I. Introduction
With the introduction of Resolution CD/ANPD No. 19 (the “Regulation”) on August 23, 2024, the Brazilian Data Protection Authority (ANPD) has marked a pivotal development in data privacy regulations. It provides a detailed regulation on international data transfers and the ANPD-approved Standard Contractual Clauses (SCCs), as Annex I and II respectively.
The Regulation aims to align Brazil’s data protection measures with international standards while adhering to the General Data Protection Law (LGPD). It emphasizes safeguarding data subject rights, ensuring adequate protection levels, and maintaining transparency and accountability in data transfers. It also details the mechanisms for international data transfers, including adequacy decisions, standard contractual clauses (SCCs), specific contractual clauses, and binding corporate rules (BCRs).
Read on to learn all the specific details mentioned in the Regulation.
II. Definitions of Key Terms
Some of the key terms defined in the Regulation are as follows:
a. Exporter
A data processing agent located in Brazil or a foreign country that transfers data to an importer.
b. Importer
A data processing agent located in Brazil or a foreign country that receives transferred data from an exporter.
c. International Data Collection
Direct collection of personal data from the data subject by the data processing agent located outside Brazil.
d. International Data Transfer
Transfer of personal data to a foreign country or international organization of which Brazil is a member.
e. International Data Transfer Mechanisms
Circumstances specified in Article 33 of the LGPD that permit an overseas data transfer.
f. Transfer
A data processing action that involves transferring or sharing personal data from one data processing agent to another, or making personal data accessible or available to another data processing agent.
III. Applicability of the Regulation
A. General Application
The Regulation applies to international data transfers when:
- Data processing occurs within Brazilian territory; or
- Personal data is collected in Brazil and is subsequently transferred internationally; or
- The processing aims to provide or offer goods or services to individuals in Brazil, regardless of where the processing occurs.
The applicability of the LGPD to international data transfers is independent of:
- the means used to transfer the data;
- the country of residence of the data processing agents; or
- the location of the data.
This provision guarantees that Brazilian data protection laws apply universally to personal data originating or processed in Brazil, regardless of the technical or geographic specifics of the data transfer. The Regulation also distinguishes between 'international transfers' and 'international collection'. The latter pertains to direct data collection by foreign entities; it does not fall under 'international transfers' but is still subject to the LGPD as outlined in Article 3.
B. Application to Personal Data Originating Abroad
The LGPD also applies to personal data that originates from outside Brazil but is processed within the country. However, there are exceptions where the law does not apply, including:
- Personal data merely passing through Brazil without being communicated or shared with a processing agent in Brazil is exempt from the LGPD.
- If personal data processed in Brazil is returned exclusively to its country or international organization of origin, the LGPD may not apply, provided:
  - the originating country or organization has an adequate level of protection recognized by the ANPD;
  - the applicable legislation or rules from the country of origin apply to the operation; and
  - the exception is expressly provided in the adequacy decision issued by the ANPD.
However, organizations must still comply with the LGPD to protect data subjects' rights even when an adequacy decision is issued. Additionally, they must adhere to other confidentiality, security, and public authority access laws, even if the LGPD does not apply.
IV. Duties under the Regulation
It is the duty of controllers to:
- Verify whether the transfer constitutes an international data transfer;
- Confirm that the transfer is subject to LGPD jurisdiction; and
- Ensure that a valid legal basis and transfer mechanism are in place.
The processors, in turn, are bound to assist controllers by providing the information necessary to ensure compliance with the Regulation.
V. International Data Transfer Mechanisms
According to Article 9 of the LGPD, any international data transfer must serve a legitimate, specific, explicit, and informed purpose, and the subsequent processing of that data must align with the original purpose. The legal basis for such transfers is twofold:
- Legal basis of processing
- Transfer mechanism
The Regulation governs several mechanisms provided in the LGPD, ensuring that data protection aligns with the standards established by Brazilian legislation. These mechanisms include:
1. Adequacy Decision
The Regulation permits data transfers based on adequacy decisions, which are issued after assessing whether a foreign country or international organization provides a level of data protection equivalent to that provided by Brazil. Once an adequacy decision is made, data transfers can proceed without any further contractual measures.
a. Criteria for Evaluation and Issuance of Adequacy Decision
The ANPD considers several factors when assessing a country’s data protection framework, including:
- Existing general and sectoral laws affecting data protection in the other country.
