I OVERVIEW

The regulatory landscape for the technology, media and telecommunications (TMT) industry in Brazil witnessed important changes in 2019. As services converge to distribution via the internet (i.e., 'over-the-top' – OTT), broadband infrastructure becomes increasingly critical for access to content and communication.

Furthermore, the Brazilian General Data Protection Act (LGPD) will come into force in August 2020 and will affect TMT companies on nuclear dimensions, dealing with issues common to all industries (such as data in HR departments) and more specific topics such as cookie policies or direct marketing.

Given their experience and knowledge, TMT companies are qualified to play a leading role in the discussions on the interpretation and regulation of LGPD's legal provisions. The conceptual framework of the LGPD leaves room for an enforcement attentive to both the necessary insertion of Brazil in international best practices regarding data protection and to specificities of the national context.

We present below an overview of the Brazilian landscape, detailing its main changes in 2019 and trends for 2020.

II REGULATION

i The regulators

TMT services are regulated by two different agencies in Brazil. The National Telecommunications Agency (Anatel) regulates telecom services, which include fixed telephony, mobile telephony and internet, fixed broadband and pay-TV distribution. Anatel has powers to grant (and forfeit) licences for regulated services, issue regulations and guidelines, control the use of spectrum and orbital slots, supervise the quality and safety of services and products, oversee compliance with net neutrality rules, authorise transfers of control among telecoms and impose fines for regulatory infringement.

The other agency regulating TMT in Brazil is the National Cinema Agency (Ancine). It regulates audiovisual services, which include making and distribution of films and production, programming and packaging of pay-TV content. Ancine manages the National Audiovisual Fund (FSA), providing resources to foster Brazilian audiovisual productions. The agency also has powers to fight piracy and impose fines for regulatory infringement.

Finally, free-to-air television and radio broadcasting are subject to the direct authority of the Ministry of Science, Technology, Innovations and Communications (MTIC).

ii Main sources of law

The main source of law for telecom services is the General Telecommunications Act (LGT).2 It was significantly altered by a bill signed into law in October 2019 (PLC 79).3 Regulations issued by Anatel are also an important source of rules regulating the industry.

For media services, the main sources of law are the SeAC Act4 (applicable to pay-TV) and the Brazilian Telecommunications Code5 (applicable to free-to-air television and radio broadcasting).

iii Regulated activities

Telecom services may be provided under public or private regimes. Those provided under the public regime require a type of licence called 'concessions', which are auctioned and heavily regulated, implying substantial costs. In turn, services provided under the private regime require 'authorisations', which are less regulated and generally do not need to be auctioned.

Until recently, fixed telephony had to be provided under the public regime, which imposed significant costs over telecommunication companies. However, PLC 79 addressed an old industry request and allowed telecommunication companies to ask Anatel to switch to the private regime, subject to Anatel's approval. As another requirement to switch to the private regime, companies must commit to use the resources they will save with this switch in broadband infrastructure expansion. Thus, all telecom services may be offered under the private regime now, a substantial change in the regulatory landscape.

To obtain an authorisation, companies must submit to Anatel a request with the required documentation. The agency provides specific requirements for each type of service. In general, companies must be in good standing regarding tax obligations and prove they fulfil certain legal, financial and technical qualifications. Authorisations are valid for 20 years and may be renewed for equal periods.

Use of spectrum is also conditioned on authorisations by Anatel, which are auctioned and valid for 20 years, renewable for equal periods. PLC 79 addressed another old industry request and allowed telecoms to transfer spectrum use authorisations among themselves (conditioned to approval by Anatel), thus creating a 'market' for spectrum use. The use of orbital slots is conditioned to a grant auctioned by Anatel and valid for 15 years.

Finally, the offer of free-to-air television and radio broadcasting is conditioned to concessions from the MTIC, which are auctioned and valid for 15 years, renewable for equal periods.

iv Ownership and market access restrictions

There are restrictions on foreign ownership of telecommunication companies in Brazil. First, under the LGT, only companies headquartered and incorporated under the laws of Brazil can obtain authorisations to offer telecommunication services.

Similarly, concessions for free-to-air television and radio broadcasting can only be obtained by companies headquartered in Brazil, incorporated under the laws of Brazil and with at least 70 per cent of voting capital owned by Brazilian citizens or companies headquartered and incorporated under the laws of Brazil.

