Posted in Brazil Data Privacy Intellectual Property IP

Brazil enacts its first law to protect Brazilians’ personal data: top points

Brazil has taken a significant step to protect the personal data of Brazilians with the enactment of the first specific law on the subject. Bill of Law 53/2018, approved by the Senate on July 10, 2018, will be sent to the President for signing into law. The President will have 15 business days to sign it, but it is not yet clear whether whether any particular items in the law will be vetoed. After presidential signing, the law will take effect 18 months after its official publication.

Here are the main points of the law in the form approved by the Senate:

  • Application: The law will apply to any transaction or operation involving treatment of data that (i) is performed in Brazil; (ii) has the objective of offering or supplying goods and/or services to people located in Brazil; or (iii) is carried out with personal data collected in Brazil.
  • Exceptions: The law will not apply to the

treatment of personal data (i) carried out by individuals for private purposes; (ii) performed for journalistic, artistic or academic purposes; (iii) carried out for purposes of public safety, national security and defense or activities for investigation and deterrence of crimes (which will be the subject of a specific law); or (iv) with foreign provenance and that are not the target of communication, shares use with Brazilian data treatment agents or the object of transfer of data with another country that other than the country of provenance, provided such country provides a degree of protection adequate to the Brazilian Law.

  • Definition of data: The expression “personal

data” is defined as any data or information related to an identified or identifiable individual (called the “owner”), with “sensitive personal data” being data about racial or ethnic background, religious belief, political opinion, membership labor unions or religious, philosophical or political organizations, as well as referring to health or sexual life, genetic or biometric data.

  • Data treatment: “Treatment” is considered to

be all operations carried out with personal data,

such as collection, production, reception,

classification, utilization, access, reproduction,

transmission, distribution, processing, filing,

storage, elimination, evaluation, control,

modification, communication, transfer, diffusion or extraction of data or information.

Treatment agents: Agents fall into two categories: “controller,” defined as any individual or public or private legal entity responsible for the decisions related to the treatment of personal data, and “operator,” defined as the individual or legal entity that carries out the treatment of personal data at the behest of the controller.

  • Competent bodies: The law establishes the

creation of a National Data Protection Authority, a body of the indirect federal public administration, subject to a special independence regime and linked to the Ministry of Justice and the National Council for Protection of Personal Data and Privacy; among its responsibilities are to propose strategic guidelines; provide support for the formulation of the National Policy on Protection of Personal Data and Privacy; suggest actions and propose studies.

Principles: Important principles must be observed in treatment activity, such as:

(i) purposes − the treatment must be carried out for specific and legitimate purposes, without the possibility of subsequent treatment in a form incompatible with these purposes

(ii) adequacy − compatibility of the treatment with the purposes reported to the owner

(iii) need − limitation of treatment only to the extent necessary to achieve expressed purposes

(iv) free access − guarantee that the owners can consult, easily and at no cost, on the form and time frame of the treatment, as well as the integrity of their data

(v) quality of the data − guarantee of the precision, clarity, relevance and currency of the data

(vi) transparency − guarantee of clear information that is easily accessible by the owners

(vii) security − utilization of technical and administrative measures to protect the data from access by unauthorized parties

(viii) prevention − adoption of measures to prevent the occurrence of damages due to treatment of personal data

(ix) nondiscrimination − impossibility of treatment for purposes of discrimination and

(x) accountability − demonstration of effective means to observe and prove compliance with the rules on protection of personal data.

  • Requirements for treatment: The treatment may only be carried out (i) with consent; (ii) to

comply with a legal or regulatory obligation of the

controller; (iii) by the public administration, for treatment of data necessary for public policy purposes; (iv) for the purposes of study by a research entity, with guarantee of anonymization; (v) when necessary to perform a contract; (vi) for regular exercise of rights in a judicial, administrative or arbitral proceeding; (vii) for protection of the life or physical integrity of the owner or third parties; (viii) for protectio n of health, through a procedure carried out by professionals in the area of public health of by sanitary authorities; (ix) in the legitimate interests of the controller or third parties; and (x) for protection of credit.

  • Consent: Consent must be expressed in

writing (in the case of a contract, highlighted with respect to the other clauses) or by other means that demonstrate the manifestation of the owner’s will, with the controller having the burden of proving consent was obtained pursuant to the law. Generic consent will be deemed null and void, and treatment in cases of defective consent is forbidden.

Revocation of consent: Consent can be revoked at any time, by the owner, with ratification of any treatment performed under the consent provided previously.

