Brazil
Brazil’s New Digital Child Protection Law: Practical Implications for Foreign Tech Companies
06.05.2026
- Privacy - Data protection
Summary
Brazil’s new Digital Child Protection Law (ECA Digital – Law No. 15,211/2025) radically changes the compliance obligations for foreign technology companies operating in Brazil. The law introduces a proactive duty of care toward minors, replacing the previous reactive liability model under the Marco Civil da Internet. Any digital service accessible to children or adolescents — including social media, gaming, streaming, AI tools, and app stores — must now adopt safety-by-design and privacy-by-default principles.
Brazil Introduces a New Digital Protection Framework for Minors
When Law No. 15,211/2025, known as the ECA Digital or Digital Statute for Children and Adolescents, came into force on March 17, 2026, Brazil took a significant step in regulating the digital environment. For foreign technology companies that offer services to the Brazilian public, the legislation is far more than just another local rule. It represents a genuine paradigm shift in how platforms must be designed, operated, and monitored.
Until now, the Brazilian Internet Civil Framework (Marco Civil da Internet) of 2014 established essentially a reactive liability regime. Platforms were generally only held responsible for third-party content after receiving a specific court order or valid notification. The ECA Digital inverts this logic. Companies now face a proactive and continuous duty of care, something close to the “duty of care” we already know in Europe through the UK’s Online Safety Act or parts of the Digital Services Act (DSA).
The Best Interests of the Child Become the Central Compliance Principle
The central principle of the law is the best interests of the child and adolescent. Any information technology product or service that is targeted at minors or has a reasonable likelihood of being accessed by them must be developed with this interest as an absolute priority. This includes social networks, gaming apps, streaming platforms, app stores, and even artificial intelligence tools.
In practice, this means adopting the concepts of safety-by-design and privacy-by-default from the outset. It is no longer enough to fix problems after they arise. Companies must anticipate risks to the physical, mental, and moral integrity of younger users and build preventive safeguards.
Mandatory Impact Assessments and Platform Risk Analysis
One of the pillars of the new legislation is the requirement for impact assessments. Platforms must conduct periodic detailed analyses of the potential effects of their functionalities (recommendation algorithms, engagement mechanisms, advertising systems, and even augmented reality features) on children and adolescents. These reports need to be properly documented internally and, in many cases, generate transparent information that can be shared with authorities or made available to the public in a summarized version.
New Age Verification and Parental Control Obligations
Age verification has become significantly more rigorous. A simple self-declaration (“click here if you are over 18”) is no longer considered sufficient. The law requires effective and proportionate mechanisms that respect privacy but genuinely manage to distinguish adults from minors. For users up to 16 years old, accounts on social networks and similar platforms must, as a rule, be linked to a legal guardian.
Furthermore, companies are required to provide robust parental control tools. Guardians must have access to dashboards that allow them to set screen time limits, restrict contacts, approve or block in-app purchases, and disable personalized algorithmic recommendation systems. Many foreign clients I have spoken with still underestimate the weight of this requirement.
Restrictions on Advertising, Profiling, and Gaming Monetization
In the commercial sphere, the law is particularly restrictive. The use of advanced behavioral profiling, emotional analysis, or immersive technologies to target advertising at children and adolescents is prohibited. Monetization of content that inappropriately exploits the image of minors is also subject to severe limitations. In the gaming sector, there are express bans on “loot boxes” and randomized reward systems when the game is accessible to minors, precisely because of their addictive potential and the risk of uncontrolled spending.
Harmful Content Removal and Reporting Requirements
Another aspect that deserves attention is the swift removal of harmful content. The law establishes short deadlines — in some cases as little as 24 hours — for the removal of material related to sexual exploitation, violence, bullying, cyberbullying, incitement to suicide, self-harm, or drug use. In addition to removal, in serious situations platforms must notify the competent authorities, including through international cooperation when necessary.
Legal Representation and Enforcement Risks for Foreign Companies
For foreign companies without a physical presence in Brazil, the law strengthens enforcement mechanisms. It is mandatory to appoint a legal representative established in the country, with powers to receive judicial and administrative citations, respond to requests from the Public Prosecutor’s Office and the National Data Protection Authority (ANPD), and serve as the local point of contact.
In fact, the ANPD assumes a central role in supervising and regulating the law, acting in coordination with the Public Prosecutor’s Office. This creates a more robust enforcement scenario than many international players initially anticipated. Moreover, the law provides for joint and several liability: subsidiaries, branches, or companies within the same economic group in Brazil may be held accountable for violations committed by the foreign parent company.
Financial Penalties and Operational Sanctions
The sanctions are dissuasive. Fines can reach up to 10% of the economic group’s revenue in Brazil in the previous year, or up to R$ 50 million per individual violation, depending on the severity. In extreme cases or in the event of recurrence, authorities may order the temporary suspension or even the complete blocking of the service within Brazilian territory. For companies that depend on the Brazilian market, especially consumer technology firms, this operational risk is very real.
Relationship Between the ECA Digital and Brazil’s LGPD
It is worth noting that the ECA Digital interacts closely with the General Data Protection Law (LGPD). Many of the principles of privacy-by-default, data minimization, and impact assessments already existed under the LGPD, but they now take on more specific contours when the data subject is a child or adolescent. The processing of minors’ data requires even greater care, with more restrictive legal bases and heightened attention to consent and the rights of legal guardians.
Global Regulatory Trends and Brazilian Specificities
From a comparative perspective, the Brazilian law aligns with global trends. It bears clear similarities to the UK’s Age Appropriate Design Code, certain aspects of the European DSA, and ongoing discussions in other Latin American countries. However, it presents distinctly Brazilian nuances: strong influence from the Public Prosecutor’s Office, the tradition of integral protection of children established in the 1990 Child and Adolescent Statute (ECA), and an approach that combines state regulation with the shared responsibility of families, schools, and platforms.
Practical Compliance Steps for Foreign Technology Companies
Foreign legal advisors must act with urgency. A good starting point is to conduct a comprehensive gap analysis: mapping user onboarding flows, reviewing advertising and algorithmic recommendation policies, assessing the adequacy of age verification mechanisms, and verifying whether the legal representation structure in Brazil meets the new requirements.
In addition, it is important to prepare local teams or partners to handle administrative requests and potential audits. Investing in privacy-preserving age verification technologies, such as age estimation or document-based verification without excessive data storage, can make a difference both in compliance and in the user experience.
Conclusion
In summary, the ECA Digital is not merely a symbolic law. It imposes concrete obligations, with adaptation deadlines that have already expired for many companies, and carries real risks of financial and operational sanctions. For law firms advising international clients, especially small and medium-sized practices in Europe and Asia, the moment has come to help these players turn compliance into a competitive advantage.
Those who manage to implement robust protection measures from the design stage of their products will not only avoid heavy fines but may also build greater trust with the Brazilian public and authorities.
Summary: On January 25, 2026, Brazil and the EU mutually recognized each other as providing adequate personal data protection—removing, in many cases, the need for Standard Contractual Clauses (SCCs) or other transfer tools. This shifts the conversation from “copy-paste compliance” to strategy: deciding when to retire SCCs, updating cross-border transfer policies, and modernizing contractual models for future deals.
Why this matters in real transactions
Imagine you’re about to close a deal with a German business partner and your Brazilian client urgently asks for a data transfer clause. It’s always the same copy-paste: Standard Contractual Clauses (SCCs), Annex I and II in both languages, signatures on the dotted line. Now imagine this scene is finally unnecessary.
The mutual adequacy milestone (January 25, 2026)
On January 25, 2026, Brazil and the European Union mutually recognized each other as jurisdictions with an adequate level of personal data protection. It is the first mutual adequacy arrangement between the EU and a Latin American country (Argentina and Uruguay already hold one-way EU adequacy decisions). In practical terms, it means that companies can transfer personal data between Brazil and the EU without additional mechanisms such as SCCs or Binding Corporate Rules (BCRs). In strategic terms, it opens a new front of opportunities for Brazilian lawyers, especially those advising clients who export, import, invest, or operate in the EU.
A starting point, not a “compliance break”
This is a milestone and also a starting point. Mutual adequacy does not mean «relax your compliance programs»; on the contrary, it demands governance maturity and careful review.
Three concrete fronts for legal work
1. Retiring SCCs: Not Always Automatic
The adequacy decision makes SCCs optional in many cases, but that doesn’t mean you can simply tear them up. For existing contracts that already use SCCs, lawyers will need to assess whether they should keep, revise, or remove those clauses. The answer will depend on the risks, data flows, and reliance on third countries in the processing chain. There may also be internal policies, negotiated warranties, or obligations to supervisory authorities that require formal justifications.
In practice, companies with complex processing chains (e.g., European headquarters, shared Brazilian HR services, cloud servers in the U.S.) may continue using SCCs in certain flows even after the adequacy recognition. Lawyers will need to carefully document and track this hybrid model.
2. Reviewing Cross-Border Data Transfer Policies
Many companies, especially multinationals or those with multiple data protection obligations, have established cross-border data transfer policies («CBTPs») that classify countries into categories and associate specific safeguards for each. Brazil’s new status as an «adequate country» must now be reflected in those documents.
For instance, a Brazilian company that receives data from France and sends it to Argentina and India may now adjust internal protocols to reduce documentation and controls on the EU → Brazil leg, while reinforcing controls in the Brazil → Argentina or Brazil → India legs. These changes must be aligned with the company’s policies, contracts, and internal training materials.
3. Adapting Contractual Models for Future Deals
The mutual adequacy decision creates a new contractual scenario. Brazilian lawyers advising international clients can now use data transfer models aligned with the GDPR, without SCCs or complex annexes, provided the exporting and importing parties are located in Brazil and the EU respectively.
This reduces transaction costs, improves legal certainty, and increases speed in negotiations involving technology services, cross-border M&A, or shared service centers. A good contractual model should still include data protection clauses—but now focused on risk allocation, DPO cooperation, and incident response coordination, rather than formal compliance with Art. 46 GDPR or Arts. 33–36 LGPD.
Summary: Brazil’s data protection authority (ANPD) is signaling a clear move toward stronger, more GDPR-aligned enforcement and rulemaking through its 2026–2027 Priority Topics Map and updated Regulatory Agenda. The selected priorities mirror familiar EU themes—data subject rights, children’s data, public-sector processing, and AI—while adding practical predictability for organizations planning compliance. For European businesses operating in Brazil, the direction of travel suggests increasing convergence in governance, risk assessment, and transparency expectations. This trajectory may also strengthen the long-term case for Brazil to pursue an EU adequacy decision.
A maturing authority with a strategic alignment to GDPR
While European regulators refine enforcement mechanisms for mature frameworks, Brazil is quietly building one of the world’s most GDPR-aligned data protection systems outside the EU. The release of the Priority Topics Map for 2026–2027 and the updated Regulatory Agenda by the National Data Protection Authority (ANPD) reveals an authority no longer in its infancy, but one strategically positioning itself as a credible counterpart to European supervisory bodies.
ANPD’s priority topics for 2026–2027
The four priority topics chosen by Brazil’s National Data Protection Authority («ANPD») tell a familiar tale to anyone working with GDPR compliance: data subject rights, protection of children and adolescents in digital environments, processing by public authorities, and artificial intelligence with emerging technologies.
Why these priorities feel familiar to GDPR practitioners
These are not arbitrary choices but deliberate alignments with the core concerns that have shaped European enforcement over the past seven years, from the fundamental rights guarantees in Articles 12 through 22, to the heightened scrutiny of processing involving minors, to the evolving regulatory treatment of algorithmic systems that now spans both GDPR recitals and the EU AI Act itself.
Children and adolescents: new authority and converging expectations
Brazil’s recent Digital Statute for Children and Adolescents hands ANPD substantial new authority over age verification and parental consent mechanisms, creating a regulatory bridge that should look strikingly familiar to companies navigating the UK’s Age Appropriate Design Code or implementing EDPB guidance on child data. European digital services operating in Brazil, particularly in social media, gaming, education, or wellness sectors, now face converging compliance expectations on both sides of the Atlantic. The technical architectures and consent flows designed for GDPR are increasingly fit for purpose in the Brazilian context as well.
Artificial intelligence and emerging technologies
The elevation of artificial intelligence to priority status is ANPD’s clearest statement yet about where Brazilian regulation is headed, although the move itself is hardly surprising: AI is currently preoccupying every regulator in every industry. While the LGPD lacks specific AI provisions, the authority has been methodically laying groundwork through public consultations on automated decision-making and studies on algorithmic profiling. For companies already deep in EU AI Act preparation, this convergence offers something rare in global privacy compliance: the potential for genuine efficiency gains through shared governance frameworks, unified risk assessment methodologies, and harmonized transparency protocols rather than duplicative regional adaptations.
Data subject rights and DPIAs: reinforcing accountability
ANPD’s continued emphasis on data subject rights and Data Protection Impact Assessments reinforces the structural similarities with GDPR’s accountability model. The Brazilian approach increasingly mirrors European expectations around documented risk assessment, standardized response protocols for individual rights requests, and transparency obligations for profiling activities. Multinational organizations can now reasonably contemplate unified DPIA templates and centralized rights management systems that serve both jurisdictions without fundamental architectural splits.
The updated Regulatory Agenda for 2025–2026: predictability as a compliance asset
The updated Regulatory Agenda for 2025–2026 provides something perhaps more valuable than new rules: predictability. One should not underestimate the importance of predictability in Brazil, where it is a rare asset, even before the courts: former Finance Minister Pedro Malan once ironically observed that «in Brazil, even the past is uncertain».
What ANPD is telegraphing next
By telegraphing upcoming initiatives on biometric data processing, inspection methodologies, sanctioning procedures, cybersecurity standards, and privacy program governance, ANPD offers companies the planning visibility that makes cross-border compliance feasible rather than reactive. These topics map directly onto GDPR’s controller obligations, security requirements, and Data Protection Officer independence provisions in Articles 24 through 39.
Beyond compliance: what convergence could mean for data flows
The regulatory convergence carries implications beyond operational compliance. The structural alignment between LGPD and GDPR, reinforced by ANPD’s strategic choices, strengthens the case for an eventual EU adequacy decision recognizing Brazil under Article 45.
For European businesses and their counsel, the trajectory suggests not just reduced friction in managing trans-Atlantic data flows, but the emergence of genuinely compatible regulatory ecosystems. The challenge will be maintaining attention to Brazilian developments with the same intensity devoted to EDPB guidelines and Commission decisions, recognizing that convergence is a continuous process rather than a static achievement.
Conclusion
Brazil’s ANPD is increasingly setting priorities that mirror the main pressure points of GDPR compliance, while using its Regulatory Agenda to add clarity and sequencing to what comes next. For organizations operating across the EU and Brazil, the message is practical: governance structures, rights-handling processes, and risk assessment tooling built for GDPR are becoming progressively reusable in the Brazilian context. At the same time, staying alert to ANPD’s evolving guidance—especially around children’s data, AI, biometrics, cybersecurity, and enforcement methodology—will be key to turning regulatory convergence into real operational efficiency and reduced cross-border friction.
Summary
This article explores the ANPD’s 2025 Tech Radar on neurotechnologies and how it reshapes compliance risks for Brazilian healthtechs—especially in M&A contexts involving GDPR exposure. It outlines key regulatory concerns, the GDPR’s extraterritorial impact, major due-diligence red flags, and the essential deliverables investors should require.
Introduction
Brazil’s latest ANPD Tech Radar brings neurotechnologies to the forefront of data-protection compliance, exposing significant risks for healthtech companies and investors. With GDPR’s extraterritorial reach, sensitive data processing, opaque AI, and cross-border transfers, data governance has become a critical M&A due-diligence factor requiring structured reviews and robust contractual safeguards.
