Brazil’s data protection authority (ANPD) regulates the international transfer of personal data



As of August 23, ANPD Resolution CD/ANPD 19/2024 has come into effect, under which ANPD has approved the International Data Transfer Regulation and the content of the standard contractual clauses. This topic is one of the items in Phase 1 of ANPD’s Regulatory Agenda for 2023-2024, and is therefore a priority for ANPD.

LGPD addresses the issue of international data transfer in Articles 33 to 36, allowing it through nine mechanisms, of which only two are regulated by Res. CD/ANPD 19/2024:

  • International data transfer to countries or international organizations that provide a level of personal data protection equivalent to that provided under LGPD;
  • When the data controller provides and demonstrates guarantees of compliance with the principles, data subject rights, and data protection regime set forth in LGPD, in the form of: 

a) specific contractual clauses for a given transfer; 

b) standard contractual clauses; or 

c) binding corporate rules.

In the second mechanism above, the Resolution did not include item “d) seals, certificates, and codes of conduct regularly issued” (LGPD, art. 33, II, d). Other international transfer scenarios not addressed by the new Resolution may still be conducted, provided they do not depend on regulation and meet legal requirements and the specific needs of the case.

Below, we analyze aspects of the International Data Transfer Regulation, followed by an examination of the relevant provisions of Res. CD/ANPD 19/2024 concerning Standard Contractual Clauses, Specific Contractual Clauses, and Binding Corporate Rules.

INTERNATIONAL TRANSFER OF PERSONAL DATA


The Resolution places the responsibility on the data controller to verify whether the data processing operation: (i) constitutes an international transfer; (ii) is subject to Brazilian data protection law; and (iii) whether there are both a legal basis and a valid mechanism for international data transfer. Each of these items is explained below.


1. Characterization of International Data Transfer

International data transfer occurs when the data exporter transfers personal data to the data importer.

The Regulation defines transfer as the processing operation by which a data controller transmits, shares or provides, to another processing agent, access to personal data. An international data transfer is the transfer of personal data to a foreign country or international organization of which the country is a member.

The exporter is the processing agent, located in Brazil or in a foreign country, that transfers personal data to the importer. The importer is the processing agent, located in a foreign country or that is an international organization, which receives personal data transferred by the exporter.

It is also important to note that international data collection, which is simply the collection of personal data from the data subject directly by the processing agent located abroad, i.e., without data transfer, does not characterize an international transfer.


2. Application of Brazilian Legislation

LGPD and the Regulation apply to an international data transfer when there is:

  • Processing carried out within Brazilian territory, with the exception of Article 4, IV² of LGPD and in accordance with Article 8 of the Regulation;
  • Processing aimed at offering or providing goods or services or processing data of individuals located within Brazilian territory; or 
  • Collection, within Brazilian territory, of the personal data subject to processing.

Regarding processing conducted within Brazilian territory, Article 8 of the Regulation states that LGPD does not apply to data originating from abroad in the following cases:

  • Flow of personal data, without communication or shared use of data with a processing agent located in the Brazilian territory; or 
  • Return of personal data, subject to processing in Brazilian territory, exclusively to the country or international organization of origin, provided that:

a) the country or international organization of origin provides an adequate level of personal data protection, recognized by ANPD’s decision; 

b) the legislation of the country or the rules applicable to the international organization of origin apply to the operation; and 

c) the specific and exceptional situation of non-application of LGPD is expressly provided for in the adequacy decision referred to in item "a".

Even in cases where LGPD does not apply, other rules may apply and must be observed, such as laws and regulations on inviolability and secrecy of communications, technical and security requirements, and access to data by public authorities.


3. Legal Basis and Transfer Mechanism

International data transfer may only be conducted for purposes that are legitimate, specific, explicit, and informed to the data subject. Subsequent processing incompatible with these purposes is not allowed. The international transfer must also:

  • Be based on one of the legal bases provided in Article 7 or Article 11 of LGPD; and
  • Utilize one of the valid mechanisms for carrying out the international transfer.

The international data transfer should be limited to the minimum necessary to achieve its purposes, with data scope that is pertinent, proportional, and not excessive in relation to the data processing purposes.


