particular activity. In the state of Sao Paulo, wills in the form of a public deed, for example, cannot be signed electronically.
Terms of use are adhesion agreements which are defined under Brazilian case law as those with the following characteristics:
  • Standardisation, predetermination and inflexibility of the offer.
  • General and permanent proposal, applicable to all interested parties.
  • Economic advantage of one of the parties.
  • Impossibility of negotiating or amending any provisions of the agreement.
The Brazilian Consumer Defence Code determines that adhesion agreements must be written in a way that eases the consumers' understanding and that the document should be presented with legible characters (the smallest acceptable font size is 12 point) and in the local language.
In addition, the provisions that limit consumers' rights should be highlighted to facilitate understanding. In certain cases, when agreements were considered adhesion contracts, Brazilian courts have interpreted disadvantageous provisions against the party who wrote them and in favour of the other party (the user). Although adhesion agreements are mostly applied in B2C contracts, these rules also apply to B2B relationships, provided that one of the parties is at a disadvantage in relation to the other.
8. What laws govern contracting on the internet?
Electronic contracts are governed by all Brazilian laws that apply to ordinary contracts, as well as by the Federal Law No. 12,965/2014, which governs the principles, warranties, rights and duties concerning the internet in Brazil.
Specifically, when dealing with consumer relations, electronic contracts are also governed by:
  • The Consumer Protection Code (CDC) (Federal Law No. 8,078/1990).
  • Regulations issued by the DPDC.
  • The Electronic Commerce Decrees (see Question 1).
9. Are there any data retention requirements in relation to personal data collected and processed through electronic contracting?
There are no data retention requirements in relation to the execution of electronic contracts. However, the use of personal data (and consent to do so) for a given purpose (for example, formation of a database) must be grounded in one of the legal bases provided in the LGPD (see Question 16).
Under the Internet Act, websites must keep access registrations for six months, and under the LGPD, the processing of personal data must cease when the purpose of the data processing activity is achieved. Retention of personal data for an indefinite period of time is not permitted.
10. Are there any trusted site accreditations available to confirm that the website has complied with minimum cybersecurity standards?
There are no specific Brazilian accreditation authorities that evaluate whether a website has complied with minimum cybersecurity standards. However, the accreditation certificates from the International Organization for Standardization (ISO) on cybersecurity matters are generally accepted as best market practice. The ISO 27001 certification, for example, is known as a set of requirements for collecting, storing, processing, and sharing personal data to ensure information security in companies that work with personal data and sensitive information.
11. What remedies are available for breach of an electronic contract?
As electronic contracts are governed by the laws applicable to ordinary contracts, in general the remedies available for breach of ordinary contracts are also available for breach of electronic contracts.
Generally, execution proceedings cannot be filed in relation to electronic contracts, as these contracts do not fulfil the requirement to have two undersigned witnesses (Civil Procedure Code). However, the Brazilian Superior Court of Justice (Superior Tribunal de Justiça) (STJ), when ruling on the interlocutory appeal to the Special Appeal (AResp) No. 1173191, recognised the possibility of filing execution proceedings without this requirement, where the existence and authenticity of the contract can be verified by different means (such as e-signatures based on the Brazilian Public Key Infrastructure (Infraestrutura de Chaves Públicas Brasileira) (ICP-Brasil) (see Question 12)).

E-Signatures

12. Does the law recognise e-signatures or digital signatures?

Applicable Legislation and Use

The Brazilian courts are likely to accept the validity of an agreement signed electronically, provided that the parties included a contractual provision recognising the validity of the electronic signature.
However, such an agreement cannot be enforced without a court confirming the validity of a monetary claim by either party. In such a case, the parties must take part in a court action (ação monitória) to prove the enforceability of the agreement before receiving any claimed amount. In practical terms, it means that the parties will be subject to a longer and more costly litigation procedure.
Agreements with digital signatures (certified by the Brazilian Public Keys Infrastructure (Infraestrutura Brasileira de Chaves Públicas) (ICP)) are recognised as authentic under section 411 of the Civil Procedure Code and are considered extra-judicially enforceable instruments. Because this process is more cumbersome and expensive, companies generally use electronic signature systems instead.
The following legislation applies:
  • Decree 10,278/2020, which establishes the technical requirements for the digitalisation of public and private documents to ensure they have the same legal effects as the original versions. This document also addresses the validity of electronic signatures provided that both parties agree to accept it.
  • Provisional Measure No. 2,200-2/2001, which created the Brazilian Public Key Infrastructure (Infraestrutura de Chaves Públicas Brasileira) (ICP Brasil) (see below, Definition of E-Signatures/Digital Signatures).
  • The EFA (which was further regulated by Decree No. 10,278/2020, specifically in relation to electronic signatures).
  • Law No. 14,063/2020, which regulates electronic signatures in interactions with public entities, in acts of legal entities, in health matters and on software licences developed by public entities.

Definition of E-Signatures/Digital Signatures

Electronic signatures are electronic mechanisms that evidence the acceptance of terms, but their authenticity may be subject to confirmation by the party, where there are reasonable doubts that the party’s legal representative was the individual executing the agreement.
Digital signatures are signatures certified by a digital certificate (within the ICP) and have legal authenticity.
Once a document is digitally signed, the document is bound to a visible certification key that validates the signature and authenticates the execution of the agreement.
Digital signatures (those authenticated by the ICP-Brasil) have authenticity, integrity, reliability and cannot be repudiated. The author of a digital signature cannot, by either technological or legal means, deny their responsibility for such a signature. The digital signature stays linked to the signed electronic document. If the document is changed, the e-signature becomes invalid. For this reason, the enforcement of transactions with digital signatures is not subject to the proof of consent by the parties.
Any means of confirming the authorship, integrity and, if necessary, the confidentiality of electronic documents are valid, provided that they were chosen in common agreement by the parties (EFA). In view of this, future electronic signatures are likely to have a legal effect equivalent to digital ones.

Format of E-Signatures/Digital Signatures

E-signatures are electronic mechanisms which allow the identification of the mailer of an electronic message.

Use of E-Signatures

E-signatures (both electronic and digital) are not a legal requirement for any transaction, but are becoming more popular with the creation of e-signature platforms and due to the COVID-19 pandemic.
13. Are there any limitations on the use of e-signatures or digital signatures?
There is no limitation on the use of e-signatures (both electronic and digital) in electronic contracts. There are, however, limitations on the use of electronic contracts under Brazilian law (see Question 7).

