
Brazil’s Sovereignty on Alert: Amazon Deal May Expose Brazilian Secret Data and Raises Red Flags Among Experts on Legal and Geopolitical Risks

Written by Alisson Ficher
Published on 18/10/2025 at 23:54
Agreement between the Brazilian government and Amazon raises alarm over digital sovereignty and the risk of U.S. access to the country's secret data.

The possible agreement between the Institutional Security Cabinet of the Presidency (GSI) and Amazon Web Services (AWS) to host sensitive government data has reignited the debate about digital sovereignty and national security.

The negotiation came to light on October 16, according to a report published by The Intercept Brasil, which revealed talks between the parties and pointed out legal and geopolitical doubts associated with the use of infrastructure from a company based in the United States.

What Changed in the Government Cloud Rules

In the week prior to the report, the GSI published Normative Instruction No. 8/2025, which updates the guidelines for the handling of classified information in cloud computing environments.

The text allows data classified as restricted and secret to be processed in private or community clouds, provided they are in datacenters located in Brazil, operated by previously qualified and audited providers.

The use of public or hybrid clouds remains prohibited, and information classified as ultrasecret continues to be banned from cloud storage.

In parallel, there are restrictions on copies or backups outside the national territory.

The norm also establishes technical and organizational requirements, such as security certifications and access controls, for private suppliers to be accredited to serve public agencies.

According to the GSI, the measure aims to define security and governance standards for handling classified data in modern infrastructure, without relinquishing state control over protection requirements.

Why The Partnership With AWS Concerns Experts

The central concern is legal: as a company based in the United States, AWS is subject to laws such as the Cloud Act (2018), which allows American authorities to request data under the control of companies in the country, even when stored outside American territory.

There is also FISA, especially Section 702, which authorizes the targeted collection, for intelligence purposes, of communications of foreigners abroad with the compulsory cooperation of communication service providers in the U.S.

According to an investigation by The Intercept Brasil, these norms may put Brazil in a vulnerable situation because, even with servers located in national territory, American companies remain subject to court orders from the United States.

The newspaper also highlighted that the current geopolitical context and the rapprochement between major technology companies and U.S. President Donald Trump increase the risk of political interference regarding strategic data.

The concern is not theoretical.

At a hearing in the French Senate on June 10, 2025, Microsoft’s legal director in France admitted that the company “cannot guarantee absolute sovereignty over European data” in the face of possible demands from the U.S. government.

The statement was cited as evidence that American providers remain subject to extraterritorial orders, even if they operate local data centers.

In this scenario, experts consulted by the media believe that hosting the Brazilian state’s strategic information on the infrastructure of a U.S. big tech increases geopolitical risk.

Any orders based on the Cloud Act or FISA may affect sensitive data, despite contractual and technical barriers.

The Intercept Brasil also pointed out that the presence of a former CIA member in the AWS security leadership reinforces the warning about the strategic nature of the company.

What Amazon and GSI Say

AWS states that its customers, including governments, “maintain full control over their data” and that the company does not access, use, or move information without the owner’s permission.

The company also emphasizes multiple layers of security, isolation between customers, and tools for key management and encryption.

In public materials, AWS argues that the Cloud Act does not change its protection practices and that it has mechanisms to contest requests that conflict with laws from other jurisdictions.

The GSI, in turn, argues that the new instruction does not violate sovereignty, as it defines safeguards for the handling of restricted and secret data exclusively within Brazilian territory, under providers qualified and audited by the government.

The official position emphasizes that, in addition to prohibiting public and hybrid clouds, the norm maintains the ban on ultrasecret data in cloud environments, preserving full control over this type of information.

The conflict of laws is the knot.

The existence of data centers in Brazil operated by a qualified private company is a necessary but not sufficient condition to neutralize the application of American norms to corporations based in the U.S.

In various international forums, legal experts have pointed out that the tension between the Cloud Act and foreign privacy frameworks persists, despite contractual measures, encryption, and segmentation of environments.

Meanwhile, recent decisions and debates regarding FISA 702 keep the discussion about the scope of orders directed at American providers alive.

On the technical side, end-to-end encryption with key management by the client, identity controls, and workload segregation can reduce the operational risk of unauthorized access.

Still, experts point out that legal orders can compel the provider to act as a compliance point, depending on the design of the service, the keys, and the jurisdiction involved.

This is why European authorities and public agencies worldwide have been reviewing models of “sovereign cloud”, with reinforced requirements for residency, governance, and technological autonomy.

Who Is Sean Roche and Why Is He Cited

Another highlighted element in the debate is the profile of Sean Roche, AWS’s security and national security executive for the international public sector and former number two at the CIA’s Digital Innovation Directorate.

According to The Intercept Brasil, Roche’s tenure at the U.S. agency reinforces the connection between the company and the defense and intelligence structures of the United States.

For researchers and analysts, this makes the partnership particularly delicate for a country seeking to preserve its informational sovereignty.

And The National Data Protection Authority

The ANPD has expanded its regulatory and oversight activities since 2024, including guidelines for international data transfer and monitoring of security incidents.

Although the GSI’s norm addresses classified information — a matter of state security — any handling involving personal data remains subject to the LGPD and the sanctioning power of the Authority.

In principle, if there is a violation of data protection rules or irregular transfer, the ANPD can intervene.

So far, the entity has only stated that it did not participate in the preparation of the normative instruction that changed the storage rules, but that it may take action if it identifies irregularities.

What To Observe From Now On

The confirmation of the agreement, its contractual terms, and the technical protection model will be decisive in assessing the level of exposure.

Points such as who holds and operates the cryptographic keys, the degree of physical and logical segregation of the infrastructure, the mechanisms of government audit, and the conflict of laws clauses will indicate whether the promised controls are sufficient to withstand extraterritorial legal pressures.

The recent experience in Europe, where Microsoft itself acknowledged limits to the promise of “total sovereignty”, will serve as a thermometer for the Brazilian framework.

Ultimately, the discussion is not about choosing a specific supplier but about what architecture of power and law Brazil intends to adopt to protect sensitive state information in a cloud environment.

Given the progress of negotiations and the legal doubts raised, the question that remains is: is Brazil ready to trust its strategic data to a foreign company, even under new guarantees of digital sovereignty?


Alisson Ficher

A journalist who graduated in 2017 and has been active in the field since 2015, with six years of experience in print magazines, stints at free-to-air TV channels, and over 12,000 online publications. A specialist in politics, employment, economics, courses, and other topics, he is also the editor of the CPG portal. Professional registration: 0087134/SP. If you have any questions, wish to report an error, or suggest a story idea related to the topics covered on the website, please contact via email: alisson.hficher@outlook.com. We do not accept résumés!
