‍

ANPD Rule #19, published by the Brazilian Data Protection Authority (Autoridade Nacional de Proteção de Dados – ANPD) in August 2024, introduced new regulations on international data transfers, a crucial aspect of data protection in Brazil and worldwide. After this regulation, the ANPD launched a dedicated page on its official portal to provide clear and detailed information about international data transfer mechanisms. This new page marks an important step toward transparency and aligns Brazil with international data protection standards, especially in comparison to the European Union's General Data Protection Regulation (GDPR).

What Constitutes an International Data Transfer under the LGPD and ANPD Rule #19

Brazil’s General Data Protection Act (Lei Geral de Proteção de Dados – LGPD) defines an international data transfer as the movement of personal data collected within Brazil to any location outside the country. This can occur when a Brazilian company transfers data to its international headquarters, contracts third-party services based in other countries, or uses technology solutions located abroad, such as hiring servers to store data overseas. ANPD Rule #19 outlines the legal mechanisms allowed for these transfers, ensuring that Brazilian citizens’ data remains protected even outside Brazil.

The mechanisms permitted under the Rule include specific contractual clauses, global corporate standards, the use of certification of compliance, and international agreements. The Rule seeks to ensure that such transfers occur in a secure and transparent manner, adhering to the data protection principles established by the LGPD, while also aligning with global practices.

Launch of the International Data Transfer Page on the ANPD Portal

The launch of a dedicated page on international data transfers on the ANPD portal has significantly enhanced transparency around this process. This new section aims to provide detailed guidance for both companies and data subjects on how international transfer mechanisms operate and the obligations established by the LGPD and ANPD Rule #19.

A key highlight of the portal is its clarity and simplicity: the ANPD has organized the content of Rule #19 into straightforward, easy-to-understand topics, using accessible language for all audiences and including a FAQ section to help clarify the legislation. Furthermore, among the information provided, the website provides guidelines on which mechanisms are valid to ensure the protection of personal data during international transfers. It also offers a clear explanation of the decision-making process for requests concerning both the adaptation of transfer mechanisms and the recognition of certain countries or international organizations as having a level of personal data protection equivalent to that required by Brazilian law.

The availability of this page makes vital information more accessible to businesses and individuals, fostering a better understanding of legal obligations and making it easier to comply with data protection regulations. In doing so, the ANPD directly contributes to building greater trust in the processing of personal data in Brazil and its international operations.

Transparency as a Pillar of Data Protection

Transparency is a core principle of the LGPD and data protection regulations worldwide. The creation of this new page on the ANPD portal is a practical step in reinforcing this principle, helping both businesses and individuals understand how international data transfers can and should be conducted. By making this information publicly available and easily accessible, the ANPD promotes not only compliance with legislation but also fosters an environment of trust, allowing data subjects to feel more secure about the handling of their personal data. This measure also aligns with international practices, particularly those observed in the European Union through the GDPR.

The GDPR, in effect since 2018, similarly prioritizes transparency in data processing, especially with regard to international transfers. Like the ANPD, European authorities have implemented user-friendly portals and systems to help companies understand their legal responsibilities and to ensure that data subjects are adequately informed.

For example, several resources currently exist:

• European Data Protection Supervisor (EDPS): The EDPS provides a dedicated portal focused on international data transfers, offering detailed explanations on how to ensure transfers comply with the GDPR, addressing potential risks, and outlining the measures necessary to protect data subjects. Available at: International Transfers | European Data Protection Supervisor (europa.eu)

• European Commission – Adequacy Decisions: The European Commission maintains a list of countries that offer adequate protection for personal data. This list is a crucial reference for companies engaged in international data transfers, ensuring GDPR compliance. The portal also includes comprehensive information on the tools and procedures required for secure data transfers. Available at: ec.europa.eu

• European Data Protection Board (EDPB): The EDPB offers guidance on Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs), both of which are used to regulate international data transfers. This portal provides practical resources for businesses to understand GDPR requirements for transferring data outside the European Economic Area (EEA). More information on SCCs and BCRs can be found at: EDPB | European Data Protection Board (europa.eu)

As illustrated above, the European Union has implemented a series of measures through the GDPR aimed at ensuring transparency in international data transfers. These measures include the publication of clear guidelines on appropriate data transfer procedures, as well as the provision of standard contractual clauses and other compliance mechanisms.

The launch of the ANPD website follows a similar path by offering centralized and easily accessible information, enabling Brazilian companies to navigate the complexities of international transfers more effectively. A comparison of these initiatives reveals that both the GDPR and ANPD Rule #19 aim to facilitate compliance for businesses while strengthening the protection of data subjects' rights.

This convergence of measures reinforces the global trend toward harmonizing data protection practices, which is essential for ensuring that international transfers occur in a secure and transparent manner, regardless of the jurisdictions involved.

Conclusion

Thus, it can be seen that ANPD Rule #19 marks a significant advancement in the processing of personal data in Brazil, particularly concerning international data transfers. The launch of the dedicated page on the ANPD portal enhances these regulations by providing greater clarity and accessibility regarding the mechanisms that enable secure and legally compliant transfers.

By promoting transparency, the ANPD not only aids companies in understanding and complying with the rules but also strengthens data subjects' trust in Brazil. This represents an important step toward the maturation of the Brazilian data protection system, which is increasingly aligned with international best practices, such as those established by the GDPR in the European Union.

Therefore, the introduction of this dedicated page on the official ANPD portal should be viewed as a positive milestone, ensuring that transparency in international data transfers is accessible to all.