Brazil’s framework for international personal data transfers
Tuesday 10 December 2024
Paulo Cezar Aragão[1]
BMA Advogados, São Paulo, Brazil
pca@bmalaw.com.br
Felipe Palhares[2]
BMA Advogados, São Paulo, Brazil
felipe.palhares@bmalaw.com.br
Brazil enacted its first general data protection law, locally known as the LGPD, in August 2018, and it became effective on 18 September 2020. Similar to several data protection laws around the world, and largely inspired by the European Union General Data Protection Regulation (GDPR),[3] the LGPD sets forth requirements for the processing of personal data.
One of the aspects regulated by the LGPD applies to carrying out international personal data transfers from Brazil to other countries. According to the law, international transfers are only allowed under certain circumstances in order to ensure that foreign recipients of personal data will comply with the principles, data subjects’ rights and level of protection established by the LGPD.
Most of the cases where international transfers are permitted can be burdensome for data controllers. For instance, binding corporate rules or specific contractual clauses, which are two mechanisms set out by the law as contractual safeguards that could be implemented to ensure compliance with the LGPD, require prior approval by the Brazilian Data Protection Authority (ANPD) before they can be used. As the Authority began functioning only recently and it is currently short-staffed, it may take quite a while to obtain such approval.
International data transfers may also be performed:
- where the transfer is necessary for international cooperation between public intelligence, investigation or criminal prosecution bodies, in accordance with international law treaties;
- where the transfer is necessary for protecting the life or physical well-being of the data subject;
- where the ANPD has authorised the transfer;
- where the transfer results from an international commitment or cooperation agreement;
- where the transfer is necessary for the performance of a public policy or legal attribution of the public service;
- where the data subject has given specific and separate consent after being informed of the international nature of the processing, distinguishing it from other purposes; or
- where the transfer is necessary for compliance with a legal or regulatory obligation, for the performance of a contract with the data subject or for the exercise of rights in judicial, administrative or arbitration proceedings.
There are two other mechanisms prescribed by the LGPD that are more practical and that data controllers can also rely upon to transfer personal data to third countries: (1) adequacy decisions issued by the ANPD, recognising that a country has data protection laws comparable to the LGPD, which would allow hassle-free data transfers; and (2) standard contractual clauses (SCCs) approved by the ANPD.
On 23 August 2024, the ANPD issued a regulation on international data transfers, mainly focused on adequacy decisions and contractual safeguards, and published the first set of approved standard contractual clauses. Below are details of the regulation.
Adequacy decisions
As regards adequacy decisions, the regulation states that the ANPD will take into consideration the following criteria before issuing a decision:
- the general and sectoral laws of the third country or international organisations that are in force and related to the protection of personal data;
- the nature of the data;
- alignment with the principles and data subjects’ rights available under the LGPD;
- the adoption of proper security measures to minimise the impact on civil liberties and data subjects’ fundamental rights;
- the existence of judicial and institutional guarantees for respect for personal data protection rights (such as the existence and effective functioning of an independent regulatory body, with the power to ensure compliance with data protection laws and guarantee the rights of data subjects); and
- other specific circumstances relating to the transfer.
The ANPD will prioritise the assessment of the level of data protection of foreign countries or international organisations that guarantee reciprocal treatment to Brazil and whose recognition of adequacy enables the expansion of the free flow of international transfers of personal data between them.
The procedure for issuance of an adequacy decision may take a long time. Until a decision is issued, international data transfers must rely on a different mechanism provided by the law, even if the procedure is already ongoing.
Standard contractual clauses (SCCs)
The regulation also sets rules for contractual safeguards (standard contractual clauses, specific contractual clauses and binding corporate rules). There are five main things that data controllers should know about the Brazilian SCCs.
Take it or leave it
It might be the worst nightmare of lawyers, but in order to be valid as a transfer mechanism, the standard contractual clauses cannot be altered in any way. Besides filling out blank spaces left to be completed with information regarding the specifics of the transfer (ie purposes of the transfer, categories of personal data being transferred, retention periods etc), the language of the clauses cannot be modified. Furthermore, if an agreement between the data exporter and the data importer incorporates the SCCs, the other clauses of the agreement cannot, directly or indirectly, exclude, modify or contradict the SCCs.
The SCCs may be incorporated into an agreement that is solely focused on creating rules for international data transfers (such as a data processing agreement) or into a broader agreement (such as a service agreement), as long as the standard contractual clauses are not modified.
Transparency measures
Data controllers are required to make available a copy of the standard contractual clauses to data subjects, upon their request, within 15 days. This is a right which was created by the regulation and was not prescribed in the LGPD, and it is aimed at providing a greater level of transparency to international data transfers.
