News & Developments

ViewView

COGNITIVE SOVEREIGNTY IN THE AGE OF ARTIFICIAL INTELLIGENCE: CONTROL OVER THE INFRASTRUCTURES OF KNOWLEDGE AS A NEW FACTOR OF POWER

ABSTRACT: This article proposes cognitive sovereignty as a legal, economic and geopolitical category indispensable to understanding the Age of Artificial Intelligence. Its central thesis is that artificial intelligence shifts digital sovereignty toward a cognitive sovereignty, because power no longer resides in the command of data, in physical infrastructure or in computing capacity alone, but in control over the infrastructures that produce intelligence. Starting from the transition from a data economy to an intelligence economy — anticipated by the notion of surveillance capitalism — the article examines the concentration of cognitive infrastructures (compute, semiconductors, cloud and foundation models), the regulatory paradox whereby legitimate governance rules may entrench incumbents, and the problem of auditability, transparency and what is here termed the right to comprehension. It then discusses the effects on democracy, markets and the State, proposing a normative agenda capable of reconciling innovation, competition and institutional autonomy. The text engages with the literature on the digital economy, regulation and theory of the State and is grounded in recent data on investment, market concentration and public trust in artificial intelligence. Keywords: Cognitive sovereignty. Artificial intelligence. Cognitive infrastructure. Surveillance capitalism. Concentration of power. Algorithmic governance. Auditability. Regulation. Competition. Right to comprehension. Contents: Introduction - 1 The Birth of the Digital Age and the Transformation of the Nature of Power - 2 From the Data Economy to the Intelligence Economy - 3 Surveillance Capitalism and the Cognitive Turn - 4 The Concentration of Cognitive Infrastructures - 5 Cognitive Sovereignty as a Legal Category - 6 The Regulatory Paradox - 7 Auditability, Transparency and the Right to Comprehension - 8 Democracy, Markets and the State - 9 Conclusion: Toward a Normative Agenda for Cognitive Sovereignty - References Introduction Every historical order has organized itself around a dominant factor of power. Land structured agrarian societies; machines and coal, the industrial economy; energy, finance and information, the geopolitics of the twentieth century. The twenty-first century introduces a rupture of a different nature: the decisive strategic asset is no longer information, but intelligence — understood as the capacity to produce inferences, syntheses and decisions at scale. Whoever commands the means of producing intelligence occupies today the position once held by those who controlled land, industry or financial capital. The thesis of this article can be stated in a single sentence: artificial intelligence shifts digital sovereignty toward a cognitive sovereignty, because real power comes to reside in control over the infrastructures that produce intelligence. This is not a metaphor, but a verifiable change in the material structure of the economy and, consequently, in the distribution of authority among States, corporations and institutions. The prevailing legal debate still revolves around data protection, privacy and the control of algorithms. These are legitimate and necessary agendas, yet insufficient, for they assume that the essential problem is the collection of information, when the decisive problem is already a different one: who holds the capacity to transform information into intelligence, according to which criteria and for whose benefit. Shifting the focus from collection to production is the first step toward understanding the economy now taking shape. To sustain this argument, the text proceeds through nine movements: the birth of the Digital Age and the mutation of power; the transition from the data economy to the intelligence economy; surveillance capitalism as the antechamber of that turn; the concentration of cognitive infrastructures; cognitive sovereignty as a legal category; the regulatory paradox; auditability and the right to comprehension; the effects on democracy, markets and the State; and, finally, a normative agenda. The guiding thread is the conviction that new legal categories become necessary when the old ones cease to describe the reality they purport to govern. 1 The Birth of the Digital Age and the Transformation of the Nature of Power Digitalization is usually narrated as a mere succession of technical innovations. That description is impoverished. What electricity did for industry and the railways did for the circulation of goods, digital infrastructure did for information: it turned information into a universal input and, in doing so, reorganized the architecture of power. Manuel Castells had already shown that the network society does not merely accelerate exchange but redefines where authority is located — in the nodes that concentrate connectivity and processing capacity. Conceived as a calculating machine, the computer became, with the internet, cloud computing and mobility, the substrate of nearly all economic activity. The philosophy of technology offers a deeper key to interpretation. For Heidegger, modern technology is not a set of tools but a mode of revealing the world that reduces everything to a standing reserve available for use — what he called Gestell, enframing. Jacques Ellul and Lewis Mumford warned, by different routes, that technical systems tend to impose their own logic upon the institutions meant to govern them, and Gilbert Simondon insisted that to understand technology is the condition for not being subjected to it. Digitalization is the contemporary form of this process: it organizes experience according to patterns that largely escape the control of those who live it. In the first decades of the digital economy, the center of gravity was data. Firms competed for the capacity to collect, store and correlate records of behavior; the user, in browsing, paid with his own conduct. It was this dynamic that Shoshana Zuboff described as surveillance capitalism and that Nick Srnicek analyzed under the heading of platform capitalism — business models whose raw material is human experience converted into data, and data converted into prediction. The singularity of the present moment lies in the fact that this raw material has at last found an industry capable of refining it into something of higher value: intelligence. 2 From the Data Economy to the Intelligence Economy For years it was repeated that data would be the new oil. The image had didactic merit and an analytical limit. Oil is a raw material and is worth something only once refined; data occupy an identical position, for in isolation they mean little and become decisive only when organized, interpreted and converted into actionable knowledge. The stage that performs this conversion — and that captures most of the value — is intelligence. The data economy thus gives way to an intelligence economy. The great foundation models are the infrastructure of this stage. They do not merely store: they relate knowledge dispersed across millions of documents, synthesize arguments, recognize patterns imperceptible to the human eye, formulate hypotheses and assist decisions. Daron Acemoglu and Simon Johnson recall, in the register of political economy, that the direction of technical progress is not neutral and depends on institutional choices about who appropriates the gains in productivity. Kai-Fu Lee, observing the Sino-American race, shows that competitive advantage has migrated from access to data toward the quality of the model and the scale of computation. The figures give the measure of the shift. According to the 2026 Stanford AI Index, private investment in artificial intelligence reached roughly US$ 285.9 billion in the United States in 2025, approximately twenty-three times China's US$ 12.4 billion, with California alone accounting for more than three quarters of the U.S. total — although private data understate the Chinese effort, channeled through state guidance funds. Diffusion was the fastest ever recorded: generative artificial intelligence reached more than half of the world's population within three years, a pace exceeding that of the personal computer and of the internet. Productivity no longer grows merely through the automation of physical tasks but through the expansion of the cognitive capacity of organizations, which confers upon intelligence the status of a factor of production of a new kind. 3 Surveillance Capitalism and the Cognitive Turn Understanding the intelligence economy requires revisiting its antechamber. Surveillance capitalism, in Zuboff's formulation, is not content to know preferences: it aspires to predict and, ultimately, to modulate conduct, extracting from human experience a surplus that feeds prediction markets. Julie Cohen showed how law itself was reshaped to accommodate this informational logic, and Frank Pasquale, in his analysis of the black-box society, denounced the opacity of systems that decide on credit, reputation and opportunity without accountability. The cognitive turn radicalizes the picture. Whereas the surveillance economy captured data in order to sell predictions, the intelligence economy internalizes the very act of producing knowledge. Yochai Benkler had celebrated the promise of a social production of knowledge, distributed and collaborative; Lawrence Lessig had warned that code is law — that is, that technical architecture regulates conduct with force comparable to that of legal norms. The synthesis of these diagnoses is uncomfortable: knowledge continues to be produced socially — through billions of texts, images, decisions and inquiries — but the intelligence built upon that common patrimony becomes private infrastructure. Luciano Floridi describes the infosphere as the environment we have come to inhabit; it remains to be seen who designs it and who administers it. 4 The Concentration of Cognitive Infrastructures Intelligence, as a factor of production, rests upon an extraordinarily concentrated material base. This base — which may be termed cognitive infrastructure — brings together computing capacity, advanced semiconductors, energy, cloud, training datasets and foundation models. In each of these layers, concentration is the rule, not the exception. At the level of semiconductors, Taiwan accounts for roughly 92% of the world's leading-edge logic capacity, and TSMC alone for approximately 70% of global foundry revenue and for nearly all of the chips that train and operate the large models. In computing, Nvidia's graphics processing units hold more than 60% of the market, and the United States is estimated to concentrate about three quarters of global GPU capacity. In the cloud, three providers — Amazon, Microsoft and Google — control approximately two thirds of the world market, with switching costs that lock in most corporate workloads. At the model layer, the United States produced fifty of the notable systems of 2025, and China thirty; more than ninety percent of those models came from private companies. The concentration is not accidental. It results from network effects and increasing returns to scale long studied by the economics of competition. Jean Tirole demonstrated how platform markets tend toward the dominance of a few; Lina Khan and Tim Wu argued that the classical antitrust categories, centered on consumer price, capture poorly the power of the digital giants; Luigi Zingales warned of the capture of the political process itself by incumbents. The cycle is cumulative: more users generate more data and more revenue; more revenue finances more computation and better models; better models attract more users. Schumpeter saw in creative destruction the engine of capitalist renewal; the intelligence economy risks producing its opposite — a destruction that, instead of opening space for new entrants, seals acquired positions. Hence the leap from economic concentration to cognitive concentration, and from the latter to geopolitics. Joseph Nye taught that power is also exercised through attraction and through control of infrastructures; Henry Kissinger and Graham Allison foresaw artificial intelligence as an axis of competition among great powers; Ian Bremmer described the rise of technology companies to the condition of actors of quasi-sovereign stature. International rivalry ceases to turn solely on territory, energy and industry and comes to encompass research centers, supercomputers, semiconductors and the talent capable of designing them — talent whose mobility, the same Stanford AI Index records, has itself become a strategic variable, with a sharp decline in the pull of any single pole for researchers. 5 Cognitive Sovereignty as a Legal Category Sovereignty has always been redefined in step with the material transformations of power. In Bodin, it was supreme power over a territory; in Carl Schmitt, the competence to decide on the exception. Globalization added adjectives to it — economic, monetary, energy, food sovereignty — and the digital economy, more recently, spoke of digital sovereignty and data sovereignty. Artificial intelligence imposes a further shift: the object of sovereignty ceases to be technological infrastructure in general and becomes, specifically, the infrastructure that produces intelligence. By cognitive sovereignty is meant the capacity of individuals, organizations and States to preserve autonomy over the mechanisms of production, use, auditing and evolution of artificial intelligence. The definition is deliberately institutional, not autarkic. It does not postulate self-sufficiency — no State produces on its own all the technology it needs — nor does it reject international cooperation, on which innovation itself has always depended. What it asserts is the need to retain autonomy sufficient to prevent a permanent structural dependence. The distinction is legal before it is technical. A society may use foreign technology and still remain sovereign, provided it retains the capacity to understand, audit, adapt and, if necessary, replace the systems on which it depends. It loses cognitive sovereignty when that capacity is extinguished and decision-making — in health, justice, defense, finance or public administration — comes to rest upon infrastructures whose governance is inaccessible to it. Technological dependence then becomes decisional dependence, and the question migrates from the field of industrial policy to that of public law. Artificial intelligence is today a transversal infrastructure, for it cuts across education, industry, finance, defense, justice and science at once. Hannah Arendt defined power as the human faculty to act in concert, and its corruption as the substitution of plural action by imposition. When the capacity to decide is concentrated in a few centers that design the intelligence of all, the risk is not only economic: it is the erosion of the plurality that sustains public life. From this angle, cognitive sovereignty is a condition of institutional freedom, not a banner of closure. 