On August 23, Brazil’s National Data Protection Authority (ANPD) issued Resolution CD/ANPD No. 19, approving the International Data Transfer Regulation (Regulamento de Transferência Internacional de Dados, referred to as "the Regulation") and Standard Contractual Clauses (SCCs). The Regulation provides detailed guidelines for cross-border data transfers, regulating the transmission of personal data outside of Brazil. SCCs offer a legal mechanism for data transfers between the transferring party and the receiving party abroad.
Below is an overview of the main points of Brazil's International Data Transfer Regulation and SCCs.
Main Requirements
1. Scope of the Regulation
Cross-border data transfers must comply with both Brazil’s General Data Protection Law (Lei Geral de Proteção de Dados Pessoais, LGPD) and the Regulation in the following cases:
- When data processing takes place within Brazil, excluding cases specified in Article 4, section IV of the LGPD and Article 8 of the Regulation (i.e., data sourced from abroad with no communication or sharing with a Brazilian processing entity; or data sourced from abroad, processed, and returned to the originating country, provided that the originating country’s law applies, its data protection level is recognized as adequate by the ANPD, and this exception is explicitly acknowledged in the adequacy decision).
- When data processing activities aim to offer goods or services within Brazil or involve processing personal data of individuals in Brazil.
- When data is collected from within Brazil.
The Regulation also clarifies that data collection directly from individuals in Brazil by foreign data processors (international data collection) is not considered a cross-border transfer and is not subject to the Regulation, but such data collection must still comply with LGPD.
2. Principles of Cross-Border Data Transfers
The Regulation states that cross-border data transfers must comply with the principles of LGPD and the Regulation, which include:
- Ensuring data processing principles are followed, safeguarding data subject rights, and providing the same level of protection as Brazilian law.
- Using simple, interoperable procedures that align with international standards and best practices.
- Facilitating the free flow of data while promoting social, economic, and technological development and protecting data subject rights.
- Implementing effective measures to demonstrate compliance with LGPD regarding data subject rights and personal data protection.
- Ensuring transparency by providing clear, accurate, and accessible information to data subjects about data transfers.
- Adopting security measures proportional to the nature of the personal data, processing purposes, and associated risks.
3. Mechanisms for Cross-Border Data Transfers
According to the Regulation, cross-border data transfers can occur via the following mechanisms:
- ANPD’s adequacy decision;
- Contractual clauses for specific transfers;
- Standard Contractual Clauses (SCCs);
- Binding Corporate Rules (BCRs);
- Other mechanisms under LGPD Article 33, including periodic certifications, explicit consent from the data subject, or for legal or public policy obligations, among others.
4. Standard Contractual Clauses (SCCs)
When companies in or outside Brazil transfer personal data of Brazilian users abroad, they can use SCCs as a legal mechanism, but they must fully adopt the ANPD's provided SCCs (available in Annex II of Resolution CD/ANPD No. 19) without any modification. The SCCs cannot be amended directly or indirectly, nor can agreements contradict them. The ANPD may recognize SCCs from other countries or international organizations as equivalent.
The Regulation requires transparency measures, meaning that data controllers must disclose the following in Portuguese on their websites, either on a dedicated page or within the existing privacy policy:
- The purpose, method, and duration of the data transfer;
- The destination country;
- The identity and contact details of the data controller;
- Information about data sharing and its purposes;
- The responsibilities of the parties involved and security measures;
- The rights of the data subject and how to exercise them, including contact details for complaints to the ANPD.
The SCCs cover topics like:
- Responsibility for sharing information, responding to data subject requests, and reporting security incidents;
- General obligations for processing data according to specific purposes and implementing security measures;
- Data subject rights;
- Liability for breaches;
- Jurisdiction clauses.
Unlike the EU’s SCCs, which distinguish between "controller-to-controller" and "controller-to-processor" scenarios, Brazil’s SCCs are based on the role of the parties (data transferor or recipient) without modular clauses. Both parties share responsibility, especially when both are data controllers.
5. Binding Corporate Rules (BCRs)
BCRs apply to cross-border data transfers within the same corporate group. Approved by the ANPD, BCRs can serve as a mechanism for internal data transfers from Brazil to abroad within a corporate group.
The Regulation specifies that BCRs must include:
- A privacy governance program as per LGPD Article 50(2), including policies, safeguards, risk assessments, incident response plans, etc.;
- A description of cross-border data transfer activities, including data categories, processing operations, purposes, legal basis, and data subject types;
- Potential recipient countries;
- Corporate structure and roles of group entities in data transfers;
- Allocation of responsibilities;
- Data subject rights and mechanisms to exercise those rights;
- BCRs review procedures;
- Reporting obligations if any group entity is legally restricted from complying with BCRs.
Compliance Recommendations
Companies operating in Brazil should pay close attention to the Regulation to ensure cross-border data transfer activities comply with Brazilian regulations. In general, businesses must establish a legitimate transfer mechanism and adhere to the cross-border transfer requirements.
If SCCs are used, companies must incorporate the ANPD’s SCCs into their contracts by August 23, 2025. It’s also important to implement transparency measures and disclose the required information as per the Regulation.