The Brazilian Data Protection Authority (“ANPD”) published, on August 23, 2024, Resolution CD/ANPD No. 19/2024, which approved the new Regulation on International Transfer of Personal Data (“Regulation”). The Regulation details and sets specific obligations to enable the transfer of personal data by processing agents to other countries and international organizations, particularly the international transfer mechanisms listed in Article 33 of the Brazilian Data Protection Legislation (“LGPD”), which required regulation for full effectiveness.
This Regulation introduces a series of rules to ensure that international data transfers occur securely and in compliance with the data subjects’ rights and protection compatible with the LGPD, promoting a more reliable and consistent global data flow in terms of data protection.
International data transfer is only authorized for legitimate, specific, explicit, and informed purposes to the data subject, and the use of data for subsequent purposes incompatible with the initially informed ones is not allowed. Additionally, international data transfer should be limited to the minimum necessary to achieve its purposes, covering relevant, proportional, and not excessive data in relation to the purposes of data processing and supported by one of the legal bases provided in Articles 7 and 11 of the LGPD, in addition to using an appropriate mechanism provided in Article 33 of the LGPD.
The Regulation does not prevent transfers based on other hypotheses provided in Article 33 of the LGPD and that did not require regulation, such as (i) for international legal cooperation between public intelligence, investigation, and prosecution bodies, in accordance with international law instruments, (ii) for the protection of the life or physical integrity of the data subject or third party, (iii) when the transfer is necessary for the execution of public policy or legal attribution of the public service, (iv) when the data subject has provided specific and highlighted consent for such transfer, (v) when necessary for the controller to comply with a legal or regulatory obligation, (vi) when necessary for the execution of a contract or preliminary procedures related to a contract to which the data subject is a party, (vii) for the regular exercise of rights in judicial, administrative, or arbitration proceedings, among other hypotheses.
The choice of the most appropriate mechanism depends on compliance with the legal bases of each hypothesis and the observance of the particularities of each case.
However, the following mechanisms gain effectiveness at this time with the Resolution:
- Standard Contractual Clauses: The standard contractual clauses approved by ANPD establish minimum guarantees and conditions for international data transfers. Annex II of the Regulation contains the text of these standard clauses, allowing them to be adapted to the roles of the exporter and importer, whether they are controllers or processors. Given the ease of implementation (as they do not depend on other ANPD approvals and have fixed content), these clauses are likely to be widely used. However, it is important to assess, case by case, their pertinence. In addition to implementing these clauses, when applicable, the controller must ensure transparency to the data subject, including the obligation to (i) provide, if requested, the full text of the contractual clauses used, respecting commercial and industrial secrets, and (ii) publish on its website, on a specific page or within the Privacy Policy, clear and accessible information about the international data transfer, such as details about the purpose, duration, destination country, and the data subjects’ rights.
Processing agents using contractual clauses for international data transfers have up to 12 months from the date of publication to update their contracts with the standard clauses approved by ANPD. The clauses must be used in their entirety.
ANPD may recognize the equivalence of standard contractual clauses from other countries with Brazil’s standard clauses, which will prevent the need for more than one applicable standard clause for a given processing agent.
- Specific Contractual Clauses: This is a residual mechanism. These clauses are allowed when standard clauses are not feasible due to exceptional circumstances. They can be created by the processing agent but must be previously submitted for ANPD approval. ANPD will analyze (i) whether the specific clauses are compatible with the LGPD, ensure its applicability, and guarantee a level of data protection equivalent to national standard clauses; and (ii) the risks and benefits involved, as well as the impacts on international data flow, diplomatic relations, trade, and international cooperation. When submitting clauses for ANPD approval, the controller should adopt, whenever possible, the wording of the standard clauses and justify the need for specific clauses.
- Global Corporate Rules: Intended for international data transfers between organizations of the same group or business conglomerate, binding the group members who subscribe to them. These rules have minimum content fixed by the Resolution, including the description of international data transfers to which the instrument applies, such as categories of personal data, processing operation and purposes, legal hypothesis, types of data subjects, identification of the countries to which data can be transferred, and delineation of processing responsibilities with the indication of the responsible entity. Additionally, these rules must be integrated into a privacy governance program that meets LGPD requirements. Global corporate rules must be submitted for ANPD approval to be used.
In addition to these mechanisms, the Resolution also provides parameters to be evaluated by ANPD for issuing an Adequacy Decision. The Adequacy Decision is how ANPD recognizes the equivalence of the level of personal data protection of a foreign country or international organization with national data protection legislation. Practically, processing agents transferring personal data to countries deemed adequate will no longer need to apply another international transfer mechanism. However, considering the general duty of controllers and processors that transfer data to adopt effective measures and demonstrate compliance with data protection rules and the effectiveness of these measures, it is important to include clauses in contracts regarding personal data protection even if an Adequacy Decision exists.
In analyzing the protection level of the third country, ANPD will consider factors such as (i) the general and specific rules of the destination country or international organization, (ii) the nature of the data, (iii) compliance with data protection principles and data subject rights, (iv) implemented security measures, (v) judicial and institutional guarantees, including the existence of an independent regulatory body, and (vi) other specific circumstances related to the transfer. The procedure for issuing the adequacy decision by ANPD can be initiated by the Board of Directors or by request from certain public entities, instructed by the competent technical area, and subject to final deliberation by the Board. The adequacy decision will be disclosed on ANPD’s website in due course.