Brazil

Overview

Brazil’s 1988 Constitution establishes privacy as a fundamental right, strengthened by Amendment EC 115/2022 explicitly protecting personal data including in digital media. The LGPD (Lei Geral de Proteção de Dados, 2018) provides GDPR-influenced data protection, and in January 2026, Brazil became the first Latin American country to receive EU mutual adequacy recognition.^[1]

Behind this framework, the Parallel ABIN scandal (2019–2021) revealed that ABIN Director Alexandre Ramagem conducted 60,000+ illegal surveillance searches targeting journalists, STF justices, and opposition politicians using Cognyte First Mile spyware. Ramagem was convicted and sentenced to 16 years. The 2013 Snowden revelations that the NSA intercepted President Rousseff’s communications and hacked Petrobras directly motivated the EllaLink cable project to bypass US routing. Brazil is not an Eyes alliance member but is a BRICS founder.^[2][3]

Privacy Framework

The ANPD was transformed into a fully independent agency (September 2025). Maximum penalty: 2% of revenue (capped at R$ 50M per violation). The LGPD grants the Central Government power to exempt any agency for national security (Article 4(III)). Rule of law under the Marco Civil da Internet (2014): court orders required for data access; Article 19 was partially declared unconstitutional (June 2025 STF ruling) for platform liability for hate speech and CSAM.^[4]

Surveillance and Intelligence

ABIN and SISBIN

ABIN (created 1999) reports to the President and coordinates SISBIN (Brazilian Intelligence System) across federal agencies. ABIN cannot intercept communications but can access SISBIN member databases. The Federal Police conducts wiretapping under judicial authorisation (Law 9,296/1996). Parliamentary oversight via CCAI (widely criticised as lacking staff and technical capacity).^[5]

The Parallel ABIN Scandal (2019–2021)

Under Director Ramagem, a “parallel intelligence” structure used Cognyte First Mile spyware (purchased 2018 for R$ 5.7M) to track real-time geolocation of up to 10,000 targets per year. 60,000+ illegal searches targeted 12+ journalists, STF Justices, politicians, IBAMA officials. Nine state security departments separately purchased Cognyte totalling R$ 65.7 million. Federal Police Operation Last Mile (2023) led to Ramagem’s conviction (September 2025, 16-year sentence) for illegal surveillance and the 2022–2023 coup plot. He fled to the US before arrest.^[2][6]

The NSA Spying Scandal (2013)

Snowden documents revealed the NSA intercepted President Rousseff’s personal communications, hacked Petrobras, and monitored 29 government phone numbers. Rousseff cancelled a state visit to Washington and addressed the UN General Assembly to condemn US surveillance. The revelations directly motivated EllaLink and accelerated the Marco Civil da Internet.^[3]

Commercial Surveillance and Facial Recognition

Cellebrite: Federal Police use UFED for mobile forensics. Chinese technology: Huawei, Hikvision, Dahua, ZTE donated 4,000+ cameras for São Paulo’s City Cameras programme. Facial recognition: deployed in São Paulo (plans for 20,000 cameras), Rio de Janeiro (AI drones at Carnival 2025, 63% false positive rate in Maracanã pilot), and Salvador (209 fugitives arrested). Racial bias: more than 90% of FRT arrests target Black Brazilians (CESeC study). No legal framework governs deployment.^[7]

Submarine Cable Infrastructure

Brazil is a major cable hub with 14 landing stations at Fortaleza, Rio, Santos, and Salvador. EllaLink (2021, 100 Tbps, direct Portugal-Fortaleza, explicitly bypassing US routing), SACS (2018, first direct South America-Africa), Monet (2017, Google), BRUSA (Rio-Fortaleza-Puerto Rico-Virginia), Firmina (2025, Google, 14,517 km), SAIL (2018, China Unicom). Previously targeted by NSA FAIRVIEW and STORMBREW upstream collection when traffic routed through US nodes.^[8]