  • Access to data: The owner shall be provided access to the data subject to treatment, and that access must be provided clearly, with reference to the purpose, form and duration of the treatment, identification of the controller and the corresponding contact information, explanation of the shared use of data and the purpose, responsibilities of the treatment agents, as well as explicit mention of the rights of the owner specified in Article 18 of the law (see next section).
  • Rights of the owner (Art. 18): The owner has the following rights: (i) confirmation of the existence

of treatment; (ii) access to data; (iii) correction

of incomplete or inexact data; (iv) anonymization, blockage or elimination of unnecessary or excessive data; (v) portability of the data; (vi) elimination of personal data treated with consent; (vii) information about the public or private entities with which the controller has carried out shared used of the data; (viii) information about the possibility of not providing consent and the consequences of denial; and (ix) revocation of consent.

  • Treatment of sensitive data: The treatment can only occur when the owner consents, specifically t, for specific purposes, or without consent of the owner in cases of need to carry out public policies by the public administration set forth in law; studies by research entities (with anonymization of sensitive personal data); regular exercise of rights; protection of the life or physical integrity of the owner; protection of public health; prevention of fraud; and security of the owner.
  • Anonymization of data: This is defined as data by which the owner cannot be identified, and which therefore is not considered to be personal.
  • Children and adolescents: The treatment of data on children and adolescents must be performed with the specific consent of at least one of the parents or legal guardians.
  • End of the treatment: The treatment of data must end

when the purpose has been attained or the data cease being necessary or pertinent; at the end of the treatment period, by communication from the owner; or by determination of a national authority. The data must be deleted after the end of the treatment, other than in case of specific exceptions.

Treatment of data by the public authorities: The treatment must be performed only to serve the corresponding public purpose and with the objective of satisfying the legal attributions of the public service, with observation of the conditions determined in law.

  • International transfer of data: The transfer of

personal data to other jurisdictions will be allowed only in cases set forth in law, such as (i) with the specific consent of the owner; (ii) to satisfy a legal or regulatory obligation, when necessary to perform contracts or for regular exercise of rights in a judicial, administrative or arbitral proceeding; (iii) to countries or international organizations that provide an adequate degree of protection of personal data as specified in law or determined by the competent entity; (iv) when the controller of the data proves it has guarantees of compliance with

the principles, rights of the owner and data

protection regime set forth in Brazilian law; (v) for protection of the life of physical integrity of the owner or a third party, among other situations.

  • Records of operations for treatment of personal data: The controller and operator must keep records of the operations they carry out for treatment of personal data, mainly when the treatment is based on their legitimate interest.
  • Report of the impact of protection of personal data: In relation with operations to treat data, the competent body can request the preparation of a “Report of the Impact of Protection of Personal Data,” which must state the types of data collected, the method used for their collection and the guarantee of their security, as well as analysis of the controller of the measures, safeguards and mechanisms for risk mitigation adopted.

Chief of treatment: the Chief of Data Treatment is the person responsible for accepting complaints and other communications from the data owner and competent authorities and for training employees about best practices, among others attributions. The Chief must be appointed by the controller and his/her identity and contact information must be disclosed clearly and objectively.

  • Joint and several liability: Other than in

exceptional cases identified in law, the operator and controller are deemed to be jointly and severally liable for the data with respect to pecuniary or moral damages, either individual or collective, caused by the date treatment.

  • Security measures: It is mandatory to adopt

technical and administrative security measures to protect the personal data from unauthorized access and accidental or illicit situations of destruction, loss, alteration, disclosure or any other form of inadequate or illicit treatment. The minimum technical standards must be disclosed by the competent body in a timely way, considering the specificities of the personal data and their treatment.

  • Communication in cases of cybersecurity incidents: The controller must report to the competent body and the owners when any cybersecurity incidents occur that can cause a relevant risk or damage to the owners of the personal data.
  • Administrative penalties: Infractions of the Law can subject the treatment agents to the

applicable administrative penalties by the

competent body, after an administrative proceeding that affords rebuttal and ample defense. Among the penalties are official warning, publicity of the infraction, partial or total suspension of use of the use of the database, single or daily fine (up to 2 percent of the gross revenue of a private company, business group or conglomerate in Brazil in the preceding year, excluding taxes, capped at R$50 million per infraction), or partial or total suspension of the activities related to the data treatment.

We will be monitoring this area of law to keep you informed about coming developments.



Paula Mena Barreto


Rio de Janeiro

T: +55 21 3262 3028F: +55 21 3262 3011

Posted in Brazil Tax

Administrative proceeding in State of Rio de Janeiro will allow the compliance of tax discrepancies

The State of Rio de Janeiro enacted the Resolution n° 265 on June 19, 2018, in order to allow taxpayers to regularize their tax debts before starting an official tax audit and to reduce the amount of credits in dispute before the administrative court.

The proceeding is called a “friendly warning” and encompasses tax debts not yet declared in ancillary obligations and also ancillary obligations not yet presented to tax authority by the taxpayers. Tax authority identifies possible outstanding tax debts and ancillary obligations not yet fulfilled by crossing electronic data available in its systems. Continue Reading

Posted in Brazil Tax Trade

Brazil introduces US-Brazil Agreement on Social Security

The Brazilian Government has enacted Decree No. 9,422/2018, which introduced into Brazilian law the Agreement on Social Security between the United States and the Federative Republic of Brazil, originally signed on June 30, 2015.