Key Compliance Risks Shaping Brazilian Healthtech M&A
Brazil’s Data Protection Authority (ANPD) released its 4th Tech Radar in June 2025, focusing entirely on neurotechnologies—marking the first time the regulator targeted this field so directly. The report explores brain-computer interfaces, advanced wearables, AI-driven cognitive therapies, and predictive diagnostics, highlighting risks far beyond traditional health data processing.
For investors and lawyers working M&A deals in Brazil’s healthtech sector, this Radar signals that data protection is no longer a secondary compliance issue—it is now a major source of legal, reputational, and operational risk.
GDPR’s Extraterritorial Relevance
Many Brazilian healthtechs handle personal data from foreign individuals, particularly Europeans—through expats, medical tourists, cross-border clinical trials, or partnerships with EU-based vendors. When this occurs, GDPR Article 3(2) extends jurisdiction to the Brazilian company, even without any EU establishment.
Main Risks Identified by ANPD (Tech Radar #4)
- Inferring health data without explicit consent. Example: wearables identifying depression through sleep or stress patterns without informing users.
- Lack of transparency in predictive algorithms: black-box AI models making clinical decisions without accessible documentation.
- Cybersecurity vulnerabilities in connected devices: neural implants or neurostimulators vulnerable to hacking, with potentially physical consequences.
- Automated processing that impacts human dignity: behavioral profiling influencing insurance eligibility, discrimination, or patient autonomy in therapy environments.
GDPR Article 22 gives individuals the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects, unless one of its narrow exceptions applies and suitable safeguards (including the right to obtain human intervention) are in place. Clinical or eligibility decisions taken by black-box models are therefore a critical item in due diligence.
Most Common Red Flags in Brazilian Healthtech Due Diligence
| Red flag | LGPD impact (Brazil) | GDPR parallel (Europe) | Practical recommendation |
|---|---|---|---|
| No clear legal basis for sensitive data (health, genetic, biometric) | Breach of LGPD Art. 11 | Art. 9 (special categories) | Require full data mapping and warranties |
| Generic or “click-to-accept” consents | Invalid consent (Arts. 7 and 11) | Arts. 6 and 7 | Ensure all consents are granular, specific, and revocable |
| Third-party sharing without processor agreements | Breach of LGPD Arts. 28 and 33 | Art. 28 | Verify existence and adequacy of all DPAs |
| Missing or incomplete ROPA | Serious regulatory violation | Art. 30 | Make ROPA delivery a closing condition |
| Non-existent or conflicted DPO | Non-compliance with ANPD Resolution CD nº 2 | Arts. 37–39 | Require interview and independence confirmation |
| No DPIA for high-risk products | Mandatory (ANPD Res. 15/2023) | Art. 35 | Include pre-closing DPIA audit clause |
| International transfers without safeguards | Arts. 33–35 | Arts. 44–50 | Verify SCCs (2021/2023) or adequacy status |
Real Cases Illustrating the Scale of Risk
- Telepsychology platforms investigated for using automated triage without informed consent or AI transparency.
- ANPD actions against genomics startups due to cross-border transfers without SCCs or DPIAs.
- Outsourced cloud hosting increasing irregular data transfer risks.
Until Brazil receives an EU adequacy decision, SCCs and BCRs remain mandatory for compliant transfers.
Essential Due Diligence Deliverables
A robust data-protection review is now essential in healthtech M&A. Key deliverables include:
- LGPD ↔ GDPR gap analysis
- ROPA and DPIA review
- Sub-processor contract verification
- Mapping of all international transfers
- Privacy-specific warranties and indemnities
- Escrow or holdback for regulatory risk exposure
Conclusion
Data protection is no longer secondary in healthtech M&A—especially when neurodata is involved. With ANPD scrutinizing neurotechnologies and GDPR obligations extending across borders, investors must prioritize structured due diligence and strong contractual safeguards.
FAQ
Is neurodata considered sensitive personal data under the LGPD?
Yes—ANPD treats neurodata as highly sensitive because it reveals cognitive, emotional, and health patterns.
Does GDPR apply to Brazilian companies with no EU presence?
Yes, via Article 3(2), whenever EU data subjects’ information is processed.
Are SCCs still required for Brazil–EU transfers?
Yes, until Brazil receives an EU adequacy decision.
What are the top investor red flags?
Missing DPIAs, unclear legal bases, opaque algorithms, and irregular transfers.
Under the General Data Protection Regulation (GDPR), in force since 2018, the European Union (EU) recognizes only a limited number of jurisdictions as «adequate», that is, as providing a level of data protection «essentially equivalent» to that of the EU (several of these decisions predate the GDPR, having been adopted under the 1995 Data Protection Directive and carried over). The current list includes Andorra, Argentina, Canada (commercial organizations subject to PIPEDA), the Faroe Islands, Guernsey, the Isle of Man, Israel, Japan, Jersey, New Zealand, South Korea, Switzerland, Uruguay, the United Kingdom, and the United States (limited to companies certified under the EU-US Data Privacy Framework).
As of 5 September 2025, Brazil is on the verge of joining this exclusive group. The European Commission has issued a draft adequacy decision concluding that the Brazilian General Data Protection Law (Lei Geral de Proteção de Dados Pessoais – LGPD), in conjunction with Brazil’s broader legal and constitutional framework, offers protections that are essentially equivalent to those found in the GDPR. While Brazil’s rules offer somewhat more flexibility in specific areas of data processing, the foundational principles and safeguards are well-aligned with EU standards.
Once finalized, the adequacy decision will authorize the free flow of personal data from the EU to Brazil without the need for additional contractual clauses or technical safeguards. Such a development is not just regulatory — it also answers a core political argument made by LGPD advocates since its inception: that the absence of a comprehensive data protection framework was undermining Brazil’s international competitiveness by limiting data flows and discouraging investment. For businesses, the EU decision may finally mean the removal of a significant layer of compliance complexity — a development especially welcome by small and medium-sized enterprises engaged in cross-border trade or service provision. The draft is currently under review by the European Data Protection Board (EDPB) and the Member States of the EU.
The Commission’s assessment highlights several key aspects of Brazil’s data protection landscape. It begins by noting that the Brazilian Constitution expressly guarantees the right to privacy and the protection of personal data — a notable distinction among non-EU jurisdictions. These protections are further supported by Brazil’s ratification of the American Convention on Human Rights and its recognition of the jurisdiction of the Inter-American Court of Human Rights, reinforcing a commitment to fundamental rights and democratic oversight.
The LGPD mirrors the GDPR in many critical respects and defines its territorial scope clearly. It applies to: (i) data processing carried out within Brazilian territory, (ii) the offering of goods or services to individuals in Brazil, and (iii) data collected in Brazil, even if subsequently processed abroad. This aligns well with the extraterritorial provisions of the GDPR. The definitions of personal data, sensitive data, controller, and processor are materially similar, as are the key principles governing processing — including lawfulness, purpose limitation, data minimization, accuracy, transparency, and security. The law expressly excludes anonymized data from its scope and establishes specific exemptions for journalistic activities, public security, and scientific research.
Another strength is Brazil’s institutional framework. The National Data Protection Authority (ANPD) was recently transformed into an autonomous regulatory agency, enhancing its independence and technical capacity. The ANPD holds both regulatory and enforcement powers: it can issue binding regulations, impose administrative sanctions, and publish authoritative guidance. To date, it has issued key guidelines on topics such as consent, legitimate interest, the role of the Data Protection Officer (DPO), and security incident reporting. Internationally, the ANPD is an active participant in global data protection dialogue — it is a member of the Global Privacy Assembly and an official observer to the Council of Europe’s Convention 108.
The LGPD’s approach to international data transfers is also structurally aligned with the GDPR. It requires appropriate safeguards such as standard contractual clauses, allows for future adequacy decisions under a regime comparable to Article 45 of the GDPR, and includes detailed provisions for onward transfers and transit data — that is, data merely passing through Brazil without further processing. The rights of data subjects are robust and familiar to European practitioners: access, rectification, erasure, portability, and withdrawal of consent are guaranteed. Lawful bases for processing are also aligned — including consent, legal obligations, contract execution, and legitimate interest. Notably, the LGPD requires a documented balancing test when relying on legitimate interest, bringing additional accountability to this flexible legal basis.
Security incidents involving personal data must be notified to both the ANPD and the affected data subjects when they may cause significant risk or harm. Under Resolution CD/ANPD No. 15/2024 the standard deadline is three business days from the controller becoming aware of the incident (close to, but not identical with, the GDPR’s 72-hour rule), and the required content aligns closely with Articles 33 and 34 of the GDPR. The ANPD may also order public disclosure of incidents or require remedial measures, depending on the nature and scope of the breach.
Importantly, this process is not one-sided. In parallel to the European Commission’s adequacy decision, the ANPD is conducting its own adequacy assessment of the EU and EEA data protection frameworks. This process is regulated by the Brazilian Resolution CD/ANPD No. 19/2024, which governs international data transfers. Once the technical and legal evaluation is complete, the ANPD’s Board of Directors will issue a formal decision. This reciprocal move reflects Brazil’s commitment to mutual recognition and regulatory symmetry — a positive signal for companies on both sides of the Atlantic.
In conclusion: If confirmed, Brazil’s adequacy status will simplify international operations, reduce compliance costs, and expand opportunities for data-driven business and legal cooperation. For European lawyers advising SMEs with interests in Latin America, this development is a strategic signal: Brazil is emerging not just as a growing market, but as a legally compatible and data-safe jurisdiction for international partnerships.
On 23 August 2024, Brazil’s National Data Protection Authority (ANPD) issued Resolution No. 19, a landmark regulation governing the international transfer of personal data under the Brazilian General Data Protection Law (LGPD). Companies now have until 23 August 2025 to fully comply.
This deadline is especially relevant for European multinationals operating in Brazil, or Brazilian subsidiaries sharing data with foreign HQs or vendors. The new rules align Brazil more closely with global privacy frameworks like the GDPR—but with local twists that demand attention.
Why It Matters
Unlike previous guidance, Resolution No. 19 creates binding legal obligations and explicit deadlines. It introduces mechanisms such as Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), and public transparency requirements—all within a strict 12-month timeframe.
For many international companies, this will require significant updates to internal governance, contract management, and cloud data strategies. Below are the key takeaways for foreign counsel.
Standard Contractual Clauses (SCCs): Now Mandatory
The ANPD has released its own set of Standard Contractual Clauses, which are the default mechanism for data transfers to jurisdictions the ANPD has not recognized as offering an “adequate level of protection,” where no other recognized mechanism (approved specific clauses or Binding Corporate Rules) applies.
Companies must adopt these clauses by 23 August 2025. This will likely require revisiting existing data processing agreements involving Brazilian parties and ensuring alignment with the ANPD template.
Important: The SCCs cannot be modified beyond inserting details in the annexes. Any deviations require prior approval from the ANPD and are limited to exceptional cases.
Broad Transparency Requirements
Data controllers are now required to publish, on their website, a plain-language document explaining:
- the purpose of the international data transfer,
- the categories of data involved,
- the countries of destination,
- and the legal mechanism used to legitimize the transfer.
Upon request, data subjects must also receive a copy of the full SCCs within 15 days. Multinationals will need protocols and document templates to respond efficiently—especially when dealing with requests in Portuguese.
Expanded Definition of “International Transfer”
The Resolution clarifies that a transfer occurs whenever:
- data is accessed or stored by an entity located abroad, or
- processing is outsourced to a cloud provider with servers or technical teams outside Brazil.
This has important implications for global companies that centralize services such as payroll, CRM, or cybersecurity outside Brazil—even if hosted on multinational platforms.
Binding Corporate Rules (BCRs): Now Recognized
Multinationals with mature privacy programs may apply to the ANPD for approval of their own Binding Corporate Rules, offering an alternative to SCCs.
This is a welcome development for companies seeking harmonized compliance across jurisdictions, but approval is expected to involve a complex and time-consuming process. Early preparation is essential.
Custom Clauses in Exceptional Circumstances
Companies unable to adopt the standard clauses—due to specific factual or legal constraints—may submit alternative clauses for ANPD approval. However, such flexibility is limited and subject to strict justification.
In practice, the official SCCs will be the default path for most international data transfers involving Brazil.
What Foreign Companies Should Do Now
The 12-month window is already ticking. International groups operating in Brazil or processing Brazilian data should urgently:
- Map all international data transfers involving Brazil;
- Identify contracts and vendors requiring updates;
- Insert ANPD’s SCCs where applicable;
- Publish the required transparency notice online in Portuguese;
- Monitor for further ANPD guidance or enforcement trends.
Strategic Compliance: Beyond Legal Risk
Resolution No. 19 is part of a global trend toward standardized but locally enforced privacy frameworks. For GDPR-compliant companies, Brazil’s new rules offer a chance to reaffirm leadership in data governance.
Those who act early can avoid last-minute fire drills, reduce regulatory exposure, and strengthen credibility with Brazilian regulators and consumers.
In today’s data economy, privacy compliance is more than a legal duty—it’s a business differentiator.
Brazil’s National Data Protection Authority (ANPD) released a long-awaited guidance document on how companies should interpret and apply the legal basis of legitimate interest under the Brazilian General Data Protection Law (LGPD).
This is not merely a local update. As Brazil continues to shape its data protection regime, foreign companies—particularly European SMEs with clients, platforms, or partners in Brazil—must adapt their compliance strategies to local expectations. This new guidance is a crucial development.
Below, I summarize what has changed, how it compares to the GDPR approach, and what steps you (or your clients) should take next.
Why Legitimate Interest Matters—But Remains Risky
Just like under the GDPR, Brazil’s LGPD allows personal data to be processed without consent when doing so is necessary for purposes aligned with the controller’s legitimate interests. However, because no regulation on this basis was issued after the LGPD came into force, it has long been regarded as risky in Brazil: it was unclear how to evaluate the «legitimacy» of the interest and how to balance it against data subject rights.
The ANPD’s «Guia Orientativo sobre o Legítimo Interesse» (Guidance on Legitimate Interest) fills that gap—providing a practical framework to assess, document, and justify this legal basis.
The ANPD’s Three-Step Balancing Test
The core of the new guidance is a three-step balancing test, which mirrors the GDPR’s Legitimate Interests Assessment (LIA) but with Brazilian nuances.
- Purpose Test: The controller must define a specific, concrete, and legitimate objective behind the data processing. Open-ended or abstract justifications (“marketing purposes”, “efficiency”) will not suffice. The processing must also align with the reasonable expectations of the data subject.
- Necessity Test: The data processing must be strictly necessary to achieve the defined purpose. If the same result could be achieved through less intrusive means (e.g. anonymized data or a different legal basis), the test will likely fail.
- Balancing Test and Safeguards: This step assesses whether the controller’s interest outweighs the rights and freedoms of the data subject. Controllers must consider the nature of the data, the context of the processing, and the potential risks involved. When risks are identified, appropriate safeguards must be implemented, such as transparency, opt-outs, pseudonymization, and impact assessments.
Takeaway: The ANPD recommends documenting the entire process. While this is not mandatory by law, it will be critical in case of investigations or complaints.
How This Affects Foreign Companies doing business in Brazil
Many foreign companies process personal data of Brazilian individuals—whether by offering digital services, interacting with Brazilian suppliers, or collecting contact information via websites or CRM tools.
Although some assume that GDPR compliance is sufficient, the ANPD may evaluate legitimate interest more restrictively than some EU supervisory authorities.
Foreign companies should:
- Revisit their legal bases for processing data of Brazilian individuals.
- Conduct a proper balancing test using the ANPD’s model, even for non-sensitive data.
