Decoding the Regulation of Cross-Border Data Transfers under the Brazilian Data Protection Law
The Brazilian National Data Protection Authority (ANPD) has issued new Regulations for international data transfers under Brazil's General Personal Data Protection Act (LGPD). These regulations establish the criteria for any organization to transfer personal data between Brazil and other countries or international organizations with an adequate level of data protection.
Brazil’s LGPD regulates international data transfers under Articles 33 to 36. Under Article 33, transfers are allowed if specific conditions are met, such as contractual guarantees, legal necessity, or ANPD authorization. However, many of these mechanisms, like the framework for standard contractual clauses, were not fully detailed in the LGPD, making it difficult for data controllers to apply them effectively without further guidance from the ANPD. The new regulations provide more detailed mechanisms, including standard contractual clauses, giving data controllers clearer tools to manage cross-border transfers, an area previously lacking guidance.
Key Legal Mechanisms for Cross-Border Data Transfers:
Under the new regulations, international data transfers can occur through mechanisms such as adequacy decisions, standard contractual clauses (SCCs), and binding corporate rules (BCRs). Article 10 provides that adequacy decisions apply when a country or organization offers data protection levels equivalent to the LGPD. If an adequacy decision is not available, SCCs provide standardized terms to govern international transfers between exporters and importers. Article 21 provides that in exceptional cases, specific contractual clauses can be proposed to the ANPD for approval, offering flexibility for data controllers in unique situations.
Adequacy Decisions and Standard Contractual Clauses:
The ANPD can issue adequacy decisions recognizing that a foreign country’s data protection standards are equivalent to Brazil’s LGPD. Factors considered include the destination country’s laws, adherence to data protection principles, and the presence of institutional safeguards. Under the regulation, SCCs supply standardized terms to govern transfers. These clauses, found in Annex II of the regulations, outline minimum guarantees for the lawful transfer of personal data. They must be adopted without modification and included in the contractual agreement between the exporter and importer.
Binding Corporate Rules (BCRs) and Other Mechanisms:
Binding corporate rules (BCRs) are binding mechanisms that facilitate international data transfers within multinational organizations. Article 25 of the regulation provides that BCRs allow cross-border data flows within a corporate group, provided they meet LGPD’s privacy governance standards. These rules must define data transfer processes, establish accountability, and ensure data subject rights. Additionally, transfers may occur under legal cooperation, consent, or public interest, offering flexibility for organizations operating globally.
Compliance Deadlines and Next Steps
The new regulations took effect immediately upon publication. Organizations conducting international data transfers through contractual clauses have until August 22, 2025, to incorporate ANPD-approved SCCs into their contracts. While other mechanisms like BCRs and adequacy decisions are already in effect, companies are encouraged to review and adapt their data transfer processes to ensure compliance. Transparent communication with data subjects about the international transfer mechanisms used is also required.
Conclusion:
The new ANPD regulations provide clearer guidelines for international data transfers under Brazil’s LGPD. Organizations must now adopt approved mechanisms like adequacy decisions, SCCs, or BCRs to ensure compliance. Companies should review and adapt their data transfer practices by August 2025 to meet these regulatory requirements.
If you’re an organization dealing with copious amounts of data, do visit www.tsaaro.com.
News of the Week
1. Europol Dismantles Ghost Communication Platform Used by Criminal Networks
An international law enforcement operation successfully took down Ghost, an encrypted communication platform known for facilitating drug trafficking and money laundering on a large scale, Europol announced on Wednesday. The operation resulted in the arrest of 51 individuals across several countries, with more arrests anticipated. Criminal organizations had widely adopted the platform due to its advanced security features, and its dismantling is considered a major victory against global organized crime.
2. Enforcement of Personal Data Protection Law in Saudi Arabia
On 14 September 2023, Saudi Arabia's Personal Data Protection Law (PDPL) was enacted as the primary regulation overseeing personal data usage within the Kingdom. Organizations had until 14 September 2024 to align with the PDPL and its accompanying regulations, at which point full enforcement began. Both public and private sectors are required to comply with the law and its regulatory framework.
3. MLB Players Union Sues Sports Betting Companies Over Unauthorized Use of Player Likeness
The Major League Baseball (MLB) players union filed lawsuits against DraftKings, FanDuel, and two other sports betting companies, accusing them of using players' names and likenesses on their platforms without consent. The lawsuits seek compensatory and punitive damages from DraftKings and bet365 Group in Philadelphia federal court, and from FanDuel and Underdog Fantasy in a New York state court.
4. Europol Hosts 13th EDEN Conference on Data Protection and Cybersecurity in Law Enforcement
On 16-17 September 2024, Europol's headquarters in The Hague hosted Europe’s premier event on data protection in law enforcement, co-organised by the Academy of European Law (ERA). The 13th Europol Data Protection Experts Network (EDEN) event focused on the theme "Data Protection & Cyber Security as Law Enforcement Core Business," emphasizing how law enforcement can adopt emerging technologies while upholding ethical and legal standards. Discussions covered the impact of quantum computing, AI in policing, strategies to counter disinformation, and the balance between security and individual rights.
5. Digital Personal Data Protection (DPDP) Act Rules to Be Released for Public Consultation Soon
Government officials have announced that the rules for implementing the Digital Personal Data Protection (DPDP) Act have been finalized and are expected to be released for public consultation by the end of this month. Although the Act was passed a year ago, its implementation has been delayed due to the lack of accompanying rules. The release of these rules was part of the government’s 100-day agenda, which concluded on Tuesday. The consultation process for these rules is expected to last for over a month, according to officials.