Brazil’s New International Data Transfer Regulation
Brazil's Autoridade Nacional de Proteção de Dados (#ANPD) released its much-anticipated International Data Transfer Regulation, providing clarity for businesses navigating cross-border data flows under Brazil's General Data Protection Law (#LGPD).
Key Highlights from the Regulation
Adequacy Decisions
- Brazil allows data transfers to countries offering "equivalent" levels of data protection.
- The ANPD will assess factors such as legal frameworks, data subject rights, and security measures.
- Priority will be given to countries extending similar privileges to Brazil.
Contractual Instruments
The ANPD has introduced mechanisms like Standard Contractual Clauses (#SCC), specific contractual clauses, and Binding Corporate Rules (#BCR):
Standard Contractual Clauses:
- Must be adopted in their entirety with minimal modification.
- Four sections include general information, mandatory clauses, security measures, and additional clauses.
- ANPD may also recognize foreign SCCs.
Specific Contractual Clauses:
- Used only in exceptional cases with ANPD pre-approval.
- Must align closely with SCCs but allow some flexibility.
Binding Corporate Rules:
- For intragroup transfers, requiring comprehensive privacy governance programs and prior ANPD approval.
Organizations must:
- Provide data subjects with the full text of the contractual instruments upon request within 15 days.
- Include international transfer details in privacy notices or on websites.
Other Transfer Mechanisms
In addition to adequacy decisions and contractual instruments, the regulation permits transfers for:
- Legal obligations.
- Protection of life or physical safety.
- Data subject consent.
- Public policies or international cooperation agreements.
Organizations have 12 months to adopt SCCs, while other mechanisms are already enforceable.
Author: Sebastian Burgemejster
Comments