6 The Regulatory Paradox No technology of comparable impact dispenses with regulation. The risks of artificial intelligence — algorithmic discrimination, disinformation, manipulation, bias, surveillance — justify robust legal frameworks. Yet a paradox persists, one well known to economic theory and confirmed by the history of regulation: rules conceived to protect society may, without that being the intention, entrench the very actors they purport to discipline. The mechanism is the economics of compliance. The more sophisticated the requirements of auditing, certification, documentation, compliance and cybersecurity, the higher the fixed costs of entry. Established firms absorb them; startups, universities and independent laboratories do not. George Stigler described, more than fifty years ago, the capture of the regulator by the regulated; artificial intelligence offers a contemporary illustration of it. The effect tends to be the raising of entry barriers and the reinforcement of incumbents — a concentration that, bearing on the production of intelligence, is also cognitive concentration. The normative landscape aggravates the problem through fragmentation. The European Union adopted, in the AI Act — in force since August 2024 and applied progressively in the following years — a risk-based approach; the Council of Europe opened for signature, in September 2024, the Framework Convention on Artificial Intelligence, the first legally binding international treaty on the matter, whose first anniversary was marked at a conference hosted by the Complutense University of Madrid. In the opposite direction, the United States revoked, in January 2025, the executive order that structured the federal governance of AI, replacing it with deregulatory guidelines oriented toward technological leadership. The Stanford AI Index records that, among the forty-seven countries with AI legislation in force, only twelve possess effective enforcement mechanisms, and that compliance costs vary by as much as eightfold across jurisdictions. The picture is one of discoordination, not convergence. To this is added public distrust. Still according to the same survey, only 31% of U.S. citizens trust their own government to regulate artificial intelligence, against a global average of 54%, and the gulf between experts and the public regarding the effects on employment is abyssal. Regulation without legitimacy and without enforcement capacity does not reduce risk: it merely redistributes advantage. The challenge lies not in choosing between regulating and innovating, but in designing a proportionate regulation that contains harm without turning compliance into a competitive moat. 7 Auditability, Transparency and the Right to Comprehension If concentration is the structural problem, opacity is its aggravating factor. Foundation models operate as architectures of extreme complexity, and the recent tendency is toward less, not greater, transparency: of the ninety-five significant models released in 2025, eighty were made available without their training code. Cathy O'Neil showed how opaque models can institutionalize discrimination under the appearance of objectivity; Frank Pasquale insisted that the black box is incompatible with the accountability required of those who exercise power. From this emerges what may be called the right to comprehension — a category that I had the opportunity to introduce and systematize in Brazilian legal scholarship in a study devoted specifically to the subject, published in the Revista dos Tribunais (vol. 1077, 2025). I argued, in that work, that the right to comprehension constitutes an evolution of the constitutional principles of publicity, transparency and the duty to give reasons: the decisions of public authorities must not only be public and transparent, for they must be comprehensible, rational and coherent — no one comprehends an arbitrary act. More than that, the right to comprehension is there built upon an infrastructure of structured legal databases, statistics and auditable artificial intelligence, capable of rendering public justification traceable, comparable and verifiable. In comparative terms, Sandra Wachter and Brent Mittelstadt discussed the scope and limits of a right to explanation in the face of automated decisions; Daniel Solove reconstructed privacy as a question of informational power, and not of mere secrecy; Cass Sunstein examined how choice architectures shape conduct without the subject perceiving it. The right to comprehension does not require that every citizen master the mathematics of the models; it requires that there be institutions — public and independent — capable of auditing them on behalf of all. The technical-normative framework for this is already beginning to take shape. The NIST AI Risk Management Framework of 2023 offers a grammar of risk management; the ISO/IEC 42001 and 23894 standards govern AI management and risk-treatment systems, alongside the information-security tradition of ISO/IEC 27001 and 27701; the UNESCO Recommendation on the Ethics of Artificial Intelligence of 2021 and the OECD Principles consolidate global parameters of trustworthy AI. What is lacking is not vocabulary, but the institutionalization of auditability as a condition of validity, rather than a mere recommendation. 8 Democracy, Markets and the State The consequences of cognitive concentration extend beyond the economy. For centuries, knowledge was produced in a relatively distributed manner: universities published, books circulated, patents expired, discoveries entered the common patrimony. Artificial intelligence keeps the production of knowledge collective but privatizes the intelligence extracted from it. Bernard Stiegler and Byung-Chul Han, in distinct keys, warned of the risk of a proletarianization of the mind — the loss, by the individual, of his very capacity to know and to decide — when cognition is delegated to systems he does not control. Constitutional democracy learned to distrust concentrations of power. It limited political power through the separation of functions and disciplined economic power through competition law. Artificial intelligence introduces a third dimension — cognitive power — which does not replace the former two but amplifies them. Whoever controls intelligence enlarges economic influence; economic influence converts into political capacity; political capacity favors technological expansion. The circle, if not institutionally interrupted, tends to close. The State, too, is transformed. Historically, it fell to the State to produce the norm; to the market, wealth; to the university, knowledge. These frontiers blur when private firms develop scientific capacities comparable to those of the foremost academic centers, supply models to governments and take part in defining the very standards meant to discipline them. Anne-Marie Slaughter described a world of networks that cut across the divide between public and private; the challenge is to ensure that such networks remain subject to democratic scrutiny. None of this warrants pessimism. Artificial intelligence is, in all likelihood, the greatest lever of productivity and of scientific progress of our era: it accelerates discovery, broadens access to knowledge, refines diagnoses and improves public administration. History shows that transformative technologies generate more consistent development when accompanied by institutions equal to them. The problem is not the technology, but the absence of institutions capable of distributing its benefits. 9 Conclusion: Toward a Normative Agenda for Cognitive Sovereignty Cognitive sovereignty is neither nationalist nostalgia nor a rejection of international cooperation. It is the recognition that, when intelligence becomes essential infrastructure, preserving autonomy over the mechanisms that produce it ceases to be a technological strategy and becomes a condition of the very autonomy of democracies, of markets and of the rule of law. A normative agenda equal to the problem may be organized around a few axes, without any claim to exhaust them. The first is a proportionate regulation that modulates requirements according to risk and materiality, containing harm without erecting barriers that only incumbents can surmount. The second is the institutionalization of auditability, with public and independent bodies endowed with the technical competence to inspect high-impact models, after the manner in which the law has already done with financial auditing and supervision. The third is the guarantee of interoperability and technological pluralism, as competition law did, in other eras, with telecommunications networks. The fourth is sustained public investment in computing capacity, the training of researchers and open research, without which autonomy is no more than rhetoric. The fifth is international cooperation grounded in rights — of which the Council of Europe's Framework Convention is the first binding example — capable of averting both the regulatory vacuum and the race to the bottom. The thread that unites these axes is the refusal of a false alternative. It is not a matter of choosing between innovation and control, between market and State, between openness and sovereignty, but of building the institutions that render these values compatible. Artificial intelligence has shifted the center of power toward control over the infrastructures that produce intelligence; it falls to the law to ensure that this power remains distributed, auditable and accountable. Cognitive sovereignty is the name of that task — and, perhaps, one of the categories indispensable if the Age of Artificial Intelligence is to remain compatible with democratic constitutionalism, the market economy and human freedom. References Scholarship ACEMOGLU, Daron; JOHNSON, Simon. Power and Progress: Our Thousand-Year Struggle over Technology and Prosperity. New York: PublicAffairs, 2023. ALLISON, Graham. Destined for War: Can America and China Escape Thucydides's Trap? Boston: Houghton Mifflin Harcourt, 2017. ARENDT, Hannah. The Human Condition. Chicago: University of Chicago Press, 1958. BENKLER, Yochai. The Wealth of Networks: How Social Production Transforms Markets and Freedom. New Haven: Yale University Press, 2006. BODIN, Jean. The Six Books of the Commonwealth [Les Six Livres de la République, 1576]. BREMMER, Ian. The Technopolar Moment. Foreign Affairs, vol. 100, no. 6, 2021. CASTELLS, Manuel. The Rise of the Network Society (The Information Age, vol. I). Oxford: Blackwell, 1996. COHEN, Julie E. Between Truth and Power: The Legal Constructions of Informational Capitalism. Oxford: Oxford University Press, 2019. ELLUL, Jacques. The Technological Society. New York: Alfred A. Knopf, 1964. FLORIDI, Luciano. The Fourth Revolution: How the Infosphere is Reshaping Human Reality. Oxford: Oxford University Press, 2014. HAN, Byung-Chul. Psychopolitics: Neoliberalism and New Technologies of Power. London: Verso, 2017. HEIDEGGER, Martin. The Question Concerning Technology. In: The Question Concerning Technology and Other Essays. New York: Harper & Row, 1977. KHAN, Lina M. Amazon's Antitrust Paradox. The Yale Law Journal, vol. 126, no. 3, 2017. KISSINGER, Henry; SCHMIDT, Eric; HUTTENLOCHER, Daniel. The Age of AI: And Our Human Future. New York: Little, Brown, 2021. LEE, Kai-Fu. AI Superpowers: China, Silicon Valley, and the New World Order. Boston: Houghton Mifflin Harcourt, 2018. LESSIG, Lawrence. Code: Version 2.0. New York: Basic Books, 2006. MUMFORD, Lewis. Technics and Civilization. New York: Harcourt, Brace & Co., 1934. NYE, Joseph S. The Future of Power. New York: PublicAffairs, 2011. O'NEIL, Cathy. Weapons of Math Destruction: How Big Data Increases Inequality and Threatens Democracy. New York: Crown, 2016. OSÓRIO, Fábio Medina. The Right to Comprehension in the Age of Technological Complexity: Constitutional, Statistical, and Algorithmic Foundations of Decision-Making Transparency. Revista dos Tribunais, São Paulo, vol. 1077, 2025. PASQUALE, Frank. The Black Box Society: The Secret Algorithms That Control Money and Information. Cambridge: Harvard University Press, 2015. SCHMITT, Carl. Political Theology: Four Chapters on the Concept of Sovereignty [1922]. Chicago: University of Chicago Press, 2005. SCHUMPETER, Joseph A. Capitalism, Socialism and Democracy. New York: Harper & Brothers, 1942. SIMONDON, Gilbert. On the Mode of Existence of Technical Objects [1958]. Minneapolis: Univocal Publishing, 2017. SLAUGHTER, Anne-Marie. A New World Order. Princeton: Princeton University Press, 2004. SOLOVE, Daniel J. Understanding Privacy. Cambridge: Harvard University Press, 2008. SRNICEK, Nick. Platform Capitalism. Cambridge: Polity Press, 2017. STIEGLER, Bernard. Technics and Time, 1: The Fault of Epimetheus [1994]. Stanford: Stanford University Press, 1998. STIGLER, George J. The Theory of Economic Regulation. The Bell Journal of Economics and Management Science, vol. 2, no. 1, 1971. SUNSTEIN, Cass R.; THALER, Richard H. Nudge: Improving Decisions about Health, Wealth, and Happiness. New Haven: Yale University Press, 2008. TIROLE, Jean. Economics for the Common Good. Princeton: Princeton University Press, 2017. WACHTER, Sandra; MITTELSTADT, Brent; FLORIDI, Luciano. Why a Right to Explanation of Automated Decision-Making Does Not Exist in the GDPR. International Data Privacy Law, vol. 7, no. 2, 2017. WU, Tim. The Curse of Bigness: Antitrust in the New Gilded Age. New York: Columbia Global Reports, 2018. ZINGALES, Luigi. A Capitalism for the People: Recapturing the Lost Genius of American Prosperity. New York: Basic Books, 2012. ZUBOFF, Shoshana. The Age of Surveillance Capitalism: The Fight for a Human Future at the New Frontier of Power. New York: PublicAffairs, 2019. Legal instruments and international documents BRAZIL. Law No. 13,709 of 14 August 2018 (General Personal Data Protection Law — LGPD). COUNCIL OF EUROPE. Framework Convention on Artificial Intelligence and Human Rights, Democracy and the Rule of Law (CETS No. 225). Vilnius, 2024. ISO/IEC 42001:2023 — Artificial Intelligence Management System; ISO/IEC 23894:2023 — AI Risk Management; ISO/IEC 27001 and 27701 — Information security and privacy. NIST. Artificial Intelligence Risk Management Framework (AI RMF 1.0). U.S. Department of Commerce, 2023. OECD. Recommendation of the Council on Artificial Intelligence (OECD AI Principles). Paris, 2019 (updated 2024). UNESCO. Recommendation on the Ethics of Artificial Intelligence. Paris, 2021. EUROPEAN UNION. Regulation (EU) 2024/1689 (Artificial Intelligence Act); Regulation (EU) 2016/679 (GDPR). UNITED STATES. Executive Order 14110 (2023, revoked in 2025); Executive Order 14179 — Removing Barriers to American Leadership in Artificial Intelligence (2025). Reports and empirical sources STANFORD HAI. Artificial Intelligence Index Report 2025 and 2026. Stanford Institute for Human-Centered Artificial Intelligence. OECD.AI Policy Observatory — indicators of AI policy and investment. SYNERGY RESEARCH GROUP; CANALYS. Cloud infrastructure market data, 2025–2026. TRENDFORCE; TSMC. Market-share reports and foundry results, 2025. PEW RESEARCH CENTER; EDELMAN TRUST BAROMETER. Surveys on public trust in and perception of artificial intelligence.
