TMT 2025

BRAZIL LAW AND PRACTICE Contributed by: Ricardo Barretto Ferreira da Silva, Ingrid Bandeira Santos, Sylvia Werdmüller von Elgg Roberto and Isabella da Penha Lopes, Azevedo Sette Advogados

Government Entities For over a decade, the Institutional Security Cabinet of the President’s Office has been issu - ing Complementary Norms ( Normas Comple- mentares ; NC) to regulate the use of technology within government agencies. The latest version (NC No 05/IN01/DSIC/GSIPR), addressing cloud computing security and data protection, prohib - its the processing of classified information on the cloud and mandates that agency-related data be stored in data centres located within national borders. The Institutional Security Cabinet of the President’s Office has issued various education - al materials since 2016, outlining best practices for federal entities when engaging with cloud services. Key contractual requirements include: • ensuring that agency data remains within Brazilian territory, including backups and replications; • using Brazilian jurisdiction to resolve legal disputes arising from contracts with cloud service providers; • guaranteeing the portability of data and applications, ensuring timely access without additional costs to promote business continu - ity; and • ensuring contractual confidentiality regarding information held by providers and prohibiting unauthorised third-party access. Finally, Digital Government Secretariat/Ministry of Management and Innovation in Public Ser - vices ( Secretaría de Gobierno Digital Secretaría de Gobierno Digital / Ministério da Gestão e da Inovação em Serviços Públicos ; SGD/MGI) Ordi - nance No 5,950 of 2023 established a template for federal public administration agencies to use when contracting software and cloud computing services. This ordinance is aimed at standardis - ing and streamlining the procurement process while emphasising the security, privacy, integrity

and governance of agency-held data. It speci - fies various aspects such as remuneration struc - tures, minimum service levels, product verifica - tion standards, acceptance criteria and security requirements. Compliance with this ordinance has been mandatory for contracts signed as of 30 April 2024. However, agencies may apply the standards to previous contracts as well. Con - tracts entered into before 1 November 2023 are exempt from this ordinance. Agencies must justify any deviations from the prescribed con - tracting models, submitting them for approval by the SGD. 3. Artificial Intelligence 3.1 Liability, Data Protection, IP and Fundamental Rights The use of AI is currently being discussed in Bra - zil through the deliberation of Bill No 3,592/2023, Bill No 2,338/2023 and Bill No 5,691/2019. Bill 3,592/2023 discusses the use of audiovisual rep - resentations of deceased people aimed at safe - guarding their dignity, privacy and rights after death. Bill No 2,338/2023 focuses on the use of AI in general. Bill No 5,691/2019 establishes the National Policy for Artificial Intelligence, with the goal of stimulating the formation of a favourable environment for the development of AI technolo - gies. This bill is the result of the unification of other previous bills. The National AI Policy establishes, as its core principles: • inclusive and sustainable development; • respect for ethics, human rights, democratic values and diversity; • protection of privacy and personal data; and • transparency, security and reliability.

CHAMBERS.COM