Adequacy Decision

ANPD can recognize the equivalence, with Brazilian legislation, of the level of personal data protection of a foreign country or international organization. This evaluation will consider, in addition to specific circumstances regarding the transfer:

  • The general and sectoral rules in force, directly applicable or having significant impacts on personal data protection in the destination country or international organization; 
  • The nature of the data; 
  • The adherence to the general principles of personal data protection and the data subject rights set forth in LGPD;
  • The adoption of adequate security measures to minimize impacts on civil liberties and fundamental rights of data subjects; and 
  • The existence of judicial and institutional guarantees for the respect of personal data protection rights, such as, for example, the existence of an independent regulatory body.

The risks and benefits arising from the adequacy decision, as well as the impacts on international data flow and on diplomatic relations, international trade, and on Brazil’s international cooperation with other countries and international organizations will also be considered.

In such analyses by ANPD, priority will be given to countries or international organizations that ensure reciprocal treatment to Brazil and that facilitate the free flow of international transfers.


Obligations of Processing Agents 

The Resolution places on the data controller the responsibility to verify the three aforementioned requirements – characterization of the international transfer, submission to Brazilian data protection legislation, and existence of a valid legal basis and transfer mechanism. The processor will assist the controller by providing the information available and necessary for the controller’s verification.

Both the controller and the processor must adopt effective measures to demonstrate compliance with personal data protection regulations and the effectiveness of these measures. These measures must be commensurate with the risk level of the processing and the mechanism used for the international transfer, which requires case-by-case analysis.

Data processing agents using contractual clauses for international data transfers have a deadline of up to 12 (twelve) months, starting from August 23, 2024, to incorporate the standard contractual clauses approved by ANPD into their respective contracts.

STANDARD CONTRACTUAL CLAUSES


ANPD has approved standard contractual clauses in Annex II of the Regulation, with minimum guarantees and conditions for conducting international data transfers. The validity of international data transfers based on these clauses requires full and unaltered adoption of the standard clauses in Annex II, and nothing in the contract or related contracts may exclude, modify, or contradict, directly or indirectly, the content of the standard contractual clauses.

These clauses may be included in a specific contract governing the transfer or even in a broader contract, including through an amendment signed by the data exporter and importer involved in the operation. In the latter case, the amendment must contain Sections I (general information), II (mandatory clauses), and III (security measures) from Annex II of the Regulation.

As a transparency measure, the Regulation requires the controller to provide the data subject, upon request, with the full text of the clauses used for the international data transfer, respecting commercial and industrial secrets, and to fulfill this request within 15 days.

Additionally, the controller must publish on its website a document containing information in Portuguese, in clear, simple, precise, and accessible language about the international data transfer. This document can be on a dedicated page or integrated into the Privacy Policy or equivalent document, prominently and easily accessible, and must include, at a minimum:

  • The method, duration, and specific purpose of the international transfer; 
  • The destination country of the transferred data; 
  • Identification and contact details of the controller; 
  • Shared use of data by the controller and its purpose; 
  • Responsibilities of the parties involved in the processing and the security measures adopted; and 
  • Data subject rights and methods for exercising them.

A new development is that ANPD may recognize the equivalence of standard contractual clauses from other countries or international organizations. Among other criteria, the equivalence decision will consider: (i) whether the clauses are equivalent to LGPD and the Regulation and ensure an equivalent level of protection; and (ii) risks and benefits, as well as impacts on international data flow, diplomatic relations, international trade, and Brazil’s international cooperation.

SPECIFIC CONTRACTUAL CLAUSES


The Regulation allows the controller to request ANPD’s approval of specific contractual clauses. These can be approved only when the controller can demonstrate that the international transfer cannot be conducted based on the standard contractual clauses due to exceptional factual or legal circumstances.

In any case, such clauses must be governed by Brazilian data protection legislation and subject to ANPD’s oversight. Among other criteria, the decision on equivalence will consider: (i) whether the clauses are equivalent to LGPD and the Regulation and ensure an equivalent level of protection to that provided by the standard contractual clauses; and (ii) risks and benefits, as well as impacts on international data flow, diplomatic relations, international trade, and Brazil’s international cooperation.

Specific clauses that can also be used by other processing agents conducting international data transfers in similar situations will be prioritized. 