Medina Osorio Advogados - June 30 2026
Tax

TAXATION OF PROFITS AND DIVIDENDS AND THE SPECIAL LEGAL REGIME OF LAW FIRMS: CONSTITUTIONAL INTERPRETATION OF LAW NO. 15.270/2025

This article analyzes the applicability of Law No. 15.270/2025 — which introduced a new taxation system on profits and dividends distributed to individuals — to law firms established under the Brazilian Bar Association Statute (Law No. 8.906/94). Based on a systematic and teleological hermeneutics, the article argues that the new tax discipline cannot be automatically and unreservedly applied to law firms, given their special legal nature, the constitutional framework of legal practice as an essential function of Justice (art. 133 of the Brazilian Constitution), and the implicit functional institutional immunity derived therefrom. The conclusion advocates for a constitutional interpretation that excludes such entities from the subjective scope of the contested provision. Keywords: Dividend taxation. Law No. 15.270/2025. Law firms. Essential function of Justice. Constitutional interpretation. Implicit institutional immunity. Tax typicality. TABLE OF CONTENTS 1 Introduction. 2 Legal practice as an essential function of Justice (art. 133 of the Federal Constitution). 3 The legal nature of law firms. 4 Systematic and teleological interpretation of Law No. 15.270/2025. 5 Constitutional interpretation. 6 Prohibition against expansive interpretation in tax and sanctioning matters. 7 The organizational autonomy of the legal profession. 8 The implicit functional institutional immunity derived from art. 133 of the Federal Constitution. 9 The materially sanctioning legal nature of the mandatory withholding. 10 Potential violation of the ability-to-pay principle and competitive neutrality. 11 Favorable treatment for micro and small enterprises — autonomous subsidiary argument. 12 The ruling in ADI 7.917 (preliminary injunction) and its implications for the constitutional interpretation of Law No. 15.270/2025. 13 Strategies for constitutional review. 14 Conclusion. References.   1 INTRODUCTION The enactment of Law No. 15.270/2025 introduces a new taxation regime on profits and dividends distributed to individuals, establishing a mandatory 10% (ten percent) withholding tax at source on amounts exceeding BRL 50,000.00 (fifty thousand Brazilian reais) per month per beneficiary, in addition to a minimum annual income tax mechanism applicable to high-income earners. This article examines, objectively, whether such regulatory framework may be automatically and unreservedly applied to law firms duly organized under arts. 15 et seq. of Law No. 8.906/94 (the Brazilian Lawyers' Statute and the Brazilian Bar Association Act), or whether it must be subject to constitutional interpretation so as to exclude such entities from its subjective scope of application. The matter is far from trivial. It stands at the intersection of tax law, constitutional law, and the theory of institutional guarantees, calling upon the interpreter to engage in systematic and teleological hermeneutics fully committed to the maximum effectiveness of constitutional values. 2 LEGAL PRACTICE AS AN ESSENTIAL FUNCTION OF JUSTICE (ART. 133 OF THE FEDERAL CONSTITUTION) Art. 133 of the Federal Constitution provides that the attorney is indispensable to the administration of justice and is inviolable for his acts and statements in the exercise of the profession, within the limits of the law. The Brazilian Constitution does not treat legal practice as an ordinary economic activity. Rather, it qualifies it as an essential function of Justice, an integral part of the constitutional system of guarantees inherent to the Democratic Rule of Law. Legal practice does not constitute a mere regulated profession. It is embedded in the system of checks and balances of the Democratic Rule of Law, serving as the structural prerequisite for effective adversarial proceedings, equality of arms, and jurisdictional effectiveness. It represents, in sum, a structural institutional guarantee — and not a mere corporate prerogative —, which elevates the debate from the realm of ordinary tax law to the domain of structural constitutional law. 2.1 ADI 1.127/DF In the judgment of ADI 1.127/DF, the Brazilian Supreme Court (Supremo Tribunal Federal — STF) upheld the constitutionality of attorneys' prerogatives, affirming the institutional centrality of the legal profession to the effectiveness of judicial proceedings. The ruling, authored by Justice Marco Aurélio, expressly states: "The attorney is indispensable to the administration of Justice. [...] Professional immunity is indispensable so that the attorney may properly and fully exercise his public function. [...] The constitutional function exercised by the attorney justifies the guarantee of arrest only in flagrante delicto and in the case of non-bailable offenses." (STF — ADI 1.127/DF, Reporting Justice Marco Aurélio, Full Court, decided 17.05.2006) The ruling established, with unequivocal clarity, that professional immunity constitutes an inalienable prerequisite for the proper and full exercise of the public function that the constitutional order assigns to the attorney. The Court further recognized that this constitutional function justifies the extension of differentiated guarantees that are ontologically incompatible with the legal treatment afforded to the exercise of ordinary economic activities. These foundations apply directly to law firms — organizational instruments of that same constitutional function — which cannot be subjected, through expansive interpretation, to the same tax regime applicable to ordinary business structures. 2.2 ADI 3.026/DF In the judgment of ADI 3.026/DF, authored by Justice Eros Grau, the Supreme Court reaffirmed the institutional singularity of the Brazilian Bar Association (Ordem dos Advogados do Brasil — OAB). The ruling's headnote is categorical: "The OAB is not an entity of the Indirect Public Administration of the Union. The Bar is an independent public service, a unique category among the legal persons existing in Brazilian law. [...] Since it does not constitute an entity of the Indirect Public Administration, the OAB is not subject to the Administration's control, nor is it tied to any of its branches. This non-affiliation is formally and materially necessary." (STF — ADI 3.026/DF, Reporting Justice Eros Grau, Full Court, decided 08.06.2006) Justice Cezar Peluso, in his concurring opinion, added that the public character attributed to the Bar's service has an eminently protective purpose aimed at securing its institutional independence: "The public character of the service is recognized [...] less as a need to subject it to rules specific to the Public Administration [...] than as the fact that it cannot be subject to any interference in the performance of its functions, which bear the hallmark of independence." (Concurring Opinion of Justice Cezar Peluso — ADI 3.026/DF) This understanding prevents, as a matter of logical and legal consequence, the extension of prerogatives or regulatory impositions to law firms by mere analogy or expansive interpretation. If the OAB — and, by extension, the law firms that depend on it to exist and operate — cannot be equated with ordinary public administration entities for organizational regulation purposes, it equally cannot be so equated for tax purposes without an express and unequivocal statutory provision to that effect. The consolidated jurisprudence of the Supreme Court demonstrates, in sum, that legal practice occupies a differentiated normative position within the Brazilian legal order, a position that is binding upon both the interpreter and the enforcer of the law.   3 THE LEGAL NATURE OF LAW FIRMS Law firms are not ordinary business corporations. They are governed by special legislation — Law No. 8.906/94 — which restricts their scope exclusively to the provision of legal services, prohibits the commercialization of legal activity, establishes a specific liability regime, requires exclusive registration with the Brazilian Bar Association, and prohibits the adoption of typical corporate forms. A law firm constitutes an organizational instrument of the essential function of Justice. It is not a business structure oriented toward profit in the commercial sense, but a professional organization aimed at providing a constitutionally qualified activity. This distinction is legally essential and cannot be disregarded by the interpreter, on pain of subverting the constitutional model of legal practice and hollowing out the guarantees inherent to it.   4 SYSTEMATIC AND TELEOLOGICAL INTERPRETATION OF LAW NO. 15.270/2025 Law No. 15.270/2025 is part of a tax reform aimed at taxing dividends in business structures, combating abusive tax planning, and aligning the domestic legal order with international standards for income taxation. The teleological purpose of the statute is to reach business structures that have historically distributed profits under the tax exemption regime in effect since 1996 — and not to cover professional entities organized under a special legal regime whose nature is radically different from what motivated the reform. Not a single provision of Law No. 15.270/2025 makes express reference to law firms. In tax matters, the principle of strict legality applies, as set forth in art. 150, I, of the Federal Constitution. Normative interpretation cannot, therefore, expand the subjective scope of the statute to encompass entities not explicitly included by the legislature, on pain of direct violation of the constitutional text and the very foundations of the Rule of Law in fiscal matters.   5 CONSTITUTIONAL INTERPRETATION The technique of constitutional interpretation, enshrined in the Supreme Court's jurisprudence, requires that, when faced with multiple possible interpretations of an infra-constitutional provision, the one that renders it compatible with the constitutional text be adopted, preserving the norm within the legal order without violating the values and principles enshrined in the Constitution. Applying this technique to the present case, it becomes clear that Law No. 15.270/2025 admits two possible readings: one of a restrictive nature, according to which the statute is directed exclusively at ordinary business corporations; and another of an expansive nature, which would reach professional organizations endowed with a special legal regime, such as law firms. The expansive interpretation, however, generates a direct collision with art. 133 of the Federal Constitution, with the special legal regime governing legal practice, and with the institutional autonomy that characterizes the profession. In the face of this normative conflict, the restrictive interpretation is inexorably required — one that preserves the integrity of the constitutional model of legal practice and rules out the application of the new discipline to law firms.   6 PROHIBITION AGAINST EXPANSIVE INTERPRETATION IN TAX AND SANCTIONING MATTERS The Supreme Court has consolidated jurisprudence to the effect that tax rules do not admit extensive interpretation to expand taxable events not provided for by statute, and that, in sanctioning matters, the principle of strict typicality demands interpretation rigorously confined to the normative text. The mandatory withholding established by Law No. 15.270/2025 has a hybrid nature, being simultaneously a tax measure and potentially a sanctioning one, given the serious administrative consequences arising from its non-compliance. This prohibition has express statutory support in arts. 108, §1°, and 111 of the Brazilian Tax Code (Código Tributário Nacional — CTN), which prohibit the use of analogy to impose taxes not provided for by statute and require the literal interpretation of rules governing taxpayer liability. The classical doctrine of Brazilian tax law is consistent on this point. Paulo de Barros Carvalho[1], when addressing closed typicality, notes that the tax incidence hypothesis does not admit subjective expansion through hermeneutics; Geraldo Ataliba[2], in developing the theory of the tax incidence hypothesis, reinforces that the legislature exhaustively defines the criteria for identifying the taxpayer; and Roque Carrazza[3] argues that the principle of legality, in its tax dimension, requires specificity and completeness of the incidence rule, prohibiting extensive integration. Extensive or analogical interpretation to reach entities not expressly provided for in the statute is therefore inadmissible. The Brazilian Federal Revenue Service (Receita Federal do Brasil) cannot, through infra-statutory normative guidance or administrative interpretation, equate law firms with ordinary business corporations, on pain of violating tax legality, legal certainty, and the institutional autonomy of the legal profession — all values of constitutional standing.   7 THE ORGANIZATIONAL AUTONOMY OF THE LEGAL PROFESSION The compensation structure of law firms is an integral part of the organizational core of the profession, the constitutionally guaranteed professional freedom, and the institutional model of legal practice as outlined by the Federal Constitution of 1988. The automatic and unrestricted application of the new tax discipline may interfere with the internal organization of law firms, undermine the formation of technical reserves indispensable to the continuity of legal services, and affect the institutional sustainability of the legal profession as a whole. The Constitution does not authorize an interpretation that indirectly weakens a function that it itself has qualified as essential to Justice, even when the invoked normative instrument is of a tax nature. Constitutional teleology demands that the interpreter exercise maximum caution in the face of rules that may, directly or indirectly, compromise the full exercise of legal practice.   8 THE IMPLICIT FUNCTIONAL INSTITUTIONAL IMMUNITY DERIVED FROM ART. 133 OF THE FEDERAL CONSTITUTION Art. 133 of the Federal Constitution, by qualifying legal practice as an essential function of Justice, establishes not merely a corporate prerogative but a genuine institutional statute guaranteeing judicial proceedings. From this constitutional framework, it is necessary to recognize the existence of an implicit functional institutional immunity, which prevents the State from, through indirect taxation, structurally weakening legal activity as a pillar of the justice system. The recognition of implied immunities is not novel in the Supreme Court's jurisprudence. In the judgment of RE 601.720, the Court recognized that reciprocal immunity, although not exhaustively provided for all its incidence hypotheses, derives structurally from the federative principle — demonstrating that the Constitution can generate implicit protections from its structural values. The same reasoning applies, with even greater normative force, to legal practice: if art. 133 erects the advocacy function as an indissociable prerequisite of jurisdictional effectiveness, it would be logically contradictory to admit that the State could, through taxation, disorganize the structures through which that function is exercised. This thesis finds support in the constitutional doctrine of Konrad Hesse[4], for whom the principle of maximum effectiveness requires that constitutional norms be given the greatest possible normative force, and in the theory of institutional guarantees, according to which the legislature cannot, under the pretext of ordinary regulation, hollow out the essential core of constitutionally qualified institutions. In the elaboration of J.J. Gomes Canotilho[5], the institutional guarantee operates as a negative limit on the legislature, preventing infra-constitutional discipline from dissolving the substance of the institution protected by the Constitution. Legal practice, under art. 133, is one of these institutions — and its organizational substance must be preserved against any normative framework that, directly or indirectly, threatens it.   9 THE MATERIALLY SANCTIONING LEGAL NATURE OF THE MANDATORY WITHHOLDING The mandatory withholding obligation at source established by Law No. 15.270/2025 does not have an exclusively tax nature. From a material and functional perspective, it bears an autonomous sanctioning dimension, insofar as its non-compliance triggers automatic penalties of considerable severity, imposes onerous procedural obligations on law firms, and directly interferes with internal governance structures — such as the preparation of interim balance sheets, partners' meetings, and legally mandated profit allocation procedures within excessively tight deadlines. Given this hybrid nature, the following constitutional guarantees apply cumulatively to the normative provision: substantive due process of law (art. 5°, LIV, of the Federal Constitution), the principle of proportionality, strict legality in sanctioning matters, and the prohibition of analogy in malam partem, the latter recognized by the Supreme Court in HC 97.256. The Superior Court of Justice's jurisprudence is firm in holding that tax sanctions cannot assume a confiscatory character (REsp 1.325.709), and the Supreme Court, in RE 833.106, reaffirmed the requirements of due process of law in the domain of administrative sanctions. These premises reinforce, in the domain of sanctioning legal theory, the prohibition against expansive interpretation reaching law firms, since expanding the passive pole of the withholding obligation without express statutory provision constitutes a direct violation of the principle of strict typicality and the constitutional regime of due process of law.   10 POTENTIAL VIOLATION OF THE ABILITY-TO-PAY PRINCIPLE AND COMPETITIVE NEUTRALITY The indiscriminate application of the new tax discipline to law firms also raises a fundamental issue tied to the ability-to-pay principle (art. 145, §1°, of the Federal Constitution). The distribution of results in law firms is not structurally identical to the distribution of dividends in business corporations. Law firms do not operate under a purely commercial logic: the amounts distributed to partners correspond, to a large extent, to remuneration for the personal and non-transferable exercise of legal activity — activity that, by express statutory prohibition, cannot be organized in a corporate manner or transferred to third parties. Equating such distributions with corporate dividends for purposes of withholding at source implies disregarding the underlying economic reality of the professional organization of legal practice, in violation of the ability-to-pay principle in its material dimension. There is, moreover, a concrete risk of a breach of competitive neutrality. The application of the new discipline to law firms — but not necessarily to other forms of organization for the provision of legal services or to hybrid business structures — may generate an unjustifiable systemic asymmetry, placing law firms at a structural disadvantage relative to other forms of organization of legal activity. Such a distortion, in addition to being economically irrational, is constitutionally censurable from the perspective of tax equality (art. 150, II, of the Federal Constitution).   