The European Commission has adopted a draft adequacy decision recognizing Brazil’s data protection framework as providing an adequate level of protection for personal data under the EU’s General Data Protection Regulation (GDPR). The move, published in a draft Commission Implementing Decision, would allow personal data to flow freely from the EU to Brazil without the need for additional safeguards or authorizations.

The decision follows a detailed assessment of Brazil’s legal order, including its constitutional protections, general data protection law, and oversight mechanisms. The Commission concluded that Brazil’s system delivers a level of protection “essentially equivalent” to that provided in the EU, the benchmark for adequacy decisions established by the Court of Justice of the European Union (CJEU) in the Schrems I and Schrems II rulings.

Brazil’s 1988 Constitution enshrines privacy and data protection as fundamental rights, reinforced by a 2022 constitutional amendment explicitly recognizing the right to personal data protection. These rights extend not only to Brazilian citizens but also to foreigners, including those residing abroad. Brazil has also ratified the American Convention on Human Rights and accepted the jurisdiction of the Inter-American Court of Human Rights, which provides an additional international safeguard.

The cornerstone of Brazil’s data protection regime is the 2018 General Data Protection Law (Lei Geral de Proteção de Dados, LGPD), modeled closely on the GDPR. The law applies broadly to the processing of personal data in Brazil and includes provisions on lawful processing, consent, legitimate interest, sensitive data, and rights of access and redress. Its scope mirrors the GDPR’s territorial reach, applying even to foreign companies offering goods or services in Brazil.

Oversight is carried out by the Autoridade Nacional de Proteção de Dados (ANPD), established in 2019 and granted independent status in 2022. The ANPD issues binding regulations, conducts enforcement, and provides guidance on compliance. Brazil has also engaged internationally, joining the Global Privacy Assembly in 2023 and serving as an observer to the Council of Europe’s Convention 108 committee.

The adequacy decision would enable businesses to transfer data between the EU and Brazil without resorting to mechanisms like standard contractual clauses, reducing compliance costs and facilitating digital trade. It would also align Brazil more closely with global data protection standards, reinforcing trust in its digital economy.

Next steps include formal adoption of the adequacy decision by the European Commission following consultation with the European Data Protection Board and approval by EU member states. Once finalized, Brazil would join a select group of countries deemed to provide adequate safeguards, strengthening its position as a key partner in global data governance.

Need Help?

If you have questions or concerns about any global guidelines, regulations and laws, don’t hesitate to reach out to BABL AI. Their Audit Experts can offer valuable insight, and ensure you’re informed and compliant.