The SeAC Act also prohibits cross-ownership between content producers and telecom operators: free-to-air television broadcasters and pay-TV content producers cannot own more than 50 per cent of the capital of pay-TV distributors. Likewise, pay-TV distributors cannot own more than 30 per cent of the capital of free-to-air television broadcasters and pay-TV content producers. These restrictions have been subject to strong criticism recently and Congress is discussing a bill to eliminate them.6 Given the advanced stage of debates in Congress, some consider that a bill eliminating restrictions on cross-ownership may pass by the end of 2019 or the beginning of 2020.

v Transfers of control and assignments

Transfer of control over telecommunication companies (e.g., via mergers and acquisitions) requires clearance from Anatel. Under the agency's regulation, control means 'the powers to directly or indirectly, internally or externally manage the company's activities or operations'.7 Anatel also considers as 'controllers' any persons who have powers to indicate members in the board of directors and managers, veto rights, rights to stay deliberations in the board of directors or rights to cast separate votes to fulfil managing positions.

To obtain clearance from Anatel, companies must file a request with the required documentation showing they are in good standing regarding tax obligations and that the acquiring party fulfils certain legal, financial and technical qualifications. The agency will clear the transfer of control if all qualifications are fulfilled and the transaction is not likely to harm competition or degrade the quality of services provided to consumers. There is no time limit for Anatel to conclude its assessment and timing varies significantly according to the complexity of the case.

In contrast, transfer of control of free-to-air television and radio broadcasters does not require a formal clearance procedure and must only be notified to the MTIC.

Finally, it is important to highlight that transfers of control may also be subject to mandatory filing before the Federal Antitrust Agency (CADE). The Brazilian Competition Act8 establishes that notification of mergers, acquisitions, joint ventures and associative agreements is mandatory where:

  1. the corporate group of one party to the transaction had a turnover of at least 750 million reais in Brazil in the year preceding the transaction; and
  2. the corporate group of another party to the transaction had a turnover of at least 75 million reais in Brazil in the year preceding the transaction.

Parties must provide CADE with all documents and information necessary for the assessment of the transaction's impacts on competition. The proceeding at CADE is totally independent of the assessment carried out by Anatel and imposes a standstill obligation (parties must not consummate the deal before clearance). CADE has up to 240 days to rule on mergers but normally takes less than 30 days in cases eligible for fast-track review (e.g., low overlaps, lack of overlap or vertical integration, etc.).

III TELECOMMUNICATIONS AND INTERNET ACCESS

i Internet and internet protocol regulation

While the provision of internet access (via mobile or fixed broadband) is considered a telecommunication service and thus regulated by Anatel, internet and IP-based services (i.e., OTTs) are considered 'value added services' and are not subject to specific regulation. There are ongoing discussions concerning whether OTTs that deliver content in the format of live streaming of TV channels (instead of on-demand or library services) are subject to the same regulation applicable to pay-TV distributors (see Section V below for more detail).

Rights and obligations applicable to the use of internet were established by the 'Internet Bill of Rights' passed in 2014.9 Notably, the Bill of Rights established that internet providers must comply with net neutrality rules (i.e., they must treat equally all data packages irrespective of content, origin, destination, service, terminal or application). Traffic discrimination or degradation is only accepted to deal with technical requirements or to prioritise emergency services. Anatel has powers to oversee compliance with these rules.

Finally, it is worth mentioning that the Internet Management Committee (CGI.br), a multi-sectorial organisation, issues recommendations on technical standards for the internet, allocation of IP addresses and management of domain names. CGI is not a regulator and its decisions are not binding. Domain names ending in '.br' and IPv4/IPv6 addresses in Brazil are registered and maintained by NIC.br, a private entity created by CGI.br.

ii Universal service

While access to fixed and mobile broadband has increased significantly over the past decade, universalisation of access to broadband connection remains a challenge in Brazil. The Brazilian government and Anatel have jointly worked on plans to expand broadband infrastructure to peripheral areas, but there is a general perception that these plans achieved limited success.

Construction of broadband infrastructure is mostly handled by the private sector. PLC 79 is expected to spur investments in broadband infrastructure.

iii Restrictions on the provision of service

Generally, prices and conditions of services are freely established by telecommunication companies. However, services offered to the public cannot be unreasonably denied to specific customers. Furthermore, Anatel also issues regulations seeking to guarantee a minimum level of quality and continuity of telecommunication services.

