The international transfer of personal data continues to be one of the most challenging topics in the global data protection landscape, as the flow of information across borders intensifies. Resolution CD/ANPD No. 19/2024, published by the National Data Protection Authority (ANPD), introduces detailed rules to regulate such transfers in Brazil, aiming to align with international regulations such as the European Union’s General Data Protection Regulation (GDPR) and U.S. legislation like the California Consumer Privacy Act (CCPA) and the recent EU-US Data Privacy Framework.
The new ANPD Resolution No. 19/2024 establishes criteria and mechanisms for international data transfers to comply with Brazil’s General Data Protection Law (LGPD). While it shares similarities with European and American regulations, it also presents unique nuances that shape the data protection landscape in Brazil.
Countries with Adequate Levels of Protection
ANPD Resolution No. 19/2024, like the GDPR in Europe, permits the transfer of data to countries that offer an adequate level of protection. While the European Commission has already recognized countries like Japan and the United Kingdom as adequate, ANPD, despite conducting its own adequacy analysis, has not yet formally recognized any country as adequate. This analysis takes into account factors such as the data protection laws of the receiving country, the effectiveness of regulatory authorities, the respect for data subjects’ rights, among other factors[1].
Given that no country has yet been recognized as offering adequate levels of protection in Brazil, companies wishing to transfer personal data to other countries must use one of the mechanisms provided for in Resolution No. 19/2024, such as Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs).
Standard Contractual Clauses (SCCs)
One of the most common mechanisms for international transfers is the Standard Contractual Clauses (SCCs). The GDPR has already consolidated these clauses as an essential tool to ensure that personal data transfers to countries outside the European Union occur safely. These SCCs specify clear obligations for data exporters and importers, ensuring that data processing practices comply with data protection principles.Similarly, the ANPD has published its own SCCs in Resolution No. 19/2024, which must be incorporated into contracts between controllers or processors in Brazil and their foreign partners. This step aligns Brazil with global practices, providing a standardized path to ensure the compliance of data transfers, regardless of the destination
One of the most important provisions of the Resolution 19 is that the SCCs must be applied without any alteration[1], as established in the Annex to the regulation. This means that companies choosing to use this mechanism cannot modify the content of the clauses unless express authorization is given by the ANPD for specific adaptations. Companies must also be prepared with a fully implemented Data Governance Program to comply with the SCCs.
Binding Corporate Rules (BCRs)
Both the European Union and Brazil, through Resolution No. 19, recognize Binding Corporate Rules (BCRs) as an efficient mechanism for intra-group transfers. Multinational companies that implement BCRs demonstrate a commitment to a uniform level of data protection, applicable to all their subsidiaries, regardless of geographical location.
For a company in Brazil with its headquarters in Europe, the main provisions of the Resolution include the requirement for adoption and approval of the BCRs by the ANPD, ensuring that these rules align with the principles of the LGPD and provide an adequate level of protection for personal data transferred between entities within the same corporate group. BCRs facilitate the safe transfer of data between subsidiaries and branches located in different countries, such as Brazil and Europe, without the need for individual compliance assessments for each transaction.
Additionally, BCRs must ensure that the rights of data subjects, such as access, correction, and deletion, are respected in all group entities, regardless of jurisdiction. Companies must establish clear and transparent mechanisms to meet these requests from data subjects, ensuring data protection throughout the entire process. The rules also outline responsibility and governance in data processing, including the appointment of a Data Protection Officer (DPO) and the creation of robust internal policies for data protection across all units of the company.
The ANPD also plays a supervisory role over BCRs, which may involve audits and requests for additional information to ensure that personal data protection is being properly implemented and monitored in all the company’s international operations.
Additional Contractual Guarantees and Transfer Mechanisms
In addition to SCCs and BCRs, both Resolution No. 19/2024 and the GDPR allow for the use of other contractual guarantees or mechanisms, such as codes of conduct or certifications, as long as these mechanisms offer equivalent protections to the rights ensured by the legislation. ANPD encourages the adoption of documented and auditable practices so that controllers and processors can demonstrate compliance with the LGPD during international data transfers.
Conclusion
Resolution CD/ANPD No. 19/2024 is a significant milestone for data protection in Brazil in the context of international transfers. The regulation seeks to balance global best practices, such as those implemented in the European Union through the GDPR, while addressing the specificities of the Brazilian context.
The Data Team at GT Lawyers is available to follow the developments of Resolution No. 19/2024 and assist companies in all aspects related to international data transfers.
See Article 11 of Resolution No. 19/2024: “The evaluation of the level of protection of personal data in a foreign country or international organization shall take into consideration: I – the general and sectoral regulations in force that impact the protection of personal data in the destination country or international organization; II – the nature of the data; III – the observance of the general principles of personal data protection and the rights of data subjects provided for in Law No. 13.709, of August 14, 2018; IV – the adoption of appropriate security measures to minimize impacts on the civil liberties and fundamental rights of the data subjects; V – the existence of judicial and institutional guarantees to respect personal data protection rights; and VI – other specific circumstances related to the transfer.”.
See Article 16 of Resolution No. 19/2024: “The validity of international data transfers, when based on the adoption of standard contractual clauses, requires the full and unaltered adoption of the text provided in Annex II, through a contractual instrument signed between the exporter and the importer.”.
