New ANPD Regulation International Data Transfers
- Cristiane Manzueto,
- Rodrigo Leal,
- Ana Leticia Allevato,
- Diego Semeraro,
- Vítor Montovani
Scope of the Regulation
On August 23, 2024, the Brazilian Data Protection Authority (ANPD) published Resolution CD/ANPD No. 19/2024 (the “Regulation”), which addresses international transfers of personal data.
The Regulation establishes guidelines for scenarios outlined in Article 33 of the Brazilian General Data Protection Law (Law No. 13,709 of 2018, the “LGPD”) that require specific ANPD guidance, such as adequacy decisions, specific contractual clauses, Standard Contractual Clauses (SCCs), and binding corporate rules (BCRs). Notably, the Regulation does not mention seals, certifications, or codes of conduct despite being established in Item D of Subsection II of Article 33 of the LGPD.
The Regulation makes it clear that both the data controller and processor are responsible for proving compliance with the Regulation. Thus, if a foreign processor receives personal data from Brazil as an importer, it is also responsible for documenting the transfer and its compliance with the LGPD.
Characterization of an International Transfer
The Regulation covers international transfers, defined as:
- Transfers (transmission, sharing, or granting of access) of personal data from Brazil abroad; or
- Transfers abroad occurring directly between one or more countries when (i) the processing activity aims to offer or provide goods or services in Brazil; (ii) the processing activity aims to process data of individuals located in Brazil; or (iii) the personal data were collected within the Brazilian territory.
This definition expands the commonly used definition of international transfers because, technically, data sharing that does not result from a prior transfer from Brazil (onward transfers) between two foreign countries—for example, to profile an individual located in Brazil—would be considered an international transfer under this Regulation, requiring the use of one of the mechanisms provided for in Article 33 of the LGPD. In this example, the extraterritorial application of the LGPD—based on Article 3, Subsection II—could be an issue. However, according to the Regulation, it would still be an international transfer (requiring, for instance, the use of SCCs), bringing a different, and potentially more stringent, compliance scenario under the ANPD.
On the other hand, the following do not fall under the scope of the Regulation and are not considered international transfers:
- Mere access to personal data located in Brazil from abroad.
- The collection of personal data, from a foreign country, directly from the data subject located in Brazil.
When access or collection directly from abroad does not qualify as an international transfer under the LGPD, foreign controllers and processors should still be aware of the potential extraterritorial application of the LGPD as outlined in Article 3. This includes scenarios such as offering products or services to individuals in Brazil.
The Regulation outlines a specific scenario where the LGPD does not apply: the return of personal data to a foreign country, provided that the data originated abroad for a specific processing purpose in Brazil. This exemption applies if (i) the country from which the data originates is recognized as adequate by the ANPD, and this exceptional situation is explicitly stated in the adequacy decision, and (ii) the originating country has passed legislation governing the return of personal data.
The Regulation also specifies that the ANPD will not exempt the application of the LGPD if the transfer could “violate or jeopardize the observance of the general principles of personal data protection and the rights of data subjects as provided in Brazilian legislation.” Determining when this scenario applies can be challenging. However, it likely pertains to transfers for public interest purposes conducted by governmental bodies, which should be specifically highlighted in ANPD’s adequacy decisions.
Mechanisms for International Transfers
Adequacy Decisions
The Regulation establishes several criteria for ANPD’s analysis regarding the equivalent level of personal data protection in a foreign country or international organization with the Brazilian data protection framework. To date, no adequacy decision has been issued. There are high expectations that the European Union will be recognized as adequate, as well as countries similarly recognized by the Union, such as Argentina and Uruguay, which have close commercial and diplomatic ties with Brazil. Once deemed adequate, the parties will not need to implement any contractual measures, significantly easing data transfers.
Worth highlighting is that only public legal entities can request the initiation of procedures for recognizing a particular jurisdiction as adequate.
Standard Contractual Clauses
The SCCs are included with this update. They must be adopted in their entirety, to be modified only where expressly permitted, and can be part of either a specific international transfer agreement or a broader agreement covering other aspects. However, in the latter case, the Regulation makes it clear that no other provision of the agreement may exclude, modify, or contradict—directly or indirectly—the content of the SCCs.
The full text of the clauses must be made available to the data subjects upon request within 15 calendar days.
The Regulation allows the ANPD to recognize SCCs from other countries or international organizations as equivalent (e.g., the European Commission’s SCCs). Any interested party, including private entities, can request the recognition of such equivalence. Once the ANPD recognizes a clause from another country as equivalent, it can be used to the same extent as the standard contractual clause published by the ANPD in the Regulation.
This could be an important tool to avoid amending contracts that already contain SCCs issued by the European Commission, for example. However, given that the inclusion of the ANPD's standard contractual clauses must be completed by August 23, 2025, the potential delay in publishing the decision on the equivalence of clauses by the ANPD should be taken into consideration when evaluating whether it’s worth seeking ANPD recognition of these SCCs as equivalent with the LGPD.