With regard to the provision of internet connection, the Internet Bill of Rights establishes that internet service providers can only discontinue customers' access in case of payment default. This led to debates in previous years on whether operators could impose data caps for use of fixed broadband connection. In 2016, Anatel issued an administrative order prohibiting data caps in fixed broadband connection until a regulation on this issue was enacted, but the matter has not evolved since then. Data caps on mobile broadband access are a common market practice and Anatel has not taken issue with that.

Moreover, as seen above, the Internet Bill of Rights establishes that internet service providers must comply with net neutrality rules, so they cannot favour certain services, content or applications. In 2017, CADE closed without charges a probe that investigated whether zero rating agreements infringed competition law.10 In this proceeding, Anatel and MTIC filed submissions indicating that zero rating does not violate net neutrality rules.

Finally, laws in several states prohibit telemarketing companies from making unsolicited calls to customers who put their phone numbers on lists asking not to be contacted.

iv Privacy and data security

In July 2018, the LGPD11 was approved. It was later amended by a Provisional Measure converted into law in July 2019.12

With the LGPD, Brazil positions itself in a global context of stricter policies regarding data protection. Its framework and principles are largely inspired by the European Data Protection Regulation (GDPR).

The LGPD will come into force in August 2020. Its application is transversal, reaching the most diverse industries. TMT companies will be affected on nuclear dimensions, both on issues common to all industries (such as data in HR departments) and more specific to their business activities (such as cookie policies or direct marketing).

Basic definitions

All processing of personal data, both online and offline, is subject to the LGPD.

Personal data is defined by the LGPD as any information related to an identified or identifiable natural person.13 This definition encompasses all information that can identify a living human being. If interpreted accordingly to the European experience (whose legislation presents similar wording), personal data means both objective and subjective information regarding an individual. For example, '[the employee] is the legal manager' or '[the employee] is a good professional and deserves promotion' would both qualify as personal data.

The more elements related to a natural person, the greater the chance that such individual is identifiable. Hence, the greater the risk associated with the use of this data. Age alone might not be enough information to identify an individual working at the legal department of a firm. But such information can be personal data if added to other pieces such as gender, position and remuneration.

'Sensitive' personal data is subject to stricter regulation under the LGPD, as discussed further below. It refers to health, sex life, genetic or biometric data, racial or ethnic origin, religious conviction, political opinion, union membership or religious, philosophical or political organisation.14

'Processing' (the LGPD uses the word 'treatment') means essentially any operation involving personal data, including 'collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, elimination, evaluation or control of information, modification, communication, transfer, dissemination or extraction'.15

Anonymised data is defined as data related to a subject that cannot be identified, considering the use of reasonable technical means available at the time of its treatment.16 It is not considered personal data under the LGPD, except 'when the process of anonymisation to which they were submitted is reversed, using exclusively their own means, or when, with reasonable efforts, it can be reversed'.17

Finally, the 'processing agents' are defined in the LGPD as follows:18 (1) the controller is the natural person or legal entity responsible for the decisions regarding the processing of personal data; and (2) the processor (or 'operator') is the natural person or legal entity that carries out the processing of personal data on behalf of the controller.

Fundamental obligations and penalties

Under the LGPD, every processing (or 'treatment') of personal data must have a specific legal justification or basis, comply with data protection principles, respect the rights of data subjects (i.e., the individuals to whom the data relates) and follow governance rules.

One of the lawful bases for processing personal data is consent by the data subject. Consent must be free, informed and unequivocal.19 In addition to such stringent criteria, the data subject can revoke consent at any time.

Another lawful basis established in the LGPD is a contract entered into with the data subject.20 An employer that needs employees' financial data to process payment of salaries might base the collection of such data on the employment contract. Data processed under a contract (or consent) must be available in an electronic copy and in a format that allows its subsequent use in other processing operations.21 Such obligation triggers the right to portability, as discussed below.

A third lawful basis for processing personal data worth mentioning in the present chapter is legitimate interest. Under this justification, the interest of the controller or a third party must be weighed against the fundamental rights and freedoms of the data subject.22 Nevertheless, legitimate interest cannot serve as a basis to process sensitive personal data. A data protection impact assessment is recommended, as it can be requested by the Data Protection Authority (DPA).23

In addition to relying on one of the lawful bases for processing personal data, controllers and processors must act in good faith and observe other principles established by LGPD.24 Principles like purpose, adequacy and necessity determine that the processing shall have specific purposes and be compatible with such purposes. Processing must be limited to the minimum necessary for the accomplishment of specific purposes.