Implications of Running a Business Online

Data Protection

14. Are there any laws regulating the collection or use of personal data? To whom do the data protection laws apply?
The LGPD, in force since September 2020, applies to any personal data processing operation carried out by an individual or public or private legal entity, regardless of the method, the country in which its headquarters is located or where the data is located, provided that:
  • The processing operation is carried out in the Brazilian territory and either:
    • the purpose of the processing activity is to offer or provide goods or services or to process data of individuals located in the Brazilian territory; or
    • the personal data being processed was collected in the Brazilian territory (personal data whose data subject was in the Brazilian territory at the time of collection).
The scope of the LGPD extends to any category of personal data, in both the online and offline environments.
The LGPD does not apply where the processing of personal data is carried out:
  • By a natural person for exclusively private and non-economic purposes.
  • Exclusively for journalistic, artistic, and academic purposes.
  • By public authorities, for public safety, national defence, state security and investigation and crime prevention activities.
  • By another country that is not subject to communication, shared use of the data with Brazilian processing agents or subject to international data transfer with a country other than the country of origin.
In relation to online platforms, data collection must also respect the specific provisions of the Internet Act.
15. How does the law define personal data or personal information?
The LGPD defines personal data as information that relates to an identified or identifiable natural person.
The LGPD also defines "sensitive personal data" as personal data relating to racial or ethnic origin, religious belief, public opinion, affiliation to a union or religious, philosophical or political organisation, health or sex life, or genetic or biometric data, when relating to a natural person.
The LGPD further defines "anonymised data" (which is not subject to the rules of LGPD) as data relating to a data subject, which cannot be identified, considering the use of reasonable technical means available at the time of its processing.
16. Are there any limitations on collecting, storing, or using personal data?
Any data processing activity involving personal data is regulated under the LGPD, which authorises the use of such data for a given purpose and governs personal data processed with the data subject’s free, informed and unequivocal consent for any of the following purposes:
  • Compliance with a legal obligation.
  • The exercise of rights or obligations by the public administration.
  • The enforcement of contractual or pre-contractual obligations with the data subject.
  • Carrying out studies by a research entity, if the anonymisation of the personal data is ensured (whenever possible).
  • The exercise of rights in a judicial, administrative or arbitration procedure.
  • The protection of:
    • the life and physical safety of the data subject or a third party;
    • the data subject’s health, in procedures conducted by health professionals or entities (except where the data protection rights of the data subject prevail).
  • The legitimate interest of the controller (except where the data protection rights of the data subject prevail).
  • The protection of credit (including in relation to the applicable law), which has the purpose of ensuring that debtors will not use the LGPD as a reason to avoid complying with their financial obligations in connection to loans and pending debts.
Under the LGPD, the collection of sensitive data generally requires the specific, informed, detached, and express consent of data subjects.
Consent is waived when the collection or processing of such data is required for any of the following:
  • Compliance with a legal obligation.
  • Data sharing necessary for the implementation by a public body of public policies provided for in laws or regulations.
  • Carrying out studies by a research entity if the anonymisation of the personal data is ensured (whenever possible).
  • The exercise of rights inclusively within an agreement and in judicial, administrative or arbitration procedures.
  • The protection of:
    • the life or physical safety of the data subject or a third party;
    • health, exclusively in a procedure conducted by health professionals or entities.
  • Preventing fraud and ensuring the security of the data subject in the processes of identification and authentication of registration in electronic systems (except where the data protection rights of the data subject prevail).
The processing of the personal data of children must be carried out in their best interests, with the specific and separate consent of at least one of the parents or by the legal guardian.
A data processing activity must be interrupted when:
  • The purpose of the data processing activity has been achieved or the data is no longer necessary or pertinent to achieve the specific purpose intended.
  • The data processing period is over.
  • The data subject requests the interruption, including if the data subject revokes their consent.
  • A national authority determines the interruption due to a violation of the LGPD’s rules.
See Question 14 for requirements applicable to personal data collection under the Internet Act.
17. Can government bodies access or compel disclosure of personal data in certain circumstances?
The Brazilian Constitution protects the privacy of any citizen's and resident foreign national's personal data, and ensures the inviolability of the person's privacy and personal life (see Question 14).
Given these constitutional guarantees to privacy protection, any Brazilian citizen (or foreign national resident in Brazil) is entitled to the protection and privacy of their personal information, including correspondence, electronic communications and fiscal and banking information.
Government bodies are not generally authorised to access personal data without a court order authorising them to do so. However, administrative authorities with legal grounds/competence can request application and connection providers to disclose registration data (Internet Act) (see Question 15).

Privacy Protection

18. Are there any laws regulating the use of cookies, other tracking technologies like digital fingerprinting, or online behavioural advertising?
There are no laws regulating cookies and other tracking technologies in Brazil, but the ANPD recently published a guide on cookies and data protection. This guidance is not legally binding, but is an important indication of the ANPD’s rationale and expectations.
After ANPD’s recommendations to practices related to the use of cookies on a government website (Gov.Br), a similar approach to cookies in the private sphere was expected. The recent guidance is the first specifically related to cookies in the Brazilian legal framework. Previously, both individuals and entities have relied on the general principles and warranties set out in the LGPD for the processing of personal data in Brazil, on the basis that cookies can be considered personal data.

