Brazil introduces comprehensive regulations for international data transfers

The ANPD issued Resolution 19/2024 under the LGPD, regulating international data transfers with new Standard Contractual Clauses (SCCs) and procedures for adequacy decisions and binding corporate rules (BCRs).

Brazil aims for technological autonomy with a new AI investment initiative.

The Brazilian Data Protection Authority (ANPD) has introduced Resolution 19/2024, which establishes new regulations for international data transfers under the Brazilian General Data Protection Law (LGPD). Effective 23 August 2024, the regulation provides a structured framework for transferring personal data from Brazil to other countries to ensure that data protection standards are upheld.

The framework outlines Standard Contractual Clauses (SCCs), adequacy decisions for third countries, and the approval of binding corporate rules for intra-group data transfers. The Brazilian Data Protection Authority has approved Standard Contractual Clauses (SCCs) as a key instrument for international data transfers.

These SCCs cover controller-to-controller and controller-to-processor transfers, ensuring legal protection without needing prior ANPD authorisation. Similar to the EU’s SCCs, they are non-modifiable, and companies in Brazil must adopt these new clauses by 22 August 2025, replacing any existing contractual arrangements. The ANPD may also recognise equivalent SCCs from other jurisdictions, though no decision has been made yet regarding the EU SCCs.

The Brazilian Data Protection Authority also provides procedures for adequacy decisions, bespoke contractual clauses, and binding corporate rules (BCRs). Adequacy decisions will assess whether a third country offers sufficient data protection. Companies can use bespoke contractual clauses in exceptional cases with ANPD approval, while BCRs allow data transfers within corporate groups if approved by the ANPD.