Free access, quality and transparency must also be observed in processing personal data. They mean that the data subject may require information about the processing free of charge and that accuracy of the data must be guaranteed.

According to the principles of security and prevention, technical and administrative measures must be adopted to protect data from unauthorised access and accidents. Measures should also be taken to prevent damage due to the processing of personal data.

The LGPD also establishes the principle of non-discrimination, which means processing may not be carried out for unlawful or abusive discriminatory purposes.

An overarching principle of the LGPD is accountability: controllers and processors must demonstrate they have adopted effective measures to comply with data protection regulation.

There are several subject rights in the LGPD that relate to such principles and obligations. The data subject has the right, for example, to obtain confirmation of processing (when and why the processing has occurred and who it has been carried out by) and to correct incomplete, (objectively and subjectively) inaccurate or outdated data.

A right that should be emphasised is the right to data portability. Upon express request of the data subject, the controller must make the data available to subsequent use by other organisations. Most likely, the right to data portability will not embrace inferences or analysis made by the controller using the data.

To comply with such obligations, controllers and operators shall formulate rules of good practice and governance that establish several aspects related to processing of personal data.25 Among such aspects are safety standards, educational actions, and internal mechanisms of supervision and mitigation of risks.

In the case of violation of the LGPD, controllers and operators are subject to fines of up to 2 per cent of turnover limited to 50 million reais, as well as publication of the infraction, blocking or elimination of personal data.26 Recently, a veto to the sanction of suspension of processing activities was overturned by Congress, so controllers and operators may also have their processing activities suspended if they fail to comply with the LGDP.

The LGPD also provides that, when calculating the fine, the DPA may consider the total turnover of a group when the turnover 'in the area of business activity in which the violation occurred' is not available.27 Such provision will likely trigger relevant discussions as to how to define 'the area of business activity'. The experience of the Brazilian antitrust agency (CADE) with this matter should not be overlooked.

The infringement of the LGPD may lead to collective and individual actions by injured parties for damage compensation. The data subject also has the right to petition to consumer protection authorities. Controllers and processors can be held jointly liable under certain conditions of Article 42.

Issues regarding technology, media and telecommunications

The conceptual framework of the LGPD leaves room for an enforcement attentive to both the insertion of Brazil in international best practices and to specificities of the national context. The TMT industry has the potential to play a leading role in the discussion on the interpretation and regulation of the LGPD's legal provisions.

To achieve an effective and balanced enforcement, the Brazilian DPA should observe the requirement of minimum intervention, as established in Article 55-J, Section 1º of the LGPD. Enforcement should be oriented to preserve incentives to innovation and the essence of regulated sectors.

The LGPD's transversal application to several sectors raises areas of possible conflicts. The right to petition to consumer protection authorities is an example – Article 18, Section 8º of the LGPD ensures consumers of media services, for instance, the right to petition 'with regard to their data' to consumer authorities. Enforcement of the law will need to establish limits and a productive dialogue in the relationship between data and consumer protection authorities.

Another example is the interface between data protection and competition law. There could be allegations of LGPD violations that supposedly represent harm to competition, such as the Facebook case in Germany.28 For example, one could argue that a TMT firm that obtains a large amount of data in violation of the LGPD could behave in ways that harm consumers and competitors. CADE will need to carefully assess whether there is reason to incorporate violations of the LGPD as an antitrust concern.

Moreover, concerns with privacy are not a novelty in the Brazilian legal landscape. In addition to the Federal Constitution and the Internet Bill of Rights,29 the LGT30 provides, in its Article 3, IX, that the user of telecommunication services is entitled to the respect of their privacy in the billing documents and in the use of personal data by the service provider. The duties of Anatel in observing such obligation should be harmonised with the DPA's responsibilities on the same matter.

Specific matters relating to internet technology and communications, as well as direct marketing, will need to be defined in Brazil. The Brazilian DPA will need to define whether prior consent is necessary for using cookies and whether internet users can be deemed to have consented by using a browser that allows cookies. It will also regulate whether there is a difference between first-party cookies (used to advertise an operator's own products or to tailor its own website) and third-party cookies (sent by an entity other than the website operator).

Another matter to be defined is the disclosure of personal data through social network services (SNS). The LGPD states that the requirement of consent is waived for general data made manifestly public by the data subject. One will need to interpret what 'making manifestly public' means in the context of SNS, as well as its extension to sensitive data.

