The extraterritorial scope of Brazil’s General Data Protection Law reaches far beyond its borders — perhaps further than any comparable data protection law. Its data transfer regime could have huge operational impacts for companies around the world. Whether it does and in what ways will hinge on how it is applied.
Brazil has the ninth-largest economy in the world, as measured by gross domestic product. Among those with larger economies, half — Germany, the U.K., France and Italy — already share a single comprehensive data protection regime, the EU General Data Protection Regulation or its U.K. equivalent. Other than those European nations, only Japan has both a larger economic footprint and a comprehensive data protection law. The other three — the U.S., China and India — all have legislation in the works. Due to its size and economic integration, privacy professionals have closely monitored Brazil’s more-than-decade-long legislative process that led to the adoption of the LGPD. As they dig into the data protection rights it creates for individuals (the focus of part one of this series by IAPP Westin Research Fellow Sarah Rippy), the data governance responsibilities it places on companies (the subject of part two by IAPP Senior Westin Research Fellow Müge Fazlioglu, CIPP/E, CIPP/US), and international transfer mechanisms it requires, they will surely take a heightened interest.
So, what does Brazil’s now-in-force data transfer regime look like?
The answer is simple. It looks a lot like Europe’s. The LGPD even maintains similar article and chapter numbers for ease of reference. Article 3 articulates the geographic scope, and Chapter V, the data transfer mechanisms in both laws. Despite the clear similarities, there are nuances well worth considering in the text of the law, as well as its historical and geopolitical grounding that could influence how it is operationalized.
The text: Article 3 — extraterritorial scope
The LGPD replicates the GDPR’s extraterritorial scope and then takes it one giant step further. The LGPD, like the GDPR, applies to processing carried out in Brazil, as well as processing related to the offering or provision of goods or services to individuals in Brazil. Importantly, Article 3 also provides, as translated into English, that the LGPD applies where “the personal data being processed were collected in the national territory” and goes on to explain that “data collected in the national territory are considered to be those whose data subject is in the national territory at the time of collection.”
Operationally, these words imply that the full scope of the LGPD applies in perpetuity to data processing related to individuals in Brazil whether by a Brazilian or foreign controller or any processor anywhere to whom either might transfer such data. In short, if your company is processing personal data related to individuals in Brazil, the LGPD now applies regardless of the origin of that data.
Since Article 3 makes clear that LGPD protections and rights follow the data globally, it begs the question of why Chapter V transfer mechanisms would be required to extend its legal protections overseas. Nonetheless, they too are required, much like under the GPDR, with significant operational impacts.
The text: Chapter V — data transfer mechanisms
The LGPD’s data transfer regime, like the GDPR’s, is premised on the idea that personal data must remain within a physical territory — in this case, Brazil — unless certain circumstances exist. Chapter V outlines those circumstances or transfer mechanisms, which closely resemble those available under the GDPR.
Commercial entities can transfer personal data out of Brazil in the following cases:
- When the recipient country or international organization is deemed adequate by the Autoridade Nacional de Proteção de Dados.
- Under the controller’s specific contractual clauses approved by the ANPD.
- Under the controller’s standard contractual clauses adopted by the ANPD.
- Pursuant to the controller’s binding corporate rules approved by the ANPD.
- When the controller has proven compliance via regularly issued stamps, certificates or codes of conduct as provided by the ANPD.
- With authorization from the ANPD.
- When the data subject has given specific and highlighted consent for the transfer with prior information about the international nature of the operation clearly distinct from other purposes.
- When necessary for the execution of a contract or preliminary procedures related to a contract of which the data subject is a party, at the request of the data subject.
The list above does not include LGPD transfer mechanisms that are not readily accessible to companies in the normal course of business, such as those designed for the public sector, defense of legal claims, compliance with legal obligations or the possibility of transferring data when necessary to save a life.
The ANPD must take action to operationalize six of the eight mechanisms listed above. While the ANPD board was recently approved by the Senate, the new agency is not yet set up or staffed. Once it is, it is unclear how long it will take to assess, create or approve the data transfer mechanisms outlined in the law. Until then, with the LGPD now in force, companies may be limited to two data transfer mechanisms only — specific and distinct consent and the necessity for the execution of a contract.
Given the relatively limited nature of these two mechanisms, at least as operationalized under the GDPR, it is worth considering how the ANPD might approach the others. How soon could they be available? And, what might they look like?
