On 23 Aug., Brazil's data protection authority, the Autoridade Nacional de Proteção de Dados, published its long-awaited International Data Transfer Regulation.

The ANPD began drafting the regulation in May 2022, initiating the process with a call for contributions, followed by a public consultation and public hearing.

Publication of the regulation comes amid discussions of creating a "sovereign cloud" as part of Brazil's Artificial Intelligence Plan, which aims to ensure government data is stored within national borders, avoiding reliance on foreign infrastructure.

Brazil's General Data Protection Law allows international data transfers only under specific circumstances and through legally defined and independent mechanisms. However, many of these mechanisms were not fully outlined by the LGPD — including the framework for standard contractual clauses — preventing data controllers from effectively implementing them until the ANPD provided necessary guidelines.

Now, under the International Data Transfer Regulation, data controllers can rely on a wider array of mechanisms provided by the LGPD for their cross-border activities, such as the newly delineated contractual instruments, which advance an area that needed development.

Adequacy decisions

Brazilian law permits international data transfers when the third country provides an adequate level of protection comparable to the LGPD.

While what constituted an adequate level of protection was previously uncertain, the new regulation clarifies the ANPD is seeking "equivalence in the level of personal data protection," meaning the authority will look for a protective framework similar or comparable, though not necessarily identical, to Brazil's.

In assessing adequacy, the ANPD will consider factors such as the third country's general and sectoral laws, the nature of the data, adherence to data protection principles and data subject rights, implementation of adequate security measures, and the existence of judicial and institutional safeguards, among others.

While the ANPD has not yet issued any adequacy decisions, it stated it will consider the impact of such decisions on international data flows and prioritize countries that provide reciprocal treatment to Brazil.

Contractual instruments

The LGPD also permits cross-border transfers when data controllers provide and demonstrate adequate guarantees of compliance with data protection principles, data subject rights and the overall protection regime set forth in the law.

Currently, this can be achieved through SCCs, specific contractual clauses or binding corporate rules.

The ANPD introduced a rigid model for SCCs, drawing inspiration from frameworks in the EU, U.K., New Zealand and Singapore. Brazil's SCCs can be part of a stand-alone contract or attached to a broader agreement, provided they are adopted in full by the parties, with no modifications to the text.

The SCCs are divided into four sections: general information, mandatory clauses, security measures, and additional clauses and annexes. Unlike the European Commission's clauses, Brazilian SCCs do not feature specific modules but instead offer customizable fields, with the exception of the mandatory clauses section. This flexibility allows for adjustments to accommodate the particular circumstances of the transfer or the parties involved.

Notably, the ANPD may recognize the equivalence of foreign SCCs through a procedure initiated by the ANPD board or requested by any interested party. For the SCCs to take effect, the board must approve and publish them on the ANPD website, assessing compatibility with Brazil's SCCs.

If a transfer cannot be carried out using SCCs, organizations may rely on specific contractual clauses as a subsidiary mechanism. These clauses should mirror the language of the SCCs as much as possible, be presented in exceptional and justified cases, and be submitted to the ANPD for prior approval.

However, the ANPD has not yet clarified the circumstances in which the specific contractual clauses would apply. Their subsidiary and exceptional nature was questioned during the consultation and public hearing phases, given the LGPD does not establish a hierarchy among data transfer mechanisms.

As for intragroup international data transfers, organizations may use BCRs. This also requires a prior assessment from the ANPD, and data controllers must demonstrate compliance with several requirements to gain approval, including the implementation of a data privacy governance program.

According to the regulation, all contractual instruments are subject to additional transparency measures, which impose two obligations on data controllers. Upon the data subject's request, controllers have 15 days to provide the full text of the contractual instruments used for the transfer, excluding any trade secrets. Controllers must also publish information on international data transfers in their privacy notice or another publicly accessible document on their website.

Finally, while the LGPD also allows for the use of seals, certificates or codes of conduct as transfer mechanisms, the ANPD has chosen to regulate these later.

Other mechanisms

In addition to adequacy decisions and contractual instruments, the LGPD permits international data transfers under specific circumstances.

These include international legal cooperation or international cooperation agreements, protection of life or physical safety, the ANPD's prior authorization, execution of public policy, data subjects' consent, compliance with legal or regulatory obligations, contractual necessity, and the regular exercise of rights.

Although the ANPD's regulation does not go into detail on these circumstances, it confirms they remain valid and independent mechanisms for international data transfers — distinguishing them from EU General Data Protection Regulation derogations, as they are not considered exceptional measures but part of the legal framework for data transfers.

Next steps for organizations

With the regulation now in effect, the ANPD will oversee and enforce compliance for international data transfers. Organizations have 12 months to implement SCCs, but the other regulated mechanisms are already in force.

Thus, the ANPD may issue adequacy decisions and receive requests for approval of specific contractual clauses or BCRs. Foreign entities may also request the ANPD to recognize the equivalence of their own country's SCCs.

Organizations subject to the LGPD should map their international data transfers and select the most appropriate mechanisms to validate them. Given that specific contractual clauses and BCRs require prior approval from the ANPD, which may be time-consuming, SCCs and other transfer mechanisms are likely to be the preferred options for data controllers.

Still, certain aspects of the regulation remain unclear or contentious.

For example, data exporters who wish to rely on specific contractual clauses may face uncertainty about the conditions under which the clauses will be accepted by the ANPD. Organizations might also have questions about the minimum content and level of detail required to meet the additional transparency measures for contractual instruments.

Lastly, there will inevitably be discussions about the adequacy of SCCs and whether additional measures are necessary to ensure a sufficient level of protection, mirroring concerns raised in the EU under Schrems II.

Navigating data protection remains a persistent challenge amid constant change. The ANPD is expected to provide further guidance on cross-border data transfers as it continues its regulatory efforts.

Fernando Bousso, CIPP/E, CIPM, CDPO/BR, FIP, is a partner and head of technology, privacy and data protection at Baptista Luz Advogados. Matheus Botsman Kasputis is an associate attorney at Baptista Luz Advogados.
