Countdown: 30 days to comply with Brazilian Rules about International Data Transfer

On August 23, 2024, the Brazilian Data Protection Authority (“ANPD”) published the Resolution CD/ANPD No. 19/2024, which approved the regulation on international data transfers and the respective content of standard contractual clauses (SCCs), thereby regulating Articles 33 to 36 of the Brazilian Data Protection Regulation – LGPD (Law No. 13,709/2018).

Although the Resolution came into effect on the date of its publication, it established a 12-month deadline for data controllers and processors that use mechanisms for international data transfers to incorporate the ANPD-approved standard contractual clauses. This means the deadline for compliance is August 23, 2025, exactly 30 days from now.

The Regulation is guided by principles such as ensuring the protection of data subjects’ rights, adopting simple, operable, and transparent procedures, promoting the free and safe cross-border flow of personal data, and encouraging accountability, best practices, and preventive security measures.

It also clarifies that an international data transfer is typified when a data exporter sends personal data to a data importer, in accordance with specific, legitimate, and explicit purposes informed to the data subject. Mere international data collection, on the other hand, does not constitute data transfer.

Who must comply?

Any data controllers or processors that transfer personal data from Brazil to another country, including intra-group transfers, must adopt one of the mechanisms authorized under article 33 of LGPD.

What mechanisms are available?

• Adequacy Decision: ANPD may recognize countries or international organizations that provide a level of data protection equivalent to that of the LGPD, simplifying transfers to those destinations. No countries have yet been listed.
• Standard Contractual Clauses (SCCs): the ANPD-approved SCCs include 24 mandatory clauses, detailed in Annex II of the Resolution. These clauses must be implemented transparently and cover key LGPD compliance requirements related to personal data protection.

Any future “equivalent clauses” issued by foreign authorities or international organizations must be formally approved by ANPD’s Board of Directors and published on the authority’s official website.

• Specific Contractual Clauses: these may be used in exceptional factual or legal circumstances where SCCs are justifiably not applicable. Their use is subject to ANPD’s approval.
• Binding Corporate Rules (Bcrs): applicable to multinational groups or corporate conglomerates, BCRs must have a binding effect on all group members. Their use is subject to ANPD’s approval.

What do I do now?

Start by identifying the origin and destination of the personal data and determine which transfer mechanisms are currently in use (if any).

Carefully review existing contracts with international partners and cloud service providers. It is advisable to update contract templates and, where necessary, execute amendments to existing agreements.

Non-compliance may result in administrative and civil sanctions, including fines, as set forth in Article 52 of the LGPD.

Which mechanism best fits my business?

The most suitable transfer mechanism will depend on the specific characteristics and operational context of your organization. Factors such as data volume and sensitivity, group structure, destination jurisdiction, and the nature of third-party relationships should be weighed carefully.

Factors such as the volume and sensitivity of the data, the structure of the business group, the destination country, and the third parties involved all play a role. Each organization should conduct a tailored assessment to identify the most balanced and compliant solution.

Our Digital Law team is closely monitoring all developments on this matter. If you would like to receive more information on this topic, please contact us at digital@kasznarleonardos.com.