The Brazil Data Protection Agency ("ANPD") on August 15, 2023 released a draft of the International Transfer of Personal Data Regulation ("Regulation Draft") and the standard contractual clauses ("SCCs") for public comment. Interested parties can submit comments on the provisions of the Regulation between August 15 and September 14, 2023. After the comment period closes, the ANPD will hold a public hearing to discuss the draft at a date to be determined. Once the Regulation Draft is approved, it will take effect immediately upon publication and companies will have 180 days to incorporate the ANPD's version into their existing SCC agreements or implement new agreements with the ANPD SCCs.
By way of background, the ANPD is the agency charged with implementing Brazil's General Data Protection Law ("LGPD"). The LGPD is Brazil's all-encompassing data protection law similar to the European Union's GDPR. The LGPD imposes certain requirements on data processing agents (which include controllers and processors of data) to safeguard the data privacy rights of individuals (data subjects).
The newly issued Regulation Draft provides that the ANPD will determine which jurisdictions have an adequate level of data protection that will allow the free flow of personal data between Brazil and such countries, but the ANPD will prioritize the review of jurisdictions that provide reciprocal protections. It may take some time before we have a list of countries with data protection levels the ANPD deems adequate. In the interim, multinational companies will have to rely on other possible mechanisms to transfer personal data from Brazil.
According to the Regulation Draft, the ANPD may recognize as an equivalent the SCCs of other countries, upon their review and approval. The review procedure may be started by the ANPD or an interested party, but the ANPD will prioritize the review of those SCCs that can be widely used by processing agents performing international transfers of data in similar circumstances. Foreign SCCs recognized by the ANPD as equivalent will be considered a valid alternative.
The Regulation Draft also provides for the approval process of specific contractual clauses and global corporate rules, but it does not include the expected timeline for the review and approval of such.
A more readily available mechanism will be the ANPD SCCs, and the Regulation Draft includes an SCC Draft template, which companies may eventually choose to use, although there will be some challenges if the SCC Draft remains as-is after the public consultation.
The ANPD opted to create only one module of SCCs and it is in many aspects different from the EU SCCs. One provision that immediately catches one's attention is that regardless of whether the exporter or importer is named as the responsible party for certain measures (as the Designated Party), the controller will ultimately remain responsible for (i) compliance with the obligations under the law and the agreement, (ii) responding to the ANPD, (iii) guaranteeing the data subject's rights and (iv) the reparation of damage they may suffer. Moreover, when exporter and importer are processors, the controller, which instructs the processor that exports the personal data to the importer outside Brazil (the "Third-Party Controller"), must co-sign the SCCs and be ultimately responsible for the obligations mentioned above.
Another potential issue with the ANPD SCCs is that the provisions relating to the rights of the data subject do not provide any limitations, such as those under the EU SCCs, which allow the imposition of fees for excessive requests or the refusal to comply with a request, if permitted by law. The data subject will also be entitled to seek individual or collective damages by filing judicial claims in Brazil, and the courts have the discretion to shift the burden of proof to the controller if it is too onerous for the data subject.
The ANPD SCCs also do not address automated decisions as do the EU SCCs, which may become a more prominent issue with the increased use of AI tools.
Finally, it is interesting to point out that, for the first time, an ANPD guideline or regulation includes a specific requirement to provide a notice in Portuguese. Article 16 of the Regulation Draft provides that the "Designated Party," identified as such in the SCCs, will have to post on its Internet page, prominently and in an easily accessible manner, as part of the Data Privacy Notice or other equivalent document, in Portuguese and in simple language, the following main information about the international transfer of personal data:
- the form, duration and specific purpose of the international transfer;
- the country of destination of the transferred data;
- the identification and contacts of the controller;
- the shared use of data by the controller and the purpose;
- the responsibilities of the agents who will carry out the processing; and
- the rights of the data subjects and the means for their exercise, including an easily accessible channel and the right to petition against the controller before the ANPD.
Employers in Brazil process huge amounts of employees' personal data, which is protected under LGPD, and most share such data with their headquarters and affiliates outside Brazil which, in turn, use global HRIS programs and other platforms to manage their operations. These transfers will eventually be scrutinized by the ANPD and employees, as they become more aware of their rights. Employers with operations in Brazil must diligently map out their employees' personal data and work on getting ready to implement the required mechanisms to properly support (and safeguard the parties involved in) the international transfer of personal data to the data importers and their sub-processors.