11 FAVORABLE TREATMENT FOR MICRO AND SMALL ENTERPRISES — AUTONOMOUS SUBSIDIARY ARGUMENT The Supreme Court recognizes that the favorable treatment for micro and small enterprises, established in arts. 170, IX, and 179 of the Federal Constitution and specified in Complementary Law No. 123/2006, carries binding normative density. It does not constitute a mere option granted to the ordinary legislature but a true constitutional mandate of mandatory compliance (ADI 4.033). This understanding was reiterated in ADI 1.643 and speaks directly to the situation of law firms enrolled in the Simples Nacional simplified tax regime. Even if one were to argue — which is entirely rejected here — the general validity of applying Law No. 15.270/2025 to law firms, it would be necessary to recognize, as an autonomous subsidiary argument, the impossibility of its application to those enrolled in the Simples Nacional regime. This differentiated tax regime constitutes public policy of constitutional standing, the circumvention of which by ordinary legislation entails direct violation of art. 179 of the Federal Constitution. The application of the new discipline to such firms, without any transitional rules or adjustments to the simplified regime, imposes a disproportionate procedural burden on recognized simplified organizational structures, in manifest violation of the principle of reasonableness and the constitutionally mandated differential treatment they are owed.   12 THE RULING IN ADI 7.917 (PRELIMINARY INJUNCTION) AND ITS IMPLICATIONS FOR THE CONSTITUTIONAL INTERPRETATION OF LAW NO. 15.270/2025 The recent ruling issued by Justice Nunes Marques in the preliminary injunction proceedings of ADI 7.917, filed by the Federal Council of the Brazilian Bar Association, carries central hermeneutic relevance for the proper interpretation of Law No. 15.270/2025. Although the specific preliminary relief requested by the CFOAB was denied at that procedural stage, the ruling contains reasoning that significantly reinforces the need for a systematic and constitutionally oriented interpretation of the contested statute — particularly with respect to micro and small enterprises and, most notably, law firms enrolled in the Simples Nacional regime. 12.1 The express recognition of constitutional limits on the power to tax The Reporting Justice begins his reasoning by reaffirming that the principles of legal certainty, legitimate expectations, non-surprise, legality, and reasonableness constitute genuine postulates limiting the State's power to tax and, consequently, protecting taxpayers. This recognition reiterates the Supreme Court's consolidated jurisprudence, according to which the taxing power is not absolute and must be exercised in strict accordance with legal certainty (art. 1° of the Federal Constitution), substantive due process (art. 5°, LIV), ability to pay (art. 145, §1°), and favorable treatment for micro and small enterprises (arts. 170, IX, and 179 of the Federal Constitution). These constitutional vectors are fully applicable to the analysis of the new discipline's incidence on law firms, whose special legal regime must be preserved against any attempt at equating them with ordinary business corporations. 12.2 The recognition of the special vulnerability of small structures The ruling is particularly incisive in examining the impact of the new system on micro and small enterprises. The Reporting Justice expressly notes: "The imposition of such a tight deadline may affect small enterprises and those enrolled in the SIMPLES Nacional regime in an even more onerous manner. Such taxpayers, who are so important from a social and economic standpoint for the country, are characterized by simplified business structures, rarely possessing teams dedicated exclusively to legal and accounting matters. Thus, the requirement to comply with various internal measures, interim and final balance sheets, partners' meetings, and legally mandated deliberative procedures within such a short timeframe proves incompatible with the operational reality of such taxpayers, imposing a disproportionate procedural burden." (ADI 7.917 MC/DF, Justice Nunes Marques, decided 26.12.2025) The Supreme Court authoritatively reaffirms that favorable treatment for small enterprises does not constitute a mere option granted to the ordinary legislature but a genuine constitutional mandate of mandatory compliance, expressly invoking the precedents established in ADIs 4.033 and 1.643. This understanding speaks directly to the situation of law firms enrolled in the Simples Nacional regime, which have simplified organizational structures and perform, above all, a constitutionally qualified function under art. 133 of the Federal Constitution. 12.3 The hermeneutic opening left by the denial of preliminary relief The denial of the preliminary injunction in ADI 7.917 does not represent a final ruling on the constitutionality of Law No. 15.270/2025. The Reporting Justice himself notes that "the remaining merits issues raised in the direct actions, particularly regarding the legitimacy of the taxation inserted into the legal order by arts. 2° and 3° of Law No. 15.270/2025, prove to be controversial." He further records: "A potential ruling on the unconstitutionality of the new profit and dividend distribution taxation model will, as a rule, entail the removal of the provision from the legal order with retroactive effect to the date of its publication. As a result, the tax assessments made under Law No. 15.270/2025 would be annulled, allowing for the restitution of any amounts already paid by taxpayers." (ADI 7.917 MC/DF, Justice Nunes Marques, decided 26.12.2025) There was, therefore, no definitive validation of the tax model established by the new statute, nor any dismissal of the constitutional arguments put forward by the Brazilian Bar Association. The merits remain entirely open, which preserves, in full, the possibility of constitutional interpretation in the final judgment. 12.4 The ruling as reinforcement of the prohibition against expansive interpretation The ruling demonstrates concrete legal concern with the legal uncertainty generated by the new legislation. The Reporting Justice points out that the brevity of the statutory deadline "evidences the lack of reasonableness and proportionality of the norm, in its sense of substantive due process (Federal Constitution, art. 5°, LIV), as well as the violation of legal certainty, a postulate of the Rule of Law (Federal Constitution, art. 1°), more specifically in its dimension of predictability and legitimate expectations." He invokes, to this end, the jurisprudence established in ARE 713.196 AgR, according to which the Supreme Court requires the provision of a reasonable period for taxpayers to adapt to regulatory changes in tax matters, and RE 566.621, in which the Full Court held that the retroactive or immediate application of new tax discipline, without transitional safeguards, violates the principle of legal certainty in its dimensions of protection of legitimate expectations and guarantee of access to Justice. In tax and sanctioning matters, expansive interpretation unfavorable to the taxpayer is prohibited, strict legality is inviolably applicable, and the principle of closed typicality is mandatory. The Revenue Service cannot, through infra-statutory acts or administrative guidance, automatically equate law firms with ordinary business corporations when such equivalence implies disregarding the special legal regime established by the Federal Constitution and Law No. 8.906/94. 12.5 Reconciling the ruling with art. 133 of the Federal Constitution The ruling in ADI 7.917 examined the contested statute from the perspective of micro and small enterprises in general, without yet addressing in depth the institutional dimension of legal practice as an essential function of Justice under art. 133 of the Federal Constitution. This point remains open for definitive examination in the merits judgment. Legal practice, as outlined by the current constitutional order, is not an ordinary economic activity, does not constitute a mere business organization, and forms part of the constitutional justice system as an indissociable prerequisite of jurisdictional effectiveness. The automatic and indiscriminate application of the new discipline to law firms disregards their institutional nature, improperly places them on the same footing as ordinary business corporations, and undermines the constitutional model of legal practice in its entirety. The preliminary ruling does not obstruct this reading; on the contrary, by vigorously reaffirming the constitutional limits on the power to tax, it provides a solid principiological basis for the restrictive interpretation advanced in this article. 12.6 Hermeneutic synthesis The ruling in ADI 7.917 reveals three fundamental elements that converge, consistently, with the thesis advanced herein: the express recognition of the constitutional limits on the State's power to tax; the emphasis on differentiated treatment for small structures as a constitutional mandate rather than a mere legislative option; and the absence of a definitive ruling on the constitutionality of the new taxation introduced by Law No. 15.270/2025. In light of this normative and jurisprudential framework, a systematic and constitutionally oriented reading is required, according to which the said statute cannot be interpreted expansively to reach law firms, on pain of violating art. 133 of the Federal Constitution, the special legal regime of the legal profession, the constitutional protection afforded to small enterprises, and the principles of legal certainty and legitimate expectations.   13 STRATEGIES FOR CONSTITUTIONAL REVIEW The institutional thesis developed herein is susceptible to multiple avenues of constitutional review, which may be pursued by the Federal Council of the Brazilian Bar Association in a coordinated and strategically graduated manner. In the domain of concentrated judicial review, the primary avenue is the direct action of unconstitutionality (ação direta de inconstitucionalidade) with a request for constitutional interpretation, pursuant to art. 28, sole paragraph, of Law No. 9.868/99, by which the Supreme Court would be requested to declare, without textual reduction, the unconstitutionality of any interpretation that subjects law firms to the mandatory withholding regime established by Law No. 15.270/2025. Alternatively, a declaration of partial unconstitutionality with textual reduction may be sought, or a request for temporal modulation of the decision's effects may be filed pursuant to art. 27 of the same statute, in order to preserve consolidated legal situations based on the legitimate expectation of exemption. In the domain of diffuse constitutional review, the strategic filing of collective writs of mandamus on behalf of Bar-affiliated law firms before the federal regional courts is recommended, with the aim of suspending the enforceability of the withholding requirement pending the Supreme Court's final ruling. In any tax enforcement proceedings that may be initiated by the Revenue Service based on the new discipline, the constitutional question may be raised incidentally, enabling the formation of precedents in the domain of diffuse review and the subsequent assignment of the matter to the repetitive appeals track before the Superior Court of Justice or to the general repercussion regime before the Supreme Court. Finally, in the domain of preventive administrative action, the Federal Council of the Brazilian Bar Association may issue binding interpretive guidance within its institutional competence, instructing law firms on the legal impossibility of automatic compliance with the new discipline and documenting, from the outset, the institutional resistance that will underpin any future request for preliminary relief based on the risk of irreversible institutional harm to the justice system.   14 CONCLUSION In light of art. 133 of the Federal Constitution, the Brazilian Lawyers' Statute and the Brazilian Bar Association Act (Law No. 8.906/94), the consolidated jurisprudence of the Supreme Court in the judgments of ADIs 1.127, 3.026, and 7.917 and related precedents, the constitutional prohibition against expansive interpretation in tax and sanctioning matters, the principle of closed tax typicality enshrined in arts. 108, §1°, and 111 of the Brazilian Tax Code, and the technique of constitutional interpretation, the following conclusions are warranted. Law No. 15.270/2025 cannot be automatically applied to law firms; a systematic and teleological interpretation is required that excludes such entities from the scope of the profit and dividend taxation established therein. The Brazilian Federal Revenue Service cannot promote an expansive interpretation aimed at equating law firms with ordinary business corporations, particularly those enrolled in the Simples Nacional regime, whose differentiated legal regime derives directly from the essential character of legal practice to Justice and the Democratic Rule of Law. The distribution of results in law firms is not structurally equivalent to the distribution of corporate dividends, which is why the application of the new discipline, without express statutory provision, violates the ability-to-pay principle and breaks the constitutionally required competitive neutrality. The implicit functional institutional immunity derived from art. 133 of the Federal Constitution additionally prevents the State from, through indirect taxation, undermining the organizational structures through which legal practice discharges its constitutional function as a guarantee of judicial proceedings. The ruling in ADI 7.917, far from weakening the institutional position of the Brazilian Bar Association, reinforces the need for constitutional interpretation, particularly with respect to the prohibition against disproportionate treatment of small structures, the protection of taxpayers' legitimate expectations, and the material limits on the State's taxing power. In this context, the Federal Council of the Brazilian Bar Association holds full institutional standing to issue binding interpretive guidance, to file a direct action of unconstitutionality with a request for constitutional interpretation, to bring collective writs of mandamus, and to pursue the other constitutional review strategies discussed in this article, thereby preserving the special legal regime of the legal profession as an inalienable prerequisite of the Democratic Rule of Law.   Brasília, Federal District, February 21, 2026.   REFERENCES ATALIBA, Geraldo. Hipótese de Incidência Tributária [Tax Incidence Hypothesis]. 6th ed. São Paulo: Malheiros, 2002. BARROSO, Luís Roberto. Interpretação e Aplicação da Constituição [Interpretation and Application of the Constitution]. 7th ed. São Paulo: Saraiva, 2009. CANOTILHO, J.J. Gomes. Direito Constitucional e Teoria da Constituição [Constitutional Law and Theory of the Constitution]. 7th ed. Coimbra: Almedina, 2003. CARRAZZA, Roque Antonio. Curso de Direito Constitucional Tributário [Course on Constitutional Tax Law]. 31st ed. São Paulo: Malheiros, 2017. CARVALHO, Paulo de Barros. Curso de Direito Tributário [Course on Tax Law]. 30th ed. São Paulo: Saraiva, 2019. DI PIETRO, Maria Sylvia Zanella. Direito Administrativo [Administrative Law]. 35th ed. Rio de Janeiro: Forense, 2022. FERREIRA, Daniel. Teoria Geral da Infração Administrativa [General Theory of Administrative Offenses]. Belo Horizonte: Fórum, 2009. HESSE, Konrad. A Força Normativa da Constituição [The Normative Force of the Constitution]. Translated by Gilmar Ferreira Mendes. Porto Alegre: Sergio Antonio Fabris, 1991. MOREIRA, Egon Bockmann. Processo Administrativo [Administrative Procedure]. 5th ed. São Paulo: Malheiros, 2017. OLIVEIRA, Rafael Carvalho Rezende. Curso de Direito Administrativo [Course on Administrative Law]. 9th ed. Rio de Janeiro: Método, 2021. OSÓRIO, Fábio Medina. Direito Administrativo Sancionador [Administrative Sanctioning Law]. 6th ed. São Paulo: Thomson Reuters Brasil, 2019. [1]CARVALHO, Paulo de Barros. Curso de Direito Tributário [Course on Tax Law]. 30th ed. São Paulo: Saraiva, 2019. [2]ATALIBA, Geraldo. Hipótese de Incidência Tributária [Tax Incidence Hypothesis]. 6th ed. São Paulo: Malheiros, 2002. [3]CARRAZZA, Roque Antonio. Curso de Direito Constitucional Tributário [Course on Constitutional Tax Law]. 31st ed. São Paulo: Malheiros, 2017. [4]HESSE, Konrad. A Força Normativa da Constituição [The Normative Force of the Constitution]. Translated by Gilmar Ferreira Mendes. Porto Alegre: Sergio Antonio Fabris, 1991. [5]CANOTILHO, J.J. Gomes. Direito Constitucional e Teoria da Constituição [Constitutional Law and Theory of the Constitution]. 7th ed. Coimbra: Almedina, 2003.
