New rules just took effect in Brazil regulating international data transfers, and employers doing business in the country must take note. Covered data processing agents – such as companies in Brazil that transfer data to entities abroad, foreign countries, and international organizations – now must either have a favorable “adequacy decision” from Brazil’s data protection authority or certain contractual mechanisms in place before carrying out international data transfers. This will even affect companies that are not based in Brazil and do not operate there directly, as long as they receive personal data from Brazil. We’ll explain everything and give you six steps you should consider taking next.
Quick Background
The Brazilian Data Protection Authority (ANPD) published the new regulation (Resolution CD/ANPD No. 19) on August 23 to complement the international data transfer rules under the Brazilian General Data Protection Law (LGPD). The new rules, which took effect immediately, generally apply to data processing agents transferring or receiving personal data from Brazil, including:
- controllers – for example, a Brazilian business responsible for decisions regarding the processing of personal data; and
- processors – for example, a U.S. business that processes personal data on behalf of a controller.
Now, international data transfers must be supported by either an “adequacy decision” or an approved contractual mechanism.
Adequacy Decisions
The ANPD may recognize, through an adequacy decision, the equivalence of the level of personal data protection in a foreign country or international organization to Brazil’s data protection standards. The transfer of data to countries or organizations deemed adequate is likely to be faster and more straightforward. There are several criteria for this evaluation, such as:
- the current rules that impact the protection of personal data in the foreign country or international organization;
- compliance with the general data protection principles provided under the LGPD; and
- whether there are safety measures and judicial guarantees that protect personal data.
The ANPD previously did not issue adequacy decisions for any country or international organization. According to the regulation, priority will be given to countries or organizations that offer reciprocal treatment to Brazil, promoting the free flow of data between the parties. There is no estimated date or period when the ANPD will issue its first adequacy decision.
Contractual Mechanisms
Alternatively, an international data transfer may be supported by certain contractual mechanisms.
Standard Contractual Clauses
The regulation provides standard contractual clauses that must be used when carrying out international data transfers. The standard contractual clauses, which provide minimum safeguards to ensure compliance with Brazilian data protection standards, may be integrated in a contract specifically regulating international data transfers or in a contract with a broader scope (or even in an amendment to a pre-existing agreement). Here are two key points to know:
- Compliance Deadline for Existing Agreements. Companies that already use contractual clauses to transfer data internationally must incorporate the regulation’s standard contractual clauses into their agreements by August 23, 2025.
- Consequences of Non-Compliance. Modifying the standard wording will give cause to the invalidation of the data transfer and, potentially, the application of fines.
Specific Contractual Clauses
A controller may request the ANPD to approve a specific contractual clause, which must comply with Brazilian data protection standards and be subject to the application of Brazilian law. Specific contractual clauses can be used only when the international data transfer cannot be accomplished by using the standard clause due to exceptional circumstances (as properly proven by the controller). The approval proceeding is detailed in the regulation.
Global Corporate Rules
The ANPD may approve binding corporate rules for international data transfers between organizations of the same group or conglomerate of companies. These rules must be tied to the implementation of privacy-related governance programs, as determined by the LGPD. They also must contain certain information, such as:
- a description of the international data transfer to which the rule applies;
- the purpose of the data transfer;
- the countries where data can be transferred; and
- the binding nature of the corporate rule for all members of the group or conglomerate, including their employees.
The approval proceeding for a global corporate rule is detailed in the regulation.
Transparency Measures (Controllers Only)
Upon request, a data controller must make certain information (such as the full text of the contractual clauses used to execute the data transfer) available to the data subject within a specified timeframe. A controller also must publish on its website a document containing information on an international data transfer, such as:
- the country where data is being sent;
- the purpose of the transfer; and
- the data subjects’ rights.
This document must be in Portuguese and use simple, clear, precise, and accessible wording.
What’s Next?
To stay compliant with this new regulation, you should consider taking these six steps:
- Review your current policies and agreements to identify those containing provisions on international data transfers from Brazil.
- Amend existing policies and agreements to include the standard contractual clauses. Remember to use the exact wording provided in the regulation and to make this change by August 23, 2025.
- Adopt the standard contractual clauses (either in a specific agreement for the international data transfer or as part of a broader agreement) to cover your international data transfers going forward.
- Request approval from the ANPD if you wish to use specific contractual clauses or a global corporate rule for the international data transfer.
- Look out for the ANPD to start issuing adequacy decisions that might apply to you.
- Implement transparency measures (controllers only) by publishing a compliant document on your website when required and timely responding to data subjects’ requests for information as required.