- Keep written records of the analysis (especially if using legitimate interest for analytics or marketing).
- Update their privacy notices to reflect the legal basis and safeguards in place.
- Be aware of the extraterritorial reach of the LGPD—yes, it applies even if you have no office in Brazil.
Strategic Guidance
If you advise SMEs that operate across jurisdictions—including Brazil—this new guidance is a practical compliance tool and a risk-mitigation opportunity.
Here’s how to act now:
- Perform a Legitimate Interests Assessment (LIA) whenever your client relies on this basis in Brazil.
- Compare it with the GDPR LIA to identify overlaps and gaps.
- Align documentation—so your clients are ready in the event of a complaint or data subject request.
- Monitor ANPD updates—the ANPD has increased its activity and enforcement posture significantly in the past year.
Final Thoughts
The ANPD’s guidance reflects a growing maturity in Brazil’s data protection landscape. Legitimate interest is no longer a vague fallback—it requires structure, analysis, and above all, transparency.
European companies with operations or digital exposure in Brazil should approach this legal basis with care and diligence. The good news? The ANPD is now offering the roadmap. It’s up to us, as legal advisors, to make sure our clients follow it.
Want to see the full guidance? The original document (in Portuguese) is available here.
Brazil is increasingly in the global spotlight when it comes to cybersecurity threats. With over 10 billion cyberattack attempts recorded in 2023 alone, the country ranks among the most targeted worldwide. These incidents are not abstract: they affect sensitive sectors such as finance and healthcare, including data leaks involving over 220 million data subjects from national institutions and critical infrastructure operators.
While Brazil may seem like a distant jurisdiction, its data protection regime, shaped by the Lei Geral de Proteção de Dados (LGPD), has growing significance for European businesses operating or partnering in the region. The LGPD, inspired by the GDPR, sets out specific obligations around data breach notification. However, its regime differs from the GDPR’s 72-hour rule in both deadline and threshold: not every security incident must be reported to the Brazilian Data Protection Authority (ANPD).
So: when exactly should a security incident be reported in Brazil?
When Notification is Required: A Three-Step Test
Under Brazilian law, a security incident involving personal data must be reported to the ANPD only if the following three criteria are cumulatively met:
- The incident has been confirmed.
- It involves personal data subject to the LGPD.
- It poses a relevant risk or damage to data subjects.
This third threshold is critical. According to the ANPD’s Security Incident Communication Regulation (RCIS), relevant risks include incidents that may:
- Prevent the exercise of rights or access to services.
- Cause material or moral harm.
- Involve special categories of data, such as sensitive personal data, financial data, large-scale datasets, children’s or elderly persons’ data, authentication credentials, or legally protected information (e.g., medical, legal, or professional secrets).
This approach offers some flexibility — but it also requires careful legal judgment.
When You Don’t Have to Notify
There is no obligation to notify the ANPD if the incident does not result in significant risk or damage. For instance, if the breached data is non-sensitive and publicly available (e.g., general contact information), and no additional harm is expected, companies may reasonably determine that notification is unnecessary.
However, this decision should not be taken lightly. Controllers are expected to assess several contextual factors, such as:
- The volume and nature of the affected data.
- Whether the data subjects can be identified.
- The likely impact on fundamental rights.
- The technical and security measures in place.
- Any steps taken to mitigate the damage.
In practice, each case must be analyzed individually — and well documented — to ensure a defensible position.
How to Notify the ANPD (If Required)
If the thresholds for notification are met, companies must report the incident within three business days from the date they became aware that personal data was affected. The notification must include:
- A description of the breach and affected data.
- The number and profile of impacted data subjects.
- Security measures in place before and after the incident.
- Potential risks to the data subjects.
- Mitigation strategies.
- Identification of the controller and DPO (if applicable).
Notifications are submitted via the ANPD’s online platform (SUPER). Sensitive business information can be protected through a request for confidential treatment, provided it is properly justified.
Strategic Takeaways for European Stakeholders
For European companies and compliance officers, understanding the nuances of Brazilian data breach notification rules is essential for several reasons:
- Cross-border compliance: Companies transferring personal data to Brazil must ensure regulatory alignment under the GDPR’s international transfer rules.
- Due diligence: M&A or vendor screening in Brazil should include assessments of LGPD readiness and breach history.
- Incident response protocols: Global organizations must harmonize breach notification timelines and thresholds across jurisdictions, adapting to Brazil’s risk-based approach.
In a landscape of increasing cyber threats, aligning with the LGPD is not just a regulatory obligation — it’s a strategic necessity.
Final Thoughts
Brazil’s data protection authority does not adopt a «one size fits all» model for breach notification. The LGPD introduces a risk-based, case-by-case approach, which may offer more flexibility than the GDPR — but also places a greater burden on organizations to justify their decisions.
European companies doing business in Brazil must be prepared to evaluate security incidents in light of both local obligations and international expectations. Failing to notify a breach — or notifying too hastily — can have serious reputational, legal, and operational consequences.
Understanding when (and how) to notify the ANPD is a key part of navigating Brazil’s complex but maturing data protection landscape.
Brazil–EU Mutual Adequacy and What Comes Next
12.02.2026
In practice, this means adopting the concepts of safety-by-design and privacy-by-default from the outset. It is no longer enough to fix problems after they arise. Companies must anticipate risks to the physical, mental, and moral integrity of younger users and build preventive safeguards.
Mandatory Impact Assessments and Platform Risk Analysis
One of the pillars of the new legislation is the requirement for impact assessments. Platforms must conduct periodic detailed analyses of the potential effects of their functionalities (recommendation algorithms, engagement mechanisms, advertising systems, and even augmented reality features) on children and adolescents. These reports need to be properly documented internally and, in many cases, generate transparent information that can be shared with authorities or made available to the public in a summarized version.
New Age Verification and Parental Control Obligations
Age verification has become significantly more rigorous. A simple self-declaration (“click here if you are over 18”) is no longer considered sufficient. The law requires effective and proportionate mechanisms that respect privacy but genuinely manage to distinguish adults from minors. For users up to 16 years old, accounts on social networks and similar platforms must, as a rule, be linked to a legal guardian.
Furthermore, companies are required to provide robust parental control tools. Guardians must have access to dashboards that allow them to set screen time limits, restrict contacts, approve or block in-app purchases, and disable personalized algorithmic recommendation systems. Many foreign clients I have spoken with still underestimate the weight of this requirement.
Restrictions on Advertising, Profiling, and Gaming Monetization
In the commercial sphere, the law is particularly restrictive. The use of advanced behavioral profiling, emotional analysis, or immersive technologies to target advertising at children and adolescents is prohibited. Monetization of content that inappropriately exploits the image of minors is also subject to severe limitations. In the gaming sector, there are express bans on “loot boxes” and randomized reward systems when the game is accessible to minors, precisely because of their addictive potential and the risk of uncontrolled spending.
Harmful Content Removal and Reporting Requirements
Another aspect that deserves attention is the swift removal of harmful content. The law establishes short deadlines — in some cases as little as 24 hours — for the removal of material related to sexual exploitation, violence, bullying, cyberbullying, incitement to suicide, self-harm, or drug use. In addition to removal, in serious situations platforms must notify the competent authorities, including through international cooperation when necessary.
Legal Representation and Enforcement Risks for Foreign Companies
For foreign companies without a physical presence in Brazil, the law strengthens enforcement mechanisms. It is mandatory to appoint a legal representative established in the country, with powers to receive judicial and administrative citations, respond to requests from the Public Prosecutor’s Office and the National Data Protection Authority (ANPD), and serve as the local point of contact.
In fact, the ANPD assumes a central role in supervising and regulating the law, acting in coordination with the Public Prosecutor’s Office. This creates a more robust enforcement scenario than many international players initially anticipated. Moreover, the law provides for joint and several liability: subsidiaries, branches, or companies within the same economic group in Brazil may be held accountable for violations committed by the foreign parent company.
Financial Penalties and Operational Sanctions
The sanctions are dissuasive. Fines can reach up to 10% of the economic group’s revenue in Brazil in the previous year, or up to R$ 50 million per individual violation, depending on the severity. In extreme cases or in the event of recurrence, authorities may order the temporary suspension or even the complete blocking of the service within Brazilian territory. For companies that depend on the Brazilian market, especially consumer technology firms, this operational risk is very real.
Relationship Between the ECA Digital and Brazil’s LGPD
It is worth noting that the ECA Digital interacts closely with the General Data Protection Law (LGPD). Many of the principles of privacy-by-default, data minimization, and impact assessments already existed under the LGPD, but they now take on more specific contours when the data subject is a child or adolescent. The processing of minors’ data requires even greater care, with more restrictive legal bases and heightened attention to consent and the rights of legal guardians.
Global Regulatory Trends and Brazilian Specificities
From a comparative perspective, the Brazilian law aligns with global trends. It bears clear similarities to the UK’s Age Appropriate Design Code, certain aspects of the European DSA, and ongoing discussions in other Latin American countries. However, it presents distinctly Brazilian nuances: strong influence from the Public Prosecutor’s Office, the tradition of integral protection of children established in the 1990 Child and Adolescent Statute (ECA), and an approach that combines state regulation with the shared responsibility of families, schools, and platforms.
Practical Compliance Steps for Foreign Technology Companies
Foreign legal advisors must act with urgency. A good starting point is to conduct a comprehensive gap analysis: mapping user onboarding flows, reviewing advertising and algorithmic recommendation policies, assessing the adequacy of age verification mechanisms, and verifying whether the legal representation structure in Brazil meets the new requirements.
In addition, it is important to prepare local teams or partners to handle administrative requests and potential audits. Investing in privacy-preserving age verification technologies, such as age estimation or document-based verification without excessive data storage, can make a difference both in compliance and in the user experience.
Conclusion
In summary, the ECA Digital is not merely a symbolic law. It imposes concrete obligations, with adaptation deadlines that have already expired for many companies, and carries real risks of financial and operational sanctions. For law firms advising international clients, especially small and medium-sized practices in Europe and Asia, the moment has come to help these players turn compliance into a competitive advantage.
Those who manage to implement robust protection measures from the design stage of their products will not only avoid heavy fines but may also build greater trust with the Brazilian public and authorities.
Summary: On January 25, 2026, Brazil and the EU mutually recognized each other as providing adequate personal data protection—removing, in many cases, the need for Standard Contractual Clauses (SCCs) or other transfer tools. This shifts the conversation from “copy-paste compliance” to strategy: deciding when to retire SCCs, updating cross-border transfer policies, and modernizing contractual models for future deals.
Why this matters in real transactions
Imagine you’re about to close a deal with a German business partner and your Brazilian client urgently asks for a data transfer clause. It’s always the same copy-paste: Standard Contractual Clauses (SCCs), Annex I and II in both languages, signatures on the dotted line. Now imagine this scene is finally unnecessary.
The mutual adequacy milestone (January 25, 2026)
On January 25, 2026, Brazil and the European Union mutually recognized each other as providing adequate levels of personal data protection. It is the first mutual adequacy arrangement between the EU and a Latin American country. In practical terms, it means that companies can transfer personal data between Brazil and the EU without the need for additional mechanisms, like SCCs or Binding Corporate Rules (BCRs). In strategic terms, it opens a new front of opportunities for Brazilian lawyers, especially those advising clients who export, import, invest, or operate in the EU.
A starting point, not a “compliance break”
This is a milestone and also a starting point. Mutual adequacy does not mean «relax your compliance programs»; on the contrary, it demands governance maturity and careful review.
Three concrete fronts for legal work
1. Retiring SCCs: Not Always Automatic
The adequacy decision makes SCCs optional in many cases, but that doesn’t mean you can simply tear them up. For existing contracts that already use SCCs, lawyers will need to assess whether they should keep, revise, or remove those clauses. The answer will depend on the risks, data flows, and reliance on third countries in the processing chain. There may also be internal policies, negotiated warranties, or obligations to supervisory authorities that require formal justifications.
In practice, companies with complex processing chains (e.g., European headquarters, shared Brazilian HR services, cloud servers in the U.S.) may continue using SCCs in certain flows even after the adequacy recognition. Lawyers will need to carefully document and track this hybrid model.
2. Reviewing Cross-Border Data Transfer Policies
Many companies, especially multinationals or those with multiple data protection obligations, have established cross-border data transfer policies («CBTPs») that classify countries into categories and associate specific safeguards for each. Brazil’s new status as an «adequate country» must now be reflected in those documents.
For instance, a Brazilian company that receives data from France and sends it to Argentina and India may now adjust internal protocols to reduce documentation and controls on the EU → Brazil leg, while reinforcing controls in the Brazil → Argentina or Brazil → India legs. These changes must be aligned with the company’s policies, contracts, and internal training materials.
3. Adapting Contractual Models for Future Deals
The mutual adequacy decision creates a new contractual scenario. Brazilian lawyers advising international clients can now use data transfer models aligned with GDPR, without SCCs or complex annexes, provided the parties are located in Brazil and the EU respectively.
This reduces transaction costs, improves legal certainty, and increases speed in negotiations involving technology services, cross-border M&A, or shared service centers. A good contractual model should still include data protection clauses—but now focused on risk allocation, DPO cooperation, and incident response coordination, rather than formal compliance with Art. 46 GDPR or Arts. 33–36 LGPD.
Summary: Brazil’s data protection authority (ANPD) is signaling a clear move toward stronger, more GDPR-aligned enforcement and rulemaking through its 2026–2027 Priority Topics Map and updated Regulatory Agenda. The selected priorities mirror familiar EU themes—data subject rights, children’s data, public-sector processing, and AI—while adding practical predictability for organizations planning compliance. For European businesses operating in Brazil, the direction of travel suggests increasing convergence in governance, risk assessment, and transparency expectations. This trajectory may also strengthen the long-term case for Brazil to pursue an EU adequacy decision.
A maturing authority with a strategic alignment to GDPR
While European regulators refine enforcement mechanisms for mature frameworks, Brazil is quietly building one of the world’s most GDPR-aligned data protection systems outside the EU. The release of the Priority Topics Map for 2026–2027 and the updated Regulatory Agenda by the National Data Protection Authority (ANPD) reveals an authority no longer in its infancy, but one strategically positioning itself as a credible counterpart to European supervisory bodies.
ANPD’s priority topics for 2026–2027
The four priority topics chosen by Brazil’s National Data Protection Authority («ANPD») tell a familiar tale to anyone working with GDPR compliance: data subject rights, protection of children and adolescents in digital environments, processing by public authorities, and artificial intelligence with emerging technologies.
Why these priorities feel familiar to GDPR practitioners
These are not arbitrary choices but deliberate alignments with the core concerns that have shaped European enforcement over the past seven years, from the fundamental rights guarantees in Articles 12 through 22, to the heightened scrutiny of processing involving minors, to the evolving regulatory treatment of algorithmic systems that now spans both GDPR recitals and the EU AI Act itself.
Children and adolescents: new authority and converging expectations
Brazil’s recent Digital Statute for Children and Adolescents hands ANPD substantial new authority over age verification and parental consent mechanisms, creating a regulatory bridge that should look strikingly familiar to companies navigating the UK’s Age Appropriate Design Code or implementing EDPB guidance on child data. European digital services operating in Brazil, particularly in social media, gaming, education, or wellness sectors, now face converging compliance expectations on both sides of the Atlantic. The technical architectures and consent flows designed for GDPR are increasingly fit for purpose in the Brazilian context as well.
