18/12/24
Mechanisms for international data transfers are essential for protecting data subjects’ rights while simultaneously fostering the growth of the digital economy and international trade. These mechanisms have become increasingly important in a world where data moves seamlessly across borders, fueling global innovation, business operations, and communication. Recognizing this, the Brazilian General Data Protection Law (LGPD), enacted in 2018, assigned the Brazilian Data Protection Agency (ANPD) the responsibility of regulating such transfers. This marked a pivotal step in Brazil’s journey toward aligning its data protection framework with global standards. Article 33 of the LGPD outlines the legal mechanisms for international data transfers, which include adequacy decisions and safeguards like Standard Contractual Clauses (SCCs), tailored contractual clauses, binding corporate rules, and mechanisms such as seals, certificates, or codes of conduct.
To address the long-standing regulatory gap in this area, ANPD enacted Resolution CD/ANPD No. 19 on August 23, 2024. This resolution provides rules governing international data transfers and introduces standardized SCCs, offering companies a concrete framework to navigate cross-border data flows. Before the resolution’s publication, the absence of specific regulations created significant challenges for Brazilian companies engaging in international operations. Uncertainty regarding the legality of cross-border transfers discouraged businesses from transferring data abroad, while foreign companies were reluctant to transfer data to Brazil. Many foreign jurisdictions, such as those governed by the European Union’s GDPR, viewed Brazil’s adequacy level as insufficient, which hindered international collaboration and data exchange.
The resolution aims to bridge these gaps by establishing actionable guidelines for SCCs. These clauses are widely recognized as practical and efficient, providing a straightforward mechanism for ensuring compliance with data protection standards. Unlike alternative mechanisms such as seals, certificates, and codes of conduct – which remain unregulated for now –, and tailored contractual clauses and binding contractual rules – which require prior approval from ANPD -,SCCs can be implemented without further formalities. This approach reflects ANPD’s pragmatic understanding of global best practices, where SCCs are the preferred tool due to their immediate applicability. By prioritizing SCCs, the resolution helps create an environment of legal certainty, reducing administrative burdens for businesses while enhancing Brazil’s position in the international data protection landscape.
The resolution defines international data transfer through cumulative criteria that clarify its scope and applicability. First, it involves processing agents, such as controllers or processors, where one entity (the exporter) transfers data to another (the importer). The exporter may act as a controller while the importer operates as a processor, or vice versa. Second, the processing must occur within Brazil and relate to the supply of goods or services to the domestic market or involve data belonging to individuals located in Brazil. Lastly, the data exporter may be located either inside or outside Brazil. If these conditions are met, the LGPD applies, irrespective of the mechanism used or the geographic location of the agents or the data.
The resolution also introduces important clarifications that reduce ambiguities. For instance, the direct collection of personal data by a foreign entity from individuals in Brazil is not classified as an international transfer but rather as international collection. Consequently, such activities fall outside the resolution’s scope, though the rights of Brazilian data subjects remain protected under the LGPD. Similarly, data merely transiting through Brazil without interaction or processing by a local agent is exempt from these provisions, further delineating the boundaries of the resolution’s applicability.
SCCs, as detailed in Annex II of the Regulation, establish minimum guarantees for international data transfers. To ensure their validity, these clauses must be adopted without modification and incorporated into contracts between exporters and importers. They can be included in standalone agreements or integrated into broader contracts, provided no additional provisions contradict or undermine the SCCs. The resolution allows parties to supplement certain sections, such as general information about the parties, the scope of the transfer, and security measures. However, strict adherence is required for core clauses covering areas like purpose limitation, transparency, data subject rights, liability, and jurisdiction. This standardized approach enhances legal certainty while reducing the oversight burden on ANPD.
Despite their advantages, SCCs may not be the ideal solution for all scenarios. Larger multinational organizations often prefer Binding Corporate Rules (BCRs) due to their inherent flexibility and ability to tailor rules to the group’s operational needs. BCRs, however, come with significant challenges. Their adoption requires prior ANPD approval, along with evidence of effective implementation and ongoing compliance across all entities within the corporate group. Additionally, BCRs must demonstrate practical application beyond written policies, a requirement that limits their widespread use even in regions like the European Union. As a result, SCCs remain the most accessible and pragmatic solution for many businesses operating internationally.
The resolution took effect immediately upon its publication, but ANPD provided companies with a 12-month transition period to integrate SCCs into existing agreements. This phased implementation acknowledges the operational complexities faced by businesses while emphasizing the importance of compliance. The introduction of these rules represents a milestone in Brazil’s data protection journey, providing much-needed legal certainty for companies involved in cross-border data flows. These rules address common scenarios such as intra-group transfers of HR data between Brazilian subsidiaries and parent companies abroad, as well as data storage in foreign cloud servers.
Nevertheless, stakeholders must remain vigilant to ensure full compliance with the LGPD and the resolution. Identifying transactions that qualify as international transfers and adhering to the established rules is essential. By fostering standardization and offering practical tools for compliance, this resolution strengthens Brazil’s position as a trusted partner in the global data economy. It not only aligns Brazil with international norms but also equips businesses with the resources needed to operate confidently in a data-driven world.
_
NEWS
03/10/24
Compliance
20/03/24
Trabalhista
ALL NEWS 