Medina Osorio Advogados - June 30 2026
White-collar Crime

THE CNMP NATIONAL DATABASE IN THE AGE OF INVESTIGATIVE COMPLEXITY: CONSTITUTIONAL, STATISTICAL AND ALGORITHMIC FOUNDATIONS OF CRIMINAL TRACEABILITY

The CNMP National Data Repository in the Age of Investigative Complexity: Constitutional, Statistical, and Algorithmic Foundations of Penal Traceability Fábio Medina Osório Managing partner of Medina Osório Advogados. PhD in Administrative Law from the Complutense University of Madrid (Spain). Master's degree in Public Law from the Faculty of Law of the Federal University of Rio Grande do Sul (UFRGS). Former Prosecutor in Rio Grande do Sul. Former Assistant Secretary of Justice and Public Security of the State of Rio Grande do Sul. Former Chief Minister of the Attorney General's Office. President of the Special Commission on Administrative Sanctioning Law of the Federal Council of the OAB. Advisor to the MDA – Advocacy Defense Movement. President of the International Institute of State Law Studies (IIEDE). This article expresses the academic opinion of the author and not of any institution of which he is part or has been a member. Summary This essay examines the institutional need for a National Database under the governance of the National Council of the Public Prosecutor's Office (CNMP), conceived as an infrastructure for traceability, coherence and self-criticism in criminal prosecution. It is argued that the private ownership of public criminal action, the external control of police activity and the investigative power of the Public Prosecutor's Office, when interpreted in the context of the Digital Age, presuppose material conditions of intelligibility that cannot be achieved without structured bases, semantic standardization and systemic auditability. In data-driven investigation, the efficiency and integrity of the criminal justice system depend on uniform methodology for collecting, normalizing, resolving identity, and recording decisional and access trails. The article demonstrates — based on comparative evidence extracted from the national and international specialized literature — that the current Brazilian scenario is marked by severe fragmentation: twenty-seven distinct criminal statistical systems, absence of a national semantic standard, refusal of states to share microdata, and documented episodes of vulnerability of databases to criminal actors. Thus, a model of "informational unit" of the Public Prosecutor's Office is proposed, which does not replace national banks of the Executive (nor does it intend to absorb state banks), but organizes the data core of the Public Prosecutor's Office and establishes governed interoperability with external systems, according to standards of quality, security and algorithmic governance. The proposal is contextualized in the light of the General Data Protection Law (LGPD – Law 13,709/2018), CNMP Resolution 318/2025 (BDP/MP), MJSP Ordinance 1,123/2026 (Sinic) and relevant international regulatory frameworks. Keywords: National database — CNMP — Public Prosecutor's Office — External control — Statistics — Artificial intelligence — Auditability — Traceability — LGPD — Data protection. Abstract This essay discusses the institutional need for a National Data Repository governed by Brazil's National Council of the Public Prosecutor's Office (CNMP), conceived as infrastructure for traceability, coherence, and institutional self-critique in criminal prosecution. It argues that the Prosecutor's exclusive authority to bring public criminal actions, its external oversight of police activity, and its investigative powers, when interpreted in the Digital Age, require material conditions of intelligibility that cannot be achieved without structured databases, semantic standardization, and systemic auditability. In data-driven investigations, efficiency and integrity depend on uniform methodologies of collection, normalization, entity resolution, and robust trails for access and decision-making. Drawing on comparative evidence from national and international specialized literature, the paper demonstrates that the current Brazilian landscape is characterized by severe fragmentation — twenty-seven distinct criminal statistics systems, absence of national semantic standards, states refusing to share microdata, and documented episodes of database vulnerability to criminal actors. The paper proposes an informational unity model for the Public Prosecutor's Office, which does not replace Executive-branch national databases nor absorb state police databases, but organizes the Prosecutor's own core data and enables governed interoperability with external systems under quality, security, and AI governance standards. The proposal is contextualized in light of Brazil's General Data Protection Law (LGPD — Law 13,709/2018), CNMP Resolution 318/2025 (BDP/MP), Ministry of Justice Ordinance 1,123/2026 (Sinic), and relevant international normative frameworks. Keywords: National data repository — CNMP — Public Prosecutor — External oversight — Statistics — Artificial intelligence — Auditability — Traceability — Data protection — LGPD. Summary 1 Introduction — 2 External control, criminal prosecution and investigative power: the constitutional tripod of traceability — 3 Investigation as an informational phenomenon: when efficiency depends on language and method — 4 National database of the CNMP and national banks of the Executive: necessary distinctions — 5 Metric transparency in criminal prosecution: statistics as institutional listening — 6 Algorithmic standardization and auditability: from search to graph — 7 Public data infrastructure,  Interinstitutional Agreements and Informational Sovereignty — 8 Protection of Personal Data and Safeguards in Criminal Prosecution — 9 Conclusion: A New Architecture of External Control — 10 Bibliographic References — 11 Legislative References 1. Introduction The 1988 Constitution enshrined a set of classic guarantees — publicity, transparency, reasoning, due process, adversarial proceedings, ample defense — which, historically, were read as requirements oriented to the final decision-making act: the sentence, the judgment, the sanctioning administrative act. The Digital Age has shifted the center of gravity of this debate. Today, the concrete restriction of rights, in the criminal sphere, often materializes before the trial: in the investigative choices, in the criteria for prioritizing targets, in the construction of evidentiary narratives, in intelligence records, in the selection of what is sought and what is ignored. In other words: the decision, in the contemporary world, is composed of a chain of micro-decisions, often invisible, whose legitimacy depends on traceability. This scenario requires recognizing a methodological premise: one does not understand what cannot be reconstructed. Formal publicity of acts and classic transparency are no longer enough when criminal prosecution becomes dependent on massive databases, structured searches, and algorithmic correlations. If information is fragmented, if records are semantically incompatible between states, if there are no audit trails, the very rationality of the system loses density: the investigation may produce results, but it does not produce intelligibility; it can generate criminal action, but weakens the capacity for critical review; it can condemn, but it dissolves the legitimacy of the course.[1] The empirical diagnosis confirms this premise with force. A comprehensive survey on the situation of public security technologies in the Brazilian Federation Units revealed that twelve states do not even use disruptive technologies and another nine did not respond to requests for information during the survey.[2] The 2023-2024 Public Security Statistical Yearbook, prepared jointly by Ipea and the National Public Security Secretariat (Senasp/MJSP), is even more accurate: Brazil has twenty-seven different criminal statistics systems among civil police forces alone, and the country "still does not have a structured public security information system, with reliable data."[3] The regulatory vacuum is also documented: the General Data Protection Law (LGPD – Law No. 13,709/2018) provides, in its article 4, an exception for public security and criminal prosecution activities, but this exception, in the absence of a specific law that disciplines it, becomes a zone of opacity, making it difficult to control and be transparent about how data is treated by state agencies.[4] In this context, it is important to observe the role of the National Council of the Public Prosecutor's Office (CNMP) which, according to its own official definition, carries out the administrative, financial and disciplinary oversight of the Public Prosecutor's Office in Brazil and its members, respecting the autonomy of the institution. The body, created on December 30, 2004 by Constitutional Amendment No. 45, had its installation completed on June 21, 2005, with headquarters in Brasília-DF. Formed by 14 members representing different sectors of society, the CNMP aims to imprint a national vision to the MP, which is a result of the constitutional principle of institutional unity. The Council is responsible for guiding and supervising all branches of the Brazilian Public Prosecutor's Office: the Federal Public Prosecutor's Office (MPU), composed of the Federal Public Prosecutor's Office (MPF), the Military Public Prosecutor's Office (MPM), the Labor Public Prosecutor's Office (MPT) and the Federal District and Territories (MPDFT); and the Public Prosecutor's Office of the States (MPE). Chaired by the Attorney General of the Republic, the Council is composed of four members of the MPU, three members of the MPE, two judges appointed one by the Federal Supreme Court and the other by the Superior Court of Justice, two lawyers appointed by the Federal Council of the Brazilian Bar Association, and two citizens of notable legal knowledge and unblemished reputation, one appointed by the Chamber of Deputies and the other by the Federal Senate. Before taking office at the CNMP, the names presented are considered by the Commission on Constitution and Justice and Citizenship (CCJ) of the Federal Senate, then go to the Senate Plenary and go to the sanction of the President of the Republic. Guided by the control and administrative transparency of the Public Prosecutor's Office and its members, the CNMP is an entity open to social control and to Brazilian entities, which can forward complaints against members or bodies of the Public Prosecutor's Office, including against its auxiliary services. Such principles must be interpreted in harmony with the principles of efficiency, impersonality, legality, due process, economy, administrative morality, prohibition of arbitrariness by public authorities and the right to understand the content of decisions taken by public authorities.[5] The implementation of the institutional unity of the Public Prosecutor's Office, in the criminal sphere and in the fight against violent and organized crime, involves national control of the exercise of the institution's investigative power and external control of the police in an integrated and harmonious manner, through strategic and nationally articulated planning. It is at this point that the constitutional architecture of the Public Prosecutor's Office gains centrality. The CNMP must ensure institutional unity in the management of intelligence of the Brazilian Public Prosecutor's Office and, above all, this management should have a first major impact on public security and criminal investigations throughout the national territory. The Public Prosecutor's Office is not only the private holder of public criminal action (article 129, I, of the Federal Constitution), but also exercises external control of police activity (article 129, VII), in addition to holding requisition powers and, in the jurisprudential horizon consolidated by the Federal Supreme Court (RE 593.727, Topic 184), investigative powers compatible with the Constitution,  as long as it is under guarantees. The tripod accusation-control-investigation puts the Public Prosecutor's Office in an inevitable position: it is the recipient and inspector of the investigative product. However, recipient and controller can only operate in a data environment if they have adequate infrastructure. The absence of this infrastructure produces an essential contradiction: the Public Prosecutor's Office carries increasing constitutional responsibilities, but inherits a dispersed, heterogeneous and often opaque informational universe. Hence the hypothesis of this essay: external control, although not hierarchical, has a conformative nature in the digital world. It conforms to the minimum of registerability, auditability and semantic standardization required for police activity to be controllable, comparable and correctable, and for the ownership of the criminal action to be exercised with national coherence. From this perspective, the CNMP's National Database emerges as an infrastructure of the Public Prosecutor's Office itself: an institutional memory center, a standardization base, and a bridge of governed interoperability with external systems. It is essential, however, to delimit the object to avoid misunderstandings. The National Bank of the CNMP does not intend to replace national banks of the Executive Branch. The Ministry of Justice and Public Security (MJSP) established the National Criminal Information System (Sinic), by Ordinance No. 1,123/2026, as the official basis for consolidating and making criminal information available. The recent legislative environment — based on the SUSP Law (Law No. 13,675/2018) — also designs thematic national databases in the fight against organized crime, with a federative logic of interoperability. The CNMP Bank has its own vocation: to organize the data center of the Public Prosecutor's Office and allow controlled, auditable and finalistic interoperability — without indiscriminate absorption of state police databases. 2. External control, criminal action and investigative power: the constitutional tripod of traceability External control is not an administrative command. This statement, although correct, is often misused: as if the absence of hierarchy implies the absence of institutional power. In the Digital Age, precisely the opposite occurs. When police activity materializes in systems, records, and information chains, external control needs to focus on what makes the activity verifiable: minimal records, metadata integrity, traceability of changes, preservation of versions, minimum standardization of remittance, and the ability to reconstruct investigative decisions. The private ownership of the public criminal action imposes on the Public Prosecutor's Office the responsibility for organizing the accusation based on comprehensible and criticizable evidence. This increasingly requires that investigative acts reach the Public Prosecutor's Office accompanied by essential metadata and trails that allow subsequent measurement. Each piece of a police investigation sent to the Public Prosecutor's Office carries, in the digital age, implicit metadata — timestamps, terminal identifiers, access logs, history of changes — which, when preserved, allow the evidential integrity to be assessed, and, when suppressed or corrupted, make control unfeasible. Investigation, in turn, cannot be conceived as an administrative "black box": it is the field where fundamental rights are under tension on a daily basis. External control gains density when it becomes a requirement for auditability, and this auditability, in an informational environment, is always a standard phenomenon. Forensic analysis systems that apply large-scale language models (LLMs) to evidence extracted from mobile devices—such as the framework developed by the South Korean National Police Agency—demonstrate that minimal metadata structuring is a condition of epistemic validity: without precise identification of sender, recipient, timestamp, and conversational context,  Digital evidence loses the chain of custody that makes it usable in prosecution.[6] The inter-organizational dimension of this challenge is equally relevant. In Brazil, investigative powers are distributed among the civil police, the federal police, the military police (in some states), and the Public Prosecutor's Office itself — with shared attributions that historically generate distortions in the production and sharing of intelligence.[7] The absence of a structured data-driven intelligence model — such as the Intelligence-Led Policing (ILP) practiced in the United Kingdom (National Intelligence Model) and adopted as a guideline by the Public Security Intelligence Subsystem (SISP) in Brazil — results in intuition-based patrolling, historically low case resolution rates, and inability to detect criminal networks with interstate operations.