Cybersecurity

19. What measures must contracting companies or internet providers take to guarantee internet transactions' security?
Payment institutions operating in Brazil must implement an operational risk management structure in accordance with Brazilian Central Bank (Banco Central do Brasil) (BACEN) Circular No. 3,681 of 4 November 2013 to cover potential losses from transactional failures, including, among others:
  • Protection mechanisms for stored, processed and transferred data.
  • Mechanisms for:
    • the authentication of users and for authorising payment transactions;
    • the monitoring and authorisation of payment transactions with the purpose of preventing fraud;
    • identifying and blocking suspicious payment transactions on a timely basis.
  • Notifications to users in relation to blocked payment transactions.
  • A mechanism that allows users to verify whether their payment transactions are conducted correctly.
Companies handling personal data must take various measures aimed at adapting their policies to the requirements of the LGPD. These include privacy by design and by default to ensure personal data protection in the development of products and services.
Privacy by design strategies include the adoption of the appropriate technical and organisational measures to ensure that the safeguards provided in the LGPD are followed at every step of the company's data processing activities.
Privacy by default techniques relate to privacy standards presented by the company to its audience. These should represent the strictest privacy settings (granting data subjects the power to allow a greater collection of their personal data only if they find it necessary).
Those dealing with private data must adopt security measures to protect the data from unauthorised access and/or accidental loss, destruction, modification or any other type of breach (LGPD). The ANPD has not yet defined the minimum technical standards required to comply with these requirements (see Question 14).
Guidelines (established under section 13 of Decree No. 8,771/2013) for connection and application providers in relation to security standards applicable to the custody, storage, and processing of personal data and private communications recommend the:
  • Establishment of strict controls over access to data, by instituting responsibilities for those who have access and exclusive access privileges for certain users.
  • Provision of authentication mechanisms for access to records, by using, for example, dual authentication systems to ensure the individualisation of those responsible for data processing.
  • Creation of detailed logs of access to connection and applications records, which must contain:
    • the time and duration of access;
    • the identity of the official or company-appointed administrator involved; and
    • the identification of the files accessed.
  • Use of records management solutions through techniques that guarantee the inviolability of the data, such as encryption or equivalent protection measures.
20. Is the use of encryption required or prohibited in any circumstances?
Brazilian law does not specifically require the use of encryption. However, if a set of presumably encrypted personal data ends up being decrypted, any destination intended for the decrypted data must be authorised under one of the legal bases provided in the LGPD (see Question 16).
There is a judicial debate about disclosure requests for encrypted private communications in criminal investigations. Generally, the Internet Act establishes that the content of private communications could be disclosed under a court order if there is credible evidence that an illicit act occurred and the pertinence of the disclosure is demonstrated. Failure to comply with such an order can lead to the temporary suspension or prohibition of activities involving the collection, storage, and processing of personal data by connection and application providers.
These rules are being questioned in two leading cases pending decision by the Brazilian Supreme Court (Superior Tribunal de Justiça) (STF) (cases ADPF 403 and ADI 5527 (the "Whatsapp cases")). It is alleged, among other things, that the following amount to a violation of the fundamental right of freedom of communication provided in the Constitution:
  • Mandating disclosure of the content of private communications.
  • Suspending or prohibiting activities involving the collection, storage and processing of personal data by connection and application providers that do not comply with a disclosure request.
21. Are electronic payments regulated?
The Brazilian Payment System (Sistemas de Pagamento Brasileiro) (SPB) and the regulations applicable to payment institutions have been under constant review by the BACEN since the reform of the system in 2002. As a result of this review, Law No. 12,865 of 9 October 2013 (E-Payments Law) was enacted. It established that the SPB is under the supervision and regulation of the BACEN.
The following regulate the SPB:
  • National Monetary Council (Conselho Monetário Nacional) (CMN) Resolution No. 4,282 of 4 November 2021, as amended.
  • BACEN Resolutions No. 80 of 25 March 2021, as amended, and Resolution No. 81 of 25 March 2021, as amended.
To operate in the SPB, certain types of payment institutions must obtain authorisation with the BACEN depending on thresholds imposed by the BACEN regulations, as follows:
  • Electronic currency issuers operating from before 21 March 2021 if certain thresholds are reached.
    If operating after 21 March 2021, electronic currency issuers must be authorised by the BACEN regardless of any thresholds.
  • Post-paid payment instrument issuers: if operating with more than BRL500 million in payment transactions.
  • Acquirers: if operating with more than BRL500 million in payment transactions.
  • Payment initiators: from their establishment, regardless of any threshold amount.
The BACEN, while overseeing the SPB, constantly monitors the payments industry. Oversight includes the monitoring of aspects related to:
  • The efficiency and security of retail payment systems.
  • The existence of competition in the services provided.
  • The intensity of co-operation among market infrastructures.
Innovation in the development of new products that suit end users' needs is also taken into account.
The BACEN collects information and data relating to the use of payment cards (credit, debit and prepaid) and other types of payment instruments, including data on:
  • Access channels usage, for example, automated teller machines (ATMs) (cash machines), internet, home and office banking, call centres, mobile phones and correspondent banking.
  • Pricing policies, supporting financial market infrastructures (FMIs), levels of co-operation and interoperability among market infrastructures.
The BACEN can request from payment institutions the disclosure of any documents, books of registry, and information, including data stored in electronic systems, for the purpose of overseeing payment institutions (E-Payments Law).
BACEN has also increased its policy of promoting Open Finance regulations to advance competitiveness and transparency in the sector. Currently, new data can be shared, as well as new data on products and services, such as contracting foreign exchange transactions, investments, insurance and private pensions.
Payment institutions operating in Brazil must implement operational, liquidity and credit risk management structures as described in BACEN Circular No. 3,681 of 4 November 2013. These risk management structures must include protection mechanisms for, among others:
  • Stored, processed, and transferred data.
  • Authentication of users and for authorising payment transactions.
  • The monitoring and authorisation of payment transactions with the purpose of preventing fraud.
  • Identifying and blocking on a timely basis suspicious payment transactions.
  • Notifications to users in relation to blocked payment transactions.
  • A mechanism that allows users to verify whether their payment transactions are conducted correctly.
All documents relating to risk management, governance strategies and related policies must be available to the BACEN at all times.
22. Do any specific rules or guidance apply to websites aimed at (or that might be accessed by) children?
There are no specific rules for sites aimed at children. There are, however, rules for advertising aimed at children. Section 37 of the Brazilian Advertising Self-Regulation Code provides guidelines for advertisers in relation to advertising to children, such as the prohibition of any advertisement that incentivises socially reprehensible behaviour or discrimination. These parameters can be considered to apply to sites aimed at children as well.
Sites aimed at children must not contain any references to certain industries and products aimed at adult audiences (such as alcoholic beverages, tobacco, firearms and so on).
Under Brazilian law, a person under 16 years old is "totally incapable." A person aged between 16 and 18 years old is "relatively incapable." Transactions entered into by a totally incapable person are deemed null and void. Transactions entered into by a relatively incapable person are deemed valid if the person is assisted by their legal representatives (such as their parents).
In addition, the processing of personal data of children must be carried out in their best interests, through specific and separate consent of at least one of the parents or the legal guardian (LGPD).
Brazilian courts have ruled that parents are responsible for online transactions engaged by totally or partially incapable persons when they use their parents' account on a particular site or app, making it impossible for the site/app to identify that a minor person was actually responsible for the transaction. In such cases, it is the parents' responsibility to supervise the use of the site/app account.
The Constitution provides that the protection of children and teenagers is a paramount priority and a duty of the family, society and the state. Considering this, there are a few administrative and judicial proceedings aiming to hold application providers liable for any content that can be considered harmful to this public, even if there is no editorial control over users' posts.
Although there is no binding decision on this topic, there are several decisions arguing that application providers should monitor their users' content and could be considered liable if they host improper content or fail to act on a notice and takedown request. This is a controversial point in Brazil because the Internet Law does not apply a notice and takedown system and does not require application providers to monitor third-party content in advance.
23. Are there any laws protecting companies within your jurisdiction that resell or market online digital content, services or software licences provided by a supplier outside the jurisdiction?
There are no laws protecting companies within Brazil that resell or market online digital content, services or software licences provided by a supplier outside Brazil. From a consumer perspective, the company will be held strictly liable for a defective product or service.

