BRAZIL LAW AND PRACTICE Contributed by: Ricardo Barretto Ferreira da Silva, Ingrid Bandeira Santos, Sylvia Werdmüller von Elgg Roberto and Isabella da Penha Lopes, Azevedo Sette Advogados
communications by providers of connections/ applications; • The LGPD, which regulates personal data protection and processing, among other provisions; • ANATEL’s Resolution 740/2020 (the “Regula - tion of Cybersecurity Applied to the Telecom - munications Sector”), which establishes conduct and procedures to promote security in telecommunications networks and services and protect critical structures; and • ANATEL’s Act 77/2021, which provides cyber - security requirements for telecommunications equipment. In addition, reliable and stable networks are fun - damental for the IoT. In particular, 5G technol - ogy, implemented in Brazil in 2022, boosted the IoT market, fostered innovation and impacted the local economy and society. Importantly, the minimum security requirements for 5G networks set by the Office of Institutional Security of the Presidency of the Republic (NI 4/2020) are to be complied with. 4.2 Compliance and Governance Although the free circulation of data is inherent to the IoT market, compliance with enforceable legal provisions is required and, for this purpose, deep analysis is necessary. In general terms: • information security is of paramount impor - tance – protection of transmitted and stored data shall be ensured regardless of the num - ber of connected devices, avoiding unauthor - ised access and cyberattacks; • the collection and processing of personal data by IoT solutions shall be in accordance with the legislation on personal data protec - tion; • companies shall comply with specific laws and rules applicable to the sector in which IoT
solutions are implemented, ensuring regula - tory compliance; • providers shall take measures to mitigate the risk of hacker attacks, data theft, service interruptions and other negative impacts; and • providers shall identify, assess and manage risks that might affect IoT solutions, which is important to help ensure continuity of busi - ness. Proper policies, controls and processes should form part of companies’ corporate governance, fostering transparency and corporate responsi - bility. 4.3 Data Sharing Even though the huge amounts of data that IoT devices collect, process and share are neces - sary for achieving solutions and intended results, whenever there is any sharing of personal data, IoT companies become subject to the provisions of the LGPD. The LGPD stipulates that the processing of per - sonal data may only occur in certain circum - stances, such as when the data subject has provided express consent for personal data col - lection and processing; to enable the personal data controller to comply with legal or regulatory duties; or to protect the life or physical integrity of the data subject. The processing of sensitive personal data (ie, data related to racial or ethnic origin; religious convictions; political opinions, union member - ship or participation in a religious, philosophi - cal or political organisation; health or sex life; or genetic or biometric data) or data in the cat - egories of “children“ and “teenagers” is subject to further specific requirements. It is important to note that additional requirements may apply
22
CHAMBERS.COM
Powered by FlippingBook