[8] 3. Investigation as an informational phenomenon: when efficiency depends on language and method The investigative inefficiency in Brazil is not explained only by the scarcity of human or technological resources. It is explained, in a significant part, by the absence of a common language between databases. Data-driven investigation relies on finding relationships between scattered records—people, addresses, vehicles, weapons, corporate ties, communications, georeferences. When each state registers in its own language, the national system does not see networks — it sees fragments. This phenomenon produces a paradox: the investigation is digitized, but the analog logic of the record is preserved. The consequences are predictable: the search does not work, the correlation is precarious, homonyms proliferate, duplicity sets in, and statistical analysis loses validity. The quality of the data is no longer a technical detail and becomes a requirement of efficiency and legitimacy. The 2023-2024 Public Security Statistical Yearbook documents this paradox accurately: most states use their own collection systems (such as RAI in Goiás, SROP in Mato Grosso, and Millenium in the Federal District) and then export spreadsheets or employ Business Intelligence tools to pass on statistical data to the federal government via Sinesp VDE. Some states refuse to send microdata alleging barriers linked to the LGPD "inadequately", compromising the statistical validity and, by extension, the rationality of public policies based on this data. International research on disruptive technologies in public security provides instructive contrast. The SafetySmart platform, operated by SoundThinking, Inc. in the United States, processes more than 1.3 billion structured and unstructured records from multiple jurisdictions through a federated search engine, CrimeTracer, which allows it to "access and cross-reference crucial information from multiple IT agencies across cities, counties, states and across the country." The CaseBuilder module digitally structures all case information in a unified format, eliminating manual processes and siloed systems. The comparison is not a recommendation for the privatization of criminal intelligence – a model that raises serious objections of informational sovereignty and democratic control, as discussed later – but a demonstration that semantic standardization and federated search are technically feasible and operationally transformative. At the level of evidentiary microanalysis, recent research demonstrates that structuring the metadata of messages extracted from smartphones—with standardized fields of sender, recipient, timestamp, chat room identifier, and message type—allows language models (such as GPT, in its more advanced versions, and Claude, in its more advanced versions) to automate reading,  understanding context and extracting hidden criminal evidence, dramatically reducing the time required to analyze massive volumes of data in strict procedural timelines. The Italian study on Knowledge Graphs and NLP applied to the analysis of messages from real fraud and corruption investigations points in the same direction: the structuring of metadata (list of participants, times, senders, attachments, entities identified by NER – Recognition of Named Entities) is a precondition for investigators to extract insights without manually reading all the seized material. "Contestable AI" — a concept proposed by German researchers at the Federal University of the Bundeswehr in Munich — goes further: it proposes that criminal intelligence analysis systems are not only explainable, but contestable, allowing the human investigator to question, correct, and refine algorithmic outputs through semantic modeling and structured human supervision.[9] These developments converge on the same conclusion: the quality of the input data—its completeness, semantic standardization, traceability, and completeness—determines the quality ceiling of the output analysis, whether done by humans or algorithms. 4. National bank of the CNMP and national banks of the Executive: necessary distinctions CNMP Resolution No. 318/2025 establishes the Procedural Database of the Public Prosecutor's Office (BDP/MP) and establishes rules for treatment, governance, and use. It is the institutional core of the CNMP's National Bank: procedural and extrajudicial data of the MP, organized under national standards and its own governance. The basis is justified by the constitutional nature of the Public Prosecutor's Office as the holder of criminal and fiscal action in the legal system: without a structured institutional memory, the exercise of these functions is systematically dependent on information produced by third parties — which compromises both functional independence and the quality of prosecution. Sinic, in turn, was established by the MJSP, by Ordinance No. 1,123/2026, as the official basis for consolidating and making available criminal information — indictments, complaints, and convictions — with the vocation of becoming the "single source" for issuing the National Criminal Certificate and the Criminal Records Sheet, progressively replacing the fragmented systems of courts, civil police, and identification institutes of the Federation Units.[10] The SUSP ecosystem (Law No. 13,675/2018) provides the legal framework for national integration of public security data, with Sinesp as the reference system for police statistics.[11] Thus, the CNMP Bank should be designed as: (i) the national base of the Public Prosecutor's Office (nucleus), comprising the procedural and extrajudicial data produced by the Public Prosecutor's Office in all spheres; (ii) governed interoperability with federal and state bases (bridge), through technical protocols, sharing agreements and audit trails; and (iii) analytical and statistical layer (institutional intelligence), which allows the CNMP to exercise its function of planning, evaluating, and controlling criminal prosecution. The legitimacy of the project depends precisely on this distinction: not to duplicate, not to absorb indiscriminately, but to integrate with governance. The distinction between controller and operator, under the terms of the LGPD (Law No. 13,709/2018), is essential here. The CNMP, as the public controller of BDP/MP's data, defines the purposes and means of processing; the police and other agencies that feed the system operate as sources; and any technology companies hired to develop state connectors and normalize data act as technical operators, subject to the controller's instructions and subject to periodic audits. This responsibility architecture is a condition of compliance with article 23 of the LGPD, which imposes on the Government the duty to publish its processing rules and to appoint the Data Protection Officer (DPO). Sinic incorporates, as an express normative guideline, records of people convicted of being part of criminal organizations or factions — which densifies criminal intelligence against organized crime at the national level. The experience of the Integrated Network of Genetic Profile Banks (RIBPG), which already accumulates more than 254 thousand genetic profiles in federated architecture (23 state banks connected to the National Bank of Genetic Profiles – BNPG), demonstrates that this interoperability is technically feasible and institutionally sustainable.[12] The RIBPG model — with a technical standard defined in the Manual of Operational Procedures, standardized software (CODIS) and connectivity to the INTERPOL base — offers a template for the CNMP Bank: federated architecture, centralized technical standard, public governance and external auditability. 5. Metric transparency in criminal prosecution: statistics as institutional listening In criminal prosecution, statistics should not be reduced to annual reports or occurrence counts. In the Age of Complexity, statistics is the scientific form of institutional listening: it identifies patterns, reveals anomalies, detects inequalities, and allows for self-criticism. This function is only possible with comparable data and with measurable quality. The 2023-2024 Statistical Yearbook of Public Security documents that organized crime (such as PCC and CV) operates strongly in border regions (North and Midwest), using transnational routes for the flow of drugs and weapons, but "there is currently no federal initiative or single and consolidated database that integrates the various institutions (Senappen, CNJ, Federal Police,  Coaf, Abin) for a comprehensive diagnosis of organized crime". The absence of an integrated database forces researchers to construct proxies — indirect markers — using existing databases (Sinesp), such as the ratio between completed and attempted homicides, seizures of large-caliber weapons, and rates of intentional deaths within the prison system. International frameworks of statistical quality gain relevance here. The IMF's Data Quality Assessment Framework (DQAF) and the United Nations Fundamental Principles of Official Statistics (UN Resolution 68/261) enshrine integrity, reliability, confidentiality, and responsible use as conditions of public trust.[13] These principles have direct implications for the CNMP Bank: (i) UN Principle 6 determines that individual data collected by statistical agencies must be "strictly confidential and used exclusively for statistical purposes", which imposes a structural separation between the aggregated analytical layer of the database and the individual procedural data, with differentiated access controls; (ii) Principle 8 prescribes that "coordination between statistical agencies within countries is essential to achieve consistency and efficiency in the statistical system", justifying the role of the CNMP as national coordinator of statistics of the Public Prosecutor's Office; and (iii) Principle 9 defends the international standardization of concepts and classifications, guiding the choices of schema and legal ontology for the system. Research on predictive policing in Brazil reveals that states and municipalities have adopted "self-regulation" in the application of algorithms, "subjecting public security to methodological flaws, government discretion, data leakage, and discriminatory bias."[14] This fragmentary self-regulation compromises not only investigative efficiency, but the legitimacy of the statistics produced: when a state's algorithm is fed with data that "portrays the selectivity of the public security and criminal justice system," statistical inferences amplify bias rather than correct it. The Court of Auditors of the State of São Paulo, when auditing the Detecta system, found "conflicts between operational systems, lack of infrastructure and training", which illustrates that the absence of structured governance affects both the operational validity and the statistical reliability of the data. A documented episode dramatically illustrates the risk of the absence of governance: in 2023, an investigation by the Federal Police revealed that the PCC (First Command of the Capital) was able to access the Detecta camera system, using the state database to monitor an unmarked Civil Police vehicle in the midst of an assassination plot.[15] The episode demonstrates that public security databases without adequate access controls, authentication, anomaly monitoring, and vulnerability management can be instrumentalized by organized crime itself — converting it from a protection tool into a threat vector. 6. Algorithmic standardization and auditability: from search to graph Algorithmic standardization does not mean imposing a single software on states. It means enforcing minimal properties: (i) versioned canonical schema — data structure with defined fields and types, version-controlled to ensure backward compatibility; (ii) semantic dictionary — controlled vocabulary of legal and criminological terms that ensures that the same phenomenon is described in the same way in all systems; (iii) identity resolution rules — algorithms that identify whether two records refer to the same individual, entity, or event, eliminating duplicates and homonyms; (iv) immutable logs — access and operation records that cannot be changed retroactively, essential to the digital chain of custody; (v) transformation trails (data lineage) — tracking of all transformations undergone by the data from collection to analytical use; and (vi) quality metrics by source and by state — measurable indicators of completeness, consistency, accuracy, and timeliness. AI risk governance, as emphasized by the NIST AI RMF 1.0 (Artificial Intelligence Risk Management Framework), is based on the premise that risks emerge from the interaction between technical components and social and institutional factors, requiring documentation, control, and continuous management.[16] The framework organizes the governance of AI systems into four functions — Govern, Map, Measure, and Manage — directly applicable to the life cycle of the algorithms used in the search, correlation, and analysis of criminal data. The European AI Act (Regulation (EU) 2024/1689) enshrines risk management, transparency and governance obligations that are especially relevant when systems impact fundamental rights and enforcement activities.[17] The regulation classifies AI systems aimed at law enforcement as high-risk, requiring impact assessment on fundamental rights before deployment, structured human oversight, accuracy testing, and assessment of demographic disparities. Although it is a rule of European law, the AI Act works as a reference parameter for the governance of similar systems in Brazil, especially in the absence of specific legislation for AI applied to public security. The U.S. Department of Justice's Final Report on AI and Criminal Justice (2024) — prepared in compliance with Section 7.1(b) of Executive Order 14.110 (repealed on January 20, 2025 by President Trump, without prejudice to the documents produced during its validity) — points out that AI tools used to "identify criminal suspects, predict crimes,  apply digital forensics techniques, monitor social networks, or track the physical location of individuals" must be subject to AI Impact Assessments and structured risk management practices, with procedures to audit input data and avoid discriminatory feedback loops.[18] White House Memorandum M-25-21 (OMB, 2025) reinforces this guidance, mandating that Chief AI Officers and Chief Data Officers coordinate cross-agency interoperability criteria and invest in "quality data assets, technology infrastructure, and governance in the collection, curation, and preparation of information."[19] These milestones help give contemporary density to the central argument: databases and algorithms are not just tools; they are infrastructures of power that require auditability. UNESCO's Recommendation on the Ethics of Artificial Intelligence (2021) is explicit in prohibiting the use of AI for "social scoring or mass surveillance" and in requiring systems deployed by States for law enforcement to submit to independent oversight mechanisms, ensuring that training data "does not reinforce bias, inequalities or discrimination".[20] On the technical level, the Knowledge Graph architecture — as proposed in the Neo4j-based system for analyzing messages from criminal investigations — offers an alternative to the classical relational model to represent the complexity of the investigated networks: instead of tables, the graph represents entities (people, organizations, places) and their relationships (communicated with, transferred money to,  appeared in the same place as) with semantic enrichment by NER (Named Entity Recognition) and automatic transcription of audios. The FEDLEGAL benchmark, discussed in the Computational Law literature, proposes Federated Learning as an alternative architecture to train AI models on sensitive legal data without physically centralizing the data — preserving the privacy of distributed databases and, at the same time, allowing collective learning.[21] 7. Public data infrastructure, interinstitutional agreements and informational sovereignty The viability of the CNMP Bank, on a federative scale, presupposes interoperability agreements and protocols with state systems, with the MJSP SINIC, with Sinesp and with thematic bases such as the RIBPG. These instruments must define: (a) the types of data being shared (category, purpose and sensitivity); (b) the legal bases applicable in each case (article 7, III or VI; article 11, II, f; and article 23 of the LGPD, depending on whether or not the data is of a sensitive nature); (c) the technical safeguards required (encryption at rest and in transit, role-based access control, multi-factor authentication, immutable access logs); (d) the responsibilities of each party (controller, co-controller or processor); and (e) the audit and accountability mechanisms. The company eventually hired by the CNMP must act as a technical operator, implementing state connectors and normalizing data to the national standard, under the governance of the public controller. This relationship must be governed by a data processing agreement (article 39 of the LGPD), with periodic audit clauses, prohibition of the use of data for purposes other than the contract, mandatory notification in the event of a security incident (article 48 of the LGPD) and secure termination of the processing at the end of the contract. The model is not one of privatization of criminal intelligence — which raises serious objections of informational sovereignty and democratic accountability — but of technical outsourcing with public responsibility preserved. International experience provides relevant parameters. The US Tribal Law and Order Act of 2010 demonstrates that the integration of databases between entities from different spheres can be made possible by "gradual access" mechanisms, conditioned to the fulfillment of technical and legal requirements.[22] The model of American fusion centers — centers where criminal agencies at the local, state, and federal levels integrate and share intelligence — offers a reference for the articulation between the CNMP Bank and the intelligence centers of the state and federal police. At the global level, INTERPOL's architecture demonstrates that criminal intelligence databases with transnational reach are viable under strict governance: all data shared by member countries "comply with strict international standards, with a legal basis and built-in security features", with structured access through the secure I-24/7 system and the ability to simultaneously consult the national databases and the central database,  in real time.[23] This reinforces that informational sovereignty is not incompatible with interoperability — as long as access is controlled, the purpose is defined, and the data remains under the governance of public authority. The objective of the CNMP Bank is not to "copy everything", but to create an auditable bridge that allows search and correlation on a national scale, with preservation of functional confidentiality and compliance with the LGPD. Criminal intelligence data, communications protected by professional secrecy, defendants' mental health data, information on victims of sexual crimes, and protected witness data require differentiated treatment, with more restrictive access controls and more narrowly defined purposes. 