Linking, Framing, Caching, Spidering, and Metatags

24. Are there any limitations on linking to a third-party website and other practices such as framing, caching, and spidering?
The Internet Act does not contain express limitations on linking to a third-party website, or other practices such as spidering, framing, caching, or using metatags. However, under section 3 the following principles (among others) are recognised:
  • Privacy.
  • User data protection.
  • Net neutrality.
  • Security.
  • Functionality preservation.
These principles are the basis of any limitations that can be applied on a case-by-case basis, until further regulation is issued.
In relation to copyright law, any reference to content published elsewhere must display information relating to its origin/authoring.
The general requirement to provide consumers with clear, correct and objective information obliges website owners to inform the consumer where results or listings are sponsored (section 36, Consumer Law). If the company receives any financial benefit for sponsored linking, it could be held strictly liable if the related product and service is defective. There are also some non-binding decisions indicating that liability could also be incurred where no financial benefit is received by the website displaying an advertisement based on the fact that there is a supply chain subject to the strict liability regime.
25. Are there any limitations on the use of metatags or advertising keywords?
There are no specific rules regarding metatags or keywords. However, the use of metatags or advertising keywords must not confuse consumers (sections 18, 27, 29, 30 and 32, Brazilian Advertising Self-Regulation Council (Conselho Nacional de Autorregulamentação Publicitária) (CONAR) Regulations and sections 6º, IV, 36 and 37, Brazilian Consumer Defence Code).
In addition, the National Council for Children and Adolescents (Conselho Nacional dos Direitos da Criança e do Adolescente) (CONANDA) published Resolution No. 163/2014, which deals with abusive advertising aimed at children. Metatags and keywords that may induce a child audience to access specific marketing and advertising content could be considered illicit. Examples include using, among others, the following aspects not related to public utility:
  • Children's language, special effects, and colour excess.
  • Soundtracks of children's voices or songs sung by children.
  • Representations of children.
  • People or celebrities that appeal to children.
  • Promotion with distribution of prizes, gifts or collectibles that appeal to children.
  • Promotional competitions or games that appeal to children.
Additionally, advertising and marketing communication within childcare and school institutions is considered unconscionable (section 2, Resolution No. 163/2014).
Further, it can be illegal to use metatags or advertising keywords for the opportunistic insertion of keywords to target a specific third-party brand.
Also, the use of brands as keywords to prioritise search results of their competitors can be considered illegal. There is no regulation on this matter and the case law is undecided, with some decisions finding such practices illegal and deceptive and others finding that there is no illegality in these situations.
During periods when national and local government elections are being held, there are specific rules for advertisers relating to the use of the keyword "electoral propaganda", information about the tax ID of the entity responsible for the advert and the prohibition of boosting content considered to be negative propaganda against a rival candidate. These rules apply only to the advertisers and not to the application providers.

Domain Names

26. What limitations are there in relation to licensing of domain names?
There is no specific legislation in Brazil concerning domain names.
Any company needs prior registry in the Brazilian domain name registry (Registro.Br) to request a domain name. Brazilian companies must submit:
  • Individual taxpayer registration (Cadastro de Pessoas Físicas) (CPF) or business taxpayer identification number (Cadastro Nacional da Pessoa Jurídica) (CNPJ) of the person or entity that will own the domain name.
  • Email address, business address and telephone number of the domain name owner.
A foreign company must have a legal representative and a registration with the Registro.br to be the owner of a domain name in Brazil. A company must provide the documents listed below to register on the Registro.Br database:
  • Power of attorney granting powers to a Brazilian legal representative to register domain names.
  • Evidence of commercial activity of the foreign company, stating the company’s corporate name, complete address, telephone, corporate object, activities and name and position of its legal representative.
  • Statement on behalf of the foreign company that it will establish its activities in Brazil within 12 months or declaring that such activities are already being exercised.
  • The company’s contact details (name, e-mail and telephone).
Domain names registered before Registro.Br are valid for a year and can be renewed to continue in force for longer periods.
27. Can use of a domain name confer rights in a word or phrase contained in it?
The owner of a domain name has no additional rights, such as priority in the registration of a corresponding trade mark.
Trade mark registration depends on a specific procedure before the Brazilian Patent and Trademark Office, a public authority that has no connections with Registro.Br, the private platform that registers domain names.
28. What restrictions apply to the selection of a business name, and what is the procedure for obtaining one?
In principle, a business name can be protected either as a:
  • Domain name. The registration of a domain name is made on the private platform Registro.BR (see Question 26).
  • Commercial name. The creation of a commercial name must be provided for by a corporate document of the relevant company registered with the Board of Trade.
Before registration of either a domain name or a commercial name, it is advisable to conduct a search on the databases of Registro.Br or the Board of Trade, as applicable, to check the existence of prior domain or commercial names.

Jurisdiction and Governing Law

29. What rules do the courts apply to determine the jurisdiction and governing law for internet transactions (or disputes)?

Jurisdiction

Brazilian courts have jurisdiction to process and decide actions where any of the following apply:
  • The defendant is domiciled in Brazil (irrespective of the defendant's nationality).
  • The obligation is to be performed in Brazil.
  • The grounds arise from facts occurring or acts undertaken in Brazil.
(Civil Procedure Code.)
While the general rule provides that lawsuits are filed before the courts where the defendant is domiciled, the Consumer Protection Code authorises consumers to file lawsuits with the courts where those consumers are domiciled, irrespective of whether the provider of services and goods is located elsewhere.

Governing Law

Parties to a B2B transaction can technically choose the substantive law to govern potential disputes (particularly in the context of an arbitration clause). However, the Brazilian Consumer Protection Code has mandatory application when the underlying transaction (or dispute) involves consumer-related issues. If there is no arbitration clause, courts usually apply Brazilian law to disputes, including those arising from B2B transactions.
30. Are there any alternative dispute resolution/online dispute resolution (ADR/ODR) options available to online traders and their customers?

ADR/ODR Options

Arbitration and mediation are generally available in Brazil and courts permit these alternative means of dispute resolution, including in B2B transactions, provided that parties either:
  • Use a properly drafted arbitration and/or mediation clause.
  • Voluntarily submit their dispute to arbitration or mediation in the absence of a prior agreement to arbitrate.
In consumer-related contracts containing arbitration clauses, arbitration is only possible if the consumer takes the initiative to begin proceedings (as a claimant), or expressly agrees to arbitration where the relevant provider of services or goods commences it. For B2C transactions, the use of an ODR service called consumidor.gov is encouraged by the Ministry of Justice and is mandatory for certain categories of companies, including:
  • Companies developing activities involving public services and activities at the national or local levels.
  • Online digital platforms dedicated to the individual or collective transportation of passengers or food delivery.
  • Digital platforms and marketplaces that promote, offer, sell or intermediate their own products or third-party products, or commercialise advertisement or publicity, as well as connection, application and content providers and other not-for-profit social networks.
  • Economic agents listed among the top 200 in the annual complaints list on the National Consumer Protection Information System, maintained by the National Consumer Secretary of the Ministry of Justice.
There are also many other private options for ODR.

