Last review date: 3 January 2025
Generally speaking, no, except for a few specific sectoral regulations.
☒ other
While there are no general data residency/localization obligations, such requirements may apply if classified State information (not limited to personal data) or data related to the Federal Public Administration is processed.
Restrictions may also apply to the storage of certain types of information in, or its transfer to, foreign jurisdictions. For instance, according to CMN's Resolution no. 4,893/2021, which sets out requirements for agreements between cloud providers and financial institutions, financial data does not necessarily need to be stored in Brazil, but the financial institution must ensure that the Brazilian Central Bank has access to the financial data. This access may be supported by a cooperation agreement between the Brazilian Central Bank and the supervisory authority of the jurisdiction where the data is stored. If the data is stored in a jurisdiction where there is no such cooperation agreement, the agreement between the financial institution and the cloud provider must be submitted for the Brazilian Central Bank's approval.
Last review date: 3 January 2025
☒ Obligation for public sector organizations to share or make accessible non-personal data
Law No. 12,527/2011 (Brazilian Information Access Law) regulates access to public information held by government bodies. It aims to ensure transparency and accountability in public administration by providing citizens with the right to access information.
☒ Obligation for private organizations to share or make accessible non-personal financial data
BACEN and CVM Joint Resolution No. 6/2023 establishes the requirements that must be observed by financial institutions, payment institutions, and other entities authorized to operate by BACEN in the sharing of data and information on indications of fraud. The resolution mandates these institutions to share, through an electronic system, any data and information that support their fraud prevention procedures and controls. Institutions must obtain the prior and general consent of the customer to allow the registration and sharing of this data.
☒ Obligation for private organizations to share or make accessible other non-personal data
If so, please provide brief details of the relevant law or regulation.
Internet Legal Framework - Law No. 12,965/14 contains provisions regarding internet users' rights to the protection of logs, personal data and private communications. It includes, among others, obligations for internet application and connection providers to disclose internet access and connection logs upon receipt of a court order.
ANATEL’s Resolution No. 740/2020, amended by Resolution No. 767/2024, establishes guidelines and procedures to promote security in telecommunications networks and services, including the protection of critical infrastructures. The resolution requires telecommunications companies to retain and, in some cases, share certain types of data for regulatory and security purposes. This can include non-personal data related to network operations and usage.