By Vanessa Borges and Fabiano Deffenti
International data transfers are critical for businesses operating in a globalised digital environment. Both Brazil and the European Union have implemented specific legal frameworks to regulate international data transfers to ensure that personal data is protected when transferred across borders.
Brazil’s National Data Protection Authority (“ANPD”) recently published Resolution 19/2024, which sets out the rules and guidelines for international data transfers by Brazilian companies under the General Data Protection Law (“GDPL”, known in Brazil as the LGPD). The Resolution’s counterpart in the EU is Chapter V of the General Data Protection Regulation (“GDPR”).
While both frameworks aim to secure personal data during international transfers, there are important differences in their structure, scope, and implementation mechanisms. Below is a comparative analysis of the key points of ANPD’s Resolution 19/2024 and the GDPR’s Chapter V:
Key differences | ANPD Resolution 19/2024 | Chapter V of the GDPR |
Scope of application | Applies to processing carried out in Brazil, to processing whose purpose is to offer goods or services to individuals located in Brazil, and to processing of personal data collected in Brazil, regardless of where the processing entity is established. | Applies to controllers and processors established in the EU, and to entities outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU. |
Legal Mechanisms for Transfers | Transfers must guarantee a level of protection equivalent to that required by the GDPL. Mechanisms include adequacy decisions, standard and specific contractual clauses, and binding corporate rules (called “global corporate rules” in the Resolution). | Transfers may be based on adequacy decisions, standard data protection clauses, binding corporate rules, approved codes of conduct, certification mechanisms or ad hoc contractual clauses authorised by a supervisory authority. Derogations exist for specific situations, such as the data subject’s explicit consent. |
Adequacy Decisions | The ANPD may recognise foreign countries or international organisations as providing an adequate level of protection. No country or organisation has yet been recognised. | The European Commission issues adequacy decisions confirming that a third country provides an adequate level of protection. Andorra, Argentina, Canada (commercial organisations), the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, the Republic of Korea, Switzerland, the United Kingdom, the United States (commercial organisations participating in the EU-US Data Privacy Framework) and Uruguay have been recognised. |
Standard Contractual Clauses (“SCCs”) | Organisations may use the standard contractual clauses published by the ANPD in the Resolution; specific contractual clauses that depart from the standard text require prior ANPD approval. | SCCs adopted by the European Commission are the most widely used mechanism. They bind exporter and importer to EU-level safeguards and, since the Schrems II judgment, must be accompanied by an assessment of the destination country’s laws and any supplementary measures that assessment shows to be necessary. |
Binding Corporate Rules (“BCRs”) | BCRs are available to multinational groups for transfers between affiliates in different jurisdictions and must be approved by the ANPD in each case. | BCRs are approved by the competent EU supervisory authority, following an EDPB opinion, and allow a corporate group to transfer data between its members under a single set of binding safeguards. |
Data Subjects’ Rights | Data subjects in Brazil must be informed about international transfers and have, among other rights, the right to access, correct and delete their data. | Data subjects in the EU have equivalent rights, including the same rights available in Brazil, transparency about the countries to which their data is transferred, and the ability to exercise those rights across borders. |
Supervision and Enforcement | The ANPD is responsible for overseeing compliance, issuing penalties for violations and providing guidance to organisations. | The GDPR is enforced by the national supervisory authorities of each member state, which can impose significant fines for non-compliance (up to 4% of global annual turnover). |
Derogations for Specific Situations | Certain exceptions apply, such as transfers necessary for the performance of a contract, compliance with a legal or regulatory obligation, or the protection of life. | Derogations cover transfers based on the data subject’s explicit consent, necessity for the performance of a contract, important reasons of public interest or legal claims, among others, and are intended for occasional transfers rather than systematic flows. |
Penalties for Non-Compliance | The ANPD can impose fines and other sanctions for non-compliance under the GDPL (administrative fines of up to 2% of the company’s revenue in Brazil in its last financial year, capped at R$50 million per infraction). | GDPR fines can reach €20 million or 4% of annual global turnover, whichever is higher. |
Future Updates and Flexibility | Resolution 19/2024 may be amended by the ANPD as its supervisory practice develops. | The GDPR’s text can only be changed by EU legislation, but Chapter V is supplemented over time by Commission adequacy decisions and SCC updates, EDPB guidance and supervisory authority decisions. |
Final Remarks
The GDPR and GDPL rules on international transfers are similar but not identical, and the differences matter in practice.
The GDPR has a more established framework for adequacy decisions, with various countries already recognised. In contrast, the ANPD’s process for granting adequacy decisions is still under development, which may initially complicate international transfers for Brazilian organisations.
Moreover, the GDPR is known for its stringent enforcement and heavy penalties, which have been imposed on several global businesses (for example, Meta was fined €1.2 billion, about US$1.3 billion, in 2023 specifically for its transfers of EU users’ data to the United States, and Amazon €746 million in 2021).
While the ANPD’s penalty practice is relatively new, the legal basis for significant fines already exists under the GDPL. The ANPD’s first public sanction was issued in October 2023, when a company was fined R$14,400 for violations related to transparency in data processing. Higher fines are expected as the ANPD ramps up its enforcement efforts and adopts stricter measures to ensure compliance with the GDPL.
Both the GDPR and the GDPL recognise BCRs, offering flexibility to multinational companies. However, the GDPR has a more mature approval and usage regime for BCRs, which may make compliance simpler in practice.
Both laws apply to entities within their respective jurisdictions and reach beyond them, but the GDPR’s extraterritorial scope is broader: it covers any business that offers goods or services to, or monitors the behaviour of, individuals in the EU, regardless of where that business is located. The GDPL also applies to companies outside Brazil, but only where the processing is carried out to offer goods or services to individuals located in Brazil or where the personal data was collected in Brazil.
Do you have any questions?
Contact us if you would like further information. Our firm is ready to assist you.
Last modified: September 24, 2024