Brazil’s New International Data Transfer Regulations
Practical Steps for Complying with New International Data Transfer Regulations published by the Brazilian DPA
On August 23, 2024, the Brazilian Data Protection Authority (ANPD) issued Resolution No. 19/2024, introducing new regulations for international data transfers. These regulations provide much-needed guidance to businesses involved in cross-border data flows under the Brazilian Data Protection Law (Law No. 13,709/2018 – LGPD). Moves toward issuing these regulations began in 2022 when the ANPD initiated a series of public consultations and hearings to gather input from stakeholders. As global operations expand, these regulations represent a crucial step both toward facilitating international data flows and protecting data subjects’ rights in Brazil.
Overview of International Data Transfers under the LGPD
Data processing agents must comply with the LGPD’s requirements (Article 33) to legally transfer personal data outside Brazil. While the LGPD offers a general framework for such transfers, its provisions are often vague. Generally, personal data can be transferred internationally under the following conditions: (i) when the destination country ensures an adequate level of data protection; (ii) when standard contractual clauses (SCCs), binding corporate rules (BCRs), or other safeguards (such as seals or certificates) are in place; (iii) if the transfer is necessary for international legal cooperation between public authorities; (iv) when the transfer protects the life or physical safety of the data subject or a third party; (v) when the data subject has given specific and highlighted prior consent to the transfer, after being informed of its international nature; or (vi) when the transfer is necessary to meet legal or regulatory obligations, execute a contract, or defend rights in judicial, administrative, or arbitration proceedings.
International Data Transfer Regulations
The newly issued regulations provide greater clarity on the international data transfer mechanisms established by the LGPD. Under the regulations, an international transfer occurs when personal data is sent by a processing agent in Brazil to a recipient located in a foreign country or to an international organization.
With the LGPD and new regulations in place, companies must take several steps to ensure compliance:
1. Map out data transfers:
The first step involves mapping out all personal data transfers from Brazil to foreign entities. This includes identifying what categories of personal data are transferred, the purpose of the transfer, the destination countries, and the recipients. A clear understanding of these data flows is crucial to ensuring compliance and adequate risk management.
2. Ensure compliance with LGPD principles:
Companies must ensure that all transfers are carried out for legitimate, specific, and explicit purposes and that these have been communicated to the relevant data subjects. Any processing that deviates from these purposes is prohibited. This step involves confirming that the transfer aligns with key LGPD principles, such as necessity, adequacy, transparency, and non-discrimination.
3. Determine the appropriate legal basis:
Controllers must identify a legal basis for the transfer. The LGPD provides ten possible legal bases for processing personal data (including the data subject’s consent, compliance with legal and regulatory obligations, the performance of a contract, and legitimate interests), and companies must carefully assess which is most suitable for each transfer. Factors such as the nature/category of the data, the transfer’s purpose, and the reasonable expectations of the data subject should be considered.
4. Assess the appropriate international data transfer mechanisms:
Data controllers must determine whether the ANPD has recognized the countries they transfer data to as providing an adequate level of data protection. If transferring data to a country with an adequacy decision, companies must ensure that their practices meet the recognized standards. Since the ANPD has not yet recognized any country as adequate, companies must for now rely on the other LGPD mechanisms to justify their international data transfers. Key options include:
- ANPD-approved standard contractual clauses (SCCs): These clauses (included in Annex II of the new regulations) outline minimum protections for data transfers. The standard clauses contemplate the positions of the exporter and the importer, whether as controllers or processors. These clauses must be adopted in full without changes and incorporated into contracts. Companies have until August 22, 2025, to incorporate them into their contracts or sign a standalone agreement with the standard contractual clauses.
- Equivalent standard contractual clauses: The ANPD may recognize SCCs from other jurisdictions as equivalent to its own, although no such clauses have been approved yet. This mechanism has no direct counterpart in other data protection frameworks, such as the General Data Protection Regulation (GDPR).
- Specific contractual clauses: When the standard clauses are impractical, companies may request the ANPD approve tailored clauses, provided they can justify the need for them. These clauses should still follow the wording of the standard clauses as closely as possible.
- Global corporate rules (BCRs): BCRs provide a framework for intra-group data transfers in multinational corporations. These rules must comply with LGPD standards, clearly outline data transfer procedures, establish responsibilities, and include ANPD oversight. All entities within the group must be bound by these rules.
With the new regulations taking effect immediately, companies are expected to assess and adjust their data transfer mechanisms as necessary to meet the new compliance standards.
Additional Compliance Considerations
Companies engaging in international data transfers should also take the following steps:
- Emphasize transparency: Companies must inform individuals about how their data is being transferred, the legal basis for the transfer, and the safeguards in place to protect their data. This information should be readily accessible to the public, ideally via the company’s website.
- Stay informed regarding adequacy decisions: As the ANPD begins recognizing countries with adequate data protection standards, companies should keep up to date with these developments.
- Stay in open communication with the ANPD: Businesses planning to submit specific contractual clauses for approval should stay in open communication with the ANPD.
- Conduct regular audits and training: Ongoing audits, employee training, and updates to internal data protection policies are essential to ensuring compliance in Brazil’s evolving regulatory landscape.
By following these steps, companies can ensure they meet the ANPD’s new standards for international data transfers, protecting personal data and maintaining stakeholder trust. The new regulations mark a significant step forward in Brazil’s data protection framework, bringing it closer to global standards and strengthening individuals’ rights when data crosses borders. For companies, the challenge now lies in evaluating their data transfer practices and adapting their contracts and procedures to align with these new requirements.