On August 23, 2024, the Brazilian Data Protection Authority (“ANPD”) published Resolution 19/2024, approving the Regulation on international data transfers and the content of standard contractual clauses (the “Regulation”). The Regulation implements the international data transfer framework under the Brazilian General Data Protection Law (“LGPD”).
Under the LGPD, international data transfers from Brazil to a third country are permitted if: (i) the ANPD recognizes the third country as providing adequate protection for personal data; (ii) the data exporter and data importer enter into standard contractual clauses (“SCCs”), binding corporate rules, or special contractual clauses; or (iii) one of the specific cases listed in the LGPD applies (e.g., the transfer is necessary to protect the life of the data subject, the data subject consents to the transfer, or the ANPD authorizes the transfer). The Regulation relates to the data transfer instruments mentioned in (i) and (ii).
Standard Contractual Clauses
The Regulation approves and publishes SCCs for the transfer of personal data outside of Brazil without ANPD’s authorization. The SCCs cover both controller-to-controller and controller-to-processor international data transfers. Like the EU SCCs, they are contracts signed between the data exporter (in Brazil) and the data importer (in a third country). The parties may not modify them. The ANPD may allow the transfer of personal data outside of Brazil on the basis of “equivalent SCCs” adopted by third countries, provided that they are compatible with the LGPD. The ANPD has not (yet) indicated that it would recognize the EU SCCs as equivalent.
Brazilian controllers that use contractual clauses to transfer personal data internationally must replace those contracts with the newly published SCCs by August 22, 2025.
Adequacy Decisions
The Regulation sets out the procedure that the ANPD must follow in order to make an adequacy decision, i.e., to recognize a third country as providing adequate protection for personal data. It requires the ANPD to consider, among other things, compliance with data protection principles, data protection rights, and legal and institutional safeguards for the protection of personal data (e.g., the independence of the regulator and judicial remedies for data subjects).
Specific Contractual Clauses and Binding Corporate Rules
The Regulation sets out the procedure for controllers to seek ANPD’s approval of:
- bespoke contract clauses (i.e., contract clauses that differ from the approved SCCs), for example, when the approved SCCs cannot be used due to “exceptional circumstances” to be assessed on a case-by-case basis; and
- binding corporate rules for data transfers within the same group of companies.
****
Covington & Burling regularly advises the world’s top technology companies on their most challenging regulatory and compliance issues around the globe. If you have any questions about the international data transfer framework, please do not hesitate to contact us.
(This blog post was written with the contributions of Alberto Vogel.)