Brazilian firm Mattos Filho reports that, on August 23, 2024, the Brazilian Data Protection Authority (“ANPD”) published Resolution No. 19/2024, approving the Regulations on International Data Transfers (“Regulations”) and the content of standard contractual clauses in accordance with the Brazilian Data Protection Law (Law No. 13,709/2018 – “LGPD”). The Regulations are the result of a regulatory initiative the ANPD began in 2022, which involved collecting contributions, public consultations, and public hearings.
Objectives and Scope
The Regulations set forth rules and procedures for international data transfers, either to countries with adequate protection (as recognized by the ANPD) or through contractual clauses or global corporate rules. The Regulations do not rule out the possibility of international data transfers based on other mechanisms established by Article 33 of the LGPD, provided that certain legal requirements are met.
Definitions
Pursuant to the Regulations, international data transfers occur when personal data is transferred from a Brazil-based exporting agent to an importing agent located in another country.
“International data collection” is defined as the collection of personal data directly from the data subject by an entity located abroad. Such collection is not considered an international data transfer, although the entity collecting the personal data must comply with the provisions of the LGPD if it falls within the territorial scope established in Article 3 of the LGPD.
Both controllers and processors must adopt effective measures to ensure and demonstrate compliance with the Regulations. The effectiveness of such measures must be compatible with the level of risk associated with the data processing and the international transfer mechanism used.
Legal Bases and International Data Transfer Mechanisms
Pursuant to the Regulations, international data transfers are permitted only for legitimate, specific, explicit purposes of which the data subject is informed, and any further processing incompatible with such notified purposes is prohibited. International data transfers must be supported by one or more of the legal bases in Articles 7 and 11 of the LGPD, and controllers must use a valid mechanism, such as an adequacy decision recognized by the ANPD, contractual clauses, or global corporate rules, in connection with such transfers.
Adequacy decisions
The ANPD may issue an adequacy decision recognizing that the level of personal data protection in a foreign country or international organization is equivalent to Brazilian legislation, in accordance with the LGPD and the Regulations.
In assessing the level of protection of personal data provided by the destination country or international organization, the LGPD may consider:
- The general and sector-specific rules and regulations of the destination country or international organization;
- The nature of the data;
- Compliance with data protection principles and data subjects’ rights;
- The security measures adopted by the destination country or international organization;
- Existing judicial and institutional guarantees, including the presence of an independent regulatory authority; and
- Other specific circumstances related to the transfer.
The following factors also will be considered:
- The risks and benefits of the adequacy decision;
- Impacts on international data flows; and
- Impacts on diplomatic relations, international trade and international cooperation.
Countries or organizations that offer reciprocal treatment to Brazil and can facilitate the free flow of data between the parties will be prioritized. The ANPD’s procedure for issuing an adequacy decision may be initiated by its board of directors or at the request of certain public law entities, subject to final deliberations from the board. The ANPD will publish adequacy decisions on its website.
Standard Contractual Clauses
The ANPD-approved standard contractual clauses establish minimum guarantees and valid conditions for international data transfers. The standard contractual clauses are contained within Annex II of the Regulations and contemplate the roles of the data exporter and importer, as either controller or processor.
The text of the clauses must be adopted in its entirety for the transfer to be valid (i.e., without amendments), and must be included in a contractual instrument signed between the exporter and the importer. This may be part of a specific or broader contract, provided that the standard clauses are not modified.
The controller must ensure transparency in relation to the data subject, including:
- Providing upon request the full text of the contractual clauses used, taking into account commercial and industrial secrets; and
- Publishing clear and accessible information about international data transfers on its website (either on a specific page or in its Privacy Policy), such as details on the purpose, duration, destination country, and the rights of the data subject with respect to such transfers.
Equivalent and Specific Standard Contractual Clauses
The ANPD may recognize the standard contractual clauses of other countries or international organizations to be equivalent, provided they are compatible with the provisions of the LGPD. This feature differs from other data protection regulations worldwide, such as the General Data Protection Regulation (GDPR), and is designed to provide more consistency in companies’ international data transfer practices.
Additionally, controllers may request that the ANPD approve specific contractual clauses for international data transfers, provided the controller can guarantee compliance with the principles and rights set forth in the LGPD.
Such clauses would be permitted when the standard clauses are not feasible due to exceptional circumstances, and would need to be subject to Brazilian law and ANPD oversight.
The ANPD will evaluate the following factors with respect to proposed equivalent and specific clauses:
- Whether the clauses are compatible with the LGPD and ensure a level of data protection equivalent to that of the Brazilian standard contractual clauses;
- The risks and benefits, as well as the impacts on international data flows, diplomatic relations, international trade and international cooperation.
Clauses that can be used by other agents in similar circumstances will be prioritized.
In the clauses submitted to the ANPD for approval, controllers must:
- Match (whenever possible) the wording of the standard clauses; and
- Justify the need for the clauses.
Global Corporate Rules
Global corporate rules are binding mechanisms for international data transfers between organizations within the same group or corporate conglomerate. They are valid for transfers between organizations or countries covered by these rules, which must be associated with a privacy governance program that meets the LGPD’s requirements.
Global corporate rules must provide details of the international data transfers, establishing:
- A description of the international data transfers, including data categories, processing operations, purposes, legal bases, and types of data subjects;
- The identification of countries to which the personal data may be transferred;
- The structure of the group or corporate conglomerate, with a list of associated entities, roles in processing, and contact information;
- A determination of the binding nature of global corporate rules for all group members, including employees;
- The entities responsible for the data processing;
- A description of data subjects’ rights and how to exercise such rights;
- Rules and procedures for the review and approval of global corporate rules by the ANPD; and
- Disclosures to the ANPD in the event of changes to data protection guarantees, especially if a group member is subject to laws of another country that prevent compliance with the rules.
Global corporate rules must include the obligation to notify the responsible entity if a group member is subject to laws that prevent compliance with the rules, except where such notification is legally prohibited.
Deadlines
The Regulations came into effect on the date of publication, August 23, 2024.
Data processing agents conducting international data transfers through contractual clauses have up to 12 months (until August 22, 2025) to incorporate the ANPD-approved standard clauses into their contracts.
A non-official English version of the Regulations is available here. The official text in Portuguese is available here.
For further information on this topic, please contact Mattos Filho’s Data Protection & Cybersecurity practice.