Brazilian firm Mattos Filho reports that, on August 23, 2024, the Brazilian Data Protection Authority (“ANPD”) published Resolution No. 19/2024, approving the Regulations on International Data Transfers (“Regulations”) and the content of standard contractual clauses in accordance with the Brazilian Data Protection Law (Law No. 13,709/2018 – “LGPD”). The Regulations are the result of a regulatory initiative the ANPD began in 2022, which involved collecting contributions, public consultations, and public hearings.
Objectives and Scope
The Regulations set forth rules and procedures for international data transfers, either to countries with adequate protection (as recognized by the ANPD) or through contractual clauses or global corporate rules. The Regulations do not rule out the possibility of international data transfers based on other mechanisms established by Article 33 of the LGPD, provided that certain legal requirements are met.
Definitions
Pursuant to the Regulations, international data transfers occur when personal data is transferred from a Brazil-based exporting agent to an importing agent located in another country.
“International data collection” is defined as the collection of personal data directly from the data subject by an entity located abroad. Such collection is not considered an international data transfer, although the entity collecting the personal data must comply with the provisions of the LGPD if it falls within the territorial scope established in Article 3 of the LGPD.
Both controllers and processors must adopt effective measures to ensure and demonstrate compliance with the Regulations. The effectiveness of such measures must be compatible with the level of risk associated with the data processing and the international transfer mechanism used.
Legal Bases and International Data Transfer Mechanisms
Pursuant to the Regulations, international data transfers are permitted only for legitimate, specific, explicit purposes of which the data subject is informed, and any further processing incompatible with such notified purposes is prohibited. International data transfers must be supported by one or more of the legal bases in Articles 7 and 11 of the LGPD, and controllers must use a valid mechanism, such as an adequacy decision recognized by ANPD, contractual clauses, or global corporate rules, in connection with such transfers.
Adequacy decisions
The ANPD may apply an adequacy decision to recognize that the level of personal data protection in a foreign country or international organization is equivalent to Brazilian legislation, in accordance with the LGPD and the Regulations.
In assessing the level of protection to personal data provided by the destination country or international organization, the LGPD may consider:
- The general and sector-specific rules and regulations of the destination country or international organization;
- The nature of the data;
- Compliance with data protection principles and data subjects’ rights;
- The security measures adopted by the destination country or international organization;
- Existing judicial and institutional guarantees, including the presence of an independent regulatory authority; and
- Other specific circumstances related to the transfer.
The following factors also will be considered:
- The risks and benefits of the adequacy decision;
- Impacts on international data flows; and
- Impacts on diplomatic relations, international trade and international cooperation.
Countries or organizations that offer reciprocal treatment to Brazil and can facilitate the free flow of data between the parties will be prioritized. The ANPD’s procedure for issuing an adequacy decision may be initiated by its board of directors or at the request of certain public law entities, subject to final deliberations from the board. The ANPD will publish adequacy decisions on its website.
Standard Contractual Clauses
The ANPD-approved standard contractual clauses establish minimum guarantees and valid conditions for international data transfers. The standard contractual clauses are contained within Annex II of the Regulations and contemplate the roles of the data exporter and importer, as either controller or processor.
The text of the clauses must be adopted in its entirety for the transfer to be valid (i.e., without amendments), and must be included in a contractual instrument signed between the exporter and the importer. This may be part of a specific or broader contract, provided that the standard clauses are not modified.
The controller must ensure transparency in relation to the data subject, including:
- Providing upon request the full text of the contractual clauses used, taking into account commercial and industrial secrets; and
- Publishing clear and accessible information about international data transfers on its website (either on a specific page or in its Privacy Policy), such as details on the purpose, duration, destination country, and the rights of the data subject with respect to such transfers.
Equivalent and Specific Standard Contractual Clauses
The ANPD may recognize the standard contractual clauses of other countries or international organizations to be equivalent, provided they are compatible with the provisions of the LGPD. This feature differs from other data protection regulations worldwide, such as the General Data Protection Regulation (GDPR), and is designed to provide more consistency in companies’ international data transfer practices.
Additionally, controllers may request the ANPD to approve specific contractual clauses for international data transfers, provided the controller can guarantee compliance with the principles and rights set forth in the LGPD.
Such clauses would be permitted when the standard clauses are not feasible due to exceptional circumstances, and would need to be subject to Brazilian law and ANPD oversight.
The ANPD will evaluate the following factors with respect to proposed equivalent and specific clauses:
- Whether the clauses are compatible with the LGPD and ensure a level of data protection equivalent to that of the Brazilian standard contractual clauses;
- The risks and benefits, as well as the impacts on international data flows, diplomatic relations, international trade and international cooperation.
Clauses that can be used by other agents in similar circumstances will be prioritized.
In the clauses submitted to the ANPD for approval, controllers must:
- Match (whenever possible) the wording of the standard clauses; and
- Justify the need for the clauses.
Global Corporate Rules
Global corporate rules are binding mechanisms for international data transfers between organizations within the same group or corporate conglomerate. They are valid for transfers between organizations or countries covered by these rules, which must be associated with a privacy governance program that meets the LGPD’s requirements.
Global corporate rules must provide details of the international data transfers, establishing:
- A description of the international data transfers, including data categories, processing operations, purposes, legal bases, and types of data subjects;
- The identification of countries to which the personal data may be transferred;
- The structure of the group or corporate conglomerate, with a list of associated entities, roles in processing, and contact information;
- A determination of the binding nature of global corporate rules for all group members, including employees;
- The entities responsible for the data processing;
- A description of data subjects’ rights and how to exercise such rights;
- Rules and procedures for the review and approval of global corporate rules by the ANPD; and
- Disclosures to the ANPD in the event of changes to data protection guarantees, especially if a group member is subject to laws of another country that prevent compliance with the rules.
Global corporate rules must include the obligation to notify the responsible entity if a group member is subject to laws that prevent compliance with the rules, except where such notification is legally prohibited.
Deadlines
The Regulations came into effect on the date of publication, August 23, 2024.
Data processing agents conducting international data transfers through contractual clauses have up to 12 months (until August 22, 2025) to incorporate the ANPD-approved standard clauses into their contracts.
A non-official English version of the Regulations is available here. The official text in Portuguese is available here.
For further information on this topic, please contact Mattos Filho’s Data Protection & Cybersecurity practice.
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- U.S. State Privacy
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- Disclosure
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition
- Facial Recognition Technology
- FACTA
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Legislature
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Online Behavioral Advertising
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Paul Tiao
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- WeProtect Global Alliance
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code