 The Agreement was enacted in late June 2018; its enforceability shall commence on October 1, 2018 and shall be applicable to (i) individuals currently or previously covered under US or Brazilian laws, and/or (ii) individuals who, under the laws of either contracting state, may derive rights by virtue of their relationship to an individual subject to the laws of the US or Brazil. Continue Reading

Posted in Brazil Tax

State of Rio de Janeiro Grants New Audit Power to Tax Auditors

The State of Rio de Janeiro has enacted Law 7,988, effective from June 14, 2018, in order to grant powers to its state tax auditors to reject operations or transactions performed by taxpayers who are suspects of intending  to disguise tax-triggering events or the features of the tax liabilities during the course of tax audits.

Law 7,988/2018 was enacted to regulate the sole paragraph of Section 116 of the Brazilian National Tax Code which Brazilian courts have declared by decisions not self-applicable.

The most relevant taxes entitled to be collected by states in Brazil are VAT (the so-called ICMS) and the Tax on Inheritance and Donation of any property or right (ITCMD).

Law 7,988/2018 sets forth requirements that shall be fulfilled by state tax auditors to reject operations or transactions performed by taxpayers:

  • the disregard must be written and justified by the state tax auditors and
  • the taxpayer shall be notified to present clarifications and information within 30 days regarding the facts, causes, reasons and circumstances that support the operations and transactions accused of being disguised.

If the state tax auditors decide to disregard operations or transactions performed by taxpayers, they must (i) detail the elements considered as performed by the taxpayers with the intent to disguise tax-triggering events or the features of the tax liabilities and (ii) describe the acts and transactions to be taxed, citing applicable legislation.

Moreover, the state tax auditors shall present the impacts of the disguised tax triggering events or the features of the tax liabilities with the specification of taxes to be levied, calculation basis, applicable rates and legal accruals.

Taxpayers will have the right to present defenses and appeals against a tax assessment notice issued by the state tax auditors.

Law 7,988/2018 entered into force on June 15, 2018.

The issuance of Law 7,988/2018 strengthens the need for technical support to address tax audits, in order to highlight the business purposes of operations and transactions and to ensure that taxpayer rights are respected by the tax authority.

For more information please contact the author

Renato Lopes da Rocha

+55 11 3077 3593

M +55 11 97269 2831

M +55 21 99610 1172


Av. Presidente Juscelino Kubitschek, 360 – 10º andar
Vila Nova Conceição – São Paulo, SP – Brasil 04543-000







Posted in Arbitration

Scope of powers of the Arbitration Tribunals or the ad hoc Committees when deciding annulment requests and other post-award remedies and procedures in ICSID dispute settlements

By Marlon Meza

Abstract:  This paper will address the post–award remedies and procedures against ICSID awards, from a simple request of supplementation or error rectification (which the arbitration tribunal can resolve), through interpretation and revision requests, finally focusing on petitions for annulment that are settled by some ad hoc Committees − which are sometimes criticized for lack of coherence and uniformity. Plenty of debates have taken place regarding the nature of such annulments, even though the ICSID Convention clarifies that annulments are not appeals, and article 52 enshrines specific annulment grounds. This last statement helps qualify the annulment mechanism as an extraordinary remedy, different from the appeal. This does not mean that ad hoc Committees cannot revise—even in a restricted manner—the merits of awards. What they cannot do is modify them; their action must be limited to the declaration of an award’s invalidity or its denial. On the other hand, there cannot be automatic nullities, nor can decisions bear the discretional nature that some ad hoc Committees have held they possess in order to decide. Then, it is necessary to weigh the nullity grounds to avoid excesses and to ensure that decisions on annulments are rendered according to the most modern procedural tendencies. The credibility of the ICSID system could depend greatly on this in the future.

Read more here.


Posted in Uncategorized

Brazil Fundraising

By Marcus Bitencourt, Alex Jorge, Renata Amorim, Marcelo Siqueira and Tatiana Pasqualette


The Brazilian private equity fundraising sector has consolidated itself over the past decade and has shown significant growth since 2003, even compared with other BRIC countries.

In addition to Brazil’s economic development over this period, such evolution can also be attributed to the improvement of the regulatory structures of our capital market, mainly regarding the main type of investment vehicle for the private equity segment, equity investment funds (FIPs).

As a result of this evolution, the Brazilian Securities Commission (CVM) has been constantly concerned in regulating and updating specific rules for such funds, as per the issuance of CVM Instruction 578/16, on 30 August 2016, which replaced CVM Instruction 391/03 and modernised the rules regarding the formation, operation and management of private equity funds, as will be further explored.