Since each of the mechanisms listed above has a close relative under the GDPR, the EU’s experience, as well as the experience of other nations that have replicated the EU model, is instructive. The history of these mechanisms and the current economic and geopolitical context in which each was released offer insight into how the ANPD might operationalize them and the impact that could have on companies.
Historical and geopolitical context
Most major companies around the world are familiar with adequacy determinations, standard contracts and BCRs, which grew up under the EU Data Protection Directive, which preceded the GDPR. They have a checkered past, have frequently faced EU legal challenges and currently stand on shaky ground following the July 2020 “Schrems II” ruling by the Court of Justice of the European Union. But, more importantly, they came of age when the internet was more nascent, and commercial cross-border data flows just a little less integral to the average small business. As a result, at first, there was somewhat less urgency to make them operational.
The EU Data Protection Directive, which established the data transfer regime on which the LGPD is modeled, was adopted in 1995 and entered into application in 1998. The European Commission issued its first two adequacy determinations in 2000, five years after the adoption of the law, and two years after it took effect. It recognized 11 additional countries or territories as adequate over the next 20 years. The commission released the original set of SCCs for the controller to controller transfers in 2001 and the first set for controller-to-processor transfers in 2002. The U.K. Information Commissioner’s Office approved the first set of BCRsin 2005. About 140 followed over the next 15 years. In short, the EU’s experience suggests that bespoke assessments and approvals take time — years, in fact.
Countries whose laws were adopted later arguably faced greater time-pressure to make their data transfer regimes work and keep the data flowing. Perhaps, as a result, they have approached these mechanisms differently. In most instances, they took an EU-plus approach, grandfathering EU-approved mechanisms and countries and then adding a few additional options to the mix.
In 2001, Israel, for instance, replicated the adequacy model in its regulations but did not make its own adequacy determinations or adopt unique standard contracts. Rather, as IAPP Vice President and Chief Knowledge Officer Omer Tene recently explained, its implementing regulations simply allow transfers to EU member states, signatories of Council of Europe Convention 108, any country “which receives data from Member States of the EU, under the same terms of acceptance,” and from an Israeli parent to a subsidiary, among other listed options.
Colombia, which adopted a data protection law in 2012 with a similar adequacy requirement, published its own list of adequate countries in 2017, which recognizes as the adequate EU member states, those countries recognized by the EU, as well as Mexico, South Korea, Costa Rica, Serbia, Peru, and the U.S.
Japan’s Act on the Protection of Personal Information entered into force in May 2017, bringing with it an adequacy regime among a broader set of transfer options. Just over a year later, Japan successfully concluded talks with the EU that led to Japan’s one and only adequacy determination — mutual recognition of adequacy with the EU. Meanwhile, Japan continues to participate in the APEC Cross Border Privacy Rules System. The CBPR System is a multilateral approach to data protection and transfers, which requires assessment and approval of participating economies’ enforceable data protections and certification of participating companies’ protections by approved third parties. Eight other countries participate alongside Japan — the U.S., Mexico, Canada, Singapore, South Korea, Australia, Chinese Taipei and the Philippines.
What’s next?
This history suggests the ANPD has options in how it operationalizes Chapter V of the LGPD. Over the course of time, countries that adopted an EU-like data transfer model have increasingly recognized EU-approved mechanisms alongside others. The data transfer mechanisms outlined in Chapter V certainly provide the ANPD such flexibility.
The ANPD could choose to use its adequacy power to adopt an EU-plus model, as Israel and Colombia did, or lean more heavily on other options like Japan, or even rechart a path once taken by the U.K. by delegating authority to make such determinations to those controlling the data. The ANPD could recognize existing EU SCCs and BCRs or simply require contractual protections to provide a comparable level of protection, as Canada has done. The ANPD could also lead the way in operationalizing certificates or codes of conduct, a feature of the GDPR which is not yet functional, by pursuing participation in the CBPR System or working with local associations to recognize codes of conduct and increase its reach by deputizing third-party certifiers. Until then, companies may need to rely on consent and necessity for the performance of a contract for the majority of ongoing transfers.
As one of the biggest economies in the world, the choices that Brazil makes regarding its new data transfer regime will be closely scrutinized and impactful. With EU data transfer mechanisms on shaky ground and limited options to move data out of Brazil without ANPD action, ANPD leadership and creativity will be urgently sought.
Photo by Isabela Kronemberger on Unsplash