Brazil is Learning Achieving Tech Sovereignty is Easier Said Than Done

Laís Martins is a fellow at Tech Policy Press.

This story has been updated with comments from the Brazilian cabinet office known as GSI.

Brazil, like much of the rest of the world, is learning that establishing tech sovereignty is easier said than done. In contrast to the country’s strong rhetoric around asserting independence and pushing back against United States-based digital platforms, two of its recent announcements underscore how tied up Brazil is with foreign technology — and the immense challenge it would be to wean itself off.

In early October, the Institutional Security Bureau (known as GSI in Brazil), an executive cabinet tasked with assisting Brazil’s president on matters of national security and defense policy, published an ordinance paving the way for a technical cooperation agreement with Amazon Web Services (AWS).

The agreement, which has been in discussion since 2023, involves the “pursuit of development and increased maturity in information and cybersecurity,” according to the ordinance. The bureau confirmed in an email that, under the partnership, the parties will hold thematic workshops and practical simulation exercises and benefit from what they called an exchange of positive experiences.

The day before the ordinance was published, AWS representatives visited public officials at the GSI, with members of other ministries also present. The agenda included an “immersion activity” on the “concepts and practices of digital sovereignty”.

The partnership alone raised alarm among cybersecurity and data protection experts, but a few days later, concerns deepened. The bureau published a directive allowing classified data to be hosted on private companies’ clouds, as long as the data is stored and processed in data centers located in Brazil. Prior policy prohibited secret information from being housed in private cloud environments.

There is no explicit indication so far that the GSI will host classified data on AWS servers, and the bureau said in an email the technical cooperation agreement is not a guarantee of future contracts.

In a statement published on its website on Thursday, GSI said the directive does not allow "private companies that operate public cloud services, like AWS, to host classified information." The bureau also added that the technical cooperation agreement does not entail AWS hosting any type of government data, including the GSI.

But the mere possibility of highly sensitive government data being vulnerable to intrusion by US authorities has sparked concern among experts.

“The GSI has a genuine concern with encrypting, locating and protecting the agency's data. The problem is that this is often outsourced, due to various factors, including socioeconomic factors, technical capacity, to private clouds, such as AWS”, said André Ramiro, a doctoral fellow at Hamburg University and a member of the Latin-American Network on Surveillance, Technology and Society studies, known as Lavits.

As Alexandra Geese, a member of the European Parliament, wrote in a recent Tech Policy Press article, “Europe can’t defend democracy on US servers” — and neither can Brazil.

Despite the bureau’s good intentions, such safeguards are not enough, said Ramiro. Concerns revolve around two legal US wrinkles: the 2018 Clarifying Lawful Overseas Use of Data Act, or CLOUD Act, which requires US companies to share data hosted on their servers, regardless of location, when subpoenaed, and the Foreign Intelligence Surveillance Act (FISA), which allows US intelligence agencies to request user data with little oversight or refusal.

AWS stated in July that it had not received any requests that led to the disclosure of data to the US government of “enterprise or government content data stored outside the US” since it began reporting the statistic in 2020. In response to a request from Tech Policy Press, the company said “AWS customers, including government entities, maintain full control over their data” and that it cannot “access, use, or move any customer information without their explicit permission”.

But other technology companies have publicly acknowledged that they cannot guarantee the US government will not access their data.

In June, during a sworn testimony before the French Senate during a hearing on digital sovereignty, Microsoft France’s director of public and legal affairs was asked if he could guarantee that French citizen data would not be sent to US authorities without clear authorization. He said he could not, and added that, under the CLOUD Act, companies can be forced to hand over data, regardless of where it is stored.

In early October, the Brazilian government announced it had begun tests with Microsoft to host its “sovereign cloud,” a federal program to locally host Brazilian data. According to Brazilian newspaper Folha de São Paulo, 11 federal government departments are in talks to transfer their data to the sovereign cloud. Under this partnership, the software being used is developed by public Brazilian technology companies, but the hardware comes from Big Tech companies, like Microsoft.

Under the Trump administration, concerns about the seizure of foreign data are well warranted, said Ramiro.

“Under the current circumstances, this [agreement] is naive and fragile, especially now during the Trump administration, which tends to persecute opponents and blackmail or assign [Justice Department] prosecutors precisely to prosecute whomever the president wants,” he said.

“This formula, combined with the CLOUD Act, is extremely worrying when we talk about Brazil's sovereign data, for example. We are facing ‘authoritarian legalism’: legal instruments created to legitimize authoritarian behavior,” he added.

Hosting government data on private clouds also leaves services vulnerable to outages, like the one experienced on Monday thanks to a global technical failure at AWS. Banks, streaming services, airlines and messaging apps were affected, and in the United Kingdom, government services were disrupted.

Moving forward with little-to-no alternatives

The Brazilian government’s partnering with AWS should be seen less as a lack of awareness of the risks than as a sign of a lack of alternatives. “There’s a competition issue in place, no one comes even near the infrastructure Amazon and Microsoft have”, said Ramiro. And going back to free software would require loads of persuasion, he said.

Brazil has a track record of developing free software, thanks to a movement that began during President Luiz Inácio Lula da Silva’s first term. For years, considerable sections of the administration ran on free software, like Linux. In 2016, when former President Michel Temer took over after Dilma Rousseff’s impeachment, the federal government began contracting with Microsoft. Ever since, the dependency has only become more entrenched.

A study published in July by researchers at the University of São Paulo, the University of Brasília and Fundação Getúlio Vargas, found that since 2014, Brazil has spent more than 23 billion reais (approximately $4.2 billion US dollars) in software, cloud and security licenses with companies such as Google, Microsoft and Oracle.

At the same time, little investments were made into developing homegrown solutions that would be especially necessary in times of geopolitical turmoil, such as now — when the United States government, with the alliance of tech platforms, is waging a commercial war on Brazil.

A recently announced measure to attract data center investments attempts to remediate this by mandating that companies who receive tax benefits designate 2% of the capital spent on equipment in projects that support the “industrial and technological development of the digital economy productive chain” in Brazil.

André Fernandes, director at the Law and Technology Research Institute of Recife (IP.rec), sees the data center's provisional measure, known as ReData, as insufficient. “An obligation to invest in research and development is very little for us to think about in this context of sovereign technologies and a state that really plans technological development as a state policy,” said Fernandes.

“ReData does not use other instruments, does not make it more flexible or dialogue with other instruments, including legal frameworks for innovation, science, technology and innovation, startups,” he added. etc.

One important aspect of the initiative Fernandes highlighted is that one of the obligations established by the government — that companies must allocate 10% of its computing capacity for the domestic market — is smaller for northern and northeastern Brazil. These regions have the advantage of greater availability of renewable energy, as well as a strategic location with submarine cables and proximity to the United States.

“It reduces the obligations precisely for the regions with more inequality. North and Northeast are undersupplied, while the South, Midwest and Southeast are fully supplied by the policy. In other words, the policy is deliberately a policy of inequality,” said Fernandes. In a country of continental proportions like Brazil, unequal policies end up weakening the sovereignty of the Brazilian state as a whole, he argued.

What is to be seen is whether such investments mandated in the policy can be enough to kickstart the development of Brazilian solutions that can serve as alternatives to host data locally. One lesson should be clear by now, though: no country can afford to wait any longer to start building alternatives to US technology products.