Read more here.

Posted in Brazil Tax

Brazil and Switzerland sign DTT, reflecting Brazil’s effort to expand its network of tax agreements

By: Renato Lopes da Rocha

Following the execution of an agreement with Switzerland, on May 7, 2018 by virtue of the visit from the Brazilian Minister Aloysio Nunes to Singapore, the Brazilian and Singaporean governments signed the Agreement for Elimination of Double Taxation with Respect to Taxes on Income and the Prevention of Tax Evasion and Avoidance (DTT). This development reflects Brazil’s continuous efforts to expand its network of tax agreements. The DTT requires approval by the national Congress and ratification by the President to take effect in Brazil. Once in place, which shall facilitate investments and provide more certainty on business transactions between the taxpayers of the two countries.

Among other relevant provisions, the following aspects of DTT are particularly worth noting:

(i) In line with the agreement signed with the Swiss government, the DTT also has a specific article regulating the taxation of technical services, which may indicate a new trend for the treaties entered into by Brazil. Under Article 13 of the DTT fees for technical services will be subject to a maximum 10 percent withholding income rate in case the beneficial owner is a resident of the other contracting state. The definition of technical services is quite broad, as it includes any service of a managerial, technical or consulting nature, with a few exceptions.

Even though Article 13 provides for a 10 percent rate (lower than the statutory rate of 15 percent for non-tax haven jurisdictions), it may be seen as a clear attempt by the Brazilian government to depart from court rulings favorable to taxpayers in which consulting and technical services were considered business profits under Article 7 of other DTTs, taxed only by the contracting state providing such services (no withholding income tax applied). Once the DTT enters into force, it shall lead to interesting discussions between tax authorities and taxpayers in Brazil.

(ii) A robust Limitation of Benefits clause (Article 28) aiming to exclude from the treaty benefits entities operating as holding companies and cash pooling companies.

(iii) A 10 percent royalty rate (except trademarks).

(iv) Reduced rate of 10 percent on interest to banks granting funding for capital investments under certain conditions.

(v) A broader definition of permanent establishment, which includes consultancy services provided in one contracting state by a company of the other contracting state for a period of more than 183 in a 12-month period.

Observers are noting that Singapore had been included in Brazil’s blacklist as a tax haven. It was not until November 2017 that Singapore was removed from the list upon its latest update (Normative Instruction 1,773/2017 issued by the Brazilian federal tax authorities). Certain Singaporean entities remain on the Brazilian grey list as privileged tax regimes subject to transfer pricing rules and stricter deductibility rules.


Posted in Arbitration Mexico NAFTA

Mexico showcases its commitment to investment protection in general – whether through arbitration or not

By: Andrea Lapunzina Veronelli & Paola Aldrete

Mexico has been a long-time player in the investment arbitration system. At this writing, Mexico is party to 30 bilateral investment treaties (BITs) in force and is signatory to three other BITs that are not yet in force. It is also party to a number of treaties with investment provisions, of which the best-known example is the North America Free Trade Agreement (NAFTA). (SEE BELOW FOR SPANISH AND FRENCH VERSIONS). Continue Reading

Posted in Brazil International Trade Tax tax exemptions Trade transfer pricing

Brazil and Switzerland sign Convention for Elimination of Double Taxation – highlights

The Governments of Brazil and Switzerland have signed the Convention for Elimination of Double Taxation with Respect to Taxes on Income and the Prevention of Tax Evasion and Avoidance (DTT). In line with Brazil’s commitments under the G20, the DTT, signed on May 3, 2018, incorporates certain minimum standards of the Organization for Economic Cooperation and Development (OECD) Project on Tax Erosion and Transfer of Profits (BEPS Project). It also includes an anti-abuse clause as well as an administrative assistance clause in accordance with the current international standard for exchange of information. Continue Reading

Posted in Puerto Rico

Puerto Rico’s Dealers Act: what every principal should know before selling products or services in Puerto Rico

By Nikos Buxeda and Camille Álvarez

Puerto Rico’s Act 75 of June 24, 1964 was enacted to protect Puerto Rican distributors or dealers from arbitrary terminations to a distribution agreement. It essentially provides that, regardless of any contractual provision to the contrary, a dealer or distribution agreement may not be terminated, impaired or not renewed by the principal, unless there is “just cause” (as defined in Act 75) for such termination.

Moreover, if the distribution agreement is terminated without “just cause,” the principal is liable for damages pursuant to a statutory formula that includes five years of profits and the goodwill of the distributor.

As a result, distribution agreements in Puerto Rico are evergreen. In addition, the distributor can allege constructive termination (impairment) if it believes the principal is treating it unfairly and seek damages.

Act 75 provides Puerto Rican distributors with powerful protections and has been the source of substantial litigation over the years.

Find out more about the implications of Act 75.