The international transfer of personal data has become a highly relevant topic in today’s data protection landscape, especially with the increasing globalization of business operations and the interconnectedness of information systems worldwide. On August 23, 2024, the Brazilian Data Protection Authority (ANPD – Autoridade Nacional de Proteção de Dados) took a significant step by publishing Rule #19, providing clearer and more detailed regulations for international data transfers. This article explores the new features introduced by this rule, highlights the main mechanisms for data transfer, and compares them with the General Data Protection Regulation (GDPR), the European standard on the subject.
According to ANPD’s Rule #19, an international data transfer occurs when personal data collected within Brazilian territory is sent outside the country, whether to other nations or international organizations. The process is governed by several rules designed to ensure that the personal data of Brazilian individuals are protected in line with standards equivalent to those of Brazil’s General Data Protection Act (LGPD – Lei Geral de Proteção de Dados).
The LGPD established general guidelines for international data transfers, outlined in Articles 33 to 36. ANPD’s Rule #19 now provides practical regulations that address the specifics of these transfers.
ANPD’s Rule #19 outlines specific mechanisms to enable these transfers, ensuring that personal data maintains an adequate level of protection. The following are the key mechanisms:
- Standard Contractual Clauses – models of contractual clauses specified and approved by ANPD in Annex II of Rule #19, which establish clear obligations for the parties involved in the transfer.
- Certifications – companies certified in good data protection practices, recognized by ANPD, which facilitate international transfers.
- Seals and Certifications – compliance methods that demonstrate organizations adhere to data protection standards compatible with the LGPD.
- Binding Corporate Rules (BCRs) – internal rules applicable to multinational groups, ensuring that data remains protected within the group, regardless of the country.
- Specific Contractual Clauses – customized clauses for a particular international data transfer, previously approved by the ANPD, which ensure compliance with LGPD requirements but do not fit into Standard Contractual Clauses due to the unique nature of the operation.
These mechanisms aim to facilitate the flow of data outside Brazil while ensuring the protection of data subjects' rights. However, this new regulation presents significant contractual challenges for companies engaged in international data transfers.
Comparison with GDPR: Differences and Similarities
The GDPR, in effect across the European Union since 2018, served as a model for the creation of the LGPD and, by extension, Rule #19. Both regulations aim to ensure the security of personal data in a globalized environment. However, there are notable differences in the international transfer mechanisms each provides.
International Transfer Mechanisms
Both the GDPR and ANPD’s Rule #19 outline standard contractual clauses and binding corporate rules as secure methods for enabling data transfers. However, while the GDPR already has a well-established set of standard contractual clauses approved by the European Commission, the ANPD is still in the process of drafting and publishing its own models. Although the first set of Standard Contractual Clauses is included in Annex II of Rule #19, this regulatory framework is still in its early stages. This creates uncertainty for Brazilian companies that rely on these operations daily.
The GDPR also introduced the concept of “adequacy,” allowing data transfers to countries that offer data protection levels equivalent to the EU's standards. ANPD’s Rule #19 adopts a similar approach, but the list of countries deemed adequate by the ANPD has yet to be published. This lack of clarity can pose challenges for companies needing to carry out urgent data transfers while awaiting more concrete guidance from the ANPD.
Global Corporate Standards (BCRs)
Both regulations recognize BCRs as a valid mechanism for data transfer within multinational groups. However, Brazilian companies may face challenges in adopting BCRs, as this practice is still not widespread in Brazil. Additionally, the approval process for BCRs by the ANPD could be slower than anticipated, leading to a gap between practical implementation and regulatory compliance. ANPD’s Rule #19 outlines only the minimum information BCRs must contain, which could make the evaluation and approval process more subjective and open to interpretation by the regulatory authority.
Certifications and Seals
The GDPR allows organizations to use certification mechanisms as proof of compliance with data protection regulations. ANPD’s Rule #19 similarly provides for this, but Brazil still lacks a robust certification system, which could be an obstacle for companies looking to use this route to facilitate international data transfers.
Differences in Contractual Practice
One of the major contractual challenges for Brazilian companies will be adapting their international data transfer agreements to meet the requirements of ANPD’s Rule #19 within the 12-month deadline from its publication. The ANPD has imposed specific rules regarding mandatory clauses to ensure the protection of transferred personal data, requiring companies to review contracts with third parties engaged in these operations.
Another key consideration is the need to review existing BCRs to ensure they meet the criteria set by the Rule and then submit them for ANPD approval, or else to prepare such standards for validation by the ANPD. Furthermore, Brazilian companies that do not have BCRs in place should work diligently with foreign counterparts within their economic group to prepare them for validation by the ANPD, or even consider creating an agreement with standard contractual clauses as provided in Annex II of the Rule to expedite compliance. In either case, Brazilian companies are facing a race against time.
Companies operating in the European market are already familiar with adapting contracts to the GDPR, which can make it easier to adjust to the new ANPD Rule. However, for companies that have not yet dealt with international data transfers, implementing these contractual clauses may require greater legal assistance and internal review of their procedures.
Conclusion
ANPD’s Rule #19 marks a significant advancement in Brazil’s data protection framework, aligning with international best practices, particularly the GDPR. However, the practical implementation of this Rule presents substantial contractual challenges for Brazilian companies, which will need to adjust their international data transfer contracts and operations to meet a new regulatory standard.
One of the most significant challenges will be adapting contractual clauses to ANPD requirements, especially for transfer operations that do not align with the standard clauses outlined by the ANPD. Furthermore, the absence of a clear list of countries deemed suitable for data transfers and the lack of a well-established certification system may pose further obstacles.
To navigate these challenges, Brazilian companies must stay informed of future ANPD guidelines and invest in specialized legal consultancy to ensure compliance with the new regulations. Adapting to ANPD’s Rule #19 is not only essential to avoid sanctions, but also to maintain competitiveness in a global market that increasingly prioritizes data protection and privacy.