- The type of data involved.
- Compliance with Brazil’s principles and data subject rights.
- Adoption of security measures to protect data and mitigate risks.
- Judicial and institutional guarantees for data protection, including regulatory bodies that oversee data compliance.
These criteria ensure that the receiving country has the necessary safeguards in place, akin to those provided under Brazilian law. Beyond evaluating a country’s legal framework, Article 12 introduces additional factors, including:
- The ANPD will weigh the benefits of an adequacy decision, ensuring the protection of data subjects' rights and the potential impact on international data flows.
- Priority is given to countries that offer reciprocal data protection standards and facilitate free data flow with Brazil.
b. Issuing Adequacy Decision
The ANPD may initiate this procedure either through its own decision or upon request from public entities. The adequacy decision procedure involves:
- A technical team within the ANPD assesses the country’s data protection level and issues recommendations;
- The Federal Prosecutor’s Office offers legal opinions on the decision; and
- The ANPD’s Board of Directors makes the final decision, which is then published on the ANPD’s website.
2. Standard Contractual Clauses (SCCs)
Standard Contractual Clauses (SCCs) are pre-approved contractual agreements that define the obligations of data exporters and data importers in an international data transfer. Annex II of the Regulation includes ANPD-approved SCCs, which establish minimum guarantees and conditions for international data transfers. To ensure the validity of international data transfers, SCCs must be included fully and unaltered. These clauses must be incorporated into:
- A specific contract governing data transfer; or
- A broader contract with an addendum signed by both the data exporter and importer.
Equivalent Standard Contractual Clauses
In some cases, SCCs from foreign countries or international organizations may be recognized as equivalent to those approved by the ANPD. Article 18 allows for the recognition of such clauses, provided they meet the standards of Brazil’s data protection laws.
The process for recognition of equivalent SCCs involves:
- Initiation of the Procedure: This can be done by the ANPD’s Board of Directors or at the request of interested parties.
- Documentation: The request must be accompanied by the full text of the foreign SCCs, translated into Portuguese, as well as relevant legislation and a compatibility analysis with Brazilian law.
- Approval Process: The ANPD considers the compatibility with the LGPD and the potential risks and benefits of the decision. Public consultations may also be conducted.
Decision on Equivalence
When the ANPD evaluates whether foreign SCCs are equivalent to those required under Brazilian law, it takes into consideration the following factors (Article 19):
- Compatibility with LGPD provisions.
- The level of protection provided to data subjects.
- Potential impacts on international data flows, trade relations, and cooperation between Brazil and other countries.
Once approved, the equivalent SCCs will be published on the ANPD’s website and can be used as a valid mechanism for international data transfers.
3. Specific Contractual Clauses
Specific contractual clauses provide a customized mechanism for international data transfers when SCCs cannot be used due to exceptional circumstances.
Controllers have the option to request ANPD approval for special contractual clauses if SCCs are unsuitable due to legal or factual circumstances. These clauses offer guarantees that the principles of data protection, data subject rights, and other obligations outlined in the LGPD will be adhered to in an international data transfer.
Key Considerations for Specific Contractual Clauses
- Specific contractual clauses are only used when a data transfer cannot be carried out using standard contractual clauses. This limitation is due to exceptional legal or factual circumstances, which must be duly proven by the controller seeking ANPD approval.
- Regardless of the circumstances, specific contractual clauses must provide for the application of Brazil’s data protection legislation to the international transfer, ensuring that the transfer is subject to the supervision of the ANPD.
Approval Procedure
To approve specific clauses, the ANPD will evaluate:
- Whether the specific clauses ensure an equivalent level of data protection to that provided by Brazilian standard contractual clauses.
- The potential risks and benefits of the proposed clauses, including their impact on international data flows, trade relations, and Brazil's international cooperation with other countries.
Additionally, the ANPD may prioritize specific clauses that can be applied broadly by other data processing agents for similar international data transfer scenarios.
Adopting Standard Clauses in Specific Contractual Clauses
Whenever possible, the controller should adopt the wording of standard contractual clauses in the creation of specific clauses. If specific clauses deviate from the standard language, the controller must provide justifications for the changes and prove their necessity based on the circumstances of the transfer.
