This regulation was introduced during broader discussions about creating a “sovereign cloud” as part of Brazil’s Artificial Intelligence Plan. The goal of this cloud would be to keep government data within the country and independent of foreign infrastructure. Under Brazil’s General Data Protection Law (“LGPD”), international data transfers are allowed but only under specific conditions and through legally recognized mechanisms. The new International Data Transfer Regulation clarifies what such mechanisms look like.
In similar fashion to EU law, the International Data Transfer Regulation permits international data transfers if the recipient country ensures a level of protection comparable to that provided by the LGPD, as determined by the ANPD. The new regulation clarifies that the ANPD will work to ensure “equivalence in the level of personal data protection” in providing or denying adequacy decisions. As such, the ANPD will review whether applicable protective frameworks in the transferee country are sufficiently similar to Brazil’s standards.
In determining whether to provide adequacy decisions, the ANPD will evaluate factors such as the transferee country’s laws, data protection principles, data subject rights, security measures, and institutional safeguards with respect to the protection of data. Although no adequacy decisions have been made yet, the ANPD will consider how these decisions impact international data flows, and has stated that it will prioritize providing adequacy decisions to countries that provide reciprocal treatment to Brazil with respect to international data transfers.
The LGPD also permits international data transfers when data controllers (parties controlling and determining the nature of processing performed on personal data, defined similarly to how that term is used in the European Union’s General Data Protection Regulation (“GDPR”)) can demonstrate compliance with Brazilian data protection principles, subject rights, and the broader protection regime set by the law. This can be done through Standard Contractual Clauses (“SCCs”), Specific Contractual Clauses, or Binding Corporate Rules (“BCRs”).
Standard Contractual Clauses
Brazil’s ANPD has introduced a strict model for SCCs in an annex to the new International Data Transfer Regulation. Concepts set forth in these SCCs are similar to those found in comparable SCC frameworks in the EU, U.K., New Zealand, and Singapore. Brazilian SCCs can either be standalone contracts or incorporated into larger agreements, but they must be adopted in full and with no changes to the text as set forth in the International Data Transfer Regulation (save for specific, customizable fields that are set forth in the SCCs as promulgated in the International Data Transfer Regulation).
The ANPD also offers a process for recognizing foreign SCCs (such as those used in the EU) as equivalent, which process can be initiated either by the ANPD or by any interested party.
Specific Contractual Clauses
If SCCs cannot be used, organizations may rely on Specific Contractual Clauses as a secondary option. These clauses must closely reflect the SCCs promulgated in the International Data Transfer Regulation, must only be used in exceptional cases, and must be submitted to the ANPD for approval. Notably, the ANPD has not provided guidance as to when Specific Contractual Clauses would be approved.
In cases of intragroup transfers within a larger organization, such organizations can use BCRs, which are legally binding policies governing how companies within a multinational organization transfer data from Brazilian data subjects to parties outside of Brazil. Much like their usage in the EU, BCRs require governmental approval (in this case from the ANPD), and the process for obtaining successful approval of such BCRs requires several steps as outlined in the International Data Transfer Regulation, such as the establishment of a comprehensive data privacy governance program. As such, BCRs remain a better option for larger multinational organizations.
Transparency in Contractual Instruments
The International Data Transfer Regulation also mandates increased transparency for the use of contractual instruments in international data transfers. Data controllers must provide the full text of the contractual instruments used upon request by an applicable data subject within 15 days (subject to exclusions for trade secrets). They must also publish information about international data transfers on their websites, and such publication must be in Portuguese, and must be clear, precise and simple for readers.
Beyond the measures discussed above, the LGPD allows international transfers in certain specific situations, including: international legal cooperation agreements; where ANPD authorization has been obtained for such transfer; protection of life or safety; as required by public policy or for legal or regulatory compliance; as required by contractual necessity with respect to the applicable data subject; and with the applicable data subject’s consent.
The International Data Transfer Regulation is now in effect, with the ANPD enforcing compliance under its regulations. SCCs may be implemented by covered organizations over the next 12 months, and the ANPD is beginning to make determinations as to adequacy decisions, the acceptability of foreign jurisdictions’ SCCs, and BCRs.
Businesses processing the data of Brazilian data subjects are encouraged to begin the process of implementing data maps to identify covered data that is subject to international transfers covered by the International Data Transfer Regulation. Internal policies must be set to limit liability under the new regulation and comply with transparency requirements. Covered organizations are encouraged to begin the time-consuming processes of implementing SCCs or seeking approval under other contractual mechanisms for international data transfers as discussed above. As we anticipate further evolving regulation regarding international data transfers and general data privacy regulation in Brazil, now is the time for businesses handling data of Brazilian data subjects to begin their compliance process to avoid unnecessary penalties and be prepared to pivot as regulations continue to change.