Recently, the Brazilian Federal Revenue Service (“RFB”) issued COSIT Ruling No. 307/2023, which voids PIS/COFINS credits on expenses incurred for the implementation of the Brazilian General Data Protection Law (“LGPD” ). This Ruling appears to follow an interpretative line of the RFB interpretation limiting PIS/Cofins credits on several expenses, even if they are mandatory by law or essential for the companies' activities.

However, differently from the RFB, we understand that the concept of input defined by the Superior Court of Justice (“STJ”) in REsp nº 1,221,170 (Theme 779 of repetitive cases) should allow companies to benefit from PIS/COFINS credits on expenses related to all inputs. In our view, the concept defined in the STJ includes expenses with the implementation of data protection systems and procedures, as adherence to the LGPD guidelines is mandatory, in addition to being essential for carrying out activities.

The Judiciary has been ratifying a different understanding from that recently adopted by the RFB, reiterating that companies are entitled to PIS/COFINS credits on expenses related to the LGPD (in addition to other expenses required by law or essential to their activities).

Therefore, based on our understanding and the precedents that have been handed down by the Judiciary, we consider that the legality of the recent COSIT Ruling No. 307/2023 and others in the same sense is questionable, This is why we reiterate our recommendation that companies evaluate the impact of LGPD implementation costs, as well as other expenses that are mandatory by law or essential to their activities.

We also suggest that this review be carried out for both the future and the past, given the possibility of recovering PIS/COFINS credits in relation to the last 5 years, updated by the SELIC Rate.

By Henrique Erbolato