Remedies

All remedies that are available in court actions are available in ADR/ODR. Enforcement is conducted in judicial courts.

Advertising/Marketing

31. What rules apply to advertising goods/services online or through social media and mobile apps?
The Consumer Protection Code applies to advertising goods and services online, as well as through social media. The Brazilian Advertising Self-Regulation Code is voluntarily and largely adopted by advertisers, media companies and agencies. It also contains specific provisions, particularly on comparative advertising, but they are largely based on the Brazilian Consumer Protection Code.
The Electronic Commerce Decrees (see Question 1) and rules relating to certain goods (such as firearms, medicines, drugs, and pesticides) also apply to online advertising.
32. Are any types of services or products specifically regulated when advertised or sold online (for example, financial services or medications)?
Certain industries and products are addressed in the annexes of the Brazilian Advertising Self-Regulation Code, for example:
  • Alcoholic beverages.
  • Investments.
  • Loans and securities market.
  • OTC pharmaceutical products.
  • Tobacco.
  • Real estate.
  • Hospital services.
  • Firearms.
  • Pesticides.
33. Are there any rules or limitations relating to text messages or spam e-mails?
There are no specific rules in force regarding text messages and spam e-mails, but there are Bills pending before the Brazilian Congress (for example, Bills No. 2,186/2003, No. 2,423/2003 and No. 3,731/2004) that are specific to digital business and the permissibility of spam messages.
Under the Criminal Code, the breach of security protocols to gain access to computers and the installation of malware for illicit purposes are criminal offences.
A company is prohibited from sending any product or providing any service to consumers without previous requisition and consent (section 39, Item III, Brazilian Consumer Defence Code), which applies to text messages or spam e-mails.
Pecuniary damages and pain and suffering may be claimed, but they must be proved in court. A claimant will have to provide evidence of a pecuniary loss and a causation link showing the illegal act taken by the company. There are decisions from appellate courts and from the Superior Court of Justice denying pain and suffering indemnification in cases related to spam e-mails.
34. Does your jurisdiction impose any language requirements on websites that target your jurisdiction or whose target market includes your jurisdiction?
The offer and the presentation of products and services, including those offered/sold online, in Brazil must contain information in Portuguese (section 31, Brazilian Consumer Defence Code; section 2, item III, Law No. 10,062/2004).

Tax

35. Are sales concluded online subject to tax?
For Brazilian tax purposes, online sales of merchandise are deemed regular sales of goods and subject to state value added tax (VAT) (Imposto sobre Operações relativas à Circulação de Mercadorias e sobre Prestações de Serviços de Transporte Interestadual e Intermunicipal e de Comunicação) (ICMS) (see Question 36).
Following digital tax trends, in September 2017 the Brazilian states signed an agreement (Convênio ICMS No. 106/2017) (ICMS Agreement 106) regulating the procedures for collecting the ICMS levied on transactions in digital goods (such as software, electronic games, electronic files and so on).
This agreement was challenged before the STF and as a result of a judgment relating to the ICMS levy on software related transactions, in practice its terms are no longer valid although it has not yet been formally revoked (see Question 36).
36. Where and when must online companies register for value added tax (VAT) (or equivalent) and other taxes? Which country's VAT (or equivalent) rate applies?

Registration

Since sales of merchandise concluded online are deemed regular sales for Brazilian tax purposes, online companies must follow the rule applied to other ICMS taxpayers and register for ICMS and other taxes with the state in which they do business and/or where their main place of business is located (see Question 35).
If the company intends to do business from various states, registration for ICMS is required for each state. This is based on the general rule that the ICMS belongs to the state where the seller's establishment is located (that is, the location from which the merchandise sold is to be invoiced and shipped to the final customer). Exceptions to this rule are the sale to final customers and supply of digital goods, which follow destination-based taxation (see below, Collection).

Collection

In relation to the sale to final customers, since 2019 the ICMS due on the transaction must be collected in the state of the goods' destination. If the final customer is a non-ICMS taxpayer, the responsibility to collect the ICMS still rests with the seller, but when the final customer is an ICMS taxpayer, the responsibility to collect the ICMS is transferred to this final customer.

ICMS Agreement 106

ICMS Agreement 106 exempted all digital goods transactions before the final transaction with the end user/acquirer and determined that the ICMS will be paid to the state where the end user/acquirer is domiciled or located. Based on this provision, the Sao Paulo state secretariat enacted Ordinance No. 24 (Portaria CAT No. 24/2018), requiring companies engaged in the supply of digital goods to register with the state for ICMS collection purposes even if they do not have a physical presence in the state or in Brazil.
In June 2018, the Brazilian Association of Information Technology and Communication Companies (Brasscom) filed a Direct Unconstitutionality Action (Ação Direta de Inconstitucionalidade) (ADIN) before the STF to challenge the constitutionality of ICMS Agreement 106. The relevant ADIN is pending judgment.
When deciding two other ADINs that challenged the ICMS levy on software, the STF ruled on 18 February 2021 that the ICMS does not apply to software, and the city service tax (ISS) applies instead. Seven out of 11 STF justices voted against ICMS. Due to this outcome, the STF:
  • Decided to not analyse the merits of the ADIN filed by Brasscom (see above) because in the court’s view the ADIN lost its cause of action.
  • Ruled that ICMS Agreement 106 had lost its legal effectiveness.
  • Pointed out that the tax administration must comply with the STF ruling and its binding effects.

Rates

There are various tax benefits which can reduce the applicable tax rate.
ICMS rates applied on goods are between 7% and 25%, depending on whether the goods are considered essential according to Constitutional principles. VAT rates on interstate transactions are between 4% and 12%.

Protecting an Online Business and Users

Liability for Content Online

37. What restrictions are there on what content can be published on a website (for example, laws regarding copyright infringement, defamatory content or harmful content)?
The Constitution provides for freedom of speech and for prohibiting censorship. Any content can generally be published on a website, subject to a judicial takedown request initiated by the offended user if it violates the legislation in place and is understood as abusive. There is no exhaustive definition of abusive content, and therefore any material can be required to be taken down, considering the balance between the principle of freedom of speech and the right to honour and dignity, which can only be decided by a Brazilian court.
It is also possible to directly administratively require an application provider to take down content that is prohibited by its internal policies (such as terms of use and guidelines).
38. Who is liable for website content that breaches these restrictions (including, for example, illegal material or user-generated material that infringes copyright or other laws, such as the law of defamation)?

