New ordinance reveals some exceptions for data centres outside Brazil
Brazil’s Official Diary of the Union published Normative Ordinance No 722 last week. The new ordinance comes with Brazil clarifying its regulation after a four-part regulation rollout was announced in April. This follows Brazil passing legislation on 21 December to allow for sports betting and igaming. President Luiz Inacio Lula da Silva signed Bill 3,626/2023 into law later that month.
Normative Ordinance No 722 has outlined the rules around betting systems, such as the relevant technology and security requirements. Notably, the ordinance clarified special situations where it will permit data centres to be outside Brazil.
Special circumstances for data centres outside Brazil
The new ordinance outlines that data centres must be located in Brazil. However, specific conditions could allow for data to be transferred outside of the country.
The conditions for data centres to be located outside of the country include countries having an international legal cooperation agreement with Brazil on both civil and criminal matters. Data holders abroad must authorise the transfer of data in advance. The responsible technical area of the ministry of finance must also have secure and unrestricted access to the data.
Also, the operating agent must replicate its database and information in Brazil. The agent should also ensure all databases have the same content by updating continuously and testing periodically.
The operating agent must have a business continuity plan in the event of situations that put the data at risk. The plan should map out probable loss scenarios and a risk assessment. Additionally, the strategy should establish actions that both prevent and mitigate, as well as the designation of who is responsible for such actions.
Therefore, operators can maintain their platforms abroad should they adhere to Normative Ordinance No 722. However, operators must also present the SPA with an explanation for its systems being maintained outside Brazil. The data centre should also have ISO 27001 certification.
What else does Normative Ordinance No 722 include?
Operators will be required to gain certification of their platforms and systems from entities recognised by the ministry of finance. Gaming Laboratories International became the first laboratory to gain accreditation from the ministry of finance. eCOGRA has also achieved accreditation.
There will be strict technology and security standards for systems to comply with. These include the protection of consumers against potential fraud or unauthorised access.
The ordinance mandated systems to constantly update and be tested to ensure ongoing compliance with regulations, such as protection against new vulnerabilities to fraud. Systems should ensure the integrity of bets and results with transparency for users.
Operators must ensure their data processes are compliant with the General Data Protection Law (LGPD), with adequate security measures and explicit consent from users for data collection. Operators must also permit users to review and delete their data.
In regards to licensing, betting systems and platform must gain certificates that are valid for the time of authorisation granted. Operators should revalidate their system certifications every year, or when there is a change to the critical components of the system.
Potential concerns in Brazil
Normative Ordinance No 722 could pose significant barriers to entry or expansion of operators in Brazil.
The certification process will be costly and complex with regular audits and ongoing testing necessitated to ensure ongoing compliance.
For international operators, the need for data centres to be in Brazil barring exceptional circumstances could present a logistical issue, as well as being costly. For operators to gain a licence in the country, they must also have a Brazilian partner that holds at least 20% of the company’s capital in Brazil.
Additionally, frequent regulatory reviews to ensure compliance with licensing means operators must allow unfettered access to their systems, with aspects such as accessibility for users with disabilities required, adding further complexities for operators.
Future ordinances in Brazil
In April, lawyer Regis Dudena was named as SPA leader. He will oversee the regulation of betting in Brazil.
Among the new rules outlined already was Normative Ordinance No 615. The ordinance banned operators from accepting credit card or cryptocurrency payments. Financial transactions between bettors and operators must be made through electronic transfers. The Central Bank of Brazil must also authorise all accounts used in betting.
Today (7 May), the SPA published tax rules for the regulated betting and gaming market. This confirmed that taxation on bettors will sit at 15%, as decided by Brazil’s Economic Affairs Commission (CAE) in November last year.
Still to come in the four-part regulation rollout are processes on advertising and igaming requirements, which will be included in stage three. Phase four, meanwhile, will include procedures on the granting of industry contributions to socially responsible causes. The full announcement of regulations is expected to be done by the end of July.