8. Protection of personal data and safeguards in criminal prosecution The articulation between public security and personal data protection is one of the most complex knots in the contemporary Brazilian legal system. The LGPD (Law No. 13,709/2018), in its article 4, III, excludes from its scope of application the processing of data for the exclusive purposes of public security, national defense, State security, and activities of investigation and prosecution of criminal offenses — excluding such processing operations from the general incidence of the law and referring them to the specific law to be enacted. This exception, however, does not equate to the absence of protection. Two converging arguments support this assertion. First, the constitutional argument: the fundamental rights to privacy (article 5, X), data protection (article 5, LXXIX, with EC No. 115/2022) and due process of law (article 5, LIV) constitute insurmountable limits even for criminal prosecution, regardless of ordinary law. Second, the systemic argument: the absence of a specific law does not create an absolute normative vacuum, since the following affect the matter: (i) the Code of Criminal Procedure (CPP), which regulates the production of evidence and the integrity of chains of custody; (ii) the CNMP resolutions on data handling and functional secrecy; (iii) Convention 108+ of the Council of Europe, to which Brazil is not a party, but which functions as an interpretative parameter for data protection in law enforcement contexts; and (iv) UNESCO's guidelines on ethics in AI, which impose specific safeguards for data relating to offences, criminal prosecutions and convictions. For the purposes of application to the CNMP Bank, the principles of data protection operate as follows. The principle of purpose determines that each type of data can only be processed for the purpose that justified its collection — data collected for criminal identification purposes cannot be reused for the purposes of behavioral profiling or continuous surveillance. The principle of necessity imposes that the bank collects only the minimum amount of data indispensable for the defined purposes, prohibiting the speculative collection or storage of unnecessary data. The principle of adequacy requires that the means of processing be proportionate to the purpose pursued. The principle of transparency requires the publication of processing rules and the designation of a data officer (DPO). The principle of security requires the adoption of technical and administrative measures to protect data against unauthorized access, destruction, loss and alteration. The principle of accountability imposes on the controller the obligation to demonstrate compliance and to respond for damages caused as a result of the processing. These principles impose, in practice, a set of operational safeguards for the CNMP Bank: (a) mapping of data categories and sensitivity assessment (data related to infractions, racial origin, health, sexual orientation and private life receive reinforced protection); (b) role-based access control (RBAC), with differentiated profiles for intelligence consultants, prosecutors, system administrators, and auditors; (c) immutable access logs, periodically audited by an external body; (d) anonymization or pseudonymization of data for statistical and analytical purposes, preserving the identified data only for specific procedural purposes; (e) Data Protection Impact Assessment (DPIA) prior to the deployment of new analytics modules, especially those using AI; and (f) incident response plan, with notification to the CNMP, the National Data Protection Authority (ANPD) and, when applicable, to the subject of the affected data. One specific risk deserves attention: algorithmic bias. When the data that feeds a criminal AI system were collected in the context of selective policing — with overrepresentation of certain population groups in the records of suspects, infractions, and convictions — the algorithms trained on this basis reproduce and amplify structural discrimination, violating the principles of equality (article 5, I, of the FC) and non-discrimination. Mitigation requires: (i) bias audit on the input data and on the outputs of the system; (ii) demographic disparity tests in analytical results; (iii) documentation of the model's design choices and limitations; and (iv) mandatory human oversight over decisions that impact individual rights. 9. Conclusion: A New External Control Architecture External control, in the digital world, is not limited to inspections and recommendations. It is realized as a requirement for traceability. Traceability, in turn, depends on common language, collection methodology, data quality, and auditability of accesses and transformations. Without these conditions, external control remains rhetorical — a formal guarantee that does not reach the field where decisions are actually made: in the chain of investigative micro-decisions that precede the accusatory act. The construction of the CNMP's National Database, based on the BDP/MP and articulated with the national databases of the Executive — especially Sinic — through governed interoperability, represents an institutional architecture capable of increasing investigative efficiency, strengthening fundamental rights, and allowing self-criticism of the criminal justice system. This architecture is necessary, but not sufficient: it needs to be accompanied by a specific law for the processing of data in criminal prosecution (to be approved in the manner required by article 4, paragraph 1, of the LGPD), a National Data Protection Authority (ANPD) strengthened in its capacity to oversee the Public Power, and an institutional culture of data governance that still needs to be built in Brazilian public security organizations. The international literature converges, with variations of emphasis, around five fundamental lessons for the construction of this type of infrastructure: (i) data fragmentation is the main obstacle to effective criminal intelligence, and semantic standardization is a precondition for integration; (ii) the centralization of data without adequate governance creates risks of abuse, discrimination, and instrumentalization by criminal actors; (iii) human oversight is irreplaceable — algorithms identify patterns, but do not exercise judgment; (iv) external accountability (auditing, parliamentary oversight, judicial control) is a condition for legitimacy; and (v) federated interoperability — an architecture in which data resides in the agencies of origin and is accessed by controlled consultation, as in the RIBPG and INTERPOL model — is more compatible with Brazilian federalism and data protection principles than unrestricted physical centralization. The Public Prosecutor's Office, as the holder of the criminal action and guardian of the Democratic Rule of Law (article 127, caput, of the Federal Constitution), is responsible for leading this process – not because the National Bank is its exclusive property, but because no other institutional actor has the same constitutional scope as the mandate to accuse, control and investigate. The informational unity of the Public Prosecutor's Office is not centralism; It is the epistemic presupposition of a criminal prosecution that aspires to coherence, equity and the possibility of being corrected. 10. Bibliographic references AMBROSIO, Gleiner Pedroso Ferreira; BARBOSA, André Luis Jardini. The paradigm of the implementation of artificial intelligence in Brazilian public security: regulation versus efficiency. Journal of Legal Studies of UNESP, v. 28, n. 48, 2024. ARRIETA, Alejandro Barredo et al. Explainable Artificial Intelligence (XAI): concepts, taxonomies, opportunities and challenges toward responsible AI. Information Fusion, v. 58, p. 82-115, 2020. CHMIELINSKI, Kasia et al. The CLeAR Documentation Framework for AI Transparency: recommendations for practitioners and context for policymakers. Cambridge, MA: Shorenstein Center/HKS, 2024. GROSSI, Alexandre Viezzer. The application of Artificial Intelligence in Brazilian public security: the case of São Paulo and the analysis of PL No. 2338/2023. Journal of Public Policies & Cities, v. 14, n. 4, 2025. ISSN: 2359-1552. DOI: https://doi.org/10.23900/2359-1552v14n4-72-2025. INTERPOL. Rules on the Processing of Data (RPD). Lyon: INTERPOL, 2019. INTERNATIONAL MONETARY FUND (IMF). Data Quality Assessment Framework (DQAF). Washington, D.C.: IMF, 2012. IPEA; SENASP/MJSP. Statistical Yearbook of Public Security 2023-2024. Brasília: Ipea, 2025. DOI: https://dx.doi.org/10.38116/ri-anuario-estatistico-2023-2024. KERDVIBULVECH, Chutisant. Big Data and AI-driven evidence analysis: a global perspective on citation trends, accessibility, and future research in legal applications. Journal of Big Data, v. 11, n. 180, 2024. KIM, Kyung-Jong; LEE, Chan-Hwi; BAE, So-Eun; CHOI, Ju-Hyun; KANG, Wook. Digital forensics in law enforcement: A case study of LLM-driven evidence analysis. Forensic Science International: Digital Investigation, v. 54, art. 301939, 2025. DOI: https://doi.org/10.1016/j.fsidi.2025.301939. KÜÇÜK, Dilek; CAN, Fazli. Computational law: datasets, benchmarks, and ontologies. arXiv, 2025. Preprint 2503.04305v2. MAORO, Falk; GEIERHOS, Michaela. Contestable AI for criminal intelligence analysis: improving decision-making through semantic modeling and human oversight. Frontiers in Artificial Intelligence, v. 8, art. 1602998, 2025. DOI: 10.3389/frai.2025.1602998. MJSP/CG-RIBPG. XXII Report of the Integrated Network of Genetic Profile Banks (RIBPG): Statistical data and results — Nov/2024 to May/2025. Brasília: MJSP, May 2025. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY (NIST). Artificial Intelligence Risk Management Framework (AI RMF 1.0). Gaithersburg, MD: NIST, 2023. (NIST. AI.100-1). DOI: https://doi.org/10.6028/NIST.AI.100-1. ORGANISATION FOR ECONOMIC CO-OPERATION AND DEVELOPMENT (OECD). Recommendation of the Council on Artificial Intelligence. Paris: OECD, 2019 (revisada em 2024). OSÓRIO, Fábio Medina. The right to understanding in the era of technological complexity: constitutional, statistical and algorithmic foundations of decision-making transparency. Revista dos Tribunais, v. 1077/2025, jul. 2025. DTR\2025\7689. PADIU, Bogdan; IACOB, Radu; REBEDEA, Traian; DASCALU, Mihai. To what extent have LLMs reshaped the legal domain so far? A scoping literature review. Information, v. 15, n. 11, 2024. POZZI, Riccardo; BARBERA, Valentina; PRINCIPE, Renzo Alva; GIARDINI, Davide; PALMONARI, Matteo. Combining Knowledge Graphs and NLP to Analyze Instant Messaging Data in Criminal Investigations. In: Proceedings of WISE 2024. Springer, 2024. DOI: https://doi.org/10.1007/978-981-96-0567-5_30. PYTLOWANCIV, Diogo Fernando Sampaio. Intelligence-Led Policing and its Possibility of Implementation in Brazil. Brazilian Journal of Police Sciences, v. 15, n. 1, p. 103-123, Jan./Apr. 2024. ISSN: 2318-6917. RIGANO, Christopher. Using Artificial Intelligence to Address Criminal Justice Needs. NIJ Journal, n. 280. Washington, D.C.: National Institute of Justice, jan. 2019. NCJ 252038. SOUNDTHINKING, INC. Form 10-K: Annual Report Pursuant to Section 13 or 15(d) of the Securities Exchange Act of 1934 (Fiscal Year Ended December 31, 2024). U.S. Securities and Exchange Commission, 2025. Commission File Number 001-38107; Nasdaq: SSTI. TSUNODA, Denise Fukumi; CÂNDIDO, Ana Clara; GUIMARÃES, André José Ribeiro. Disruptive technologies in public security: a Brazilian situational analysis. Revista Tecnologia e Sociedade, v. 20, n. 61, p. 317-333, jul./set. 2024. DOI: 10.3895/rts.v20n61.18408. UNESCO. Recommendation on the Ethics of Artificial Intelligence. Paris: UNESCO, 2021. Código SHS/BIO/REC-AIETHICS/2021. UNITED NATIONS. Fundamental Principles of Official Statistics. Resolution 68/261. New York: United Nations Statistics Division, 2014. A/RES/68/261. UNITED STATES DEPARTMENT OF JUSTICE. Artificial Intelligence and Criminal Justice: Final Report. Washington, D.C.: U.S. DOJ, 3 dez. 2024. VOUGHT, Russell T. M-25-21: Accelerating Federal Use of AI through Innovation, Governance, and Public Trust. Washington, D.C.: Executive Office of the President, Office of Management and Budget, 3 abr. 2025. 11. Legislative references BRAZIL. Constitution of the Federative Republic of Brazil of 1988. BRAZIL. Constitutional Amendment No. 115, of February 10, 2022. It includes the protection of personal data among the fundamental rights and guarantees (art. 5, LXXIX, FC). BRAZIL. Law No. 13,675, of June 11, 2018. Establishes the Unified Public Security System (SUSP). BRAZIL. Law No. 13,709, of August 14, 2018. General Law for the Protection of Personal Data (LGPD). BRAZIL. Federal Supreme Court. RE 593.727 (Topic 184). Investigative powers of the Public Prosecutor's Office. Brasília: STF. CNMP. Resolution No. 318, of October 28, 2025. Procedural Database of the Public Prosecutor's Office (BDP/MP). MJSP. Ordinance No. 1,122, of January 5, 2026. National Protocol for the Recognition of Persons in Criminal Proceedings. MJSP. Ordinance No. 1,123, of January 5, 2026. National Criminal Information System (Sinic). EUROPEAN UNION. Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 (Artificial Intelligence Act). Official Journal of the European Union, L 2024/1689. ELI: http://data.europa.eu/eli/reg/2024/1689/oj. UNITED STATES OF AMERICA. Executive Order 14110: Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence. Federal Register, 30 out. 2023. Revogada pelo Presidente Trump em 20 de janeiro de 2025. UNITED STATES OF AMERICA. Tribal Law and Order Act of 2010. Pub. L. 111-211, 124 Stat. 2258. [1]By the way, check out the article I wrote on the subject: OSÓRIO, Fábio Medina. The right to understanding in the era of technological complexity: constitutional, statistical and algorithmic foundations of decision-making transparency. Revista dos Tribunais, v. 1077/2025, jul. 2025. DTR\2025\7689. [2]TSUNODA, Denise Fukumi; CÂNDIDO, Ana Clara; GUIMARÃES, André José Ribeiro. Disruptive technologies in public security: a Brazilian situational analysis. Revista Tecnologia e Sociedade, v. 20, n. 61, p. 317-333, jul./set. 2024. DOI: 10.3895/rts.v20n61.18408. The authors note that "it is essential to establish unified databases, standardize the processes of collecting and recording information in all federative units" so that it is possible to "carry out research and analysis in an appropriate way", identifying that twelve Brazilian states do not even use disruptive technologies and another nine did not provide information during the research. [3]IPEA; SENASP/MJSP. Statistical Yearbook of Public Security 2023-2024. Brasília: Ipea, 2025. DOI: https://dx.doi.org/10.38116/ri-anuario-estatistico-2023-2024. The document explains that "Brazil still does not have a structured public security information system, with reliable data," describing the existence of "27 distinct systems of criminal statistics, considering only the civil police." The Yearbook documents that the refusal of some states to disclose microdata, under the justification of LGPD protection, is a serious obstacle to national integration. [4]AMBROSIO, Gleiner Pedroso Ferreira; BARBOSA, André Luis Jardini. The paradigm of the implementation of artificial intelligence in Brazilian public security: regulation versus efficiency. Journal of Legal Studies of UNESP, v. 28, n. 48, 2024. The authors point out that the LGPD "has an exception in its article 4, determining that the law does not apply to the processing of data carried out for the exclusive purposes of public security, national defense, or criminal investigation and prosecution activities," warning that this exception "creates a regulatory vacuum, making it difficult to control and transparency over how this data is managed by state agencies." The study also notes that the Global Organized Crime Index (2023) places Brazil in an alarming position (22nd overall and 8th in criminal markets), with low institutional resilience. [5]OSÓRIO, Fábio Medina. The right to understanding in the era of technological complexity: constitutional, statistical and algorithmic foundations of decision-making transparency. Revista dos Tribunais, v. 1077/2025, jul. 2025. DTR\2025\7689. [6]POZZI, Riccardo; BARBERA, Valentina; PRINCIPE, Renzo Alva; GIARDINI, Davide; PALMONARI, Matteo. Combining Knowledge Graphs and NLP to Analyze Instant Messaging Data in Criminal Investigations. In: Proceedings of WISE 2024 (Web Information Systems Engineering). Springer, 2024. DOI: https://doi.org/10.1007/978-981-96-0567-5_30. The paper describes a message analysis pipeline extracted from seized smartphones that integrates Knowledge Graphs (stored in Neo4j) and NLP models, with metadata extracted by a parser that identifies "participant list, phone numbers, start and end times, sender, and attachments." The authors demonstrate that semantic enrichment through the NEEL (Named Entity Recognition and Linking) pipeline is essential for prosecutors and law enforcement to be able to search and extract insights without manually reading all the material. KIM, Kyung-Jong; LEE, Chan-Hwi; BAE, So-Eun; CHOI, Ju-Hyun; KANG, Wook. Digital forensics in law enforcement: A case study of LLM-driven evidence analysis. Forensic Science International: Digital Investigation, v. 54, art. 301939, 2025. DOI: https://doi.org/10.1016/j.fsidi.2025.301939. The study demonstrates that the structured database generated from a mobile phone "contains up to 31 detailed columns, including fundamental metadata such as: source application, message type, content, unique chat room ID, name and phone number of the sender and recipient, and the time stamp," and that, before feeding the investigation algorithms,  this data is "anonymized (names are masked by Named Entity Recognition – NER, and phone numbers are randomized) to avoid leakage of sensitive data and violation of constitutional rights". [7]IPEA; SENASP/MJSP, op. cit. The Yearbook records that Sinesp VDE started to collect 28 standardized indicators as of 2023 and that only 11 Federation Units use Sinesp PPE (Electronic Police Procedures), with most states using their own systems and exporting spreadsheets or Business Intelligence tools. The work documents that some states refuse to send microdata alleging barriers linked to the LGPD "inadequately", compromising the statistical validity of the national system. PYTLOWANCIV, Diogo Fernando Sampaio. Intelligence-Led Policing and its Possibility of Implementation in Brazil. Brazilian Journal of Police Sciences, v. 15, n. 1, p. 103-123, Jan./Apr. 2024. Electronic ISSN 2318-6917. The author points out that Brazil has "police forces with shared attributions (separate ostensive police and judicial police)", generating distortions in the application of intelligence, and that the success of the Intelligence-Led Policing model "requires greater institutional