On August 23, 2024, the Brazilian Data Protection Authority (“ANPD”) published Resolution 19/2024, approving the Regulation on international data transfers and the content of standard contractual clauses (the “Regulation”).  The Regulation implements the international data transfer framework under the Brazilian General Data Protection Law (“LGPD”).

Under the LGPD, international data transfers from Brazil to a third country are permitted if: (i) the ANPD recognizes the third country as providing adequate protection for personal data; (ii) the data exporter and data importer enter into standard contractual clauses (“SCCs”), binding corporate rules, or special contractual clauses; or (iii) one of the specific cases listed in the LGPD applies (e.g., the transfer is necessary to protect the life of the data subject, the data subject consents to the transfer, or the ANPD authorizes the transfer).  The Regulation relates to the data transfer instruments mentioned in (i) and (ii).

Standard Contractual Clauses
The Regulation approves and publishes SCCs for the transfer of personal data outside of Brazil without ANPD’s authorization.  The SCCs cover both controller-to-controller and controller-to-processor international data transfers.  Like the EU SCCs, they are contracts signed between the data exporter (in Brazil) and the data importer (in a third country).  The parties may not modify them.  The ANPD may allow the transfer of personal data outside of Brazil on the basis of “equivalent SCCs” adopted by third countries, provided that they are compatible with the LGPD.  The ANPD has not (yet) indicated that it would recognize the EU SCCs as equivalent.

Brazilian controllers that use contractual clauses to transfer personal data internationally must replace those contracts with the newly published SCCs by August 22, 2025.

Adequacy Decisions
The Regulation sets out the procedure that the ANPD must follow in order to make an adequacy decision, i.e., to recognize a third country as providing adequate protection for personal data.  It requires the ANPD to consider, among other things, compliance with data protection principles, data protection rights, and legal and institutional safeguards for the protection of personal data (e.g., the independence of the regulator and judicial remedies for data subjects).

Specific Contractual Clauses and Binding Corporate Rules
The Regulation sets out the procedure for controllers to seek ANPD’s approval of:

  • bespoke contract clauses (i.e., contract clauses that differ from the approved SCCs), for example, when the approved SCCs cannot be used due to “exceptional circumstances” to be assessed on a case-by-case basis; and
  • binding corporate rules for data transfers within the same group of companies.

****

Covington & Burling regularly advises the world’s top technology companies on their most challenging regulatory and compliance issues around the globe.  If you have any questions about the international data transfer framework, please do not hesitate to contact us.

(This blog post was written with the contributions of Alberto Vogel.)

Photo of Dan Cooper Dan Cooper

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing…

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing clients in regulatory proceedings before privacy authorities in Europe and counseling them on their global compliance and government affairs strategies. Dan regularly lectures on the topic, and was instrumental in drafting the privacy standards applied in professional sport.

According to Chambers UK, his “level of expertise is second to none, but it’s also equally paired with a keen understanding of our business and direction.” It was noted that “he is very good at calibrating and helping to gauge risk.”

Dan is qualified to practice law in the United States, the United Kingdom, Ireland and Belgium. He has also been appointed to the advisory and expert boards of privacy NGOs and agencies, such as the IAPP’s European Advisory Board, Privacy International and the European security agency, ENISA.

Photo of Anna Oberschelp de Meneses Anna Oberschelp de Meneses

Anna Sophia Oberschelp de Meneses is an associate in the Data Privacy and Cybersecurity Practice Group.

Anna is a qualified Portuguese lawyer, but is both a native Portuguese and German speaker.

Anna advises companies on European data protection law and helps clients coordinate…

Anna Sophia Oberschelp de Meneses is an associate in the Data Privacy and Cybersecurity Practice Group.

Anna is a qualified Portuguese lawyer, but is both a native Portuguese and German speaker.

Anna advises companies on European data protection law and helps clients coordinate international data protection law projects.

She has obtained a certificate for “corporate data protection officer” by the German Association for Data Protection and Data Security (“Gesellschaft für Datenschutz und Datensicherheit e.V.”). She is also Certified Information Privacy Professional Europe (CIPPE/EU) by the International Association of Privacy Professionals (IAPP).

Anna also advises companies in the field of EU consumer law and has been closely tracking the developments in this area.

Her extensive language skills allow her to monitor developments and help clients tackle EU Data Privacy, Cybersecurity and Consumer Law issues in various EU and ROW jurisdictions.