Brazil’s New Digital Child Protection Law: Practical Implications for Foreign Tech Companies

6 May 2026

  • Brazil
  • Privacy and Data Protection

Summary

Brazil’s new Digital Child Protection Law (ECA Digital – Law No. 15,211/2025) radically changes the compliance obligations for foreign technology companies operating in Brazil. The law introduces a proactive duty of care toward minors, replacing the previous reactive liability model under the Marco Civil da Internet. Any digital service accessible to children or adolescents — including social media, gaming, streaming, AI tools, and app stores — must now adopt safety-by-design and privacy-by-default principles.

Brazil Introduces a New Digital Protection Framework for Minors

When Law No. 15,211/2025, known as the ECA Digital or Digital Statute for Children and Adolescents, came into force on March 17, 2026, Brazil took a significant step in regulating the digital environment. For foreign technology companies that offer services to the Brazilian public, the legislation is far more than just another local rule. It represents a genuine paradigm shift in how platforms must be designed, operated, and monitored.

Until now, the Brazilian Internet Civil Framework (Marco Civil da Internet) of 2014 established essentially a reactive liability regime. Platforms were generally only held responsible for third-party content after receiving a specific court order or valid notification. The ECA Digital inverts this logic. Companies now face a proactive and continuous duty of care, something close to the “duty of care” we already know in Europe through the UK’s Online Safety Act or parts of the Digital Services Act (DSA).

The Best Interests of the Child Become the Central Compliance Principle

The central principle of the law is the best interests of the child and adolescent. Any information technology product or service that is targeted at minors or has a reasonable likelihood of being accessed by them must be developed with this interest as an absolute priority. This includes social networks, gaming apps, streaming platforms, app stores, and even artificial intelligence tools.

In practice, this means adopting the concepts of safety-by-design and privacy-by-default from the outset. It is no longer enough to fix problems after they arise. Companies must anticipate risks to the physical, mental, and moral integrity of younger users and build preventive safeguards.

Mandatory Impact Assessments and Platform Risk Analysis

One of the pillars of the new legislation is the requirement for impact assessments. Platforms must conduct periodic detailed analyses of the potential effects of their functionalities (recommendation algorithms, engagement mechanisms, advertising systems, and even augmented reality features) on children and adolescents. These reports need to be properly documented internally and, in many cases, generate transparent information that can be shared with authorities or made available to the public in a summarized version.

New Age Verification and Parental Control Obligations

Age verification has become significantly more rigorous. A simple self-declaration (“click here if you are over 18”) is no longer considered sufficient. The law requires effective and proportionate mechanisms that respect privacy but genuinely manage to distinguish adults from minors. For users up to 16 years old, accounts on social networks and similar platforms must, as a rule, be linked to a legal guardian.

Furthermore, companies are required to provide robust parental control tools. Guardians must have access to dashboards that allow them to set screen time limits, restrict contacts, approve or block in-app purchases, and disable personalized algorithmic recommendation systems. Many foreign clients I have spoken with still underestimate the weight of this requirement.

Restrictions on Advertising, Profiling, and Gaming Monetization

In the commercial sphere, the law is particularly restrictive. The use of advanced behavioral profiling, emotional analysis, or immersive technologies to target advertising at children and adolescents is prohibited. Monetization of content that inappropriately exploits the image of minors is also subject to severe limitations. In the gaming sector, there are express bans on “loot boxes” and randomized reward systems when the game is accessible to minors, precisely because of their addictive potential and the risk of uncontrolled spending.

Harmful Content Removal and Reporting Requirements

Another aspect that deserves attention is the swift removal of harmful content. The law establishes short deadlines – in some cases as little as 24 hours – for the removal of material related to sexual exploitation, violence, bullying, cyberbullying, incitement to suicide, self-harm, or drug use. In addition to removal, in serious situations platforms must notify the competent authorities, including through international cooperation when necessary.

Legal Representation and Enforcement Risks for Foreign Companies

For foreign companies without a physical presence in Brazil, the law strengthens enforcement mechanisms. It is mandatory to appoint a legal representative established in the country, with powers to receive judicial and administrative citations, respond to requests from the Public Prosecutor’s Office and the National Data Protection Authority (ANPD), and serve as the local point of contact.

In fact, the ANPD assumes a central role in supervising and regulating the law, acting in coordination with the Public Prosecutor’s Office. This creates a more robust enforcement scenario than many international players initially anticipated. Moreover, the law provides for joint and several liability: subsidiaries, branches, or companies within the same economic group in Brazil may be held accountable for violations committed by the foreign parent company.

Financial Penalties and Operational Sanctions

The sanctions are dissuasive. Fines can reach up to 10% of the economic group’s revenue in Brazil in the previous year, or up to R$ 50 million per individual violation, depending on the severity. In extreme cases or in the event of recurrence, authorities may order the temporary suspension or even the complete blocking of the service within Brazilian territory. For companies that depend on the Brazilian market, especially consumer technology firms, this operational risk is very real.

Relationship Between the ECA Digital and Brazil’s LGPD

It is worth noting that the ECA Digital interacts closely with the General Data Protection Law (LGPD). Many of the principles of privacy-by-default, data minimization, and impact assessments already existed under the LGPD, but they now take on more specific contours when the data subject is a child or adolescent. The processing of minors’ data requires even greater care, with more restrictive legal bases and heightened attention to consent and the rights of legal guardians.

Global Regulatory Trends and Brazilian Specificities

From a comparative perspective, the Brazilian law aligns with global trends. It bears clear similarities to the UK’s Age Appropriate Design Code, certain aspects of the European DSA, and ongoing discussions in other Latin American countries. However, it presents distinctly Brazilian nuances: strong influence from the Public Prosecutor’s Office, the tradition of integral protection of children established in the 1990 Child and Adolescent Statute (ECA), and an approach that combines state regulation with the shared responsibility of families, schools, and platforms.

Practical Compliance Steps for Foreign Technology Companies

Foreign legal advisors must act with urgency. A good starting point is to conduct a comprehensive gap analysis: mapping user onboarding flows, reviewing advertising and algorithmic recommendation policies, assessing the adequacy of age verification mechanisms, and verifying whether the legal representation structure in Brazil meets the new requirements.

In addition, it is important to prepare local teams or partners to handle administrative requests and potential audits. Investing in privacy-preserving age verification technologies, such as age estimation or document-based verification without excessive data storage, can make a difference both in compliance and in the user experience.
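The privacy-preserving age-assurance pattern just described (derive only what the rule needs, keep the identity document out of the platform's own storage) can be made concrete. The following Python is an added example, not code from the original article or from any Brazilian regulator: a hypothetical verification service checks the document, reduces the date of birth to one of three brackets, and hands the platform a signed token that carries only the bracket and an expiry; the platform verifies the token and applies the guardian-link rule without ever seeing the date of birth. It assumes an HMAC key shared between issuer and platform purely to stay dependency-free (a production deployment would use an asymmetric signature so the platform can verify but not mint tokens), assumes the guardian-link threshold is "under 16", and uses constructed dates rather than real user data.

```python
"""Minimal-disclosure age attestation (added example, not from the page).

Issuer side sees the document once and derives an age bracket; platform side
receives a signed token containing only {bracket, exp} and never the DOB.
"""
import base64
import hashlib
import hmac
import json
from datetime import date

# Hypothetical shared signing key. HMAC keeps the example dependency-free; a real
# deployment would use an asymmetric signature (e.g. Ed25519) so the platform can
# verify tokens but cannot forge them.
ISSUER_KEY = b"constructed-demo-key-do-not-reuse"

BRACKETS = ("under_16", "16_17", "adult")   # the only age information a token carries
TODAY = date(2026, 5, 6)                     # constructed reference date for the demo


def age_bracket(dob: date, today: date) -> str:
    """Map a date of birth to a coarse bracket. Birthdays are compared by
    (month, day) so a user turns 16 exactly on their sixteenth birthday."""
    years = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
    if years < 16:
        return "under_16"
    if years < 18:
        return "16_17"
    return "adult"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_age_token(dob: date, today: date, ttl_days: int, key: bytes = ISSUER_KEY) -> str:
    """Issuer side: the date of birth is consumed here and never serialised."""
    claims = {"bracket": age_bracket(dob, today), "exp": today.toordinal() + ttl_days}
    payload = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(key, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{sig}"


def verify_age_token(token: str, today: date, key: bytes = ISSUER_KEY):
    """Platform side: return the claims dict, or None if the token is malformed,
    tampered with, or expired. The signature check is constant-time."""
    try:
        payload, sig = token.split(".", 1)
    except ValueError:
        return None
    expected = _b64(hmac.new(key, payload.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None
    try:
        claims = json.loads(_unb64(payload))
    except ValueError:
        return None
    if not isinstance(claims, dict) or claims.get("bracket") not in BRACKETS:
        return None
    if claims.get("exp", 0) < today.toordinal():   # token valid through its exp day
        return None
    return claims


def onboarding_decision(token: str, today: date) -> dict:
    """Apply the article's rules: under-16 accounts must be linked to a guardian
    (assumed threshold), and parental-control tooling applies to every minor."""
    claims = verify_age_token(token, today)
    if claims is None:
        return {"allowed": False, "reason": "invalid_or_expired_token"}
    bracket = claims["bracket"]
    return {
        "allowed": True,
        "bracket": bracket,
        "guardian_link_required": bracket == "under_16",
        "parental_controls_required": bracket != "adult",
    }


def demo() -> dict:
    """Constructed end-to-end run (no real user data) for a reader to execute."""
    token = issue_age_token(date(2011, 5, 6), TODAY, ttl_days=30)
    tampered = token[:-1] + ("A" if token[-1] != "A" else "B")
    return {
        "token_claims": sorted(verify_age_token(token, TODAY)),   # only bracket and exp
        "decision": onboarding_decision(token, TODAY),
        "tampered_rejected": verify_age_token(tampered, TODAY) is None,
        "expired_rejected": verify_age_token(token, date(2026, 6, 6)) is None,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it directly to see a demo run. The point to check in a review is that nothing the platform stores or logs after onboarding reveals more than the bracket and the token's expiry.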

Conclusion

In summary, the ECA Digital is not merely a symbolic law. It imposes concrete obligations, with adaptation deadlines that have already expired for many companies, and carries real risks of financial and operational sanctions. For law firms advising international clients, especially small and medium-sized practices in Europe and Asia, the moment has come to help these players turn compliance into a competitive advantage.

Those who manage to implement robust protection measures from the design stage of their products will not only avoid heavy fines but may also build greater trust with the Brazilian public and authorities.

Summary: On January 25, 2026, Brazil and the EU mutually recognized each other as providing adequate personal data protection—removing, in many cases, the need for Standard Contractual Clauses (SCCs) or other transfer tools. This shifts the conversation from “copy-paste compliance” to strategy: deciding when to retire SCCs, updating cross-border transfer policies, and modernizing contractual models for future deals.

Why this matters in real transactions

Imagine you’re about to close a deal with a German business partner and your Brazilian client urgently asks for a data transfer clause. It’s always the same copy-paste: Standard Contractual Clauses (SCCs), Annex I and II in both languages, signatures on the dotted line. Now imagine this scene is finally unnecessary.

The mutual adequacy milestone (January 25, 2026)

On January 25, 2026, Brazil and the European Union mutually recognized each other as providing an adequate level of personal data protection. It is the first mutual adequacy arrangement between the EU and a Latin American country (Argentina and Uruguay hold one-way EU adequacy decisions). In practical terms, it means that companies can transfer personal data between Brazil and the EU without additional mechanisms such as SCCs or Binding Corporate Rules (BCRs). In strategic terms, it opens a new front of opportunities for Brazilian lawyers, especially those advising clients who export, import, invest, or operate in the EU.

A starting point, not a “compliance break”

This is a milestone and also a starting point. Mutual adequacy does not mean «relax your compliance programs»; on the contrary, it demands governance maturity and careful review.

Three concrete fronts for legal work

1. Retiring SCCs: Not Always Automatic

The adequacy decision makes SCCs optional in many cases, but that doesn’t mean you can simply tear them up. For existing contracts that already use SCCs, lawyers will need to assess whether they should keep, revise, or remove those clauses. The answer will depend on the risks, data flows, and reliance on third countries in the processing chain. There may also be internal policies, negotiated warranties, or obligations to supervisory authorities that require formal justifications.

In practice, companies with complex processing chains (e.g., European headquarters, shared Brazilian HR services, cloud servers in the U.S.) may continue using SCCs in certain flows even after the adequacy recognition. Lawyers will need to carefully document and track this hybrid model.

2. Reviewing Cross-Border Data Transfer Policies

Many companies, especially multinationals or those with multiple data protection obligations, have established cross-border data transfer policies («CBTPs») that classify countries into categories and associate specific safeguards for each. Brazil’s new status as an «adequate country» must now be reflected in those documents.

For instance, a Brazilian company that receives data from France and sends it to Argentina and India may now adjust internal protocols to reduce documentation and controls on the EU → Brazil leg, while reinforcing controls in the Brazil → Argentina or Brazil → India legs. These changes must be aligned with the company’s policies, contracts, and internal training materials.

3. Adapting Contractual Models for Future Deals

The mutual adequacy decision creates a new contractual scenario. Brazilian lawyers advising international clients can now use data transfer models aligned with the GDPR, without SCCs or complex annexes, provided one party is established in Brazil and the other in the EU.

This reduces transaction costs, improves legal certainty, and increases speed in negotiations involving technology services, cross-border M&A, or shared service centers. A good contractual model should still include data protection clauses—but now focused on risk allocation, DPO cooperation, and incident response coordination, rather than formal compliance with Art. 46 GDPR or Arts. 33–36 LGPD.

Summary: Brazil’s data protection authority (ANPD) is signaling a clear move toward stronger, more GDPR-aligned enforcement and rulemaking through its 2026–2027 Priority Topics Map and updated Regulatory Agenda. The selected priorities mirror familiar EU themes—data subject rights, children’s data, public-sector processing, and AI—while adding practical predictability for organizations planning compliance. For European businesses operating in Brazil, the direction of travel suggests increasing convergence in governance, risk assessment, and transparency expectations. This trajectory may also strengthen the long-term case for Brazil to pursue an EU adequacy decision.

A maturing authority with a strategic alignment to GDPR

While European regulators refine enforcement mechanisms for mature frameworks, Brazil is quietly building one of the most GDPR-aligned data protection systems outside the EU. The release of the Priority Topics Map for 2026–2027 and the updated Regulatory Agenda by the National Data Protection Authority (ANPD) reveals an authority no longer in its infancy, but one strategically positioning itself as a credible counterpart to European supervisory bodies.

ANPD’s priority topics for 2026–2027

The four priority topics chosen by Brazil’s National Data Protection Authority («ANPD») tell a familiar tale to anyone working with GDPR compliance: data subject rights, protection of children and adolescents in digital environments, processing by public authorities, and artificial intelligence with emerging technologies.

Why these priorities feel familiar to GDPR practitioners

These are not arbitrary choices but deliberate alignments with the core concerns that have shaped European enforcement over the past seven years, from the fundamental rights guarantees in Articles 12 through 22, to the heightened scrutiny of processing involving minors, to the evolving regulatory treatment of algorithmic systems that now spans both GDPR recitals and the EU AI Act itself.

Children and adolescents: new authority and converging expectations

Brazil’s recent Digital Statute for Children and Adolescents hands ANPD substantial new authority over age verification and parental consent mechanisms, creating a regulatory bridge that should look strikingly familiar to companies navigating the UK’s Age Appropriate Design Code or implementing EDPB guidance on child data. European digital services operating in Brazil, particularly in social media, gaming, education, or wellness sectors, now face converging compliance expectations on both sides of the Atlantic. The technical architectures and consent flows designed for GDPR are increasingly fit for purpose in the Brazilian context as well.

Artificial intelligence and emerging technologies

The elevation of artificial intelligence to priority status is ANPD’s clearest statement yet about where Brazilian regulation is headed, though hardly a surprise, since AI is preoccupying every regulator in every industry. While the LGPD lacks specific AI provisions, the authority has been methodically laying groundwork through public consultations on automated decision-making and studies on algorithmic profiling. For companies already deep in EU AI Act preparation, this convergence offers something rare in global privacy compliance: the potential for genuine efficiency gains through shared governance frameworks, unified risk assessment methodologies, and harmonized transparency protocols rather than duplicative regional adaptations.

Data subject rights and DPIAs: reinforcing accountability

ANPD’s continued emphasis on data subject rights and Data Protection Impact Assessments reinforces the structural similarities with GDPR’s accountability model. The Brazilian approach increasingly mirrors European expectations around documented risk assessment, standardized response protocols for individual rights requests, and transparency obligations for profiling activities. Multinational organizations can now reasonably contemplate unified DPIA templates and centralized rights management systems that serve both jurisdictions without fundamental architectural splits.

The updated Regulatory Agenda for 2025–2026: predictability as a compliance asset

The updated Regulatory Agenda for 2025–2026 provides something perhaps more valuable than new rules: predictability. One should not underestimate the importance of predictability in Brazil, where it is a rare asset, even before the courts; former Finance Minister Pedro Malan once ironically remarked that «in Brazil, even the past is uncertain».

What ANPD is telegraphing next

By telegraphing upcoming initiatives on biometric data processing, inspection methodologies, sanctioning procedures, cybersecurity standards, and privacy program governance, ANPD offers companies the planning visibility that makes cross-border compliance feasible rather than reactive. These topics map directly onto GDPR’s controller obligations, security requirements, and Data Protection Officer independence provisions in Articles 24 through 39.

Beyond compliance: what convergence could mean for data flows

The regulatory convergence carries implications beyond operational compliance. The structural alignment between LGPD and GDPR, reinforced by ANPD’s strategic choices, strengthens the case for an eventual EU adequacy decision recognizing Brazil under Article 45.

For European businesses and their counsel, the trajectory suggests not just reduced friction in managing trans-Atlantic data flows, but the emergence of genuinely compatible regulatory ecosystems. The challenge will be maintaining attention to Brazilian developments with the same intensity devoted to EDPB guidelines and Commission decisions, recognizing that convergence is a continuous process rather than a static achievement.

Conclusion

Brazil’s ANPD is increasingly setting priorities that mirror the main pressure points of GDPR compliance, while using its Regulatory Agenda to add clarity and sequencing to what comes next. For organizations operating across the EU and Brazil, the message is practical: governance structures, rights-handling processes, and risk assessment tooling built for GDPR are becoming progressively reusable in the Brazilian context. At the same time, staying alert to ANPD’s evolving guidance—especially around children’s data, AI, biometrics, cybersecurity, and enforcement methodology—will be key to turning regulatory convergence into real operational efficiency and reduced cross-border friction.

Summary
This article explores the ANPD’s 2025 Tech Radar on neurotechnologies and how it reshapes compliance risks for Brazilian healthtechs—especially in M&A contexts involving GDPR exposure. It outlines key regulatory concerns, the GDPR’s extraterritorial impact, major due-diligence red flags, and the essential deliverables investors should require.

Introduction

Brazil’s latest ANPD Tech Radar brings neurotechnologies to the forefront of data-protection compliance, exposing significant risks for healthtech companies and investors. With GDPR’s extraterritorial reach, sensitive data processing, opaque AI, and cross-border transfers, data governance has become a critical M&A due-diligence factor requiring structured reviews and robust contractual safeguards.

Key Compliance Risks Shaping Brazilian Healthtech M&A

Brazil’s Data Protection Authority (ANPD) released its 4th Tech Radar in June 2025, focusing entirely on neurotechnologies—marking the first time the regulator targeted this field so directly. The report explores brain-computer interfaces, advanced wearables, AI-driven cognitive therapies, and predictive diagnostics, highlighting risks far beyond traditional health data processing.

For investors and lawyers working M&A deals in Brazil’s healthtech sector, this Radar signals that data protection is no longer a secondary compliance issue—it is now a major source of legal, reputational, and operational risk.

GDPR’s Extraterritorial Relevance

Many Brazilian healthtechs handle personal data of individuals who are in the EU, for instance through expats, medical tourists, cross-border clinical trials, or partnerships with EU-based vendors. Where the company offers goods or services to those individuals, or monitors their behaviour within the EU, GDPR Article 3(2) brings it within the Regulation’s scope even without any EU establishment.

Main Risks Identified by ANPD (Tech Radar #4)

  • Inferring health data without explicit consent
    Example: wearables identifying depression through sleep or stress patterns without informing users.
  • Lack of transparency in predictive algorithms
    Black-box AI models making clinical decisions without accessible documentation.
  • Cybersecurity vulnerabilities in connected devices
    Neural implants or neurostimulators vulnerable to hacking, with potentially physical consequences.
  • Automated processing that impacts human dignity
    Behavioral profiling influencing insurance eligibility, discrimination, or patient autonomy in therapy environments.

GDPR Article 22 gives individuals the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects; such decisions are permitted only on narrow grounds (contract performance, authorisation by law, or explicit consent) and with safeguards such as the right to obtain human intervention. That makes opaque clinical or eligibility decisions a critical risk during due diligence.

Most Common Red Flags in Brazilian Healthtech Due Diligence

No clear legal basis for sensitive data (health, genetic, biometric)

LGPD Impact (Brazil): Breach of LGPD Art. 11
GDPR Parallel (Europe): Art. 9 (special categories)
Practical Recommendation: Require full data-mapping and warranties

Generic or “click-to-accept” consents

LGPD Impact (Brazil): Invalid consent (Art. 7 & 11)
GDPR Parallel (Europe): Art. 6 + 7
Practical Recommendation: Ensure all consents are granular, specific, and revocable

Third-party sharing without processor agreements

LGPD Impact (Brazil): Breach of LGPD Art. 28 & 33
GDPR Parallel (Europe): Art. 28
Practical Recommendation: Verify existence and adequacy of all DPAs

Missing or incomplete ROPA

LGPD Impact (Brazil): Serious regulatory violation
GDPR Parallel (Europe): Art. 30
Practical Recommendation: Make ROPA delivery a closing condition

Non-existent or conflicted DPO

LGPD Impact (Brazil): Non-compliance with ANPD Resolution CD nº 2
GDPR Parallel (Europe): Art. 37–39
Practical Recommendation: Require interview + independence confirmation

No DPIA for high-risk products

LGPD Impact (Brazil): Mandatory (ANPD Res. 15/2023)
GDPR Parallel (Europe): Art. 35
Practical Recommendation: Include pre-closing DPIA audit clause

International transfers without safeguards

LGPD Impact (Brazil): Arts. 33–35
GDPR Parallel (Europe): Arts. 44–50
Practical Recommendation: Verify SCCs (2021/2023) or adequacy status

Real Cases Illustrating the Scale of Risk

  • Telepsychology platforms investigated for using automated triage without informed consent or AI transparency.
  • ANPD actions against genomics startups due to cross-border transfers without SCCs or DPIAs.
  • Outsourced cloud hosting increasing irregular data transfer risks.

Until Brazil receives an EU adequacy decision, SCCs and BCRs remain mandatory for compliant transfers.

Essential Due Diligence Deliverables

A robust data-protection review is now essential in healthtech M&A. Key deliverables include:

  • LGPD ↔ GDPR gap analysis
  • ROPA and DPIA review
  • Sub-processor contract verification
  • Mapping of all international transfers
  • Privacy-specific warranties and indemnities
  • Escrow or holdback for regulatory risk exposure

Conclusion

Data protection is no longer secondary in healthtech M&A—especially when neurodata is involved. With ANPD scrutinizing neurotechnologies and GDPR obligations extending across borders, investors must prioritize structured due diligence and strong contractual safeguards.

FAQ

Is neurodata considered sensitive personal data under the LGPD?

Yes—ANPD treats neurodata as highly sensitive because it reveals cognitive, emotional, and health patterns.

Does GDPR apply to Brazilian companies with no EU presence?

Yes, under Article 3(2), when the company offers goods or services to individuals who are in the EU or monitors their behaviour there; merely holding an EU citizen’s data is not enough on its own.

Are SCCs still required for Brazil–EU transfers?

Yes, until Brazil receives an EU adequacy decision.

What are the top investor red flags?

Missing DPIAs, unclear legal bases, opaque algorithms, and irregular transfers.

Since the General Data Protection Regulation (GDPR) took effect in 2018, the European Union (EU) has granted adequacy status to only a limited number of jurisdictions — those whose data protection regimes are deemed to provide an «essentially equivalent» level of protection to that of the EU. The current list includes Andorra, Argentina, Canada (under PIPEDA), Faroe Islands, Guernsey, Isle of Man, Israel, Japan, Jersey, New Zealand, South Korea, Switzerland, Uruguay, the United Kingdom, and the United States (limited to companies certified under the Data Privacy Framework).

As of 5 September 2025, Brazil is on the verge of joining this exclusive group. The European Commission has issued a draft adequacy decision concluding that the Brazilian General Data Protection Law (Lei Geral de Proteção de Dados Pessoais – LGPD), in conjunction with Brazil’s broader legal and constitutional framework, offers protections that are essentially equivalent to those found in the GDPR. While Brazil’s rules offer somewhat more flexibility in specific areas of data processing, the foundational principles and safeguards are well-aligned with EU standards.

Once finalized, the adequacy decision will authorize the free flow of personal data from the EU to Brazil without the need for additional contractual clauses or technical safeguards. Such a development is not just regulatory — it also answers a core political argument made by LGPD advocates since its inception: that the absence of a comprehensive data protection framework was undermining Brazil’s international competitiveness by limiting data flows and discouraging investment. For businesses, the EU decision may finally mean the removal of a significant layer of compliance complexity — a development especially welcome by small and medium-sized enterprises engaged in cross-border trade or service provision. The draft is currently under review by the European Data Protection Board (EDPB) and the Member States of the EU.

The Commission’s assessment highlights several key aspects of Brazil’s data protection landscape. It begins by noting that the Brazilian Constitution expressly guarantees the right to privacy and the protection of personal data — a notable distinction among non-EU jurisdictions. These protections are further supported by Brazil’s ratification of the American Convention on Human Rights and its recognition of the jurisdiction of the Inter-American Court of Human Rights, reinforcing a commitment to fundamental rights and democratic oversight.

The LGPD mirrors the GDPR in many critical respects and defines its territorial scope clearly. It applies to: (i) data processing carried out within Brazilian territory, (ii) the offering of goods or services to individuals in Brazil, and (iii) data collected in Brazil, even if subsequently processed abroad. This aligns well with the extraterritorial provisions of the GDPR. The definitions of personal data, sensitive data, controller, and processor are materially similar, as are the key principles governing processing — including lawfulness, purpose limitation, data minimization, accuracy, transparency, and security. The law expressly excludes anonymized data from its scope and establishes specific exemptions for journalistic activities, public security, and scientific research.

Another strength is Brazil’s institutional framework. The National Data Protection Authority (ANPD) was recently transformed into an autonomous regulatory agency, enhancing its independence and technical capacity. The ANPD holds both regulatory and enforcement powers: it can issue binding regulations, impose administrative sanctions, and publish authoritative guidance. To date, it has issued key guidelines on topics such as consent, legitimate interest, the role of the Data Protection Officer (DPO), and security incident reporting. Internationally, the ANPD is an active participant in global data protection dialogue — it is a member of the Global Privacy Assembly and an official observer to the Council of Europe’s Convention 108.

The LGPD’s approach to international data transfers is also structurally aligned with the GDPR. It requires appropriate safeguards such as standard contractual clauses, allows for future adequacy decisions under a regime comparable to Article 45 of the GDPR, and includes detailed provisions for onward transfers and transit data — that is, data merely passing through Brazil without further processing. The rights of data subjects are robust and familiar to European practitioners: access, rectification, erasure, portability, and withdrawal of consent are guaranteed. Lawful bases for processing are also aligned — including consent, legal obligations, contract execution, and legitimate interest. Notably, the LGPD requires a documented balancing test when relying on legitimate interest, bringing additional accountability to this flexible legal basis.

Security incidents involving personal data must be notified to both the ANPD and affected data subjects when they may cause significant risk or harm. The ANPD’s incident-reporting regulation sets the deadline at three business days from the controller’s knowledge of the incident, close to the GDPR’s 72 hours, and the required content aligns closely with Articles 33 and 34 of the GDPR. The ANPD may also order public disclosure of incidents or require remedial measures, depending on the nature and scope of the breach.

Importantly, this process is not one-sided. In parallel to the European Commission’s adequacy decision, the ANPD is conducting its own adequacy assessment of the EU and EEA data protection frameworks. This process is regulated by the Brazilian Resolution CD/ANPD No. 19/2024, which governs international data transfers. Once the technical and legal evaluation is complete, the ANPD’s Board of Directors will issue a formal decision. This reciprocal move reflects Brazil’s commitment to mutual recognition and regulatory symmetry — a positive signal for companies on both sides of the Atlantic.

In conclusion: If confirmed, Brazil’s adequacy status will simplify international operations, reduce compliance costs, and expand opportunities for data-driven business and legal cooperation. For European lawyers advising SMEs with interests in Latin America, this development is a strategic signal: Brazil is emerging not just as a growing market, but as a legally compatible and data-safe jurisdiction for international partnerships.

On 23 August 2024, Brazil’s National Data Protection Authority (ANPD) issued Resolution No. 19, a landmark regulation governing the international transfer of personal data under the Brazilian General Data Protection Law (LGPD). Companies now have until 23 August 2025 to fully comply.

This deadline is especially relevant for European multinationals operating in Brazil, or Brazilian subsidiaries sharing data with foreign HQs or vendors. The new rules align Brazil more closely with global privacy frameworks like the GDPR—but with local twists that demand attention.

Why It Matters

Unlike previous guidance, Resolution No. 19 creates binding legal obligations and explicit deadlines. It introduces mechanisms such as Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), and public transparency requirements—all within a strict 12-month timeframe.

For many international companies, this will require significant updates to internal governance, contract management, and cloud data strategies. Below are the key takeaways for foreign counsel.

Standard Contractual Clauses (SCCs): Now Mandatory

The ANPD has released its own set of Standard Contractual Clauses, which must be used for data transfers to jurisdictions not recognized as offering “adequate protection.”

Companies must adopt these clauses by 23 August 2025. This will likely require revisiting existing data processing agreements involving Brazilian parties and ensuring alignment with the ANPD template.

Important: The SCCs cannot be modified beyond inserting details in the annexes. Any deviations require prior approval from the ANPD and are limited to exceptional cases.

Broad Transparency Requirements

Data controllers are now required to publish, on their website, a plain-language document explaining:

  • the purpose of the international data transfer,
  • the categories of data involved,
  • the countries of destination,
  • and the legal mechanism used to legitimize the transfer.

Upon request, data subjects must also receive a copy of the full SCCs within 15 days. Multinationals will need protocols and document templates to respond efficiently—especially when dealing with requests in Portuguese.

Expanded Definition of “International Transfer”

The Resolution clarifies that a transfer occurs whenever:

  • data is accessed or stored by an entity located abroad, or
  • processing is outsourced to a cloud provider with servers or technical teams outside Brazil.

This has important implications for global companies that centralize services such as payroll, CRM, or cybersecurity outside Brazil—even if hosted on multinational platforms.

Binding Corporate Rules (BCRs): Now Recognized

Multinationals with mature privacy programs may apply to the ANPD for approval of their own Binding Corporate Rules, offering an alternative to SCCs.

This is a welcome development for companies seeking harmonized compliance across jurisdictions, but approval is expected to involve a complex and time-consuming process. Early preparation is essential.

Custom Clauses in Exceptional Circumstances

Companies unable to adopt the standard clauses—due to specific factual or legal constraints—may submit alternative clauses for ANPD approval. However, such flexibility is limited and subject to strict justification.

In practice, the official SCCs will be the default path for most international data transfers involving Brazil.

What Foreign Companies Should Do Now

The 12-month window is already ticking. International groups operating in Brazil or processing Brazilian data should urgently:

  • Map all international data transfers involving Brazil;
  • Identify contracts and vendors requiring updates;
  • Insert ANPD’s SCCs where applicable;
  • Publish the required transparency notice online in Portuguese;
  • Monitor for further ANPD guidance or enforcement trends.

Strategic Compliance: Beyond Legal Risk

Resolution No. 19 is part of a global trend toward standardized but locally enforced privacy frameworks. For GDPR-compliant companies, Brazil’s new rules offer a chance to reaffirm leadership in data governance.

Those who act early can avoid last-minute fire drills, reduce regulatory exposure, and strengthen credibility with Brazilian regulators and consumers.

In today’s data economy, privacy compliance is more than a legal duty—it’s a business differentiator.

Brazil’s National Data Protection Authority (ANPD) released a long-awaited guidance document on how companies should interpret and apply the legal basis of legitimate interest under the Brazilian General Data Protection Law (LGPD).

This is not merely a local update. As Brazil continues to shape its data protection regime, foreign companies—particularly European SMEs with clients, platforms, or partners in Brazil—must adapt their compliance strategies to local expectations. This new guidance is a crucial development.

Below, I summarize what has changed, how it compares to the GDPR approach, and what steps you (or your clients) should take next.

Why Legitimate Interest Matters—But Remains Risky

Just like under the GDPR, Brazil’s LGPD allows personal data to be processed without consent when doing so is necessary for purposes aligned with the controller’s legitimate interests. However, because this legal basis went unregulated after the LGPD came into force, it has long been regarded as risky in Brazil: in fact, it was unclear how to evaluate the «legitimacy» of the interest and how to balance it against data subject rights.

The ANPD’s «Guia Orientativo sobre o Legítimo Interesse» (Guidance on Legitimate Interest) fills that gap—providing a practical framework to assess, document, and justify this legal basis.

The ANPD’s Three-Step Balancing Test

The core of the new guidance is a three-step balancing test, which mirrors the GDPR’s Legitimate Interests Assessment (LIA) but with Brazilian nuances.

  • Purpose Test: The controller must define a specific, concrete, and legitimate objective behind the data processing. Open-ended or abstract justifications (“marketing purposes”, “efficiency”) will not suffice. The processing must also align with the reasonable expectations of the data subject.
  • Necessity Test: The data processing must be strictly necessary to achieve the defined purpose. If the same result could be achieved through less intrusive means (e.g. anonymized data or a different legal basis), the test will likely fail.
  • Balancing Test and Safeguards: This step assesses whether the controller’s interest outweighs the rights and freedoms of the data subject. Controllers must consider the nature of the data, the context of the processing, and the potential risks involved. When risks are identified, appropriate safeguards must be implemented, such as transparency, opt-outs, pseudonymization, and impact assessments.

Takeaway: The ANPD recommends documenting the entire process. While this is not mandatory by law, it will be critical in case of investigations or complaints.

How This Affects Foreign Companies Doing Business in Brazil

Many foreign companies process personal data of Brazilian individuals—whether by offering digital services, interacting with Brazilian suppliers, or collecting contact information via websites or CRM tools.

Although some assume that GDPR compliance is sufficient, the ANPD may evaluate legitimate interest more restrictively than some EU supervisory authorities.

Foreign companies should:

  • Revisit their legal bases for processing data of Brazilian individuals.
  • Conduct a proper balancing test using the ANPD’s model, even for non-sensitive data.
  • Keep written records of the analysis (especially if using legitimate interest for analytics or marketing).
  • Update their privacy notices to reflect the legal basis and safeguards in place.
  • Be aware of the extraterritorial reach of the LGPD—yes, it applies even if you have no office in Brazil.

Strategic Guidance

If you advise SMEs that operate across jurisdictions—including Brazil—this new guidance is a practical compliance tool and a risk-mitigation opportunity.

Here’s how to act now:

  • Perform a Legitimate Interests Assessment (LIA) whenever your client relies on this basis in Brazil.
  • Compare it with the GDPR LIA to identify overlaps and gaps.
  • Align documentation—so your clients are ready in the event of a complaint or data subject request.
  • Monitor ANPD updates—the ANPD has increased its activity and enforcement posture significantly in the past year.

Final Thoughts

The ANPD’s guidance reflects a growing maturity in Brazil’s data protection landscape. Legitimate interest is no longer a vague fallback—it requires structure, analysis, and above all, transparency.

European companies with operations or digital exposure in Brazil should approach this legal basis with care and diligence. The good news? The ANPD is now offering the roadmap. It’s up to us, as legal advisors, to make sure our clients follow it.

Want to see the full guidance? The original document (in Portuguese) is available here.

Brazil is increasingly in the global spotlight when it comes to cybersecurity threats. With over 10 billion cyberattack attempts recorded in 2023 alone, the country ranks among the most targeted worldwide. These incidents are not abstract: they affect sensitive sectors such as finance and healthcare, including data leaks involving over 220 million data subjects from national institutions and critical infrastructure operators.

While Brazil may seem like a distant jurisdiction, its data protection regime — shaped by the Lei Geral de Proteção de Dados (LGPD) — has growing significance for European businesses operating or partnering in the region. The LGPD, inspired by the GDPR, sets out specific obligations around data breach notification. However, unlike the GDPR’s mandatory 72-hour notification rule, not all security incidents must be reported to the Brazilian Data Protection Authority (ANPD).

So: when exactly should a security incident be reported in Brazil?

When Notification is Required: A Three-Step Test

Under Brazilian law, a security incident involving personal data must be reported to the ANPD only if the following three criteria are cumulatively met:

  • The incident has been confirmed.
  • It involves personal data subject to the LGPD.
  • It poses a relevant risk or damage to data subjects.

This third threshold is critical. According to the ANPD’s Security Incident Communication Regulation (RCIS), relevant risks include incidents that may:

  • Prevent the exercise of rights or access to services.
  • Cause material or moral harm.
  • Involve special categories of data, such as sensitive personal data, financial data, large-scale datasets, children’s or elderly persons’ data, authentication credentials, or legally protected information (e.g., medical, legal, or professional secrets).

This approach offers some flexibility – but it also requires careful legal judgment.

When You Don’t Have to Notify

There is no obligation to notify the ANPD if the incident does not result in significant risk or damage. For instance, if the breached data is non-sensitive and publicly available (e.g., general contact information), and no additional harm is expected, companies may reasonably determine that notification is unnecessary.

However, this decision should not be taken lightly. Controllers are expected to assess several contextual factors, such as:

  • The volume and nature of the affected data.
  • Whether the data subjects can be identified.
  • The likely impact on fundamental rights.
  • The technical and security measures in place.
  • Any steps taken to mitigate the damage.

In practice, each case must be analyzed individually — and well documented — to ensure a defensible position.

How to Notify the ANPD (If Required)

If the thresholds for notification are met, companies must report the incident within three business days from the date they became aware that personal data was affected. The notification must include:

  • A description of the breach and affected data.
  • The number and profile of impacted data subjects.
  • Security measures in place before and after the incident.
  • Potential risks to the data subjects.
  • Mitigation strategies.
  • Identification of the controller and DPO (if applicable).

Notifications are submitted via the ANPD’s online platform (SUPER). Sensitive business information can be protected through a request for confidential treatment, provided it is properly justified.

Strategic Takeaways for European Stakeholders

For European companies and compliance officers, understanding the nuances of Brazilian data breach notification rules is essential for several reasons:

  • Cross-border compliance: Companies transferring personal data to Brazil must ensure regulatory alignment under the GDPR’s international transfer rules.
  • Due diligence: M&A or vendor screening in Brazil should include assessments of LGPD readiness and breach history.
  • Incident response protocols: Global organizations must harmonize breach notification timelines and thresholds across jurisdictions, adapting to Brazil’s risk-based approach.

In a landscape of increasing cyber threats, aligning with the LGPD is not just a regulatory obligation — it’s a strategic necessity.

Final Thoughts

Brazil’s data protection authority does not adopt a «one size fits all» model for breach notification. The LGPD introduces a risk-based, case-by-case approach, which may offer more flexibility than the GDPR — but also places a greater burden on organizations to justify their decisions.

European companies doing business in Brazil must be prepared to evaluate security incidents in light of both local obligations and international expectations. Failing to notify a breach — or notifying too hastily — can have serious reputational, legal, and operational consequences.

Understanding when (and how) to notify the ANPD is a key part of navigating Brazil’s complex but maturing data protection landscape.

Leopoldo Pagotto


Brazil–EU Mutual Adequacy and What Comes Next

12 February 2026

  • Brasil
  • Privacy and Data Protection


Summary: On January 25, 2026, Brazil and the EU mutually recognized each other as providing adequate personal data protection—removing, in many cases, the need for Standard Contractual Clauses (SCCs) or other transfer tools. This shifts the conversation from “copy-paste compliance” to strategy: deciding when to retire SCCs, updating cross-border transfer policies, and modernizing contractual models for future deals.

Why this matters in real transactions

Imagine you’re about to close a deal with a German business partner and your Brazilian client urgently asks for a data transfer clause. It’s always the same copy-paste: Standard Contractual Clauses (SCCs), Annex I and II in both languages, signatures on the dotted line. Now imagine this scene is finally unnecessary.

The mutual adequacy milestone (January 25, 2026)

On January 25, 2026, Brazil and the European Union mutually recognized each other as countries with adequate levels of personal data protection. It’s the first adequacy agreement signed between the EU and a Latin American country. In practical terms, it means that companies can transfer personal data between Brazil and the EU without the need for additional mechanisms, like SCCs or Binding Corporate Rules (BCRs). In strategic terms, it opens a new front of opportunities for Brazilian lawyers, especially those advising clients who export, import, invest, or operate in the EU.

A starting point, not a “compliance break”

This is a milestone and also a starting point. Mutual adequacy does not mean «relax your compliance programs»; on the contrary, it demands governance maturity and careful review.

Three concrete fronts for legal work

1. Retiring SCCs: Not Always Automatic

The adequacy decision makes SCCs optional in many cases, but that doesn’t mean you can simply tear them up. For existing contracts that already use SCCs, lawyers will need to assess whether they should keep, revise, or remove those clauses. The answer will depend on the risks, data flows, and reliance on third countries in the processing chain. There may also be internal policies, negotiated warranties, or obligations to supervisory authorities that require formal justifications.

In practice, companies with complex processing chains (e.g., European headquarters, shared Brazilian HR services, cloud servers in the U.S.) may continue using SCCs in certain flows even after the adequacy recognition. Lawyers will need to carefully document and track this hybrid model.

2. Reviewing Cross-Border Data Transfer Policies

Many companies, especially multinationals or those with multiple data protection obligations, have established cross-border data transfer policies («CBTPs») that classify countries into categories and associate specific safeguards for each. Brazil’s new status as an «adequate country» must now be reflected in those documents.

For instance, a Brazilian company that receives data from France and sends it to Argentina and India may now adjust internal protocols to reduce documentation and controls on the EU → Brazil leg, while reinforcing controls in the Brazil → Argentina or Brazil → India legs. These changes must be aligned with the company’s policies, contracts, and internal training materials.

3. Adapting Contractual Models for Future Deals

The mutual adequacy decision creates a new contractual scenario. Brazilian lawyers advising international clients can now use data transfer models aligned with GDPR—without needing SCCs or complex annexes—provided both parties are located in Brazil and the EU.

This reduces transaction costs, improves legal certainty, and increases speed in negotiations involving technology services, cross-border M&A, or shared service centers. A good contractual model should still include data protection clauses—but now focused on risk allocation, DPO cooperation, and incident response coordination, rather than formal compliance with Art. 46 GDPR or Arts. 33–36 LGPD.

Summary: Brazil’s data protection authority (ANPD) is signaling a clear move toward stronger, more GDPR-aligned enforcement and rulemaking through its 2026–2027 Priority Topics Map and updated Regulatory Agenda. The selected priorities mirror familiar EU themes—data subject rights, children’s data, public-sector processing, and AI—while adding practical predictability for organizations planning compliance. For European businesses operating in Brazil, the direction of travel suggests increasing convergence in governance, risk assessment, and transparency expectations. This trajectory may also strengthen the long-term case for Brazil to pursue an EU adequacy decision.

A maturing authority with a strategic alignment to GDPR

While European regulators refine enforcement mechanisms for mature frameworks, Brazil is quietly building one of the world’s most GDPR-aligned data protection systems outside the EU. The release of the Priority Topics Map for 2026–2027 and its updated Regulatory Agenda by the National Agency of Personal Data Protection (ANPD) reveals an authority no longer in its infancy, but one strategically positioning itself as a credible counterpart to European supervisory bodies.

ANPD’s priority topics for 2026–2027

The four priority topics chosen by Brazil’s National Data Protection Authority («ANPD») tell a familiar tale to anyone working with GDPR compliance: data subject rights, protection of children and adolescents in digital environments, processing by public authorities, and artificial intelligence with emerging technologies.

Why these priorities feel familiar to GDPR practitioners

These are not arbitrary choices but deliberate alignments with the core concerns that have shaped European enforcement over the past seven years, from the fundamental rights guarantees in Articles 12 through 22, to the heightened scrutiny of processing involving minors, to the evolving regulatory treatment of algorithmic systems that now spans both GDPR recitals and the EU AI Act itself.

Children and adolescents: new authority and converging expectations

Brazil’s recent Digital Statute for Children and Adolescents hands ANPD substantial new authority over age verification and parental consent mechanisms, creating a regulatory bridge that should look strikingly familiar to companies navigating the UK’s Age Appropriate Design Code or implementing EDPB guidance on child data. European digital services operating in Brazil, particularly in social media, gaming, education, or wellness sectors, now face converging compliance expectations on both sides of the Atlantic. The technical architectures and consent flows designed for GDPR are increasingly fit for purpose in the Brazilian context as well.

Artificial intelligence and emerging technologies

    The elevation of artificial intelligence to priority status represents ANPD’s clearest statement yet about where Brazilian regulation is headed – in fact, no big news in the move, since it is worrying every regulator in every industry. While the LGPD lacks specific AI provisions, the authority has been methodically laying groundwork through public consultations on automated decision-making and studies on algorithmic profiling. For companies already deep in EU AI Act preparation, such a convergence offers something rare in global privacy compliance: the potential for genuine efficiency gains through shared governance frameworks, unified risk assessment methodologies, and harmonized transparency protocols rather than duplicative regional adaptations.

    Data subject rights and DPIAs: reinforcing accountability

    ANPD’s continued emphasis on data subject rights and Data Protection Impact Assessments reinforces the structural similarities with GDPR’s accountability model. The Brazilian approach increasingly mirrors European expectations around documented risk assessment, standardized response protocols for individual rights requests, and transparency obligations for profiling activities. Multinational organizations can now reasonably contemplate unified DPIA templates and centralized rights management systems that serve both jurisdictions without fundamental architectural splits.

    The updated Regulatory Agenda for 2025–2026: predictability as a compliance asset

    The updated Regulatory Agenda for 2025–2026 provides something perhaps more valuable than new rules: predictability. One should not underestimate the importance of predictability in Brazil, since it is a rare asset, even before courts – former Treasury Minister Pedro Malana once iroonically stated that «in Brazil, even the past is uncertain».

    What ANPD is telegraphing next

    By telegraphing upcoming initiatives on biometric data processing, inspection methodologies, sanctioning procedures, cybersecurity standards, and privacy program governance, ANPD offers companies the planning visibility that makes cross-border compliance feasible rather than reactive. These topics map directly onto GDPR’s controller obligations, security requirements, and Data Protection Officer independence provisions in Articles 24 through 39.

    Beyond compliance: what convergence could mean for data flows

    The regulatory convergence carries implications beyond operational compliance. The structural alignment between LGPD and GDPR, reinforced by ANPD’s strategic choices, strengthens the case for an eventual EU adequacy decision recognizing Brazil under Article 45.

    For European businesses and their counsel, the trajectory suggests not just reduced friction in managing trans-Atlantic data flows, but the emergence of genuinely compatible regulatory ecosystems. The challenge will be maintaining attention to Brazilian developments with the same intensity devoted to EDPB guidelines and Commission decisions, recognizing that convergence is a continuous process rather than a static achievement.

    Conclusion

    Brazil’s ANPD is increasingly setting priorities that mirror the main pressure points of GDPR compliance, while using its Regulatory Agenda to add clarity and sequencing to what comes next. For organizations operating across the EU and Brazil, the message is practical: governance structures, rights-handling processes, and risk assessment tooling built for GDPR are becoming progressively reusable in the Brazilian context. At the same time, staying alert to ANPD’s evolving guidance—especially around children’s data, AI, biometrics, cybersecurity, and enforcement methodology—will be key to turning regulatory convergence into real operational efficiency and reduced cross-border friction.

Summary

This article explores the ANPD’s 2025 Tech Radar on neurotechnologies and how it reshapes compliance risks for Brazilian healthtechs—especially in M&A contexts involving GDPR exposure. It outlines key regulatory concerns, the GDPR’s extraterritorial impact, major due-diligence red flags, and the essential deliverables investors should require.

    Introduction

    Brazil’s latest ANPD Tech Radar brings neurotechnologies to the forefront of data-protection compliance, exposing significant risks for healthtech companies and investors. With GDPR’s extraterritorial reach, sensitive data processing, opaque AI, and cross-border transfers, data governance has become a critical M&A due-diligence factor requiring structured reviews and robust contractual safeguards.

    Key Compliance Risks Shaping Brazilian Healthtech M&A

    Brazil’s Data Protection Authority (ANPD) released its 4th Tech Radar in June 2025, focusing entirely on neurotechnologies—marking the first time the regulator targeted this field so directly. The report explores brain-computer interfaces, advanced wearables, AI-driven cognitive therapies, and predictive diagnostics, highlighting risks far beyond traditional health data processing.

    For investors and lawyers working M&A deals in Brazil’s healthtech sector, this Radar signals that data protection is no longer a secondary compliance issue—it is now a major source of legal, reputational, and operational risk.

    GDPR’s Extraterritorial Relevance

    Many Brazilian healthtechs handle personal data from foreign individuals, particularly Europeans—through expats, medical tourists, cross-border clinical trials, or partnerships with EU-based vendors. When this occurs, GDPR Article 3(2) extends jurisdiction to the Brazilian company, even without any EU establishment.

    Main Risks Identified by ANPD (Tech Radar #4)

    • Inferring health data without explicit consent
      Example: wearables identifying depression through sleep or stress patterns without informing users.
    • Lack of transparency in predictive algorithms
      Black-box AI models making clinical decisions without accessible documentation.
    • Cybersecurity vulnerabilities in connected devices
      Neural implants or neurostimulators vulnerable to hacking, with potentially physical consequences.
    • Automated processing that impacts human dignity
      Behavioral profiling influencing insurance eligibility, discrimination, or patient autonomy in therapy environments.

    GDPR Article 22 prohibits automated decision-making with significant effects unless strict safeguards are implemented—making this a critical risk during due diligence.

    Most Common Red Flags in Brazilian Healthtech Due Diligence

    No clear legal basis for sensitive data (health, genetic, biometric)

    LGPD Impact (Brazil): Breach of LGPD Art. 11
    GDPR Parallel (Europe): Art. 9 (special categories)
    Practical Recommendation: Require full data-mapping and warranties

    Generic or “click-to-accept” consents

    LGPD Impact (Brazil): Invalid consent (Art. 7 & 11)
    GDPR Parallel (Europe): Art. 6 + 7
    Practical Recommendation: Ensure all consents are granular, specific, and revocable

    Third-party sharing without processor agreements

    LGPD Impact (Brazil): Breach of LGPD Art. 28 & 33
    GDPR Parallel (Europe): Art. 28
    Practical Recommendation: Verify existence and adequacy of all DPAs

    Missing or incomplete ROPA

    LGPD Impact (Brazil): Serious regulatory violation
    GDPR Parallel (Europe): Art. 30
    Practical Recommendation: Make ROPA delivery a closing condition

    Non-existent or conflicted DPO

    LGPD Impact (Brazil): Non-compliance with ANPD Resolution CD nº 2
    GDPR Parallel (Europe): Art. 37–39
    Practical Recommendation: Require interview + independence confirmation

    No DPIA for high-risk products

    LGPD Impact (Brazil): Mandatory (ANPD Res. 15/2023)
    GDPR Parallel (Europe): Art. 35
    Practical Recommendation: Include pre-closing DPIA audit clause

    International transfers without safeguards

    LGPD Impact (Brazil): Arts. 33–35
    GDPR Parallel (Europe): Arts. 44–50
    Practical Recommendation: Verify SCCs (2021/2023) or adequacy status

    Real Cases Illustrating the Scale of Risk

    • Telepsychology platforms investigated for using automated triage without informed consent or AI transparency.
    • ANPD actions against genomics startups due to cross-border transfers without SCCs or DPIAs.
    • Outsourced cloud hosting increasing irregular data transfer risks.

    Until Brazil receives an EU adequacy decision, SCCs and BCRs remain mandatory for compliant transfers.

    Essential Due Diligence Deliverables

    A robust data-protection review is now essential in healthtech M&A. Key deliverables include:

    • LGPD ↔ GDPR gap analysis
    • ROPA and DPIA review
    • Sub-processor contract verification
    • Mapping of all international transfers
    • Privacy-specific warranties and indemnities
    • Escrow or holdback for regulatory risk exposure

    Conclusion

    Data protection is no longer secondary in healthtech M&A—especially when neurodata is involved. With ANPD scrutinizing neurotechnologies and GDPR obligations extending across borders, investors must prioritize structured due diligence and strong contractual safeguards.

    FAQ

    Is neurodata considered sensitive personal data under the LGPD?

    Yes—ANPD treats neurodata as highly sensitive because it reveals cognitive, emotional, and health patterns.

    Does GDPR apply to Brazilian companies with no EU presence?

    Yes, via Article 3(2), whenever EU data subjects’ information is processed.

    Are SCCs still required for Brazil–EU transfers?

    Yes, until Brazil receives an EU adequacy decision.

    What are the top investor red flags?

    Missing DPIAs, unclear legal bases, opaque algorithms, and irregular transfers.

    Since the General Data Protection Regulation (GDPR) took effect in 2018, the European Union (EU) has granted adequacy status to only a limited number of jurisdictions — those whose data protection regimes are deemed to provide an «essentially equivalent» level of protection to that of the EU. The current list includes Andorra, Argentina, Canada (under PIPEDA), Faroe Islands, Guernsey, Isle of Man, Israel, Japan, Jersey, New Zealand, South Korea, Switzerland, Uruguay, the United Kingdom, and the United States (limited to companies certified under the Data Privacy Framework).

    As of 5 September 2025, Brazil is on the verge of joining this exclusive group. The European Commission has issued a draft adequacy decision concluding that the Brazilian General Data Protection Law (Lei Geral de Proteção de Dados Pessoais – LGPD), in conjunction with Brazil’s broader legal and constitutional framework, offers protections that are essentially equivalent to those found in the GDPR. While Brazil’s rules offer somewhat more flexibility in specific areas of data processing, the foundational principles and safeguards are well-aligned with EU standards.

    Once finalized, the adequacy decision will authorize the free flow of personal data from the EU to Brazil without the need for additional contractual clauses or technical safeguards. Such a development is not just regulatory — it also answers a core political argument made by LGPD advocates since its inception: that the absence of a comprehensive data protection framework was undermining Brazil’s international competitiveness by limiting data flows and discouraging investment. For businesses, the EU decision may finally mean the removal of a significant layer of compliance complexity — a development especially welcome by small and medium-sized enterprises engaged in cross-border trade or service provision. The draft is currently under review by the European Data Protection Board (EDPB) and the Member States of the EU.

    The Commission’s assessment highlights several key aspects of Brazil’s data protection landscape. It begins by noting that the Brazilian Constitution expressly guarantees the right to privacy and the protection of personal data — a notable distinction among non-EU jurisdictions. These protections are further supported by Brazil’s ratification of the American Convention on Human Rights and its recognition of the jurisdiction of the Inter-American Court of Human Rights, reinforcing a commitment to fundamental rights and democratic oversight.

    The LGPD mirrors the GDPR in many critical respects and defines its territorial scope clearly. It applies to: (i) data processing carried out within Brazilian territory, (ii) the offering of goods or services to individuals in Brazil, and (iii) data collected in Brazil, even if subsequently processed abroad. This aligns well with the extraterritorial provisions of the GDPR. The definitions of personal data, sensitive data, controller, and processor are materially similar, as are the key principles governing processing — including lawfulness, purpose limitation, data minimization, accuracy, transparency, and security. The law expressly excludes anonymized data from its scope and establishes specific exemptions for journalistic activities, public security, and scientific research.

    Another strength is Brazil’s institutional framework. The National Data Protection Authority (ANPD) was recently transformed into an autonomous regulatory agency, enhancing its independence and technical capacity. The ANPD holds both regulatory and enforcement powers: it can issue binding regulations, impose administrative sanctions, and publish authoritative guidance. To date, it has issued key guidelines on topics such as consent, legitimate interest, the role of the Data Protection Officer (DPO), and security incident reporting. Internationally, the ANPD is an active participant in global data protection dialogue — it is a member of the Global Privacy Assembly and an official observer to the Council of Europe’s Convention 108.

    The LGPD’s approach to international data transfers is also structurally aligned with the GDPR. It requires appropriate safeguards such as standard contractual clauses, allows for future adequacy decisions under a regime comparable to Article 45 of the GDPR, and includes detailed provisions for onward transfers and transit data — that is, data merely passing through Brazil without further processing. The rights of data subjects are robust and familiar to European practitioners: access, rectification, erasure, portability, and withdrawal of consent are guaranteed. Lawful bases for processing are also aligned — including consent, legal obligations, contract execution, and legitimate interest. Notably, the LGPD requires a documented balancing test when relying on legitimate interest, bringing additional accountability to this flexible legal basis.

    Security incidents involving personal data must be notified to both the ANPD and affected data subjects when there is a significant risk of harm. The standard notification deadline is 72 hours, and the required content aligns closely with Articles 33 and 34 of the GDPR. The ANPD may also order public disclosure of incidents or require remedial measures, depending on the nature and scope of the breach.

    Importantly, this process is not one-sided. In parallel to the European Commission’s adequacy decision, the ANPD is conducting its own adequacy assessment of the EU and EEA data protection frameworks. This process is regulated by the Brazilian Resolution CD/ANPD No. 19/2024, which governs international data transfers. Once the technical and legal evaluation is complete, the ANPD’s Board of Directors will issue a formal decision. This reciprocal move reflects Brazil’s commitment to mutual recognition and regulatory symmetry — a positive signal for companies on both sides of the Atlantic.

    In conclusion: If confirmed, Brazil’s adequacy status will simplify international operations, reduce compliance costs, and expand opportunities for data-driven business and legal cooperation. For European lawyers advising SMEs with interests in Latin America, this development is a strategic signal: Brazil is emerging not just as a growing market, but as a legally compatible and data-safe jurisdiction for international partnerships.

    On 23 August 2024, Brazil’s National Data Protection Authority (ANPD) issued Resolution No. 19, a landmark regulation governing the international transfer of personal data under the Brazilian General Data Protection Law (LGPD). Companies now have until 23 August 2025 to fully comply.

    This deadline is especially relevant for European multinationals operating in Brazil, or Brazilian subsidiaries sharing data with foreign HQs or vendors. The new rules align Brazil more closely with global privacy frameworks like the GDPR—but with local twists that demand attention.

    Why It Matters

    Unlike previous guidance, Resolution No. 19 creates binding legal obligations and explicit deadlines. It introduces mechanisms such as Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), and public transparency requirements—all within a strict 12-month timeframe.

    For many international companies, this will require significant updates to internal governance, contract management, and cloud data strategies. Below are the key takeaways for foreign counsel.

    Standard Contractual Clauses (SCCs): Now Mandatory

    The ANPD has released its own set of Standard Contractual Clauses, which must be used for data transfers to jurisdictions not recognized as offering “adequate protection.”

    Companies must adopt these clauses by 23 August 2025. This will likely require revisiting existing data processing agreements involving Brazilian parties and ensuring alignment with the ANPD template.

    Important: The SCCs cannot be modified beyond inserting details in the annexes. Any deviations require prior approval from the ANPD and are limited to exceptional cases.

    Broad Transparency Requirements

    Data controllers are now required to publish, on their website, a plain-language document explaining:

    • the purpose of the international data transfer,
    • the categories of data involved,
    • the countries of destination,
    • and the legal mechanism used to legitimize the transfer.

    Upon request, data subjects must also receive a copy of the full SCCs within 15 days. Multinationals will need protocols and document templates to respond efficiently—especially when dealing with requests in Portuguese.

    Expanded Definition of “International Transfer”

    The Resolution clarifies that a transfer occurs whenever:

    • data is accessed or stored by an entity located abroad, or
    • processing is outsourced to a cloud provider with servers or technical teams outside Brazil.

    This has important implications for global companies that centralize services such as payroll, CRM, or cybersecurity outside Brazil—even if hosted on multinational platforms.

    Binding Corporate Rules (BCRs): Now Recognized

    Multinationals with mature privacy programs may apply to the ANPD for approval of their own Binding Corporate Rules, offering an alternative to SCCs.

    This is a welcome development for companies seeking harmonized compliance across jurisdictions, but approval is expected to involve a complex and time-consuming process. Early preparation is essential.

    Custom Clauses in Exceptional Circumstances

    Companies unable to adopt the standard clauses—due to specific factual or legal constraints—may submit alternative clauses for ANPD approval. However, such flexibility is limited and subject to strict justification.

    In practice, the official SCCs will be the default path for most international data transfers involving Brazil.

    What Foreign Companies Should Do Now

    The 12-month window is already ticking. International groups operating in Brazil or processing Brazilian data should urgently:

    • Map all international data transfers involving Brazil;
    • Identify contracts and vendors requiring updates;
    • Insert ANPD’s SCCs where applicable;
    • Publish the required transparency notice online in Portuguese;
    • Monitor for further ANPD guidance or enforcement trends.

    Strategic Compliance: Beyond Legal Risk

    Resolution No. 19 is part of a global trend toward standardized but locally enforced privacy frameworks. For GDPR-compliant companies, Brazil’s new rules offer a chance to reaffirm leadership in data governance.

    Those who act early can avoid last-minute fire drills, reduce regulatory exposure, and strengthen credibility with Brazilian regulators and consumers.

    In today’s data economy, privacy compliance is more than a legal duty—it’s a business differentiator.

    Brazil’s National Data Protection Authority (ANPD) released a long-awaited guidance document on how companies should interpret and apply the legal basis of legitimate interest under the Brazilian General Data Protection Law (LGPD).

    This is not merely a local update. As Brazil continues to shape its data protection regime, foreign companies—particularly European SMEs with clients, platforms, or partners in Brazil—must adapt their compliance strategies to local expectations. This new guidance is a crucial development.

    Below, I summarize what has changed, how it compares to the GDPR approach, and what steps you (or your clients) should take next.

    Why Legitimate Interest Matters—But Remains Risky

Just like under the GDPR, Brazil’s LGPD allows personal data to be processed without consent when doing so is necessary for purposes aligned with the controller’s legitimate interests. However, because the ANPD had issued no regulation on the point since the LGPD came into force, this legal basis has long been regarded as risky in Brazil – in fact, it was unclear how to evaluate the «legitimacy» of the interest and balance it against data subject rights.

    The ANPD’s «Guia Orientativo sobre o Legítimo Interesse» (Guidance on Legitimate Interest) fills that gap—providing a practical framework to assess, document, and justify this legal basis.

    The ANPD’s Three-Step Balancing Test

    The core of the new guidance is a three-step balancing test, which mirrors the GDPR’s Legitimate Interests Assessment (LIA) but with Brazilian nuances.

• Purpose Test: The controller must define a specific, concrete, and legitimate objective behind the data processing. Open-ended or abstract justifications (“marketing purposes”, “efficiency”) will not suffice. The processing must also align with the reasonable expectations of the data subject.
• Necessity Test: The data processing must be strictly necessary to achieve the defined purpose. If the same result could be achieved through less intrusive means (e.g. anonymized data or a different legal basis), the test will likely fail.
• Balancing Test and Safeguards: This step assesses whether the controller’s interest outweighs the rights and freedoms of the data subject. Controllers must consider the nature of the data, the context of the processing, and the potential risks involved. When risks are identified, appropriate safeguards must be implemented, such as transparency, opt-outs, pseudonymization, and impact assessments.

    Takeaway: The ANPD recommends documenting the entire process. While this is not mandatory by law, it will be critical in case of investigations or complaints.

How This Affects Foreign Companies Doing Business in Brazil

    Many foreign companies process personal data of Brazilian individuals—whether by offering digital services, interacting with Brazilian suppliers, or collecting contact information via websites or CRM tools.

    Although some assume that GDPR compliance is sufficient, the ANPD may evaluate legitimate interest more restrictively than some EU supervisory authorities.

    Foreign companies should:

    • Revisit their legal bases for processing data of Brazilian individuals.
    • Conduct a proper balancing test using the ANPD’s model, even for non-sensitive data.
    • Keep written records of the analysis (especially if using legitimate interest for analytics or marketing).
    • Update their privacy notices to reflect the legal basis and safeguards in place.
    • Be aware of the extraterritorial reach of the LGPD—yes, it applies even if you have no office in Brazil.

    Strategic Guidance

    If you advise SMEs that operate across jurisdictions—including Brazil—this new guidance is a practical compliance tool and a risk-mitigation opportunity.

    Here’s how to act now:

    • Perform a Legitimate Interests Assessment (LIA) whenever your client relies on this basis in Brazil.
    • Compare it with the GDPR LIA to identify overlaps and gaps.
    • Align documentation—so your clients are ready in the event of a complaint or data subject request.
    • Monitor ANPD updates—the ANPD has increased its activity and enforcement posture significantly in the past year.

    Final Thoughts

    The ANPD’s guidance reflects a growing maturity in Brazil’s data protection landscape. Legitimate interest is no longer a vague fallback—it requires structure, analysis, and above all, transparency.

    European companies with operations or digital exposure in Brazil should approach this legal basis with care and diligence. The good news? The ANPD is now offering the roadmap. It’s up to us, as legal advisors, to make sure our clients follow it.

    Want to see the full guidance? The original document (in Portuguese) is available here.

    Brazil is increasingly in the global spotlight when it comes to cybersecurity threats. With over 10 billion cyberattack attempts recorded in 2023 alone, the country ranks among the most targeted worldwide. These incidents are not abstract: they affect sensitive sectors such as finance and healthcare, including data leaks involving over 220 million data subjects from national institutions and critical infrastructure operators.

    While Brazil may seem like a distant jurisdiction, its data protection regime — shaped by the Lei Geral de Proteção de Dados (LGPD) — has growing significance for European businesses operating or partnering in the region. The LGPD, inspired by the GDPR, sets out specific obligations around data breach notification. However, unlike the GDPR’s mandatory 72-hour notification rule, not all security incidents must be reported to the Brazilian Data Protection Authority (ANPD).

    So: when exactly should a security incident be reported in Brazil?

    When Notification is Required: A Three-Step Test

    Under Brazilian law, a security incident involving personal data must be reported to the ANPD only if the following three criteria are cumulatively met:

    • The incident has been confirmed.
    • It involves personal data subject to the LGPD.
    • It poses a relevant risk or damage to data subjects.

    This third threshold is critical. According to the ANPD’s Security Incident Communication Regulation (RCIS), relevant risks include incidents that may:

    • Prevent the exercise of rights or access to services.
    • Cause material or moral harm.
• Involve special categories of data, such as sensitive personal data, financial data, large-scale datasets, children’s or elderly persons’ data, authentication credentials, or legally protected information (e.g., medical, legal, or professional secrets).

    This approach offers some flexibility – but it also requires careful legal judgment.

    When You Don’t Have to Notify

    There is no obligation to notify the ANPD if the incident does not result in significant risk or damage. For instance, if the breached data is non-sensitive and publicly available (e.g., general contact information), and no additional harm is expected, companies may reasonably determine that notification is unnecessary.

    However, this decision should not be taken lightly. Controllers are expected to assess several contextual factors, such as:

    • The volume and nature of the affected data.
    • Whether the data subjects can be identified.
    • The likely impact on fundamental rights.
    • The technical and security measures in place.
    • Any steps taken to mitigate the damage.

    In practice, each case must be analyzed individually — and well documented — to ensure a defensible position.

    How to Notify the ANPD (If Required)

    If the thresholds for notification are met, companies must report the incident within three business days from the date they became aware that personal data was affected. The notification must include:

    • A description of the breach and affected data.
    • The number and profile of impacted data subjects.
    • Security measures in place before and after the incident.
    • Potential risks to the data subjects.
    • Mitigation strategies.
    • Identification of the controller and DPO (if applicable).

    Notifications are submitted via the ANPD’s online platform (SUPER). Sensitive business information can be protected through a request for confidential treatment, provided it is properly justified.

    Strategic Takeaways for European Stakeholders

    For European companies and compliance officers, understanding the nuances of Brazilian data breach notification rules is essential for several reasons:

    • Cross-border compliance: Companies transferring personal data to Brazil must ensure regulatory alignment under the GDPR’s international transfer rules.
    • Due diligence: M&A or vendor screening in Brazil should include assessments of LGPD readiness and breach history.
    • Incident response protocols: Global organizations must harmonize breach notification timelines and thresholds across jurisdictions, adapting to Brazil’s risk-based approach.

    In a landscape of increasing cyber threats, aligning with the LGPD is not just a regulatory obligation — it’s a strategic necessity.

    Final Thoughts

    Brazil’s data protection authority does not adopt a «one size fits all» model for breach notification. The LGPD introduces a risk-based, case-by-case approach, which may offer more flexibility than the GDPR — but also places a greater burden on organizations to justify their decisions.

    European companies doing business in Brazil must be prepared to evaluate security incidents in light of both local obligations and international expectations. Failing to notify a breach — or notifying too hastily — can have serious reputational, legal, and operational consequences.

    Understanding when (and how) to notify the ANPD is a key part of navigating Brazil’s complex but maturing data protection landscape.

    Leopoldo Pagotto

Practice areas

• Antitrust
• Corporate ethics and compliance
• Contracts
• Corporate law
• Data protection
• Financial crimes


      Brazil Advances Toward GDPR Alignment: ANPD’s 2026–2027 Priority Topics

26 January 2026

• Brazil
• Privacy and Data Protection


      In practice, this means adopting the concepts of safety-by-design and privacy-by-default from the outset. It is no longer enough to fix problems after they arise. Companies must anticipate risks to the physical, mental, and moral integrity of younger users and build preventive safeguards.

      Mandatory Impact Assessments and Platform Risk Analysis

      One of the pillars of the new legislation is the requirement for impact assessments. Platforms must conduct periodic detailed analyses of the potential effects of their functionalities (recommendation algorithms, engagement mechanisms, advertising systems, and even augmented reality features) on children and adolescents. These reports need to be properly documented internally and, in many cases, generate transparent information that can be shared with authorities or made available to the public in a summarized version.

      New Age Verification and Parental Control Obligations

      Age verification has become significantly more rigorous. A simple self-declaration (“click here if you are over 18”) is no longer considered sufficient. The law requires effective and proportionate mechanisms that respect privacy but genuinely manage to distinguish adults from minors. For users up to 16 years old, accounts on social networks and similar platforms must, as a rule, be linked to a legal guardian.

      Furthermore, companies are required to provide robust parental control tools. Guardians must have access to dashboards that allow them to set screen time limits, restrict contacts, approve or block in-app purchases, and disable personalized algorithmic recommendation systems. Many foreign clients I have spoken with still underestimate the weight of this requirement.

      Restrictions on Advertising, Profiling, and Gaming Monetization

      In the commercial sphere, the law is particularly restrictive. The use of advanced behavioral profiling, emotional analysis, or immersive technologies to target advertising at children and adolescents is prohibited. Monetization of content that inappropriately exploits the image of minors is also subject to severe limitations. In the gaming sector, there are express bans on “loot boxes” and randomized reward systems when the game is accessible to minors, precisely because of their addictive potential and the risk of uncontrolled spending.

      Harmful Content Removal and Reporting Requirements

      Another aspect that deserves attention is the swift removal of harmful content. The law establishes short deadlines – in some cases as little as 24 hours – for the removal of material related to sexual exploitation, violence, bullying, cyberbullying, incitement to suicide, self-harm, or drug use. In addition to removal, in serious situations platforms must notify the competent authorities, including through international cooperation when necessary.

      Legal Representation and Enforcement Risks for Foreign Companies

      For foreign companies without a physical presence in Brazil, the law strengthens enforcement mechanisms. It is mandatory to appoint a legal representative established in the country, with powers to receive judicial and administrative citations, respond to requests from the Public Prosecutor’s Office and the National Data Protection Authority (ANPD), and serve as the local point of contact.

      In fact, the ANPD assumes a central role in supervising and regulating the law, acting in coordination with the Public Prosecutor’s Office. This creates a more robust enforcement scenario than many international players initially anticipated. Moreover, the law provides for joint and several liability: subsidiaries, branches, or companies within the same economic group in Brazil may be held accountable for violations committed by the foreign parent company.

      Financial Penalties and Operational Sanctions

      The sanctions are dissuasive. Fines can reach up to 10% of the economic group’s revenue in Brazil in the previous year, or up to R$ 50 million per individual violation, depending on the severity. In extreme cases or in the event of recurrence, authorities may order the temporary suspension or even the complete blocking of the service within Brazilian territory. For companies that depend on the Brazilian market, especially consumer technology firms, this operational risk is very real.

      Relationship Between the ECA Digital and Brazil’s LGPD

      It is worth noting that the ECA Digital interacts closely with the General Data Protection Law (LGPD). Many of the principles of privacy-by-default, data minimization, and impact assessments already existed under the LGPD, but they now take on more specific contours when the data subject is a child or adolescent. The processing of minors’ data requires even greater care, with more restrictive legal bases and heightened attention to consent and the rights of legal guardians.

      Global Regulatory Trends and Brazilian Specificities

      From a comparative perspective, the Brazilian law aligns with global trends. It bears clear similarities to the UK’s Age Appropriate Design Code, certain aspects of the European DSA, and ongoing discussions in other Latin American countries. However, it presents distinctly Brazilian nuances: strong influence from the Public Prosecutor’s Office, the tradition of integral protection of children established in the 1990 Child and Adolescent Statute (ECA), and an approach that combines state regulation with the shared responsibility of families, schools, and platforms.

      Practical Compliance Steps for Foreign Technology Companies

      Foreign legal advisors must act with urgency. A good starting point is to conduct a comprehensive gap analysis: mapping user onboarding flows, reviewing advertising and algorithmic recommendation policies, assessing the adequacy of age verification mechanisms, and verifying whether the legal representation structure in Brazil meets the new requirements.

      In addition, it is important to prepare local teams or partners to handle administrative requests and potential audits. Investing in privacy-preserving age verification technologies, such as age estimation or document-based verification without excessive data storage, can make a difference both in compliance and in the user experience.

      Conclusion

      In summary, the ECA Digital is not merely a symbolic law. It imposes concrete obligations, with adaptation deadlines that have already expired for many companies, and carries real risks of financial and operational sanctions. For law firms advising international clients, especially small and medium-sized practices in Europe and Asia, the moment has come to help these players turn compliance into a competitive advantage.

      Those who manage to implement robust protection measures from the design stage of their products will not only avoid heavy fines but may also build greater trust with the Brazilian public and authorities.

      Summary: On January 25, 2026, Brazil and the EU mutually recognized each other as providing adequate personal data protection—removing, in many cases, the need for Standard Contractual Clauses (SCCs) or other transfer tools. This shifts the conversation from “copy-paste compliance” to strategy: deciding when to retire SCCs, updating cross-border transfer policies, and modernizing contractual models for future deals.

      Why this matters in real transactions

      Imagine you’re about to close a deal with a German business partner and your Brazilian client urgently asks for a data transfer clause. It’s always the same copy-paste: Standard Contractual Clauses (SCCs), Annex I and II in both languages, signatures on the dotted line. Now imagine this scene is finally unnecessary.

      The mutual adequacy milestone (January 25, 2026)

      On January 25, 2026, Brazil and the European Union mutually recognized each other as countries with adequate levels of personal data protection. It’s the first adequacy agreement signed between the EU and a Latin American country. In practical terms, it means that companies can transfer personal data between Brazil and the EU without the need for additional mechanisms, like SCCs or Binding Corporate Rules (BCRs). In strategic terms, it opens a new front of opportunities for Brazilian lawyers, especially those advising clients who export, import, invest, or operate in the EU.

      A starting point, not a “compliance break”

      This is a milestone and also a starting point. Mutual adequacy does not mean «relax your compliance programs»; on the contrary, it demands governance maturity and careful review.

      Three concrete fronts for legal work

      1.      Retiring SCCs: Not Always Automatic

      The adequacy decision makes SCCs optional in many cases, but that doesn’t mean you can simply tear them up. For existing contracts that already use SCCs, lawyers will need to assess whether they should keep, revise, or remove those clauses. The answer will depend on the risks, data flows, and reliance on third countries in the processing chain. There may also be internal policies, negotiated warranties, or obligations to supervisory authorities that require formal justifications.

      In practice, companies with complex processing chains (e.g., European headquarters, shared Brazilian HR services, cloud servers in the U.S.) may continue using SCCs in certain flows even after the adequacy recognition. Lawyers will need to carefully document and track this hybrid model.

      2.      Reviewing Cross-Border Data Transfer Policies

      Many companies, especially multinationals or those with multiple data protection obligations, have established cross-border data transfer policies («CBTPs») that classify countries into categories and associate specific safeguards for each. Brazil’s new status as an «adequate country» must now be reflected in those documents.

      For instance, a Brazilian company that receives data from France and sends it to Argentina and India may now adjust internal protocols to reduce documentation and controls on the EU → Brazil leg, while reinforcing controls in the Brazil → Argentina or Brazil → India legs. These changes must be aligned with the company’s policies, contracts, and internal training materials.

      3.      Adapting Contractual Models for Future Deals

      The mutual adequacy decision creates a new contractual scenario. Brazilian lawyers advising international clients can now use data transfer models aligned with GDPR—without needing SCCs or complex annexes—provided both parties are located in Brazil and the EU.

      This reduces transaction costs, improves legal certainty, and increases speed in negotiations involving technology services, cross-border M&A, or shared service centers. A good contractual model should still include data protection clauses—but now focused on risk allocation, DPO cooperation, and incident response coordination, rather than formal compliance with Art. 46 GDPR or Arts. 33–36 LGPD.

      Summary: Brazil’s data protection authority (ANPD) is signaling a clear move toward stronger, more GDPR-aligned enforcement and rulemaking through its 2026–2027 Priority Topics Map and updated Regulatory Agenda. The selected priorities mirror familiar EU themes—data subject rights, children’s data, public-sector processing, and AI—while adding practical predictability for organizations planning compliance. For European businesses operating in Brazil, the direction of travel suggests increasing convergence in governance, risk assessment, and transparency expectations. This trajectory may also strengthen the long-term case for Brazil to pursue an EU adequacy decision.

      A maturing authority with a strategic alignment to GDPR

While European regulators refine enforcement mechanisms for mature frameworks, Brazil is quietly building one of the world’s most GDPR-aligned data protection systems outside the EU. The release of its Priority Topics Map for 2026–2027 and its updated Regulatory Agenda by the National Agency of Personal Data Protection (ANPD) reveals an authority no longer in its infancy, but one strategically positioning itself as a credible counterpart to European supervisory bodies.

      ANPD’s priority topics for 2026–2027

      The four priority topics chosen by Brazil’s National Data Protection Authority («ANPD») tell a familiar tale to anyone working with GDPR compliance: data subject rights, protection of children and adolescents in digital environments, processing by public authorities, and artificial intelligence with emerging technologies.

      Why these priorities feel familiar to GDPR practitioners

      These are not arbitrary choices but deliberate alignments with the core concerns that have shaped European enforcement over the past seven years, from the fundamental rights guarantees in Articles 12 through 22, to the heightened scrutiny of processing involving minors, to the evolving regulatory treatment of algorithmic systems that now spans both GDPR recitals and the EU AI Act itself.

      Children and adolescents: new authority and converging expectations

      Brazil’s recent Digital Statute for Children and Adolescents hands ANPD substantial new authority over age verification and parental consent mechanisms, creating a regulatory bridge that should look strikingly familiar to companies navigating the UK’s Age Appropriate Design Code or implementing EDPB guidance on child data. European digital services operating in Brazil, particularly in social media, gaming, education, or wellness sectors, now face converging compliance expectations on both sides of the Atlantic. The technical architectures and consent flows designed for GDPR are increasingly fit for purpose in the Brazilian context as well.

      Artificial intelligence and emerging technologies

The elevation of artificial intelligence to priority status represents ANPD’s clearest statement yet about where Brazilian regulation is headed – although the move itself is hardly surprising, since AI is currently a concern for every regulator in every industry. While the LGPD lacks specific AI provisions, the authority has been methodically laying groundwork through public consultations on automated decision-making and studies on algorithmic profiling. For companies already deep in EU AI Act preparation, such a convergence offers something rare in global privacy compliance: the potential for genuine efficiency gains through shared governance frameworks, unified risk assessment methodologies, and harmonized transparency protocols rather than duplicative regional adaptations.

      Data subject rights and DPIAs: reinforcing accountability

      ANPD’s continued emphasis on data subject rights and Data Protection Impact Assessments reinforces the structural similarities with GDPR’s accountability model. The Brazilian approach increasingly mirrors European expectations around documented risk assessment, standardized response protocols for individual rights requests, and transparency obligations for profiling activities. Multinational organizations can now reasonably contemplate unified DPIA templates and centralized rights management systems that serve both jurisdictions without fundamental architectural splits.

      The updated Regulatory Agenda for 2025–2026: predictability as a compliance asset

The updated Regulatory Agenda for 2025–2026 provides something perhaps more valuable than new rules: predictability. One should not underestimate the importance of predictability in Brazil, where it is a rare asset, even before the courts – former Treasury Minister Pedro Malan once ironically stated that «in Brazil, even the past is uncertain».

      What ANPD is telegraphing next

      By telegraphing upcoming initiatives on biometric data processing, inspection methodologies, sanctioning procedures, cybersecurity standards, and privacy program governance, ANPD offers companies the planning visibility that makes cross-border compliance feasible rather than reactive. These topics map directly onto GDPR’s controller obligations, security requirements, and Data Protection Officer independence provisions in Articles 24 through 39.

      Beyond compliance: what convergence could mean for data flows

      The regulatory convergence carries implications beyond operational compliance. The structural alignment between LGPD and GDPR, reinforced by ANPD’s strategic choices, strengthens the case for an eventual EU adequacy decision recognizing Brazil under Article 45.

      For European businesses and their counsel, the trajectory suggests not just reduced friction in managing trans-Atlantic data flows, but the emergence of genuinely compatible regulatory ecosystems. The challenge will be maintaining attention to Brazilian developments with the same intensity devoted to EDPB guidelines and Commission decisions, recognizing that convergence is a continuous process rather than a static achievement.

      Conclusion

      Brazil’s ANPD is increasingly setting priorities that mirror the main pressure points of GDPR compliance, while using its Regulatory Agenda to add clarity and sequencing to what comes next. For organizations operating across the EU and Brazil, the message is practical: governance structures, rights-handling processes, and risk assessment tooling built for GDPR are becoming progressively reusable in the Brazilian context. At the same time, staying alert to ANPD’s evolving guidance—especially around children’s data, AI, biometrics, cybersecurity, and enforcement methodology—will be key to turning regulatory convergence into real operational efficiency and reduced cross-border friction.

      Summary
      This article explores the ANPD’s 2025 Tech Radar on neurotechnologies and how it reshapes compliance risks for Brazilian healthtechs—especially in M&A contexts involving GDPR exposure. It outlines key regulatory concerns, the GDPR’s extraterritorial impact, major due-diligence red flags, and the essential deliverables investors should require.

      Introduction

      Brazil’s latest ANPD Tech Radar brings neurotechnologies to the forefront of data-protection compliance, exposing significant risks for healthtech companies and investors. With GDPR’s extraterritorial reach, sensitive data processing, opaque AI, and cross-border transfers, data governance has become a critical M&A due-diligence factor requiring structured reviews and robust contractual safeguards.

      Key Compliance Risks Shaping Brazilian Healthtech M&A

      Brazil’s Data Protection Authority (ANPD) released its 4th Tech Radar in June 2025, focusing entirely on neurotechnologies—marking the first time the regulator targeted this field so directly. The report explores brain-computer interfaces, advanced wearables, AI-driven cognitive therapies, and predictive diagnostics, highlighting risks far beyond traditional health data processing.

      For investors and lawyers working M&A deals in Brazil’s healthtech sector, this Radar signals that data protection is no longer a secondary compliance issue—it is now a major source of legal, reputational, and operational risk.

      GDPR’s Extraterritorial Relevance

      Many Brazilian healthtechs handle personal data from foreign individuals, particularly Europeans—through expats, medical tourists, cross-border clinical trials, or partnerships with EU-based vendors. When this occurs, GDPR Article 3(2) extends jurisdiction to the Brazilian company, even without any EU establishment.

      Main Risks Identified by ANPD (Tech Radar #4)

      • Inferring health data without explicit consent
        Example: wearables identifying depression through sleep or stress patterns without informing users.
      • Lack of transparency in predictive algorithms
        Black-box AI models making clinical decisions without accessible documentation.
      • Cybersecurity vulnerabilities in connected devices
        Neural implants or neurostimulators vulnerable to hacking, with potentially physical consequences.
      • Automated processing that impacts human dignity
        Behavioral profiling influencing insurance eligibility, discrimination, or patient autonomy in therapy environments.

      GDPR Article 22 prohibits automated decision-making with significant effects unless strict safeguards are implemented—making this a critical risk during due diligence.

      Most Common Red Flags in Brazilian Healthtech Due Diligence

      No clear legal basis for sensitive data (health, genetic, biometric)

      LGPD Impact (Brazil): Breach of LGPD Art. 11
      GDPR Parallel (Europe): Art. 9 (special categories)
      Practical Recommendation: Require full data-mapping and warranties

      Generic or “click-to-accept” consents

      LGPD Impact (Brazil): Invalid consent (Art. 7 & 11)
      GDPR Parallel (Europe): Art. 6 + 7
      Practical Recommendation: Ensure all consents are granular, specific, and revocable

      Third-party sharing without processor agreements

      LGPD Impact (Brazil): Breach of LGPD Art. 28 & 33
      GDPR Parallel (Europe): Art. 28
      Practical Recommendation: Verify existence and adequacy of all DPAs

      Missing or incomplete ROPA

      LGPD Impact (Brazil): Serious regulatory violation
      GDPR Parallel (Europe): Art. 30
      Practical Recommendation: Make ROPA delivery a closing condition

      Non-existent or conflicted DPO

      LGPD Impact (Brazil): Non-compliance with ANPD Resolution CD nº 2
      GDPR Parallel (Europe): Art. 37–39
      Practical Recommendation: Require interview + independence confirmation

      No DPIA for high-risk products

      LGPD Impact (Brazil): Mandatory (ANPD Res. 15/2023)
      GDPR Parallel (Europe): Art. 35
      Practical Recommendation: Include pre-closing DPIA audit clause

      International transfers without safeguards

      LGPD Impact (Brazil): Arts. 33–35
      GDPR Parallel (Europe): Arts. 44–50
      Practical Recommendation: Verify SCCs (2021/2023) or adequacy status

      Real Cases Illustrating the Scale of Risk

      • Telepsychology platforms investigated for using automated triage without informed consent or AI transparency.
      • ANPD actions against genomics startups due to cross-border transfers without SCCs or DPIAs.
      • Outsourced cloud hosting increasing irregular data transfer risks.

      Until Brazil receives an EU adequacy decision, SCCs and BCRs remain mandatory for compliant transfers.

      Essential Due Diligence Deliverables

      A robust data-protection review is now essential in healthtech M&A. Key deliverables include:

      • LGPD ↔ GDPR gap analysis
      • ROPA and DPIA review
      • Sub-processor contract verification
      • Mapping of all international transfers
      • Privacy-specific warranties and indemnities
      • Escrow or holdback for regulatory risk exposure

      Conclusion

      Data protection is no longer secondary in healthtech M&A—especially when neurodata is involved. With ANPD scrutinizing neurotechnologies and GDPR obligations extending across borders, investors must prioritize structured due diligence and strong contractual safeguards.

      FAQ

      Is neurodata considered sensitive personal data under the LGPD?

      Yes—ANPD treats neurodata as highly sensitive because it reveals cognitive, emotional, and health patterns.

      Does GDPR apply to Brazilian companies with no EU presence?

      Yes, via Article 3(2), whenever EU data subjects’ information is processed.

      Are SCCs still required for Brazil–EU transfers?

      Yes, until Brazil receives an EU adequacy decision.

      What are the top investor red flags?

      Missing DPIAs, unclear legal bases, opaque algorithms, and irregular transfers.

      Since the General Data Protection Regulation (GDPR) took effect in 2018, the European Union (EU) has granted adequacy status to only a limited number of jurisdictions — those whose data protection regimes are deemed to provide an «essentially equivalent» level of protection to that of the EU. The current list includes Andorra, Argentina, Canada (under PIPEDA), Faroe Islands, Guernsey, Isle of Man, Israel, Japan, Jersey, New Zealand, South Korea, Switzerland, Uruguay, the United Kingdom, and the United States (limited to companies certified under the Data Privacy Framework).

      As of 5 September 2025, Brazil is on the verge of joining this exclusive group. The European Commission has issued a draft adequacy decision concluding that the Brazilian General Data Protection Law (Lei Geral de Proteção de Dados Pessoais – LGPD), in conjunction with Brazil’s broader legal and constitutional framework, offers protections that are essentially equivalent to those found in the GDPR. While Brazil’s rules offer somewhat more flexibility in specific areas of data processing, the foundational principles and safeguards are well-aligned with EU standards.

      Once finalized, the adequacy decision will authorize the free flow of personal data from the EU to Brazil without the need for additional contractual clauses or technical safeguards. Such a development is not just regulatory — it also answers a core political argument made by LGPD advocates since its inception: that the absence of a comprehensive data protection framework was undermining Brazil’s international competitiveness by limiting data flows and discouraging investment. For businesses, the EU decision may finally mean the removal of a significant layer of compliance complexity — a development especially welcome by small and medium-sized enterprises engaged in cross-border trade or service provision. The draft is currently under review by the European Data Protection Board (EDPB) and the Member States of the EU.

      The Commission’s assessment highlights several key aspects of Brazil’s data protection landscape. It begins by noting that the Brazilian Constitution expressly guarantees the right to privacy and the protection of personal data — a notable distinction among non-EU jurisdictions. These protections are further supported by Brazil’s ratification of the American Convention on Human Rights and its recognition of the jurisdiction of the Inter-American Court of Human Rights, reinforcing a commitment to fundamental rights and democratic oversight.

      The LGPD mirrors the GDPR in many critical respects and defines its territorial scope clearly. It applies to: (i) data processing carried out within Brazilian territory, (ii) the offering of goods or services to individuals in Brazil, and (iii) data collected in Brazil, even if subsequently processed abroad. This aligns well with the extraterritorial provisions of the GDPR. The definitions of personal data, sensitive data, controller, and processor are materially similar, as are the key principles governing processing — including lawfulness, purpose limitation, data minimization, accuracy, transparency, and security. The law expressly excludes anonymized data from its scope and establishes specific exemptions for journalistic activities, public security, and scientific research.

      Another strength is Brazil’s institutional framework. The National Data Protection Authority (ANPD) was recently transformed into an autonomous regulatory agency, enhancing its independence and technical capacity. The ANPD holds both regulatory and enforcement powers: it can issue binding regulations, impose administrative sanctions, and publish authoritative guidance. To date, it has issued key guidelines on topics such as consent, legitimate interest, the role of the Data Protection Officer (DPO), and security incident reporting. Internationally, the ANPD is an active participant in global data protection dialogue — it is a member of the Global Privacy Assembly and an official observer to the Council of Europe’s Convention 108.

      The LGPD’s approach to international data transfers is also structurally aligned with the GDPR. It requires appropriate safeguards such as standard contractual clauses, allows for future adequacy decisions under a regime comparable to Article 45 of the GDPR, and includes detailed provisions for onward transfers and transit data — that is, data merely passing through Brazil without further processing. The rights of data subjects are robust and familiar to European practitioners: access, rectification, erasure, portability, and withdrawal of consent are guaranteed. Lawful bases for processing are also aligned — including consent, legal obligations, contract execution, and legitimate interest. Notably, the LGPD requires a documented balancing test when relying on legitimate interest, bringing additional accountability to this flexible legal basis.

      Security incidents involving personal data must be notified to both the ANPD and affected data subjects when there is a significant risk of harm. The standard notification deadline is 72 hours, and the required content aligns closely with Articles 33 and 34 of the GDPR. The ANPD may also order public disclosure of incidents or require remedial measures, depending on the nature and scope of the breach.

      Importantly, this process is not one-sided. In parallel to the European Commission’s adequacy decision, the ANPD is conducting its own adequacy assessment of the EU and EEA data protection frameworks. This process is regulated by the Brazilian Resolution CD/ANPD No. 19/2024, which governs international data transfers. Once the technical and legal evaluation is complete, the ANPD’s Board of Directors will issue a formal decision. This reciprocal move reflects Brazil’s commitment to mutual recognition and regulatory symmetry — a positive signal for companies on both sides of the Atlantic.

      In conclusion: If confirmed, Brazil’s adequacy status will simplify international operations, reduce compliance costs, and expand opportunities for data-driven business and legal cooperation. For European lawyers advising SMEs with interests in Latin America, this development is a strategic signal: Brazil is emerging not just as a growing market, but as a legally compatible and data-safe jurisdiction for international partnerships.

      On 23 August 2024, Brazil’s National Data Protection Authority (ANPD) issued Resolution No. 19, a landmark regulation governing the international transfer of personal data under the Brazilian General Data Protection Law (LGPD). Companies now have until 23 August 2025 to fully comply.

      This deadline is especially relevant for European multinationals operating in Brazil, or Brazilian subsidiaries sharing data with foreign HQs or vendors. The new rules align Brazil more closely with global privacy frameworks like the GDPR—but with local twists that demand attention.

      Why It Matters

      Unlike previous guidance, Resolution No. 19 creates binding legal obligations and explicit deadlines. It introduces mechanisms such as Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), and public transparency requirements—all within a strict 12-month timeframe.

      For many international companies, this will require significant updates to internal governance, contract management, and cloud data strategies. Below are the key takeaways for foreign counsel.

      Standard Contractual Clauses (SCCs): Now Mandatory

      The ANPD has released its own set of Standard Contractual Clauses, which must be used for data transfers to jurisdictions not recognized as offering “adequate protection.”

      Companies must adopt these clauses by 23 August 2025. This will likely require revisiting existing data processing agreements involving Brazilian parties and ensuring alignment with the ANPD template.

      Important: The SCCs cannot be modified beyond inserting details in the annexes. Any deviations require prior approval from the ANPD and are limited to exceptional cases.

      Broad Transparency Requirements

      Data controllers are now required to publish, on their website, a plain-language document explaining:

      • the purpose of the international data transfer,
      • the categories of data involved,
      • the countries of destination,
      • and the legal mechanism used to legitimize the transfer.

      Upon request, data subjects must also receive a copy of the full SCCs within 15 days. Multinationals will need protocols and document templates to respond efficiently—especially when dealing with requests in Portuguese.

      Expanded Definition of “International Transfer”

      The Resolution clarifies that a transfer occurs whenever:

      • data is accessed or stored by an entity located abroad, or
      • processing is outsourced to a cloud provider with servers or technical teams outside Brazil.

      This has important implications for global companies that centralize services such as payroll, CRM, or cybersecurity outside Brazil—even if hosted on multinational platforms.

      Binding Corporate Rules (BCRs): Now Recognized

      Multinationals with mature privacy programs may apply to the ANPD for approval of their own Binding Corporate Rules, offering an alternative to SCCs.

      This is a welcome development for companies seeking harmonized compliance across jurisdictions, but approval is expected to involve a complex and time-consuming process. Early preparation is essential.

      Custom Clauses in Exceptional Circumstances

      Companies unable to adopt the standard clauses—due to specific factual or legal constraints—may submit alternative clauses for ANPD approval. However, such flexibility is limited and subject to strict justification.

      In practice, the official SCCs will be the default path for most international data transfers involving Brazil.

      What Foreign Companies Should Do Now

      The 12-month window is already ticking. International groups operating in Brazil or processing Brazilian data should urgently:

      • Map all international data transfers involving Brazil;
      • Identify contracts and vendors requiring updates;
      • Insert ANPD’s SCCs where applicable;
      • Publish the required transparency notice online in Portuguese;
      • Monitor for further ANPD guidance or enforcement trends.

      Strategic Compliance: Beyond Legal Risk

      Resolution No. 19 is part of a global trend toward standardized but locally enforced privacy frameworks. For GDPR-compliant companies, Brazil’s new rules offer a chance to reaffirm leadership in data governance.

      Those who act early can avoid last-minute fire drills, reduce regulatory exposure, and strengthen credibility with Brazilian regulators and consumers.

      In today’s data economy, privacy compliance is more than a legal duty—it’s a business differentiator.

      Brazil’s National Data Protection Authority (ANPD) released a long-awaited guidance document on how companies should interpret and apply the legal basis of legitimate interest under the Brazilian General Data Protection Law (LGPD).

      This is not merely a local update. As Brazil continues to shape its data protection regime, foreign companies—particularly European SMEs with clients, platforms, or partners in Brazil—must adapt their compliance strategies to local expectations. This new guidance is a crucial development.

      Below, I summarize what has changed, how it compares to the GDPR approach, and what steps you (or your clients) should take next.

      Why Legitimate Interest Matters—But Remains Risky

      Just like under the GDPR, Brazil’s LGPD allows personal data to be processed without consent when doing so is necessary for purposes aligned with the controller’s legitimate interests. However, because this legal basis went unregulated from the moment the LGPD came into force, it has long been regarded as risky in Brazil; in particular, it was unclear how to evaluate the «legitimacy» of the interest and how to balance it against data subject rights.

      The ANPD’s «Guia Orientativo sobre o Legítimo Interesse» (Guidance on Legitimate Interest) fills that gap—providing a practical framework to assess, document, and justify this legal basis.

      The ANPD’s Three-Step Balancing Test

      The core of the new guidance is a three-step balancing test, which mirrors the GDPR’s Legitimate Interests Assessment (LIA) but with Brazilian nuances.

      • Purpose Test : The controller must define a specific, concrete, and legitimate objective behind the data processing. Open-ended or abstract justifications (“marketing purposes”, “efficiency”) will not suffice. The processing must also align with the reasonable expectations of the data subject.
      • Necessity Test : The data processing must be strictly necessary to achieve the defined purpose. If the same result could be achieved through less intrusive means (e.g. anonymized data or a different legal basis), the test will likely fail.
      • Balancing Test and Safeguards : This step assesses whether the controller’s interest outweighs the rights and freedoms of the data subject. Controllers must consider the nature of the data, the context of the processing, and the potential risks involved. When risks are identified, appropriate safeguards must be implemented, such as transparency, opt-outs, pseudonymization, and impact assessments.

      Takeaway: The ANPD recommends documenting the entire process. While this is not mandatory by law, it will be critical in case of investigations or complaints.

      How This Affects Foreign Companies Doing Business in Brazil

      Many foreign companies process personal data of Brazilian individuals—whether by offering digital services, interacting with Brazilian suppliers, or collecting contact information via websites or CRM tools.

      Although some assume that GDPR compliance is sufficient, the ANPD may evaluate legitimate interest more restrictively than some EU supervisory authorities.

      Foreign companies should:

      • Revisit their legal bases for processing data of Brazilian individuals.
      • Conduct a proper balancing test using the ANPD’s model, even for non-sensitive data.
      • Keep written records of the analysis (especially if using legitimate interest for analytics or marketing).
      • Update their privacy notices to reflect the legal basis and safeguards in place.
      • Be aware of the extraterritorial reach of the LGPD—yes, it applies even if you have no office in Brazil.

      Strategic Guidance

      If you advise SMEs that operate across jurisdictions—including Brazil—this new guidance is a practical compliance tool and a risk-mitigation opportunity.

      Here’s how to act now:

      • Perform a Legitimate Interests Assessment (LIA) whenever your client relies on this basis in Brazil.
      • Compare it with the GDPR LIA to identify overlaps and gaps.
      • Align documentation—so your clients are ready in the event of a complaint or data subject request.
      • Monitor ANPD updates—the ANPD has increased its activity and enforcement posture significantly in the past year.

      Final Thoughts

      The ANPD’s guidance reflects a growing maturity in Brazil’s data protection landscape. Legitimate interest is no longer a vague fallback—it requires structure, analysis, and above all, transparency.

      European companies with operations or digital exposure in Brazil should approach this legal basis with care and diligence. The good news? The ANPD is now offering the roadmap. It’s up to us, as legal advisors, to make sure our clients follow it.

      Want to see the full guidance? The original document (in Portuguese) is available here.

      Brazil is increasingly in the global spotlight when it comes to cybersecurity threats. With over 10 billion cyberattack attempts recorded in 2023 alone, the country ranks among the most targeted worldwide. These incidents are not abstract: they affect sensitive sectors such as finance and healthcare, including data leaks involving over 220 million data subjects from national institutions and critical infrastructure operators.

      While Brazil may seem like a distant jurisdiction, its data protection regime — shaped by the Lei Geral de Proteção de Dados (LGPD) — has growing significance for European businesses operating or partnering in the region. The LGPD, inspired by the GDPR, sets out specific obligations around data breach notification. However, unlike the GDPR’s mandatory 72-hour notification rule, not all security incidents must be reported to the Brazilian Data Protection Authority (ANPD).

      So: when exactly should a security incident be reported in Brazil?

      When Notification is Required: A Three-Step Test

      Under Brazilian law, a security incident involving personal data must be reported to the ANPD only if the following three criteria are cumulatively met:

      • The incident has been confirmed.
      • It involves personal data subject to the LGPD.
      • It poses a relevant risk or damage to data subjects.

      This third threshold is critical. According to the ANPD’s Security Incident Communication Regulation (RCIS), relevant risks include incidents that may:

      • Prevent the exercise of rights or access to services.
      • Cause material or moral harm.
      • Involve special categories of data such as: Sensitive personal data / Financial data / Large-scale datasets / Children’s or elderly persons’ data / Authentication credentials / Legally protected information (e.g., medical, legal, or professional secrets).

      This approach offers some flexibility – but it also requires careful legal judgment.

      When You Don’t Have to Notify

      There is no obligation to notify the ANPD if the incident does not result in significant risk or damage. For instance, if the breached data is non-sensitive and publicly available (e.g., general contact information), and no additional harm is expected, companies may reasonably determine that notification is unnecessary.

      However, this decision should not be taken lightly. Controllers are expected to assess several contextual factors, such as:

      • The volume and nature of the affected data.
      • Whether the data subjects can be identified.
      • The likely impact on fundamental rights.
      • The technical and security measures in place.
      • Any steps taken to mitigate the damage.

      In practice, each case must be analyzed individually — and well documented — to ensure a defensible position.

      How to Notify the ANPD (If Required)

      If the thresholds for notification are met, companies must report the incident within three business days from the date they became aware that personal data was affected. The notification must include:

      • A description of the breach and affected data.
      • The number and profile of impacted data subjects.
      • Security measures in place before and after the incident.
      • Potential risks to the data subjects.
      • Mitigation strategies.
      • Identification of the controller and DPO (if applicable).

      Notifications are submitted via the ANPD’s online platform (SUPER). Sensitive business information can be protected through a request for confidential treatment, provided it is properly justified.

      Strategic Takeaways for European Stakeholders

      For European companies and compliance officers, understanding the nuances of Brazilian data breach notification rules is essential for several reasons:

      • Cross-border compliance: Companies transferring personal data to Brazil must ensure regulatory alignment under the GDPR’s international transfer rules.
      • Due diligence: M&A or vendor screening in Brazil should include assessments of LGPD readiness and breach history.
      • Incident response protocols: Global organizations must harmonize breach notification timelines and thresholds across jurisdictions, adapting to Brazil’s risk-based approach.

      In a landscape of increasing cyber threats, aligning with the LGPD is not just a regulatory obligation — it’s a strategic necessity.

      Final Thoughts

      Brazil’s data protection authority does not adopt a «one size fits all» model for breach notification. The LGPD introduces a risk-based, case-by-case approach, which may offer more flexibility than the GDPR — but also places a greater burden on organizations to justify their decisions.

      European companies doing business in Brazil must be prepared to evaluate security incidents in light of both local obligations and international expectations. Failing to notify a breach — or notifying too hastily — can have serious reputational, legal, and operational consequences.

      Understanding when (and how) to notify the ANPD is a key part of navigating Brazil’s complex but maturing data protection landscape.

      Leopoldo Pagotto


        Brazilian Healthtech – Neurotechnologies, LGPD and the GDPR’s Long-Arm Effect

        26 November 2025

        • Brazil
        • Health law
        • M&A
        • Privacy and Data Protection


        In practice, this means adopting the concepts of safety-by-design and privacy-by-default from the outset. It is no longer enough to fix problems after they arise. Companies must anticipate risks to the physical, mental, and moral integrity of younger users and build preventive safeguards.

        Mandatory Impact Assessments and Platform Risk Analysis

        One of the pillars of the new legislation is the requirement for impact assessments. Platforms must conduct periodic detailed analyses of the potential effects of their functionalities (recommendation algorithms, engagement mechanisms, advertising systems, and even augmented reality features) on children and adolescents. These reports need to be properly documented internally and, in many cases, generate transparent information that can be shared with authorities or made available to the public in a summarized version.

        New Age Verification and Parental Control Obligations

        Age verification has become significantly more rigorous. A simple self-declaration (“click here if you are over 18”) is no longer considered sufficient. The law requires effective and proportionate mechanisms that respect privacy but genuinely manage to distinguish adults from minors. For users up to 16 years old, accounts on social networks and similar platforms must, as a rule, be linked to a legal guardian.

        Furthermore, companies are required to provide robust parental control tools. Guardians must have access to dashboards that allow them to set screen time limits, restrict contacts, approve or block in-app purchases, and disable personalized algorithmic recommendation systems. Many foreign clients I have spoken with still underestimate the weight of this requirement.

        Restrictions on Advertising, Profiling, and Gaming Monetization

        In the commercial sphere, the law is particularly restrictive. The use of advanced behavioral profiling, emotional analysis, or immersive technologies to target advertising at children and adolescents is prohibited. Monetization of content that inappropriately exploits the image of minors is also subject to severe limitations. In the gaming sector, there are express bans on “loot boxes” and randomized reward systems when the game is accessible to minors, precisely because of their addictive potential and the risk of uncontrolled spending.

        Harmful Content Removal and Reporting Requirements

        Another aspect that deserves attention is the swift removal of harmful content. The law establishes short deadlines – in some cases as little as 24 hours – for the removal of material related to sexual exploitation, violence, bullying, cyberbullying, incitement to suicide, self-harm, or drug use. In addition to removal, in serious situations platforms must notify the competent authorities, including through international cooperation when necessary.

        Legal Representation and Enforcement Risks for Foreign Companies

        For foreign companies without a physical presence in Brazil, the law strengthens enforcement mechanisms. It is mandatory to appoint a legal representative established in the country, with powers to receive judicial and administrative citations, respond to requests from the Public Prosecutor’s Office and the National Data Protection Authority (ANPD), and serve as the local point of contact.

        In fact, the ANPD assumes a central role in supervising and regulating the law, acting in coordination with the Public Prosecutor’s Office. This creates a more robust enforcement scenario than many international players initially anticipated. Moreover, the law provides for joint and several liability: subsidiaries, branches, or companies within the same economic group in Brazil may be held accountable for violations committed by the foreign parent company.

        Financial Penalties and Operational Sanctions

        The sanctions are dissuasive. Fines can reach up to 10% of the economic group’s revenue in Brazil in the previous year, or up to R$ 50 million per individual violation, depending on the severity. In extreme cases or in the event of recurrence, authorities may order the temporary suspension or even the complete blocking of the service within Brazilian territory. For companies that depend on the Brazilian market, especially consumer technology firms, this operational risk is very real.

        Relationship Between the ECA Digital and Brazil’s LGPD

        It is worth noting that the ECA Digital interacts closely with the General Data Protection Law (LGPD). Many of the principles of privacy-by-default, data minimization, and impact assessments already existed under the LGPD, but they now take on more specific contours when the data subject is a child or adolescent. The processing of minors’ data requires even greater care, with more restrictive legal bases and heightened attention to consent and the rights of legal guardians.

        Global Regulatory Trends and Brazilian Specificities

        From a comparative perspective, the Brazilian law aligns with global trends. It bears clear similarities to the UK’s Age Appropriate Design Code, certain aspects of the European DSA, and ongoing discussions in other Latin American countries. However, it presents distinctly Brazilian nuances: strong influence from the Public Prosecutor’s Office, the tradition of integral protection of children established in the 1990 Child and Adolescent Statute (ECA), and an approach that combines state regulation with the shared responsibility of families, schools, and platforms.

        Practical Compliance Steps for Foreign Technology Companies

        Foreign legal advisors must act with urgency. A good starting point is to conduct a comprehensive gap analysis: mapping user onboarding flows, reviewing advertising and algorithmic recommendation policies, assessing the adequacy of age verification mechanisms, and verifying whether the legal representation structure in Brazil meets the new requirements.

        In addition, it is important to prepare local teams or partners to handle administrative requests and potential audits. Investing in privacy-preserving age verification technologies, such as age estimation or document-based verification without excessive data storage, can make a difference both in compliance and in the user experience.

        Conclusion

        In summary, the ECA Digital is not merely a symbolic law. It imposes concrete obligations, with adaptation deadlines that have already expired for many companies, and carries real risks of financial and operational sanctions. For law firms advising international clients, especially small and medium-sized practices in Europe and Asia, the moment has come to help these players turn compliance into a competitive advantage.

        Those who manage to implement robust protection measures from the design stage of their products will not only avoid heavy fines but may also build greater trust with the Brazilian public and authorities.

        Summary: On January 25, 2026, Brazil and the EU mutually recognized each other as providing adequate personal data protection—removing, in many cases, the need for Standard Contractual Clauses (SCCs) or other transfer tools. This shifts the conversation from “copy-paste compliance” to strategy: deciding when to retire SCCs, updating cross-border transfer policies, and modernizing contractual models for future deals.

        Why this matters in real transactions

        Imagine you’re about to close a deal with a German business partner and your Brazilian client urgently asks for a data transfer clause. It’s always the same copy-paste: Standard Contractual Clauses (SCCs), Annex I and II in both languages, signatures on the dotted line. Now imagine this scene is finally unnecessary.

        The mutual adequacy milestone (January 25, 2026)

        On January 25, 2026, Brazil and the European Union mutually recognized each other as countries with adequate levels of personal data protection. It’s the first adequacy agreement signed between the EU and a Latin American country. In practical terms, it means that companies can transfer personal data between Brazil and the EU without the need for additional mechanisms, like SCCs or Binding Corporate Rules (BCRs). In strategic terms, it opens a new front of opportunities for Brazilian lawyers, especially those advising clients who export, import, invest, or operate in the EU.

        A starting point, not a “compliance break”

        This is a milestone and also a starting point. Mutual adequacy does not mean «relax your compliance programs»; on the contrary, it demands governance maturity and careful review.

        Three concrete fronts for legal work

        1. Retiring SCCs: Not Always Automatic

        The adequacy decision makes SCCs optional in many cases, but that doesn’t mean you can simply tear them up. For existing contracts that already use SCCs, lawyers will need to assess whether they should keep, revise, or remove those clauses. The answer will depend on the risks, data flows, and reliance on third countries in the processing chain. There may also be internal policies, negotiated warranties, or obligations to supervisory authorities that require formal justifications.

        In practice, companies with complex processing chains (e.g., European headquarters, shared Brazilian HR services, cloud servers in the U.S.) may continue using SCCs in certain flows even after the adequacy recognition. Lawyers will need to carefully document and track this hybrid model.

        2. Reviewing Cross-Border Data Transfer Policies

        Many companies, especially multinationals or those with multiple data protection obligations, have established cross-border data transfer policies («CBTPs») that classify countries into categories and associate specific safeguards for each. Brazil’s new status as an «adequate country» must now be reflected in those documents.

        For instance, a Brazilian company that receives data from France and sends it to Argentina and India may now adjust internal protocols to reduce documentation and controls on the EU → Brazil leg, while reinforcing controls in the Brazil → Argentina or Brazil → India legs. These changes must be aligned with the company’s policies, contracts, and internal training materials.

        3. Adapting Contractual Models for Future Deals

        The mutual adequacy decision creates a new contractual scenario. Brazilian lawyers advising international clients can now use data transfer models aligned with GDPR—without needing SCCs or complex annexes—provided both parties are located in Brazil and the EU.

        This reduces transaction costs, improves legal certainty, and increases speed in negotiations involving technology services, cross-border M&A, or shared service centers. A good contractual model should still include data protection clauses—but now focused on risk allocation, DPO cooperation, and incident response coordination, rather than formal compliance with Art. 46 GDPR or Arts. 33–36 LGPD.

        Summary: Brazil’s data protection authority (ANPD) is signaling a clear move toward stronger, more GDPR-aligned enforcement and rulemaking through its 2026–2027 Priority Topics Map and updated Regulatory Agenda. The selected priorities mirror familiar EU themes—data subject rights, children’s data, public-sector processing, and AI—while adding practical predictability for organizations planning compliance. For European businesses operating in Brazil, the direction of travel suggests increasing convergence in governance, risk assessment, and transparency expectations. This trajectory may also strengthen the long-term case for Brazil to pursue an EU adequacy decision.

        A maturing authority with a strategic alignment to GDPR

        While European regulators refine enforcement mechanisms for mature frameworks, Brazil is quietly building one of the world’s most GDPR-aligned data protection systems outside the EU. The release of the Priority Topics Map for 2026–2027 and the updated Regulatory Agenda by the National Data Protection Authority (ANPD) reveals an authority no longer in its infancy, but one strategically positioning itself as a credible counterpart to European supervisory bodies.

        ANPD’s priority topics for 2026–2027

        The four priority topics chosen by Brazil’s National Data Protection Authority («ANPD») tell a familiar tale to anyone working with GDPR compliance: data subject rights, protection of children and adolescents in digital environments, processing by public authorities, and artificial intelligence with emerging technologies.

        Why these priorities feel familiar to GDPR practitioners

        These are not arbitrary choices but deliberate alignments with the core concerns that have shaped European enforcement over the past seven years, from the fundamental rights guarantees in Articles 12 through 22, to the heightened scrutiny of processing involving minors, to the evolving regulatory treatment of algorithmic systems that now spans both GDPR recitals and the EU AI Act itself.

        Children and adolescents: new authority and converging expectations

        Brazil’s recent Digital Statute for Children and Adolescents hands ANPD substantial new authority over age verification and parental consent mechanisms, creating a regulatory bridge that should look strikingly familiar to companies navigating the UK’s Age Appropriate Design Code or implementing EDPB guidance on child data. European digital services operating in Brazil, particularly in social media, gaming, education, or wellness sectors, now face converging compliance expectations on both sides of the Atlantic. The technical architectures and consent flows designed for GDPR are increasingly fit for purpose in the Brazilian context as well.

        Artificial intelligence and emerging technologies

        The elevation of artificial intelligence to priority status represents ANPD’s clearest statement yet about where Brazilian regulation is headed. The move itself is hardly surprising, since AI is a concern for every regulator in every industry. While the LGPD lacks specific AI provisions, the authority has been methodically laying groundwork through public consultations on automated decision-making and studies on algorithmic profiling. For companies already deep in EU AI Act preparation, such a convergence offers something rare in global privacy compliance: the potential for genuine efficiency gains through shared governance frameworks, unified risk assessment methodologies, and harmonized transparency protocols rather than duplicative regional adaptations.

        Data subject rights and DPIAs: reinforcing accountability

        ANPD’s continued emphasis on data subject rights and Data Protection Impact Assessments reinforces the structural similarities with GDPR’s accountability model. The Brazilian approach increasingly mirrors European expectations around documented risk assessment, standardized response protocols for individual rights requests, and transparency obligations for profiling activities. Multinational organizations can now reasonably contemplate unified DPIA templates and centralized rights management systems that serve both jurisdictions without fundamental architectural splits.

        The updated Regulatory Agenda for 2025–2026: predictability as a compliance asset

        The updated Regulatory Agenda for 2025–2026 provides something perhaps more valuable than new rules: predictability. One should not underestimate the importance of predictability in Brazil, since it is a rare asset, even before the courts. Former Finance Minister Pedro Malan once ironically stated that «in Brazil, even the past is uncertain».

        What ANPD is telegraphing next

        By telegraphing upcoming initiatives on biometric data processing, inspection methodologies, sanctioning procedures, cybersecurity standards, and privacy program governance, ANPD offers companies the planning visibility that makes cross-border compliance feasible rather than reactive. These topics map directly onto GDPR’s controller obligations, security requirements, and Data Protection Officer independence provisions in Articles 24 through 39.

        Beyond compliance: what convergence could mean for data flows

        The regulatory convergence carries implications beyond operational compliance. The structural alignment between LGPD and GDPR, reinforced by ANPD’s strategic choices, strengthens the case for an eventual EU adequacy decision recognizing Brazil under Article 45.

        For European businesses and their counsel, the trajectory suggests not just reduced friction in managing trans-Atlantic data flows, but the emergence of genuinely compatible regulatory ecosystems. The challenge will be maintaining attention to Brazilian developments with the same intensity devoted to EDPB guidelines and Commission decisions, recognizing that convergence is a continuous process rather than a static achievement.

        Conclusion

        Brazil’s ANPD is increasingly setting priorities that mirror the main pressure points of GDPR compliance, while using its Regulatory Agenda to add clarity and sequencing to what comes next. For organizations operating across the EU and Brazil, the message is practical: governance structures, rights-handling processes, and risk assessment tooling built for GDPR are becoming progressively reusable in the Brazilian context. At the same time, staying alert to ANPD’s evolving guidance—especially around children’s data, AI, biometrics, cybersecurity, and enforcement methodology—will be key to turning regulatory convergence into real operational efficiency and reduced cross-border friction.

        Summary
        This article explores the ANPD’s 2025 Tech Radar on neurotechnologies and how it reshapes compliance risks for Brazilian healthtechs—especially in M&A contexts involving GDPR exposure. It outlines key regulatory concerns, the GDPR’s extraterritorial impact, major due-diligence red flags, and the essential deliverables investors should require.

        Introduction

        Brazil’s latest ANPD Tech Radar brings neurotechnologies to the forefront of data-protection compliance, exposing significant risks for healthtech companies and investors. With GDPR’s extraterritorial reach, sensitive data processing, opaque AI, and cross-border transfers, data governance has become a critical M&A due-diligence factor requiring structured reviews and robust contractual safeguards.

        Key Compliance Risks Shaping Brazilian Healthtech M&A

        Brazil’s Data Protection Authority (ANPD) released its 4th Tech Radar in June 2025, focusing entirely on neurotechnologies—marking the first time the regulator targeted this field so directly. The report explores brain-computer interfaces, advanced wearables, AI-driven cognitive therapies, and predictive diagnostics, highlighting risks far beyond traditional health data processing.

        For investors and lawyers working M&A deals in Brazil’s healthtech sector, this Radar signals that data protection is no longer a secondary compliance issue—it is now a major source of legal, reputational, and operational risk.

        GDPR’s Extraterritorial Relevance

        Many Brazilian healthtechs handle personal data of individuals located in the EU—expats, medical tourists, participants in cross-border clinical trials, or users reached through EU-based partners and vendors. Where the Brazilian company offers goods or services to those individuals, or monitors their behaviour in the EU, GDPR Article 3(2) applies to it directly, even without any EU establishment. Merely holding data about EU nationals is not the trigger; targeting or monitoring people in the Union is.

        Main Risks Identified by ANPD (Tech Radar #4)

        • Inferring health data without explicit consent
          Example: wearables identifying depression through sleep or stress patterns without informing users.
        • Lack of transparency in predictive algorithms
          Black-box AI models making clinical decisions without accessible documentation.
        • Cybersecurity vulnerabilities in connected devices
          Neural implants or neurostimulators vulnerable to hacking, with potentially physical consequences.
        • Automated processing that impacts human dignity
          Behavioral profiling influencing insurance eligibility, discrimination, or patient autonomy in therapy environments.

        GDPR Article 22 gives individuals the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects; such decisions are allowed only on narrow grounds (contract, law, or explicit consent) and with safeguards such as human intervention—making this a critical risk during due diligence.

        Most Common Red Flags in Brazilian Healthtech Due Diligence

        No clear legal basis for sensitive data (health, genetic, biometric)

        LGPD Impact (Brazil): Breach of LGPD Art. 11
        GDPR Parallel (Europe): Art. 9 (special categories)
        Practical Recommendation: Require full data-mapping and warranties

        Generic or “click-to-accept” consents

        LGPD Impact (Brazil): Invalid consent (Art. 7 & 11)
        GDPR Parallel (Europe): Art. 6 + 7
        Practical Recommendation: Ensure all consents are granular, specific, and revocable

        Third-party sharing without processor agreements

        LGPD Impact (Brazil): Breach of LGPD Art. 28 & 33
        GDPR Parallel (Europe): Art. 28
        Practical Recommendation: Verify existence and adequacy of all DPAs

        Missing or incomplete ROPA

        LGPD Impact (Brazil): Breach of LGPD Art. 37 (duty to keep records of processing operations)
        GDPR Parallel (Europe): Art. 30
        Practical Recommendation: Make ROPA delivery a closing condition

        Non-existent or conflicted DPO

        LGPD Impact (Brazil): Non-compliance with LGPD Art. 41 and the ANPD's DPO regulation (Resolution CD/ANPD No. 18/2024)
        GDPR Parallel (Europe): Art. 37–39
        Practical Recommendation: Require interview + independence confirmation

        No DPIA for high-risk products

        LGPD Impact (Brazil): LGPD Art. 38 (the ANPD may require a data protection impact report)
        GDPR Parallel (Europe): Art. 35
        Practical Recommendation: Include pre-closing DPIA audit clause

        International transfers without safeguards

        LGPD Impact (Brazil): Arts. 33–35
        GDPR Parallel (Europe): Arts. 44–50
        Practical Recommendation: Verify the safeguard actually in place for each flow (EU SCCs under Decision 2021/914, ANPD SCCs under Resolution CD/ANPD No. 19/2024, or an adequacy decision)

        Real Cases Illustrating the Scale of Risk

        • Telepsychology platforms investigated for using automated triage without informed consent or AI transparency.
        • ANPD actions against genomics startups due to cross-border transfers without SCCs or DPIAs.
        • Outsourced cloud hosting increasing irregular data transfer risks.

        Until an EU adequacy decision for Brazil is adopted, EU-to-Brazil transfers still need an Article 46 safeguard such as SCCs or BCRs.

        Essential Due Diligence Deliverables

        A robust data-protection review is now essential in healthtech M&A. Key deliverables include:

        • LGPD ↔ GDPR gap analysis
        • ROPA and DPIA review
        • Sub-processor contract verification
        • Mapping of all international transfers
        • Privacy-specific warranties and indemnities
        • Escrow or holdback for regulatory risk exposure

        Conclusion

        Data protection is no longer secondary in healthtech M&A—especially when neurodata is involved. With ANPD scrutinizing neurotechnologies and GDPR obligations extending across borders, investors must prioritize structured due diligence and strong contractual safeguards.

        FAQ

        Is neurodata considered sensitive personal data under the LGPD?

        Yes—ANPD treats neurodata as highly sensitive because it reveals cognitive, emotional, and health patterns.

        Does GDPR apply to Brazilian companies with no EU presence?

        Yes, via Article 3(2), when the company offers goods or services to individuals in the EU or monitors their behaviour there; the nationality of the data subject alone does not trigger it.

        Are SCCs still required for Brazil–EU transfers?

        Yes. SCCs (or another Article 46 safeguard such as BCRs) remain required until an EU adequacy decision for Brazil is adopted.

        What are the top investor red flags?

        Missing DPIAs, unclear legal bases, opaque algorithms, and irregular transfers.

        Since the General Data Protection Regulation (GDPR) took effect in 2018, the European Union (EU) has granted adequacy status to only a limited number of jurisdictions — those whose data protection regimes are deemed to provide an “essentially equivalent” level of protection to that of the EU. The current list includes Andorra, Argentina, Canada (under PIPEDA), Faroe Islands, Guernsey, Isle of Man, Israel, Japan, Jersey, New Zealand, South Korea, Switzerland, Uruguay, the United Kingdom, and the United States (limited to companies certified under the Data Privacy Framework).

        As of 5 September 2025, Brazil is on the verge of joining this exclusive group. The European Commission has issued a draft adequacy decision concluding that the Brazilian General Data Protection Law (Lei Geral de Proteção de Dados Pessoais – LGPD), in conjunction with Brazil’s broader legal and constitutional framework, offers protections that are essentially equivalent to those found in the GDPR. While Brazil’s rules offer somewhat more flexibility in specific areas of data processing, the foundational principles and safeguards are well-aligned with EU standards.

        Once finalized, the adequacy decision will authorize the free flow of personal data from the EU to Brazil without the need for additional contractual clauses or technical safeguards. Such a development is not just regulatory — it also answers a core political argument made by LGPD advocates since its inception: that the absence of a comprehensive data protection framework was undermining Brazil’s international competitiveness by limiting data flows and discouraging investment. For businesses, the EU decision may finally mean the removal of a significant layer of compliance complexity — a development especially welcome by small and medium-sized enterprises engaged in cross-border trade or service provision. The draft is currently under review by the European Data Protection Board (EDPB) and the Member States of the EU.

        The Commission’s assessment highlights several key aspects of Brazil’s data protection landscape. It begins by noting that the Brazilian Constitution expressly guarantees the right to privacy and the protection of personal data — a notable distinction among non-EU jurisdictions. These protections are further supported by Brazil’s ratification of the American Convention on Human Rights and its recognition of the jurisdiction of the Inter-American Court of Human Rights, reinforcing a commitment to fundamental rights and democratic oversight.

        The LGPD mirrors the GDPR in many critical respects and defines its territorial scope clearly. It applies to: (i) data processing carried out within Brazilian territory, (ii) the offering of goods or services to individuals in Brazil, and (iii) data collected in Brazil, even if subsequently processed abroad. This aligns well with the extraterritorial provisions of the GDPR. The definitions of personal data, sensitive data, controller, and processor are materially similar, as are the key principles governing processing — including lawfulness, purpose limitation, data minimization, accuracy, transparency, and security. The law expressly excludes anonymized data from its scope and establishes specific exemptions for journalistic activities, public security, and scientific research.

        Another strength is Brazil’s institutional framework. The National Data Protection Authority (ANPD) was recently transformed into an autonomous regulatory agency, enhancing its independence and technical capacity. The ANPD holds both regulatory and enforcement powers: it can issue binding regulations, impose administrative sanctions, and publish authoritative guidance. To date, it has issued key guidelines on topics such as consent, legitimate interest, the role of the Data Protection Officer (DPO), and security incident reporting. Internationally, the ANPD is an active participant in global data protection dialogue — it is a member of the Global Privacy Assembly and an official observer to the Council of Europe’s Convention 108.

        The LGPD’s approach to international data transfers is also structurally aligned with the GDPR. It requires appropriate safeguards such as standard contractual clauses, allows for future adequacy decisions under a regime comparable to Article 45 of the GDPR, and includes detailed provisions for onward transfers and transit data — that is, data merely passing through Brazil without further processing. The rights of data subjects are robust and familiar to European practitioners: access, rectification, erasure, portability, and withdrawal of consent are guaranteed. Lawful bases for processing are also aligned — including consent, legal obligations, contract execution, and legitimate interest. Notably, the LGPD requires a documented balancing test when relying on legitimate interest, bringing additional accountability to this flexible legal basis.

        Security incidents involving personal data must be notified to both the ANPD and affected data subjects when they may cause relevant risk or damage to those subjects. The ANPD's incident regulation sets the standard deadline at three business days from the controller's awareness of the incident (the functional counterpart of the GDPR's 72 hours), and the required content aligns closely with Articles 33 and 34 of the GDPR. The ANPD may also order public disclosure of incidents or require remedial measures, depending on the nature and scope of the breach.

        Importantly, this process is not one-sided. In parallel to the European Commission’s adequacy decision, the ANPD is conducting its own adequacy assessment of the EU and EEA data protection frameworks. This process is regulated by the Brazilian Resolution CD/ANPD No. 19/2024, which governs international data transfers. Once the technical and legal evaluation is complete, the ANPD’s Board of Directors will issue a formal decision. This reciprocal move reflects Brazil’s commitment to mutual recognition and regulatory symmetry — a positive signal for companies on both sides of the Atlantic.

        In conclusion: If confirmed, Brazil’s adequacy status will simplify international operations, reduce compliance costs, and expand opportunities for data-driven business and legal cooperation. For European lawyers advising SMEs with interests in Latin America, this development is a strategic signal: Brazil is emerging not just as a growing market, but as a legally compatible and data-safe jurisdiction for international partnerships.

        On 23 August 2024, Brazil’s National Data Protection Authority (ANPD) issued Resolution No. 19, a landmark regulation governing the international transfer of personal data under the Brazilian General Data Protection Law (LGPD). Companies now have until 23 August 2025 to fully comply.

        This deadline is especially relevant for European multinationals operating in Brazil, or Brazilian subsidiaries sharing data with foreign HQs or vendors. The new rules align Brazil more closely with global privacy frameworks like the GDPR—but with local twists that demand attention.

        Why It Matters

        Unlike previous guidance, Resolution No. 19 creates binding legal obligations and explicit deadlines. It introduces mechanisms such as Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), and public transparency requirements—all within a strict 12-month timeframe.

        For many international companies, this will require significant updates to internal governance, contract management, and cloud data strategies. Below are the key takeaways for foreign counsel.

        Standard Contractual Clauses (SCCs): Now Mandatory

        The ANPD has released its own set of Standard Contractual Clauses, which must be used for data transfers to jurisdictions not recognized as offering “adequate protection.”

        Companies must adopt these clauses by 23 August 2025. This will likely require revisiting existing data processing agreements involving Brazilian parties and ensuring alignment with the ANPD template.

        Important: The SCCs cannot be modified beyond inserting details in the annexes. Any deviations require prior approval from the ANPD and are limited to exceptional cases.

        Broad Transparency Requirements

        Data controllers are now required to publish, on their website, a plain-language document explaining:

        • the purpose of the international data transfer,
        • the categories of data involved,
        • the countries of destination,
        • and the legal mechanism used to legitimize the transfer.

        Upon request, data subjects must also receive a copy of the full SCCs within 15 days. Multinationals will need protocols and document templates to respond efficiently—especially when dealing with requests in Portuguese.

        Expanded Definition of “International Transfer”

        The Resolution clarifies that a transfer occurs whenever:

        • data is accessed or stored by an entity located abroad, or
        • processing is outsourced to a cloud provider with servers or technical teams outside Brazil.

        This has important implications for global companies that centralize services such as payroll, CRM, or cybersecurity outside Brazil—even if hosted on multinational platforms.

        Binding Corporate Rules (BCRs): Now Recognized

        Multinationals with mature privacy programs may apply to the ANPD for approval of their own Binding Corporate Rules, offering an alternative to SCCs.

        This is a welcome development for companies seeking harmonized compliance across jurisdictions, but approval is expected to involve a complex and time-consuming process. Early preparation is essential.

        Custom Clauses in Exceptional Circumstances

        Companies unable to adopt the standard clauses—due to specific factual or legal constraints—may submit alternative clauses for ANPD approval. However, such flexibility is limited and subject to strict justification.

        In practice, the official SCCs will be the default path for most international data transfers involving Brazil.

        What Foreign Companies Should Do Now

        The 12-month window is already ticking. International groups operating in Brazil or processing Brazilian data should urgently:

        • Map all international data transfers involving Brazil;
        • Identify contracts and vendors requiring updates;
        • Insert ANPD’s SCCs where applicable;
        • Publish the required transparency notice online in Portuguese;
        • Monitor for further ANPD guidance or enforcement trends.

        Strategic Compliance: Beyond Legal Risk

        Resolution No. 19 is part of a global trend toward standardized but locally enforced privacy frameworks. For GDPR-compliant companies, Brazil’s new rules offer a chance to reaffirm leadership in data governance.

        Those who act early can avoid last-minute fire drills, reduce regulatory exposure, and strengthen credibility with Brazilian regulators and consumers.

        In today’s data economy, privacy compliance is more than a legal duty—it’s a business differentiator.

        Brazil’s National Data Protection Authority (ANPD) released a long-awaited guidance document on how companies should interpret and apply the legal basis of legitimate interest under the Brazilian General Data Protection Law (LGPD).

        This is not merely a local update. As Brazil continues to shape its data protection regime, foreign companies—particularly European SMEs with clients, platforms, or partners in Brazil—must adapt their compliance strategies to local expectations. This new guidance is a crucial development.

        Below, I summarize what has changed, how it compares to the GDPR approach, and what steps you (or your clients) should take next.

        Why Legitimate Interest Matters—But Remains Risky

        Just like under the GDPR, Brazil's LGPD allows personal data to be processed without consent when doing so is necessary for purposes aligned with the controller's legitimate interests. However, in the absence of regulatory guidance since the LGPD came into force, this legal basis has long been regarded as risky in Brazil: it was unclear how to evaluate the “legitimacy” of the interest and how to balance it against data subject rights.

        The ANPD’s «Guia Orientativo sobre o Legítimo Interesse» (Guidance on Legitimate Interest) fills that gap—providing a practical framework to assess, document, and justify this legal basis.

        The ANPD’s Three-Step Balancing Test

        The core of the new guidance is a three-step balancing test, which mirrors the GDPR’s Legitimate Interests Assessment (LIA) but with Brazilian nuances.

        • Purpose Test : The controller must define a specific, concrete, and legitimate objective behind the data processing. Open-ended or abstract justifications (“marketing purposes”, “efficiency”) will not suffice. The processing must also align with the reasonable expectations of the data subject.
        • Necessity Test : The data processing must be strictly necessary to achieve the defined purpose. If the same result could be achieved through less intrusive means (e.g. anonymized data or a different legal basis), the test will likely fail.
        • Balancing Test and Safeguards : This step assesses whether the controller’s interest outweighs the rights and freedoms of the data subject. Controllers must consider the nature of the data, the context of the processing, and the potential risks involved. When risks are identified, appropriate safeguards must be implemented, such as transparency, opt-outs, pseudonymization, and impact assessments.

        Takeaway: The ANPD recommends documenting the entire process. While this is not mandatory by law, it will be critical in case of investigations or complaints.

        How This Affects Foreign Companies doing business in Brazil

        Many foreign companies process personal data of Brazilian individuals—whether by offering digital services, interacting with Brazilian suppliers, or collecting contact information via websites or CRM tools.

        Although some assume that GDPR compliance is sufficient, the ANPD may evaluate legitimate interest more restrictively than some EU supervisory authorities.

        Foreign companies should:

        • Revisit their legal bases for processing data of Brazilian individuals.
        • Conduct a proper balancing test using the ANPD’s model, even for non-sensitive data.
        • Keep written records of the analysis (especially if using legitimate interest for analytics or marketing).
        • Update their privacy notices to reflect the legal basis and safeguards in place.
        • Be aware of the extraterritorial reach of the LGPD—yes, it applies even if you have no office in Brazil.

        Strategic Guidance

        If you advise SMEs that operate across jurisdictions—including Brazil—this new guidance is a practical compliance tool and a risk-mitigation opportunity.

        Here’s how to act now:

        • Perform a Legitimate Interests Assessment (LIA) whenever your client relies on this basis in Brazil.
        • Compare it with the GDPR LIA to identify overlaps and gaps.
        • Align documentation—so your clients are ready in the event of a complaint or data subject request.
        • Monitor ANPD updates—the ANPD has increased its activity and enforcement posture significantly in the past year.

        Final Thoughts

        The ANPD’s guidance reflects a growing maturity in Brazil’s data protection landscape. Legitimate interest is no longer a vague fallback—it requires structure, analysis, and above all, transparency.

        European companies with operations or digital exposure in Brazil should approach this legal basis with care and diligence. The good news? The ANPD is now offering the roadmap. It’s up to us, as legal advisors, to make sure our clients follow it.

        Want to see the full guidance? The original document (in Portuguese) is available here.

        Brazil is increasingly in the global spotlight when it comes to cybersecurity threats. With over 10 billion cyberattack attempts recorded in 2023 alone, the country ranks among the most targeted worldwide. These incidents are not abstract: they affect sensitive sectors such as finance and healthcare, including data leaks involving over 220 million data subjects from national institutions and critical infrastructure operators.

        While Brazil may seem like a distant jurisdiction, its data protection regime — shaped by the Lei Geral de Proteção de Dados (LGPD) — has growing significance for European businesses operating or partnering in the region. The LGPD, inspired by the GDPR, sets out specific obligations around data breach notification, but the mechanics differ. Where the GDPR requires notification within 72 hours unless the breach is unlikely to result in a risk, the LGPD requires notification only when an incident may cause relevant risk or damage to data subjects, and the ANPD's regulation sets the deadline at three business days. Not every security incident therefore has to be reported to the Brazilian Data Protection Authority (ANPD).

        So: when exactly should a security incident be reported in Brazil?

        When Notification is Required: A Three-Step Test

        Under Brazilian law, a security incident involving personal data must be reported to the ANPD only if the following three criteria are cumulatively met:

        • The incident has been confirmed.
        • It involves personal data subject to the LGPD.
        • It poses a relevant risk or damage to data subjects.

        This third threshold is critical. According to the ANPD's Security Incident Communication Regulation (RCIS, Resolution CD/ANPD No. 15/2024), relevant risks include incidents that may:

        • Prevent the exercise of rights or access to services.
        • Cause material or moral harm.
        • Involve sensitive personal data, financial data, children's or elderly persons' data, authentication credentials, or legally protected information (e.g., medical, legal, or professional secrets).
        • Affect personal data on a large scale.

        This approach offers some flexibility – but it also requires careful legal judgment.

        When You Don’t Have to Notify

        There is no obligation to notify the ANPD if the incident does not result in significant risk or damage. For instance, if the breached data is non-sensitive and publicly available (e.g., general contact information), and no additional harm is expected, companies may reasonably determine that notification is unnecessary.

        However, this decision should not be taken lightly. Controllers are expected to assess several contextual factors, such as:

        • The volume and nature of the affected data.
        • Whether the data subjects can be identified.
        • The likely impact on fundamental rights.
        • The technical and security measures in place.
        • Any steps taken to mitigate the damage.

        In practice, each case must be analyzed individually — and well documented — to ensure a defensible position.

        How to Notify the ANPD (If Required)

        If the thresholds for notification are met, companies must report the incident within three business days from the date they became aware that personal data was affected. The notification must include:

        • A description of the breach and affected data.
        • The number and profile of impacted data subjects.
        • Security measures in place before and after the incident.
        • Potential risks to the data subjects.
        • Mitigation strategies.
        • Identification of the controller and DPO (if applicable).

        Notifications are submitted via the ANPD’s online platform (SUPER). Sensitive business information can be protected through a request for confidential treatment, provided it is properly justified.

        Strategic Takeaways for European Stakeholders

        For European companies and compliance officers, understanding the nuances of Brazilian data breach notification rules is essential for several reasons:

        • Cross-border compliance: Companies transferring personal data to Brazil must ensure regulatory alignment under the GDPR’s international transfer rules.
        • Due diligence: M&A or vendor screening in Brazil should include assessments of LGPD readiness and breach history.
        • Incident response protocols: Global organizations must harmonize breach notification timelines and thresholds across jurisdictions, adapting to Brazil’s risk-based approach.

        In a landscape of increasing cyber threats, aligning with the LGPD is not just a regulatory obligation — it’s a strategic necessity.

        Final Thoughts

        Brazil’s data protection authority does not adopt a “one size fits all” model for breach notification. The LGPD introduces a risk-based, case-by-case approach, which may offer more flexibility than the GDPR — but also places a greater burden on organizations to justify their decisions.

        European companies doing business in Brazil must be prepared to evaluate security incidents in light of both local obligations and international expectations. Failing to notify a breach — or notifying too hastily — can have serious reputational, legal, and operational consequences.

        Understanding when (and how) to notify the ANPD is a key part of navigating Brazil’s complex but maturing data protection landscape.

        Leopoldo Pagotto

        Practice areas

        • Antitrust
        • Business Ethics and Compliance
        • Contracts
        • Corporate Law
        • Data Protection
        • Financial Crime

          Brazil Set to Join the GDPR Adequacy Club

          11 October 2025

          • Brazil
          • Contracts
          • Privacy and Data Protection

          In practice, this means adopting the concepts of safety-by-design and privacy-by-default from the outset. It is no longer enough to fix problems after they arise. Companies must anticipate risks to the physical, mental, and moral integrity of younger users and build preventive safeguards.

          Mandatory Impact Assessments and Platform Risk Analysis

          One of the pillars of the new legislation is the requirement for impact assessments. Platforms must conduct periodic detailed analyses of the potential effects of their functionalities (recommendation algorithms, engagement mechanisms, advertising systems, and even augmented reality features) on children and adolescents. These reports need to be properly documented internally and, in many cases, generate transparent information that can be shared with authorities or made available to the public in a summarized version.

          New Age Verification and Parental Control Obligations

          Age verification has become significantly more rigorous. A simple self-declaration (“click here if you are over 18”) is no longer considered sufficient. The law requires effective and proportionate mechanisms that respect privacy but genuinely manage to distinguish adults from minors. For users up to 16 years old, accounts on social networks and similar platforms must, as a rule, be linked to a legal guardian.

          Furthermore, companies are required to provide robust parental control tools. Guardians must have access to dashboards that allow them to set screen time limits, restrict contacts, approve or block in-app purchases, and disable personalized algorithmic recommendation systems. Many foreign clients I have spoken with still underestimate the weight of this requirement.

          Restrictions on Advertising, Profiling, and Gaming Monetization

          In the commercial sphere, the law is particularly restrictive. The use of advanced behavioral profiling, emotional analysis, or immersive technologies to target advertising at children and adolescents is prohibited. Monetization of content that inappropriately exploits the image of minors is also subject to severe limitations. In the gaming sector, there are express bans on “loot boxes” and randomized reward systems when the game is accessible to minors, precisely because of their addictive potential and the risk of uncontrolled spending.

          Harmful Content Removal and Reporting Requirements

          Another aspect that deserves attention is the swift removal of harmful content. The law establishes short deadlines – in some cases as little as 24 hours – for the removal of material related to sexual exploitation, violence, bullying, cyberbullying, incitement to suicide, self-harm, or drug use. In addition to removal, in serious situations platforms must notify the competent authorities, including through international cooperation when necessary.

          Legal Representation and Enforcement Risks for Foreign Companies

          For foreign companies without a physical presence in Brazil, the law strengthens enforcement mechanisms. It is mandatory to appoint a legal representative established in the country, with powers to receive judicial and administrative citations, respond to requests from the Public Prosecutor’s Office and the National Data Protection Authority (ANPD), and serve as the local point of contact.

          In fact, the ANPD assumes a central role in supervising and regulating the law, acting in coordination with the Public Prosecutor’s Office. This creates a more robust enforcement scenario than many international players initially anticipated. Moreover, the law provides for joint and several liability: subsidiaries, branches, or companies within the same economic group in Brazil may be held accountable for violations committed by the foreign parent company.

          Financial Penalties and Operational Sanctions

          The sanctions are dissuasive. Fines can reach up to 10% of the economic group’s revenue in Brazil in the previous year, or up to R$ 50 million per individual violation, depending on the severity. In extreme cases or in the event of recurrence, authorities may order the temporary suspension or even the complete blocking of the service within Brazilian territory. For companies that depend on the Brazilian market, especially consumer technology firms, this operational risk is very real.

          Relationship Between the ECA Digital and Brazil’s LGPD

          It is worth noting that the ECA Digital interacts closely with the General Data Protection Law (LGPD). Many of the principles of privacy-by-default, data minimization, and impact assessments already existed under the LGPD, but they now take on more specific contours when the data subject is a child or adolescent. The processing of minors’ data requires even greater care, with more restrictive legal bases and heightened attention to consent and the rights of legal guardians.

          Global Regulatory Trends and Brazilian Specificities

          From a comparative perspective, the Brazilian law aligns with global trends. It bears clear similarities to the UK’s Age Appropriate Design Code, certain aspects of the European DSA, and ongoing discussions in other Latin American countries. However, it presents distinctly Brazilian nuances: strong influence from the Public Prosecutor’s Office, the tradition of integral protection of children established in the 1990 Child and Adolescent Statute (ECA), and an approach that combines state regulation with the shared responsibility of families, schools, and platforms.

          Practical Compliance Steps for Foreign Technology Companies

          Foreign legal advisors must act with urgency. A good starting point is to conduct a comprehensive gap analysis: mapping user onboarding flows, reviewing advertising and algorithmic recommendation policies, assessing the adequacy of age verification mechanisms, and verifying whether the legal representation structure in Brazil meets the new requirements.

          In addition, it is important to prepare local teams or partners to handle administrative requests and potential audits. Investing in privacy-preserving age verification technologies, such as age estimation or document-based verification without excessive data storage, can make a difference both in compliance and in the user experience.

          Conclusion

          In summary, the ECA Digital is not merely a symbolic law. It imposes concrete obligations, with adaptation deadlines that have already expired for many companies, and carries real risks of financial and operational sanctions. For law firms advising international clients, especially small and medium-sized practices in Europe and Asia, the moment has come to help these players turn compliance into a competitive advantage.

          Those who manage to implement robust protection measures from the design stage of their products will not only avoid heavy fines but may also build greater trust with the Brazilian public and authorities.

          Summary: On January 25, 2026, Brazil and the EU mutually recognized each other as providing adequate personal data protection—removing, in many cases, the need for Standard Contractual Clauses (SCCs) or other transfer tools. This shifts the conversation from “copy-paste compliance” to strategy: deciding when to retire SCCs, updating cross-border transfer policies, and modernizing contractual models for future deals.

          Why this matters in real transactions

          Imagine you’re about to close a deal with a German business partner and your Brazilian client urgently asks for a data transfer clause. It’s always the same copy-paste: Standard Contractual Clauses (SCCs), Annex I and II in both languages, signatures on the dotted line. Now imagine this scene is finally unnecessary.

          The mutual adequacy milestone (January 25, 2026)

          On January 25, 2026, Brazil and the European Union mutually recognized each other as countries with adequate levels of personal data protection. It’s the first adequacy agreement signed between the EU and a Latin American country. In practical terms, it means that companies can transfer personal data between Brazil and the EU without the need for additional mechanisms, like SCCs or Binding Corporate Rules (BCRs). In strategic terms, it opens a new front of opportunities for Brazilian lawyers, especially those advising clients who export, import, invest, or operate in the EU.

          A starting point, not a “compliance break”

          This is a milestone and also a starting point. Mutual adequacy does not mean “relax your compliance programs”; on the contrary, it demands governance maturity and careful review.

          Three concrete fronts for legal work

          1. Retiring SCCs: Not Always Automatic

          The adequacy decision makes SCCs optional in many cases, but that doesn’t mean you can simply tear them up. For existing contracts that already use SCCs, lawyers will need to assess whether they should keep, revise, or remove those clauses. The answer will depend on the risks, data flows, and reliance on third countries in the processing chain. There may also be internal policies, negotiated warranties, or obligations to supervisory authorities that require formal justifications.

          In practice, companies with complex processing chains (e.g., European headquarters, shared Brazilian HR services, cloud servers in the U.S.) may continue using SCCs in certain flows even after the adequacy recognition. Lawyers will need to carefully document and track this hybrid model.

          2. Reviewing Cross-Border Data Transfer Policies

          Many companies, especially multinationals or those with multiple data protection obligations, have established cross-border data transfer policies (“CBTPs”) that classify countries into categories and associate specific safeguards with each. Brazil’s new status as an “adequate country” must now be reflected in those documents.

          For instance, a Brazilian company that receives data from France and sends it to Argentina and India may now adjust internal protocols to reduce documentation and controls on the EU → Brazil leg, while reinforcing controls in the Brazil → Argentina or Brazil → India legs. These changes must be aligned with the company’s policies, contracts, and internal training materials.

          3. Adapting Contractual Models for Future Deals

          The mutual adequacy decision creates a new contractual scenario. Brazilian lawyers advising international clients can now use data transfer models aligned with GDPR—without needing SCCs or complex annexes—provided both parties are located in Brazil and the EU.

          This reduces transaction costs, improves legal certainty, and increases speed in negotiations involving technology services, cross-border M&A, or shared service centers. A good contractual model should still include data protection clauses—but now focused on risk allocation, DPO cooperation, and incident response coordination, rather than formal compliance with Art. 46 GDPR or Arts. 33–36 LGPD.

          Summary: Brazil’s data protection authority (ANPD) is signaling a clear move toward stronger, more GDPR-aligned enforcement and rulemaking through its 2026–2027 Priority Topics Map and updated Regulatory Agenda. The selected priorities mirror familiar EU themes—data subject rights, children’s data, public-sector processing, and AI—while adding practical predictability for organizations planning compliance. For European businesses operating in Brazil, the direction of travel suggests increasing convergence in governance, risk assessment, and transparency expectations. This trajectory may also strengthen the long-term case for Brazil to pursue an EU adequacy decision.

          A maturing authority with a strategic alignment to GDPR

          While European regulators refine enforcement mechanisms for mature frameworks, Brazil is quietly building one of the world’s most GDPR-aligned data protection systems outside the EU. The release of the Priority Topics Map for 2026–2027 and the updated Regulatory Agenda by the National Data Protection Authority (ANPD) reveals an authority no longer in its infancy, but one strategically positioning itself as a credible counterpart to European supervisory bodies.

          ANPD’s priority topics for 2026–2027

          The four priority topics chosen by Brazil’s National Data Protection Authority (“ANPD”) tell a familiar tale to anyone working with GDPR compliance: data subject rights, protection of children and adolescents in digital environments, processing by public authorities, and artificial intelligence with emerging technologies.

          Why these priorities feel familiar to GDPR practitioners

          These are not arbitrary choices but deliberate alignments with the core concerns that have shaped European enforcement over the past seven years, from the fundamental rights guarantees in Articles 12 through 22, to the heightened scrutiny of processing involving minors, to the evolving regulatory treatment of algorithmic systems that now spans both GDPR recitals and the EU AI Act itself.

          Children and adolescents: new authority and converging expectations

          Brazil’s recent Digital Statute for Children and Adolescents hands ANPD substantial new authority over age verification and parental consent mechanisms, creating a regulatory bridge that should look strikingly familiar to companies navigating the UK’s Age Appropriate Design Code or implementing EDPB guidance on child data. European digital services operating in Brazil, particularly in social media, gaming, education, or wellness sectors, now face converging compliance expectations on both sides of the Atlantic. The technical architectures and consent flows designed for GDPR are increasingly fit for purpose in the Brazilian context as well.

          Artificial intelligence and emerging technologies

          The elevation of artificial intelligence to priority status represents ANPD’s clearest statement yet about where Brazilian regulation is headed. The move itself is hardly surprising, since AI is currently a concern for every regulator in every industry. While the LGPD lacks specific AI provisions, the authority has been methodically laying groundwork through public consultations on automated decision-making and studies on algorithmic profiling. For companies already deep in EU AI Act preparation, such a convergence offers something rare in global privacy compliance: the potential for genuine efficiency gains through shared governance frameworks, unified risk assessment methodologies, and harmonized transparency protocols rather than duplicative regional adaptations.

          Data subject rights and DPIAs: reinforcing accountability

          ANPD’s continued emphasis on data subject rights and Data Protection Impact Assessments reinforces the structural similarities with GDPR’s accountability model. The Brazilian approach increasingly mirrors European expectations around documented risk assessment, standardized response protocols for individual rights requests, and transparency obligations for profiling activities. Multinational organizations can now reasonably contemplate unified DPIA templates and centralized rights management systems that serve both jurisdictions without fundamental architectural splits.

          The updated Regulatory Agenda for 2025–2026: predictability as a compliance asset

          The updated Regulatory Agenda for 2025–2026 provides something perhaps more valuable than new rules: predictability. One should not underestimate the importance of predictability in Brazil, where it is a rare asset, even before the courts. Former Treasury Minister Pedro Malan once ironically stated that “in Brazil, even the past is uncertain”.

          What ANPD is telegraphing next

          By telegraphing upcoming initiatives on biometric data processing, inspection methodologies, sanctioning procedures, cybersecurity standards, and privacy program governance, ANPD offers companies the planning visibility that makes cross-border compliance feasible rather than reactive. These topics map directly onto GDPR’s controller obligations, security requirements, and Data Protection Officer independence provisions in Articles 24 through 39.

          Beyond compliance: what convergence could mean for data flows

          The regulatory convergence carries implications beyond operational compliance. The structural alignment between LGPD and GDPR, reinforced by ANPD’s strategic choices, strengthens the case for an eventual EU adequacy decision recognizing Brazil under Article 45.

          For European businesses and their counsel, the trajectory suggests not just reduced friction in managing trans-Atlantic data flows, but the emergence of genuinely compatible regulatory ecosystems. The challenge will be maintaining attention to Brazilian developments with the same intensity devoted to EDPB guidelines and Commission decisions, recognizing that convergence is a continuous process rather than a static achievement.

          Conclusion

          Brazil’s ANPD is increasingly setting priorities that mirror the main pressure points of GDPR compliance, while using its Regulatory Agenda to add clarity and sequencing to what comes next. For organizations operating across the EU and Brazil, the message is practical: governance structures, rights-handling processes, and risk assessment tooling built for GDPR are becoming progressively reusable in the Brazilian context. At the same time, staying alert to ANPD’s evolving guidance—especially around children’s data, AI, biometrics, cybersecurity, and enforcement methodology—will be key to turning regulatory convergence into real operational efficiency and reduced cross-border friction.

          Summary

          This article explores the ANPD’s 2025 Tech Radar on neurotechnologies and how it reshapes compliance risks for Brazilian healthtechs—especially in M&A contexts involving GDPR exposure. It outlines key regulatory concerns, the GDPR’s extraterritorial impact, major due-diligence red flags, and the essential deliverables investors should require.

          Introduction

          Brazil’s latest ANPD Tech Radar brings neurotechnologies to the forefront of data-protection compliance, exposing significant risks for healthtech companies and investors. With GDPR’s extraterritorial reach, sensitive data processing, opaque AI, and cross-border transfers, data governance has become a critical M&A due-diligence factor requiring structured reviews and robust contractual safeguards.

          Key Compliance Risks Shaping Brazilian Healthtech M&A

          Brazil’s Data Protection Authority (ANPD) released its 4th Tech Radar in June 2025, focusing entirely on neurotechnologies—marking the first time the regulator targeted this field so directly. The report explores brain-computer interfaces, advanced wearables, AI-driven cognitive therapies, and predictive diagnostics, highlighting risks far beyond traditional health data processing.

          For investors and lawyers working M&A deals in Brazil’s healthtech sector, this Radar signals that data protection is no longer a secondary compliance issue—it is now a major source of legal, reputational, and operational risk.

          GDPR’s Extraterritorial Relevance

          Many Brazilian healthtechs handle personal data from foreign individuals, particularly Europeans—through expats, medical tourists, cross-border clinical trials, or partnerships with EU-based vendors. When this occurs, GDPR Article 3(2) extends jurisdiction to the Brazilian company, even without any EU establishment.

          Main Risks Identified by ANPD (Tech Radar #4)

          • Inferring health data without explicit consent
            Example: wearables identifying depression through sleep or stress patterns without informing users.
          • Lack of transparency in predictive algorithms
            Black-box AI models making clinical decisions without accessible documentation.
          • Cybersecurity vulnerabilities in connected devices
            Neural implants or neurostimulators vulnerable to hacking, with potentially physical consequences.
          • Automated processing that impacts human dignity
            Behavioral profiling influencing insurance eligibility, discrimination, or patient autonomy in therapy environments.

          GDPR Article 22 prohibits automated decision-making with significant effects unless strict safeguards are implemented—making this a critical risk during due diligence.

          Most Common Red Flags in Brazilian Healthtech Due Diligence

          No clear legal basis for sensitive data (health, genetic, biometric)

          LGPD Impact (Brazil): Breach of LGPD Art. 11
          GDPR Parallel (Europe): Art. 9 (special categories)
          Practical Recommendation: Require full data-mapping and warranties

          Generic or “click-to-accept” consents

          LGPD Impact (Brazil): Invalid consent (Art. 7 & 11)
          GDPR Parallel (Europe): Art. 6 + 7
          Practical Recommendation: Ensure all consents are granular, specific, and revocable

          Third-party sharing without processor agreements

          LGPD Impact (Brazil): Breach of LGPD Art. 28 & 33
          GDPR Parallel (Europe): Art. 28
          Practical Recommendation: Verify existence and adequacy of all DPAs

          Missing or incomplete ROPA

          LGPD Impact (Brazil): Serious regulatory violation
          GDPR Parallel (Europe): Art. 30
          Practical Recommendation: Make ROPA delivery a closing condition

          Non-existent or conflicted DPO

          LGPD Impact (Brazil): Non-compliance with ANPD Resolution CD nº 2
          GDPR Parallel (Europe): Art. 37–39
          Practical Recommendation: Require interview + independence confirmation

          No DPIA for high-risk products

          LGPD Impact (Brazil): Mandatory (ANPD Res. 15/2023)
          GDPR Parallel (Europe): Art. 35
          Practical Recommendation: Include pre-closing DPIA audit clause

          International transfers without safeguards

          LGPD Impact (Brazil): Arts. 33–35
          GDPR Parallel (Europe): Arts. 44–50
          Practical Recommendation: Verify SCCs (2021/2023) or adequacy status

          Real Cases Illustrating the Scale of Risk

          • Telepsychology platforms investigated for using automated triage without informed consent or AI transparency.
          • ANPD actions against genomics startups due to cross-border transfers without SCCs or DPIAs.
          • Outsourced cloud hosting increasing irregular data transfer risks.

          Until Brazil receives an EU adequacy decision, SCCs and BCRs remain mandatory for compliant transfers.

          Essential Due Diligence Deliverables

          A robust data-protection review is now essential in healthtech M&A. Key deliverables include:

          • LGPD ↔ GDPR gap analysis
          • ROPA and DPIA review
          • Sub-processor contract verification
          • Mapping of all international transfers
          • Privacy-specific warranties and indemnities
          • Escrow or holdback for regulatory risk exposure

          Conclusion

          Data protection is no longer secondary in healthtech M&A—especially when neurodata is involved. With ANPD scrutinizing neurotechnologies and GDPR obligations extending across borders, investors must prioritize structured due diligence and strong contractual safeguards.

          FAQ

          Is neurodata considered sensitive personal data under the LGPD?

          Yes—ANPD treats neurodata as highly sensitive because it reveals cognitive, emotional, and health patterns.

          Does GDPR apply to Brazilian companies with no EU presence?

          Yes, via Article 3(2), whenever EU data subjects’ information is processed.

          Are SCCs still required for Brazil–EU transfers?

          Yes, until Brazil receives an EU adequacy decision.

          What are the top investor red flags?

          Missing DPIAs, unclear legal bases, opaque algorithms, and irregular transfers.

          Since the General Data Protection Regulation (GDPR) took effect in 2018, the European Union (EU) has granted adequacy status to only a limited number of jurisdictions — those whose data protection regimes are deemed to provide an “essentially equivalent” level of protection to that of the EU. The current list includes Andorra, Argentina, Canada (under PIPEDA), Faroe Islands, Guernsey, Isle of Man, Israel, Japan, Jersey, New Zealand, South Korea, Switzerland, Uruguay, the United Kingdom, and the United States (limited to companies certified under the Data Privacy Framework).

          As of 5 September 2025, Brazil is on the verge of joining this exclusive group. The European Commission has issued a draft adequacy decision concluding that the Brazilian General Data Protection Law (Lei Geral de Proteção de Dados Pessoais – LGPD), in conjunction with Brazil’s broader legal and constitutional framework, offers protections that are essentially equivalent to those found in the GDPR. While Brazil’s rules offer somewhat more flexibility in specific areas of data processing, the foundational principles and safeguards are well-aligned with EU standards.

          Once finalized, the adequacy decision will authorize the free flow of personal data from the EU to Brazil without the need for additional contractual clauses or technical safeguards. Such a development is not just regulatory — it also answers a core political argument made by LGPD advocates since its inception: that the absence of a comprehensive data protection framework was undermining Brazil’s international competitiveness by limiting data flows and discouraging investment. For businesses, the EU decision may finally mean the removal of a significant layer of compliance complexity — a development especially welcome by small and medium-sized enterprises engaged in cross-border trade or service provision. The draft is currently under review by the European Data Protection Board (EDPB) and the Member States of the EU.

          The Commission’s assessment highlights several key aspects of Brazil’s data protection landscape. It begins by noting that the Brazilian Constitution expressly guarantees the right to privacy and the protection of personal data — a notable distinction among non-EU jurisdictions. These protections are further supported by Brazil’s ratification of the American Convention on Human Rights and its recognition of the jurisdiction of the Inter-American Court of Human Rights, reinforcing a commitment to fundamental rights and democratic oversight.

          The LGPD mirrors the GDPR in many critical respects and defines its territorial scope clearly. It applies to: (i) data processing carried out within Brazilian territory, (ii) the offering of goods or services to individuals in Brazil, and (iii) data collected in Brazil, even if subsequently processed abroad. This aligns well with the extraterritorial provisions of the GDPR. The definitions of personal data, sensitive data, controller, and processor are materially similar, as are the key principles governing processing — including lawfulness, purpose limitation, data minimization, accuracy, transparency, and security. The law expressly excludes anonymized data from its scope and establishes specific exemptions for journalistic activities, public security, and scientific research.

          Another strength is Brazil’s institutional framework. The National Data Protection Authority (ANPD) was recently transformed into an autonomous regulatory agency, enhancing its independence and technical capacity. The ANPD holds both regulatory and enforcement powers: it can issue binding regulations, impose administrative sanctions, and publish authoritative guidance. To date, it has issued key guidelines on topics such as consent, legitimate interest, the role of the Data Protection Officer (DPO), and security incident reporting. Internationally, the ANPD is an active participant in global data protection dialogue — it is a member of the Global Privacy Assembly and an official observer to the Council of Europe’s Convention 108.

          The LGPD’s approach to international data transfers is also structurally aligned with the GDPR. It requires appropriate safeguards such as standard contractual clauses, allows for future adequacy decisions under a regime comparable to Article 45 of the GDPR, and includes detailed provisions for onward transfers and transit data — that is, data merely passing through Brazil without further processing. The rights of data subjects are robust and familiar to European practitioners: access, rectification, erasure, portability, and withdrawal of consent are guaranteed. Lawful bases for processing are also aligned — including consent, legal obligations, contract execution, and legitimate interest. Notably, the LGPD requires a documented balancing test when relying on legitimate interest, bringing additional accountability to this flexible legal basis.

          Security incidents involving personal data must be notified to both the ANPD and affected data subjects when there is a significant risk of harm. The standard notification deadline is 72 hours, and the required content aligns closely with Articles 33 and 34 of the GDPR. The ANPD may also order public disclosure of incidents or require remedial measures, depending on the nature and scope of the breach.

          Importantly, this process is not one-sided. In parallel to the European Commission’s adequacy decision, the ANPD is conducting its own adequacy assessment of the EU and EEA data protection frameworks. This process is regulated by the Brazilian Resolution CD/ANPD No. 19/2024, which governs international data transfers. Once the technical and legal evaluation is complete, the ANPD’s Board of Directors will issue a formal decision. This reciprocal move reflects Brazil’s commitment to mutual recognition and regulatory symmetry — a positive signal for companies on both sides of the Atlantic.

          In conclusion: If confirmed, Brazil’s adequacy status will simplify international operations, reduce compliance costs, and expand opportunities for data-driven business and legal cooperation. For European lawyers advising SMEs with interests in Latin America, this development is a strategic signal: Brazil is emerging not just as a growing market, but as a legally compatible and data-safe jurisdiction for international partnerships.

          On 23 August 2024, Brazil’s National Data Protection Authority (ANPD) issued Resolution No. 19, a landmark regulation governing the international transfer of personal data under the Brazilian General Data Protection Law (LGPD). Companies now have until 23 August 2025 to fully comply.

          This deadline is especially relevant for European multinationals operating in Brazil, or Brazilian subsidiaries sharing data with foreign HQs or vendors. The new rules align Brazil more closely with global privacy frameworks like the GDPR—but with local twists that demand attention.

          Why It Matters

          Unlike previous guidance, Resolution No. 19 creates binding legal obligations and explicit deadlines. It introduces mechanisms such as Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), and public transparency requirements—all within a strict 12-month timeframe.

          For many international companies, this will require significant updates to internal governance, contract management, and cloud data strategies. Below are the key takeaways for foreign counsel.

          Standard Contractual Clauses (SCCs): Now Mandatory

          The ANPD has released its own set of Standard Contractual Clauses, which must be used for data transfers to jurisdictions not recognized as offering “adequate protection.”

          Companies must adopt these clauses by 23 August 2025. This will likely require revisiting existing data processing agreements involving Brazilian parties and ensuring alignment with the ANPD template.

          Important: The SCCs cannot be modified beyond inserting details in the annexes. Any deviations require prior approval from the ANPD and are limited to exceptional cases.

          Broad Transparency Requirements

          Data controllers are now required to publish, on their website, a plain-language document explaining:

          • the purpose of the international data transfer,
          • the categories of data involved,
          • the countries of destination,
          • and the legal mechanism used to legitimize the transfer.

          Upon request, data subjects must also receive a copy of the full SCCs within 15 days. Multinationals will need protocols and document templates to respond efficiently—especially when dealing with requests in Portuguese.

          Expanded Definition of “International Transfer”

          The Resolution clarifies that a transfer occurs whenever:

          • data is accessed or stored by an entity located abroad, or
          • processing is outsourced to a cloud provider with servers or technical teams outside Brazil.

          This has important implications for global companies that centralize services such as payroll, CRM, or cybersecurity outside Brazil—even if hosted on multinational platforms.

          Binding Corporate Rules (BCRs): Now Recognized

          Multinationals with mature privacy programs may apply to the ANPD for approval of their own Binding Corporate Rules, offering an alternative to SCCs.

          This is a welcome development for companies seeking harmonized compliance across jurisdictions, but approval is expected to involve a complex and time-consuming process. Early preparation is essential.

          Custom Clauses in Exceptional Circumstances

          Companies unable to adopt the standard clauses—due to specific factual or legal constraints—may submit alternative clauses for ANPD approval. However, such flexibility is limited and subject to strict justification.

          In practice, the official SCCs will be the default path for most international data transfers involving Brazil.

          What Foreign Companies Should Do Now

The 12-month clock is already ticking. International groups operating in Brazil or processing Brazilian data should urgently:

          • Map all international data transfers involving Brazil;
          • Identify contracts and vendors requiring updates;
          • Insert ANPD’s SCCs where applicable;
          • Publish the required transparency notice online in Portuguese;
          • Monitor for further ANPD guidance or enforcement trends.

          Strategic Compliance: Beyond Legal Risk

          Resolution No. 19 is part of a global trend toward standardized but locally enforced privacy frameworks. For GDPR-compliant companies, Brazil’s new rules offer a chance to reaffirm leadership in data governance.

          Those who act early can avoid last-minute fire drills, reduce regulatory exposure, and strengthen credibility with Brazilian regulators and consumers.

          In today’s data economy, privacy compliance is more than a legal duty—it’s a business differentiator.

          Brazil’s National Data Protection Authority (ANPD) released a long-awaited guidance document on how companies should interpret and apply the legal basis of legitimate interest under the Brazilian General Data Protection Law (LGPD).

          This is not merely a local update. As Brazil continues to shape its data protection regime, foreign companies—particularly European SMEs with clients, platforms, or partners in Brazil—must adapt their compliance strategies to local expectations. This new guidance is a crucial development.

          Below, I summarize what has changed, how it compares to the GDPR approach, and what steps you (or your clients) should take next.

          Why Legitimate Interest Matters—But Remains Risky

Just like under the GDPR, Brazil’s LGPD allows personal data to be processed without consent when doing so is necessary for purposes aligned with the controller’s legitimate interests. However, because this legal basis went unregulated after the LGPD came into force, it has long been regarded as risky in Brazil – in fact, it was unclear how to evaluate the «legitimacy» of the interest and how to balance it against data subject rights.

          The ANPD’s «Guia Orientativo sobre o Legítimo Interesse» (Guidance on Legitimate Interest) fills that gap—providing a practical framework to assess, document, and justify this legal basis.

          The ANPD’s Three-Step Balancing Test

          The core of the new guidance is a three-step balancing test, which mirrors the GDPR’s Legitimate Interests Assessment (LIA) but with Brazilian nuances.

          • Purpose Test: The controller must define a specific, concrete, and legitimate objective behind the data processing. Open-ended or abstract justifications (“marketing purposes”, “efficiency”) will not suffice. The processing must also align with the reasonable expectations of the data subject.
          • Necessity Test: The data processing must be strictly necessary to achieve the defined purpose. If the same result could be achieved through less intrusive means (e.g. anonymized data or a different legal basis), the test will likely fail.
          • Balancing Test and Safeguards: This step assesses whether the controller’s interest outweighs the rights and freedoms of the data subject. Controllers must consider the nature of the data, the context of the processing, and the potential risks involved. When risks are identified, appropriate safeguards must be implemented, such as transparency, opt-outs, pseudonymization, and impact assessments.

          Takeaway: The ANPD recommends documenting the entire process. While this is not mandatory by law, it will be critical in case of investigations or complaints.

          How This Affects Foreign Companies Doing Business in Brazil

          Many foreign companies process personal data of Brazilian individuals—whether by offering digital services, interacting with Brazilian suppliers, or collecting contact information via websites or CRM tools.

          Although some assume that GDPR compliance is sufficient, the ANPD may evaluate legitimate interest more restrictively than some EU supervisory authorities.

          Foreign companies should:

          • Revisit their legal bases for processing data of Brazilian individuals.
          • Conduct a proper balancing test using the ANPD’s model, even for non-sensitive data.
          • Keep written records of the analysis (especially if using legitimate interest for analytics or marketing).
          • Update their privacy notices to reflect the legal basis and safeguards in place.
          • Be aware of the extraterritorial reach of the LGPD—yes, it applies even if you have no office in Brazil.

          Strategic Guidance

          If you advise SMEs that operate across jurisdictions—including Brazil—this new guidance is a practical compliance tool and a risk-mitigation opportunity.

          Here’s how to act now:

          • Perform a Legitimate Interests Assessment (LIA) whenever your client relies on this basis in Brazil.
          • Compare it with the GDPR LIA to identify overlaps and gaps.
          • Align documentation—so your clients are ready in the event of a complaint or data subject request.
          • Monitor ANPD updates—the ANPD has increased its activity and enforcement posture significantly in the past year.

          Final Thoughts

          The ANPD’s guidance reflects a growing maturity in Brazil’s data protection landscape. Legitimate interest is no longer a vague fallback—it requires structure, analysis, and above all, transparency.

          European companies with operations or digital exposure in Brazil should approach this legal basis with care and diligence. The good news? The ANPD is now offering the roadmap. It’s up to us, as legal advisors, to make sure our clients follow it.

          Want to see the full guidance? The original document (in Portuguese) is available here.

          Brazil is increasingly in the global spotlight when it comes to cybersecurity threats. With over 10 billion cyberattack attempts recorded in 2023 alone, the country ranks among the most targeted worldwide. These incidents are not abstract: they affect sensitive sectors such as finance and healthcare, including data leaks involving over 220 million data subjects from national institutions and critical infrastructure operators.

          While Brazil may seem like a distant jurisdiction, its data protection regime — shaped by the Lei Geral de Proteção de Dados (LGPD) — has growing significance for European businesses operating or partnering in the region. The LGPD, inspired by the GDPR, sets out specific obligations around data breach notification. However, unlike the GDPR’s mandatory 72-hour notification rule, not all security incidents must be reported to the Brazilian Data Protection Authority (ANPD).

          So: when exactly should a security incident be reported in Brazil?

          When Notification is Required: A Three-Step Test

          Under Brazilian law, a security incident involving personal data must be reported to the ANPD only if the following three criteria are cumulatively met:

          • The incident has been confirmed.
          • It involves personal data subject to the LGPD.
          • It poses a relevant risk or damage to data subjects.

          This third threshold is critical. According to the ANPD’s Security Incident Communication Regulation (RCIS), relevant risks include incidents that may:

          • Prevent the exercise of rights or access to services.
          • Cause material or moral harm.
          • Involve special categories of data such as: Sensitive personal data / Financial data / Large-scale datasets / Children’s or elderly persons’ data / Authentication credentials / Legally protected information (e.g., medical, legal, or professional secrets).

          This approach offers some flexibility – but it also requires careful legal judgment.

          When You Don’t Have to Notify

          There is no obligation to notify the ANPD if the incident does not result in significant risk or damage. For instance, if the breached data is non-sensitive and publicly available (e.g., general contact information), and no additional harm is expected, companies may reasonably determine that notification is unnecessary.

          However, this decision should not be taken lightly. Controllers are expected to assess several contextual factors, such as:

          • The volume and nature of the affected data.
          • Whether the data subjects can be identified.
          • The likely impact on fundamental rights.
          • The technical and security measures in place.
          • Any steps taken to mitigate the damage.

          In practice, each case must be analyzed individually — and well documented — to ensure a defensible position.

          How to Notify the ANPD (If Required)

          If the thresholds for notification are met, companies must report the incident within three business days from the date they became aware that personal data was affected. The notification must include:

          • A description of the breach and affected data.
          • The number and profile of impacted data subjects.
          • Security measures in place before and after the incident.
          • Potential risks to the data subjects.
          • Mitigation strategies.
          • Identification of the controller and DPO (if applicable).

          Notifications are submitted via the ANPD’s online platform (SUPER). Sensitive business information can be protected through a request for confidential treatment, provided it is properly justified.

          Strategic Takeaways for European Stakeholders

          For European companies and compliance officers, understanding the nuances of Brazilian data breach notification rules is essential for several reasons:

          • Cross-border compliance: Companies transferring personal data to Brazil must ensure regulatory alignment under the GDPR’s international transfer rules.
          • Due diligence: M&A or vendor screening in Brazil should include assessments of LGPD readiness and breach history.
          • Incident response protocols: Global organizations must harmonize breach notification timelines and thresholds across jurisdictions, adapting to Brazil’s risk-based approach.

          In a landscape of increasing cyber threats, aligning with the LGPD is not just a regulatory obligation — it’s a strategic necessity.

          Final Thoughts

          Brazil’s data protection authority does not adopt a «one size fits all» model for breach notification. The LGPD introduces a risk-based, case-by-case approach, which may offer more flexibility than the GDPR — but also places a greater burden on organizations to justify their decisions.

          European companies doing business in Brazil must be prepared to evaluate security incidents in light of both local obligations and international expectations. Failing to notify a breach — or notifying too hastily — can have serious reputational, legal, and operational consequences.

          Understanding when (and how) to notify the ANPD is a key part of navigating Brazil’s complex but maturing data protection landscape.

          Leopoldo Pagotto


            Brazil – Deadline for Compliance on International Data Transfers

            11 August 2025

            • Brazil
            • Privacy and Data Protection

            In practice, this means adopting the concepts of safety-by-design and privacy-by-default from the outset. It is no longer enough to fix problems after they arise. Companies must anticipate risks to the physical, mental, and moral integrity of younger users and build preventive safeguards.

            Mandatory Impact Assessments and Platform Risk Analysis

            One of the pillars of the new legislation is the requirement for impact assessments. Platforms must conduct periodic detailed analyses of the potential effects of their functionalities (recommendation algorithms, engagement mechanisms, advertising systems, and even augmented reality features) on children and adolescents. These reports need to be properly documented internally and, in many cases, generate transparent information that can be shared with authorities or made available to the public in a summarized version.

            New Age Verification and Parental Control Obligations

            Age verification has become significantly more rigorous. A simple self-declaration (“click here if you are over 18”) is no longer considered sufficient. The law requires effective and proportionate mechanisms that respect privacy but genuinely manage to distinguish adults from minors. For users up to 16 years old, accounts on social networks and similar platforms must, as a rule, be linked to a legal guardian.

            Furthermore, companies are required to provide robust parental control tools. Guardians must have access to dashboards that allow them to set screen time limits, restrict contacts, approve or block in-app purchases, and disable personalized algorithmic recommendation systems. Many foreign clients I have spoken with still underestimate the weight of this requirement.

            Restrictions on Advertising, Profiling, and Gaming Monetization

            In the commercial sphere, the law is particularly restrictive. The use of advanced behavioral profiling, emotional analysis, or immersive technologies to target advertising at children and adolescents is prohibited. Monetization of content that inappropriately exploits the image of minors is also subject to severe limitations. In the gaming sector, there are express bans on “loot boxes” and randomized reward systems when the game is accessible to minors, precisely because of their addictive potential and the risk of uncontrolled spending.

            Harmful Content Removal and Reporting Requirements

            Another aspect that deserves attention is the swift removal of harmful content. The law establishes short deadlines – in some cases as little as 24 hours – for the removal of material related to sexual exploitation, violence, bullying, cyberbullying, incitement to suicide, self-harm, or drug use. In addition to removal, in serious situations platforms must notify the competent authorities, including through international cooperation when necessary.

            Legal Representation and Enforcement Risks for Foreign Companies

            For foreign companies without a physical presence in Brazil, the law strengthens enforcement mechanisms. It is mandatory to appoint a legal representative established in the country, with powers to receive judicial and administrative citations, respond to requests from the Public Prosecutor’s Office and the National Data Protection Authority (ANPD), and serve as the local point of contact.

            In fact, the ANPD assumes a central role in supervising and regulating the law, acting in coordination with the Public Prosecutor’s Office. This creates a more robust enforcement scenario than many international players initially anticipated. Moreover, the law provides for joint and several liability: subsidiaries, branches, or companies within the same economic group in Brazil may be held accountable for violations committed by the foreign parent company.

            Financial Penalties and Operational Sanctions

            The sanctions are dissuasive. Fines can reach up to 10% of the economic group’s revenue in Brazil in the previous year, or up to R$ 50 million per individual violation, depending on the severity. In extreme cases or in the event of recurrence, authorities may order the temporary suspension or even the complete blocking of the service within Brazilian territory. For companies that depend on the Brazilian market, especially consumer technology firms, this operational risk is very real.

            Relationship Between the ECA Digital and Brazil’s LGPD

            It is worth noting that the ECA Digital interacts closely with the General Data Protection Law (LGPD). Many of the principles of privacy-by-default, data minimization, and impact assessments already existed under the LGPD, but they now take on more specific contours when the data subject is a child or adolescent. The processing of minors’ data requires even greater care, with more restrictive legal bases and heightened attention to consent and the rights of legal guardians.

            Global Regulatory Trends and Brazilian Specificities

            From a comparative perspective, the Brazilian law aligns with global trends. It bears clear similarities to the UK’s Age Appropriate Design Code, certain aspects of the European DSA, and ongoing discussions in other Latin American countries. However, it presents distinctly Brazilian nuances: strong influence from the Public Prosecutor’s Office, the tradition of integral protection of children established in the 1990 Child and Adolescent Statute (ECA), and an approach that combines state regulation with the shared responsibility of families, schools, and platforms.

            Practical Compliance Steps for Foreign Technology Companies

            Foreign legal advisors must act with urgency. A good starting point is to conduct a comprehensive gap analysis: mapping user onboarding flows, reviewing advertising and algorithmic recommendation policies, assessing the adequacy of age verification mechanisms, and verifying whether the legal representation structure in Brazil meets the new requirements.

            In addition, it is important to prepare local teams or partners to handle administrative requests and potential audits. Investing in privacy-preserving age verification technologies, such as age estimation or document-based verification without excessive data storage, can make a difference both in compliance and in the user experience.

            Conclusion

            In summary, the ECA Digital is not merely a symbolic law. It imposes concrete obligations, with adaptation deadlines that have already expired for many companies, and carries real risks of financial and operational sanctions. For law firms advising international clients, especially small and medium-sized practices in Europe and Asia, the moment has come to help these players turn compliance into a competitive advantage.

            Those who manage to implement robust protection measures from the design stage of their products will not only avoid heavy fines but may also build greater trust with the Brazilian public and authorities.

            Summary: On January 25, 2026, Brazil and the EU mutually recognized each other as providing adequate personal data protection—removing, in many cases, the need for Standard Contractual Clauses (SCCs) or other transfer tools. This shifts the conversation from “copy-paste compliance” to strategy: deciding when to retire SCCs, updating cross-border transfer policies, and modernizing contractual models for future deals.

            Why this matters in real transactions

            Imagine you’re about to close a deal with a German business partner and your Brazilian client urgently asks for a data transfer clause. It’s always the same copy-paste: Standard Contractual Clauses (SCCs), Annex I and II in both languages, signatures on the dotted line. Now imagine this scene is finally unnecessary.

            The mutual adequacy milestone (January 25, 2026)

            On January 25, 2026, Brazil and the European Union mutually recognized each other as countries with adequate levels of personal data protection. It’s the first adequacy agreement signed between the EU and a Latin American country. In practical terms, it means that companies can transfer personal data between Brazil and the EU without the need for additional mechanisms, like SCCs or Binding Corporate Rules (BCRs). In strategic terms, it opens a new front of opportunities for Brazilian lawyers, especially those advising clients who export, import, invest, or operate in the EU.

            A starting point, not a “compliance break”

            This is a milestone and also a starting point. Mutual adequacy does not mean «relax your compliance programs»; on the contrary, it demands governance maturity and careful review.

            Three concrete fronts for legal work

            1. Retiring SCCs: Not Always Automatic

            The adequacy decision makes SCCs optional in many cases, but that doesn’t mean you can simply tear them up. For existing contracts that already use SCCs, lawyers will need to assess whether they should keep, revise, or remove those clauses. The answer will depend on the risks, data flows, and reliance on third countries in the processing chain. There may also be internal policies, negotiated warranties, or obligations to supervisory authorities that require formal justifications.

            In practice, companies with complex processing chains (e.g., European headquarters, shared Brazilian HR services, cloud servers in the U.S.) may continue using SCCs in certain flows even after the adequacy recognition. Lawyers will need to carefully document and track this hybrid model.

            2. Reviewing Cross-Border Data Transfer Policies

            Many companies, especially multinationals or those with multiple data protection obligations, have established cross-border data transfer policies («CBTPs») that classify countries into categories and associate specific safeguards for each. Brazil’s new status as an «adequate country» must now be reflected in those documents.

            For instance, a Brazilian company that receives data from France and sends it to Argentina and India may now adjust internal protocols to reduce documentation and controls on the EU → Brazil leg, while reinforcing controls in the Brazil → Argentina or Brazil → India legs. These changes must be aligned with the company’s policies, contracts, and internal training materials.

            3. Adapting Contractual Models for Future Deals

            The mutual adequacy decision creates a new contractual scenario. Brazilian lawyers advising international clients can now use data transfer models aligned with GDPR—without needing SCCs or complex annexes—provided both parties are located in Brazil and the EU.

            This reduces transaction costs, improves legal certainty, and increases speed in negotiations involving technology services, cross-border M&A, or shared service centers. A good contractual model should still include data protection clauses—but now focused on risk allocation, DPO cooperation, and incident response coordination, rather than formal compliance with Art. 46 GDPR or Arts. 33–36 LGPD.

            Summary: Brazil’s data protection authority (ANPD) is signaling a clear move toward stronger, more GDPR-aligned enforcement and rulemaking through its 2026–2027 Priority Topics Map and updated Regulatory Agenda. The selected priorities mirror familiar EU themes—data subject rights, children’s data, public-sector processing, and AI—while adding practical predictability for organizations planning compliance. For European businesses operating in Brazil, the direction of travel suggests increasing convergence in governance, risk assessment, and transparency expectations. This trajectory may also strengthen the long-term case for Brazil to pursue an EU adequacy decision.

            A maturing authority with a strategic alignment to GDPR

            While European regulators refine enforcement mechanisms for mature frameworks, Brazil is quietly building one of the world’s most GDPR-aligned data protection systems outside the EU. The release of the Priority Topics Map for 2026–2027 and the updated Regulatory Agenda by the National Agency of Personal Data Protection (ANPD) reveals an authority no longer in its infancy, but one strategically positioning itself as a credible counterpart to European supervisory bodies.

            ANPD’s priority topics for 2026–2027

            The four priority topics chosen by Brazil’s National Data Protection Authority («ANPD») tell a familiar tale to anyone working with GDPR compliance: data subject rights, protection of children and adolescents in digital environments, processing by public authorities, and artificial intelligence with emerging technologies.

            Why these priorities feel familiar to GDPR practitioners

            These are not arbitrary choices but deliberate alignments with the core concerns that have shaped European enforcement over the past seven years, from the fundamental rights guarantees in Articles 12 through 22, to the heightened scrutiny of processing involving minors, to the evolving regulatory treatment of algorithmic systems that now spans both GDPR recitals and the EU AI Act itself.

            Children and adolescents: new authority and converging expectations

            Brazil’s recent Digital Statute for Children and Adolescents hands ANPD substantial new authority over age verification and parental consent mechanisms, creating a regulatory bridge that should look strikingly familiar to companies navigating the UK’s Age Appropriate Design Code or implementing EDPB guidance on child data. European digital services operating in Brazil, particularly in social media, gaming, education, or wellness sectors, now face converging compliance expectations on both sides of the Atlantic. The technical architectures and consent flows designed for GDPR are increasingly fit for purpose in the Brazilian context as well.

            Artificial intelligence and emerging technologies

            The elevation of artificial intelligence to priority status represents ANPD’s clearest statement yet about where Brazilian regulation is headed – in fact, the move is hardly surprising, since AI is a concern for every regulator in every industry. While the LGPD lacks specific AI provisions, the authority has been methodically laying groundwork through public consultations on automated decision-making and studies on algorithmic profiling. For companies already deep in EU AI Act preparation, such a convergence offers something rare in global privacy compliance: the potential for genuine efficiency gains through shared governance frameworks, unified risk assessment methodologies, and harmonized transparency protocols rather than duplicative regional adaptations.

            Data subject rights and DPIAs: reinforcing accountability

            ANPD’s continued emphasis on data subject rights and Data Protection Impact Assessments reinforces the structural similarities with GDPR’s accountability model. The Brazilian approach increasingly mirrors European expectations around documented risk assessment, standardized response protocols for individual rights requests, and transparency obligations for profiling activities. Multinational organizations can now reasonably contemplate unified DPIA templates and centralized rights management systems that serve both jurisdictions without fundamental architectural splits.

            The updated Regulatory Agenda for 2025–2026: predictability as a compliance asset

            The updated Regulatory Agenda for 2025–2026 provides something perhaps more valuable than new rules: predictability. One should not underestimate the importance of predictability in Brazil, where it is a rare asset, even before the courts – former Treasury Minister Pedro Malan once ironically stated that «in Brazil, even the past is uncertain».

            What ANPD is telegraphing next

            By telegraphing upcoming initiatives on biometric data processing, inspection methodologies, sanctioning procedures, cybersecurity standards, and privacy program governance, ANPD offers companies the planning visibility that makes cross-border compliance feasible rather than reactive. These topics map directly onto GDPR’s controller obligations, security requirements, and Data Protection Officer independence provisions in Articles 24 through 39.

            Beyond compliance: what convergence could mean for data flows

            The regulatory convergence carries implications beyond operational compliance. The structural alignment between LGPD and GDPR, reinforced by ANPD’s strategic choices, strengthens the case for an eventual EU adequacy decision recognizing Brazil under Article 45.

            For European businesses and their counsel, the trajectory suggests not just reduced friction in managing trans-Atlantic data flows, but the emergence of genuinely compatible regulatory ecosystems. The challenge will be maintaining attention to Brazilian developments with the same intensity devoted to EDPB guidelines and Commission decisions, recognizing that convergence is a continuous process rather than a static achievement.

            Conclusion

            Brazil’s ANPD is increasingly setting priorities that mirror the main pressure points of GDPR compliance, while using its Regulatory Agenda to add clarity and sequencing to what comes next. For organizations operating across the EU and Brazil, the message is practical: governance structures, rights-handling processes, and risk assessment tooling built for GDPR are becoming progressively reusable in the Brazilian context. At the same time, staying alert to ANPD’s evolving guidance—especially around children’s data, AI, biometrics, cybersecurity, and enforcement methodology—will be key to turning regulatory convergence into real operational efficiency and reduced cross-border friction.

            Summary
            This article explores the ANPD’s 2025 Tech Radar on neurotechnologies and how it reshapes compliance risks for Brazilian healthtechs—especially in M&A contexts involving GDPR exposure. It outlines key regulatory concerns, the GDPR’s extraterritorial impact, major due-diligence red flags, and the essential deliverables investors should require.

            Introduction

            Brazil’s latest ANPD Tech Radar brings neurotechnologies to the forefront of data-protection compliance, exposing significant risks for healthtech companies and investors. With GDPR’s extraterritorial reach, sensitive data processing, opaque AI, and cross-border transfers, data governance has become a critical M&A due-diligence factor requiring structured reviews and robust contractual safeguards.

            Key Compliance Risks Shaping Brazilian Healthtech M&A

            Brazil’s Data Protection Authority (ANPD) released its 4th Tech Radar in June 2025, focusing entirely on neurotechnologies—marking the first time the regulator targeted this field so directly. The report explores brain-computer interfaces, advanced wearables, AI-driven cognitive therapies, and predictive diagnostics, highlighting risks far beyond traditional health data processing.

            For investors and lawyers working M&A deals in Brazil’s healthtech sector, this Radar signals that data protection is no longer a secondary compliance issue—it is now a major source of legal, reputational, and operational risk.

            GDPR’s Extraterritorial Relevance

            Many Brazilian healthtechs handle personal data from foreign individuals, particularly Europeans—through expats, medical tourists, cross-border clinical trials, or partnerships with EU-based vendors. When this occurs, GDPR Article 3(2) extends jurisdiction to the Brazilian company, even without any EU establishment.

            Main Risks Identified by ANPD (Tech Radar #4)

            • Inferring health data without explicit consent
              Example: wearables identifying depression through sleep or stress patterns without informing users.
            • Lack of transparency in predictive algorithms
              Black-box AI models making clinical decisions without accessible documentation.
            • Cybersecurity vulnerabilities in connected devices
              Neural implants or neurostimulators vulnerable to hacking, with potentially physical consequences.
            • Automated processing that impacts human dignity
              Behavioral profiling influencing insurance eligibility, discrimination, or patient autonomy in therapy environments.

            GDPR Article 22 prohibits automated decision-making with significant effects unless strict safeguards are implemented—making this a critical risk during due diligence.

            Most Common Red Flags in Brazilian Healthtech Due Diligence

            No clear legal basis for sensitive data (health, genetic, biometric)

            LGPD Impact (Brazil): Breach of LGPD Art. 11
            GDPR Parallel (Europe): Art. 9 (special categories)
            Practical Recommendation: Require full data-mapping and warranties

            Generic or “click-to-accept” consents

            LGPD Impact (Brazil): Invalid consent (Art. 7 & 11)
            GDPR Parallel (Europe): Art. 6 + 7
            Practical Recommendation: Ensure all consents are granular, specific, and revocable

            Third-party sharing without processor agreements

            LGPD Impact (Brazil): Breach of LGPD Art. 28 & 33
            GDPR Parallel (Europe): Art. 28
            Practical Recommendation: Verify existence and adequacy of all DPAs

            Missing or incomplete ROPA

            LGPD Impact (Brazil): Serious regulatory violation
            GDPR Parallel (Europe): Art. 30
            Practical Recommendation: Make ROPA delivery a closing condition

            Non-existent or conflicted DPO

            LGPD Impact (Brazil): Non-compliance with ANPD Resolution CD nº 2
            GDPR Parallel (Europe): Art. 37–39
            Practical Recommendation: Require interview + independence confirmation

            No DPIA for high-risk products

            LGPD Impact (Brazil): Mandatory (ANPD Res. 15/2023)
            GDPR Parallel (Europe): Art. 35
            Practical Recommendation: Include pre-closing DPIA audit clause

            International transfers without safeguards

            LGPD Impact (Brazil): Arts. 33–35
            GDPR Parallel (Europe): Arts. 44–50
            Practical Recommendation: Verify SCCs (2021/2023) or adequacy status

            Real Cases Illustrating the Scale of Risk

            • Telepsychology platforms investigated for using automated triage without informed consent or AI transparency.
            • ANPD actions against genomics startups due to cross-border transfers without SCCs or DPIAs.
            • Outsourced cloud hosting increasing irregular data transfer risks.

            Until Brazil receives an EU adequacy decision, SCCs and BCRs remain mandatory for compliant transfers.

            Essential Due Diligence Deliverables

            A robust data-protection review is now essential in healthtech M&A. Key deliverables include:

            • LGPD ↔ GDPR gap analysis
            • ROPA and DPIA review
            • Sub-processor contract verification
            • Mapping of all international transfers
            • Privacy-specific warranties and indemnities
            • Escrow or holdback for regulatory risk exposure

            Conclusion

            Data protection is no longer secondary in healthtech M&A—especially when neurodata is involved. With ANPD scrutinizing neurotechnologies and GDPR obligations extending across borders, investors must prioritize structured due diligence and strong contractual safeguards.

            FAQ

            Is neurodata considered sensitive personal data under the LGPD?

            Yes—ANPD treats neurodata as highly sensitive because it reveals cognitive, emotional, and health patterns.

            Does GDPR apply to Brazilian companies with no EU presence?

            Yes, via Article 3(2), whenever EU data subjects’ information is processed.

            Are SCCs still required for Brazil–EU transfers?

            Yes, until Brazil receives an EU adequacy decision.

            What are the top investor red flags?

            Missing DPIAs, unclear legal bases, opaque algorithms, and irregular transfers.

            Since the General Data Protection Regulation (GDPR) took effect in 2018, the European Union (EU) has granted adequacy status to only a limited number of jurisdictions — those whose data protection regimes are deemed to provide an «essentially equivalent» level of protection to that of the EU. The current list includes Andorra, Argentina, Canada (under PIPEDA), Faroe Islands, Guernsey, Isle of Man, Israel, Japan, Jersey, New Zealand, South Korea, Switzerland, Uruguay, the United Kingdom, and the United States (limited to companies certified under the Data Privacy Framework).

            As of 5 September 2025, Brazil is on the verge of joining this exclusive group. The European Commission has issued a draft adequacy decision concluding that the Brazilian General Data Protection Law (Lei Geral de Proteção de Dados Pessoais – LGPD), in conjunction with Brazil’s broader legal and constitutional framework, offers protections that are essentially equivalent to those found in the GDPR. While Brazil’s rules offer somewhat more flexibility in specific areas of data processing, the foundational principles and safeguards are well-aligned with EU standards.

            Once finalized, the adequacy decision will authorize the free flow of personal data from the EU to Brazil without the need for additional contractual clauses or technical safeguards. Such a development is not just regulatory — it also answers a core political argument made by LGPD advocates since its inception: that the absence of a comprehensive data protection framework was undermining Brazil’s international competitiveness by limiting data flows and discouraging investment. For businesses, the EU decision may finally mean the removal of a significant layer of compliance complexity — a development especially welcome by small and medium-sized enterprises engaged in cross-border trade or service provision. The draft is currently under review by the European Data Protection Board (EDPB) and the Member States of the EU.

            The Commission’s assessment highlights several key aspects of Brazil’s data protection landscape. It begins by noting that the Brazilian Constitution expressly guarantees the right to privacy and the protection of personal data — a notable distinction among non-EU jurisdictions. These protections are further supported by Brazil’s ratification of the American Convention on Human Rights and its recognition of the jurisdiction of the Inter-American Court of Human Rights, reinforcing a commitment to fundamental rights and democratic oversight.

            The LGPD mirrors the GDPR in many critical respects and defines its territorial scope clearly. It applies to: (i) data processing carried out within Brazilian territory, (ii) the offering of goods or services to individuals in Brazil, and (iii) data collected in Brazil, even if subsequently processed abroad. This aligns well with the extraterritorial provisions of the GDPR. The definitions of personal data, sensitive data, controller, and processor are materially similar, as are the key principles governing processing — including lawfulness, purpose limitation, data minimization, accuracy, transparency, and security. The law expressly excludes anonymized data from its scope and establishes specific exemptions for journalistic activities, public security, and scientific research.

            Another strength is Brazil’s institutional framework. The National Data Protection Authority (ANPD) was recently transformed into an autonomous regulatory agency, enhancing its independence and technical capacity. The ANPD holds both regulatory and enforcement powers: it can issue binding regulations, impose administrative sanctions, and publish authoritative guidance. To date, it has issued key guidelines on topics such as consent, legitimate interest, the role of the Data Protection Officer (DPO), and security incident reporting. Internationally, the ANPD is an active participant in global data protection dialogue — it is a member of the Global Privacy Assembly and an official observer to the Council of Europe’s Convention 108.

            The LGPD’s approach to international data transfers is also structurally aligned with the GDPR. It requires appropriate safeguards such as standard contractual clauses, allows for future adequacy decisions under a regime comparable to Article 45 of the GDPR, and includes detailed provisions for onward transfers and transit data — that is, data merely passing through Brazil without further processing. The rights of data subjects are robust and familiar to European practitioners: access, rectification, erasure, portability, and withdrawal of consent are guaranteed. Lawful bases for processing are also aligned — including consent, legal obligations, contract execution, and legitimate interest. Notably, the LGPD requires a documented balancing test when relying on legitimate interest, bringing additional accountability to this flexible legal basis.

            Security incidents involving personal data must be notified to both the ANPD and affected data subjects when there is a significant risk of harm. The standard notification deadline is 72 hours, and the required content aligns closely with Articles 33 and 34 of the GDPR. The ANPD may also order public disclosure of incidents or require remedial measures, depending on the nature and scope of the breach.

            Importantly, this process is not one-sided. In parallel to the European Commission’s adequacy decision, the ANPD is conducting its own adequacy assessment of the EU and EEA data protection frameworks. This process is regulated by the Brazilian Resolution CD/ANPD No. 19/2024, which governs international data transfers. Once the technical and legal evaluation is complete, the ANPD’s Board of Directors will issue a formal decision. This reciprocal move reflects Brazil’s commitment to mutual recognition and regulatory symmetry — a positive signal for companies on both sides of the Atlantic.

            In conclusion: If confirmed, Brazil’s adequacy status will simplify international operations, reduce compliance costs, and expand opportunities for data-driven business and legal cooperation. For European lawyers advising SMEs with interests in Latin America, this development is a strategic signal: Brazil is emerging not just as a growing market, but as a legally compatible and data-safe jurisdiction for international partnerships.

            On 23 August 2024, Brazil’s National Data Protection Authority (ANPD) issued Resolution No. 19, a landmark regulation governing the international transfer of personal data under the Brazilian General Data Protection Law (LGPD). Companies now have until 23 August 2025 to fully comply.

            This deadline is especially relevant for European multinationals operating in Brazil, or Brazilian subsidiaries sharing data with foreign HQs or vendors. The new rules align Brazil more closely with global privacy frameworks like the GDPR—but with local twists that demand attention.

            Why It Matters

            Unlike previous guidance, Resolution No. 19 creates binding legal obligations and explicit deadlines. It introduces mechanisms such as Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), and public transparency requirements—all within a strict 12-month timeframe.

            For many international companies, this will require significant updates to internal governance, contract management, and cloud data strategies. Below are the key takeaways for foreign counsel.

            Standard Contractual Clauses (SCCs): Now Mandatory

            The ANPD has released its own set of Standard Contractual Clauses, which must be used for data transfers to jurisdictions not recognized as offering “adequate protection.”

            Companies must adopt these clauses by 23 August 2025. This will likely require revisiting existing data processing agreements involving Brazilian parties and ensuring alignment with the ANPD template.

            Important: The SCCs cannot be modified beyond inserting details in the annexes. Any deviations require prior approval from the ANPD and are limited to exceptional cases.

            Broad Transparency Requirements

            Data controllers are now required to publish, on their website, a plain-language document explaining:

            • the purpose of the international data transfer,
            • the categories of data involved,
            • the countries of destination,
            • and the legal mechanism used to legitimize the transfer.

            Upon request, data subjects must also receive a copy of the full SCCs within 15 days. Multinationals will need protocols and document templates to respond efficiently—especially when dealing with requests in Portuguese.

            Expanded Definition of “International Transfer”

            The Resolution clarifies that a transfer occurs whenever:

            • data is accessed or stored by an entity located abroad, or
            • processing is outsourced to a cloud provider with servers or technical teams outside Brazil.

            This has important implications for global companies that centralize services such as payroll, CRM, or cybersecurity outside Brazil—even if hosted on multinational platforms.

            Binding Corporate Rules (BCRs): Now Recognized

            Multinationals with mature privacy programs may apply to the ANPD for approval of their own Binding Corporate Rules, offering an alternative to SCCs.

            This is a welcome development for companies seeking harmonized compliance across jurisdictions, but approval is expected to involve a complex and time-consuming process. Early preparation is essential.

            Custom Clauses in Exceptional Circumstances

            Companies unable to adopt the standard clauses—due to specific factual or legal constraints—may submit alternative clauses for ANPD approval. However, such flexibility is limited and subject to strict justification.

            In practice, the official SCCs will be the default path for most international data transfers involving Brazil.

            What Foreign Companies Should Do Now

            The 12-month window is already ticking. International groups operating in Brazil or processing Brazilian data should urgently:

            • Map all international data transfers involving Brazil;
            • Identify contracts and vendors requiring updates;
            • Insert ANPD’s SCCs where applicable;
            • Publish the required transparency notice online in Portuguese;
            • Monitor for further ANPD guidance or enforcement trends.

            Strategic Compliance: Beyond Legal Risk

            Resolution No. 19 is part of a global trend toward standardized but locally enforced privacy frameworks. For GDPR-compliant companies, Brazil’s new rules offer a chance to reaffirm leadership in data governance.

            Those who act early can avoid last-minute fire drills, reduce regulatory exposure, and strengthen credibility with Brazilian regulators and consumers.

            In today’s data economy, privacy compliance is more than a legal duty—it’s a business differentiator.

            Brazil’s National Data Protection Authority (ANPD) released a long-awaited guidance document on how companies should interpret and apply the legal basis of legitimate interest under the Brazilian General Data Protection Law (LGPD).

            This is not merely a local update. As Brazil continues to shape its data protection regime, foreign companies—particularly European SMEs with clients, platforms, or partners in Brazil—must adapt their compliance strategies to local expectations. This new guidance is a crucial development.

            Below, I summarize what has changed, how it compares to the GDPR approach, and what steps you (or your clients) should take next.

            Why Legitimate Interest Matters—But Remains Risky

Just like under the GDPR, Brazil’s LGPD allows personal data to be processed without consent when doing so is necessary for purposes aligned with the controller’s legitimate interests. However, due to the lack of regulation since the LGPD came into force, this legal basis has long been regarded as risky in Brazil – in fact, it was unclear how to evaluate the «legitimacy» of the interest and balance it against data subject rights.

            The ANPD’s «Guia Orientativo sobre o Legítimo Interesse» (Guidance on Legitimate Interest) fills that gap—providing a practical framework to assess, document, and justify this legal basis.

            The ANPD’s Three-Step Balancing Test

            The core of the new guidance is a three-step balancing test, which mirrors the GDPR’s Legitimate Interests Assessment (LIA) but with Brazilian nuances.

• Purpose Test: The controller must define a specific, concrete, and legitimate objective behind the data processing. Open-ended or abstract justifications (“marketing purposes”, “efficiency”) will not suffice. The processing must also align with the reasonable expectations of the data subject.
• Necessity Test: The data processing must be strictly necessary to achieve the defined purpose. If the same result could be achieved through less intrusive means (e.g. anonymized data or a different legal basis), the test will likely fail.
• Balancing Test and Safeguards: This step assesses whether the controller’s interest outweighs the rights and freedoms of the data subject. Controllers must consider the nature of the data, the context of the processing, and the potential risks involved. When risks are identified, appropriate safeguards must be implemented, such as transparency, opt-outs, pseudonymization, and impact assessments.

            Takeaway: The ANPD recommends documenting the entire process. While this is not mandatory by law, it will be critical in case of investigations or complaints.

            How This Affects Foreign Companies doing business in Brazil

            Many foreign companies process personal data of Brazilian individuals—whether by offering digital services, interacting with Brazilian suppliers, or collecting contact information via websites or CRM tools.

            Although some assume that GDPR compliance is sufficient, the ANPD may evaluate legitimate interest more restrictively than some EU supervisory authorities.

            Foreign companies should:

            • Revisit their legal bases for processing data of Brazilian individuals.
            • Conduct a proper balancing test using the ANPD’s model, even for non-sensitive data.
            • Keep written records of the analysis (especially if using legitimate interest for analytics or marketing).
            • Update their privacy notices to reflect the legal basis and safeguards in place.
            • Be aware of the extraterritorial reach of the LGPD—yes, it applies even if you have no office in Brazil.

            Strategic Guidance

            If you advise SMEs that operate across jurisdictions—including Brazil—this new guidance is a practical compliance tool and a risk-mitigation opportunity.

            Here’s how to act now:

            • Perform a Legitimate Interests Assessment (LIA) whenever your client relies on this basis in Brazil.
            • Compare it with the GDPR LIA to identify overlaps and gaps.
            • Align documentation—so your clients are ready in the event of a complaint or data subject request.
            • Monitor ANPD updates—the ANPD has increased its activity and enforcement posture significantly in the past year.

            Final Thoughts

            The ANPD’s guidance reflects a growing maturity in Brazil’s data protection landscape. Legitimate interest is no longer a vague fallback—it requires structure, analysis, and above all, transparency.

            European companies with operations or digital exposure in Brazil should approach this legal basis with care and diligence. The good news? The ANPD is now offering the roadmap. It’s up to us, as legal advisors, to make sure our clients follow it.

            Want to see the full guidance? The original document (in Portuguese) is available here.

            Brazil is increasingly in the global spotlight when it comes to cybersecurity threats. With over 10 billion cyberattack attempts recorded in 2023 alone, the country ranks among the most targeted worldwide. These incidents are not abstract: they affect sensitive sectors such as finance and healthcare, including data leaks involving over 220 million data subjects from national institutions and critical infrastructure operators.

            While Brazil may seem like a distant jurisdiction, its data protection regime — shaped by the Lei Geral de Proteção de Dados (LGPD) — has growing significance for European businesses operating or partnering in the region. The LGPD, inspired by the GDPR, sets out specific obligations around data breach notification. However, unlike the GDPR’s mandatory 72-hour notification rule, not all security incidents must be reported to the Brazilian Data Protection Authority (ANPD).

            So: when exactly should a security incident be reported in Brazil?

            When Notification is Required: A Three-Step Test

            Under Brazilian law, a security incident involving personal data must be reported to the ANPD only if the following three criteria are cumulatively met:

            • The incident has been confirmed.
            • It involves personal data subject to the LGPD.
            • It poses a relevant risk or damage to data subjects.

            This third threshold is critical. According to the ANPD’s Security Incident Communication Regulation (RCIS), relevant risks include incidents that may:

            • Prevent the exercise of rights or access to services.
            • Cause material or moral harm.
• Involve special categories of data, such as sensitive personal data, financial data, large-scale datasets, children’s or elderly persons’ data, authentication credentials, or legally protected information (e.g., medical, legal, or professional secrets).

            This approach offers some flexibility – but it also requires careful legal judgment.

            When You Don’t Have to Notify

            There is no obligation to notify the ANPD if the incident does not result in significant risk or damage. For instance, if the breached data is non-sensitive and publicly available (e.g., general contact information), and no additional harm is expected, companies may reasonably determine that notification is unnecessary.

            However, this decision should not be taken lightly. Controllers are expected to assess several contextual factors, such as:

            • The volume and nature of the affected data.
            • Whether the data subjects can be identified.
            • The likely impact on fundamental rights.
            • The technical and security measures in place.
            • Any steps taken to mitigate the damage.

            In practice, each case must be analyzed individually — and well documented — to ensure a defensible position.

            How to Notify the ANPD (If Required)

            If the thresholds for notification are met, companies must report the incident within three business days from the date they became aware that personal data was affected. The notification must include:

            • A description of the breach and affected data.
            • The number and profile of impacted data subjects.
            • Security measures in place before and after the incident.
            • Potential risks to the data subjects.
            • Mitigation strategies.
            • Identification of the controller and DPO (if applicable).

            Notifications are submitted via the ANPD’s online platform (SUPER). Sensitive business information can be protected through a request for confidential treatment, provided it is properly justified.

            Strategic Takeaways for European Stakeholders

            For European companies and compliance officers, understanding the nuances of Brazilian data breach notification rules is essential for several reasons:

            • Cross-border compliance: Companies transferring personal data to Brazil must ensure regulatory alignment under the GDPR’s international transfer rules.
            • Due diligence: M&A or vendor screening in Brazil should include assessments of LGPD readiness and breach history.
            • Incident response protocols: Global organizations must harmonize breach notification timelines and thresholds across jurisdictions, adapting to Brazil’s risk-based approach.

            In a landscape of increasing cyber threats, aligning with the LGPD is not just a regulatory obligation — it’s a strategic necessity.

            Final Thoughts

            Brazil’s data protection authority does not adopt a «one size fits all» model for breach notification. The LGPD introduces a risk-based, case-by-case approach, which may offer more flexibility than the GDPR — but also places a greater burden on organizations to justify their decisions.

            European companies doing business in Brazil must be prepared to evaluate security incidents in light of both local obligations and international expectations. Failing to notify a breach — or notifying too hastily — can have serious reputational, legal, and operational consequences.

            Understanding when (and how) to notify the ANPD is a key part of navigating Brazil’s complex but maturing data protection landscape.

            Leopoldo Pagotto


              Brazil | Legitimate Interest under Data Protection Law: The official Guidance Explained

10 June 2025

• Brazil
• Privacy and Data Protection


              In practice, this means adopting the concepts of safety-by-design and privacy-by-default from the outset. It is no longer enough to fix problems after they arise. Companies must anticipate risks to the physical, mental, and moral integrity of younger users and build preventive safeguards.

              Mandatory Impact Assessments and Platform Risk Analysis

One of the pillars of the new legislation is the requirement for impact assessments. Platforms must periodically conduct detailed analyses of the potential effects of their functionalities (recommendation algorithms, engagement mechanisms, advertising systems, and even augmented reality features) on children and adolescents. These analyses must be properly documented internally and, in many cases, produce transparency information that can be shared with authorities or published in summarized form.

              New Age Verification and Parental Control Obligations

Age verification has become significantly more rigorous. A simple self-declaration (“click here if you are over 18”) is no longer considered sufficient. The law requires effective and proportionate mechanisms that respect privacy yet can reliably distinguish adults from minors. For users up to 16 years old, accounts on social networks and similar platforms must, as a rule, be linked to a legal guardian.

              Furthermore, companies are required to provide robust parental control tools. Guardians must have access to dashboards that allow them to set screen time limits, restrict contacts, approve or block in-app purchases, and disable personalized algorithmic recommendation systems. Many foreign clients I have spoken with still underestimate the weight of this requirement.

              Restrictions on Advertising, Profiling, and Gaming Monetization

              In the commercial sphere, the law is particularly restrictive. The use of advanced behavioral profiling, emotional analysis, or immersive technologies to target advertising at children and adolescents is prohibited. Monetization of content that inappropriately exploits the image of minors is also subject to severe limitations. In the gaming sector, there are express bans on “loot boxes” and randomized reward systems when the game is accessible to minors, precisely because of their addictive potential and the risk of uncontrolled spending.

              Harmful Content Removal and Reporting Requirements

              Another aspect that deserves attention is the swift removal of harmful content. The law establishes short deadlines – in some cases as little as 24 hours – for the removal of material related to sexual exploitation, violence, bullying, cyberbullying, incitement to suicide, self-harm, or drug use. In addition to removal, in serious situations platforms must notify the competent authorities, including through international cooperation when necessary.

              Legal Representation and Enforcement Risks for Foreign Companies

              For foreign companies without a physical presence in Brazil, the law strengthens enforcement mechanisms. It is mandatory to appoint a legal representative established in the country, with powers to receive judicial and administrative citations, respond to requests from the Public Prosecutor’s Office and the National Data Protection Authority (ANPD), and serve as the local point of contact.

              In fact, the ANPD assumes a central role in supervising and regulating the law, acting in coordination with the Public Prosecutor’s Office. This creates a more robust enforcement scenario than many international players initially anticipated. Moreover, the law provides for joint and several liability: subsidiaries, branches, or companies within the same economic group in Brazil may be held accountable for violations committed by the foreign parent company.

              Financial Penalties and Operational Sanctions

              The sanctions are dissuasive. Fines can reach up to 10% of the economic group’s revenue in Brazil in the previous year, or up to R$ 50 million per individual violation, depending on the severity. In extreme cases or in the event of recurrence, authorities may order the temporary suspension or even the complete blocking of the service within Brazilian territory. For companies that depend on the Brazilian market, especially consumer technology firms, this operational risk is very real.

              Relationship Between the ECA Digital and Brazil’s LGPD

              It is worth noting that the ECA Digital interacts closely with the General Data Protection Law (LGPD). Many of the principles of privacy-by-default, data minimization, and impact assessments already existed under the LGPD, but they now take on more specific contours when the data subject is a child or adolescent. The processing of minors’ data requires even greater care, with more restrictive legal bases and heightened attention to consent and the rights of legal guardians.

              Global Regulatory Trends and Brazilian Specificities

              From a comparative perspective, the Brazilian law aligns with global trends. It bears clear similarities to the UK’s Age Appropriate Design Code, certain aspects of the European DSA, and ongoing discussions in other Latin American countries. However, it presents distinctly Brazilian nuances: strong influence from the Public Prosecutor’s Office, the tradition of integral protection of children established in the 1990 Child and Adolescent Statute (ECA), and an approach that combines state regulation with the shared responsibility of families, schools, and platforms.

              Practical Compliance Steps for Foreign Technology Companies

              Foreign legal advisors must act with urgency. A good starting point is to conduct a comprehensive gap analysis: mapping user onboarding flows, reviewing advertising and algorithmic recommendation policies, assessing the adequacy of age verification mechanisms, and verifying whether the legal representation structure in Brazil meets the new requirements.

              In addition, it is important to prepare local teams or partners to handle administrative requests and potential audits. Investing in privacy-preserving age verification technologies, such as age estimation or document-based verification without excessive data storage, can make a difference both in compliance and in the user experience.
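The data-minimizing age assurance described above, both the age verification and guardian-link requirements and the recommendation to verify age without excessive data storage, can be implemented along the following lines. This is an added example, not code from the article or from any platform. It assumes that a document check or age-estimation step yields a date of birth once, at onboarding; that date is reduced to an age bracket and then discarded, and only an HMAC-signed attestation of the bracket is stored. The bracket names, the under-16 guardian threshold, the signing-key handling and the default-settings mapping are all assumptions chosen for illustration, not the statute's wording.

```python
"""Data-minimising age assurance with a signed age-bracket attestation.

Added example (not from the article). Assumptions, chosen for illustration:
  - A document check or age-estimation step yields a date of birth once, at
    onboarding; it is reduced to a bracket and never persisted.
  - Bracket names, the under-16 guardian-link threshold, the HMAC signing key
    handling and the default-settings mapping are hypothetical.
"""
import base64
import binascii
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass
from datetime import date, timedelta
from typing import Optional

# Hypothetical server-side key; a real deployment loads it from a secrets manager.
SIGNING_KEY = b"example-signing-key-rotate-me"

# Upper bound (exclusive) -> bracket name; None matches any remaining age.
BRACKETS = [(13, "under_13"), (16, "13_15"), (18, "16_17"), (None, "adult")]
GUARDIAN_LINK_BRACKETS = {"under_13", "13_15"}  # assumed reading of "up to 16"


def age_on(dob: date, today: date) -> int:
    """Completed years between dob and today (birthday not yet reached this year counts down)."""
    years = today.year - dob.year
    if (today.month, today.day) < (dob.month, dob.day):
        years -= 1
    return years


def bracket_for(age: int) -> str:
    for limit, name in BRACKETS:
        if limit is None or age < limit:
            return name
    raise ValueError("BRACKETS must end with a catch-all entry")


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_attestation(dob: date, verified_on: date, ttl_days: int = 365) -> str:
    """Sign only the bracket and dates; the date of birth is not part of the token."""
    claims = {
        "bracket": bracket_for(age_on(dob, verified_on)),
        "verified_on": verified_on.isoformat(),
        "expires_on": (verified_on + timedelta(days=ttl_days)).isoformat(),
    }
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def verify_attestation(token: str, today: date) -> Optional[dict]:
    """Return the claims if the HMAC checks out and the token is unexpired, else None."""
    try:
        payload_b64, tag_b64 = token.split(".")
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    claims = json.loads(payload)
    if date.fromisoformat(claims["expires_on"]) < today:
        return None
    return claims


@dataclass(frozen=True)
class AccountDefaults:
    guardian_link_required: bool
    personalised_recommendations: bool
    purchases_need_guardian_approval: bool
    behavioural_ad_profiling: bool


def defaults_for(bracket: str) -> AccountDefaults:
    """Privacy-by-default posture per bracket (assumed mapping, not the statute's text)."""
    if bracket == "adult":
        return AccountDefaults(False, True, False, True)
    return AccountDefaults(
        guardian_link_required=bracket in GUARDIAN_LINK_BRACKETS,
        personalised_recommendations=False,
        purchases_need_guardian_approval=True,
        behavioural_ad_profiling=False,
    )


def onboard(dob: date, verified_on: date) -> dict:
    """What the account store receives: an attestation and defaults, never the DoB."""
    token = issue_attestation(dob, verified_on)
    claims = verify_attestation(token, verified_on)
    return {"age_attestation": token, "defaults": asdict(defaults_for(claims["bracket"]))}


if __name__ == "__main__":
    # Constructed input: a user born 15 Jan 2011, verified on the law's start date.
    print(json.dumps(onboard(date(2011, 1, 15), date(2026, 3, 17)), indent=2))
```

The token expires after a fixed TTL rather than on the date the user crosses a bracket boundary, because a boundary-aligned expiry would reveal the birthday the design is trying not to store. The cost is that a user may remain in a more restrictive bracket for up to one TTL after a birthday, which errs on the protective side; re-verification at expiry moves them up.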

              Conclusion

              In summary, the ECA Digital is not merely a symbolic law. It imposes concrete obligations, with adaptation deadlines that have already expired for many companies, and carries real risks of financial and operational sanctions. For law firms advising international clients, especially small and medium-sized practices in Europe and Asia, the moment has come to help these players turn compliance into a competitive advantage.

              Those who manage to implement robust protection measures from the design stage of their products will not only avoid heavy fines but may also build greater trust with the Brazilian public and authorities.

              Summary: On January 25, 2026, Brazil and the EU mutually recognized each other as providing adequate personal data protection—removing, in many cases, the need for Standard Contractual Clauses (SCCs) or other transfer tools. This shifts the conversation from “copy-paste compliance” to strategy: deciding when to retire SCCs, updating cross-border transfer policies, and modernizing contractual models for future deals.

              Why this matters in real transactions

              Imagine you’re about to close a deal with a German business partner and your Brazilian client urgently asks for a data transfer clause. It’s always the same copy-paste: Standard Contractual Clauses (SCCs), Annex I and II in both languages, signatures on the dotted line. Now imagine this scene is finally unnecessary.

              The mutual adequacy milestone (January 25, 2026)

On January 25, 2026, Brazil and the European Union mutually recognized each other as jurisdictions with adequate levels of personal data protection. It is the first mutual adequacy arrangement between the EU and a Latin American country. In practical terms, it means that companies can transfer personal data between Brazil and the EU without additional mechanisms such as SCCs or Binding Corporate Rules (BCRs). In strategic terms, it opens a new front of opportunities for Brazilian lawyers, especially those advising clients who export, import, invest, or operate in the EU.

              A starting point, not a “compliance break”

              This is a milestone and also a starting point. Mutual adequacy does not mean «relax your compliance programs»; on the contrary, it demands governance maturity and careful review.

              Three concrete fronts for legal work

              1.      Retiring SCCs: Not Always Automatic

              The adequacy decision makes SCCs optional in many cases, but that doesn’t mean you can simply tear them up. For existing contracts that already use SCCs, lawyers will need to assess whether they should keep, revise, or remove those clauses. The answer will depend on the risks, data flows, and reliance on third countries in the processing chain. There may also be internal policies, negotiated warranties, or obligations to supervisory authorities that require formal justifications.

              In practice, companies with complex processing chains (e.g., European headquarters, shared Brazilian HR services, cloud servers in the U.S.) may continue using SCCs in certain flows even after the adequacy recognition. Lawyers will need to carefully document and track this hybrid model.

              2.      Reviewing Cross-Border Data Transfer Policies

              Many companies, especially multinationals or those with multiple data protection obligations, have established cross-border data transfer policies («CBTPs») that classify countries into categories and associate specific safeguards for each. Brazil’s new status as an «adequate country» must now be reflected in those documents.

              For instance, a Brazilian company that receives data from France and sends it to Argentina and India may now adjust internal protocols to reduce documentation and controls on the EU → Brazil leg, while reinforcing controls in the Brazil → Argentina or Brazil → India legs. These changes must be aligned with the company’s policies, contracts, and internal training materials.

              3.      Adapting Contractual Models for Future Deals

The mutual adequacy decision creates a new contractual scenario. Brazilian lawyers advising international clients can now use data transfer models aligned with the GDPR, without SCCs or complex annexes, provided the transfer runs between parties established in Brazil and the EU.

              This reduces transaction costs, improves legal certainty, and increases speed in negotiations involving technology services, cross-border M&A, or shared service centers. A good contractual model should still include data protection clauses—but now focused on risk allocation, DPO cooperation, and incident response coordination, rather than formal compliance with Art. 46 GDPR or Arts. 33–36 LGPD.

              Summary: Brazil’s data protection authority (ANPD) is signaling a clear move toward stronger, more GDPR-aligned enforcement and rulemaking through its 2026–2027 Priority Topics Map and updated Regulatory Agenda. The selected priorities mirror familiar EU themes—data subject rights, children’s data, public-sector processing, and AI—while adding practical predictability for organizations planning compliance. For European businesses operating in Brazil, the direction of travel suggests increasing convergence in governance, risk assessment, and transparency expectations. This trajectory may also strengthen the long-term case for Brazil to pursue an EU adequacy decision.

              A maturing authority with a strategic alignment to GDPR

While European regulators refine enforcement mechanisms for mature frameworks, Brazil is quietly building one of the most GDPR-aligned data protection systems outside the EU. The release of the Priority Topics Map for 2026–2027 and the updated Regulatory Agenda by the National Data Protection Authority (ANPD) reveals an authority no longer in its infancy, but one strategically positioning itself as a credible counterpart to European supervisory bodies.

              ANPD’s priority topics for 2026–2027

              The four priority topics chosen by Brazil’s National Data Protection Authority («ANPD») tell a familiar tale to anyone working with GDPR compliance: data subject rights, protection of children and adolescents in digital environments, processing by public authorities, and artificial intelligence with emerging technologies.

              Why these priorities feel familiar to GDPR practitioners

              These are not arbitrary choices but deliberate alignments with the core concerns that have shaped European enforcement over the past seven years, from the fundamental rights guarantees in Articles 12 through 22, to the heightened scrutiny of processing involving minors, to the evolving regulatory treatment of algorithmic systems that now spans both GDPR recitals and the EU AI Act itself.

              Children and adolescents: new authority and converging expectations

              Brazil’s recent Digital Statute for Children and Adolescents hands ANPD substantial new authority over age verification and parental consent mechanisms, creating a regulatory bridge that should look strikingly familiar to companies navigating the UK’s Age Appropriate Design Code or implementing EDPB guidance on child data. European digital services operating in Brazil, particularly in social media, gaming, education, or wellness sectors, now face converging compliance expectations on both sides of the Atlantic. The technical architectures and consent flows designed for GDPR are increasingly fit for purpose in the Brazilian context as well.

              Artificial intelligence and emerging technologies

The elevation of artificial intelligence to priority status is ANPD’s clearest statement yet about where Brazilian regulation is headed; the move itself is hardly surprising, since AI is on the agenda of every regulator in every industry. While the LGPD lacks specific AI provisions, the authority has been methodically laying groundwork through public consultations on automated decision-making and studies on algorithmic profiling. For companies already deep in EU AI Act preparation, this convergence offers something rare in global privacy compliance: the potential for genuine efficiency gains through shared governance frameworks, unified risk assessment methodologies, and harmonized transparency protocols rather than duplicative regional adaptations.

              Data subject rights and DPIAs: reinforcing accountability

              ANPD’s continued emphasis on data subject rights and Data Protection Impact Assessments reinforces the structural similarities with GDPR’s accountability model. The Brazilian approach increasingly mirrors European expectations around documented risk assessment, standardized response protocols for individual rights requests, and transparency obligations for profiling activities. Multinational organizations can now reasonably contemplate unified DPIA templates and centralized rights management systems that serve both jurisdictions without fundamental architectural splits.

              The updated Regulatory Agenda for 2025–2026: predictability as a compliance asset

The updated Regulatory Agenda for 2025–2026 provides something perhaps more valuable than new rules: predictability. One should not underestimate the importance of predictability in Brazil, where it is a rare asset, even before the courts; former Finance Minister Pedro Malan once ironically remarked that «in Brazil, even the past is uncertain».

              What ANPD is telegraphing next

              By telegraphing upcoming initiatives on biometric data processing, inspection methodologies, sanctioning procedures, cybersecurity standards, and privacy program governance, ANPD offers companies the planning visibility that makes cross-border compliance feasible rather than reactive. These topics map directly onto GDPR’s controller obligations, security requirements, and Data Protection Officer independence provisions in Articles 24 through 39.

              Beyond compliance: what convergence could mean for data flows

              The regulatory convergence carries implications beyond operational compliance. The structural alignment between LGPD and GDPR, reinforced by ANPD’s strategic choices, strengthens the case for an eventual EU adequacy decision recognizing Brazil under Article 45.

              For European businesses and their counsel, the trajectory suggests not just reduced friction in managing trans-Atlantic data flows, but the emergence of genuinely compatible regulatory ecosystems. The challenge will be maintaining attention to Brazilian developments with the same intensity devoted to EDPB guidelines and Commission decisions, recognizing that convergence is a continuous process rather than a static achievement.

              Conclusion

              Brazil’s ANPD is increasingly setting priorities that mirror the main pressure points of GDPR compliance, while using its Regulatory Agenda to add clarity and sequencing to what comes next. For organizations operating across the EU and Brazil, the message is practical: governance structures, rights-handling processes, and risk assessment tooling built for GDPR are becoming progressively reusable in the Brazilian context. At the same time, staying alert to ANPD’s evolving guidance—especially around children’s data, AI, biometrics, cybersecurity, and enforcement methodology—will be key to turning regulatory convergence into real operational efficiency and reduced cross-border friction.

              Summary
              This article explores the ANPD’s 2025 Tech Radar on neurotechnologies and how it reshapes compliance risks for Brazilian healthtechs—especially in M&A contexts involving GDPR exposure. It outlines key regulatory concerns, the GDPR’s extraterritorial impact, major due-diligence red flags, and the essential deliverables investors should require.

              Introduction

              Brazil’s latest ANPD Tech Radar brings neurotechnologies to the forefront of data-protection compliance, exposing significant risks for healthtech companies and investors. With GDPR’s extraterritorial reach, sensitive data processing, opaque AI, and cross-border transfers, data governance has become a critical M&A due-diligence factor requiring structured reviews and robust contractual safeguards.

              Key Compliance Risks Shaping Brazilian Healthtech M&A

              Brazil’s Data Protection Authority (ANPD) released its 4th Tech Radar in June 2025, focusing entirely on neurotechnologies—marking the first time the regulator targeted this field so directly. The report explores brain-computer interfaces, advanced wearables, AI-driven cognitive therapies, and predictive diagnostics, highlighting risks far beyond traditional health data processing.

              For investors and lawyers working M&A deals in Brazil’s healthtech sector, this Radar signals that data protection is no longer a secondary compliance issue—it is now a major source of legal, reputational, and operational risk.

              GDPR’s Extraterritorial Relevance

Many Brazilian healthtechs handle personal data from foreign individuals, particularly Europeans, through expats, medical tourists, cross-border clinical trials, or partnerships with EU-based vendors. Where the Brazilian company offers goods or services to individuals in the EU, or monitors their behaviour there, GDPR Article 3(2) extends the Regulation’s reach to it, even without any EU establishment.

              Main Risks Identified by ANPD (Tech Radar #4)

              • Inferring health data without explicit consent
                Example: wearables identifying depression through sleep or stress patterns without informing users.
              • Lack of transparency in predictive algorithms
                Black-box AI models making clinical decisions without accessible documentation.
              • Cybersecurity vulnerabilities in connected devices
                Neural implants or neurostimulators vulnerable to hacking, with potentially physical consequences.
              • Automated processing that impacts human dignity
                Behavioral profiling influencing insurance eligibility, discrimination, or patient autonomy in therapy environments.

GDPR Article 22 restricts decisions based solely on automated processing that produce legal or similarly significant effects on the individual, allowing them only under narrow exceptions and with safeguards such as human intervention and the right to contest the decision. This makes automated clinical or eligibility decisions a critical risk during due diligence.

              Most Common Red Flags in Brazilian Healthtech Due Diligence

              No clear legal basis for sensitive data (health, genetic, biometric)

              LGPD Impact (Brazil): Breach of LGPD Art. 11
              GDPR Parallel (Europe): Art. 9 (special categories)
              Practical Recommendation: Require full data-mapping and warranties

              Generic or “click-to-accept” consents

              LGPD Impact (Brazil): Invalid consent (Art. 7 & 11)
              GDPR Parallel (Europe): Art. 6 + 7
              Practical Recommendation: Ensure all consents are granular, specific, and revocable

              Third-party sharing without processor agreements

LGPD Impact (Brazil): Processor acting outside the controller’s instructions and joint liability (LGPD Arts. 39 and 42); Art. 33 where the third party is abroad
              GDPR Parallel (Europe): Art. 28
              Practical Recommendation: Verify existence and adequacy of all DPAs

              Missing or incomplete ROPA

              LGPD Impact (Brazil): Serious regulatory violation
              GDPR Parallel (Europe): Art. 30
              Practical Recommendation: Make ROPA delivery a closing condition

              Non-existent or conflicted DPO

LGPD Impact (Brazil): Non-compliance with LGPD Art. 41 and ANPD Resolution CD/ANPD No. 18/2024 (DPO regulation)
              GDPR Parallel (Europe): Art. 37–39
              Practical Recommendation: Require interview + independence confirmation

              No DPIA for high-risk products

LGPD Impact (Brazil): Required whenever the ANPD demands it and expected for high-risk processing (LGPD Art. 38; Art. 10, §3 for legitimate interest)
              GDPR Parallel (Europe): Art. 35
              Practical Recommendation: Include pre-closing DPIA audit clause

              International transfers without safeguards

              LGPD Impact (Brazil): Arts. 33–35
              GDPR Parallel (Europe): Arts. 44–50
              Practical Recommendation: Verify SCCs (2021/2023) or adequacy status

              Real Cases Illustrating the Scale of Risk

              • Telepsychology platforms investigated for using automated triage without informed consent or AI transparency.
              • ANPD actions against genomics startups due to cross-border transfers without SCCs or DPIAs.
              • Outsourced cloud hosting increasing irregular data transfer risks.

              Until Brazil receives an EU adequacy decision, SCCs and BCRs remain mandatory for compliant transfers.

              Essential Due Diligence Deliverables

              A robust data-protection review is now essential in healthtech M&A. Key deliverables include:

              • LGPD ↔ GDPR gap analysis
              • ROPA and DPIA review
              • Sub-processor contract verification
              • Mapping of all international transfers
              • Privacy-specific warranties and indemnities
              • Escrow or holdback for regulatory risk exposure

              Conclusion

              Data protection is no longer secondary in healthtech M&A—especially when neurodata is involved. With ANPD scrutinizing neurotechnologies and GDPR obligations extending across borders, investors must prioritize structured due diligence and strong contractual safeguards.

              FAQ

              Is neurodata considered sensitive personal data under the LGPD?

              Yes—ANPD treats neurodata as highly sensitive because it reveals cognitive, emotional, and health patterns.

              Does GDPR apply to Brazilian companies with no EU presence?

Yes, via Article 3(2), when the company offers goods or services to individuals in the EU or monitors their behaviour there, even without an EU establishment.

              Are SCCs still required for Brazil–EU transfers?

              Yes, until Brazil receives an EU adequacy decision.

              What are the top investor red flags?

              Missing DPIAs, unclear legal bases, opaque algorithms, and irregular transfers.

              Since the General Data Protection Regulation (GDPR) took effect in 2018, the European Union (EU) has granted adequacy status to only a limited number of jurisdictions — those whose data protection regimes are deemed to provide an «essentially equivalent» level of protection to that of the EU. The current list includes Andorra, Argentina, Canada (under PIPEDA), Faroe Islands, Guernsey, Isle of Man, Israel, Japan, Jersey, New Zealand, South Korea, Switzerland, Uruguay, the United Kingdom, and the United States (limited to companies certified under the Data Privacy Framework).

              As of 5 September 2025, Brazil is on the verge of joining this exclusive group. The European Commission has issued a draft adequacy decision concluding that the Brazilian General Data Protection Law (Lei Geral de Proteção de Dados Pessoais – LGPD), in conjunction with Brazil’s broader legal and constitutional framework, offers protections that are essentially equivalent to those found in the GDPR. While Brazil’s rules offer somewhat more flexibility in specific areas of data processing, the foundational principles and safeguards are well-aligned with EU standards.

              Once finalized, the adequacy decision will authorize the free flow of personal data from the EU to Brazil without the need for additional contractual clauses or technical safeguards. Such a development is not just regulatory — it also answers a core political argument made by LGPD advocates since its inception: that the absence of a comprehensive data protection framework was undermining Brazil’s international competitiveness by limiting data flows and discouraging investment. For businesses, the EU decision may finally mean the removal of a significant layer of compliance complexity — a development especially welcome by small and medium-sized enterprises engaged in cross-border trade or service provision. The draft is currently under review by the European Data Protection Board (EDPB) and the Member States of the EU.

              The Commission’s assessment highlights several key aspects of Brazil’s data protection landscape. It begins by noting that the Brazilian Constitution expressly guarantees the right to privacy and the protection of personal data — a notable distinction among non-EU jurisdictions. These protections are further supported by Brazil’s ratification of the American Convention on Human Rights and its recognition of the jurisdiction of the Inter-American Court of Human Rights, reinforcing a commitment to fundamental rights and democratic oversight.

              The LGPD mirrors the GDPR in many critical respects and defines its territorial scope clearly. It applies to: (i) data processing carried out within Brazilian territory, (ii) the offering of goods or services to individuals in Brazil, and (iii) data collected in Brazil, even if subsequently processed abroad. This aligns well with the extraterritorial provisions of the GDPR. The definitions of personal data, sensitive data, controller, and processor are materially similar, as are the key principles governing processing — including lawfulness, purpose limitation, data minimization, accuracy, transparency, and security. The law expressly excludes anonymized data from its scope and establishes specific exemptions for journalistic activities, public security, and scientific research.

              Another strength is Brazil’s institutional framework. The National Data Protection Authority (ANPD) was recently transformed into an autonomous regulatory agency, enhancing its independence and technical capacity. The ANPD holds both regulatory and enforcement powers: it can issue binding regulations, impose administrative sanctions, and publish authoritative guidance. To date, it has issued key guidelines on topics such as consent, legitimate interest, the role of the Data Protection Officer (DPO), and security incident reporting. Internationally, the ANPD is an active participant in global data protection dialogue — it is a member of the Global Privacy Assembly and an official observer to the Council of Europe’s Convention 108.

              The LGPD’s approach to international data transfers is also structurally aligned with the GDPR. It requires appropriate safeguards such as standard contractual clauses, allows for future adequacy decisions under a regime comparable to Article 45 of the GDPR, and includes detailed provisions for onward transfers and transit data — that is, data merely passing through Brazil without further processing. The rights of data subjects are robust and familiar to European practitioners: access, rectification, erasure, portability, and withdrawal of consent are guaranteed. Lawful bases for processing are also aligned — including consent, legal obligations, contract execution, and legitimate interest. Notably, the LGPD requires a documented balancing test when relying on legitimate interest, bringing additional accountability to this flexible legal basis.

              Security incidents involving personal data must be notified to both the ANPD and affected data subjects when there is a significant risk of harm. The standard notification deadline is 72 hours, and the required content aligns closely with Articles 33 and 34 of the GDPR. The ANPD may also order public disclosure of incidents or require remedial measures, depending on the nature and scope of the breach.

              Importantly, this process is not one-sided. In parallel to the European Commission’s adequacy decision, the ANPD is conducting its own adequacy assessment of the EU and EEA data protection frameworks. This process is regulated by the Brazilian Resolution CD/ANPD No. 19/2024, which governs international data transfers. Once the technical and legal evaluation is complete, the ANPD’s Board of Directors will issue a formal decision. This reciprocal move reflects Brazil’s commitment to mutual recognition and regulatory symmetry — a positive signal for companies on both sides of the Atlantic.

              In conclusion: If confirmed, Brazil’s adequacy status will simplify international operations, reduce compliance costs, and expand opportunities for data-driven business and legal cooperation. For European lawyers advising SMEs with interests in Latin America, this development is a strategic signal: Brazil is emerging not just as a growing market, but as a legally compatible and data-safe jurisdiction for international partnerships.

              On 23 August 2024, Brazil’s National Data Protection Authority (ANPD) issued Resolution No. 19, a landmark regulation governing the international transfer of personal data under the Brazilian General Data Protection Law (LGPD). Companies now have until 23 August 2025 to fully comply.

              This deadline is especially relevant for European multinationals operating in Brazil, or Brazilian subsidiaries sharing data with foreign HQs or vendors. The new rules align Brazil more closely with global privacy frameworks like the GDPR—but with local twists that demand attention.

              Why It Matters

              Unlike previous guidance, Resolution No. 19 creates binding legal obligations and explicit deadlines. It introduces mechanisms such as Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), and public transparency requirements—all within a strict 12-month timeframe.

              For many international companies, this will require significant updates to internal governance, contract management, and cloud data strategies. Below are the key takeaways for foreign counsel.

              Standard Contractual Clauses (SCCs): Now Mandatory

              The ANPD has released its own set of Standard Contractual Clauses, which must be used for data transfers to jurisdictions not recognized as offering “adequate protection.”

              Companies must adopt these clauses by 23 August 2025. This will likely require revisiting existing data processing agreements involving Brazilian parties and ensuring alignment with the ANPD template.

              Important: The SCCs cannot be modified beyond inserting details in the annexes. Any deviations require prior approval from the ANPD and are limited to exceptional cases.

              Broad Transparency Requirements

              Data controllers are now required to publish, on their website, a plain-language document explaining:

              • the purpose of the international data transfer,
              • the categories of data involved,
              • the countries of destination,
              • and the legal mechanism used to legitimize the transfer.

              Upon request, data subjects must also receive a copy of the full SCCs within 15 days. Multinationals will need protocols and document templates to respond efficiently—especially when dealing with requests in Portuguese.

              Expanded Definition of “International Transfer”

              The Resolution clarifies that a transfer occurs whenever:

              • data is accessed or stored by an entity located abroad, or
              • processing is outsourced to a cloud provider with servers or technical teams outside Brazil.

              This has important implications for global companies that centralize services such as payroll, CRM, or cybersecurity outside Brazil—even if hosted on multinational platforms.

              Binding Corporate Rules (BCRs): Now Recognized

              Multinationals with mature privacy programs may apply to the ANPD for approval of their own Binding Corporate Rules, offering an alternative to SCCs.

              This is a welcome development for companies seeking harmonized compliance across jurisdictions, but approval is expected to involve a complex and time-consuming process. Early preparation is essential.

              Custom Clauses in Exceptional Circumstances

              Companies unable to adopt the standard clauses—due to specific factual or legal constraints—may submit alternative clauses for ANPD approval. However, such flexibility is limited and subject to strict justification.

              In practice, the official SCCs will be the default path for most international data transfers involving Brazil.

              What Foreign Companies Should Do Now

              The 12-month window is already ticking. International groups operating in Brazil or processing Brazilian data should urgently:

              • Map all international data transfers involving Brazil;
              • Identify contracts and vendors requiring updates;
              • Insert ANPD’s SCCs where applicable;
              • Publish the required transparency notice online in Portuguese;
              • Monitor for further ANPD guidance or enforcement trends.

              Strategic Compliance: Beyond Legal Risk

              Resolution No. 19 is part of a global trend toward standardized but locally enforced privacy frameworks. For GDPR-compliant companies, Brazil’s new rules offer a chance to reaffirm leadership in data governance.

              Those who act early can avoid last-minute fire drills, reduce regulatory exposure, and strengthen credibility with Brazilian regulators and consumers.

              In today’s data economy, privacy compliance is more than a legal duty—it’s a business differentiator.

              Brazil’s National Data Protection Authority (ANPD) released a long-awaited guidance document on how companies should interpret and apply the legal basis of legitimate interest under the Brazilian General Data Protection Law (LGPD).

              This is not merely a local update. As Brazil continues to shape its data protection regime, foreign companies—particularly European SMEs with clients, platforms, or partners in Brazil—must adapt their compliance strategies to local expectations. This new guidance is a crucial development.

              Below, I summarize what has changed, how it compares to the GDPR approach, and what steps you (or your clients) should take next.

              Why Legitimate Interest Matters—But Remains Risky

              Just like under the GDPR, Brazil’s LGPD allows personal data to be processed without consent when doing so is necessary for purposes aligned with the controller’s legitimate interests. However, because this legal basis went unregulated after the LGPD came into force, it has long been regarded as risky in Brazil: it was unclear how to evaluate the “legitimacy” of the interest and how to balance it against data subject rights.

              The ANPD’s “Guia Orientativo sobre o Legítimo Interesse” (Guidance on Legitimate Interest) fills that gap—providing a practical framework to assess, document, and justify this legal basis.

              The ANPD’s Three-Step Balancing Test

              The core of the new guidance is a three-step balancing test, which mirrors the GDPR’s Legitimate Interests Assessment (LIA) but with Brazilian nuances.

              • Purpose Test: The controller must define a specific, concrete, and legitimate objective behind the data processing. Open-ended or abstract justifications (“marketing purposes”, “efficiency”) will not suffice. The processing must also align with the reasonable expectations of the data subject.
              • Necessity Test: The data processing must be strictly necessary to achieve the defined purpose. If the same result could be achieved through less intrusive means (e.g. anonymized data or a different legal basis), the test will likely fail.
              • Balancing Test and Safeguards: This step assesses whether the controller’s interest outweighs the rights and freedoms of the data subject. Controllers must consider the nature of the data, the context of the processing, and the potential risks involved. When risks are identified, appropriate safeguards must be implemented, such as transparency, opt-outs, pseudonymization, and impact assessments.

              Takeaway: The ANPD recommends documenting the entire process. While this is not mandatory by law, it will be critical in case of investigations or complaints.

              How This Affects Foreign Companies Doing Business in Brazil

              Many foreign companies process personal data of Brazilian individuals—whether by offering digital services, interacting with Brazilian suppliers, or collecting contact information via websites or CRM tools.

              Although some assume that GDPR compliance is sufficient, the ANPD may evaluate legitimate interest more restrictively than some EU supervisory authorities.

              Foreign companies should:

              • Revisit their legal bases for processing data of Brazilian individuals.
              • Conduct a proper balancing test using the ANPD’s model, even for non-sensitive data.
              • Keep written records of the analysis (especially if using legitimate interest for analytics or marketing).
              • Update their privacy notices to reflect the legal basis and safeguards in place.
              • Be aware of the extraterritorial reach of the LGPD—yes, it applies even if you have no office in Brazil.

              Strategic Guidance

              If you advise SMEs that operate across jurisdictions—including Brazil—this new guidance is a practical compliance tool and a risk-mitigation opportunity.

              Here’s how to act now:

              • Perform a Legitimate Interests Assessment (LIA) whenever your client relies on this basis in Brazil.
              • Compare it with the GDPR LIA to identify overlaps and gaps.
              • Align documentation—so your clients are ready in the event of a complaint or data subject request.
              • Monitor ANPD updates—the ANPD has increased its activity and enforcement posture significantly in the past year.

              Final Thoughts

              The ANPD’s guidance reflects a growing maturity in Brazil’s data protection landscape. Legitimate interest is no longer a vague fallback—it requires structure, analysis, and above all, transparency.

              European companies with operations or digital exposure in Brazil should approach this legal basis with care and diligence. The good news? The ANPD is now offering the roadmap. It’s up to us, as legal advisors, to make sure our clients follow it.

              Want to see the full guidance? The original document (in Portuguese) is available here.

              Brazil is increasingly in the global spotlight when it comes to cybersecurity threats. With over 10 billion cyberattack attempts recorded in 2023 alone, the country ranks among the most targeted worldwide. These incidents are not abstract: they affect sensitive sectors such as finance and healthcare, including data leaks involving over 220 million data subjects from national institutions and critical infrastructure operators.

              While Brazil may seem like a distant jurisdiction, its data protection regime — shaped by the Lei Geral de Proteção de Dados (LGPD) — has growing significance for European businesses operating or partnering in the region. The LGPD, inspired by the GDPR, sets out specific obligations around data breach notification. However, unlike the GDPR’s mandatory 72-hour notification rule, not all security incidents must be reported to the Brazilian Data Protection Authority (ANPD).

              So: when exactly should a security incident be reported in Brazil?

              When Notification is Required: A Three-Step Test

              Under Brazilian law, a security incident involving personal data must be reported to the ANPD only if the following three criteria are cumulatively met:

              • The incident has been confirmed.
              • It involves personal data subject to the LGPD.
              • It poses a relevant risk or damage to data subjects.

              This third threshold is critical. According to the ANPD’s Security Incident Communication Regulation (RCIS), relevant risks include incidents that may:

              • Prevent the exercise of rights or access to services.
              • Cause material or moral harm.
              • Involve special categories of data, such as:
                • Sensitive personal data
                • Financial data
                • Large-scale datasets
                • Children’s or elderly persons’ data
                • Authentication credentials
                • Legally protected information (e.g., medical, legal, or professional secrets)

              This approach offers some flexibility – but it also requires careful legal judgment.

              When You Don’t Have to Notify

              There is no obligation to notify the ANPD if the incident does not result in significant risk or damage. For instance, if the breached data is non-sensitive and publicly available (e.g., general contact information), and no additional harm is expected, companies may reasonably determine that notification is unnecessary.

              However, this decision should not be taken lightly. Controllers are expected to assess several contextual factors, such as:

              • The volume and nature of the affected data.
              • Whether the data subjects can be identified.
              • The likely impact on fundamental rights.
              • The technical and security measures in place.
              • Any steps taken to mitigate the damage.

              In practice, each case must be analyzed individually — and well documented — to ensure a defensible position.

              How to Notify the ANPD (If Required)

              If the thresholds for notification are met, companies must report the incident within three business days from the date they became aware that personal data was affected. The notification must include:

              • A description of the breach and affected data.
              • The number and profile of impacted data subjects.
              • Security measures in place before and after the incident.
              • Potential risks to the data subjects.
              • Mitigation strategies.
              • Identification of the controller and DPO (if applicable).

              Notifications are submitted via the ANPD’s online platform (SUPER). Sensitive business information can be protected through a request for confidential treatment, provided it is properly justified.

              Strategic Takeaways for European Stakeholders

              For European companies and compliance officers, understanding the nuances of Brazilian data breach notification rules is essential for several reasons:

              • Cross-border compliance: Companies transferring personal data to Brazil must ensure regulatory alignment under the GDPR’s international transfer rules.
              • Due diligence: M&A or vendor screening in Brazil should include assessments of LGPD readiness and breach history.
              • Incident response protocols: Global organizations must harmonize breach notification timelines and thresholds across jurisdictions, adapting to Brazil’s risk-based approach.

              In a landscape of increasing cyber threats, aligning with the LGPD is not just a regulatory obligation — it’s a strategic necessity.

              Final Thoughts

              Brazil’s data protection authority does not adopt a “one size fits all” model for breach notification. The LGPD introduces a risk-based, case-by-case approach, which may offer more flexibility than the GDPR — but also places a greater burden on organizations to justify their decisions.

              European companies doing business in Brazil must be prepared to evaluate security incidents in light of both local obligations and international expectations. Failing to notify a breach — or notifying too hastily — can have serious reputational, legal, and operational consequences.

              Understanding when (and how) to notify the ANPD is a key part of navigating Brazil’s complex but maturing data protection landscape.

              Leopoldo Pagotto

              Practice areas

              • Antitrust
              • Corporate Ethics and Compliance
              • Contracts
              • Corporate Law
              • Data Protection
              • Financial Crimes


                Security Incidents in Brazil: When and How to Notify the Data Protection Authority

                13 May 2025

                • Brazil
                • Privacy and Data Protection

                In practice, this means adopting the concepts of safety-by-design and privacy-by-default from the outset. It is no longer enough to fix problems after they arise. Companies must anticipate risks to the physical, mental, and moral integrity of younger users and build preventive safeguards.

                Mandatory Impact Assessments and Platform Risk Analysis

                One of the pillars of the new legislation is the requirement for impact assessments. Platforms must conduct periodic detailed analyses of the potential effects of their functionalities (recommendation algorithms, engagement mechanisms, advertising systems, and even augmented reality features) on children and adolescents. These reports need to be properly documented internally and, in many cases, generate transparent information that can be shared with authorities or made available to the public in a summarized version.

                New Age Verification and Parental Control Obligations

                Age verification has become significantly more rigorous. A simple self-declaration (“click here if you are over 18”) is no longer considered sufficient. The law requires effective and proportionate mechanisms that respect privacy but genuinely manage to distinguish adults from minors. For users up to 16 years old, accounts on social networks and similar platforms must, as a rule, be linked to a legal guardian.

                Furthermore, companies are required to provide robust parental control tools. Guardians must have access to dashboards that allow them to set screen time limits, restrict contacts, approve or block in-app purchases, and disable personalized algorithmic recommendation systems. Many foreign clients I have spoken with still underestimate the weight of this requirement.

                Restrictions on Advertising, Profiling, and Gaming Monetization

                In the commercial sphere, the law is particularly restrictive. The use of advanced behavioral profiling, emotional analysis, or immersive technologies to target advertising at children and adolescents is prohibited. Monetization of content that inappropriately exploits the image of minors is also subject to severe limitations. In the gaming sector, there are express bans on “loot boxes” and randomized reward systems when the game is accessible to minors, precisely because of their addictive potential and the risk of uncontrolled spending.

                Harmful Content Removal and Reporting Requirements

                Another aspect that deserves attention is the swift removal of harmful content. The law establishes short deadlines – in some cases as little as 24 hours – for the removal of material related to sexual exploitation, violence, bullying, cyberbullying, incitement to suicide, self-harm, or drug use. In addition to removal, in serious situations platforms must notify the competent authorities, including through international cooperation when necessary.

                Legal Representation and Enforcement Risks for Foreign Companies

                For foreign companies without a physical presence in Brazil, the law strengthens enforcement mechanisms. It is mandatory to appoint a legal representative established in the country, with powers to receive judicial and administrative citations, respond to requests from the Public Prosecutor’s Office and the National Data Protection Authority (ANPD), and serve as the local point of contact.

                In fact, the ANPD assumes a central role in supervising and regulating the law, acting in coordination with the Public Prosecutor’s Office. This creates a more robust enforcement scenario than many international players initially anticipated. Moreover, the law provides for joint and several liability: subsidiaries, branches, or companies within the same economic group in Brazil may be held accountable for violations committed by the foreign parent company.

                Financial Penalties and Operational Sanctions

                The sanctions are dissuasive. Fines can reach up to 10% of the economic group’s revenue in Brazil in the previous year, or up to R$ 50 million per individual violation, depending on the severity. In extreme cases or in the event of recurrence, authorities may order the temporary suspension or even the complete blocking of the service within Brazilian territory. For companies that depend on the Brazilian market, especially consumer technology firms, this operational risk is very real.

                Relationship Between the ECA Digital and Brazil’s LGPD

                It is worth noting that the ECA Digital interacts closely with the General Data Protection Law (LGPD). Many of the principles of privacy-by-default, data minimization, and impact assessments already existed under the LGPD, but they now take on more specific contours when the data subject is a child or adolescent. The processing of minors’ data requires even greater care, with more restrictive legal bases and heightened attention to consent and the rights of legal guardians.

                Global Regulatory Trends and Brazilian Specificities

                From a comparative perspective, the Brazilian law aligns with global trends. It bears clear similarities to the UK’s Age Appropriate Design Code, certain aspects of the European DSA, and ongoing discussions in other Latin American countries. However, it presents distinctly Brazilian nuances: strong influence from the Public Prosecutor’s Office, the tradition of integral protection of children established in the 1990 Child and Adolescent Statute (ECA), and an approach that combines state regulation with the shared responsibility of families, schools, and platforms.

                Practical Compliance Steps for Foreign Technology Companies

                Foreign legal advisors must act with urgency. A good starting point is to conduct a comprehensive gap analysis: mapping user onboarding flows, reviewing advertising and algorithmic recommendation policies, assessing the adequacy of age verification mechanisms, and verifying whether the legal representation structure in Brazil meets the new requirements.

                In addition, it is important to prepare local teams or partners to handle administrative requests and potential audits. Investing in privacy-preserving age verification technologies, such as age estimation or document-based verification without excessive data storage, can make a difference both in compliance and in the user experience.

                Conclusion

                In summary, the ECA Digital is not merely a symbolic law. It imposes concrete obligations, with adaptation deadlines that have already expired for many companies, and carries real risks of financial and operational sanctions. For law firms advising international clients, especially small and medium-sized practices in Europe and Asia, the moment has come to help these players turn compliance into a competitive advantage.

                Those who manage to implement robust protection measures from the design stage of their products will not only avoid heavy fines but may also build greater trust with the Brazilian public and authorities.

                Summary: On January 25, 2026, Brazil and the EU mutually recognized each other as providing adequate personal data protection—removing, in many cases, the need for Standard Contractual Clauses (SCCs) or other transfer tools. This shifts the conversation from “copy-paste compliance” to strategy: deciding when to retire SCCs, updating cross-border transfer policies, and modernizing contractual models for future deals.

                Why this matters in real transactions

                Imagine you’re about to close a deal with a German business partner and your Brazilian client urgently asks for a data transfer clause. It’s always the same copy-paste: Standard Contractual Clauses (SCCs), Annex I and II in both languages, signatures on the dotted line. Now imagine this scene is finally unnecessary.

                The mutual adequacy milestone (January 25, 2026)

                On January 25, 2026, Brazil and the European Union mutually recognized each other as countries with adequate levels of personal data protection. It’s the first adequacy agreement signed between the EU and a Latin American country. In practical terms, it means that companies can transfer personal data between Brazil and the EU without the need for additional mechanisms, like SCCs or Binding Corporate Rules (BCRs). In strategic terms, it opens a new front of opportunities for Brazilian lawyers, especially those advising clients who export, import, invest, or operate in the EU.

                A starting point, not a “compliance break”

                This is a milestone and also a starting point. Mutual adequacy does not mean “relax your compliance programs”; on the contrary, it demands governance maturity and careful review.

                Three concrete fronts for legal work

                1. Retiring SCCs: Not Always Automatic

                The adequacy decision makes SCCs optional in many cases, but that doesn’t mean you can simply tear them up. For existing contracts that already use SCCs, lawyers will need to assess whether they should keep, revise, or remove those clauses. The answer will depend on the risks, data flows, and reliance on third countries in the processing chain. There may also be internal policies, negotiated warranties, or obligations to supervisory authorities that require formal justifications.

                In practice, companies with complex processing chains (e.g., European headquarters, shared Brazilian HR services, cloud servers in the U.S.) may continue using SCCs in certain flows even after the adequacy recognition. Lawyers will need to carefully document and track this hybrid model.

                2. Reviewing Cross-Border Data Transfer Policies

                Many companies, especially multinationals or those with multiple data protection obligations, have established cross-border data transfer policies (“CBTPs”) that classify countries into categories and associate specific safeguards for each. Brazil’s new status as an “adequate country” must now be reflected in those documents.

                For instance, a Brazilian company that receives data from France and sends it to Argentina and India may now adjust internal protocols to reduce documentation and controls on the EU → Brazil leg, while reinforcing controls in the Brazil → Argentina or Brazil → India legs. These changes must be aligned with the company’s policies, contracts, and internal training materials.

                3. Adapting Contractual Models for Future Deals

                The mutual adequacy decision creates a new contractual scenario. Brazilian lawyers advising international clients can now use data transfer models aligned with GDPR—without needing SCCs or complex annexes—provided both parties are located in Brazil and the EU.

                This reduces transaction costs, improves legal certainty, and increases speed in negotiations involving technology services, cross-border M&A, or shared service centers. A good contractual model should still include data protection clauses—but now focused on risk allocation, DPO cooperation, and incident response coordination, rather than formal compliance with Art. 46 GDPR or Arts. 33–36 LGPD.

                Summary: Brazil’s data protection authority (ANPD) is signaling a clear move toward stronger, more GDPR-aligned enforcement and rulemaking through its 2026–2027 Priority Topics Map and updated Regulatory Agenda. The selected priorities mirror familiar EU themes—data subject rights, children’s data, public-sector processing, and AI—while adding practical predictability for organizations planning compliance. For European businesses operating in Brazil, the direction of travel suggests increasing convergence in governance, risk assessment, and transparency expectations. This trajectory may also strengthen the long-term case for Brazil to pursue an EU adequacy decision.

                A maturing authority with a strategic alignment to GDPR

                While European regulators refine enforcement mechanisms for mature frameworks, Brazil is quietly building one of the world’s most GDPR-aligned data protection systems outside the EU. The release of the Priority Topics Map for 2026–2027 and of its updated Regulatory Agenda by the National Agency of Personal Data Protection (ANPD) reveals an authority that is no longer in its infancy, but one strategically positioning itself as a credible counterpart to European supervisory bodies.

                ANPD’s priority topics for 2026–2027

                The four priority topics chosen by Brazil’s National Data Protection Authority (“ANPD”) tell a familiar tale to anyone working with GDPR compliance: data subject rights, protection of children and adolescents in digital environments, processing by public authorities, and artificial intelligence with emerging technologies.

                Why these priorities feel familiar to GDPR practitioners

                These are not arbitrary choices but deliberate alignments with the core concerns that have shaped European enforcement over the past seven years, from the fundamental rights guarantees in Articles 12 through 22, to the heightened scrutiny of processing involving minors, to the evolving regulatory treatment of algorithmic systems that now spans both GDPR recitals and the EU AI Act itself.

                Children and adolescents: new authority and converging expectations

                Brazil’s recent Digital Statute for Children and Adolescents hands ANPD substantial new authority over age verification and parental consent mechanisms, creating a regulatory bridge that should look strikingly familiar to companies navigating the UK’s Age Appropriate Design Code or implementing EDPB guidance on child data. European digital services operating in Brazil, particularly in social media, gaming, education, or wellness sectors, now face converging compliance expectations on both sides of the Atlantic. The technical architectures and consent flows designed for GDPR are increasingly fit for purpose in the Brazilian context as well.

                Artificial intelligence and emerging technologies

                The elevation of artificial intelligence to priority status is ANPD’s clearest statement yet about where Brazilian regulation is headed; in fact, the move itself is hardly news, since AI is worrying every regulator in every industry. While the LGPD lacks specific AI provisions, the authority has been methodically laying groundwork through public consultations on automated decision-making and studies on algorithmic profiling. For companies already deep in EU AI Act preparation, such convergence offers something rare in global privacy compliance: the potential for genuine efficiency gains through shared governance frameworks, unified risk assessment methodologies, and harmonized transparency protocols rather than duplicative regional adaptations.

                Data subject rights and DPIAs: reinforcing accountability

                ANPD’s continued emphasis on data subject rights and Data Protection Impact Assessments reinforces the structural similarities with GDPR’s accountability model. The Brazilian approach increasingly mirrors European expectations around documented risk assessment, standardized response protocols for individual rights requests, and transparency obligations for profiling activities. Multinational organizations can now reasonably contemplate unified DPIA templates and centralized rights management systems that serve both jurisdictions without fundamental architectural splits.

                The updated Regulatory Agenda for 2025–2026: predictability as a compliance asset

                The updated Regulatory Agenda for 2025–2026 provides something perhaps more valuable than new rules: predictability. One should not underestimate the importance of predictability in Brazil, since it is a rare asset, even before courts – former Treasury Minister Pedro Malan once ironically stated that «in Brazil, even the past is uncertain».

                What ANPD is telegraphing next

                By telegraphing upcoming initiatives on biometric data processing, inspection methodologies, sanctioning procedures, cybersecurity standards, and privacy program governance, ANPD offers companies the planning visibility that makes cross-border compliance feasible rather than reactive. These topics map directly onto GDPR’s controller obligations, security requirements, and Data Protection Officer independence provisions in Articles 24 through 39.

                Beyond compliance: what convergence could mean for data flows

                The regulatory convergence carries implications beyond operational compliance. The structural alignment between LGPD and GDPR, reinforced by ANPD’s strategic choices, strengthens the case for an eventual EU adequacy decision recognizing Brazil under Article 45.

                For European businesses and their counsel, the trajectory suggests not just reduced friction in managing trans-Atlantic data flows, but the emergence of genuinely compatible regulatory ecosystems. The challenge will be maintaining attention to Brazilian developments with the same intensity devoted to EDPB guidelines and Commission decisions, recognizing that convergence is a continuous process rather than a static achievement.

                Conclusion

                Brazil’s ANPD is increasingly setting priorities that mirror the main pressure points of GDPR compliance, while using its Regulatory Agenda to add clarity and sequencing to what comes next. For organizations operating across the EU and Brazil, the message is practical: governance structures, rights-handling processes, and risk assessment tooling built for GDPR are becoming progressively reusable in the Brazilian context. At the same time, staying alert to ANPD’s evolving guidance—especially around children’s data, AI, biometrics, cybersecurity, and enforcement methodology—will be key to turning regulatory convergence into real operational efficiency and reduced cross-border friction.

                Summary
                This article explores the ANPD’s 2025 Tech Radar on neurotechnologies and how it reshapes compliance risks for Brazilian healthtechs—especially in M&A contexts involving GDPR exposure. It outlines key regulatory concerns, the GDPR’s extraterritorial impact, major due-diligence red flags, and the essential deliverables investors should require.

                Introduction

                Brazil’s latest ANPD Tech Radar brings neurotechnologies to the forefront of data-protection compliance, exposing significant risks for healthtech companies and investors. With GDPR’s extraterritorial reach, sensitive data processing, opaque AI, and cross-border transfers, data governance has become a critical M&A due-diligence factor requiring structured reviews and robust contractual safeguards.

                Key Compliance Risks Shaping Brazilian Healthtech M&A

                Brazil’s Data Protection Authority (ANPD) released its 4th Tech Radar in June 2025, focusing entirely on neurotechnologies—marking the first time the regulator targeted this field so directly. The report explores brain-computer interfaces, advanced wearables, AI-driven cognitive therapies, and predictive diagnostics, highlighting risks far beyond traditional health data processing.

                For investors and lawyers working M&A deals in Brazil’s healthtech sector, this Radar signals that data protection is no longer a secondary compliance issue—it is now a major source of legal, reputational, and operational risk.

                GDPR’s Extraterritorial Relevance

                Many Brazilian healthtechs handle personal data from foreign individuals, particularly Europeans—through expats, medical tourists, cross-border clinical trials, or partnerships with EU-based vendors. When this occurs, GDPR Article 3(2) extends jurisdiction to the Brazilian company, even without any EU establishment.

                Main Risks Identified by ANPD (Tech Radar #4)

                • Inferring health data without explicit consent
                  Example: wearables identifying depression through sleep or stress patterns without informing users.
                • Lack of transparency in predictive algorithms
                  Black-box AI models making clinical decisions without accessible documentation.
                • Cybersecurity vulnerabilities in connected devices
                  Neural implants or neurostimulators vulnerable to hacking, with potentially physical consequences.
                • Automated processing that impacts human dignity
                  Behavioral profiling influencing insurance eligibility, discrimination, or patient autonomy in therapy environments.

                GDPR Article 22 prohibits automated decision-making with significant effects unless strict safeguards are implemented—making this a critical risk during due diligence.

                Most Common Red Flags in Brazilian Healthtech Due Diligence

                No clear legal basis for sensitive data (health, genetic, biometric)

                LGPD Impact (Brazil): Breach of LGPD Art. 11
                GDPR Parallel (Europe): Art. 9 (special categories)
                Practical Recommendation: Require full data-mapping and warranties

                Generic or “click-to-accept” consents

                LGPD Impact (Brazil): Invalid consent (Art. 7 & 11)
                GDPR Parallel (Europe): Art. 6 + 7
                Practical Recommendation: Ensure all consents are granular, specific, and revocable

                Third-party sharing without processor agreements

                LGPD Impact (Brazil): Breach of LGPD Art. 28 & 33
                GDPR Parallel (Europe): Art. 28
                Practical Recommendation: Verify existence and adequacy of all DPAs

                Missing or incomplete ROPA

                LGPD Impact (Brazil): Serious regulatory violation
                GDPR Parallel (Europe): Art. 30
                Practical Recommendation: Make ROPA delivery a closing condition

                Non-existent or conflicted DPO

                LGPD Impact (Brazil): Non-compliance with ANPD Resolution CD nº 2
                GDPR Parallel (Europe): Art. 37–39
                Practical Recommendation: Require interview + independence confirmation

                No DPIA for high-risk products

                LGPD Impact (Brazil): Mandatory (ANPD Res. 15/2023)
                GDPR Parallel (Europe): Art. 35
                Practical Recommendation: Include pre-closing DPIA audit clause

                International transfers without safeguards

                LGPD Impact (Brazil): Arts. 33–35
                GDPR Parallel (Europe): Arts. 44–50
                Practical Recommendation: Verify SCCs (2021/2023) or adequacy status

                Real Cases Illustrating the Scale of Risk

                • Telepsychology platforms investigated for using automated triage without informed consent or AI transparency.
                • ANPD actions against genomics startups due to cross-border transfers without SCCs or DPIAs.
                • Outsourced cloud hosting increasing irregular data transfer risks.

                Until Brazil receives an EU adequacy decision, SCCs and BCRs remain mandatory for compliant transfers.

                Essential Due Diligence Deliverables

                A robust data-protection review is now essential in healthtech M&A. Key deliverables include:

                • LGPD ↔ GDPR gap analysis
                • ROPA and DPIA review
                • Sub-processor contract verification
                • Mapping of all international transfers
                • Privacy-specific warranties and indemnities
                • Escrow or holdback for regulatory risk exposure

                Conclusion

                Data protection is no longer secondary in healthtech M&A—especially when neurodata is involved. With ANPD scrutinizing neurotechnologies and GDPR obligations extending across borders, investors must prioritize structured due diligence and strong contractual safeguards.

                FAQ

                Is neurodata considered sensitive personal data under the LGPD?

                Yes—ANPD treats neurodata as highly sensitive because it reveals cognitive, emotional, and health patterns.

                Does GDPR apply to Brazilian companies with no EU presence?

                Yes, via Article 3(2), whenever EU data subjects’ information is processed.

                Are SCCs still required for Brazil–EU transfers?

                Yes, until Brazil receives an EU adequacy decision.

                What are the top investor red flags?

                Missing DPIAs, unclear legal bases, opaque algorithms, and irregular transfers.

                Since the General Data Protection Regulation (GDPR) took effect in 2018, the European Union (EU) has granted adequacy status to only a limited number of jurisdictions — those whose data protection regimes are deemed to provide an «essentially equivalent» level of protection to that of the EU. The current list includes Andorra, Argentina, Canada (under PIPEDA), Faroe Islands, Guernsey, Isle of Man, Israel, Japan, Jersey, New Zealand, South Korea, Switzerland, Uruguay, the United Kingdom, and the United States (limited to companies certified under the Data Privacy Framework).

                As of 5 September 2025, Brazil is on the verge of joining this exclusive group. The European Commission has issued a draft adequacy decision concluding that the Brazilian General Data Protection Law (Lei Geral de Proteção de Dados Pessoais – LGPD), in conjunction with Brazil’s broader legal and constitutional framework, offers protections that are essentially equivalent to those found in the GDPR. While Brazil’s rules offer somewhat more flexibility in specific areas of data processing, the foundational principles and safeguards are well-aligned with EU standards.

                Once finalized, the adequacy decision will authorize the free flow of personal data from the EU to Brazil without the need for additional contractual clauses or technical safeguards. Such a development is not just regulatory — it also answers a core political argument made by LGPD advocates since its inception: that the absence of a comprehensive data protection framework was undermining Brazil’s international competitiveness by limiting data flows and discouraging investment. For businesses, the EU decision may finally mean the removal of a significant layer of compliance complexity — a development especially welcome by small and medium-sized enterprises engaged in cross-border trade or service provision. The draft is currently under review by the European Data Protection Board (EDPB) and the Member States of the EU.

                The Commission’s assessment highlights several key aspects of Brazil’s data protection landscape. It begins by noting that the Brazilian Constitution expressly guarantees the right to privacy and the protection of personal data — a notable distinction among non-EU jurisdictions. These protections are further supported by Brazil’s ratification of the American Convention on Human Rights and its recognition of the jurisdiction of the Inter-American Court of Human Rights, reinforcing a commitment to fundamental rights and democratic oversight.

                The LGPD mirrors the GDPR in many critical respects and defines its territorial scope clearly. It applies to: (i) data processing carried out within Brazilian territory, (ii) the offering of goods or services to individuals in Brazil, and (iii) data collected in Brazil, even if subsequently processed abroad. This aligns well with the extraterritorial provisions of the GDPR. The definitions of personal data, sensitive data, controller, and processor are materially similar, as are the key principles governing processing — including lawfulness, purpose limitation, data minimization, accuracy, transparency, and security. The law expressly excludes anonymized data from its scope and establishes specific exemptions for journalistic activities, public security, and scientific research.

                Another strength is Brazil’s institutional framework. The National Data Protection Authority (ANPD) was recently transformed into an autonomous regulatory agency, enhancing its independence and technical capacity. The ANPD holds both regulatory and enforcement powers: it can issue binding regulations, impose administrative sanctions, and publish authoritative guidance. To date, it has issued key guidelines on topics such as consent, legitimate interest, the role of the Data Protection Officer (DPO), and security incident reporting. Internationally, the ANPD is an active participant in global data protection dialogue — it is a member of the Global Privacy Assembly and an official observer to the Council of Europe’s Convention 108.

                The LGPD’s approach to international data transfers is also structurally aligned with the GDPR. It requires appropriate safeguards such as standard contractual clauses, allows for future adequacy decisions under a regime comparable to Article 45 of the GDPR, and includes detailed provisions for onward transfers and transit data — that is, data merely passing through Brazil without further processing. The rights of data subjects are robust and familiar to European practitioners: access, rectification, erasure, portability, and withdrawal of consent are guaranteed. Lawful bases for processing are also aligned — including consent, legal obligations, contract execution, and legitimate interest. Notably, the LGPD requires a documented balancing test when relying on legitimate interest, bringing additional accountability to this flexible legal basis.

                Security incidents involving personal data must be notified to both the ANPD and affected data subjects when there is a significant risk of harm. The standard notification deadline is 72 hours, and the required content aligns closely with Articles 33 and 34 of the GDPR. The ANPD may also order public disclosure of incidents or require remedial measures, depending on the nature and scope of the breach.

                Importantly, this process is not one-sided. In parallel to the European Commission’s adequacy decision, the ANPD is conducting its own adequacy assessment of the EU and EEA data protection frameworks. This process is regulated by the Brazilian Resolution CD/ANPD No. 19/2024, which governs international data transfers. Once the technical and legal evaluation is complete, the ANPD’s Board of Directors will issue a formal decision. This reciprocal move reflects Brazil’s commitment to mutual recognition and regulatory symmetry — a positive signal for companies on both sides of the Atlantic.

                In conclusion: If confirmed, Brazil’s adequacy status will simplify international operations, reduce compliance costs, and expand opportunities for data-driven business and legal cooperation. For European lawyers advising SMEs with interests in Latin America, this development is a strategic signal: Brazil is emerging not just as a growing market, but as a legally compatible and data-safe jurisdiction for international partnerships.

                On 23 August 2024, Brazil’s National Data Protection Authority (ANPD) issued Resolution No. 19, a landmark regulation governing the international transfer of personal data under the Brazilian General Data Protection Law (LGPD). Companies now have until 23 August 2025 to fully comply.

                This deadline is especially relevant for European multinationals operating in Brazil, or Brazilian subsidiaries sharing data with foreign HQs or vendors. The new rules align Brazil more closely with global privacy frameworks like the GDPR—but with local twists that demand attention.

                Why It Matters

                Unlike previous guidance, Resolution No. 19 creates binding legal obligations and explicit deadlines. It introduces mechanisms such as Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), and public transparency requirements—all within a strict 12-month timeframe.

                For many international companies, this will require significant updates to internal governance, contract management, and cloud data strategies. Below are the key takeaways for foreign counsel.

                Standard Contractual Clauses (SCCs): Now Mandatory

                The ANPD has released its own set of Standard Contractual Clauses, which must be used for data transfers to jurisdictions not recognized as offering “adequate protection.”

                Companies must adopt these clauses by 23 August 2025. This will likely require revisiting existing data processing agreements involving Brazilian parties and ensuring alignment with the ANPD template.

                Important: The SCCs cannot be modified beyond inserting details in the annexes. Any deviations require prior approval from the ANPD and are limited to exceptional cases.

                Broad Transparency Requirements

                Data controllers are now required to publish, on their website, a plain-language document explaining:

                • the purpose of the international data transfer,
                • the categories of data involved,
                • the countries of destination,
                • and the legal mechanism used to legitimize the transfer.

                Upon request, data subjects must also receive a copy of the full SCCs within 15 days. Multinationals will need protocols and document templates to respond efficiently—especially when dealing with requests in Portuguese.

                Expanded Definition of “International Transfer”

                The Resolution clarifies that a transfer occurs whenever:

                • data is accessed or stored by an entity located abroad, or
                • processing is outsourced to a cloud provider with servers or technical teams outside Brazil.

                This has important implications for global companies that centralize services such as payroll, CRM, or cybersecurity outside Brazil—even if hosted on multinational platforms.

                Binding Corporate Rules (BCRs): Now Recognized

                Multinationals with mature privacy programs may apply to the ANPD for approval of their own Binding Corporate Rules, offering an alternative to SCCs.

                This is a welcome development for companies seeking harmonized compliance across jurisdictions, but approval is expected to involve a complex and time-consuming process. Early preparation is essential.

                Custom Clauses in Exceptional Circumstances

                Companies unable to adopt the standard clauses—due to specific factual or legal constraints—may submit alternative clauses for ANPD approval. However, such flexibility is limited and subject to strict justification.

                In practice, the official SCCs will be the default path for most international data transfers involving Brazil.

                What Foreign Companies Should Do Now

                The 12-month window is already ticking. International groups operating in Brazil or processing Brazilian data should urgently:

                • Map all international data transfers involving Brazil;
                • Identify contracts and vendors requiring updates;
                • Insert ANPD’s SCCs where applicable;
                • Publish the required transparency notice online in Portuguese;
                • Monitor for further ANPD guidance or enforcement trends.

                Strategic Compliance: Beyond Legal Risk

                Resolution No. 19 is part of a global trend toward standardized but locally enforced privacy frameworks. For GDPR-compliant companies, Brazil’s new rules offer a chance to reaffirm leadership in data governance.

                Those who act early can avoid last-minute fire drills, reduce regulatory exposure, and strengthen credibility with Brazilian regulators and consumers.

                In today’s data economy, privacy compliance is more than a legal duty—it’s a business differentiator.

                Brazil’s National Data Protection Authority (ANPD) released a long-awaited guidance document on how companies should interpret and apply the legal basis of legitimate interest under the Brazilian General Data Protection Law (LGPD).

                This is not merely a local update. As Brazil continues to shape its data protection regime, foreign companies—particularly European SMEs with clients, platforms, or partners in Brazil—must adapt their compliance strategies to local expectations. This new guidance is a crucial development.

                Below, I summarize what has changed, how it compares to the GDPR approach, and what steps you (or your clients) should take next.

                Why Legitimate Interest Matters—But Remains Risky

                Just like under the GDPR, Brazil’s LGPD allows personal data to be processed without consent when doing so is necessary for purposes aligned with the controller’s legitimate interests. However, due to the lack of regulation since the LGPD came into force, this legal basis has long been regarded as risky in Brazil – in fact, it was unclear how to evaluate the «legitimacy» of the interest and balance it against data subject rights.

                The ANPD’s «Guia Orientativo sobre o Legítimo Interesse» (Guidance on Legitimate Interest) fills that gap—providing a practical framework to assess, document, and justify this legal basis.

                The ANPD’s Three-Step Balancing Test

                The core of the new guidance is a three-step balancing test, which mirrors the GDPR’s Legitimate Interests Assessment (LIA) but with Brazilian nuances.

                • Purpose Test : The controller must define a specific, concrete, and legitimate objective behind the data processing. Open-ended or abstract justifications (“marketing purposes”, “efficiency”) will not suffice. The processing must also align with the reasonable expectations of the data subject.
                • Necessity Test : The data processing must be strictly necessary to achieve the defined purpose. If the same result could be achieved through less intrusive means (e.g. anonymized data or a different legal basis), the test will likely fail.
                • Balancing Test and Safeguards : This step assesses whether the controller’s interest outweighs the rights and freedoms of the data subject. Controllers must consider the nature of the data, the context of the processing, and the potential risks involved. When risks are identified, appropriate safeguards must be implemented, such as transparency, opt-outs, pseudonymization, and impact assessments.

                Takeaway: The ANPD recommends documenting the entire process. While this is not mandatory by law, it will be critical in case of investigations or complaints.

                How This Affects Foreign Companies Doing Business in Brazil

                Many foreign companies process personal data of Brazilian individuals—whether by offering digital services, interacting with Brazilian suppliers, or collecting contact information via websites or CRM tools.

                Although some assume that GDPR compliance is sufficient, the ANPD may evaluate legitimate interest more restrictively than some EU supervisory authorities.

                Foreign companies should:

                • Revisit their legal bases for processing data of Brazilian individuals.
                • Conduct a proper balancing test using the ANPD’s model, even for non-sensitive data.
                • Keep written records of the analysis (especially if using legitimate interest for analytics or marketing).
                • Update their privacy notices to reflect the legal basis and safeguards in place.
                • Be aware of the extraterritorial reach of the LGPD—yes, it applies even if you have no office in Brazil.

                Strategic Guidance

                If you advise SMEs that operate across jurisdictions—including Brazil—this new guidance is a practical compliance tool and a risk-mitigation opportunity.

                Here’s how to act now:

                • Perform a Legitimate Interests Assessment (LIA) whenever your client relies on this basis in Brazil.
                • Compare it with the GDPR LIA to identify overlaps and gaps.
                • Align documentation—so your clients are ready in the event of a complaint or data subject request.
                • Monitor ANPD updates—the ANPD has increased its activity and enforcement posture significantly in the past year.

                Final Thoughts

                The ANPD’s guidance reflects a growing maturity in Brazil’s data protection landscape. Legitimate interest is no longer a vague fallback—it requires structure, analysis, and above all, transparency.

                European companies with operations or digital exposure in Brazil should approach this legal basis with care and diligence. The good news? The ANPD is now offering the roadmap. It’s up to us, as legal advisors, to make sure our clients follow it.

                Want to see the full guidance? The original document (in Portuguese) is available here.

                Brazil is increasingly in the global spotlight when it comes to cybersecurity threats. With over 10 billion cyberattack attempts recorded in 2023 alone, the country ranks among the most targeted worldwide. These incidents are not abstract: they affect sensitive sectors such as finance and healthcare, including data leaks involving over 220 million data subjects from national institutions and critical infrastructure operators.

                While Brazil may seem like a distant jurisdiction, its data protection regime — shaped by the Lei Geral de Proteção de Dados (LGPD) — has growing significance for European businesses operating or partnering in the region. The LGPD, inspired by the GDPR, sets out specific obligations around data breach notification. However, unlike the GDPR’s mandatory 72-hour notification rule, not all security incidents must be reported to the Brazilian Data Protection Authority (ANPD).

                So: when exactly should a security incident be reported in Brazil?

                When Notification is Required: A Three-Step Test

                Under Brazilian law, a security incident involving personal data must be reported to the ANPD only if the following three criteria are cumulatively met:

                • The incident has been confirmed.
                • It involves personal data subject to the LGPD.
                • It poses a relevant risk or damage to data subjects.

                This third threshold is critical. According to the ANPD’s Security Incident Communication Regulation (RCIS), relevant risks include incidents that may:

                • Prevent the exercise of rights or access to services.
                • Cause material or moral harm.
                • Involve special categories of data such as: Sensitive personal data / Financial data / Large-scale datasets / Children’s or elderly persons’ data / Authentication credentials / Legally protected information (e.g., medical, legal, or professional secrets).

                This approach offers some flexibility – but it also requires careful legal judgment.

                When You Don’t Have to Notify

                There is no obligation to notify the ANPD if the incident does not result in significant risk or damage. For instance, if the breached data is non-sensitive and publicly available (e.g., general contact information), and no additional harm is expected, companies may reasonably determine that notification is unnecessary.

                However, this decision should not be taken lightly. Controllers are expected to assess several contextual factors, such as:

                • The volume and nature of the affected data.
                • Whether the data subjects can be identified.
                • The likely impact on fundamental rights.
                • The technical and security measures in place.
                • Any steps taken to mitigate the damage.

                In practice, each case must be analyzed individually — and well documented — to ensure a defensible position.

                How to Notify the ANPD (If Required)

                If the thresholds for notification are met, companies must report the incident within three business days from the date they became aware that personal data was affected. The notification must include:

                • A description of the breach and affected data.
                • The number and profile of impacted data subjects.
                • Security measures in place before and after the incident.
                • Potential risks to the data subjects.
                • Mitigation strategies.
                • Identification of the controller and DPO (if applicable).

                Notifications are submitted via the ANPD’s online platform (SUPER). Sensitive business information can be protected through a request for confidential treatment, provided it is properly justified.
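The notification procedure described above (three cumulative criteria, the RCIS risk factors, and the three-business-day clock) is the kind of rule an incident-response playbook can encode so that triage decisions are consistent and logged. The following is an added example written for this page, not code from the article, the ANPD or any of its tools: the incident record fields, the risk-factor labels and the sample incidents are my own constructions, and "business days" is approximated as Monday to Friday, ignoring Brazilian public holidays, which a production playbook would have to add.

```python
"""Added example (not from the article): a triage helper that applies the
ANPD notification test described in the text to constructed incident
records and computes the three-business-day reporting deadline.

Assumptions (mine, not the page's): the record fields and the risk-factor
names are my own labels for the RCIS criteria listed in the article;
business days are Monday-Friday only, with no holiday calendar.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Factors the article lists as making a risk "relevant" under the RCIS.
# The identifiers are constructed labels, not ANPD terminology.
RELEVANT_RISK_FACTORS = {
    "prevents_rights_or_services",
    "material_or_moral_harm",
    "sensitive_personal_data",
    "financial_data",
    "large_scale",
    "children_or_elderly",
    "authentication_credentials",
    "legally_protected_secrets",
}


@dataclass
class Incident:
    incident_id: str
    confirmed: bool                  # criterion 1: confirmed, not merely suspected
    lgpd_personal_data: bool         # criterion 2: personal data within LGPD scope
    risk_factors: set = field(default_factory=set)   # inputs to criterion 3
    awareness_date: date = date(2025, 6, 13)         # constructed sample value


def relevant_risk(incident: Incident) -> bool:
    """Criterion 3: any RCIS factor present makes the risk 'relevant'."""
    return bool(incident.risk_factors & RELEVANT_RISK_FACTORS)


def must_notify_anpd(incident: Incident) -> bool:
    """All three criteria must hold cumulatively, as the article states."""
    return incident.confirmed and incident.lgpd_personal_data and relevant_risk(incident)


def add_business_days(start: date, days: int) -> date:
    """Advance by whole business days (Mon-Fri); holidays are not modelled."""
    current = start
    added = 0
    while added < days:
        current += timedelta(days=1)
        if current.weekday() < 5:    # weekday() 0-4 are Monday-Friday
            added += 1
    return current


def notification_deadline(incident: Incident) -> Optional[date]:
    """Three business days from awareness, or None when no notification is due."""
    if not must_notify_anpd(incident):
        return None
    return add_business_days(incident.awareness_date, 3)


def triage(incident: Incident) -> dict:
    """Produce the decision record an IR playbook would log for later defence."""
    return {
        "incident_id": incident.incident_id,
        "confirmed": incident.confirmed,
        "lgpd_personal_data": incident.lgpd_personal_data,
        "relevant_risk": relevant_risk(incident),
        "notify_anpd": must_notify_anpd(incident),
        "deadline": notification_deadline(incident),
    }


# Constructed sample incidents for illustration.
LEAKED_CREDENTIALS = Incident(
    incident_id="INC-0001",
    confirmed=True,
    lgpd_personal_data=True,
    risk_factors={"authentication_credentials", "large_scale"},
    awareness_date=date(2025, 6, 13),    # a Friday, so the clock crosses a weekend
)

PUBLIC_CONTACT_INFO = Incident(
    incident_id="INC-0002",
    confirmed=True,
    lgpd_personal_data=True,
    risk_factors=set(),                  # non-sensitive, publicly available data
)

SUSPECTED_ONLY = Incident(
    incident_id="INC-0003",
    confirmed=False,                     # still under investigation
    lgpd_personal_data=True,
    risk_factors={"financial_data"},
)

if __name__ == "__main__":
    for inc in (LEAKED_CREDENTIALS, PUBLIC_CONTACT_INFO, SUSPECTED_ONLY):
        print(triage(inc))
```

The `triage` record is the part worth keeping: the article stresses that a decision not to notify must be documented and defensible, so the playbook should store the criteria values it evaluated, not just the final yes/no. Note that a suspected incident fails criterion 1 and produces no deadline, which is why the awareness date that starts the clock must be recorded at the moment the incident is confirmed rather than when the alert first fired.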

                Strategic Takeaways for European Stakeholders

                For European companies and compliance officers, understanding the nuances of Brazilian data breach notification rules is essential for several reasons:

                • Cross-border compliance: Companies transferring personal data to Brazil must ensure regulatory alignment under the GDPR’s international transfer rules.
                • Due diligence: M&A or vendor screening in Brazil should include assessments of LGPD readiness and breach history.
                • Incident response protocols: Global organizations must harmonize breach notification timelines and thresholds across jurisdictions, adapting to Brazil’s risk-based approach.

                In a landscape of increasing cyber threats, aligning with the LGPD is not just a regulatory obligation — it’s a strategic necessity.

                Final Thoughts

                Brazil’s data protection authority does not adopt a «one size fits all» model for breach notification. The LGPD introduces a risk-based, case-by-case approach, which may offer more flexibility than the GDPR — but also places a greater burden on organizations to justify their decisions.

                European companies doing business in Brazil must be prepared to evaluate security incidents in light of both local obligations and international expectations. Failing to notify a breach — or notifying too hastily — can have serious reputational, legal, and operational consequences.

                Understanding when (and how) to notify the ANPD is a key part of navigating Brazil’s complex but maturing data protection landscape.

                Leopoldo Pagotto


                  The Best Interests of the Child Become the Central Compliance Principle

                  The central principle of the law is the best interests of the child and adolescent. Any information technology product or service that is targeted at minors or has a reasonable likelihood of being accessed by them must be developed with this interest as an absolute priority. This includes social networks, gaming apps, streaming platforms, app stores, and even artificial intelligence tools.

                  In practice, this means adopting the concepts of safety-by-design and privacy-by-default from the outset. It is no longer enough to fix problems after they arise. Companies must anticipate risks to the physical, mental, and moral integrity of younger users and build preventive safeguards.

                  Mandatory Impact Assessments and Platform Risk Analysis

                  One of the pillars of the new legislation is the requirement for impact assessments. Platforms must conduct periodic detailed analyses of the potential effects of their functionalities (recommendation algorithms, engagement mechanisms, advertising systems, and even augmented reality features) on children and adolescents. These reports need to be properly documented internally and, in many cases, generate transparent information that can be shared with authorities or made available to the public in a summarized version.

                  New Age Verification and Parental Control Obligations

                  Age verification has become significantly more rigorous. A simple self-declaration (“click here if you are over 18”) is no longer considered sufficient. The law requires effective and proportionate mechanisms that respect privacy but genuinely manage to distinguish adults from minors. For users up to 16 years old, accounts on social networks and similar platforms must, as a rule, be linked to a legal guardian.

                  Furthermore, companies are required to provide robust parental control tools. Guardians must have access to dashboards that allow them to set screen time limits, restrict contacts, approve or block in-app purchases, and disable personalized algorithmic recommendation systems. Many foreign clients I have spoken with still underestimate the weight of this requirement.

                  Restrictions on Advertising, Profiling, and Gaming Monetization

                  In the commercial sphere, the law is particularly restrictive. The use of advanced behavioral profiling, emotional analysis, or immersive technologies to target advertising at children and adolescents is prohibited. Monetization of content that inappropriately exploits the image of minors is also subject to severe limitations. In the gaming sector, there are express bans on “loot boxes” and randomized reward systems when the game is accessible to minors, precisely because of their addictive potential and the risk of uncontrolled spending.

                  Harmful Content Removal and Reporting Requirements

                  Another aspect that deserves attention is the swift removal of harmful content. The law establishes short deadlines – in some cases as little as 24 hours – for the removal of material related to sexual exploitation, violence, bullying, cyberbullying, incitement to suicide, self-harm, or drug use. In addition to removal, in serious situations platforms must notify the competent authorities, including through international cooperation when necessary.

                  Legal Representation and Enforcement Risks for Foreign Companies

                  For foreign companies without a physical presence in Brazil, the law strengthens enforcement mechanisms. It is mandatory to appoint a legal representative established in the country, with powers to receive judicial and administrative citations, respond to requests from the Public Prosecutor’s Office and the National Data Protection Authority (ANPD), and serve as the local point of contact.

                  In fact, the ANPD assumes a central role in supervising and regulating the law, acting in coordination with the Public Prosecutor’s Office. This creates a more robust enforcement scenario than many international players initially anticipated. Moreover, the law provides for joint and several liability: subsidiaries, branches, or companies within the same economic group in Brazil may be held accountable for violations committed by the foreign parent company.

                  Financial Penalties and Operational Sanctions

                  The sanctions are dissuasive. Fines can reach up to 10% of the economic group’s revenue in Brazil in the previous year, or up to R$ 50 million per individual violation, depending on the severity. In extreme cases or in the event of recurrence, authorities may order the temporary suspension or even the complete blocking of the service within Brazilian territory. For companies that depend on the Brazilian market, especially consumer technology firms, this operational risk is very real.

                  Relationship Between the ECA Digital and Brazil’s LGPD

                  It is worth noting that the ECA Digital interacts closely with the General Data Protection Law (LGPD). Many of the principles of privacy-by-default, data minimization, and impact assessments already existed under the LGPD, but they now take on more specific contours when the data subject is a child or adolescent. The processing of minors’ data requires even greater care, with more restrictive legal bases and heightened attention to consent and the rights of legal guardians.

                  Global Regulatory Trends and Brazilian Specificities

                  From a comparative perspective, the Brazilian law aligns with global trends. It bears clear similarities to the UK’s Age Appropriate Design Code, certain aspects of the European DSA, and ongoing discussions in other Latin American countries. However, it presents distinctly Brazilian nuances: strong influence from the Public Prosecutor’s Office, the tradition of integral protection of children established in the 1990 Child and Adolescent Statute (ECA), and an approach that combines state regulation with the shared responsibility of families, schools, and platforms.

                  Practical Compliance Steps for Foreign Technology Companies

                  Foreign legal advisors must act with urgency. A good starting point is to conduct a comprehensive gap analysis: mapping user onboarding flows, reviewing advertising and algorithmic recommendation policies, assessing the adequacy of age verification mechanisms, and verifying whether the legal representation structure in Brazil meets the new requirements.

                  In addition, it is important to prepare local teams or partners to handle administrative requests and potential audits. Investing in privacy-preserving age verification technologies, such as age estimation or document-based verification without excessive data storage, can make a difference both in compliance and in the user experience.
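The data-minimising age check the paragraph above points to can be built as a signed age attestation: the platform derives an age bracket from a date of birth it has verified out of band, signs only that bracket, and never stores or transmits the birth date or document number. The block below is an added example written for this page, not code from the author, the ANPD or any vendor; the bracket names, the 16/18 cut-offs, the signing key, the token format and the sample dates are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets
from datetime import date, datetime, timedelta, timezone
from typing import Optional

# Hypothetical bracket names; thresholds follow the 16/18 cut-offs the article discusses.
BRACKETS = ("under_16", "16_to_17", "adult")


def age_on(dob: date, today: date) -> int:
    """Completed years on `today`; handles a birthday that has not yet occurred this year."""
    years = today.year - dob.year
    if (today.month, today.day) < (dob.month, dob.day):
        years -= 1
    return years


def age_bracket(dob: date, today: date) -> str:
    """Map a verified date of birth to the only fact the platform needs to retain."""
    age = age_on(dob, today)
    if age < 16:
        return "under_16"
    if age < 18:
        return "16_to_17"
    return "adult"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_attestation(dob: date, key: bytes, now: datetime,
                      ttl: timedelta = timedelta(days=365)) -> str:
    """Return 'body.tag': HMAC-SHA256 over a JSON body that carries the bracket only.

    The date of birth and any document identifier are never written into the token.
    """
    claims = {
        "bracket": age_bracket(dob, now.date()),
        "iat": int(now.timestamp()),
        "exp": int((now + ttl).timestamp()),
        "nonce": secrets.token_hex(8),  # keeps otherwise identical tokens unlinkable
    }
    body = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return f"{_b64(body)}.{_b64(tag)}"


def attestation_claims(token: str) -> dict:
    """Decode the body WITHOUT checking the signature (audit/inspection only)."""
    return json.loads(_unb64(token.split(".")[0]))


def verify_attestation(token: str, key: bytes, now: datetime) -> Optional[str]:
    """Return the bracket if signature and expiry check out, otherwise None."""
    try:
        body_b64, tag_b64 = token.split(".")
        body, tag = _unb64(body_b64), _unb64(tag_b64)
    except ValueError:  # wrong number of parts or bad base64 (binascii.Error is a ValueError)
        return None
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    try:
        claims = json.loads(body)
    except ValueError:
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= int(now.timestamp()):
        return None
    bracket = claims.get("bracket")
    return bracket if bracket in BRACKETS else None


def demo() -> dict:
    """Constructed sample data (not real users) exercising the normal and failure paths."""
    key = b"example-signing-key-rotate-in-production"  # hypothetical; load from a KMS in practice
    now = datetime(2026, 3, 17, 12, 0, tzinfo=timezone.utc)
    dob = date(2012, 3, 20)  # turns 14 three days after `now`
    token = issue_attestation(dob, key, now)
    body_b64, tag_b64 = token.split(".")
    # Flip the first body character so the decoded bytes change and the HMAC no longer matches.
    tampered = ("A" if body_b64[0] != "A" else "B") + body_b64[1:] + "." + tag_b64
    return {
        "age": age_on(dob, now.date()),
        "bracket_day_before_16th": age_bracket(date(2010, 3, 18), now.date()),
        "bracket_on_16th": age_bracket(date(2010, 3, 17), now.date()),
        "verified": verify_attestation(token, key, now),
        "wrong_key": verify_attestation(token, b"other-key", now),
        "expired": verify_attestation(token, key, now + timedelta(days=400)),
        "tampered": verify_attestation(tampered, key, now),
        "claim_keys": sorted(attestation_claims(token)),  # no dob, no document id
    }
```

The point of the design is what the token does not contain: a downstream service (content filter, advertising pipeline, purchase approval) can gate on `under_16` without ever seeing the birth date, and a breach of the attestation store exposes brackets and nonces rather than identity documents. In production the HMAC key would live in a KMS and be rotated, and the nonce could be replaced by a per-account identifier if tokens must be revocable.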

                  Conclusion

                  In summary, the ECA Digital is not merely a symbolic law. It imposes concrete obligations, with adaptation deadlines that have already expired for many companies, and carries real risks of financial and operational sanctions. For law firms advising international clients, especially small and medium-sized practices in Europe and Asia, the moment has come to help these players turn compliance into a competitive advantage.

                  Those who manage to implement robust protection measures from the design stage of their products will not only avoid heavy fines but may also build greater trust with the Brazilian public and authorities.

                  Summary: On January 25, 2026, Brazil and the EU mutually recognized each other as providing adequate personal data protection—removing, in many cases, the need for Standard Contractual Clauses (SCCs) or other transfer tools. This shifts the conversation from “copy-paste compliance” to strategy: deciding when to retire SCCs, updating cross-border transfer policies, and modernizing contractual models for future deals.

                  Why this matters in real transactions

                  Imagine you’re about to close a deal with a German business partner and your Brazilian client urgently asks for a data transfer clause. It’s always the same copy-paste: Standard Contractual Clauses (SCCs), Annex I and II in both languages, signatures on the dotted line. Now imagine this scene is finally unnecessary.

                  The mutual adequacy milestone (January 25, 2026)

On January 25, 2026, Brazil and the European Union mutually recognized each other as providing an adequate level of personal data protection. It is the first reciprocal adequacy arrangement between the EU and a Latin American country (Argentina and Uruguay hold EU adequacy decisions, but not on a mutual basis). In practical terms, it means that companies can transfer personal data between Brazil and the EU without the need for additional mechanisms, like SCCs or Binding Corporate Rules (BCRs). In strategic terms, it opens a new front of opportunities for Brazilian lawyers, especially those advising clients who export, import, invest, or operate in the EU.

                  A starting point, not a “compliance break”

                  This is a milestone and also a starting point. Mutual adequacy does not mean «relax your compliance programs»; on the contrary, it demands governance maturity and careful review.

                  Three concrete fronts for legal work

                  1.      Retiring SCCs: Not Always Automatic

                  The adequacy decision makes SCCs optional in many cases, but that doesn’t mean you can simply tear them up. For existing contracts that already use SCCs, lawyers will need to assess whether they should keep, revise, or remove those clauses. The answer will depend on the risks, data flows, and reliance on third countries in the processing chain. There may also be internal policies, negotiated warranties, or obligations to supervisory authorities that require formal justifications.

                  In practice, companies with complex processing chains (e.g., European headquarters, shared Brazilian HR services, cloud servers in the U.S.) may continue using SCCs in certain flows even after the adequacy recognition. Lawyers will need to carefully document and track this hybrid model.

                  2.      Reviewing Cross-Border Data Transfer Policies

                  Many companies, especially multinationals or those with multiple data protection obligations, have established cross-border data transfer policies («CBTPs») that classify countries into categories and associate specific safeguards for each. Brazil’s new status as an «adequate country» must now be reflected in those documents.

                  For instance, a Brazilian company that receives data from France and sends it to Argentina and India may now adjust internal protocols to reduce documentation and controls on the EU → Brazil leg, while reinforcing controls in the Brazil → Argentina or Brazil → India legs. These changes must be aligned with the company’s policies, contracts, and internal training materials.

                  3.      Adapting Contractual Models for Future Deals

                  The mutual adequacy decision creates a new contractual scenario. Brazilian lawyers advising international clients can now use data transfer models aligned with GDPR—without needing SCCs or complex annexes—provided both parties are located in Brazil and the EU.

                  This reduces transaction costs, improves legal certainty, and increases speed in negotiations involving technology services, cross-border M&A, or shared service centers. A good contractual model should still include data protection clauses—but now focused on risk allocation, DPO cooperation, and incident response coordination, rather than formal compliance with Art. 46 GDPR or Arts. 33–36 LGPD.

                  Summary: Brazil’s data protection authority (ANPD) is signaling a clear move toward stronger, more GDPR-aligned enforcement and rulemaking through its 2026–2027 Priority Topics Map and updated Regulatory Agenda. The selected priorities mirror familiar EU themes—data subject rights, children’s data, public-sector processing, and AI—while adding practical predictability for organizations planning compliance. For European businesses operating in Brazil, the direction of travel suggests increasing convergence in governance, risk assessment, and transparency expectations. This trajectory may also strengthen the long-term case for Brazil to pursue an EU adequacy decision.

                  A maturing authority with a strategic alignment to GDPR

While European regulators refine enforcement mechanisms for mature frameworks, Brazil is quietly building one of the world’s most GDPR-aligned data protection systems outside the EU. The release of the Priority Topics Map for 2026–2027 and of the updated Regulatory Agenda by the National Data Protection Authority (Autoridade Nacional de Proteção de Dados, ANPD) reveals an authority no longer in its infancy, but one strategically positioning itself as a credible counterpart to European supervisory bodies.

                  ANPD’s priority topics for 2026–2027

                  The four priority topics chosen by Brazil’s National Data Protection Authority («ANPD») tell a familiar tale to anyone working with GDPR compliance: data subject rights, protection of children and adolescents in digital environments, processing by public authorities, and artificial intelligence with emerging technologies.

                  Why these priorities feel familiar to GDPR practitioners

                  These are not arbitrary choices but deliberate alignments with the core concerns that have shaped European enforcement over the past seven years, from the fundamental rights guarantees in Articles 12 through 22, to the heightened scrutiny of processing involving minors, to the evolving regulatory treatment of algorithmic systems that now spans both GDPR recitals and the EU AI Act itself.

                  Children and adolescents: new authority and converging expectations

                  Brazil’s recent Digital Statute for Children and Adolescents hands ANPD substantial new authority over age verification and parental consent mechanisms, creating a regulatory bridge that should look strikingly familiar to companies navigating the UK’s Age Appropriate Design Code or implementing EDPB guidance on child data. European digital services operating in Brazil, particularly in social media, gaming, education, or wellness sectors, now face converging compliance expectations on both sides of the Atlantic. The technical architectures and consent flows designed for GDPR are increasingly fit for purpose in the Brazilian context as well.

                  Artificial intelligence and emerging technologies

The elevation of artificial intelligence to priority status is ANPD’s clearest statement yet about where Brazilian regulation is headed, though hardly a surprise, since AI is preoccupying every regulator in every industry. While the LGPD lacks specific AI provisions, the authority has been methodically laying groundwork through public consultations on automated decision-making and studies on algorithmic profiling. For companies already deep in EU AI Act preparation, such convergence offers something rare in global privacy compliance: the potential for genuine efficiency gains through shared governance frameworks, unified risk assessment methodologies, and harmonized transparency protocols rather than duplicative regional adaptations.

                  Data subject rights and DPIAs: reinforcing accountability

                  ANPD’s continued emphasis on data subject rights and Data Protection Impact Assessments reinforces the structural similarities with GDPR’s accountability model. The Brazilian approach increasingly mirrors European expectations around documented risk assessment, standardized response protocols for individual rights requests, and transparency obligations for profiling activities. Multinational organizations can now reasonably contemplate unified DPIA templates and centralized rights management systems that serve both jurisdictions without fundamental architectural splits.

                  The updated Regulatory Agenda for 2025–2026: predictability as a compliance asset

The updated Regulatory Agenda for 2025–2026 provides something perhaps more valuable than new rules: predictability. One should not underestimate the importance of predictability in Brazil, since it is a rare asset, even before the courts; former Finance Minister Pedro Malan once ironically remarked that «in Brazil, even the past is uncertain».

                  What ANPD is telegraphing next

                  By telegraphing upcoming initiatives on biometric data processing, inspection methodologies, sanctioning procedures, cybersecurity standards, and privacy program governance, ANPD offers companies the planning visibility that makes cross-border compliance feasible rather than reactive. These topics map directly onto GDPR’s controller obligations, security requirements, and Data Protection Officer independence provisions in Articles 24 through 39.

                  Beyond compliance: what convergence could mean for data flows

                  The regulatory convergence carries implications beyond operational compliance. The structural alignment between LGPD and GDPR, reinforced by ANPD’s strategic choices, strengthens the case for an eventual EU adequacy decision recognizing Brazil under Article 45.

                  For European businesses and their counsel, the trajectory suggests not just reduced friction in managing trans-Atlantic data flows, but the emergence of genuinely compatible regulatory ecosystems. The challenge will be maintaining attention to Brazilian developments with the same intensity devoted to EDPB guidelines and Commission decisions, recognizing that convergence is a continuous process rather than a static achievement.

                  Conclusion

                  Brazil’s ANPD is increasingly setting priorities that mirror the main pressure points of GDPR compliance, while using its Regulatory Agenda to add clarity and sequencing to what comes next. For organizations operating across the EU and Brazil, the message is practical: governance structures, rights-handling processes, and risk assessment tooling built for GDPR are becoming progressively reusable in the Brazilian context. At the same time, staying alert to ANPD’s evolving guidance—especially around children’s data, AI, biometrics, cybersecurity, and enforcement methodology—will be key to turning regulatory convergence into real operational efficiency and reduced cross-border friction.

                  Summary
                  This article explores the ANPD’s 2025 Tech Radar on neurotechnologies and how it reshapes compliance risks for Brazilian healthtechs—especially in M&A contexts involving GDPR exposure. It outlines key regulatory concerns, the GDPR’s extraterritorial impact, major due-diligence red flags, and the essential deliverables investors should require.

                  Introduction

                  Brazil’s latest ANPD Tech Radar brings neurotechnologies to the forefront of data-protection compliance, exposing significant risks for healthtech companies and investors. With GDPR’s extraterritorial reach, sensitive data processing, opaque AI, and cross-border transfers, data governance has become a critical M&A due-diligence factor requiring structured reviews and robust contractual safeguards.

                  Key Compliance Risks Shaping Brazilian Healthtech M&A

                  Brazil’s Data Protection Authority (ANPD) released its 4th Tech Radar in June 2025, focusing entirely on neurotechnologies—marking the first time the regulator targeted this field so directly. The report explores brain-computer interfaces, advanced wearables, AI-driven cognitive therapies, and predictive diagnostics, highlighting risks far beyond traditional health data processing.

                  For investors and lawyers working M&A deals in Brazil’s healthtech sector, this Radar signals that data protection is no longer a secondary compliance issue—it is now a major source of legal, reputational, and operational risk.

                  GDPR’s Extraterritorial Relevance

                  Many Brazilian healthtechs handle personal data from foreign individuals, particularly Europeans—through expats, medical tourists, cross-border clinical trials, or partnerships with EU-based vendors. When this occurs, GDPR Article 3(2) extends jurisdiction to the Brazilian company, even without any EU establishment.

                  Main Risks Identified by ANPD (Tech Radar #4)

                  • Inferring health data without explicit consent
                    Example: wearables identifying depression through sleep or stress patterns without informing users.
                  • Lack of transparency in predictive algorithms
                    Black-box AI models making clinical decisions without accessible documentation.
                  • Cybersecurity vulnerabilities in connected devices
                    Neural implants or neurostimulators vulnerable to hacking, with potentially physical consequences.
                  • Automated processing that impacts human dignity
                    Behavioral profiling influencing insurance eligibility, discrimination, or patient autonomy in therapy environments.

GDPR Article 22 gives individuals the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects, unless one of its narrow exceptions applies and suitable safeguards are in place; this makes automated clinical or eligibility decisions a critical risk during due diligence.

                  Most Common Red Flags in Brazilian Healthtech Due Diligence

                  No clear legal basis for sensitive data (health, genetic, biometric)

                  LGPD Impact (Brazil): Breach of LGPD Art. 11
                  GDPR Parallel (Europe): Art. 9 (special categories)
                  Practical Recommendation: Require full data-mapping and warranties

                  Generic or “click-to-accept” consents

                  LGPD Impact (Brazil): Invalid consent (Art. 7 & 11)
                  GDPR Parallel (Europe): Art. 6 + 7
                  Practical Recommendation: Ensure all consents are granular, specific, and revocable

                  Third-party sharing without processor agreements

                  LGPD Impact (Brazil): Breach of LGPD Art. 28 & 33
                  GDPR Parallel (Europe): Art. 28
                  Practical Recommendation: Verify existence and adequacy of all DPAs

                  Missing or incomplete ROPA

                  LGPD Impact (Brazil): Serious regulatory violation
                  GDPR Parallel (Europe): Art. 30
                  Practical Recommendation: Make ROPA delivery a closing condition

                  Non-existent or conflicted DPO

                  LGPD Impact (Brazil): Non-compliance with ANPD Resolution CD nº 2
                  GDPR Parallel (Europe): Art. 37–39
                  Practical Recommendation: Require interview + independence confirmation

                  No DPIA for high-risk products

LGPD Impact (Brazil): Expected for high-risk processing; the ANPD may require it (LGPD Art. 38)
                  GDPR Parallel (Europe): Art. 35
                  Practical Recommendation: Include pre-closing DPIA audit clause

                  International transfers without safeguards

                  LGPD Impact (Brazil): Arts. 33–35
                  GDPR Parallel (Europe): Arts. 44–50
Practical Recommendation: Verify the transfer tool in place (EU SCCs of 2021, or ANPD standard clauses under Resolution CD/ANPD No. 19/2024) or adequacy status

                  Real Cases Illustrating the Scale of Risk

                  • Telepsychology platforms investigated for using automated triage without informed consent or AI transparency.
                  • ANPD actions against genomics startups due to cross-border transfers without SCCs or DPIAs.
                  • Outsourced cloud hosting increasing irregular data transfer risks.

                  Until Brazil receives an EU adequacy decision, SCCs and BCRs remain mandatory for compliant transfers.

                  Essential Due Diligence Deliverables

                  A robust data-protection review is now essential in healthtech M&A. Key deliverables include:

                  • LGPD ↔ GDPR gap analysis
                  • ROPA and DPIA review
                  • Sub-processor contract verification
                  • Mapping of all international transfers
                  • Privacy-specific warranties and indemnities
                  • Escrow or holdback for regulatory risk exposure

                  Conclusion

                  Data protection is no longer secondary in healthtech M&A—especially when neurodata is involved. With ANPD scrutinizing neurotechnologies and GDPR obligations extending across borders, investors must prioritize structured due diligence and strong contractual safeguards.

                  FAQ

                  Is neurodata considered sensitive personal data under the LGPD?

                  Yes—ANPD treats neurodata as highly sensitive because it reveals cognitive, emotional, and health patterns.

                  Does GDPR apply to Brazilian companies with no EU presence?

Yes, via Article 3(2), when the company offers goods or services to individuals in the EU or monitors their behaviour there; the nationality of the data subject alone does not trigger it.

                  Are SCCs still required for Brazil–EU transfers?

                  Yes, until Brazil receives an EU adequacy decision.

                  What are the top investor red flags?

                  Missing DPIAs, unclear legal bases, opaque algorithms, and irregular transfers.

                  Since the General Data Protection Regulation (GDPR) took effect in 2018, the European Union (EU) has granted adequacy status to only a limited number of jurisdictions — those whose data protection regimes are deemed to provide an «essentially equivalent» level of protection to that of the EU. The current list includes Andorra, Argentina, Canada (under PIPEDA), Faroe Islands, Guernsey, Isle of Man, Israel, Japan, Jersey, New Zealand, South Korea, Switzerland, Uruguay, the United Kingdom, and the United States (limited to companies certified under the Data Privacy Framework).

                  As of 5 September 2025, Brazil is on the verge of joining this exclusive group. The European Commission has issued a draft adequacy decision concluding that the Brazilian General Data Protection Law (Lei Geral de Proteção de Dados Pessoais – LGPD), in conjunction with Brazil’s broader legal and constitutional framework, offers protections that are essentially equivalent to those found in the GDPR. While Brazil’s rules offer somewhat more flexibility in specific areas of data processing, the foundational principles and safeguards are well-aligned with EU standards.

                  Once finalized, the adequacy decision will authorize the free flow of personal data from the EU to Brazil without the need for additional contractual clauses or technical safeguards. Such a development is not just regulatory — it also answers a core political argument made by LGPD advocates since its inception: that the absence of a comprehensive data protection framework was undermining Brazil’s international competitiveness by limiting data flows and discouraging investment. For businesses, the EU decision may finally mean the removal of a significant layer of compliance complexity — a development especially welcome by small and medium-sized enterprises engaged in cross-border trade or service provision. The draft is currently under review by the European Data Protection Board (EDPB) and the Member States of the EU.

                  The Commission’s assessment highlights several key aspects of Brazil’s data protection landscape. It begins by noting that the Brazilian Constitution expressly guarantees the right to privacy and the protection of personal data — a notable distinction among non-EU jurisdictions. These protections are further supported by Brazil’s ratification of the American Convention on Human Rights and its recognition of the jurisdiction of the Inter-American Court of Human Rights, reinforcing a commitment to fundamental rights and democratic oversight.

                  The LGPD mirrors the GDPR in many critical respects and defines its territorial scope clearly. It applies to: (i) data processing carried out within Brazilian territory, (ii) the offering of goods or services to individuals in Brazil, and (iii) data collected in Brazil, even if subsequently processed abroad. This aligns well with the extraterritorial provisions of the GDPR. The definitions of personal data, sensitive data, controller, and processor are materially similar, as are the key principles governing processing — including lawfulness, purpose limitation, data minimization, accuracy, transparency, and security. The law expressly excludes anonymized data from its scope and establishes specific exemptions for journalistic activities, public security, and scientific research.

                  Another strength is Brazil’s institutional framework. The National Data Protection Authority (ANPD) was recently transformed into an autonomous regulatory agency, enhancing its independence and technical capacity. The ANPD holds both regulatory and enforcement powers: it can issue binding regulations, impose administrative sanctions, and publish authoritative guidance. To date, it has issued key guidelines on topics such as consent, legitimate interest, the role of the Data Protection Officer (DPO), and security incident reporting. Internationally, the ANPD is an active participant in global data protection dialogue — it is a member of the Global Privacy Assembly and an official observer to the Council of Europe’s Convention 108.

                  The LGPD’s approach to international data transfers is also structurally aligned with the GDPR. It requires appropriate safeguards such as standard contractual clauses, allows for future adequacy decisions under a regime comparable to Article 45 of the GDPR, and includes detailed provisions for onward transfers and transit data — that is, data merely passing through Brazil without further processing. The rights of data subjects are robust and familiar to European practitioners: access, rectification, erasure, portability, and withdrawal of consent are guaranteed. Lawful bases for processing are also aligned — including consent, legal obligations, contract execution, and legitimate interest. Notably, the LGPD requires a documented balancing test when relying on legitimate interest, bringing additional accountability to this flexible legal basis.

                  Security incidents involving personal data must be notified to both the ANPD and affected data subjects when there is a significant risk of harm. The standard notification deadline is 72 hours, and the required content aligns closely with Articles 33 and 34 of the GDPR. The ANPD may also order public disclosure of incidents or require remedial measures, depending on the nature and scope of the breach.

                  Importantly, this process is not one-sided. In parallel to the European Commission’s adequacy decision, the ANPD is conducting its own adequacy assessment of the EU and EEA data protection frameworks. This process is regulated by the Brazilian Resolution CD/ANPD No. 19/2024, which governs international data transfers. Once the technical and legal evaluation is complete, the ANPD’s Board of Directors will issue a formal decision. This reciprocal move reflects Brazil’s commitment to mutual recognition and regulatory symmetry — a positive signal for companies on both sides of the Atlantic.

                  In conclusion: If confirmed, Brazil’s adequacy status will simplify international operations, reduce compliance costs, and expand opportunities for data-driven business and legal cooperation. For European lawyers advising SMEs with interests in Latin America, this development is a strategic signal: Brazil is emerging not just as a growing market, but as a legally compatible and data-safe jurisdiction for international partnerships.

                  On 23 August 2024, Brazil’s National Data Protection Authority (ANPD) issued Resolution No. 19, a landmark regulation governing the international transfer of personal data under the Brazilian General Data Protection Law (LGPD). Companies now have until 23 August 2025 to fully comply.

                  This deadline is especially relevant for European multinationals operating in Brazil, or Brazilian subsidiaries sharing data with foreign HQs or vendors. The new rules align Brazil more closely with global privacy frameworks like the GDPR—but with local twists that demand attention.

                  Why It Matters

                  Unlike previous guidance, Resolution No. 19 creates binding legal obligations and explicit deadlines. It introduces mechanisms such as Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), and public transparency requirements—all within a strict 12-month timeframe.

                  For many international companies, this will require significant updates to internal governance, contract management, and cloud data strategies. Below are the key takeaways for foreign counsel.

                  Standard Contractual Clauses (SCCs): Now Mandatory

                  The ANPD has released its own set of Standard Contractual Clauses, which must be used for data transfers to jurisdictions not recognized as offering “adequate protection.”

                  Companies must adopt these clauses by 23 August 2025. This will likely require revisiting existing data processing agreements involving Brazilian parties and ensuring alignment with the ANPD template.

                  Important: The SCCs cannot be modified beyond inserting details in the annexes. Any deviations require prior approval from the ANPD and are limited to exceptional cases.

                  Broad Transparency Requirements

                  Data controllers are now required to publish, on their website, a plain-language document explaining:

                  • the purpose of the international data transfer,
                  • the categories of data involved,
                  • the countries of destination,
                  • and the legal mechanism used to legitimize the transfer.

                  Upon request, data subjects must also receive a copy of the full SCCs within 15 days. Multinationals will need protocols and document templates to respond efficiently—especially when dealing with requests in Portuguese.

                  Expanded Definition of “International Transfer”

                  The Resolution clarifies that a transfer occurs whenever:

                  • data is accessed or stored by an entity located abroad, or
                  • processing is outsourced to a cloud provider with servers or technical teams outside Brazil.

                  This has important implications for global companies that centralize services such as payroll, CRM, or cybersecurity outside Brazil—even if hosted on multinational platforms.

                  Binding Corporate Rules (BCRs): Now Recognized

                  Multinationals with mature privacy programs may apply to the ANPD for approval of their own Binding Corporate Rules, offering an alternative to SCCs.

                  This is a welcome development for companies seeking harmonized compliance across jurisdictions, but approval is expected to involve a complex and time-consuming process. Early preparation is essential.

                  Custom Clauses in Exceptional Circumstances

                  Companies unable to adopt the standard clauses—due to specific factual or legal constraints—may submit alternative clauses for ANPD approval. However, such flexibility is limited and subject to strict justification.

                  In practice, the official SCCs will be the default path for most international data transfers involving Brazil.

                  What Foreign Companies Should Do Now

                  The 12-month window is already ticking. International groups operating in Brazil or processing Brazilian data should urgently:

                  • Map all international data transfers involving Brazil;
                  • Identify contracts and vendors requiring updates;
                  • Insert ANPD’s SCCs where applicable;
                  • Publish the required transparency notice online in Portuguese;
                  • Monitor for further ANPD guidance or enforcement trends.

                  Strategic Compliance: Beyond Legal Risk

                  Resolution No. 19 is part of a global trend toward standardized but locally enforced privacy frameworks. For GDPR-compliant companies, Brazil’s new rules offer a chance to reaffirm leadership in data governance.

                  Those who act early can avoid last-minute fire drills, reduce regulatory exposure, and strengthen credibility with Brazilian regulators and consumers.

                  In today’s data economy, privacy compliance is more than a legal duty—it’s a business differentiator.

                  Brazil’s National Data Protection Authority (ANPD) released a long-awaited guidance document on how companies should interpret and apply the legal basis of legitimate interest under the Brazilian General Data Protection Law (LGPD).

                  This is not merely a local update. As Brazil continues to shape its data protection regime, foreign companies—particularly European SMEs with clients, platforms, or partners in Brazil—must adapt their compliance strategies to local expectations. This new guidance is a crucial development.

                  Below, I summarize what has changed, how it compares to the GDPR approach, and what steps you (or your clients) should take next.

                  Why Legitimate Interest Matters—But Remains Risky

                  Just like under the GDPR, Brazil’s LGPD allows personal data to be processed without consent when doing so is necessary for purposes aligned with the controller’s legitimate interests. However, due to the lack of regulation since the LGPD came into force, this legal basis has long been regarded as risky in Brazil – in fact, it was unclear how to evaluate the “legitimacy” of the interest and balance it against data subject rights.

                  The ANPD’s “Guia Orientativo sobre o Legítimo Interesse” (Guidance on Legitimate Interest) fills that gap—providing a practical framework to assess, document, and justify this legal basis.

                  The ANPD’s Three-Step Balancing Test

                  The core of the new guidance is a three-step balancing test, which mirrors the GDPR’s Legitimate Interests Assessment (LIA) but with Brazilian nuances.

                  • Purpose Test: The controller must define a specific, concrete, and legitimate objective behind the data processing. Open-ended or abstract justifications (“marketing purposes”, “efficiency”) will not suffice. The processing must also align with the reasonable expectations of the data subject.
                  • Necessity Test: The data processing must be strictly necessary to achieve the defined purpose. If the same result could be achieved through less intrusive means (e.g. anonymized data or a different legal basis), the test will likely fail.
                  • Balancing Test and Safeguards: This step assesses whether the controller’s interest outweighs the rights and freedoms of the data subject. Controllers must consider the nature of the data, the context of the processing, and the potential risks involved. When risks are identified, appropriate safeguards must be implemented, such as transparency, opt-outs, pseudonymization, and impact assessments.

                  Takeaway: The ANPD recommends documenting the entire process. While this is not mandatory by law, it will be critical in case of investigations or complaints.

                  How This Affects Foreign Companies Doing Business in Brazil

                  Many foreign companies process personal data of Brazilian individuals—whether by offering digital services, interacting with Brazilian suppliers, or collecting contact information via websites or CRM tools.

                  Although some assume that GDPR compliance is sufficient, the ANPD may evaluate legitimate interest more restrictively than some EU supervisory authorities.

                  Foreign companies should:

                  • Revisit their legal bases for processing data of Brazilian individuals.
                  • Conduct a proper balancing test using the ANPD’s model, even for non-sensitive data.
                  • Keep written records of the analysis (especially if using legitimate interest for analytics or marketing).
                  • Update their privacy notices to reflect the legal basis and safeguards in place.
                  • Be aware of the extraterritorial reach of the LGPD—yes, it applies even if you have no office in Brazil.

                  Strategic Guidance

                  If you advise SMEs that operate across jurisdictions—including Brazil—this new guidance is a practical compliance tool and a risk-mitigation opportunity.

                  Here’s how to act now:

                  • Perform a Legitimate Interests Assessment (LIA) whenever your client relies on this basis in Brazil.
                  • Compare it with the GDPR LIA to identify overlaps and gaps.
                  • Align documentation—so your clients are ready in the event of a complaint or data subject request.
                  • Monitor ANPD updates—the ANPD has increased its activity and enforcement posture significantly in the past year.

                  Final Thoughts

                  The ANPD’s guidance reflects a growing maturity in Brazil’s data protection landscape. Legitimate interest is no longer a vague fallback—it requires structure, analysis, and above all, transparency.

                  European companies with operations or digital exposure in Brazil should approach this legal basis with care and diligence. The good news? The ANPD is now offering the roadmap. It’s up to us, as legal advisors, to make sure our clients follow it.

                  Want to see the full guidance? The original document (in Portuguese) is available here.

                  Brazil is increasingly in the global spotlight when it comes to cybersecurity threats. With over 10 billion cyberattack attempts recorded in 2023 alone, the country ranks among the most targeted worldwide. These incidents are not abstract: they affect sensitive sectors such as finance and healthcare, including data leaks involving over 220 million data subjects from national institutions and critical infrastructure operators.

                  While Brazil may seem like a distant jurisdiction, its data protection regime — shaped by the Lei Geral de Proteção de Dados (LGPD) — has growing significance for European businesses operating or partnering in the region. The LGPD, inspired by the GDPR, sets out specific obligations around data breach notification. However, unlike the GDPR’s mandatory 72-hour notification rule, not all security incidents must be reported to the Brazilian Data Protection Authority (ANPD).

                  So: when exactly should a security incident be reported in Brazil?

                  When Notification is Required: A Three-Step Test

                  Under Brazilian law, a security incident involving personal data must be reported to the ANPD only if the following three criteria are cumulatively met:

                  • The incident has been confirmed.
                  • It involves personal data subject to the LGPD.
                  • It poses a relevant risk or damage to data subjects.

                  This third threshold is critical. According to the ANPD’s Security Incident Communication Regulation (RCIS), relevant risks include incidents that may:

                  • Prevent the exercise of rights or access to services.
                  • Cause material or moral harm.
                  • Involve special categories of data, such as:
                    • Sensitive personal data
                    • Financial data
                    • Large-scale datasets
                    • Children’s or elderly persons’ data
                    • Authentication credentials
                    • Legally protected information (e.g., medical, legal, or professional secrets)

                  This approach offers some flexibility – but it also requires careful legal judgment.

                  When You Don’t Have to Notify

                  There is no obligation to notify the ANPD if the incident does not result in significant risk or damage. For instance, if the breached data is non-sensitive and publicly available (e.g., general contact information), and no additional harm is expected, companies may reasonably determine that notification is unnecessary.

                  However, this decision should not be taken lightly. Controllers are expected to assess several contextual factors, such as:

                  • The volume and nature of the affected data.
                  • Whether the data subjects can be identified.
                  • The likely impact on fundamental rights.
                  • The technical and security measures in place.
                  • Any steps taken to mitigate the damage.

                  In practice, each case must be analyzed individually — and well documented — to ensure a defensible position.

                  How to Notify the ANPD (If Required)

                  If the thresholds for notification are met, companies must report the incident within three business days from the date they became aware that personal data was affected. The notification must include:

                  • A description of the breach and affected data.
                  • The number and profile of impacted data subjects.
                  • Security measures in place before and after the incident.
                  • Potential risks to the data subjects.
                  • Mitigation strategies.
                  • Identification of the controller and DPO (if applicable).

                  Notifications are submitted via the ANPD’s online platform (SUPER). Sensitive business information can be protected through a request for confidential treatment, provided it is properly justified.

                  Strategic Takeaways for European Stakeholders

                  For European companies and compliance officers, understanding the nuances of Brazilian data breach notification rules is essential for several reasons:

                  • Cross-border compliance: Companies transferring personal data to Brazil must ensure regulatory alignment under the GDPR’s international transfer rules.
                  • Due diligence: M&A or vendor screening in Brazil should include assessments of LGPD readiness and breach history.
                  • Incident response protocols: Global organizations must harmonize breach notification timelines and thresholds across jurisdictions, adapting to Brazil’s risk-based approach.

                  In a landscape of increasing cyber threats, aligning with the LGPD is not just a regulatory obligation — it’s a strategic necessity.

                  Final Thoughts

                  Brazil’s data protection authority does not adopt a “one size fits all” model for breach notification. The LGPD introduces a risk-based, case-by-case approach, which may offer more flexibility than the GDPR — but also places a greater burden on organizations to justify their decisions.

                  European companies doing business in Brazil must be prepared to evaluate security incidents in light of both local obligations and international expectations. Failing to notify a breach — or notifying too hastily — can have serious reputational, legal, and operational consequences.

                  Understanding when (and how) to notify the ANPD is a key part of navigating Brazil’s complex but maturing data protection landscape.

                  Leopoldo Pagotto

                  Practice areas

                  • Antitrust
                  • Corporate Ethics and Compliance
                  • Contracts
                  • Corporate Law
                  • Data Protection
                  • Financial Crimes