integration, correlation of information sharing and proximity between different agencies". [8]SOUNDTHINKING, INC. Form 10-K: Annual Report Pursuant to Section 13 or 15(d) of the Securities Exchange Act of 1934 (Fiscal Year Ended December 31, 2024). United States Securities and Exchange Commission, 2025. Commission File Number 001-38107; Nasdaq: SSTI. The report describes CrimeTracer as capable of processing "more than 1.3 billion structured and unstructured data from multiple jurisdictions," operating through "federated search of structured fields" and cross-referencing local data with "billions of public data records" via integration with the Thomson Reuters CLEAR platform. The system demonstrates "The Power of the Network," allowing "access to crucial information not only from a specific agency's IT systems, but across local, county, state, and national borders," with ties to federal bases such as NIBIN and NCIC. The report identifies as critical gaps in current public security "the underreporting of violent crimes, gut-based patrolling and very low case resolution rates, which have reached the worst level in 40 years (less than 50% for homicides)". [9]MAORO, Falk; GEIERHOS, Michaela. Contestable AI for criminal intelligence analysis: improving decision-making through semantic modeling and human oversight. Frontiers in Artificial Intelligence, v. 8, art. 1602998, jul. 2025. DOI: 10.3389/frai.2025.1602998. The authors propose a "contestable AI" model for criminal intelligence analysis that integrates "semantic modeling and human oversight," requiring that "models be auditable, fair, and free of human bias." The study demonstrates how entity extraction by NLP and NER can transform free text from police reports into structured metadata (JSON format), overcoming the problem of "free-text narrative reports filled out by police officers, which are noisy, full of grammatical errors, and difficult to mine." [10]BRAZIL. Ministry of Justice and Public Security. The Government of Brazil formalizes a new system and protocol to strengthen the collection, management and use of criminal information in the country. Portal Gov.br, 06 Jan. 2026 (updated on 24 Jan. 2026). The document clarifies that Sinic "will become the single source for the issuance of the National Criminal Certificate and the Criminal Records Sheet", progressively replacing the fragmented systems of "courts, civil police and identification institutes of the Federation Units". The ordinance determines that adherence to the National Protocol for the Recognition of Persons will be a technical criterion to prioritize "the transfer of resources from the National Public Security Fund". [11]MJSP/CNMP. CNMP Resolution No. 318, of October 28, 2025 (BDP/MP); MJSP. Ordinance No. 1,123, of January 5, 2026 (Sinic). The articulation between these two normative instruments is the core of the proposal for governed interoperability supported in this article: the CNMP governs the procedural data of the Public Prosecutor's Office, while Sinic consolidates the criminal history in the bodies of the Executive. Interoperability between these databases — under agreed technical protocols and with audit trails — is a condition for systemic intelligibility. [12]MJSP/CG-RIBPG. XXII Report of the Integrated Network of Genetic Profile Banks (RIBPG): Statistical data and results — Nov/2024 to May/2025. Brasília: MJSP, May 2025. The report describes that the RIBPG adopts "a (federated) network architecture: there are 23 local Genetic Profile Banks (BPGs), managed by state, district and Federal Police forensic units, which are connected and processed centrally by the BNPG". The bank has already accumulated "more than 254,000 genetic profiles", with a hit rate of 7.08%, and carries out "international sharing of genetic profiles through INTERPOL", with Brazil having sent "more than 32,900 profiles of traces of crimes and more than 11,100 profiles of human remains to the global database" by May 2025. The RIBPG model demonstrates that the federated architecture — with strict technical standards, central governance, and international interoperability — is compatible with Brazilian federalism and can be replicated in other spheres. [13]NATIONS UNIES. Résolution 68/261: Principes fondamentaux de la statistique officielle. A/RES/68/261, 29 Jan. 2014. Principle 6 states that "individual data collected by statistical agencies (whether referring to natural or legal persons) shall be strictly confidential and used exclusively for statistical purposes," imposing a structural separation between official statistical data and data for criminal investigation. Principle 8 states that "coordination between statistical agencies within countries is essential to achieve consistency and efficiency in the statistical system". Principle 9 advocates the "international standardization of concepts, classifications and methods to ensure the consistency of systems". These principles provide the multilateral normative ballast for the quality, integrity and confidentiality requirements applicable to the statistical component of the CNMP Bank. [14]GROSSI, Alexandre Viezzer. The application of Artificial Intelligence in Brazilian public security: the case of São Paulo and the analysis of PL No. 2338/2023. Journal of Public Policies & Cities, v. 14, n. 4, 2025. ISSN: 2359-1552. DOI: https://doi.org/10.23900/2359-1552v14n4-72-2025. The author notes that "states and municipalities have been adopting self-regulation in the application of algorithms," subjecting public security to "methodological flaws, government discretion, data leakage, and discriminatory bias." The text argues that "before seeking unrestricted efficiency, prior national regulation (inspired by regulations such as the Brazilian LGPD and the European AI Act) is indispensable to ensure the legitimacy of technological use in the national territory". [15]AMBROSIO; BARBOSA, op. cit. The text narrates that, "in 2023, an investigation by the Federal Police revealed that the PCC (First Command of the Capital) was able to access the Detecta camera system", using the state database "to monitor an unmarked Civil Police vehicle, collecting data such as chassis and owner, in the midst of an assassination plan against Senator Sérgio Moro". The episode demonstrates that the absence of adequate technical and regulatory controls can transform state databases into operational instruments of organized crime. [16]NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY (NIST). Artificial Intelligence Risk Management Framework (AI RMF 1.0). Gaithersburg, MD: NIST, 2023. (NIST. AI.100-1). DOI: https://doi.org/10.6028/NIST.AI.100-1. The framework is based on the "premise that risks emerge from the interaction between technical components and social and institutional factors, requiring documentation, control, and continuous management" through the Govern, Map, Measure, and Manage functions. NIST AI RMF emphasizes the importance of "cleaning data, documenting metadata, and adopting privacy-enhancing technologies when training automated systems" and warns that "biased collection or loss of original context of data can make AI untrustworthy." The document calls for "data traceability" as the ability to "internally track and audit the datasets used by AI and their essential metadata." [17]EUROPEAN UNION. Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 (Artificial Intelligence Act). Official Journal of the European Union, L 2024/1689. ELI: http://data.europa.eu/eli/reg/2024/1689/oj. The AI Act classifies AI systems aimed at law enforcement as high risk, requiring risk management, transparency, human oversight, and registration in the European Commission's database. The regulation prohibits real-time remote biometric identification in public spaces as a general rule, admitting exceptions only upon judicial authorization for terrorist threats or serious organized crimes (human trafficking, terrorism, organized environmental crimes, sabotage, belonging to a criminal organization). The AI Act mandates that systems integrated into the EU's interoperability frameworks (Schengen Information System, Eurodac, ECRIS-TCN, Visa Information System) must be compliant by the end of 2030. [18]UNITED STATES DEPARTMENT OF JUSTICE. Artificial Intelligence and Criminal Justice: Final Report. Washington, D.C.: U.S. DOJ, 3 Dec. 2019. 2024. Prepared pursuant to Section 7.1(b) of Executive Order 14110 (repealed January 20, 2025). The report identifies as high-impact AI applications in criminal justice "identifying criminal suspects, predicting crimes, applying digital forensics techniques, monitoring social networks, or tracking the physical location of individuals," requiring for these systems "AI Impact Assessments and risk management practices." The DOJ acknowledges that "criminal data collection is historically flawed, requiring structured procedures to audit input data, avoid discriminatory feedback loops, and structure clean and representative databases." The report also details that crime prediction models integrate "metadata outside the scope of law enforcement, such as public health data (CDC), land elevation, zoning, weather, and proximity to public transportation." [19]VOUGHT, Russell T. M-25-21: Accelerating Federal Use of AI through Innovation, Governance, and Public Trust. Washington, D.C.: Executive Office of the President, Office of Management and Budget, 3 Apr. 2025. The memo encourages "the sharing of data, algorithmic models, and source code among Federal Government agencies" and recommends that "Chief AI Officers and Chief Data Officers actively coordinate data interoperability criteria between government agencies." The document encourages "standardization of data formats and interoperability across the federal government to facilitate the adoption and algorithmic integration of AI." [20]UNESCO. Recommendation on the Ethics of Artificial Intelligence. Paris: UNESCO, 2021. Code SHS/BIO/REC-AIETHICS/2021. The Recommendation establishes that "data relating to offences, criminal proceedings and convictions, and related security measures" are sensitive data whose disclosure "may cause exceptional harm to individuals", requiring "full security for personal and sensitive data". The document expressly prohibits the use of AI for "social scoring or mass surveillance" and determines that when States acquire AI systems for law enforcement and judicial systems, "independent mechanisms must be created to monitor the social and economic impact of such systems." The Recommendation requires that "datasets used to train AI systems be of high quality and do not reinforce bias, inequalities, or discrimination." [21]KÜÇÜK, Dilek; CAN, Fazli. Computational Law: Datasets, Benchmarks, and Ontologies. arXiv, 2025. Preprint 2503.04305v2. The article presents a comprehensive survey of datasets and ontologies for natural language processing in the legal domain, discussing the FEDLEGAL benchmark as an architecture in which "machine learning models are trained on distributed databases (which contain sensitive legal documents) without this local data needing to be centralized on a single server, mitigating privacy problems in the prediction of legal cases and sentences". Federated Learning offers a federalism-compliant distributed training model and the protection of sensitive data. [22]PYTLOWANCIV, op. cit. The author describes that in the USA, after the September 11 attacks, the National Criminal Intelligence Sharing Plan was created, which "established guidelines for information sharing, infrastructure standards, and the creation of fusion centers to strengthen interagency knowledge sharing." In Brazil, the author cites the Public Security Intelligence Subsystem (SISP) and the National Public Security Intelligence Policy (Pnisp), emphasizing that the main role of Intelligence-Led Policing should be directed to the mitigation of threats such as criminal organizations and extremist groups. [23]INTERPOL. Rules on the Processing of Data (RPD). Lyon: INTERPOL, 2019. The document establishes that "the success of international police investigations intrinsically depends on the availability of up-to-date global data" and that "all data shared complies with strict international standards, with a legal basis and built-in security features." INTERPOL manages specialized databases (Nominal Data with criminal history, photos and fingerprints; DNA profiling; child sexual exploitation material; Stolen or Lost Travel Documents; Stolen Vehicles and Works of Art; weapons tracked via iARMS and Ballistic Information Network) accessible by the I-24/7 system. INTERPOL's architecture demonstrates that "frontline officers (such as border guards) can simultaneously submit a query to both the national database and the INTERPOL database, obtaining cross-checks on both in a matter of seconds."
Medina Osorio Advogados - June 30 2026

The KYC challenges faced by luxury entities in Brazil: A recent COAF investigation and the limits of formal compliance

Know Your Client ("KYC") procedures have assumed an increasingly central role in anti-money laundering and counter-terrorism financing (“AML/CFT”) compliance programs. Entities are expected not only to identify their customers, but also to understand the nature of their activities and to assess whether transactions are consistent with the customer's financial profile, and to identify any red flags that may trigger an obligation to report to the authorities. In Brazil, Federal Law No. 9,613/1998 (the “Brazilian AML Law”) provides the primary AML/CFT framework, imposing a range of obligations on entities that operate in high-risk sectors (the “regulated entities”) to prevent, detect, and report potentially unlawful activity. The subject has gained renewed relevance following reports of an investigation into the Brazilian operations of a leading global luxury fashion conglomerate and its alleged failure to report a high-value transaction to the Financial Activities Control Council ("COAF"). The case offers a timely illustration of the practical challenges that KYC poses for regulated entities. The investigation According to publicly available reports, the Brazilian Federal Police is investigating whether transactions carried out at the Brazilian operations of a leading global luxury fashion conglomerate should have triggered the filing of a suspicious transaction report to COAF. The investigation centers on a purchase of approximately BRL 196,000 (one hundred and ninety-six thousand reais), allegedly made by an individual with declared share capital of BRl 6,000 (six thousand reais) who is registered as a microentrepreneur. Investigators also found that the same individual reportedly received transfers totaling approximately BRL 180,000 (one hundred and eighty thousand reais). Those funds allegedly originated from a production company linked to a musician who is himself under investigation in a separate federal police operation targeting an alleged criminal network accused of laundering billions of reais derived from drug trafficking and illegal online gambling schemes. The conglomerate, like any regulated entity, should have identified this red flag. The disparity between the value of the purchase and the customer’s publicly known financial profile, that of a microentrepreneur with minimal declared capital, is precisely the kind of indicator that a risk-based KYC framework is designed to capture. The situation is all the more serious because the entity had reportedly been sanctioned by COAF on a previous occasion for failures in customer identification and suspicious transaction reporting. KYC and the risk-based approach KYC procedures serve a function that extends well beyond the mere collection of customer identification data. A well-designed KYC framework requires entities to assess whether a given transaction is consistent with the customer's known economic and financial profile, and to apply enhanced due diligence wherever risk indicators emerge. This is, ultimately, the risk-based approach recommended by the Financial Action Task Force (“FATF”). Entities operating in sectors such as luxury retail, art, and high-value goods are expected to calibrate their controls in proportion to the specific risks they face. A transaction above the threshold COAF sets at BRL 10,000 (ten thousand reais), carried out by a customer whose financial profile is inconsistent with that amount, or who is connected directly or indirectly to a known criminal investigation, will call for enhanced due diligence to verify the legitimacy of the ultimate beneficial owner (“UBO”) and to assess whether a report to COAF is necessary. Equally important is the temporal dimension of KYC. An effective framework does not end at client’s onboarding. Ongoing transaction monitoring, and the capacity to identify anomalies against established customer profiles, are key components of a functioning AML/CFT compliance program. The case illustrates a specific vulnerability in this respect: the use of third-party transfers as a payment mechanism, where the UBO of the funds goes unverified, creates an exposure that a static KYC assessment would fail to capture. It is worth noting that the reporting threshold is lower than many entities assume, and that there is no need to prove the funds are illicit in order to trigger the reporting obligation; reasonable suspicion is enough. Conclusion The investigation is a concrete illustration of the compliance risks that arise when KYC frameworks are applied as a formality rather than as a substantive, risk-based management tool. The gap between a customer's declared financial profile and the value of a transaction, particularly where third-party fund flows and criminal associations are present, is precisely the kind of indicator that a robust KYC program must be designed to detect and escalate. In our experience, the most consequential KYC decisions are not made at the moment of onboarding, but in the ongoing monitoring of transactions and the readiness to act on red flags as they emerge. For precisely this reason, entities increasingly choose to work alongside specialized outside counsel, both to strengthen their compliance and AML frameworks and to manage regulatory and reputational risks that are, ultimately, as foreseeable as they are avoidable. Authors: Salim Saud, Caroline Rosa, Leonardo Kozlowski, Maria Clara Hardman.
Saud Advogados - June 26 2026