4. Binding Corporate Rules (Global Corporate Rules)
Binding Corporate Rules (BCRs) are intended to facilitate data transfers within the same corporate group or conglomerate. These rules must adhere to the privacy governance requirements outlined in Article 50 of the LGPD and must include the following:
- A description of the international data transfers covered by the instrument, outlining the categories of personal data, categories of data subjects, the purpose of data transfer, and its nature;
- List of countries to which data is to be transferred;
- The group's or conglomerate's organizational structure;
- Determination of the binding nature of the corporate rule;
- Outlining who is liable for what in terms of data processing obligations;
- A statement of the applicable data subjects' rights and how to exercise them;
- Guidelines for evaluating the legally binding corporate rules and a clause requiring prior ANPD approval; and
- A clause requiring notification to the ANPD of any modifications when a member of the group or conglomerate is facing a legal duty that hinders them from complying with the rules.
Approval Procedure
Before becoming valid, BCRs must be submitted to the ANPD for approval. This process ensures that the rules meet the necessary legal standards for data protection and are aligned with both domestic and international regulatory requirements.
VI. Transparency Measures
The Regulation introduces significant enhancements to transparency measures for international data transfers. These include:
1. Right to Access to Transfer Clauses
For BCRs, Specific Contractual Clauses, and SCCs, data controllers must provide data subjects with access to the full text of the relevant clauses used in international data transfers upon request. This requirement ensures that data subjects are informed about the legal instruments governing the transfer of their personal data. However, controllers are also required to observe any commercial and industrial secrecy when sharing this information.
The deadline to respond to such requests is 15 days unless the ANPD specifies a different timeframe.
2. Privacy Notice
Controllers are required to publish detailed and complete information related to international data transfers on their websites. Additionally, this notice needs to be in Portuguese, be written in clear and accessible language, and include:
- Form, duration, and specific purpose of the international data transfer;
- The destination country;
- Identification and contact details of the controller responsible for the data transfer;
- Shared data use between the controller and other entities, including the purpose of sharing;
- The applicable data subject rights;
- Data subject rights and the means for exercising them, including a clear and accessible channel for submitting complaints to the controller.
- Data subjects should also be informed of their right to petition the ANPD if the controller does not address their concerns; and
- The duties of data processing agents.
3. Additional Transparency for BCRs and Specific Contractual Clauses
For Binding Corporate Rules and Specific Contractual Clauses, there are additional transparency measures that apply:
- The ANPD will publish a list of approved BCRs and Specific Contractual Clauses on its website, along with the applicant's name, the date of approval, and the decision made by the Board of Directors. In some cases, the full text of these clauses may be made public if they are suitable for use by other data processing agents, with commercial and industrial secrecy preserved.
- The controller must notify the ANPD in case any changes are made to the BCRs or Specific Contractual Clauses that could affect compliance with data protection laws.
VII. Effective Date
The Regulation became effective on the date of its publication. Companies must act promptly to assess their international data transfer agreements. Data processing agents who use contractual clauses to carry out international data transfers must incorporate the standard contractual clauses approved by the ANPD into their respective contractual instruments within a period of up to twelve (12) months from the date of publication of this Regulation.
VIII. What Do Businesses Need to Do
With the Regulation now in effect, organizations must ensure compliance with the ANPD's requirements for international data transfers. The first priority for organizations is to map their current and future international data flows, ensuring that each transfer aligns with one of the approved mechanisms, such as Standard Contractual Clauses, Binding Corporate Rules, or specific contractual clauses. While companies have a 12-month window (until August 2025) to implement SCCs, they should not delay in assessing which mechanism best fits their operations, especially since BCRs and specific contractual clauses require prior ANPD approval, a potentially time-consuming process.
Uncertainties remain, particularly around the level of detail needed for contractual transparency and the conditions under which specific clauses will be approved. Organizations may also face questions about whether additional safeguards are needed to ensure compliance, especially for SCCs. As the regulatory landscape evolves, organizations will need to remain agile and monitor ANPD guidance to adapt their compliance strategies for international data transfers.
IX. How Securiti Can Help
Securiti is the pioneer of the Data Command Center, a centralized platform that enables the safe use of data and GenAI. It provides unified data intelligence, controls, and orchestration across hybrid multicloud environments. Large global enterprises rely on Securiti's Data Command Center for data security, privacy, governance, and compliance.
The Data Command Center provides organizations access to vital individual modules and solutions that will be critical in their quest to comply with the Regulation’s provisions and obligations.
Request a demo today and learn more about how Securiti can help you in this compliance journey.