Age Verification: Identity Infrastructure as Surveillance

The ECA Digital (Law 15,211/2025), enacted September 17, 2025 and effective March 17, 2026, establishes comprehensive digital child protection. Platforms must implement age verification using “highly effective and auditable” technology — self-declaration explicitly banned. Accounts for under-16s must link to a guardian’s account. Behavioral advertising profiling of children is banned. Paid loot boxes prohibited for minors. Fines up to BRL 50 million or 10% of Brazilian revenue per violation. The ANPD enforces.^[9]

The law applies to any digital product “aimed at or likely to be accessed by” minors in Brazil regardless of company location, creating extraterritorial reach. The mandatory age verification infrastructure — linking all under-16 accounts to guardian accounts with identity verification — creates a surveillance-capable architecture mapping parent-child relationships to platform access at national scale.

Data Retention

Marco Civil da Internet: Connection logs (ISPs): 1 year; application access logs: 6 months. Court order required for all access. ANATEL Resolution 738/2020: Subscriber/billing/call records: 5 years; internet connection records: 1 year. LGPD Article 4(III) exempts national security activities, meaning exempted agencies face no statutory retention limitation.^[10]

International Data Sharing Agreements

Mutual Legal Assistance: 30+ Bilateral Treaties

Brazil maintains bilateral MLATs with approximately 30 countries including: United States (signed October 14, 1997, in force February 21, 2001), Canada, Chile, China, Colombia, Ecuador, Germany, Grenada, Guyana, Hong Kong, India, Ireland, Italy, Jordan, Kazakhstan, Mexico, Morocco, Netherlands, Nigeria, Panama, Paraguay, Philippines, Romania, Spain, Sweden, Thailand, Ukraine, UAE, Uruguay, and Vietnam. Brazil is also party to the Inter-American Convention on MLA in Criminal Matters and the Mercosur MLA Protocol.^[11]

BRICS and EU Adequacy

BRICS: Founding member; 2025 presidency; Working Group on ICTs for real-time threat intelligence exchange. EU mutual adequacy (January 26, 2026): Reciprocal recognition — first Latin American country. Mercosur: EU-Mercosur Partnership Agreement signed early 2026.^[1]

The Privacy Backdoor Effect

Despite LGPD protections and EU adequacy, alternative access exists:

• NSA Upstream: The 2013 revelations showed NSA specifically targeted Brazilian government communications; LGPD does not constrain NSA collection outside Brazil
• ABIN Article 4(III): LGPD explicitly exempts national security; any exempted agency has no data protection constraints
• 30+ MLATs: Extensive bilateral treaty network enabling foreign law enforcement data requests
• Cable transit: Despite EllaLink, some traffic still transits US nodes subject to FAIRVIEW/STORMBREW
• SWIFT/PNR: Financial and travel data subject to US access

Recent Developments

Ramagem Conviction (September 2025): Former ABIN Director convicted by STF (4-1) for Parallel ABIN illegal surveillance and coup plot. 16-year sentence. Fled to US.^[2]

EU Mutual Adequacy (January 2026): First Latin American country. Reciprocal arrangement with the EU-Mercosur Partnership Agreement.^[1]

ECA Digital (Law 15,211/2025) — Now in Force: Became effective March 17, 2026, with implementing decree published March 18. Mandatory age verification replacing self-declaration, profiling and targeted advertising banned for all under-18s, paid loot boxes prohibited in products accessible to minors, under-16 accounts must link to parent/guardian. Establishes National Notification Screening Center (Federal Police) for digital crimes against minors. ANPD enforces with fines up to BRL 50M or 10% of Brazil revenue.^[9][12]

ANPD Independence (September 2025): Transformed to full independent regulatory agency with financial/administrative autonomy.^[4]

Facial Recognition Racial Bias: 90%+ of FRT arrests target Black Brazilians. No legal framework governs deployment despite expansion across São Paulo, Rio, and Salvador.^[7]

Sources