Brazil Software IP Protection: Lei 9.609, Moral Rights, and LGPD

Brazil Software IP Protection: What Founders Must Know

Brazil has one of the most comprehensive legal frameworks for software intellectual property protection in Latin America. Yet the framework's complexity — combining two distinct statutes, a specialized patent office, and a robust court system — regularly catches foreign founders by surprise. Understanding Brazilian software IP law is not optional for startups targeting the Brazilian market or raising capital from Brazilian investors.

The primary statute governing software protection in Brazil is Lei 9.609 de 1998, the Software Law. This statute was enacted specifically to regulate the protection of computer programs, complementing the broader copyright framework established by Lei 9.610 de 1998, the Copyright Law. Together, these two statutes define the scope of software IP rights in Brazil, the ownership rules applicable to employee and contractor-created software, and the remedies available for infringement.

Software Copyright Under Lei 9.609

Article 2 of Lei 9.609 establishes that computer programs are protected by copyright in the same manner as literary works. The protection term is 50 years from January 1 of the year following publication, or from the year of creation for unpublished software. This is shorter than the general copyright term of 70 years post-mortem auctoris applicable to other literary works under Lei 9.610.

The Instituto Nacional da Propriedade Industrial (INPI) provides a voluntary registration system for software. Unlike many other copyrightable works, software registration in Brazil is handled by INPI rather than the National Library. Registration creates a presumption of authorship and the registration date provides useful evidence in infringement disputes, though registration is not required to enjoy copyright protection.

A critical point for startups: Brazilian law grants software authors moral rights in addition to economic rights. Moral rights include the right of attribution (the right to have one's name associated with the work) and the right of integrity (the right to object to modifications that damage the author's reputation). Moral rights cannot be transferred or waived under Brazilian law. This has important implications for open source contributors and contractor relationships — even if a developer assigns all economic rights to the startup, they retain moral rights in their contribution.

Ownership Rules for Employee and Contractor Code

Article 4 of Lei 9.609 establishes the ownership rules for software created in the context of employment and service relationships. For software created by an employee in the exercise of their functions or using the employer's resources, the economic rights belong to the employer. This rule applies whether or not there is an explicit IP assignment clause in the employment contract — the statutory default favors the employer.

For independent contractors, the rule is different. Article 4, §2 of Lei 9.609 provides that when software is developed pursuant to a service contract, the economic rights belong to the contracting party (the company), not the contractor. However, this default rule applies only when a formal service contract exists and the software was developed specifically in fulfillment of that contract.

The recommended practice is to include an explicit IP assignment clause in every contractor agreement, regardless of the statutory default. The clause should assign all existing and future IP rights in works created for the company, including moral rights to the extent permitted by law (noting that moral rights cannot be assigned, but can be subject to a waiver of exercise). The WIPO model clauses provide a useful starting point for drafting these provisions.

Open Source Compliance in the Brazilian Context

Brazilian law does not create special rules for open source software — open source licenses are treated as ordinary copyright licenses under Lei 9.610. However, the strong moral rights framework has important implications for open source compliance. Attribution requirements in open source licenses (such as the requirement to retain copyright notices and attribution statements) have a moral rights dimension in Brazil — failure to comply may not only breach the license terms but also infringe the author's moral right of attribution.

GPL v3 and AGPL v3 compliance is particularly important in Brazil because the LGPD (Lei Geral de Proteção de Dados) adds a data protection layer to code that processes personal data. If a startup uses AGPL v3-licensed software that processes personal data, compliance requires both providing source code access (under AGPL v3) and implementing appropriate data protection measures (under LGPD). The intersection of these two frameworks creates a compliance challenge that requires coordinated legal and technical review.

Software Patents in Brazil

Brazil does not grant pure software patents. Article 10 of Lei 9.279/1996 (the Industrial Property Law) excludes abstract ideas, mathematical methods, business methods, and software programs "as such" from patentability. INPI's Resolution 158/2016 and subsequent normative instructions have defined the contours of patentable computer-implemented inventions — essentially, software that achieves a technical effect in the physical world may be patentable, but software itself is not.

In practice, Brazilian courts and INPI have been willing to grant patents for inventions that are implemented in software but achieve a technical effect beyond the software. Telecommunications equipment, medical devices, and industrial control systems implemented with software components have obtained patent protection. For deep tech startups, a freedom-to-operate analysis in Brazil should account for both pure software patents (not available) and computer-implemented invention patents (potentially available).

LGPD and IP Intersections

Brazil's Lei Geral de Proteção de Dados (LGPD), enacted in 2018 and effective since 2020, creates significant IP intersections for AI and data-driven startups. Training data for machine learning systems frequently constitutes personal data under LGPD, and the model trained on that data may incorporate representations of the personal data in ways that create both IP and data protection obligations.