The increasing use of the internet of things (IoT) will also raise issues regarding the appropriate security measures to ensure networks connected to IoT objects, as well as the need to consent to the processing of personal data in this context. The Brazilian DPA will certainly need to face such challenges.

As to direct marketing, there will be discussions about whether opt-in is required or opt-out is sufficient, considering eventual differences between means such as postal marketing, telephone marketing and marketing by electronic mail. Programmatic media and online behavioural advertising will add complexity to the analysis of the DPA.

Technology, media and telecom organisations must be alert to the development of such matters in the Brazilian context. Reputational damage tends to be significant in the event they fail to comply with data protection requirements, especially to firms inserted in a digital economy highly based on trust. An image of careless data processing might be fatal to trust from consumers and employees.

IV SPECTRUM POLICY

i Development

Use of spectrum is conditioned to authorisations auctioned by Anatel. As seen in Section II, the most significant change regarding spectrum policy was the creation of a 'market' of authorisations by PLC 79.

Moreover, Anatel introduced new rules limiting ownership of spectrum bands in late 2018. Under these rules, a telecommunication company cannot control more than 35 per cent of bands below 1GHz and 30 per cent of bands between 1GHz and 3GHz. Anatel is considering similar limitations on control over bands above 3GHz.

ii Flexible spectrum use

Anatel started considering how to regulate flexible spectrum use in 2018, but this matter has not developed since then. Related to flexible use, radio access network (RAN) sharing agreements are lawful, but subject to approval by Anatel.

iii Broadband and next-generation services spectrum use

In previous years, the 450MHz, 700MHz, 1.9GHz, 2.1GHz and 2.5GHz bands were auctioned for use by 3G and 4G broadband technology services. In May 2019, Anatel established that the 2.3GHz and 3.5GHz bands will be used for 5G broadband technology services. The agency plans to auction these bands in the first quarter of 2020. Leftover spectrum in other bands may also be auctioned for next-generation services in the future.

iv Spectrum auctions and fees

As seen above, Anatel plans to auction the 2.3GHz and 3.5GHz bands for 5G broadband technology services in the first quarter of 2020. Telecoms must pay a fee to acquire spectrum-use rights.

V MEDIA

i Regulation of media distribution generally

Pay-TV delivered via networks (cable, satellite, MMDS, etc.) is subject to several service and content obligations. Among other obligations, network operators must:

  1. carry for free some channels considered of public interest;
  2. carry channels programmed by independent Brazilian producers;
  3. carry channels programmed by free-to-air TV broadcasters; and
  4. offer a 'basic package' containing only channels of mandatory distribution.

Pay-TV content producers, for their part, must include content produced by Brazilian independent producers on certain channels and cap advertising at 25 per cent of programming. Similarly, free-to-air television broadcasters must include educational programmes in their channels and cap advertising at 25 per cent of programming.

Distribution of content via the internet (OTT) is often considered a 'value added service' and subject to no specific regulation. However, there are ongoing discussions regarding whether content in the format of TV channels delivered via the internet should be subject to the regulations applicable to pay-TV distributors (see below).

ii Internet-delivered video content

Over recent years, subscription to video on demand services has significantly increased while pay-TV subscriptions are shrinking. OTTs have enjoyed a near total lack of regulation in Brazil and normally pay fewer taxes than network operators. As a result, telecommunication companies providing pay-TV services have argued they face unfair competition from OTTs. Furthermore, some players argued that the lack of regulation over OTTs threatens Brazilian independent content producers given only pay-TV distributors have must-carry obligations regarding Brazilian content. Congress is considering bills to regulate distribution of content by OTTs.31

By the end of 2018, Claro (a major telecom company owned by América Móvil) filed complaints before Anatel32 against Fox (currently owned by the Disney group) and Topsports (owned by the Warner Media group) arguing that the SeAC Act applies to all distributors of linear content in the format of a channel, irrespective of the technology employed in distribution. According to Claro, as OTTs streaming linear content in the format of TV channels, Fox and Topsports should be subject to the regulation applicable to pay-TV distributors.

In July 2019, Anatel issued a provisional measure ordering Fox and Topsports to cease delivery of content in the format of TV channels via the internet until the release of a final decision on the matter. However, Anatel's order was subsequently reversed by a federal court. Congress is considering changes to the SeAC Act to either expressly exclude or include OTTs that deliver content in the format of TV channels in the pay-TV regulation.33 In parallel, Anatel has yet to reach a final decision on the matter.

