On 23 August 2024, the Brazilian Data Protection Authority (ANPD) approved Resolution CD/ANPD No. 19, introducing a comprehensive regulation for international data transfers and Standard Contractual Clauses (SCCs). The resolution marks a significant advancement in Brazil’s commitment to data protection and privacy by offering a structured approach to transferring personal data across borders.
The resolution comes into force immediately, and the covered entities have a twelve-month period (until August 22, 2025) to incorporate the ANPD-approved SCCs into their data transfer agreements.
Objective and Scope of the Regulation
The regulation establishes procedures and rules for handling international data transfers while maintaining protection. It allows data transfer to countries with adequate protection or through legally binding agreements (SCCs, specific clauses, or BCRs). It aims to align international data transfers with Brazil's General Data Protection Law (LGPD) while maintaining transparency and accountability.
The regulation defines ‘international transfer’ as the transmission, sharing, or granting of access to personal data to a foreign country or international organization of which Brazil is a member. The regulation is applicable when:
- Data processing occurs within Brazilian territory; or
- Personal data is collected in Brazil and is subsequently transferred internationally; or
- The processing aims to provide or offer goods or services to individuals in Brazil, regardless of where the processing occurs.
Notably, the regulation broadens the scope of international transfers to include data shared between foreign countries if it relates to Brazilian individuals. Even in cases where there is no direct transfer from Brazil, compliance with international transfer mechanisms, such as SCCs, is still required.
International Transfer Mechanisms
The international data transfer must be for legitimate and specific purposes per Articles 7 and 11 of the LGPD. The regulation outlines several valid mechanisms for international data transfers, including:
- An adequacy decision issued by the ANPD that provides a level of data protection deemed adequate in comparison to the LGPD standards;
- Standard Contractual Clauses (SCCs) must be adopted in their entirety, without modification, and are designed to guarantee that both data exporters and importers comply with the principles and rights outlined in the LGPD;
- Binding Corporate Rules (BCRs) adopted by multinational companies that allow for the safe transfer of personal data within the corporate group, across borders;
- Specific contractual clauses approved by the ANPD and used when standard mechanisms like SCCs or BCRs are not suitable for a particular transfer; and
- Derogations, as detailed in Article 33(III)-(IX) of the LGPD, include legal obligations, consent from the data subject, and contract execution.
The regulation includes criteria and procedures for evaluating the data protection adequacy of countries or international organizations with that of the LGPD. Likewise, Annex II of the regulation contains ANPD-approved SCCs that establish minimum guarantees and requirements to carry out international data transfers. Additionally, the regulation clarifies that a controller may get specific contractual clauses approved by the ANPD that align with the principles of LGPD for data transfers. Similarly, the approval criteria and procedure for organizations to get Binding Corporate Rules (BCRs) approved by the ANPD are also covered in the regulation.
Enhanced Transparency Measures for International Data Transfer
The regulation introduces a new data subject right of “Right to Information” not included in the existing set of data subjects under Article 18 of the LGPD. This right allows data subjects to request complete text of the clauses used in executing international data transfer while maintaining commercial and industrial secrecy. This right ensures transparency and allows individuals to understand how their data is being transferred and what safeguards are in place. Controllers are obliged to fulfill the request within 15 days, except if a different deadline is mentioned in the ANPD regulations.
Enhanced Privacy Notice Requirements
The regulation enhances the privacy notice, requiring controllers to publish a document on their website that provides information regarding the execution of the international data transfer. This information must be in Portuguese, in “simple, clear, precise, and accessible language” and must include the following information:
- the form, duration, and specific purpose of the international transfer;
- the country to which data is being transferred;
- the controller’s identity and contact details;
- the shared use of data by the controller and the purpose;
- the agents’ responsibilities who will be processing the data and the security measures taken by them; and
- the rights of the data subject and the means for exercising them, including an easily accessible channel and the right to petition against the controller before the ANPD.
Looking Forward
As the global data protection landscape continues to evolve, Brazil’s new regulation on international data transfers is a timely response to the growing need for safe and secure cross-border data exchange. By aligning with international standards and prioritizing transparency and accountability, it aims to facilitate the free and unhindered flow of data while protecting personal information.
Organizations must prepare for compliance by integrating the ANPD-approved SCCs and ensuring the adherence of international data transfer practices to the new requirements. This proactive approach enhances data protection, strengthening Brazil’s position in the global data privacy realm.
The unofficial English translation of the Resolution can be accessed here.