BINDING CORPORATE RULES

The final mechanism detailed in the Regulation is binding corporate rules. These rules are intended for international data transfers among organizations within the same group or conglomerate of companies. They bind the group members and are valid only for the organizations or countries covered by these rules.

Binding corporate rules must be linked to a privacy governance program and be submitted for approval by ANPD. The minimum content of binding corporate rules must include the following:

  • Description of the international data transfers, including categories of personal data, the processing operation and its purposes, legal basis, and types of data subjects;
  • Identification of the countries to which data may be transferred;
  • Structure of the group or conglomerate, including a list of affiliated entities, each entity’s role in data processing, and contact information for each organization;
  • Determination of the binding nature of the global corporate rule for all members of the group or conglomerate, including employees; 
  • Delimitation of processing responsibilities, identifying the responsible entity;
  • Specification of applicable data subject rights and methods for exercising them; 
  • Rules regarding the process for reviewing the binding corporate rules and provision for prior approval by ANPD; and 
  • Provision for notifying ANPD in the event of changes to data protection guarantees under LGPD, particularly when a member of the group or conglomerate becomes subject to a legal regime of another country that impedes compliance with the corporate rules.

The Technology, Media, and Telecommunications team at Azevedo Sette Advogados is closely monitoring the development of this topic and is available to provide clarifications and insights on the subject.


_______________________________________________________________________________________________

¹Other transfers provided for under LGPD include: (i) those necessary for international legal cooperation among public bodies engaged in intelligence, investigation, and prosecution; (ii) those necessary for the protection of life or physical safety of the data subject or a third party; (iii) those authorized by ANPD; (iv) those resulting from a commitment made in an international cooperation agreement; (v) those necessary for the execution of public policy or legal duties of public service; (vi) those where the data subject has provided specific and highlighted consent for the transfer, with prior information about the international nature of the operation, clearly distinguishing it from other purposes; or (vii) those necessary to meet the scenarios provided in items II (compliance with legal or regulatory obligations), V (execution of a contract or preliminary procedures related to a contract to which the data subject is a party), and VI (regular exercise of rights in judicial, administrative, or arbitral proceedings) of Article 7 of LGPD.

² Art. 4. This Law does not apply to the processing of personal data:
[...] IV - originating from outside the national territory and not subject to communication, shared use of data with Brazilian processing agents, or international data transfer to a country other than the country of origin, provided that the country of origin allow a level of protection for personal data that is adequate to that required by this Law.


³ The legal bases for processing under Article 7 of LGPD are: consent; compliance with a legal or regulatory obligation by the controller; execution of public policies by public administration; research by a research institution; execution of a contract or preliminary procedures; regular exercise of rights in judicial, administrative, or arbitral proceedings; protection of life or physical safety of the data subject or a third party; health protection; legitimate interests of the controller or a third party; credit protection.


⁴ The legal bases under Article 11 of LGPD concern the processing of sensitive personal data. These are: (i) specific and highlighted consent for specific purposes; or (ii) without consent of the data subject, processing may occur for the following purposes: compliance with a legal or regulatory obligation by the controller; shared processing necessary for execution of public policy by the public administration; research by a research institution, with anonymization ensured whenever possible; regular exercise of rights, including in contracts and in judicial, administrative, or arbitral proceedings; protection of life or physical safety of the data subject or a third party; health protection; to ensure fraud prevention and security of the data subject, particularly in electronic system identification and authentication processes.


⁵ The mechanisms are:

a) For countries or international organizations that provide a level of protection for personal data that is adequate to that required by LGPD and its supplementary regulations, as recognized by an adequacy decision issued by ANPD;

b) Standard contractual clauses, binding corporate rules, or specific contractual clauses; or

c) In the cases provided for in items II, "d" (seals, certificates, and codes of conduct), and III through IX (other seven scenarios that authorize international data transfers) of Article 33 of LGPD.


⁶ The Regulation defines a group or conglomerate of companies as a set of companies, whether de facto or de jure, with their own legal personalities, under the direction, control, or administration of a natural or legal person, or a group of individuals who hold, either individually or collectively, control over the others, provided that there is demonstrated integrated interest, effective mutual interest, and joint action among the companies involved (Resolution CD/ANPD 19/2024, Article 3, VI).