ARTICLE
24 September 2024

Brazil's Data Protection Authority Issues Rules Clarifying Data Transfers

SM
Sheppard, Mullin, Richter & Hampton LLP

Contributor

Sheppard, Mullin, Richter & Hampton LLP logo
Businesses turn to Sheppard to deliver sophisticated counsel to help clients move ahead. With more than 1,200 lawyers located in 16 offices worldwide, our client-centered approach is grounded in nearly a century of building enduring relationships on trust and collaboration. Our broad and diversified practices serve global clients—from startups to Fortune 500 companies—at every stage of the business cycle, including high-stakes litigation, complex transactions, sophisticated financings and regulatory issues. With leading edge technologies and innovation behind our team, we pride ourselves on being a strategic partner to our clients.
Explore Firm Details
Wondering what the requirements are for transferring personal information out of Brazil?
United States Privacy
Liisa M. Thomas and Tracy Chau
Your Author LinkedIn Connections
Liisa M. Thomas’s articles from Sheppard, Mullin, Richter & Hampton LLP are most popular:
  • with Inhouse Counsel

Wondering what the requirements are for transferring personal information out of Brazil? Under the country's Data Protection Law, extra-territorial transfers of personal information are regulated in much the same way as in EU Member States. Parties can transfer personal information from Brazil to a third country only in limited circumstances. This includes, among other scenarios, if the entity receiving the information is located in a country that has been deemed adequate or if the parties put in place approved standard contractual clauses.

There have been questions for both of these, which were recently addressed through rulemaking by the Brazilian data protection authority:

  • Adequacy: Currently, no country has been deemed adequate, although Brazil is working with the EU to establish that the EU's privacy laws meet the adequacy level. Similarly, the EU is working to recognize Brazil's law as adequate. Under the new rules, to make the process run more smoothly, the data protection authority (ANPD) has set out the criteria to assess if another region's privacy law should be found adequate.
  • Standard Contractual Clauses: Until there are adequacy decisions, those wishing to export personal data out of Brazil will need to rely on other measures. Those other measures include standard contractual clauses or SCCs. These were also addressed in the new rulemaking. The rules include a set of approved SCCs. In addition, the rules contemplate using SCCs that differ from the approved set. Companies who wish to rely on SCCs will have until August 2025 to put sufficient ones in place.

In addition to adequacy decisions and SCCs, the rules address other questions and issues that have arisen relating to cross-border transfers. This includes providing -upon a data subject's request- a copy of the contract that was relied on for making the transfer of information.

Putting It Into Practice: For those who wish to rely on SCCs for data transfers from Brazil, companies will have until August 2025 to put them in place. These might mirror SCCs being used for other jurisdictions, and we expect to see more clarification from the ANPD on this point. We also anticipate seeing more countries receiving "adequacy" decisions from Brazil in the near future.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

[View Source]
Authors
Photo of Liisa M. Thomas
Liisa M. Thomas
Photo of Tracy Chau
Tracy Chau
Your Author LinkedIn Connections
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More