Artificial intelligence and emerging technologies
The elevation of artificial intelligence to priority status represents ANPD’s clearest statement yet about where Brazilian regulation is headed. The move itself is hardly a surprise, since AI is now on the agenda of every regulator in every industry. While the LGPD lacks specific AI provisions, the authority has been methodically laying groundwork through public consultations on automated decision-making and studies on algorithmic profiling. For companies already deep in EU AI Act preparation, such a convergence offers something rare in global privacy compliance: the potential for genuine efficiency gains through shared governance frameworks, unified risk assessment methodologies, and harmonized transparency protocols rather than duplicative regional adaptations.
Data subject rights and DPIAs: reinforcing accountability
ANPD’s continued emphasis on data subject rights and Data Protection Impact Assessments reinforces the structural similarities with GDPR’s accountability model. The Brazilian approach increasingly mirrors European expectations around documented risk assessment, standardized response protocols for individual rights requests, and transparency obligations for profiling activities. Multinational organizations can now reasonably contemplate unified DPIA templates and centralized rights management systems that serve both jurisdictions without fundamental architectural splits.
The updated Regulatory Agenda for 2025–2026: predictability as a compliance asset
The updated Regulatory Agenda for 2025–2026 provides something perhaps more valuable than new rules: predictability. One should not underestimate the importance of predictability in Brazil, where it is a rare asset, even before the courts; former Finance Minister Pedro Malan once ironically remarked that «in Brazil, even the past is uncertain».
What ANPD is telegraphing next
By telegraphing upcoming initiatives on biometric data processing, inspection methodologies, sanctioning procedures, cybersecurity standards, and privacy program governance, ANPD offers companies the planning visibility that makes cross-border compliance feasible rather than reactive. These topics map directly onto GDPR’s controller obligations, security requirements, and Data Protection Officer independence provisions in Articles 24 through 39.
Beyond compliance: what convergence could mean for data flows
The regulatory convergence carries implications beyond operational compliance. The structural alignment between LGPD and GDPR, reinforced by ANPD’s strategic choices, strengthens the case for an eventual EU adequacy decision recognizing Brazil under Article 45.
For European businesses and their counsel, the trajectory suggests not just reduced friction in managing trans-Atlantic data flows, but the emergence of genuinely compatible regulatory ecosystems. The challenge will be maintaining attention to Brazilian developments with the same intensity devoted to EDPB guidelines and Commission decisions, recognizing that convergence is a continuous process rather than a static achievement.
Conclusion
Brazil’s ANPD is increasingly setting priorities that mirror the main pressure points of GDPR compliance, while using its Regulatory Agenda to add clarity and sequencing to what comes next. For organizations operating across the EU and Brazil, the message is practical: governance structures, rights-handling processes, and risk assessment tooling built for GDPR are becoming progressively reusable in the Brazilian context. At the same time, staying alert to ANPD’s evolving guidance—especially around children’s data, AI, biometrics, cybersecurity, and enforcement methodology—will be key to turning regulatory convergence into real operational efficiency and reduced cross-border friction.
Summary
This article explores the ANPD’s 2025 Tech Radar on neurotechnologies and how it reshapes compliance risks for Brazilian healthtechs—especially in M&A contexts involving GDPR exposure. It outlines key regulatory concerns, the GDPR’s extraterritorial impact, major due-diligence red flags, and the essential deliverables investors should require.
Introduction
Brazil’s latest ANPD Tech Radar brings neurotechnologies to the forefront of data-protection compliance, exposing significant risks for healthtech companies and investors. With GDPR’s extraterritorial reach, sensitive data processing, opaque AI, and cross-border transfers, data governance has become a critical M&A due-diligence factor requiring structured reviews and robust contractual safeguards.
Key Compliance Risks Shaping Brazilian Healthtech M&A
Brazil’s Data Protection Authority (ANPD) released its 4th Tech Radar in June 2025, focusing entirely on neurotechnologies—marking the first time the regulator targeted this field so directly. The report explores brain-computer interfaces, advanced wearables, AI-driven cognitive therapies, and predictive diagnostics, highlighting risks far beyond traditional health data processing.
For investors and lawyers working M&A deals in Brazil’s healthtech sector, this Radar signals that data protection is no longer a secondary compliance issue—it is now a major source of legal, reputational, and operational risk.
GDPR’s Extraterritorial Relevance
Many Brazilian healthtechs handle personal data from foreign individuals, particularly Europeans—through expats, medical tourists, cross-border clinical trials, or partnerships with EU-based vendors. When this occurs, GDPR Article 3(2) extends jurisdiction to the Brazilian company, even without any EU establishment.
Main Risks Identified by ANPD (Tech Radar #4)
- Inferring health data without explicit consent
  Example: wearables identifying depression through sleep or stress patterns without informing users.
- Lack of transparency in predictive algorithms
  Black-box AI models making clinical decisions without accessible documentation.
- Cybersecurity vulnerabilities in connected devices
  Neural implants or neurostimulators vulnerable to hacking, with potentially physical consequences.
- Automated processing that impacts human dignity
  Behavioral profiling influencing insurance eligibility, discrimination, or patient autonomy in therapy environments.
GDPR Article 22 prohibits automated decision-making with significant effects unless strict safeguards are implemented—making this a critical risk during due diligence.
Most Common Red Flags in Brazilian Healthtech Due Diligence
| Red flag | LGPD Impact (Brazil) | GDPR Parallel (Europe) | Practical Recommendation |
|---|---|---|---|
| No clear legal basis for sensitive data (health, genetic, biometric) | Breach of LGPD Art. 11 | Art. 9 (special categories) | Require full data-mapping and warranties |
| Generic or “click-to-accept” consents | Invalid consent (Art. 7 & 11) | Art. 6 + 7 | Ensure all consents are granular, specific, and revocable |
| Third-party sharing without processor agreements | Breach of LGPD Art. 28 & 33 | Art. 28 | Verify existence and adequacy of all DPAs |
| Missing or incomplete ROPA | Serious regulatory violation | Art. 30 | Make ROPA delivery a closing condition |
| Non-existent or conflicted DPO | Non-compliance with ANPD Resolution CD nº 2 | Art. 37–39 | Require interview + independence confirmation |
| No DPIA for high-risk products | Mandatory (ANPD Res. 15/2023) | Art. 35 | Include pre-closing DPIA audit clause |
| International transfers without safeguards | Arts. 33–35 | Arts. 44–50 | Verify SCCs (2021/2023) or adequacy status |
Real Cases Illustrating the Scale of Risk
- Telepsychology platforms investigated for using automated triage without informed consent or AI transparency.
- ANPD actions against genomics startups due to cross-border transfers without SCCs or DPIAs.
- Outsourced cloud hosting increasing irregular data transfer risks.
Until Brazil receives an EU adequacy decision, SCCs and BCRs remain mandatory for compliant transfers.
Essential Due Diligence Deliverables
A robust data-protection review is now essential in healthtech M&A. Key deliverables include:
- LGPD ↔ GDPR gap analysis
- ROPA and DPIA review
- Sub-processor contract verification
- Mapping of all international transfers
- Privacy-specific warranties and indemnities
- Escrow or holdback for regulatory risk exposure
Conclusion
Data protection is no longer secondary in healthtech M&A—especially when neurodata is involved. With ANPD scrutinizing neurotechnologies and GDPR obligations extending across borders, investors must prioritize structured due diligence and strong contractual safeguards.
FAQ
Is neurodata considered sensitive personal data under the LGPD?
Yes—ANPD treats neurodata as highly sensitive because it reveals cognitive, emotional, and health patterns.
Does GDPR apply to Brazilian companies with no EU presence?
Yes, via Article 3(2), whenever EU data subjects’ information is processed.
Are SCCs still required for Brazil–EU transfers?
Yes, until Brazil receives an EU adequacy decision.
What are the top investor red flags?
Missing DPIAs, unclear legal bases, opaque algorithms, and irregular transfers.
Since the General Data Protection Regulation (GDPR) took effect in 2018, the European Union (EU) has granted adequacy status to only a limited number of jurisdictions — those whose data protection regimes are deemed to provide an «essentially equivalent» level of protection to that of the EU. The current list includes Andorra, Argentina, Canada (under PIPEDA), Faroe Islands, Guernsey, Isle of Man, Israel, Japan, Jersey, New Zealand, South Korea, Switzerland, Uruguay, the United Kingdom, and the United States (limited to companies certified under the Data Privacy Framework).
As of 5 September 2025, Brazil is on the verge of joining this exclusive group. The European Commission has issued a draft adequacy decision concluding that the Brazilian General Data Protection Law (Lei Geral de Proteção de Dados Pessoais – LGPD), in conjunction with Brazil’s broader legal and constitutional framework, offers protections that are essentially equivalent to those found in the GDPR. While Brazil’s rules offer somewhat more flexibility in specific areas of data processing, the foundational principles and safeguards are well-aligned with EU standards.
Once finalized, the adequacy decision will authorize the free flow of personal data from the EU to Brazil without the need for additional contractual clauses or technical safeguards. Such a development is not just regulatory — it also answers a core political argument made by LGPD advocates since its inception: that the absence of a comprehensive data protection framework was undermining Brazil’s international competitiveness by limiting data flows and discouraging investment. For businesses, the EU decision may finally mean the removal of a significant layer of compliance complexity — a development especially welcome by small and medium-sized enterprises engaged in cross-border trade or service provision. The draft is currently under review by the European Data Protection Board (EDPB) and the Member States of the EU.
The Commission’s assessment highlights several key aspects of Brazil’s data protection landscape. It begins by noting that the Brazilian Constitution expressly guarantees the right to privacy and the protection of personal data — a notable distinction among non-EU jurisdictions. These protections are further supported by Brazil’s ratification of the American Convention on Human Rights and its recognition of the jurisdiction of the Inter-American Court of Human Rights, reinforcing a commitment to fundamental rights and democratic oversight.
The LGPD mirrors the GDPR in many critical respects and defines its territorial scope clearly. It applies to: (i) data processing carried out within Brazilian territory, (ii) the offering of goods or services to individuals in Brazil, and (iii) data collected in Brazil, even if subsequently processed abroad. This aligns well with the extraterritorial provisions of the GDPR. The definitions of personal data, sensitive data, controller, and processor are materially similar, as are the key principles governing processing — including lawfulness, purpose limitation, data minimization, accuracy, transparency, and security. The law expressly excludes anonymized data from its scope and establishes specific exemptions for journalistic activities, public security, and scientific research.
Another strength is Brazil’s institutional framework. The National Data Protection Authority (ANPD) was recently transformed into an autonomous regulatory agency, enhancing its independence and technical capacity. The ANPD holds both regulatory and enforcement powers: it can issue binding regulations, impose administrative sanctions, and publish authoritative guidance. To date, it has issued key guidelines on topics such as consent, legitimate interest, the role of the Data Protection Officer (DPO), and security incident reporting. Internationally, the ANPD is an active participant in global data protection dialogue — it is a member of the Global Privacy Assembly and an official observer to the Council of Europe’s Convention 108.
The LGPD’s approach to international data transfers is also structurally aligned with the GDPR. It requires appropriate safeguards such as standard contractual clauses, allows for future adequacy decisions under a regime comparable to Article 45 of the GDPR, and includes detailed provisions for onward transfers and transit data — that is, data merely passing through Brazil without further processing. The rights of data subjects are robust and familiar to European practitioners: access, rectification, erasure, portability, and withdrawal of consent are guaranteed. Lawful bases for processing are also aligned — including consent, legal obligations, contract execution, and legitimate interest. Notably, the LGPD requires a documented balancing test when relying on legitimate interest, bringing additional accountability to this flexible legal basis.
Security incidents involving personal data must be notified to both the ANPD and affected data subjects when there is a significant risk of harm. The standard notification deadline is 72 hours, and the required content aligns closely with Articles 33 and 34 of the GDPR. The ANPD may also order public disclosure of incidents or require remedial measures, depending on the nature and scope of the breach.
Importantly, this process is not one-sided. In parallel to the European Commission’s adequacy decision, the ANPD is conducting its own adequacy assessment of the EU and EEA data protection frameworks. This process is regulated by the Brazilian Resolution CD/ANPD No. 19/2024, which governs international data transfers. Once the technical and legal evaluation is complete, the ANPD’s Board of Directors will issue a formal decision. This reciprocal move reflects Brazil’s commitment to mutual recognition and regulatory symmetry — a positive signal for companies on both sides of the Atlantic.
In conclusion: If confirmed, Brazil’s adequacy status will simplify international operations, reduce compliance costs, and expand opportunities for data-driven business and legal cooperation. For European lawyers advising SMEs with interests in Latin America, this development is a strategic signal: Brazil is emerging not just as a growing market, but as a legally compatible and data-safe jurisdiction for international partnerships.
On 23 August 2024, Brazil’s National Data Protection Authority (ANPD) issued Resolution No. 19, a landmark regulation governing the international transfer of personal data under the Brazilian General Data Protection Law (LGPD). Companies now have until 23 August 2025 to fully comply.
This deadline is especially relevant for European multinationals operating in Brazil, or Brazilian subsidiaries sharing data with foreign HQs or vendors. The new rules align Brazil more closely with global privacy frameworks like the GDPR—but with local twists that demand attention.
Why It Matters
Unlike previous guidance, Resolution No. 19 creates binding legal obligations and explicit deadlines. It introduces mechanisms such as Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), and public transparency requirements—all within a strict 12-month timeframe.
For many international companies, this will require significant updates to internal governance, contract management, and cloud data strategies. Below are the key takeaways for foreign counsel.
Standard Contractual Clauses (SCCs): Now Mandatory
The ANPD has released its own set of Standard Contractual Clauses, which must be used for data transfers to jurisdictions not recognized as offering “adequate protection.”
Companies must adopt these clauses by 23 August 2025. This will likely require revisiting existing data processing agreements involving Brazilian parties and ensuring alignment with the ANPD template.
Important: The SCCs cannot be modified beyond inserting details in the annexes. Any deviations require prior approval from the ANPD and are limited to exceptional cases.
Broad Transparency Requirements
Data controllers are now required to publish, on their website, a plain-language document explaining:
- the purpose of the international data transfer,
- the categories of data involved,
- the countries of destination,
- and the legal mechanism used to legitimize the transfer.
Upon request, data subjects must also receive a copy of the full SCCs within 15 days. Multinationals will need protocols and document templates to respond efficiently—especially when dealing with requests in Portuguese.
Expanded Definition of “International Transfer”
The Resolution clarifies that a transfer occurs whenever:
- data is accessed or stored by an entity located abroad, or
- processing is outsourced to a cloud provider with servers or technical teams outside Brazil.
This has important implications for global companies that centralize services such as payroll, CRM, or cybersecurity outside Brazil—even if hosted on multinational platforms.
Binding Corporate Rules (BCRs): Now Recognized
Multinationals with mature privacy programs may apply to the ANPD for approval of their own Binding Corporate Rules, offering an alternative to SCCs.
This is a welcome development for companies seeking harmonized compliance across jurisdictions, but approval is expected to involve a complex and time-consuming process. Early preparation is essential.
Custom Clauses in Exceptional Circumstances
Companies unable to adopt the standard clauses—due to specific factual or legal constraints—may submit alternative clauses for ANPD approval. However, such flexibility is limited and subject to strict justification.
In practice, the official SCCs will be the default path for most international data transfers involving Brazil.
What Foreign Companies Should Do Now
The 12-month window is already ticking. International groups operating in Brazil or processing Brazilian data should urgently:
- Map all international data transfers involving Brazil;
- Identify contracts and vendors requiring updates;
- Insert ANPD’s SCCs where applicable;
- Publish the required transparency notice online in Portuguese;
- Monitor for further ANPD guidance or enforcement trends.
Strategic Compliance: Beyond Legal Risk
Resolution No. 19 is part of a global trend toward standardized but locally enforced privacy frameworks. For GDPR-compliant companies, Brazil’s new rules offer a chance to reaffirm leadership in data governance.
