ANPD approves the International Data Transfer Regulation

CD/ANPD Resolution No. 19/2024, which approves the International Data Transfer Regulation and the content of standard contractual clauses, was published in the Federal Official Gazette on August 23, 2024.

The regulation entered into force on the date of its publication, and processing agents who employ contractual clauses to carry out international transfers will have up to 12 months from publication to adapt their contracts to incorporate standard clauses.

Purpose and Scope

The regulation establishes the procedures and rules applicable to international data transfer operations:

• for countries and international organizations that provide a level of protection of personal data that is adequate, according to the recognition of suitability by the Brazilian National Data Protection Authority (“ANPD”); and
• when the controller offers and provides proof of compliance with the Brazilian General Data Protection Law (“LGPD”) through:
  • specific contractual clauses for a given transfer;
  • standard contractual clauses; or
  • binding corporate rules.

However, the regulation does not exclude the possibility of carrying out an international transfer based on other mechanisms provided for in Article 33 of the LGPD that do not depend on regulation, provided that the specifics of the case and the applicable legal requirements are met.

Characteristics of the International Transfer

An international transfer is characterized when personal data is transferred from an exporting agent to an importing agent located in a foreign country.

When personal data has been collected abroad, the international transfer of data will not be characterized, although the provisions of the LGPD are applicable to these cases when one of the hypotheses provided for in Article 3 of the LGPD is verified.

Legal Bases for an International Transfer

The international transfer of data can only be carried out to fulfill legitimate, specific, explicit purposes that have been informed to the data subject, without the possibility of further processing in a manner incompatible with these purposes, and provided that it is supported by one of the legal grounds provided for in article 7 or article 11 of the LGPD, linked to a valid mechanism for carrying out international transfers.

Data Protection Level Assessment

• Assessment criteria:
  • general and sectoral regulations in force that impact the protection of personal data in the country of destination or international organization;
  • the type of the data;
  • compliance with the general principles of personal data protection and the rights of data subjects as provided for in the LGPD;
  • the adoption of appropriate security measures to minimize impacts on the civil liberties and fundamental rights of data subjects;
  • the existence of judicial and institutional guarantees for compliance with personal data protection rights;
  • other specific circumstances relating to the transfer;
  • the risks and benefits of the suitability decision;
  • the impacts of this decision on the international flow of data, diplomatic relations, international trade and Brazil’s international cooperation with other countries and international organizations.

The suitability decision will be taken by a resolution of the Board of Directors and published on the ANPD website.

Standard Contractual Clauses

The standard clauses drawn up and approved by the ANPD and provided as an annex to the regulations establish minimum guarantees and valid conditions for international transfers when this is the transfer mechanism used.

These standard clauses must be fully adopted, with no changes to the text provided, through a contractual instrument signed between the exporter and the importer and may form part of:

• a contract specifically signed to govern international data transfers; or
• a contract with a broader purpose, including the signing of an addendum by the exporter and importer involved in the international data transfer operation.

Transparency for Data Subjects

The controller must make available to the data subject, upon request, a complete copy of the clauses used to carry out the international transfer within 15 days, in compliance with trade and industrial confidentiality, unless the ANPD provides for another deadline in a specific regulation.

The controller must also publish on its website a document in Portuguese containing, at least, information on:

• the method, duration and specific purpose of the international transfer;
• the country of destination of the transferred data;
• the identification and contact information of the controller;
• the shared use of data by the controller and its purpose;
• the duties of the agents who will carry out the processing and the security measures adopted; and
• the rights of the data subject and methods for enforcing them, including an easily accessible channel and the right to petition the controller before the ANPD.

Equivalent Standard Contractual Clauses

The ANPD may recognize the equivalence of standard contractual clauses from other countries or international organizations with the contractual clauses published along with the regulation.

The decision on the proposed equivalence will take into account, among other significant circumstances:

• Whether the standard contractual clauses are compatible with the provisions of the LGPD, and the regulation and whether they ensure a level of data protection equivalent to that guaranteed by the Brazilian standard contractual clauses; and
• The risks and benefits provided by the approval, considering, among other aspects, the assurance of the principles, the rights of the data subject and the data protection regime provided for in the LGPD, in addition to the impacts on the international flow of data, diplomatic relations, international trade and international cooperation of Brazil with other countries and international organizations.

Standard contractual clauses recognized as equivalent will be approved by a resolution of the Board of Directors and published on the ANPD website.

Specific Contractual Clauses

If the international transfer of data cannot be carried out through the standard contractual clauses due to exceptional circumstances of fact or law duly proven by the controller, the controller may request the ANPD to approve specific contractual clauses that offer and prove compliance with the principles, the rights of the data subject and the data protection regime provided for in the LGPD and the regulation.

The ANPD’s analysis will consider, among other significant circumstances:

• Whether the specific clauses are compatible with the provisions of the LGPD, and the regulation, and whether they ensure a level of data protection equivalent to that guaranteed by Brazilian standard contractual clauses; and
• The risks and benefits provided by the approval, considering, among other aspects, the assurance of the principles, the rights of the data subject and the data protection regime provided for in the LGPD, in addition to the impacts on the international flow of data, diplomatic relations, international trade and international cooperation of Brazil with other countries and international organizations.

Binding Corporate Rules

Binding corporate rules are intended for international data transfers between organizations in the same group conglomerate of companies.

These standards are binding on the members of the group that subscribe to them and must be linked to implementing a privacy governance program that meets the minimum conditions provided for in paragraph 2 of article 50 of the LGPD.

The regulation also provides for minimum information to be addressed by binding corporate rules, such as:

• the description of international data transfers, including the categories of personal data, the processing operation and its purposes, the legal basis and the types of data subjects;
• the identification of the countries to which the data may be transferred; and
• the structure of the group or conglomerate of companies, containing the list of related entities, the role played by each of them in the processing and the contact details of each organization that processes personal data.

Demarest’s Privacy, Technology and Cybersecurity and Telecommunications, Media and Technology (TMT) teams are closely monitoring any developments in this topic and remain available to provide any clarifications that may be necessary.