SPA/MF Ordinance No. 722, published in an extraordinary edition of the Official Gazette of the Union, establishes the criteria for sports betting and online gaming systems in Brazil. The market is still working to understand it, and some points are gradually being clarified.
Even though Law 14,790 established that betting systems and their respective data must be maintained in data centers physically located in Brazil, Ordinance 722 opens a loophole for them to continue to be based abroad.
In its art. 4, which establishes this requirement for the system to be located in Brazilian territory, § 1 points out:
§1º The systems and data referred to in the caput of this article may be located outside the national territory, in countries that have an International Legal Cooperation Agreement with Brazil, in civil and criminal matters jointly, provided that item VIII of the caput of art. 33 of Law No. 13,709, of 2018 [General Data Protection Law], is observed and the following requirements are met cumulatively:
I - the holder must authorize, specifically and in advance, the international transfer of their personal data, with the operating agent being responsible for providing clear information regarding the purpose of the operation;
II - the responsible technical area of the Ministry of Finance must have secure and unrestricted access, remotely and in person, to systems, platforms and operation data;
III - the operating agent must replicate, in Brazil, its database and information, which will be updated continuously, ensuring that all instances of the database have the same content, and that they are tested periodically; and
IV - the operating agent must present an Information Technology business continuity plan, in the event of the occurrence of critical situations that could put the operation and data at risk, containing, at a minimum:
a) mapping of probable loss scenarios;
b) identification, analysis and assessment of risks;
c) prevention and mitigation actions; and
d) designation of those responsible.
With this flexibility, sports betting and online gaming houses will be able to keep their platforms abroad, as is the case today, as long as they meet the requirements of Ordinance 722. However, they must present to the SPA of the Ministry of Finance the reasons for maintaining their systems outside Brazil.
Even with the flexibility, bettors must authorize in advance the international transfer of their personal data to the platform abroad. In this case, bookmakers that keep their systems abroad must inform the user that the data is being sent abroad, and the user will have to authorize the transfer.
As defined in item II, technicians from the Ministry of Finance, through the Prizes and Bets Secretariat, must have secure and unrestricted access, both remotely and in person, to systems, platforms and operation data.
In addition to other technical demands and requirements, the data center used by the operator must have ISO 27001 certification (the standard for information security management systems).
Source: GMB