Brazilian Data Protection Authority regulates international data transfers
New ANPD resolution establishes rules and procedures for international data transfer operations in consideration of the LGPD and the content of standard contractual clauses
On August 23, 2024, The Brazilian Data Protection Authority (ANPD) published Resolution No. 19/2024, approving the Regulations on International Data Transfers (Regulations) and the content of standard contractual clauses in accordance with the Brazilian Data Protection Law (Law No. 13,709/2018 – LGPD).
The Regulations are the result of a regulatory initiative the ANPD began in 2022, which involved collecting contributions, public consultations, and public hearings.
As global operations continue to expand, the publication of the Regulations represents an important step in strengthening and enabling data flows between countries, while also ensuring the protection of data subjects’ rights in Brazil.
Objectives and scope
The Regulations define rules and procedures for international data transfers either to countries with adequate protection (as recognized by the ANPD) or when the controller demonstrates it complies with the LGPD through contractual clauses or global corporate rules. The Regulations do not rule out the possibility of transfers based on other mechanisms established by Article 33 of the LGPD, provided that legal requirements and the specificities of the case are met.
Definitions
International data transfers occur when personal data is transferred from a Brazil-based exporting agent to an importing agent located in another country.
International data collection is defined as the collection of personal data directly from the data subject by an entity located abroad. It is not considered an international transfer, although it must comply with the provisions of the LGPD if it falls within the territorial scope established in Article 3 of that law.
Both the controller and the processor must adopt effective measures to ensure and demonstrate compliance with data protection regulations. The effectiveness of such measures must be compatible with the level of risk associated with the data processing and the international transfer mechanism used.
Legal bases and transfer mechanisms
International data transfers may only be carried out for legitimate, specific, explicit purposes that the data subject is informed of, and any further processing incompatible with this is not permitted. It must be supported by one of the legal bases provided for in Articles 7 and 11 of the LGPD. It must use a valid mechanism, such as an adequacy decision recognized by ANPD, contractual clauses, and global corporate rules, which are detailed below.
Adequacy decisions
The ANPD may apply an adequacy decision to recognize that the level of personal data protection in a foreign country or international organization is equivalent to Brazilian legislation, in accordance with the LGPD and the Regulations.
In assessing the level of protection, criteria such as the following will be considered:
- The general and sector-specific rules and regulations of the destination country or international organization;
- The nature of the data;
- Compliance with data protection principles and data subjects’ rights;
- The security measures adopted;
- Existing judicial and institutional guarantees, including the presence of an independent regulatory authority; and
- Other specific circumstances related to the transfer.
The following will also be considered:
- The risks and benefits of the adequacy decision;
- Impacts on international data flows;
- Diplomatic relations, international trade and cooperation.
Countries or organizations that offer reciprocal treatment to Brazil and can facilitate the free flow of data between the parties will be prioritized.
The ANPD’s procedure for issuing an adequacy decision may be initiated by its board of directors or at the request of certain public law entities, analyzed by the competent technical area, and subject to final deliberations from the board. The adequacy decision will be published via a resolution on the ANPD’s website.
If another country or international organization starts a process to consider whether Brazil is an adequate country, the same procedures above will be followed within the ANPD.
Standard contractual clauses
The ANPD-approved standard contractual clauses establish minimum guarantees and valid conditions for international data transfers.
The standard clauses are contained within Annex II of the Regulations and contemplate the positions of the exporter and the importer, whether as controllers or processors.
The text of the clauses must be adopted in its entirety for the transfer to be valid (i.e., without amendments), and must be included in a contractual instrument signed between the exporter and the importer. This may be part of a specific or broader contract, provided that the standard clauses are not modified.
The controller must ensure transparency in relation to the data subject, including:
- Providing (if requested) the full text of the contractual clauses used, in observance of commercial and industrial secrets;
- Publishing clear and accessible information about the international data transfer on its website (either on a specific page or directly in its Privacy Policy), such as details on the purpose, duration, destination country, and the rights of the data subject.
Equivalent standard contractual clauses
The ANPD may recognize the standard contractual clauses of other countries or international organizations to be equivalent, provided they are compatible with the provisions of the LGPD. This is an innovation of the LGPD compared to other data protection regulations worldwide, such as the General Data Protection Regulation (GDPR), and it is expected to assist data processing agents in achieving more consistency in their global practices.
The equivalence decision will consider the following:
- Whether the clauses are compatible with the LGPD and ensure a level of data protection equivalent to that of the Brazilian standard contractual clauses; and
- The risks and benefits, as well as the impacts on international data flows, diplomatic relations, international trade and cooperation.
Specific contractual clauses
The controller may request the ANPD approve specific contractual clauses for international data transfers, so long as it can guarantee compliance with the principles and rights provided for in the LGPD.
These clauses are permitted when the standard clauses are not feasible due to exceptional circumstances. They must also provide for the application of Brazilian law and submission to ANPD oversight.
The ANPD will evaluate the following:
- Whether the specific clauses are compatible with the LGPD and ensure a level of data protection equivalent to that of the Brazilian standard contractual clauses;
- The risks and benefits, as well as the impacts on international data flows, diplomatic relations, international trade and cooperation.
Clauses that can be used by other agents in similar circumstances will be prioritized.
In the clauses submitted to the ANPD for approval, the controller must:
- Match (whenever possible) the wording of the standard clauses; and
- Justify the need for specific clauses.
Global corporate rules
Global corporate rules are binding mechanisms for international data transfers between organizations within the same group or corporate conglomerate. They are valid for transfers between organizations or countries covered by these rules, which must be associated with a privacy governance program that meets the LGPD’s requirements.
Global corporate rules must provide details of the data transfers, establishing:
- A description of international data transfers – including data categories, processing operations, purposes, legal bases, and types of data subjects;
- The identification of countries that data may be transferred to;
- The structure of the group or corporate conglomerate, with a list of associated entities, roles in processing, and contact information;
- A determination of the binding nature of global corporate rules for all group members, including employees;
- Delimited responsibilities in regard to the data processing, indicating the responsible entity;
- An indication of data subjects’ rights and the means for exercising them;
- Rules for the review process for global corporate rules and provisions to submit them to ANPD approval;
- Disclosures to the ANPD in the event of changes to data protection guarantees, especially if a group member is subject to laws of another country that prevent compliance with the rules.
These rules must include the obligation to notify the responsible entity if a group member is subject to laws that prevent compliance with the rules, except in cases of legal prohibition of notification.
Validity and deadlines for adapting to standard contractual clauses
The Regulations came into effect on the date of publication.
Data processing agents conducting international data transfers through contractual clauses have up to 12 months (until August 22, 2025) to incorporate the ANPD-approved standard clauses into their contracts.
A non-official English version of the Regulations is available here. The official text in Portuguese is available here.
For further information on this topic, please contact Mattos Filho’s Data Protection & Cybersecurity practice area.