Brazil is the world’s eighth largest economy in terms of GDP, and by far South America’s most populous and powerful state. While the country has suffered economic and political crises since 2014, it has made significant advances in domestic digitization and played a pivotal, albeit ambiguous role in international negotiations on cyberspace. Brazil has the world’s fifth largest internet user base, after China, India, the United States and Indonesia, and is a leading country in South America when it comes to ICTs usage. The share of Brazilians using the internet has increased from less than 3% of the population in 2000 to more than 68% in 2019. As such, Brazil remains a critical partner for the EU’s efforts to build a secure, stable and rights-based cyberspace.

According to the International Telecommunications Union (ITU), as of 2021, Peru had an internet penetration rate of around 71.1 %. However other indexes place this number in the mid 60’s. Although many improvements were made in the past few years, Peru still possesses low network coverage, especially in rural areas and a relatively low network performance.
The government of Peru has been implementing initiatives to increase connectivity in rural areas, including a national broadband plan and a program to deploy free Wi-Fi hotspots in public spaces, with a year-on-year increase of almost 100 %.
Peru ranked 86 out of 182 countries surveyed in the ITU’s Global Cybersecurity Index in 2020.

As of 2009, Ukraine has been a member of the Eastern Partnership (EaP) and a strategic partner for the EU. On the basis of the EU-Ukraine Association Agreement (AA) signed in 2014, the country has engaged in legislative and policy reforms aiming at gradual convergence with the EU acquis, including on digital economy. During the past two years, digitalisation has become a “flagship topic” in Ukraine, with a growing focus on e-government, digital citizenship, and state support for the local IT industry. Ukraine suffered large-scale cyberattacks during the 2014 presidential elections [x], distributed denial of service (DDoS) attacks during the Russian invasion of Crimea in 2014 [x], malware attacks on its power grid in 2015 [x], and was also heavily impacted by the devastating global-scale NotPetya attack in 2017. This explains why Ukraine prioritised capacity building efforts to strengthen its cyber resilience.

In accordance with the output produced by the 2013, 2015, and 2021 consensual reports of the United Nations Groups of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (UNGGE), Brazil believes that international law enjoys general applicability in cyberspace. For Brazil, this also includes international humanitarian law and international human rights law. Nevertheless, Brazilian delegations have expressed concern that unqualified transfers of international humanitarian law and an unlimited right of self-defence could legitimise cyberspace as a military domain, while also challenging the protective value of sovereignty and cementing a Western-biased status quo.

Peru is one of the Latin American countries to have signed and ratified the Council of Europe’s Convention 108+.
The country has also participated in the United Nations Open-ended Working Group (OEWG) on Developments in the Field of Information and Telecommunications in the Context of International Security. As a matter of fact, after the third substantive session of the OEWG, Peru issued a statement supporting the primacy of the UN Charter and the application of international law in the use of ICTs and in cyberspace, as well as the future establishment of legally binding obligations.
On the other hand, Peru along with Chile and the United States of America, has a divergent view on the notion of cyber attack and the applicability of international law. Peru states that in order for a cyber operation to be considered an attack, it results in direct death, injury or physical harm.

-

Brazilian diplomats portray Brazil’s role in the often polarised debates on norms of responsible state behaviour as that of a broker or strategic bridge-builder between the different camps rather than a mere ‘swing state’ and highlight that balancing between both camps serves to maintain an independent foreign policy. Brazil sought to focus its chairmanship of UN GGE’s third and fourth iterations on three issues: the role of civilians in cyber conflict, the right to respond, and attribution. Since the 2013 Snowden revelations, the country has been a stark champion of data protection, showcasing exceptional norm entrepreneurship
in relation to cyber-surveillance norms. Brazil has also expressed support for the proposal of adopting a legally binding instrument in the medium to long-term to prevent the militarisation of cyberspace.

