News and Business
EU prepares to recognize Brazil’s data protection legislation as adequate for international transfers
Preliminary version of the decision recognizes that Brazilian law guarantees a level of data protection equivalent to the European Union, initiating the adequacy process for international data transfers
Subjects
On September 5, 2025, the European Commission published a preliminary version of a future adequacy decision in which it will recognize that Brazil provides an equivalent level of personal data protection to European legislation for the purpose of international data transfers.
As with the EU’s General Data Protection Regulation (GDPR), the Brazilian Data Protection Law (LGPD) establishes that data can only be transferred internationally to countries or organizations with adequate levels of personal data protection, or when alternative mechanisms provided for in the LGPD are adopted (e.g., standard contractual clauses and binding corporate rules).
The EU assesses the degree to which countries protect personal data and their equivalence with European legislation via adequacy decisions.
Significance of the EU’s decision
The final version of the adequacy decision will facilitate the flow of personal data from the European Union to Brazil, as entities subject to European regulations will be able to freely transfer personal data to Brazil without the need to adopt other transfer mechanisms.
The decision will help establish Brazil as an international reference in data protection. It will facilitate the flow of information across borders, strengthen mutual trust between jurisdictions, and increase legal certainty for data controllers’ processes for protecting personal data.
Moreover, the decision is extremely important for investment in data centers in Brazil, as Brazilian servers will be considered processing agents in a jurisdiction with an equivalent degree of data protection to the European Union.
What comes next
Now that the preliminary version of the decision has been published, the relevant European bodies will move forward with the final procedures so the adequacy decision can be adopted in the future. This includes receiving an opinion from the European Data Protection Board (EDPB) and the appointment of a committee of representatives from the EU member states. Once these procedures have been concluded, Brazil will join a list of 16 other countries whose data protection measures have already been recognized as adequate, including the United Kingdom, Canada, Japan, South Korea, Argentina and Uruguay.
Adequacy decision to recognize EU legislation in Brazil
The Brazilian Data Protection Authority (ANPD) has already stated that it is working toward publishing an adequacy decision to recognize the equivalence of European legislation with the LGPD. According to the ANPD, a technical analysis is in its final stage. Once legal assessments have been conducted, the decision will be sent to the ANPD’s board for final deliberations, as provided for in the authority’s International Data Transfer Regulation. Mutual recognition between jurisdictions will further facilitate free flows between the two territories.
For more information on this topic, please contact Mattos Filho’s Data Protection & Cybersecurity practice.