Civil Liability for Damages

Internet application providers (IAPs) are only held civilly liable for damages resulting from content generated by third parties if, after receiving a specific court order, they do not take steps (within the technical limits of their service and within the time period provided) to take down the relevant content posted (Article 19, Internet Act). If the platform has editorial control, it could also be held liable.
However, as outlined in Question 22, there is a persuasive decision (with no binding effect) arguing that application providers should monitor content and could be considered liable if they do not avoid improper content aimed at children and teenagers or fail to act on a notice and takedown request referring to minors.

Violation of Privacy

IAPs that make available content created by third parties can be secondarily liable for the violation of privacy resulting from unauthorised disclosure of images, videos and other materials containing nudity or sexual acts of a private nature. Liability applies if, after receiving notice from the participant or the participant's legal representative, the application provider fails to promptly remove the content from its service (Article 21, MCI).

Violation of Copyright

IAPs are not obliged to proactively monitor, and cannot be judicially compelled to monitor, content published by their users.
The civil liability regime for IAPs concerning copyright violations online will be regulated through a specific federal law (which has not yet been enacted). Section 31 of the MCI states that, until this specific federal law is enacted, the Brazilian Copyright Law (BCL) must be applied. Therefore, an IAP can be held liable for copyright-violating content, jointly with the users who posted the content (section 104, BCL), if it has editorial control or if it does not remove the content once aware of its existence (through a report submitted through the tools available for that purpose on its platform, or through an extrajudicial notice highlighting the copyright violation) (section 19(2), MCI).
Brazilian State Appeal Courts tend to follow these principles (for example, Court of Appeals of Rio Grande do Sul, Appeal No. 50329008820208210001, 4 April 2021 and Court of Appeals of São Paulo, Lawsuit No. 1095672-19.2017.8.26.0100, 8 October 2020), although there is no binding decision in this regard.
In addition, the STJ ruled that a social media platform was not a platform that triggered copyright infringement, as it did not practice one of the conducts mentioned in section 104 of the BCL (STJ, Resp No. 1512647/MG, Reporting Justice Luis Felipe Salomão, 8 August 2015). However, this is not binding and a different decision could result depending on the individual case.

Liability in a Supply Chain

The Consumer Law provides for the joint and strict liability of all suppliers in a supply chain. Although the case law is controversial and there is no binding decision on this issue, IAPs' liability can generally be defined as follows:
  • If it is merely an internet intermediary, it should not be held liable unless it does not comply with a court order.
  • If it is an essential player in the e-commerce chain, retaining financial benefit, it should share strict and joint liability with the seller.
A mere internet intermediary not retaining any financial benefit can be held liable if it participates in the supply chain.
39. What legal information must a website operator provide?
A B2C website must provide the information required by:
  • Sections 2, 3, and 5 of Decree No. 7,962/2013.
  • Sections 2 and 3 of Decree No. 10,271/2020, regarding transactions within MERCOSUR.
  • Chapter II, section 3 of the Guidelines issued by the Department of Economic Rights, Consumer Protection and Defence Office.
Information that must be provided to consumers includes, among others, the company's address and other contact information.
For other website operators, sites must comply with the general principles of information and transparency set out by the Internet Act (sections 7 (VI and VIII), 9 (§2, item III), 10 (§4) and 20).
40. Who is liable for the content a website displays (including mistakes)?
In connection with B2C websites, there is strict liability under the Consumer Law for any misleading information or failure to comply with a legal or contractual obligation.
With regard to social media websites, including blogs, the user who inserts the content is liable for it. The application provider is generally only liable if it does not remove the content when judicially ordered (see Question 39). The IAP is, however, liable without a judicial order if the provider does not remove content related to nudity and sexual private scenes involving the person requesting the removal. Failing to avoid improper content to children and teenagers can also lead to liability although this is controversial as it violates the "safe harbour" clause (Article 19, MCI).
41. Can an internet service provider (ISP) shut down (or be compelled to shut down) a website, remove content, or disable linking due to the website's content, without permission?
ISPs cannot interfere in the flow of communications. Chapter 3, section 9 of the Internet Act sets out rules that guarantee net neutrality, in accordance with the Act's principles. Net neutrality means ISPs must treat equally data packets of any kind, origin, destination, service or application. In addition, ISPs are forbidden to block, monitor, filter or analyse the contents of data packets.
However, an exception can be made where discrimination or degradation of traffic is allowed for:
  • Mandatory technical requirements.
  • Prioritisation of emergency services.
(Section 9 (§2), Internet Civil Act.)
Mandatory technical requirements are restricted to:
  • Network security matters (for example, anti-spam mechanisms and control of denial of service attacks).
  • The treatment of network congestion matters (for example, for the sake of load redistribution, alternative routes in case of interruption of the main route and management in emergency situations).
(Presidential Decree No. 8,771/2016.)
Management of networks to maintain their stability, security and functionality is allowed, if it is done in accordance with the:
  • International standards.
  • Regulatory parameters of the Brazilian Telecommunications Agency (Agência Nacional de Telecomunicações) (ANATEL).
  • Guidelines from Brazil's Internet Management Committee (Comitê Gestor da Internet no Brasil) (CGIbr).
The users must also be informed of the reasons, effects and description of these practices.
Courts can issue total or partial site blocking or removal orders to ISPs based on the Internet Civil Act. The decision is enforceable by means of imposition of a daily penalty for non-compliance with the court order. Other coercive measures can be imposed by the judiciary as well.
However, an IAP can remove content or ban a user if it violates the previously established policies such as the Terms of Service/Use or Guidelines.

Liability for Products/Services Supplied Online

42. Are there any specific liability rules applying to products or services supplied online?
In general, rules applied to the ordinary acquisition of products and services are also applicable to products and services supplied online. Products and services supplied to consumers are subject to the rules established in the:
  • Consumer Protection Code.
  • Electronic Commerce Decrees (see Question 1).
  • Regulations issued by the DPDC.
The customer, in cases of products purchased out of the store, can cancel the purchase within seven days from the signing of the agreement or the subscription of the service (section 49, Consumer Protection Code).
All participants in the supply chain are jointly and severally liable for a defective product or service, and the consumer can choose who to seek redress from in the supply chain (Consumer Protection Code).
For sites that offer a sales platform for third parties, court decisions are not uniform. Some consider the sites severally and jointly liable for the products offered and others mitigate the sites' liability in certain cases.
In a decision issued in 2014, the São Paulo State Appeals Court determined that sites are responsible for the products offered when they receive any kind of remuneration for the transactions engaged between third parties (that is, when the site receives a percentage of sales made through its platform). This liability, however, does not cover the quality of the product sold, as the site is not responsible for the actual product. See Question 38.

