Brazil Enforces New Rules for International Data Transfers Under LGPD

September 19, 2024

In a significant move to bolster data protection, the Brazilian Data Protection Authority (ANPD) has released Regulation 19/2024, governing international data transfers in compliance with Brazil’s General Data Protection Law (LGPD). This regulation is a cornerstone for establishing standardized mechanisms such as standard contractual clauses (SCCs) and adequacy decisions, making it a critical framework for international data management.

Permissible International Data Transfers

Conditions for Data Transfers

Under the new regulation, the ANPD mandates specific conditions for international data transfers from Brazil to other countries. Such transfers are permissible if the receiving country is recognized by the ANPD as providing adequate data protection. This determination involves assessing whether the third country maintains an equivalent level of data protection to that of the LGPD. An adequacy decision serves as a green light for data transfers without requiring additional safeguards.

Transfer mechanisms become indispensable where adequacy recognition is not achievable. The regulation allows for the use of SCCs, binding corporate rules (BCRs), or specially tailored contractual clauses. These tools must guarantee that the data transferred is subject to protective measures compliant with the LGPD. In addition, certain exceptions can permit data transfers, including explicit consent from the data subject or scenarios requiring data transfer for the protection of a life.

Specifics of Standard Contractual Clauses

One notable aspect of Regulation 19/2024 is the introduction of new SCCs approved by the ANPD, which will enable streamlined controller-to-controller and controller-to-processor data transfers. The innovation here lies in their compatibility with Brazilian laws, as they mirror the constructs found in the European Union’s regulations but are customized to fit the LGPD framework. Brazilian companies are mandated to update their existing transfer agreements to these new SCCs by August 22, 2025, aligning them with the current legal standards.

The ANPD’s role extends to potentially recognizing SCCs from other jurisdictions, provided they align with the LGPD’s intricacies. This provision adds an element of flexibility for businesses engaged in transnational data flows. However, as of now, the ANPD has yet to recognize the SCCs of the European Union, indicating a cautious and deliberate approach in ensuring rigorous safeguards are maintained.

Framework for Adequacy Decisions

Assessment Criteria

Adequacy decisions form another crucial pillar of Regulation 19/2024. In making these decisions, the ANPD must thoroughly evaluate the third country’s adherence to data protection principles, rights, and legal safeguards. This assessment ensures that personal data enjoys a level of protection equivalent to that under Brazilian law, thereby protecting the fundamental rights of data subjects when their data is transferred abroad.

An adequacy decision involves a comprehensive review of the legal framework of the recipient country, including its data protection norms, enforcement mechanisms, judicial redress options for data subjects, and the overall effectiveness of such measures. This rigorous process underscores the ANPD’s commitment to maintaining high standards of personal data protection, even beyond national borders.

Procedures for Customized Clauses and BCRs

Apart from standard mechanisms, the regulation provides for the use of customized contractual clauses and BCRs in exceptional circumstances. Organizations may seek ANPD approval for bespoke clauses when standard SCCs are found inadequate due to specific operational contexts. These contractual clauses must nonetheless offer protections equivalent to those stipulated under the LGPD.

Binding corporate rules (BCRs) are another alternative for data transfers within corporate groups. Regarded favorably by multinational corporations, BCRs provide a comprehensive internal data protection policy, ensuring that intra-group transfers meet the requisite legal standards. Such rules must be legally binding and enforceable across all subsidiaries, maintaining LGPD-compliant protection levels. The ANPD’s role in approving these mechanisms ensures that organizational-specific needs are balanced with rigorous data protection standards.

The Broader Impact of Regulation 19/2024

Implications for Brazilian Companies

Regulation 19/2024 represents a significant advance in Brazil’s data protection landscape, reflecting a balanced approach to facilitating international data flows while maintaining stringent data protection standards. For Brazilian companies, this regulation introduces new compliance requirements but also provides clear guidelines to facilitate data transfers. Companies must undertake thorough reviews and updates of their existing data transfer agreements to align with the new SCCs by the stipulated deadline in 2025.

The regulation’s flexibility in accepting international SCCs, provided they are LGPD-compatible, offers Brazilian businesses an adaptable framework for international operations. However, the ANPD’s selective recognition process fosters an environment of caution. As businesses navigate this regulatory landscape, they must remain vigilant, ensuring that cross-border data transfers do not compromise data protection principles.

The ANPD’s Commitment to Data Protection

In a crucial step to enhance data protection measures, the Brazilian Data Protection Authority (ANPD) has introduced Regulation 19/2024, which addresses international data transfers under Brazil’s General Data Protection Law (LGPD). This new regulation aims to create uniform procedures and legal frameworks to manage international data flows securely and effectively. It includes the implementation of standard contractual clauses (SCCs) and the making of adequacy decisions, both of which are essential for ensuring that data transferred out of Brazil meets rigorous privacy standards.

Regulation 19/2024 serves as a foundational pillar for organizations engaged in cross-border data activities, providing them with clear guidelines to comply with legal mandates and safeguard personal data. The regulation outlines the necessary conditions and safeguards that must be in place for international data transfers, ensuring that personal data enjoys a similar level of protection abroad as it does within Brazil. This move not only fortifies Brazil’s data protection landscape but also aligns it with global best practices, fostering greater trust and cooperation in the international data ecosystem.
