Brazil and the European Union have equivalent levels of data protection

Brazil and the European Union will formalize the reciprocal recognition of the adequacy of their respective personal data protection regimes. This initiative signals that both jurisdictions consider their legal frameworks – the LGPD (Law No. 13,709/2018) and the GDPR (General Data Protection Regulation) – to provide essentially equivalent levels of protection.

In practice, this recognition will enable more streamlined and legally secure international transfers of personal data between Brazil and EU Member States, generally eliminating the need for additional transfer mechanisms such as Standard Contractual Clauses (SCCs).

The official announcement took place on January 27, 2026, at a ceremony at the Brazilian Presidential Palace, and the official legal instruments have been published by both the European Commission and the Brazilian National Data Protection Agency (ANPD).

Below are key questions and answers to support an immediate understanding of the matter.

What is an adequacy decision?

An adequacy decision is one of the legal mechanisms provided under both the LGPD and the GDPR that permits the transfer of personal data to another jurisdiction when the destination country or international organization is deemed to ensure a level of protection essentially equivalent to that of the originating jurisdiction.

What was announced between Brazil and the EU?

The mutual recognition of the adequacy of data protection regimes was announced through unilateral, legally autonomous decisions that were coordinated between the two jurisdictions.

Does this mean data may now flow freely between Brazil and the EU?

With the official publication of the adequacy decisions by both the ANPD and the European Commission – a milestone in mutual recognition – personal data may flow between Brazil and the EU without the need for additional transfer mechanisms. Organizations should ensure their internal documentation and records reflect the new legal grounds applicable to these bilateral transfers.

What are the main expected benefits for companies and for the jurisdictions involved?

Mutual recognition of adequacy tends to generate significant benefits for both companies and the regulators and governments of the jurisdictions involved. Among the main positive impacts are:

For companies:

• Reduced compliance costs and administrative burden, since additional transfer mechanisms (such as SCCs, specific clauses, or transfer impact assessments) will generally no longer be required.
• Enhanced legal certainty, with reduced exposure to regulatory enforcement risks associated with cross-border data transfers.
• Streamlined digital operations, including cloud services, human resources systems, CRM platforms, marketing technologies, and cross-border IT infrastructure.
• Increased capacity for innovation, supporting data-driven business models, artificial intelligence, and machine learning applications that rely on stable cross-border datasets.
• Facilitated commercial partnerships and foreign investment, particularly for EU companies evaluating the Brazilian market and for Brazilian companies expanding into the EU.
• Simplified multinational corporate groups, enabling greater harmonization of internal policies, contractual templates, and global compliance frameworks.

For the jurisdictions involved (Brazil and the European Union):

• Strengthened regulatory cooperation, fostering greater interpretive alignment between the ANPD and European supervisory authorities.
• Stimulation of investment and international trade through the reduction of regulatory barriers related to the digital economy.
• Integration into global value chains, particularly in sectors reliant on continuous data flows, such as technology, financial services, healthcare, and mobility.

Are there any exceptions or limitations?

Yes. Like the GDPR, the LGPD establishes specific exemptions. Notably, personal data transfers undertaken exclusively for purposes of public security, national defense, State security, or activities related to the investigation or prosecution of criminal offenses are not within the scope of the LGPD. Consequently, these transfers are not covered by adequacy decisions.

What should companies transferring data between Brazil and the EU do now?

With the adequacy decisions between Brazil and the EU finalized and published, organizations may rely on them for bilateral data transfers between those jurisdictions. Companies should update their data-mapping documentation, internal governance policies, and contractual frameworks to reflect the new regulatory scenario.

For more information about the ANPD’s activities, please contact Mattos Filho’s Data Protection & Cybersecurity practice area.