Those who act early can avoid last-minute fire drills, reduce regulatory exposure, and strengthen credibility with Brazilian regulators and consumers.
In today’s data economy, privacy compliance is more than a legal duty—it’s a business differentiator.
Brazil’s National Data Protection Authority (ANPD) released a long-awaited guidance document on how companies should interpret and apply the legal basis of legitimate interest under the Brazilian General Data Protection Law (LGPD).
This is not merely a local update. As Brazil continues to shape its data protection regime, foreign companies—particularly European SMEs with clients, platforms, or partners in Brazil—must adapt their compliance strategies to local expectations. This new guidance is a crucial development.
Below, I summarize what has changed, how it compares to the GDPR approach, and what steps you (or your clients) should take next.
Why Legitimate Interest Matters—But Remains Risky
Just like under the GDPR, Brazil’s LGPD allows personal data to be processed without consent when doing so is necessary for purposes aligned with the controller’s legitimate interests. However, due to the lack of regulation since the LGPD came into force, this legal basis has long been regarded as risky in Brazil – in fact, it was unclear how to evaluate the «legitimacy» of the interest and balance it against data subject rights.
The ANPD’s «Guia Orientativo sobre o Legítimo Interesse» (Guidance on Legitimate Interest) fills that gap—providing a practical framework to assess, document, and justify this legal basis.
The ANPD’s Three-Step Balancing Test
The core of the new guidance is a three-step balancing test, which mirrors the GDPR’s Legitimate Interests Assessment (LIA) but with Brazilian nuances.
- Purpose Test: The controller must define a specific, concrete, and legitimate objective behind the data processing. Open-ended or abstract justifications (“marketing purposes”, “efficiency”) will not suffice. The processing must also align with the reasonable expectations of the data subject.
- Necessity Test: The data processing must be strictly necessary to achieve the defined purpose. If the same result could be achieved through less intrusive means (e.g. anonymized data or a different legal basis), the test will likely fail.
- Balancing Test and Safeguards: This step assesses whether the controller’s interest outweighs the rights and freedoms of the data subject. Controllers must consider the nature of the data, the context of the processing, and the potential risks involved. When risks are identified, appropriate safeguards must be implemented, such as transparency, opt-outs, pseudonymization, and impact assessments.
Takeaway: The ANPD recommends documenting the entire process. While this is not mandatory by law, it will be critical in case of investigations or complaints.
How This Affects Foreign Companies Doing Business in Brazil
Many foreign companies process personal data of Brazilian individuals—whether by offering digital services, interacting with Brazilian suppliers, or collecting contact information via websites or CRM tools.
Although some assume that GDPR compliance is sufficient, the ANPD may evaluate legitimate interest more restrictively than some EU supervisory authorities.
Foreign companies should:
- Revisit their legal bases for processing data of Brazilian individuals.
- Conduct a proper balancing test using the ANPD’s model, even for non-sensitive data.
- Keep written records of the analysis (especially if using legitimate interest for analytics or marketing).
- Update their privacy notices to reflect the legal basis and safeguards in place.
- Be aware of the extraterritorial reach of the LGPD—yes, it applies even if you have no office in Brazil.
Strategic Guidance
If you advise SMEs that operate across jurisdictions—including Brazil—this new guidance is a practical compliance tool and a risk-mitigation opportunity.
Here’s how to act now:
- Perform a Legitimate Interests Assessment (LIA) whenever your client relies on this basis in Brazil.
- Compare it with the GDPR LIA to identify overlaps and gaps.
- Align documentation—so your clients are ready in the event of a complaint or data subject request.
- Monitor ANPD updates—the ANPD has increased its activity and enforcement posture significantly in the past year.
Final Thoughts
The ANPD’s guidance reflects a growing maturity in Brazil’s data protection landscape. Legitimate interest is no longer a vague fallback—it requires structure, analysis, and above all, transparency.
European companies with operations or digital exposure in Brazil should approach this legal basis with care and diligence. The good news? The ANPD is now offering the roadmap. It’s up to us, as legal advisors, to make sure our clients follow it.
Want to see the full guidance? The original document (in Portuguese) is available here.
Brazil is increasingly in the global spotlight when it comes to cybersecurity threats. With over 10 billion cyberattack attempts recorded in 2023 alone, the country ranks among the most targeted worldwide. These incidents are not abstract: they affect sensitive sectors such as finance and healthcare, including data leaks involving over 220 million data subjects from national institutions and critical infrastructure operators.
While Brazil may seem like a distant jurisdiction, its data protection regime — shaped by the Lei Geral de Proteção de Dados (LGPD) — has growing significance for European businesses operating or partnering in the region. The LGPD, inspired by the GDPR, sets out specific obligations around data breach notification. However, unlike the GDPR’s mandatory 72-hour notification rule, not all security incidents must be reported to the Brazilian Data Protection Authority (ANPD).
So: when exactly should a security incident be reported in Brazil?
When Notification is Required: A Three-Step Test
Under Brazilian law, a security incident involving personal data must be reported to the ANPD only if the following three criteria are cumulatively met:
- The incident has been confirmed.
- It involves personal data subject to the LGPD.
- It poses a relevant risk or damage to data subjects.
This third threshold is critical. According to the ANPD’s Security Incident Communication Regulation (RCIS), relevant risks include incidents that may:
- Prevent the exercise of rights or access to services.
- Cause material or moral harm.
- Involve special categories of data, such as:
  - Sensitive personal data
  - Financial data
  - Large-scale datasets
  - Children’s or elderly persons’ data
  - Authentication credentials
  - Legally protected information (e.g., medical, legal, or professional secrets)
This approach offers some flexibility — but it also requires careful legal judgment.
When You Don’t Have to Notify
There is no obligation to notify the ANPD if the incident does not result in significant risk or damage. For instance, if the breached data is non-sensitive and publicly available (e.g., general contact information), and no additional harm is expected, companies may reasonably determine that notification is unnecessary.
However, this decision should not be taken lightly. Controllers are expected to assess several contextual factors, such as:
- The volume and nature of the affected data.
- Whether the data subjects can be identified.
- The likely impact on fundamental rights.
- The technical and security measures in place.
- Any steps taken to mitigate the damage.
In practice, each case must be analyzed individually — and well documented — to ensure a defensible position.
How to Notify the ANPD (If Required)
If the thresholds for notification are met, companies must report the incident within three business days from the date they became aware that personal data was affected. The notification must include:
- A description of the breach and affected data.
- The number and profile of impacted data subjects.
- Security measures in place before and after the incident.
- Potential risks to the data subjects.
- Mitigation strategies.
- Identification of the controller and DPO (if applicable).
Notifications are submitted via the ANPD’s online platform (SUPER). Sensitive business information can be protected through a request for confidential treatment, provided it is properly justified.
Strategic Takeaways for European Stakeholders
For European companies and compliance officers, understanding the nuances of Brazilian data breach notification rules is essential for several reasons:
- Cross-border compliance: Companies transferring personal data to Brazil must ensure regulatory alignment under the GDPR’s international transfer rules.
- Due diligence: M&A or vendor screening in Brazil should include assessments of LGPD readiness and breach history.
- Incident response protocols: Global organizations must harmonize breach notification timelines and thresholds across jurisdictions, adapting to Brazil’s risk-based approach.
In a landscape of increasing cyber threats, aligning with the LGPD is not just a regulatory obligation — it’s a strategic necessity.
Final Thoughts
Brazil’s data protection authority does not adopt a «one size fits all» model for breach notification. The LGPD introduces a risk-based, case-by-case approach, which may offer more flexibility than the GDPR — but also places a greater burden on organizations to justify their decisions.
European companies doing business in Brazil must be prepared to evaluate security incidents in light of both local obligations and international expectations. Failing to notify a breach — or notifying too hastily — can have serious reputational, legal, and operational consequences.
Understanding when (and how) to notify the ANPD is a key part of navigating Brazil’s complex but maturing data protection landscape.
Brazil Advances Toward GDPR Alignment: ANPD’s 2026–2027 Priority Topics
26.01.2026
In practice, this means adopting the concepts of safety-by-design and privacy-by-default from the outset. It is no longer enough to fix problems after they arise. Companies must anticipate risks to the physical, mental, and moral integrity of younger users and build preventive safeguards.
Mandatory Impact Assessments and Platform Risk Analysis
One of the pillars of the new legislation is the requirement for impact assessments. Platforms must conduct periodic detailed analyses of the potential effects of their functionalities (recommendation algorithms, engagement mechanisms, advertising systems, and even augmented reality features) on children and adolescents. These reports need to be properly documented internally and, in many cases, generate transparent information that can be shared with authorities or made available to the public in a summarized version.
New Age Verification and Parental Control Obligations
Age verification has become significantly more rigorous. A simple self-declaration (“click here if you are over 18”) is no longer considered sufficient. The law requires effective and proportionate mechanisms that respect privacy but genuinely manage to distinguish adults from minors. For users up to 16 years old, accounts on social networks and similar platforms must, as a rule, be linked to a legal guardian.
Furthermore, companies are required to provide robust parental control tools. Guardians must have access to dashboards that allow them to set screen time limits, restrict contacts, approve or block in-app purchases, and disable personalized algorithmic recommendation systems. Many foreign clients I have spoken with still underestimate the weight of this requirement.
Restrictions on Advertising, Profiling, and Gaming Monetization
In the commercial sphere, the law is particularly restrictive. The use of advanced behavioral profiling, emotional analysis, or immersive technologies to target advertising at children and adolescents is prohibited. Monetization of content that inappropriately exploits the image of minors is also subject to severe limitations. In the gaming sector, there are express bans on “loot boxes” and randomized reward systems when the game is accessible to minors, precisely because of their addictive potential and the risk of uncontrolled spending.
Harmful Content Removal and Reporting Requirements
Another aspect that deserves attention is the swift removal of harmful content. The law establishes short deadlines — in some cases as little as 24 hours — for the removal of material related to sexual exploitation, violence, bullying, cyberbullying, incitement to suicide, self-harm, or drug use. In addition to removal, in serious situations platforms must notify the competent authorities, including through international cooperation when necessary.
Legal Representation and Enforcement Risks for Foreign Companies
For foreign companies without a physical presence in Brazil, the law strengthens enforcement mechanisms. It is mandatory to appoint a legal representative established in the country, with powers to receive judicial and administrative citations, respond to requests from the Public Prosecutor’s Office and the National Data Protection Authority (ANPD), and serve as the local point of contact.
In fact, the ANPD assumes a central role in supervising and regulating the law, acting in coordination with the Public Prosecutor’s Office. This creates a more robust enforcement scenario than many international players initially anticipated. Moreover, the law provides for joint and several liability: subsidiaries, branches, or companies within the same economic group in Brazil may be held accountable for violations committed by the foreign parent company.
Financial Penalties and Operational Sanctions
The sanctions are dissuasive. Fines can reach up to 10% of the economic group’s revenue in Brazil in the previous year, or up to R$ 50 million per individual violation, depending on the severity. In extreme cases or in the event of recurrence, authorities may order the temporary suspension or even the complete blocking of the service within Brazilian territory. For companies that depend on the Brazilian market, especially consumer technology firms, this operational risk is very real.
Relationship Between the ECA Digital and Brazil’s LGPD
It is worth noting that the ECA Digital interacts closely with the General Data Protection Law (LGPD). Many of the principles of privacy-by-default, data minimization, and impact assessments already existed under the LGPD, but they now take on more specific contours when the data subject is a child or adolescent. The processing of minors’ data requires even greater care, with more restrictive legal bases and heightened attention to consent and the rights of legal guardians.
Global Regulatory Trends and Brazilian Specificities
From a comparative perspective, the Brazilian law aligns with global trends. It bears clear similarities to the UK’s Age Appropriate Design Code, certain aspects of the European DSA, and ongoing discussions in other Latin American countries. However, it presents distinctly Brazilian nuances: strong influence from the Public Prosecutor’s Office, the tradition of integral protection of children established in the 1990 Child and Adolescent Statute (ECA), and an approach that combines state regulation with the shared responsibility of families, schools, and platforms.
Practical Compliance Steps for Foreign Technology Companies
Foreign legal advisors must act with urgency. A good starting point is to conduct a comprehensive gap analysis: mapping user onboarding flows, reviewing advertising and algorithmic recommendation policies, assessing the adequacy of age verification mechanisms, and verifying whether the legal representation structure in Brazil meets the new requirements.
In addition, it is important to prepare local teams or partners to handle administrative requests and potential audits. Investing in privacy-preserving age verification technologies, such as age estimation or document-based verification without excessive data storage, can make a difference both in compliance and in the user experience.
Conclusion
In summary, the ECA Digital is not merely a symbolic law. It imposes concrete obligations, with adaptation deadlines that have already expired for many companies, and carries real risks of financial and operational sanctions. For law firms advising international clients, especially small and medium-sized practices in Europe and Asia, the moment has come to help these players turn compliance into a competitive advantage.
Those who manage to implement robust protection measures from the design stage of their products will not only avoid heavy fines but may also build greater trust with the Brazilian public and authorities.
Summary: On January 25, 2026, Brazil and the EU mutually recognized each other as providing adequate personal data protection—removing, in many cases, the need for Standard Contractual Clauses (SCCs) or other transfer tools. This shifts the conversation from “copy-paste compliance” to strategy: deciding when to retire SCCs, updating cross-border transfer policies, and modernizing contractual models for future deals.
Why this matters in real transactions
Imagine you’re about to close a deal with a German business partner and your Brazilian client urgently asks for a data transfer clause. It’s always the same copy-paste: Standard Contractual Clauses (SCCs), Annex I and II in both languages, signatures on the dotted line. Now imagine this scene is finally unnecessary.
The mutual adequacy milestone (January 25, 2026)
On January 25, 2026, Brazil and the European Union mutually recognized each other as countries with adequate levels of personal data protection. It’s the first adequacy agreement signed between the EU and a Latin American country. In practical terms, it means that companies can transfer personal data between Brazil and the EU without the need for additional mechanisms, like SCCs or Binding Corporate Rules (BCRs). In strategic terms, it opens a new front of opportunities for Brazilian lawyers, especially those advising clients who export, import, invest, or operate in the EU.
A starting point, not a “compliance break”
This is a milestone and also a starting point. Mutual adequacy does not mean «relax your compliance programs»; on the contrary, it demands governance maturity and careful review.
Three concrete fronts for legal work
1. Retiring SCCs: Not Always Automatic
The adequacy decision makes SCCs optional in many cases, but that doesn’t mean you can simply tear them up. For existing contracts that already use SCCs, lawyers will need to assess whether they should keep, revise, or remove those clauses. The answer will depend on the risks, data flows, and reliance on third countries in the processing chain. There may also be internal policies, negotiated warranties, or obligations to supervisory authorities that require formal justifications.
In practice, companies with complex processing chains (e.g., European headquarters, shared Brazilian HR services, cloud servers in the U.S.) may continue using SCCs in certain flows even after the adequacy recognition. Lawyers will need to carefully document and track this hybrid model.
2. Reviewing Cross-Border Data Transfer Policies
Many companies, especially multinationals or those with multiple data protection obligations, have established cross-border data transfer policies («CBTPs») that classify countries into categories and associate specific safeguards for each. Brazil’s new status as an «adequate country» must now be reflected in those documents.
For instance, a Brazilian company that receives data from France and sends it to Argentina and India may now adjust internal protocols to reduce documentation and controls on the EU → Brazil leg, while reinforcing controls in the Brazil → Argentina or Brazil → India legs. These changes must be aligned with the company’s policies, contracts, and internal training materials.