VI THE YEAR IN REVIEW

The main change in legislation for the TMT industry passed in 2019 was PLC 79 (see Section I.ii). Key mergers that closed in 2019 were the acquisition of Fox by Disney and the acquisition of Nextel (a mobile telephony company) by Claro.

Another highlight is the amendment of the LGPD by a Provisional Measure converted into law in July 2019. The LGPD will come into force in August 2020. As discussed above, TMT companies will be affected on nuclear dimensions by the law, both on issues common to all industries and more specific ones.

Several bills affecting the TMT industry are being discussed by Congress, so the landscape may see further changes soon, especially with regard to restrictions on cross-ownership and delivery of pay-TV and audiovisual content over the internet.

VII CONCLUSIONS AND OUTLOOK

With the passing into law of PLC 79, telecom operators saw an improvement in the regulatory landscape as changes introduced in the LGT are expected to reduce regulatory costs and boost investments in broadband infrastructure. Nevertheless, several hurdles remain, such as the heavy taxation of telecom services and the significant market concentration in the TMT industry.

The LGPD will come into force in August 2020. The TMT industry should not only hurry to comply with the LGPD, but also seek to play a leading role in influencing its future enforcement and regulation. Under the LGPD, every processing of personal data must have a legal ground, comply with data protection principles, respect the rights of data subjects and follow governance rules.

In the case of violation of the LGPD, controllers and operators are subject to fines of up to 2 per cent of turnover limited to 50 million reais, as well as publication of the infraction, blocking or elimination of personal data and suspension of processing activities.

Damage to reputation tends to be immeasurable in the event of TMT companies failing to comply with data protection requirements, especially for firms inserted in a digital economy highly based on trust. An image of careless data processing will be fatal to trust from consumers and employees.

Therefore, the TMT industry should be alert to issues regarding conflict of jurisdiction between the DPA and other authorities, such as consumer and antitrust authorities or Anatel. Also, TMT companies would do well in seeking to influence specific issues related to direct marketing and internet technology and communications, such as cookie policies, search engines, social network services and IoT.

Several bills affecting the TMT industry are being discussed by Congress, so the landscape may see further changes soon. It remains to be seen whether the more business-friendly approach advocated by President Bolsonaro's Economy Minister will lead to a fresh agenda for the industry.


Footnotes

1 Ademir Antonio Pereira Junior is a partner, Luiz Felipe Rosa Ramos is a senior associate and Yan Villela Vieira is an associate at Advocacia José Del Chiaro.

2 Law No. 9,472/1997.

3 PLC 79 was signed into Law No. 13,879/2019.

4 Law No. 12,485/2011.

5 Law No. 4,117/1962. Decree No. 52,795/1963 provides additional regulation based on this statute.

6 Bill No. 3,832/2019 and Bill No. 5,322/2019.

7 As provided by Anatel Regulation No. 101/1999.

8 Law No. 12,529/2011.

9 Law No. 12,965/2014.

10 Proceeding No. 08700.004314/2016-71.

11 Law No. 13,709/2018.

12 Law No. 13,853/2019.

13 Law No. 13,709/2018 (Article 5, I).

14 Law No. 13,709/2018 (Article 5, II).

15 Law No. 13,709/2018 (Article 5, X).

16 Law No. 13,709/2018 (Article 5, III).

17 Law No. 13,709/2018 (Article 12).

18 Law No. 13,709/2018 (Article 5, VI and VII).

19 Law No. 13,709/2018 (Article 7, I).

20 Law No. 13,709/2018 (Article 7, V).

21 Law No. 13,709/2018 (Article 19, Section 3º).

22 Law No. 13,709/2018 (Article 7, IX).

23 Law No. 13,709/2018 (Article 10, Section 3º).

24 Law No. 13,709/2018 (Article 6).

25 Law No. 13,709/2018 (Article 50).

26 Law No. 13,709/2018 (Article 52).

27 Law No. 13,709/2018 (Article 52, Section 4º).

28 Bundeskartellamt, Facebook, Exploitative business terms pursuant to Section 19(1) GWB for inadequate data processing (6 February 2019), B6-22/16, 2.

29 Law No. 12,965/2014.

30 Law No. 9,472/1997.

31 Bill No. 57/2018 and Bill No. 8,889/2018.

32 Proceedings Nos. 53500.056473/2018-24 and 53500.057279/2018-66.

33 Bill No. 5,322/2019, Bill No. 4,292/2019, Bill No. 4,389/2019 and Bill No. 4,330/2019.