The newly introduced framework sets forth detailed requirements for organizations involved in transferring personal data internationally, aligning Brazil’s data protection regime with international standards such as the GDPR in the European Union. The objective of these rules is to ensure that personal data is granted the same level of protection abroad as it is domestically in Brazil, thus protecting the privacy rights of Brazilian data subjects.
Under the regulation, personal data may only be transferred to countries or international organizations that ensure an “adequate level of protection.” The ANPD will assess whether a foreign jurisdiction’s data protection standards are sufficient based on factors such as legal frameworks, international commitments, and the effective enforcement of rights.
In the event that the recipient country does not offer adequate protection, businesses must rely on specific mechanisms to legitimize the transfer. These include:
- Standard Contractual Clauses (SCCs) approved by the ANPD,
- Binding Corporate Rules (BCRs) for multinational organizations,
- Explicit and informed consent from the data subject, or
- Execution of international cooperation agreements for data protection.
Organizations must perform comprehensive assessments of the risks associated with cross-border data transfers. These assessments should address the legal, technical, and operational measures required to safeguard personal data. The principle of accountability is at the core of the regulation, requiring businesses to document compliance efforts and implement internal governance policies to protect data during transfer.
The regulation strengthens the rights of data subjects by ensuring that individuals retain control over their personal data even when it is processed internationally. Companies must provide clear and transparent information to data subjects about where their data will be transferred, under what legal basis, and the safeguards in place.
In this regard, organizations must promptly adapt their data handling practices to comply with the regulation within one year. Failure to adhere to the rules could lead to administrative sanctions, including warnings, fines, and the suspension of data processing activities. The ANPD has outlined specific compliance deadlines for businesses to ensure the safe and lawful transfer of personal data across borders.
With the new Regulation CD/ANPD nº 19/2024, businesses that engage in international data transfers, whether within the same corporate group or to third-party service providers, must review and potentially modify their practices to meet the compliance obligations outlined by the ANPD. This includes updating data transfer agreements, revising internal policies, and ensuring that contractual clauses or safeguards are in place when transferring data to countries without adequate protections.
Our team is here to assist you in navigating these regulatory changes and ensuring that your organization remains compliant with the ANPD’s data transfer requirements. We offer comprehensive services, including risk assessments, legal support in updating contracts, and guidance on implementing robust data governance frameworks.
—
Author: Daniel Eustáquio Ramos Marinho, and Cesar Peduti Filho, Peduti Advogados.
—
If you want to learn more about this topic, contact the author or the managing partner, Dr. Cesar Peduti Filho.