3. Adapting Contractual Models for Future Deals
The mutual adequacy decision creates a new contractual scenario. Brazilian lawyers advising international clients can now use data transfer models aligned with GDPR—without needing SCCs or complex annexes—provided both parties are located in Brazil and the EU.
This reduces transaction costs, improves legal certainty, and increases speed in negotiations involving technology services, cross-border M&A, or shared service centers. A good contractual model should still include data protection clauses—but now focused on risk allocation, DPO cooperation, and incident response coordination, rather than formal compliance with Art. 46 GDPR or Arts. 33–36 LGPD.
Summary: Brazil’s data protection authority (ANPD) is signaling a clear move toward stronger, more GDPR-aligned enforcement and rulemaking through its 2026–2027 Priority Topics Map and updated Regulatory Agenda. The selected priorities mirror familiar EU themes—data subject rights, children’s data, public-sector processing, and AI—while adding practical predictability for organizations planning compliance. For European businesses operating in Brazil, the direction of travel suggests increasing convergence in governance, risk assessment, and transparency expectations. This trajectory may also strengthen the long-term case for Brazil to pursue an EU adequacy decision.
A maturing authority with a strategic alignment to GDPR
While European regulators refine enforcement mechanisms for mature frameworks, Brazil is quietly building one of the world’s most GDPR-aligned data protection systems outside the EU. The release of the Priority Topics Map for 2026–2027 and the updated Regulatory Agenda by the National Agency of Personal Data Protection (ANPD) reveals an authority no longer in its infancy, but one strategically positioning itself as a credible counterpart to European supervisory bodies.
ANPD’s priority topics for 2026–2027
The four priority topics chosen by Brazil’s National Data Protection Authority («ANPD») tell a familiar tale to anyone working with GDPR compliance: data subject rights, protection of children and adolescents in digital environments, processing by public authorities, and artificial intelligence with emerging technologies.
Why these priorities feel familiar to GDPR practitioners
These are not arbitrary choices but deliberate alignments with the core concerns that have shaped European enforcement over the past seven years, from the fundamental rights guarantees in Articles 12 through 22, to the heightened scrutiny of processing involving minors, to the evolving regulatory treatment of algorithmic systems that now spans both GDPR recitals and the EU AI Act itself.
Children and adolescents: new authority and converging expectations
Brazil’s recent Digital Statute for Children and Adolescents hands ANPD substantial new authority over age verification and parental consent mechanisms, creating a regulatory bridge that should look strikingly familiar to companies navigating the UK’s Age Appropriate Design Code or implementing EDPB guidance on child data. European digital services operating in Brazil, particularly in social media, gaming, education, or wellness sectors, now face converging compliance expectations on both sides of the Atlantic. The technical architectures and consent flows designed for GDPR are increasingly fit for purpose in the Brazilian context as well.
Artificial intelligence and emerging technologies
The elevation of artificial intelligence to priority status represents ANPD’s clearest statement yet about where Brazilian regulation is headed, although the move itself is hardly surprising, since AI is now a concern for every regulator in every industry. While the LGPD lacks specific AI provisions, the authority has been methodically laying groundwork through public consultations on automated decision-making and studies on algorithmic profiling. For companies already deep in EU AI Act preparation, such a convergence offers something rare in global privacy compliance: the potential for genuine efficiency gains through shared governance frameworks, unified risk assessment methodologies, and harmonized transparency protocols rather than duplicative regional adaptations.
Data subject rights and DPIAs: reinforcing accountability
ANPD’s continued emphasis on data subject rights and Data Protection Impact Assessments reinforces the structural similarities with GDPR’s accountability model. The Brazilian approach increasingly mirrors European expectations around documented risk assessment, standardized response protocols for individual rights requests, and transparency obligations for profiling activities. Multinational organizations can now reasonably contemplate unified DPIA templates and centralized rights management systems that serve both jurisdictions without fundamental architectural splits.
The updated Regulatory Agenda for 2025–2026: predictability as a compliance asset
The updated Regulatory Agenda for 2025–2026 provides something perhaps more valuable than new rules: predictability. One should not underestimate the importance of predictability in Brazil, since it is a rare asset, even before courts – former Treasury Minister Pedro Malan once ironically stated that «in Brazil, even the past is uncertain».
What ANPD is telegraphing next
By telegraphing upcoming initiatives on biometric data processing, inspection methodologies, sanctioning procedures, cybersecurity standards, and privacy program governance, ANPD offers companies the planning visibility that makes cross-border compliance feasible rather than reactive. These topics map directly onto GDPR’s controller obligations, security requirements, and Data Protection Officer independence provisions in Articles 24 through 39.
Beyond compliance: what convergence could mean for data flows
The regulatory convergence carries implications beyond operational compliance. The structural alignment between LGPD and GDPR, reinforced by ANPD’s strategic choices, strengthens the case for an eventual EU adequacy decision recognizing Brazil under Article 45.
For European businesses and their counsel, the trajectory suggests not just reduced friction in managing trans-Atlantic data flows, but the emergence of genuinely compatible regulatory ecosystems. The challenge will be maintaining attention to Brazilian developments with the same intensity devoted to EDPB guidelines and Commission decisions, recognizing that convergence is a continuous process rather than a static achievement.
Conclusion
Brazil’s ANPD is increasingly setting priorities that mirror the main pressure points of GDPR compliance, while using its Regulatory Agenda to add clarity and sequencing to what comes next. For organizations operating across the EU and Brazil, the message is practical: governance structures, rights-handling processes, and risk assessment tooling built for GDPR are becoming progressively reusable in the Brazilian context. At the same time, staying alert to ANPD’s evolving guidance—especially around children’s data, AI, biometrics, cybersecurity, and enforcement methodology—will be key to turning regulatory convergence into real operational efficiency and reduced cross-border friction.
Summary
This article explores the ANPD’s 2025 Tech Radar on neurotechnologies and how it reshapes compliance risks for Brazilian healthtechs—especially in M&A contexts involving GDPR exposure. It outlines key regulatory concerns, the GDPR’s extraterritorial impact, major due-diligence red flags, and the essential deliverables investors should require.
Introduction
Brazil’s latest ANPD Tech Radar brings neurotechnologies to the forefront of data-protection compliance, exposing significant risks for healthtech companies and investors. With GDPR’s extraterritorial reach, sensitive data processing, opaque AI, and cross-border transfers, data governance has become a critical M&A due-diligence factor requiring structured reviews and robust contractual safeguards.
Key Compliance Risks Shaping Brazilian Healthtech M&A
Brazil’s Data Protection Authority (ANPD) released its 4th Tech Radar in June 2025, focusing entirely on neurotechnologies—marking the first time the regulator targeted this field so directly. The report explores brain-computer interfaces, advanced wearables, AI-driven cognitive therapies, and predictive diagnostics, highlighting risks far beyond traditional health data processing.
For investors and lawyers working M&A deals in Brazil’s healthtech sector, this Radar signals that data protection is no longer a secondary compliance issue—it is now a major source of legal, reputational, and operational risk.
GDPR’s Extraterritorial Relevance
Many Brazilian healthtechs handle personal data from foreign individuals, particularly Europeans—through expats, medical tourists, cross-border clinical trials, or partnerships with EU-based vendors. When this occurs, GDPR Article 3(2) extends jurisdiction to the Brazilian company, even without any EU establishment.
Main Risks Identified by ANPD (Tech Radar #4)
- Inferring health data without explicit consent. Example: wearables identifying depression through sleep or stress patterns without informing users.
- Lack of transparency in predictive algorithms: black-box AI models making clinical decisions without accessible documentation.
- Cybersecurity vulnerabilities in connected devices: neural implants or neurostimulators vulnerable to hacking, with potentially physical consequences.
- Automated processing that impacts human dignity: behavioral profiling influencing insurance eligibility, discrimination, or patient autonomy in therapy environments.
GDPR Article 22 prohibits automated decision-making with significant effects unless strict safeguards are implemented—making this a critical risk during due diligence.
Most Common Red Flags in Brazilian Healthtech Due Diligence
| Red flag | LGPD Impact (Brazil) | GDPR Parallel (Europe) | Practical Recommendation |
| --- | --- | --- | --- |
| No clear legal basis for sensitive data (health, genetic, biometric) | Breach of LGPD Art. 11 | Art. 9 (special categories) | Require full data-mapping and warranties |
| Generic or “click-to-accept” consents | Invalid consent (Art. 7 & 11) | Art. 6 + 7 | Ensure all consents are granular, specific, and revocable |
| Third-party sharing without processor agreements | Breach of LGPD Art. 28 & 33 | Art. 28 | Verify existence and adequacy of all DPAs |
| Missing or incomplete ROPA | Serious regulatory violation | Art. 30 | Make ROPA delivery a closing condition |
| Non-existent or conflicted DPO | Non-compliance with ANPD Resolution CD nº 2 | Art. 37–39 | Require interview + independence confirmation |
| No DPIA for high-risk products | Mandatory (ANPD Res. 15/2023) | Art. 35 | Include pre-closing DPIA audit clause |
| International transfers without safeguards | Arts. 33–35 | Arts. 44–50 | Verify SCCs (2021/2023) or adequacy status |
Real Cases Illustrating the Scale of Risk
- Telepsychology platforms investigated for using automated triage without informed consent or AI transparency.
- ANPD actions against genomics startups due to cross-border transfers without SCCs or DPIAs.
- Outsourced cloud hosting increasing irregular data transfer risks.
Until Brazil receives an EU adequacy decision, SCCs and BCRs remain mandatory for compliant transfers.
Essential Due Diligence Deliverables
A robust data-protection review is now essential in healthtech M&A. Key deliverables include:
- LGPD ↔ GDPR gap analysis
- ROPA and DPIA review
- Sub-processor contract verification
- Mapping of all international transfers
- Privacy-specific warranties and indemnities
- Escrow or holdback for regulatory risk exposure
Conclusion
Data protection is no longer secondary in healthtech M&A—especially when neurodata is involved. With ANPD scrutinizing neurotechnologies and GDPR obligations extending across borders, investors must prioritize structured due diligence and strong contractual safeguards.
FAQ
Is neurodata considered sensitive personal data under the LGPD?
Yes—ANPD treats neurodata as highly sensitive because it reveals cognitive, emotional, and health patterns.
Does GDPR apply to Brazilian companies with no EU presence?
Yes, via Article 3(2), whenever EU data subjects’ information is processed.
Are SCCs still required for Brazil–EU transfers?
Yes, until Brazil receives an EU adequacy decision.
What are the top investor red flags?
Missing DPIAs, unclear legal bases, opaque algorithms, and irregular transfers.
Since the General Data Protection Regulation (GDPR) took effect in 2018, the European Union (EU) has granted adequacy status to only a limited number of jurisdictions — those whose data protection regimes are deemed to provide an «essentially equivalent» level of protection to that of the EU. The current list includes Andorra, Argentina, Canada (under PIPEDA), Faroe Islands, Guernsey, Isle of Man, Israel, Japan, Jersey, New Zealand, South Korea, Switzerland, Uruguay, the United Kingdom, and the United States (limited to companies certified under the Data Privacy Framework).
As of 5 September 2025, Brazil is on the verge of joining this exclusive group. The European Commission has issued a draft adequacy decision concluding that the Brazilian General Data Protection Law (Lei Geral de Proteção de Dados Pessoais – LGPD), in conjunction with Brazil’s broader legal and constitutional framework, offers protections that are essentially equivalent to those found in the GDPR. While Brazil’s rules offer somewhat more flexibility in specific areas of data processing, the foundational principles and safeguards are well-aligned with EU standards.
Once finalized, the adequacy decision will authorize the free flow of personal data from the EU to Brazil without the need for additional contractual clauses or technical safeguards. Such a development is not just regulatory — it also answers a core political argument made by LGPD advocates since its inception: that the absence of a comprehensive data protection framework was undermining Brazil’s international competitiveness by limiting data flows and discouraging investment. For businesses, the EU decision may finally mean the removal of a significant layer of compliance complexity — a development especially welcome by small and medium-sized enterprises engaged in cross-border trade or service provision. The draft is currently under review by the European Data Protection Board (EDPB) and the Member States of the EU.
The Commission’s assessment highlights several key aspects of Brazil’s data protection landscape. It begins by noting that the Brazilian Constitution expressly guarantees the right to privacy and the protection of personal data — a notable distinction among non-EU jurisdictions. These protections are further supported by Brazil’s ratification of the American Convention on Human Rights and its recognition of the jurisdiction of the Inter-American Court of Human Rights, reinforcing a commitment to fundamental rights and democratic oversight.
The LGPD mirrors the GDPR in many critical respects and defines its territorial scope clearly. It applies to: (i) data processing carried out within Brazilian territory, (ii) the offering of goods or services to individuals in Brazil, and (iii) data collected in Brazil, even if subsequently processed abroad. This aligns well with the extraterritorial provisions of the GDPR. The definitions of personal data, sensitive data, controller, and processor are materially similar, as are the key principles governing processing — including lawfulness, purpose limitation, data minimization, accuracy, transparency, and security. The law expressly excludes anonymized data from its scope and establishes specific exemptions for journalistic activities, public security, and scientific research.
Another strength is Brazil’s institutional framework. The National Data Protection Authority (ANPD) was recently transformed into an autonomous regulatory agency, enhancing its independence and technical capacity. The ANPD holds both regulatory and enforcement powers: it can issue binding regulations, impose administrative sanctions, and publish authoritative guidance. To date, it has issued key guidelines on topics such as consent, legitimate interest, the role of the Data Protection Officer (DPO), and security incident reporting. Internationally, the ANPD is an active participant in global data protection dialogue — it is a member of the Global Privacy Assembly and an official observer to the Council of Europe’s Convention 108.
The LGPD’s approach to international data transfers is also structurally aligned with the GDPR. It requires appropriate safeguards such as standard contractual clauses, allows for future adequacy decisions under a regime comparable to Article 45 of the GDPR, and includes detailed provisions for onward transfers and transit data — that is, data merely passing through Brazil without further processing. The rights of data subjects are robust and familiar to European practitioners: access, rectification, erasure, portability, and withdrawal of consent are guaranteed. Lawful bases for processing are also aligned — including consent, legal obligations, contract execution, and legitimate interest. Notably, the LGPD requires a documented balancing test when relying on legitimate interest, bringing additional accountability to this flexible legal basis.
Security incidents involving personal data must be notified to both the ANPD and affected data subjects when there is a significant risk of harm. The standard notification deadline is 72 hours, and the required content aligns closely with Articles 33 and 34 of the GDPR. The ANPD may also order public disclosure of incidents or require remedial measures, depending on the nature and scope of the breach.
Importantly, this process is not one-sided. In parallel to the European Commission’s adequacy decision, the ANPD is conducting its own adequacy assessment of the EU and EEA data protection frameworks. This process is regulated by the Brazilian Resolution CD/ANPD No. 19/2024, which governs international data transfers. Once the technical and legal evaluation is complete, the ANPD’s Board of Directors will issue a formal decision. This reciprocal move reflects Brazil’s commitment to mutual recognition and regulatory symmetry — a positive signal for companies on both sides of the Atlantic.
In conclusion: If confirmed, Brazil’s adequacy status will simplify international operations, reduce compliance costs, and expand opportunities for data-driven business and legal cooperation. For European lawyers advising SMEs with interests in Latin America, this development is a strategic signal: Brazil is emerging not just as a growing market, but as a legally compatible and data-safe jurisdiction for international partnerships.
On 23 August 2024, Brazil’s National Data Protection Authority (ANPD) issued Resolution No. 19, a landmark regulation governing the international transfer of personal data under the Brazilian General Data Protection Law (LGPD). Companies now have until 23 August 2025 to fully comply.