The Autoridade Nacional de Proteção de Dados (ANPD) has issued guidance on data processing for research and development purposes. Startups training AI models on Brazilian user data should ensure their LGPD compliance framework addresses the IP dimensions of training data — including the rights of data subjects to object to processing, the obligations around data subject access requests, and the restrictions on data transfers outside Brazil.

Enforcement and Remedies

Brazilian IP enforcement is robust. Criminal sanctions for software piracy are established in Article 12 of Lei 9.609, with imprisonment terms of three months to one year plus fines for unauthorized reproduction and two to four years plus fines for commercial-scale infringement. Civil remedies include injunctions, damages calculated as lost profits or a reasonable royalty, and disgorgement of infringer profits.

The specialized IP courts (Varas Especializadas de Propriedade Intelectual) in São Paulo have developed significant expertise in software IP cases. Brazil is party to the TRIPS Agreement and the Berne Convention, ensuring that foreign copyright holders can enforce their rights in Brazilian courts with the same standing as Brazilian nationals.

Frequently Asked Questions

LATAM IP and Regulatory Resources

The following authoritative sources provide the legal and regulatory foundation for the topics covered in this guide. All LATAM jurisdictions are signatories to the WIPO treaties that form the international IP framework, and domestic laws implement TRIPS Agreement minimum standards.

• TRIPS Agreement — WIPO — The foundational international IP treaty binding all WTO member states, including Argentina, Brazil, Mexico, Colombia, Chile, and Peru.
• INPI Brazil — Brazil's National Institute of Industrial Property; administers software registration, patents, and trademarks under Lei 9.279/1996 and Lei 9.609/1998.
• INPI Argentina — Argentina's IP office; manages software registration under Ley 11.723 and trademark protection.
• Open Source Initiative License List — Authoritative catalog of OSI-approved open source licenses including GPL v2, GPL v3, AGPL v3, MIT, and Apache License 2.0.
• SPDX License List — Machine-readable license identifiers used in Software Bill of Materials (SBOM) generation and CI/CD compliance tooling.
• IMPI Mexico — Instituto Mexicano de la Propiedad Industrial; administers patents and trademarks under the LFPPI.

For startups operating across LATAM, compliance with LGPD (Brazil), LPDP (Argentina — Ley 25.326), LFPDPPP (Mexico), and the TRIPS Agreement framework is not optional. Each framework creates distinct obligations that require jurisdiction-specific legal review. Our fixed-price audit packages provide this review with 48-hour delivery, so your team can move quickly without sacrificing legal certainty.

Practical Steps for Brazil IP Compliance

For startups building in Brazil or expanding into the Brazilian market, a systematic Brazil IP compliance program should include the following components. First, register all core software with INPI Brazil under Lei 9.609. The registration creates a public record, establishes a timestamp for priority disputes, and provides investor-comfort documentation for Series A due diligence. INPI Brazil's software registration process is straightforward — submit the source code (kept confidential), a description, and the applicable fees. The entire process typically completes within 60 days.

Second, execute IP assignment agreements with all Brazilian contractors. Under Lei 9.609, the default rule for contractor-created software is nuanced: Article 4 provides that economic rights belong to the contracting party when a formal service contract exists. But this default has limits — it applies to works created specifically in fulfillment of the contract, not to pre-existing IP or works created outside the contract's scope. An explicit IP assignment clause eliminates ambiguity and ensures the company's IP ownership position is defensible under LGPD data governance audits as well as investor due diligence.

Third, implement open source compliance automation. Brazil's strong copyright enforcement environment — backed by Lei 9.609's criminal sanctions and the specialized IP chambers in Brazilian courts — makes open source compliance a genuine legal obligation, not just best practice. A startup that uses AGPL v3-licensed components in a SaaS product without complying with the source disclosure requirements is in violation of Lei 9.610 as well as the AGPL v3 license terms. The Open Source Initiative's license catalog and the SPDX license list provide the reference frameworks for a compliance program. CI/CD integration via FOSSA or equivalent tools automates the ongoing monitoring that manual periodic audits cannot provide at scale.

Brazil's LGPD, enforced by the ANPD with fines up to 2% of gross revenue (maximum BRL 50 million per violation), adds a data protection dimension to IP compliance that AI and data-intensive startups cannot ignore. Training data consent, model ownership, and data processing agreements with contractors and cloud providers are all dimensions of an integrated Brazil IP and privacy compliance program. Our GitHub IP Audit Standard at $299 provides the open source compliance layer; our Full IP Due Diligence at $1,200 covers the complete program including LGPD-relevant contractor documentation and INPI registration strategy.