The Regulation grants a 12-month grace period for data processing agents (controllers or processors) to amend existing contracts by adding the new clauses, which means the deadline is August 23, 2025.
Binding Corporate Rules
According to the Regulation, Binding Corporate rules (BCRs) are intended for international transfers between organizations within the same economic group or conglomerate, and are binding on all members who subscribe to them. The Regulation introduced a series of formal requirements for requesting ANPD approval of BCRs. During the approval process, the ANPD may conduct inspections to verify the personal data processing operations covered by the rules and may also request a series of documents and information.
The Regulation defines what constitutes a group or conglomerate of companies as: “a group of companies, either de facto or de jure, with their own legal personalities, under the direction, control, or administration of a person or group of persons, whether legal or natural, who hold, individually or jointly, control over all the others.” However, the Regulation requires that the companies within a conglomerate demonstrate integrated interest, effective commonality of interests, and joint operation.
The BCRs must include, among other aspects:
- A commitment to implementing a privacy governance program that meets the minimum requirements of Section 2 of Article 50 of the LGPD, which provides for, among other things, the need to establish appropriate policies and safeguards based on a systematic assessment of privacy impacts and risks, including incident response and remediation plans, and continuously update the privacy governance program based on information obtained from ongoing monitoring and periodic evaluations;
- A description of the international data transfers to which the rules apply (e.g., categories of data and data subjects, purposes for processing, and legal bases for processing);
- Identification of the recipient jurisdictions;
- A list of the entities that form the conglomerate or group of companies, highlighting the role of each entity and providing the contact information for each organization processing personal data;
- Allocation of responsibilities for processing, indicating the entity responsible for each processing operation;
- Data subjects’ rights and the means to exercise them; and
- An obligation to notify the ANPD of any changes in the guarantees presented as sufficient to comply with the principles of data subject rights and the LGPD’s protection regime, especially if a group member is subject to legal requirements that prevent compliance with the BCRs.
The full text of the approved BCRs must be provided to data subjects upon request within 15 calendar days. If a trade or industrial secret is present in the rules, the controller may remove them before making them available to the data subjects.
Any changes to the content of the approved BCRs must be submitted for prior approval by the ANPD.
Specific Contractual Clauses
A controller may request the ANPD's approval of specific contractual clauses that, according to the Regulation, must offer and demonstrate guarantees of compliance with the principles, data subject rights, and the protection regime provided in the LGPD. There are also a series of formal requirements for this request.
Similarly to the approval of BCRs, during the approval process, the ANPD may conduct inspections to verify the personal data processing operations covered by the clauses, and may also request a series of documents and information.
It is important to note that specific contractual clauses can only be requested if the ANPD's SCCs cannot be adopted due to exceptional circumstances, which must be proven to the ANPD in the request.
The Regulation leaves room for this approval of specific contractual clauses to be extended to other controllers performing international transfers in similar circumstances—the ANPD will even publish these specific clauses, respecting trade and industrial secrets if necessary, so that they may be used by third parties.
If a controller, in the absence of SCCs, had been adopting a specific clause to support their international transfers, requesting its approval from the ANPD could be a way to avoid amending all of their existing contracts. However, timing is crucial, as the probable delay in the ANPD's approval could jeopardize compliance with the Regulation's 12-month grace period to harmonize existing contracts with the ANPD’s new SCCs.
The full text of the specific contractual clauses approved by the ANPD must be made available to the data subjects upon request within 15 calendar days. If there are any trade or industrial secret in the clauses, the controller may remove them before providing them to data subjects.
Any changes to the content of the approved specific clauses must be submitted for prior approval by the ANPD.
Specific Transparency Measures
The Regulation introduced a requirement for any new privacy notice or policy specifically for international transfers to be made available on the controller's website in Portuguese, using clear, precise, and accessible language. This document on international transfer transparency can be published either on a specific page or integrated into the existing notice or policy. This notice for international transfers must include at least:
- The means, duration, and specific purposes of the international transfers being carried out;
- The destination jurisdictions of the personal data;
- The controllers’ identification and contact details;
- Information on data sharing by the controller and its purposes (the ANPD did not specify how this differs from the first point);
- The responsibilities of the processing agents in terms of identifying whether the recipients are controllers and/or processors;
- The security measures adopted while transferring personal data internationally; and
- The rights of the data subjects, through an easily accessible channel (e.g., email), highlighting the right to petition the ANPD against the controller.
The Regulation does not specify any timeframe for implementing these measures, meaning that, as a general rule, the new specific notices regarding international transfers should be made available on the controllers’ websites as soon as possible.
Conclusion
The Regulation imposes several challenges for controllers and processors, both in terms of implementing the mechanisms mentioned above and concerning the required transparency measures. Although the Regulation does not impose a specific impact assessment obligation, it is advisable for controllers to also assess the risks involved under the legislation of the destination countries, as is already practiced in the European Union.
We will be monitoring the next steps of the ANPD, particularly the volume and speed of approval of BCRs and SCCs.