This deadline is especially relevant for European multinationals operating in Brazil, or Brazilian subsidiaries sharing data with foreign HQs or vendors. The new rules align Brazil more closely with global privacy frameworks like the GDPR—but with local twists that demand attention.
Why It Matters
Unlike previous guidance, Resolution No. 19 creates binding legal obligations and explicit deadlines. It introduces mechanisms such as Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), and public transparency requirements—all within a strict 12-month timeframe.
For many international companies, this will require significant updates to internal governance, contract management, and cloud data strategies. Below are the key takeaways for foreign counsel.
Standard Contractual Clauses (SCCs): Now Mandatory
The ANPD has released its own set of Standard Contractual Clauses, which must be used for data transfers to jurisdictions not recognized as offering “adequate protection.”
Companies must adopt these clauses by 23 August 2025. This will likely require revisiting existing data processing agreements involving Brazilian parties and ensuring alignment with the ANPD template.
Important: The SCCs cannot be modified beyond inserting details in the annexes. Any deviations require prior approval from the ANPD and are limited to exceptional cases.
Broad Transparency Requirements
Data controllers are now required to publish, on their website, a plain-language document explaining:
- the purpose of the international data transfer,
- the categories of data involved,
- the countries of destination,
- and the legal mechanism used to legitimize the transfer.
Upon request, data subjects must also receive a copy of the full SCCs within 15 days. Multinationals will need protocols and document templates to respond efficiently—especially when dealing with requests in Portuguese.
Expanded Definition of “International Transfer”
The Resolution clarifies that a transfer occurs whenever:
- data is accessed or stored by an entity located abroad, or
- processing is outsourced to a cloud provider with servers or technical teams outside Brazil.
This has important implications for global companies that centralize services such as payroll, CRM, or cybersecurity outside Brazil—even if hosted on multinational platforms.
Binding Corporate Rules (BCRs): Now Recognized
Multinationals with mature privacy programs may apply to the ANPD for approval of their own Binding Corporate Rules, offering an alternative to SCCs.
This is a welcome development for companies seeking harmonized compliance across jurisdictions, but approval is expected to involve a complex and time-consuming process. Early preparation is essential.
Custom Clauses in Exceptional Circumstances
Companies unable to adopt the standard clauses—due to specific factual or legal constraints—may submit alternative clauses for ANPD approval. However, such flexibility is limited and subject to strict justification.
In practice, the official SCCs will be the default path for most international data transfers involving Brazil.
What Foreign Companies Should Do Now
The 12-month window is already ticking. International groups operating in Brazil or processing Brazilian data should urgently:
- Map all international data transfers involving Brazil;
- Identify contracts and vendors requiring updates;
- Insert ANPD’s SCCs where applicable;
- Publish the required transparency notice online in Portuguese;
- Monitor for further ANPD guidance or enforcement trends.
Strategic Compliance: Beyond Legal Risk
Resolution No. 19 is part of a global trend toward standardized but locally enforced privacy frameworks. For GDPR-compliant companies, Brazil’s new rules offer a chance to reaffirm leadership in data governance.
Those who act early can avoid last-minute fire drills, reduce regulatory exposure, and strengthen credibility with Brazilian regulators and consumers.
In today’s data economy, privacy compliance is more than a legal duty—it’s a business differentiator.
Brazil’s National Data Protection Authority (ANPD) released a long-awaited guidance document on how companies should interpret and apply the legal basis of legitimate interest under the Brazilian General Data Protection Law (LGPD).
This is not merely a local update. As Brazil continues to shape its data protection regime, foreign companies—particularly European SMEs with clients, platforms, or partners in Brazil—must adapt their compliance strategies to local expectations. This new guidance is a crucial development.
Below, I summarize what has changed, how it compares to the GDPR approach, and what steps you (or your clients) should take next.
Why Legitimate Interest Matters—But Remains Risky
Just like under the GDPR, Brazil’s LGPD allows personal data to be processed without consent when doing so is necessary for purposes aligned with the controller’s legitimate interests. However, because no regulation addressed the matter after the LGPD came into force, this legal basis has long been regarded as risky in Brazil: it was unclear how to evaluate the «legitimacy» of the interest and how to balance it against data subject rights.
The ANPD’s «Guia Orientativo sobre o Legítimo Interesse» (Guidance on Legitimate Interest) fills that gap—providing a practical framework to assess, document, and justify this legal basis.
The ANPD’s Three-Step Balancing Test
The core of the new guidance is a three-step balancing test, which mirrors the GDPR’s Legitimate Interests Assessment (LIA) but with Brazilian nuances.
- Purpose Test: The controller must define a specific, concrete, and legitimate objective behind the data processing. Open-ended or abstract justifications (“marketing purposes”, “efficiency”) will not suffice. The processing must also align with the reasonable expectations of the data subject.
- Necessity Test: The data processing must be strictly necessary to achieve the defined purpose. If the same result could be achieved through less intrusive means (e.g. anonymized data or a different legal basis), the test will likely fail.
- Balancing Test and Safeguards: This step assesses whether the controller’s interest outweighs the rights and freedoms of the data subject. Controllers must consider the nature of the data, the context of the processing, and the potential risks involved. When risks are identified, appropriate safeguards must be implemented, such as transparency, opt-outs, pseudonymization, and impact assessments.
Takeaway: The ANPD recommends documenting the entire process. While this is not mandatory by law, it will be critical in case of investigations or complaints.
How This Affects Foreign Companies Doing Business in Brazil
Many foreign companies process personal data of Brazilian individuals—whether by offering digital services, interacting with Brazilian suppliers, or collecting contact information via websites or CRM tools.
Although some assume that GDPR compliance is sufficient, the ANPD may evaluate legitimate interest more restrictively than some EU supervisory authorities.
Foreign companies should:
- Revisit their legal bases for processing data of Brazilian individuals.
- Conduct a proper balancing test using the ANPD’s model, even for non-sensitive data.
- Keep written records of the analysis (especially if using legitimate interest for analytics or marketing).
- Update their privacy notices to reflect the legal basis and safeguards in place.
- Be aware of the extraterritorial reach of the LGPD—yes, it applies even if you have no office in Brazil.
Strategic Guidance
If you advise SMEs that operate across jurisdictions—including Brazil—this new guidance is a practical compliance tool and a risk-mitigation opportunity.
Here’s how to act now:
- Perform a Legitimate Interests Assessment (LIA) whenever your client relies on this basis in Brazil.
- Compare it with the GDPR LIA to identify overlaps and gaps.
- Align documentation—so your clients are ready in the event of a complaint or data subject request.
- Monitor ANPD updates—the ANPD has increased its activity and enforcement posture significantly in the past year.
Final Thoughts
The ANPD’s guidance reflects a growing maturity in Brazil’s data protection landscape. Legitimate interest is no longer a vague fallback—it requires structure, analysis, and above all, transparency.
European companies with operations or digital exposure in Brazil should approach this legal basis with care and diligence. The good news? The ANPD is now offering the roadmap. It’s up to us, as legal advisors, to make sure our clients follow it.
Want to see the full guidance? The original document (in Portuguese) is available here.
Brazil is increasingly in the global spotlight when it comes to cybersecurity threats. With over 10 billion cyberattack attempts recorded in 2023 alone, the country ranks among the most targeted worldwide. These incidents are not abstract: they affect sensitive sectors such as finance and healthcare, including data leaks involving over 220 million data subjects from national institutions and critical infrastructure operators.
While Brazil may seem like a distant jurisdiction, its data protection regime — shaped by the Lei Geral de Proteção de Dados (LGPD) — has growing significance for European businesses operating or partnering in the region. The LGPD, inspired by the GDPR, sets out specific obligations around data breach notification. However, unlike the GDPR’s mandatory 72-hour notification rule, not all security incidents must be reported to the Brazilian Data Protection Authority (ANPD).
So: when exactly should a security incident be reported in Brazil?
When Notification is Required: A Three-Step Test
Under Brazilian law, a security incident involving personal data must be reported to the ANPD only if the following three criteria are cumulatively met:
- The incident has been confirmed.
- It involves personal data subject to the LGPD.
- It poses a relevant risk or damage to data subjects.
This third threshold is critical. According to the ANPD’s Security Incident Communication Regulation (RCIS), relevant risks include incidents that may:
- Prevent the exercise of rights or access to services.
- Cause material or moral harm.
- Involve special categories of data, such as:
  - Sensitive personal data
  - Financial data
  - Large-scale datasets
  - Children’s or elderly persons’ data
  - Authentication credentials
  - Legally protected information (e.g., medical, legal, or professional secrets).
This approach offers some flexibility — but it also requires careful legal judgment.
When You Don’t Have to Notify
There is no obligation to notify the ANPD if the incident does not result in significant risk or damage. For instance, if the breached data is non-sensitive and publicly available (e.g., general contact information), and no additional harm is expected, companies may reasonably determine that notification is unnecessary.
However, this decision should not be taken lightly. Controllers are expected to assess several contextual factors, such as:
- The volume and nature of the affected data.
- Whether the data subjects can be identified.
- The likely impact on fundamental rights.
- The technical and security measures in place.
- Any steps taken to mitigate the damage.
In practice, each case must be analyzed individually — and well documented — to ensure a defensible position.
How to Notify the ANPD (If Required)
If the thresholds for notification are met, companies must report the incident within three business days from the date they became aware that personal data was affected. The notification must include:
- A description of the breach and affected data.
- The number and profile of impacted data subjects.
- Security measures in place before and after the incident.
- Potential risks to the data subjects.
- Mitigation strategies.
- Identification of the controller and DPO (if applicable).
Notifications are submitted via the ANPD’s online platform (SUPER). Sensitive business information can be protected through a request for confidential treatment, provided it is properly justified.
Strategic Takeaways for European Stakeholders
For European companies and compliance officers, understanding the nuances of Brazilian data breach notification rules is essential for several reasons:
- Cross-border compliance: Companies transferring personal data to Brazil must ensure regulatory alignment under the GDPR’s international transfer rules.
- Due diligence: M&A or vendor screening in Brazil should include assessments of LGPD readiness and breach history.
- Incident response protocols: Global organizations must harmonize breach notification timelines and thresholds across jurisdictions, adapting to Brazil’s risk-based approach.
In a landscape of increasing cyber threats, aligning with the LGPD is not just a regulatory obligation — it’s a strategic necessity.
Final Thoughts
Brazil’s data protection authority does not adopt a «one size fits all» model for breach notification. The LGPD introduces a risk-based, case-by-case approach, which may offer more flexibility than the GDPR — but also places a greater burden on organizations to justify their decisions.
European companies doing business in Brazil must be prepared to evaluate security incidents in light of both local obligations and international expectations. Failing to notify a breach — or notifying too hastily — can have serious reputational, legal, and operational consequences.
Understanding when (and how) to notify the ANPD is a key part of navigating Brazil’s complex but maturing data protection landscape.
Brazilian Healthtech – Neurotechnologies, LGPD and the GDPR’s Long-Arm Effect
26.11.2025
- Brazil
- Healthcare Law
- Mergers and Acquisitions
- Privacy - Data Protection
Summary
Brazil’s new Digital Child Protection Law (ECA Digital – Law No. 15,211/2025) radically changes the compliance obligations for foreign technology companies operating in Brazil. The law introduces a proactive duty of care toward minors, replacing the previous reactive liability model under the Marco Civil da Internet. Any digital service accessible to children or adolescents — including social media, gaming, streaming, AI tools, and app stores — must now adopt safety-by-design and privacy-by-default principles.
Brazil Introduces a New Digital Protection Framework for Minors
When Law No. 15,211/2025, known as the ECA Digital or Digital Statute for Children and Adolescents, came into force on March 17, 2026, Brazil took a significant step in regulating the digital environment. For foreign technology companies that offer services to the Brazilian public, the legislation is far more than just another local rule. It represents a genuine paradigm shift in how platforms must be designed, operated, and monitored.
Until now, the Brazilian Internet Civil Framework (Marco Civil da Internet) of 2014 established essentially a reactive liability regime. Platforms were generally only held responsible for third-party content after receiving a specific court order or valid notification. The ECA Digital inverts this logic. Companies now face a proactive and continuous duty of care, something close to the “duty of care” we already know in Europe through the UK’s Online Safety Act or parts of the Digital Services Act (DSA).
The Best Interests of the Child Become the Central Compliance Principle
The central principle of the law is the best interests of the child and adolescent. Any information technology product or service that is targeted at minors or has a reasonable likelihood of being accessed by them must be developed with this interest as an absolute priority. This includes social networks, gaming apps, streaming platforms, app stores, and even artificial intelligence tools.
In practice, this means adopting the concepts of safety-by-design and privacy-by-default from the outset. It is no longer enough to fix problems after they arise. Companies must anticipate risks to the physical, mental, and moral integrity of younger users and build preventive safeguards.
Mandatory Impact Assessments and Platform Risk Analysis
One of the pillars of the new legislation is the requirement for impact assessments. Platforms must conduct periodic detailed analyses of the potential effects of their functionalities (recommendation algorithms, engagement mechanisms, advertising systems, and even augmented reality features) on children and adolescents. These reports need to be properly documented internally and, in many cases, generate transparent information that can be shared with authorities or made available to the public in a summarized version.
New Age Verification and Parental Control Obligations
Age verification has become significantly more rigorous. A simple self-declaration (“click here if you are over 18”) is no longer considered sufficient. The law requires effective and proportionate mechanisms that respect privacy but genuinely manage to distinguish adults from minors. For users up to 16 years old, accounts on social networks and similar platforms must, as a rule, be linked to a legal guardian.
Furthermore, companies are required to provide robust parental control tools. Guardians must have access to dashboards that allow them to set screen time limits, restrict contacts, approve or block in-app purchases, and disable personalized algorithmic recommendation systems. Many foreign clients I have spoken with still underestimate the weight of this requirement.
Restrictions on Advertising, Profiling, and Gaming Monetization
In the commercial sphere, the law is particularly restrictive. The use of advanced behavioral profiling, emotional analysis, or immersive technologies to target advertising at children and adolescents is prohibited. Monetization of content that inappropriately exploits the image of minors is also subject to severe limitations. In the gaming sector, there are express bans on “loot boxes” and randomized reward systems when the game is accessible to minors, precisely because of their addictive potential and the risk of uncontrolled spending.
Harmful Content Removal and Reporting Requirements
Another aspect that deserves attention is the swift removal of harmful content. The law establishes short deadlines — in some cases as little as 24 hours — for the removal of material related to sexual exploitation, violence, bullying, cyberbullying, incitement to suicide, self-harm, or drug use. In addition to removal, in serious situations platforms must notify the competent authorities, including through international cooperation when necessary.
Legal Representation and Enforcement Risks for Foreign Companies
For foreign companies without a physical presence in Brazil, the law strengthens enforcement mechanisms. It is mandatory to appoint a legal representative established in the country, with powers to receive judicial and administrative citations, respond to requests from the Public Prosecutor’s Office and the National Data Protection Authority (ANPD), and serve as the local point of contact.
In fact, the ANPD assumes a central role in supervising and regulating the law, acting in coordination with the Public Prosecutor’s Office. This creates a more robust enforcement scenario than many international players initially anticipated. Moreover, the law provides for joint and several liability: subsidiaries, branches, or companies within the same economic group in Brazil may be held accountable for violations committed by the foreign parent company.
Financial Penalties and Operational Sanctions
The sanctions are dissuasive. Fines can reach up to 10% of the economic group’s revenue in Brazil in the previous year, or up to R$ 50 million per individual violation, depending on the severity. In extreme cases or in the event of recurrence, authorities may order the temporary suspension or even the complete blocking of the service within Brazilian territory. For companies that depend on the Brazilian market, especially consumer technology firms, this operational risk is very real.