Peru stresses the need to make a distinction between 'cyber attacks' (which involve 'damage being caused to a militarily relevant target, which may be totally or partially destroyed, even captured or neutralised') and an 'abrupt disruption of communications in cyberspace', i.e. cyber operations that cause inconvenience, even extreme inconvenience, but not direct injury or death, or destruction of property. Accordingly, Peru emphasises the determination of the legality of cyber operations in the context of the use of force by taking into account whether they may result in death or injury to persons or property.
Peru has noted the difficulty of attribution in cyberspace. Coinciding with other American states, Peru has focused on the state's duty to ensure that its territory is not used by non-state actors to launch attacks. In this regard, Peru states that the inertia of a state towards a non-state actor that could unleash a cyber-attack on another state and that it was in a position to control could make its behaviour attributable to the state.
In any case, Peru highlights the validity of various human rights in cyberspace, including 'the right to privacy and intimacy, freedom of information, freedom of expression, free and equal access to information, bridging the digital divide, intellectual property rights, free flow of information, the right to secrecy of communications'.

-

Brazil’s 2020 National Cybersecurity Strategy (E-Ciber) outlines ten strategic actions to be undertaken in relation to cyber resilience, which include the extension of international cooperation and the enhancement of protection for critical infrastructure. The Strategy pledges Brazil to encourage international cooperation in cybersecurity, participate in joint cyber resilience events and exercises, and expand cybersecurity cooperation agreements. On the level of discourse, Brazil remains committed to international cyber cooperation in resilience, staying true to its traditional stance in favour of multilateral solutions.

The Personal Data Protection Law N° 29733 (PDPL) was enacted in June 2011. In March 2013, the Supreme Decree N° 003-2013-JUS-Regulation of the PDLP (Regulation) was published in order to develop, clarify and expand on the requirements of the PDPL and set forth specific rules, terms and provisions regarding data protection.
Together, the PDLP and its Regulation are the primary data protection laws in Peru.
As of 2021, Peru approved the Bill that creates the National Authority for Transparency, Access to Public Information and Protection of Personal Data.
Peru possesses a Digital Trust Framework, as a means to establish certain obligations for public or private entities acting as digital service providers. These include reporting when a digital security incident involving personal data occurs, as well as implementing technical, organisational, and legal security measures to guarantee the confidentiality of information transmitted through its communications services.
Over the last decades, the Peruvian state has made efforts to promote digital transformation, both within its institutions and in the services it offers to citizens and has outlined a Digital Agenda in 2021 for Digital Transformation.

-

Brazil originally refrained from signing the Budapest Convention on Cybercrime and had expressed scepticism in response to invitations to accede. The argument advanced was that the treaty is Western-biased and lacking in inclusivity, given that Brazil was not part of the original drafting process. During voting for UNGA Resolution A/74/401, the Russian-sponsored proposal for a new binding Cybercrime Convention, Brazil abstained; during meetings with the BRICS leaders, however, Brazil had endorsed Russian pleas for a new cybercrime instrument to replace the Budapest regime. Upon invitation by the Council of Europe, Brazil finally initiated the process of accession to the Convention in December 2019 and is now an observer country.

Peru’s signature and ratification of the Budapest Convention on Cybercrime, which is the only binding international instrument dealing with cybercrime, was a great step towards advancing a cyber agenda.
In 2019, Peru passed a Cyber Defence Act, with the objectives of defending and protecting sovereignty, national interests, critical national assets and key resources to maintain national capabilities against threats or attacks in and through cyberspace, when these affect national security.Peru has also passed a Cybersecurity Framework for the private sector, with the objective of identifying and protecting information assets, detecting security events, and providing for response and recovery from cybersecurity incidents.
In this context, there are more and more reports of cybercrime in the country. According to data from the Public Prosecutor's Office, in 2021 they received 18,596 reports of cybercrime cases, which represents a percentage increase of 92.9% compared to 2020, with phishing and ransomware being the most common attacks.

-