Data controllers must also publish on their websites clear, precise and easily accessible information, in Portuguese, regarding the international data transfers carried out, including, among others, details on the purposes for the transfer, the countries to which data will be transferred and the rights available to data subjects.
Portuguese only
There is no English version of the standard contractual clauses (at least for now) and the ANPD has not provided guidance on how it expects the market to proceed. From the transparency obligations mentioned above, it seems safe to assume that the agreements with the SCCs will have to be adopted either in Portuguese or in a Portuguese/English version, where the Portuguese version will always prevail over the translated one.
When it was discussing a draft version of the SCCs, the ANPD made available an English version of the draft. Therefore, it may well be the case that an official English version will be provided by the ANPD in the future, but it is not possible to ascertain when (or if) that will occur.
Transfer risk assessment
Data importers are required to represent and warrant that they did not identify any local laws or administrative practices that prevent them from complying with the obligations set forth in the standard contractual clauses. This requirement implies that data importers will have to carry out a transfer risk assessment to ensure this statement is true, although the regulation does not make that clear.
The strategy adopted by the ANPD in this respect is interesting as it differs significantly from the one of the European Union (EU) and the United Kingdom (UK). In those jurisdictions, and in light of the decision issued by the Court of Justice of the European Union in the Schrems II case,[4] the data exporter is the one required to carry out a transfer impact assessment to ensure that the data importer would be able to comply with the agreed clauses considering the laws and practices of the third country.
Deadline for implementation
Data controllers and data processors that currently use contractual clauses drafted by them as safeguards for international data transfers must adopt the SCCs by 23 August 2025 if they intend to use this mechanism for ensuring compliance with the LGPD. Although the ANPD is not prohibited from enforcing the law before that date, it is likely that it will focus its enforcement powers regarding international data transfers mainly after that deadline.
Specific contractual clauses
An alternative to the standard contractual clauses issued by the ANPD is specific contractual clauses, drafted by the parties themselves. However, this mechanism tends to be more complex than adopting SCCs, as the specific clauses must be approved by the ANPD prior to their use.
Under the regulation, it is clear that specific contractual clauses are a last resort in the ANPD’s view. In order to be approved, the parties must show that the standard contractual clauses are not adequate for that specific transfer considering the exceptional circumstances of the case. Otherwise, the ANPD expects that SCCs will be used, and that there is no need for a specific contractual clause to be accepted.
The ANPD will prioritise the evaluation of specific contractual clauses that can also be used by other data controllers and data processors in similar conditions. The full text of the specific contractual clauses approved will be made public by the ANPD on its website, except for any parts that are protected by commercial or industrial secrecy.
Binding corporate rules
The last mechanism addressed by the regulation is binding corporate rules (BCRs), which can only be used for international transfers of personal data between companies of the same economic group.
Like specific contractual clauses, BCRs need to be approved by the ANPD. The following must be presented by data controllers for the assessment of BCRs by the ANPD:
- a copy of the binding corporate rules;
- articles of association/incorporation of the data controllers and data processors of the economic group;
- if applicable, a copy of the decision of another data protection authority that has approved the BCRs in a different jurisdiction; and
- demonstration of compliance with all requirements set forth in the regulation.
Approved BCRs will be published on the ANPD’s website.
The market expectation is that the ANPD may soon issue adequacy decisions to the EU and the UK. Whilst this is not currently the case, using the Brazilian standard contractual clauses may be the easiest way to comply with the LGPD when it comes to international data transfers.
It should be noted that transfers of personal data from other countries to Brazil will be subject to the requirements set out in the laws of the jurisdiction of the data exporter, which can vary significantly depending on the countries involved. Aside from narrow exceptions, personal data received in Brazil will generally be subject to all requirements presented in the LGPD.
[1] Lawyer in São Paulo and Rio de Janeiro, Brazil. Partner of BMA Advogados (Brazil). Former General Counsel of the Brazilian Securities and Exchange Commission. Member of the Advisory Board of the Arbitration Commission of the B3 – Brasil, Bolsa, Balcão, the Brazilian Stock Exchange. Member (2013–2019, 2023) of the Capital Markets Advisory Committee of the IASB – International Accounting Standards Board (London).
[2] Lawyer in São Paulo and Rio de Janeiro, Brazil. Partner of BMA Advogados (Brazil). Member of the International Association of Privacy Professionals (US).
[3] Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46 [2016] OJ L119/1.
[4] Data Protection Commissioner v Facebook Ireland Ltd (C-311/18) EU:C:2020:559, 1 WLR 751.