Brazilian Data Protection Authority intensifies data privacy regulation
International data transfers and the scope of legitimate interest are both on the authority’s priority agenda
International data transfers
On August 15, 2023, the Brazilian Data Protection Authority (ANPD) opened a public consultation for suggestions regarding its proposed regulation of international data transfers and standard contractual clauses. Interested parties have until September 14, 2023, to submit their contributions to the ANPD.
The ANPD previously opened another public consultation for contributions to international data transfers in May 2022. At the time, it published a list of questions to guide the public in contributing to the ANPD’s preparation of a draft regulation.
This time, the ANPD’s draft is included in the public consultation. It establishes both the main rules for international data transfers as per Brazilian legislation and a series of standard contractual clauses that would have to be included in agreements between data importers and exporters. Moreover, the draft regulation determines requirements for other specific situations involving international data transfers.
The ANPD’s proposal addresses the following key aspects:
- Definitions of specific terms applicable to data transfers – including exporter, importer, transfer, international data collection and corporate group.
- General guidelines and requirements for international data transfers, including obligations applicable to data controllers and processors.
- Definitions and limitations on situations where international data transfers may occur. The draft explicitly states that the international collection of personal data does not constitute an international data transfer.
- How international data transfer mechanisms can be applied in relation to the legal bases provided for in Sections 7 and 11 of the Brazilian Data Protection Law (LGPD); and
- Criteria the ANPD would have to consider when deciding whether regulations in other countries are adequate, as well as the procedure for publishing these decisions.
The proposed draft also provides for regulating contractual mechanisms that may be adopted as additional safeguards for international data transfers, including:
- Standard contractual clauses. The ANPD provides templates of standard contractual clauses in Annex II of its proposal. The draft also:
- Establishes that these clauses must be adopted in full to be considered valid, and there must be no changes to their wording;
- Establishes an obligation to make the agreement available to data subjects upon request; and
- Determines how these clauses can be implemented (e.g., as part of a specific agreement to regulate international data transfers) and made available (e.g., on the processing agent’s website).
- Equivalent standard contractual clauses. According to the draft, the ANPD could approve clauses equivalent to standardized clauses in Annex II through a specific proceeding, that could be initiated either by the ANPD itself (if deemed necessary) or upon request of interested parties.
- Specific contractual clauses. Data controllers would be able to request the ANPD to approve clauses concerning transfers that cannot be made under the standard contractual clauses if they can demonstrate the specific nature and possible exceptional circumstances regarding the transfer.
- Binding corporate rules. The ANPD would be able to approve the rules for international transfers between organizations in the same corporate group. The draft also provides minimum content requirements for the binding corporate rules. Furthermore, the proceeding to approve these binding corporate rules would be similar to the one for approving specific contractual clauses.
Following the call for contributions on International data transfers, the ANPD opened a second consultation on August 16, 2023, this time on a preliminary study regarding the legal basis of ‘legitimate interest’ provided for in the LGPD. Contributions to this consultation can be submitted to the ANPD until September 15, 2023.
The legitimate interest legal base authorizes (non-sensitive) personal data to be processed when necessary to meet the legitimate interests of the data controller or third parties, provided that such interests do not violate data subjects’ fundamental rights and freedoms.
Due to its subjective nature, data processing agents’ use of this legal basis has often led to certain doubts and uncertainty. As such, the study seeks to provide further detail and clarify important issues related to what classifies as the controllers’ and third parties’ legitimate interests. It provides practical examples of how the ANPD believes this legal basis can be applied, also introducing a Legitimate Interest Assessment (LIA) template for processing agents to assess the suitability and related risks of the legal basis in regard to its processing activities.
Together with the preliminary study, the contributions provided to this consultation will support future guidelines on the legal basis in question, aiming at providing data processing agents with more legal certainty when processing data according to their legitimate interests.
Mattos Filho has prepared an unofficial English translation of the ANPD’s draft – including Annex II (standard contractual clauses).
For further information on the ANPD’s activities and other aspects of data protection, please contact Mattos Filho’s Data Protection & Cybersecurity practice area.