Author: Alan Campos Elias Thomaz

Transferring personal data across borders is a crucial component of global business and communication. International Data Transfer (“IDT”) refers to the movement of personal data from one country to another or to an international organization.
Brazil’s General Data Protection Law (Law No. 13,719 – “LGPD”) provides a thorough legal framework to govern these transfers, protecting the rights of Brazilian citizens and of other individuals located in Brazil.

While Brazil’s IDT mechanisms share similarities with those in the European Union’s General Data Protection Regulation (“GDPR”), there are some key differences. Under Brazilian law, international data transfers are permitted in several situations, including when the receiving country provides an adequate level of protection, or when the transfer relies on standard contractual clauses (SCCs) defined by the Data Protection Authority (“DPA”), specific contractual clauses, binding corporate rules, certifications, or other mechanisms. These mechanisms are discussed further in this article.

On August 23, 2024, the Brazilian DPA, the “ANPD”, issued Resolution No. 19/2024, which provides regulations on certain mechanisms that permit international transfers in Brazil, including decisions recognizing the adequacy of protection in certain countries, SCCs, specific contractual clauses, and binding corporate rules. Other mechanisms were not included in this resolution.

Definition of International Data Transfer

International data transfer involves sending personal data from one country to another or to an international organization. This process includes a “data exporter” who sends the data from Brazil and a “data importer” who receives it in any other country. Two common situations where IDT occurs are:

  1. A Brazilian company (exporter) hires a foreign company (importer) to process personal data outside Brazil.
  2. A Brazilian company hires a local service provider, who then outsources to a foreign company (importer).

In both situations, an IDT occurs, and a valid mechanism must be in place to ensure compliance. It is important to distinguish between international data transfer and international data collection. IDT involves two entities (exporter and importer), whereas international data collection occurs when data is collected from individuals in Brazil by a foreign entity. In this case, IDT rules do not apply, though the LGPD still applies to the foreign entity collecting the data.

Mechanisms for International Data Transfers – Regulated by the Brazilian DPA

Article 33 of the LGPD lists specific circumstances under which IDTs are allowed, and these are further detailed in Resolution No. 19/2024:

  • Adequate Level of Protection: The ANPD has the authority to determine whether certain countries or organizations offer a level of data protection that aligns with Brazilian legal standards. If an adequacy decision is issued, it allows for data transfers to those countries or organizations without needing further transfer mechanisms.

This evaluation can be initiated by the ANPD Board or requested by a public entity. The review process looks at the country’s legal framework, security measures, and institutional guarantees. After a legal opinion from the Federal Attorney’s Office, the ANPD Board makes a final decision. These adequacy decisions are published and can be reassessed or revoked if circumstances in the country or organization change. As of this article’s publication, no adequacy decisions have been issued by the ANPD.
The ANPD will keep a public list of countries and organizations deemed to have an adequate level of protection for data transfers.

  • Standard Contractual Clauses (SCCs): These are pre-approved clauses issued by the ANPD, designed to ensure personal data remains protected when transferred to countries with different data protection laws. These clauses must be adopted without modification, as outlined in Appendix II of Resolution No. 19/2024, and organizations have until August 2025 to implement them.
  • Recognition of Equivalent SCCs: The ANPD may recognize SCCs from other countries as providing the same level of protection as the Brazilian SCCs. To achieve this recognition, the ANPD reviews how the foreign SCCs align with Brazilian law and the LGPD. Once reviewed and approved by the ANPD Board, these foreign clauses can be used for data transfers, provided the conditions of the Board’s decision are followed. As of this article’s publication, no foreign SCCs have been recognized as equivalent.
  • Specific Contractual Clauses: In cases where SCCs are not practical, organizations may use specific contractual clauses, provided they offer the same level of protection as the SCCs. These clauses must be tailored to the specific data transfer and require prior approval from the ANPD, which will evaluate their compliance with the LGPD. No specific contractual clauses have been approved so far.
  • Binding Corporate Rules: Companies within the same corporate group can adopt binding corporate rules, which are internal policies ensuring that all group members, regardless of their location, comply with Brazilian data protection standards. These rules require approval from the ANPD and must include detailed descriptions of the data transfers, the countries involved, and the security measures in place. These rules are especially useful for multinational companies seeking consistency in their data privacy practices. No binding corporate rules have been approved as of the date of this article.

Mechanisms for International Data Transfers – NOT Regulated by the Brazilian DPA

Resolution No. 19/2024 did not regulate all mechanisms for IDT outlined in the LGPD. The following mechanisms remain unregulated:

  • Seals, Certificates, and Codes of Conduct
  • International Cooperation Agreements
  • Specific ANPD Authorization
  • Implementation of Public Policies
  • Data Subject Consent
  • Legal or Regulatory Obligations
  • Performance of Contract
  • Judicial, Administrative, or Arbitration Proceedings
  • Protection of Life or Physical Safety

The ANPD has yet to clarify whether these mechanisms should be treated as fallback options relative to adequacy decisions, SCCs, or binding corporate rules. The LGPD does not indicate a preferred mechanism, and Resolution No. 19/2024 did not address this matter.

Transparency Requirements and Data Subject Rights

Resolution No. 19/2024 establishes that data subjects must be informed of any international data transfers, including the countries where their data will be sent. This information is typically included in privacy notices.

Additional Sector-Specific Regulations

In Brazil, certain sectors like banking have additional requirements for international data transfers. Organizations should assess whether sector-specific laws apply in their cases to ensure full compliance with IDT requirements.

Specific Recommendations

Given the complexities surrounding international data transfer, organizations should take several important steps to ensure compliance with the LGPD:

  • Conduct Due Diligence: Carefully review cases where IDTs occur, such as when hiring international service providers or when a local provider subcontracts foreign processors.
  • Understand the Regulatory Environment: Identify which laws and regulations apply, including any sector-specific rules.
  • Choose an Appropriate Transfer Mechanism: Implement the right IDT mechanism, such as SCCs, based on the situation.
  • Contractual Protections: Regardless of the transfer mechanism used, companies should establish clear contracts that outline the rights and responsibilities of all parties involved.
  • Transparency: Ensure privacy policies are updated to reflect the countries where data will be transferred.
  • Strong Security Measures: Implement stringent security measures to safeguard personal data during transfer and storage.
  • Stay Compliant: Continuously monitor changes in data protection laws and regulations to remain compliant.

Conclusion

International data transfers involve complex legal and regulatory considerations. Brazil’s LGPD, supplemented by Resolution No. 19/2024, offers a comprehensive framework to regulate these transfers, ensuring the rights of data subjects are protected while supporting global business operations. For organizations involved in cross-border data activities, it is crucial to understand the mechanisms and criteria outlined in the LGPD and implement the appropriate IDT mechanisms.