Insurance

43. What types of insurance does an online business usually need?
The type of insurance that should be entered into by a business in Brazil depends mainly on:
  • The nature of the company's activities.
  • Whether any legal provision regarding insurance coverage is applicable to the company and/or its activities.
However, there is no specific class of insurance directed solely at online companies or businesses.
Generally, most companies are only legally compelled to insure all assets, whether real or personal property, against fire, regardless of the activities being developed by the company. In practice, most companies enter into a multi-risk property insurance policy, which includes the mandatory fire coverage. It is very common for multi-risk property insurance products to expressly exclude damages to software, hardware, electronic data and/or IT systems from their coverage, so online companies should pay attention to the terms and conditions of the contracted policies and whether they adequately cover their main assets.
Depending on the nature of an online company's operations, entering into liability insurance may be recommended given the highly litigious consumer and labour relations in Brazil, particularly if the operations involve sales to a final consumer or depend heavily on contracted personnel. For the same reason, a directors and officers (D&O) or errors and omissions (E&O) policy may also be recommended.
Cyber insurance (although not required) is also recommended to secure online business from internet-related risks such as data theft and data loss, business interruptions caused by cyberattacks, crisis management, and more generally from risks relating to information technology infrastructure and activities.

Reform

44. Are there any proposals to reform digital business law in your jurisdiction?
There are more than 70 proposals for reforming the law or regulating digital business in Brazil. Most of them are linked to Bill No. 4,906/2001, aimed at changing the Brazilian Consumer Defence Code and other specific legislation to establish rules concerning e-commerce.
Further, recently proposed tax legislation (No. 3,887/2020) aims to apply a contribution (Contribuição sobre Bens e Serviços) to apps used for shopping and marketplaces.
See also Question 14.

Contributor Profiles

Marcela Waksman Ejnisman, Partner

TozziniFreire Advogados

T +55 11 5086 5471
F +55 11 5086 5555
Professional Qualifications. LLM (Cornell University), US, 1998; International Business and Business Law (University of California), US, 1995; Graduate Law School (PUC-SP), 1992.
Areas of Practice. Corporate law and foreign investment; mergers and acquisitions; media and entertainment; IP; telecommunications/information technology; fashion law; cybersecurity and data privacy; technology and innovation.
Professional Associations/Memberships. Events Director of the Brazilian Association of Information Technology and Telecommunications Law (ABDI); member of the American Bankruptcy Institute, the International Trademark Association (INTA) and the International Technology Law Association (ITechLaw); Lecturer at the Data Governance, AI and Corporate Sustainability (ESG) course, held by Finted (Finance, Technology and Law) jointly with Abrasca (Brazilian Association of Publicly-Held Companies).
Languages. Portuguese, English.
Publications
  • Co-author, "Brazil: Privacy" chapter. In Insight Handbook. London: Global Data Review, 2022.
  • Author, "Contagem regressiva para o fim da concessão" (Countdown to the end of concession), published by Valor Econômico newspaper on 7 January 2020.
  • Co-author, "Um mês após entrar em vigor, a LGPD já afeta a dinâmica do mercado" (One month after becoming effective, the LGPD already affects the dynamics of the market), published by ESTADÃO in October 2020.

Patrícia Helena Marta Martins, Partner

TozziniFreire Advogados

T +55 11 5086 5439
F +55 11 5086 5000
Professional Qualifications. Business Management (Business School São Paulo), 2007; Consumer Law (PUC-SP), 2001; Graduate Law School (PUC-SP), 1998.
Areas of Practice. Litigation; consumer affairs; automotive; life sciences and healthcare; cybersecurity and data privacy; technology and innovation; business and digital election law; gaming and e-sports; fashion law.
Professional Associations/Memberships. Member of the Consumer Committee of the Brazilian Institute of Studies on Competition, Consumer Affairs and International Trade (IBRAC), the Consumer Committee of the Association of Brazilian Law Firms (CESA) and the Digital Law Committee of the Association of Brazilian Law Firms (CESA); contributor to the Superior Electoral Court regarding electoral regulation about electoral ads on the internet.
Languages. Portuguese, English.
Publications
  • Co-author, "Brazil: Privacy" chapter. In Insight Handbook. London: Global Data Review, 2022.
  • Author, "Proteção de Dados Pessoais em 2020", published by Valor Econômico in January 2020.
  • Author, "LGPD: A importância de prevenir litígios envolvendo segurados" (The Brazilian General Data Protection Act - LGPD: The importance of preventing disputes involving policyholders), published by Apólice magazine on 29 February 2020.
  • Co-author, "A internet deu voz às pessoas. Mas como o Direito regula a liberdade de expressão online? Uma análise da regulação brasileira", in Direito Exponencial: O Papel das Novas Tecnologias no Jurídico do Futuro, published by Editora Revista dos Tribunais in 2020.
  • Frequently publishes articles on technology and data privacy in major national and international publications.

Antonio Marzagão Barbuto Neto, Partner

TozziniFreire Advogados

T +55 11 5086 5245
F +55 11 5086 5555
Professional Qualifications. Business Management (Business School São Paulo), 2007; LLM General Studies (New York University (NYU) Law School), United States, 2005; Graduate Law School (University of São Paulo School of Law (USP-SP)), 2001.
Areas of Practice. Litigation; arbitration; education.
Languages. Portuguese, English.
Professional Associations/Memberships. Admitted to the New York State Bar Association; member of the New York State Bar Association (NYSBA), the Mediation and Arbitration Committee of the Brazilian Bar Association - São Paulo section (OAB-SP) and the International Center for Dispute Resolution.
Publications
  • Co-author, “Practical Law - Digital Business in Brazil: Overview”, London: Thomson Reuters, 2015 and 2018.
  • Co-author, "A prática, a construção e a solidificação da arbitragem", of the book 40 Anos de Direito Empresarial no Brasil. São Paulo: Quartier Latin, 2016, p. 65-79.
  • Co-author, "Brazil". In Corporate Internal Investigations. Oxford: Oxford University Press, 2013.
  • Co-author, "Arbitration". In Latin Lawyer Reference, 2012, 2013 and 2014.

Jerry Levers de Abreu, Partner

TozziniFreire Advogados

T +55 11 5086 5354
F +55 11 5086 5555
Professional Qualifications. Academy of American and International Law (Center for American and International Law), US, 2014; Tax Law (PUC-SP), 2009; Graduate (Faculdade de Direito da Universidade São Francisco), 1999.
Areas of Practice. Tax; automotive; construction; education; life sciences and healthcare; technology and innovation; agribusiness; private equity and venture capital.
Languages. Portuguese, English.
Publications
  • Co-author, “Practical Law - Digital Business in Brazil: Overview”, London: Thomson Reuters, 2015 and 2018.
  • Co-author, "Brazil". In Transfer Pricing Forum. Bloomberg BNA, December 2019.
  • Frequently publishes articles on tax law in major national and international publications.

Marcio Mello Silva Baptista, Partner

TozziniFreire Advogados

T +1 212 698-1445
F +1 212 698-1144
Professional Qualifications. LLM Comparative Jurisprudence (New York University), 1997; Specialised degree in Comparative Law (University of Wisconsin), 1989; Master's degree in International Law (USP); Graduate, Law School (PUC-SP).
Areas of Practice. Corporate law and foreign investment; mergers and acquisitions; insurance and reinsurance; private equity and venture capital; German desk; Japan desk.
Languages. Portuguese, English, French, Spanish, German.
Professional Associations/Memberships. Chair of the Membership Committee of the Pacific Rim Advisory Council; Board member of the Brazilian American Chamber of Commerce in New York; Vice-Chair of the Latin America & Caribbean Committee of the American Bar Association; Member of the New York City Bar Association; member of the New York State Bar Association (NYSBA) and the International Bar Association (IBA).
Publications
  • "Brazil" chapter from the publication From Bid to Closing, Mergers and Acquisitions Handbook. London: Global Counsel, 2001.
  • "The electric power industry in Brazil" chapter from the publication International Power Finance Review. Ontario: International Press Publications, 1998.
  • "Foreign investments in Brazil" chapter from the publication Doing Deals in Latin America 2013. Practising Law Institute, 2013.

Carla do Couto Hellu Battilana, Partner

TozziniFreire Advogados

T +55 11 5086 5289
F +55 11 5086 5555
Professional Qualifications. Certified DPO (ECPC-B by Maastricht); FIP (Fellow of Information Privacy), CDPO/BR (Certified Data Protection Officer – Brazil), CIPM (Certified Information Privacy Management) and CIPP/E (Certified Information Privacy Professional/Europe) by the International Association of Privacy Professionals; LLM (University of Chicago), 2015; Specialisation, Corporate Law (Instituto Internacional de Ciências Sociais), 2011; Graduate Law School (PUC-SP), 2006.
Areas of Practice. Corporate law and foreign investment; mergers and acquisitions; media and entertainment; IP; gaming and e-sports; fashion law; telecommunications/information technology; cybersecurity and data privacy; technology and innovation; private equity and venture capital.
Professional Associations/Memberships. Member of IAPP (International Association of Privacy Professionals).
Languages. Portuguese, English.
Publications
  • Co-author, "Brazil: Privacy" chapter. In Insight Handbook. London: Global Data Review, 2022.
  • Co-author, "Um mês após entrar em vigor, a LGPD já afeta a dinâmica do mercado" (One month after becoming effective, the LGPD already affects the dynamics of the market), published by ESTADÃO in October 2020.
  • Co-author, "LGPD em vigor: e agora, o que priorizar" (The LGPD is effective: what to prioritize), published by ESTADÃO in October 2020.
  • Co-author, "An introduction to Brazil's new data protection law", published by SCCE's CEP Magazine in May 2019.
  • Frequently publishes articles on technology and data privacy in major national and international publications.

Bárbara Bassani de Souza, Partner

TozziniFreire Advogados

T +55 11 5086 5503
F +55 11 5086 5555
Professional Qualifications. Doctoral Civil Law (Universidade de São Paulo), 2018; Master Law (USP), 2015; Specialisation, Civil Law (Universidade Presbiteriana Mackenzie), 2011; Graduate Law School (Universidade Presbiteriana Mackenzie), 2009.
Areas of Practice. Insurance and reinsurance.
Professional Associations/Memberships. Member of the Insurance Law Committee of OAB/SP (Brazilian Bar Association, São Paulo section), 2018 and of AIDA (International Insurance Law Association) since 2012, serving as Director Vice-President of International Relations (2022-2024); Assistant Professor in the in-company Insurance MBA programme organised by FGV (Fundação Getulio Vargas) held at Mapfre Seguros, 2014; Professor of Insurance Regulatory Environment in the Insurance Regulatory specialisation programme at Universidade Positivo, in Curitiba, 2018; Professor of Insurance Regulatory Law in the Legal Management MBA programme at ENS (Brazilian School of Insurance), in Insurance Regulatory Law and, currently, in Personal Insurance.
Languages. Portuguese, English, Italian.
Publications
  • Author, As Polêmicas que Permeiam o Seguro de Responsabilidade Civil e a Busca por uma Solução. São Paulo: Editora Roncarati, 2019.
  • Co-author, article "LGPD e (Re) Seguros". In Revista Opinião.Seg. São Paulo: Editora Roncarati, 2019.
  • Co-author, "Digital Business in Brazil: Overview". In Practical Law. London: Thomson Reuters, 2018.
  • Co-author, "Da tutela provisória de urgência e da evidência" chapter. In Aspectos Jurídicos dos Contratos de Seguro V. Porto Alegre: Editora Livraria do Advogado, 2017.

Bruna Borghi Tomé, Partner

TozziniFreire Advogados

T +55 11 5086 5503
F +55 11 5086 5591
Professional Qualifications. Master Civil Procedural Law (PUC-SP), 2020; Specialisation, Civil Procedural Law (PUC-SP), 2012; Graduate Law School (PUC-SP), 2010.
Areas of Practice. Litigation; cybersecurity and data privacy; technology and innovation; business and digital election law; consumer affairs.
Professional Associations/Memberships. Member of ABRADEP (Brazilian Academy of Electoral and Political Law); Professor in the LGPD and Litigation programme at Finted Tech School, 2020 and 2021; Professor in the LGPD and Elections programme in partnership with the Data Privacy Brazil Association, 2020; co-ordinator of the Digital Law Committee of CESA (Association of Brazilian Law Firms); member of AASP (Association of Lawyers of São Paulo).
Languages. Portuguese, English, Spanish.
Publications
  • Co-author, "Brazil: Privacy" chapter. In Insight Handbook. London: Global Data Review, 2022.
  • Author, article "Uso de tecnologia para as pessoas com deficiência: regulação e políticas públicas" (Use of technology for people with disabilities: regulation and public policies). In Direito Exponencial: O Papel das Novas Tecnologias no Jurídico do Futuro, published by Editora Revista dos Tribunais in 2020.
  • Co-author, "A internet deu voz às pessoas. Mas como o Direito regula a liberdade de expressão online? Uma análise da regulação brasileira" (The Internet gave people a voice. But how does the Law regulate freedom of expression online? An analysis of Brazilian regulation). In Direito Exponencial: O Papel das Novas Tecnologias no Jurídico do Futuro, published by Editora Revista dos Tribunais in 2020.
  • Co-author, "A responsabilidade das redes sociais" (The responsibility of social media). In Panorama Legal sobre as Relações de Consumo na Era Digital. São Paulo: Singular, 2018.
  • Frequently publishes articles on technology and data privacy in major national and international publications.