Relationship Between the ECA Digital and Brazil’s LGPD
It is worth noting that the ECA Digital interacts closely with the General Data Protection Law (LGPD). Many of the principles of privacy-by-default, data minimization, and impact assessments already existed under the LGPD, but they now take on more specific contours when the data subject is a child or adolescent. The processing of minors’ data requires even greater care, with more restrictive legal bases and heightened attention to consent and the rights of legal guardians.
Global Regulatory Trends and Brazilian Specificities
From a comparative perspective, the Brazilian law aligns with global trends. It bears clear similarities to the UK’s Age Appropriate Design Code, certain aspects of the European DSA, and ongoing discussions in other Latin American countries. However, it presents distinctly Brazilian nuances: strong influence from the Public Prosecutor’s Office, the tradition of integral protection of children established in the 1990 Child and Adolescent Statute (ECA), and an approach that combines state regulation with the shared responsibility of families, schools, and platforms.
Practical Compliance Steps for Foreign Technology Companies
Foreign legal advisors must act with urgency. A good starting point is to conduct a comprehensive gap analysis: mapping user onboarding flows, reviewing advertising and algorithmic recommendation policies, assessing the adequacy of age verification mechanisms, and verifying whether the legal representation structure in Brazil meets the new requirements.
In addition, it is important to prepare local teams or partners to handle administrative requests and potential audits. Investing in privacy-preserving age verification technologies, such as age estimation or document-based verification without excessive data storage, can make a difference both in compliance and in the user experience.
Conclusion
In summary, the ECA Digital is not merely a symbolic law. It imposes concrete obligations, with adaptation deadlines that have already expired for many companies, and carries real risks of financial and operational sanctions. For law firms advising international clients, especially small and medium-sized practices in Europe and Asia, the moment has come to help these players turn compliance into a competitive advantage.
Those who manage to implement robust protection measures from the design stage of their products will not only avoid heavy fines but may also build greater trust with the Brazilian public and authorities.
Summary: On January 25, 2026, Brazil and the EU mutually recognized each other as providing adequate personal data protection—removing, in many cases, the need for Standard Contractual Clauses (SCCs) or other transfer tools. This shifts the conversation from “copy-paste compliance” to strategy: deciding when to retire SCCs, updating cross-border transfer policies, and modernizing contractual models for future deals.
Why this matters in real transactions
Imagine you’re about to close a deal with a German business partner and your Brazilian client urgently asks for a data transfer clause. It’s always the same copy-paste: Standard Contractual Clauses (SCCs), Annex I and II in both languages, signatures on the dotted line. Now imagine this scene is finally unnecessary.
The mutual adequacy milestone (January 25, 2026)
On January 25, 2026, Brazil and the European Union mutually recognized each other as countries with adequate levels of personal data protection. It’s the first adequacy agreement signed between the EU and a Latin American country. In practical terms, it means that companies can transfer personal data between Brazil and the EU without the need for additional mechanisms, like SCCs or Binding Corporate Rules (BCRs). In strategic terms, it opens a new front of opportunities for Brazilian lawyers, especially those advising clients who export, import, invest, or operate in the EU.
A starting point, not a “compliance break”
This is a milestone and also a starting point. Mutual adequacy does not mean «relax your compliance programs»; on the contrary, it demands governance maturity and careful review.
Three concrete fronts for legal work
1. Retiring SCCs: Not Always Automatic
The adequacy decision makes SCCs optional in many cases, but that doesn’t mean you can simply tear them up. For existing contracts that already use SCCs, lawyers will need to assess whether they should keep, revise, or remove those clauses. The answer will depend on the risks, data flows, and reliance on third countries in the processing chain. There may also be internal policies, negotiated warranties, or obligations to supervisory authorities that require formal justifications.
In practice, companies with complex processing chains (e.g., European headquarters, shared Brazilian HR services, cloud servers in the U.S.) may continue using SCCs in certain flows even after the adequacy recognition. Lawyers will need to carefully document and track this hybrid model.
2. Reviewing Cross-Border Data Transfer Policies
Many companies, especially multinationals or those with multiple data protection obligations, have established cross-border data transfer policies («CBTPs») that classify countries into categories and associate specific safeguards for each. Brazil’s new status as an «adequate country» must now be reflected in those documents.
For instance, a Brazilian company that receives data from France and sends it to Argentina and India may now adjust internal protocols to reduce documentation and controls on the EU → Brazil leg, while reinforcing controls in the Brazil → Argentina or Brazil → India legs. These changes must be aligned with the company’s policies, contracts, and internal training materials.
3. Adapting Contractual Models for Future Deals
The mutual adequacy decision creates a new contractual scenario. Brazilian lawyers advising international clients can now use data transfer models aligned with GDPR—without needing SCCs or complex annexes—provided both parties are located in Brazil and the EU.
This reduces transaction costs, improves legal certainty, and increases speed in negotiations involving technology services, cross-border M&A, or shared service centers. A good contractual model should still include data protection clauses—but now focused on risk allocation, DPO cooperation, and incident response coordination, rather than formal compliance with Art. 46 GDPR or Arts. 33–36 LGPD.
Summary: Brazil’s data protection authority (ANPD) is signaling a clear move toward stronger, more GDPR-aligned enforcement and rulemaking through its 2026–2027 Priority Topics Map and updated Regulatory Agenda. The selected priorities mirror familiar EU themes—data subject rights, children’s data, public-sector processing, and AI—while adding practical predictability for organizations planning compliance. For European businesses operating in Brazil, the direction of travel suggests increasing convergence in governance, risk assessment, and transparency expectations. This trajectory may also strengthen the long-term case for Brazil to pursue an EU adequacy decision.
A maturing authority with a strategic alignment to GDPR
While European regulators refine enforcement mechanisms for mature frameworks, Brazil is quietly building one of the world’s most GDPR-aligned data protection systems outside the EU. The release of the Priority Topics Map for 2026–2027 and the updated Regulatory Agenda by the National Agency of Personal Data Protection (ANPD) reveals an authority no longer in its infancy, but one strategically positioning itself as a credible counterpart to European supervisory bodies.
ANPD’s priority topics for 2026–2027
The four priority topics chosen by Brazil’s National Data Protection Authority («ANPD») tell a familiar tale to anyone working with GDPR compliance: data subject rights, protection of children and adolescents in digital environments, processing by public authorities, and artificial intelligence with emerging technologies.
Why these priorities feel familiar to GDPR practitioners
These are not arbitrary choices but deliberate alignments with the core concerns that have shaped European enforcement over the past seven years, from the fundamental rights guarantees in Articles 12 through 22, to the heightened scrutiny of processing involving minors, to the evolving regulatory treatment of algorithmic systems that now spans both GDPR recitals and the EU AI Act itself.
Children and adolescents: new authority and converging expectations
Brazil’s recent Digital Statute for Children and Adolescents hands ANPD substantial new authority over age verification and parental consent mechanisms, creating a regulatory bridge that should look strikingly familiar to companies navigating the UK’s Age Appropriate Design Code or implementing EDPB guidance on child data. European digital services operating in Brazil, particularly in social media, gaming, education, or wellness sectors, now face converging compliance expectations on both sides of the Atlantic. The technical architectures and consent flows designed for GDPR are increasingly fit for purpose in the Brazilian context as well.
Artificial intelligence and emerging technologies
The elevation of artificial intelligence to priority status represents ANPD’s clearest statement yet about where Brazilian regulation is headed – hardly a surprise, since AI is a concern for every regulator in every industry. While the LGPD lacks specific AI provisions, the authority has been methodically laying groundwork through public consultations on automated decision-making and studies on algorithmic profiling. For companies already deep in EU AI Act preparation, such a convergence offers something rare in global privacy compliance: the potential for genuine efficiency gains through shared governance frameworks, unified risk assessment methodologies, and harmonized transparency protocols rather than duplicative regional adaptations.
Data subject rights and DPIAs: reinforcing accountability
ANPD’s continued emphasis on data subject rights and Data Protection Impact Assessments reinforces the structural similarities with GDPR’s accountability model. The Brazilian approach increasingly mirrors European expectations around documented risk assessment, standardized response protocols for individual rights requests, and transparency obligations for profiling activities. Multinational organizations can now reasonably contemplate unified DPIA templates and centralized rights management systems that serve both jurisdictions without fundamental architectural splits.
The updated Regulatory Agenda for 2025–2026: predictability as a compliance asset
The updated Regulatory Agenda for 2025–2026 provides something perhaps more valuable than new rules: predictability. One should not underestimate the importance of predictability in Brazil, since it is a rare asset, even before courts – former Treasury Minister Pedro Malan once ironically stated that «in Brazil, even the past is uncertain».
What ANPD is telegraphing next
By telegraphing upcoming initiatives on biometric data processing, inspection methodologies, sanctioning procedures, cybersecurity standards, and privacy program governance, ANPD offers companies the planning visibility that makes cross-border compliance feasible rather than reactive. These topics map directly onto GDPR’s controller obligations, security requirements, and Data Protection Officer independence provisions in Articles 24 through 39.
Beyond compliance: what convergence could mean for data flows
The regulatory convergence carries implications beyond operational compliance. The structural alignment between LGPD and GDPR, reinforced by ANPD’s strategic choices, strengthens the case for an eventual EU adequacy decision recognizing Brazil under Article 45.
For European businesses and their counsel, the trajectory suggests not just reduced friction in managing trans-Atlantic data flows, but the emergence of genuinely compatible regulatory ecosystems. The challenge will be maintaining attention to Brazilian developments with the same intensity devoted to EDPB guidelines and Commission decisions, recognizing that convergence is a continuous process rather than a static achievement.
Conclusion
Brazil’s ANPD is increasingly setting priorities that mirror the main pressure points of GDPR compliance, while using its Regulatory Agenda to add clarity and sequencing to what comes next. For organizations operating across the EU and Brazil, the message is practical: governance structures, rights-handling processes, and risk assessment tooling built for GDPR are becoming progressively reusable in the Brazilian context. At the same time, staying alert to ANPD’s evolving guidance—especially around children’s data, AI, biometrics, cybersecurity, and enforcement methodology—will be key to turning regulatory convergence into real operational efficiency and reduced cross-border friction.
Summary
This article explores the ANPD’s 2025 Tech Radar on neurotechnologies and how it reshapes compliance risks for Brazilian healthtechs—especially in M&A contexts involving GDPR exposure. It outlines key regulatory concerns, the GDPR’s extraterritorial impact, major due-diligence red flags, and the essential deliverables investors should require.
Introduction
Brazil’s latest ANPD Tech Radar brings neurotechnologies to the forefront of data-protection compliance, exposing significant risks for healthtech companies and investors. With GDPR’s extraterritorial reach, sensitive data processing, opaque AI, and cross-border transfers, data governance has become a critical M&A due-diligence factor requiring structured reviews and robust contractual safeguards.
Key Compliance Risks Shaping Brazilian Healthtech M&A
Brazil’s Data Protection Authority (ANPD) released its 4th Tech Radar in June 2025, focusing entirely on neurotechnologies—marking the first time the regulator targeted this field so directly. The report explores brain-computer interfaces, advanced wearables, AI-driven cognitive therapies, and predictive diagnostics, highlighting risks far beyond traditional health data processing.
For investors and lawyers working M&A deals in Brazil’s healthtech sector, this Radar signals that data protection is no longer a secondary compliance issue—it is now a major source of legal, reputational, and operational risk.
GDPR’s Extraterritorial Relevance
Many Brazilian healthtechs handle personal data from foreign individuals, particularly Europeans—through expats, medical tourists, cross-border clinical trials, or partnerships with EU-based vendors. When this occurs, GDPR Article 3(2) extends jurisdiction to the Brazilian company, even without any EU establishment.
Main Risks Identified by ANPD (Tech Radar #4)
- Inferring health data without explicit consent. Example: wearables identifying depression through sleep or stress patterns without informing users.
- Lack of transparency in predictive algorithms: black-box AI models making clinical decisions without accessible documentation.
- Cybersecurity vulnerabilities in connected devices: neural implants or neurostimulators vulnerable to hacking, with potentially physical consequences.
- Automated processing that impacts human dignity: behavioral profiling influencing insurance eligibility, discrimination, or patient autonomy in therapy environments.
GDPR Article 22 prohibits automated decision-making with significant effects unless strict safeguards are implemented—making this a critical risk during due diligence.
Most Common Red Flags in Brazilian Healthtech Due Diligence
| Red flag | LGPD Impact (Brazil) | GDPR Parallel (Europe) | Practical Recommendation |
| --- | --- | --- | --- |
| No clear legal basis for sensitive data (health, genetic, biometric) | Breach of LGPD Art. 11 | Art. 9 (special categories) | Require full data-mapping and warranties |
| Generic or “click-to-accept” consents | Invalid consent (Art. 7 & 11) | Art. 6 + 7 | Ensure all consents are granular, specific, and revocable |
| Third-party sharing without processor agreements | Breach of LGPD Art. 28 & 33 | Art. 28 | Verify existence and adequacy of all DPAs |
| Missing or incomplete ROPA | Serious regulatory violation | Art. 30 | Make ROPA delivery a closing condition |
| Non-existent or conflicted DPO | Non-compliance with ANPD Resolution CD nº 2 | Art. 37–39 | Require interview + independence confirmation |
| No DPIA for high-risk products | Mandatory (ANPD Res. 15/2023) | Art. 35 | Include pre-closing DPIA audit clause |
| International transfers without safeguards | Arts. 33–35 | Arts. 44–50 | Verify SCCs (2021/2023) or adequacy status |
Real Cases Illustrating the Scale of Risk
- Telepsychology platforms investigated for using automated triage without informed consent or AI transparency.
- ANPD actions against genomics startups due to cross-border transfers without SCCs or DPIAs.
- Outsourced cloud hosting increasing irregular data transfer risks.
Until Brazil receives an EU adequacy decision, SCCs and BCRs remain mandatory for compliant transfers.
Essential Due Diligence Deliverables
A robust data-protection review is now essential in healthtech M&A. Key deliverables include:
- LGPD ↔ GDPR gap analysis
- ROPA and DPIA review
- Sub-processor contract verification
- Mapping of all international transfers
- Privacy-specific warranties and indemnities
- Escrow or holdback for regulatory risk exposure
Conclusion
Data protection is no longer secondary in healthtech M&A—especially when neurodata is involved. With ANPD scrutinizing neurotechnologies and GDPR obligations extending across borders, investors must prioritize structured due diligence and strong contractual safeguards.
FAQ
Is neurodata considered sensitive personal data under the LGPD?
Yes—ANPD treats neurodata as highly sensitive because it reveals cognitive, emotional, and health patterns.
Does GDPR apply to Brazilian companies with no EU presence?
Yes, via Article 3(2), whenever EU data subjects’ information is processed.
Are SCCs still required for Brazil–EU transfers?
Yes, until Brazil receives an EU adequacy decision.
What are the top investor red flags?
Missing DPIAs, unclear legal bases, opaque algorithms, and irregular transfers.
Since the General Data Protection Regulation (GDPR) took effect in 2018, the European Union (EU) has granted adequacy status to only a limited number of jurisdictions — those whose data protection regimes are deemed to provide an «essentially equivalent» level of protection to that of the EU. The current list includes Andorra, Argentina, Canada (under PIPEDA), Faroe Islands, Guernsey, Isle of Man, Israel, Japan, Jersey, New Zealand, South Korea, Switzerland, Uruguay, the United Kingdom, and the United States (limited to companies certified under the Data Privacy Framework).
As of 5 September 2025, Brazil is on the verge of joining this exclusive group. The European Commission has issued a draft adequacy decision concluding that the Brazilian General Data Protection Law (Lei Geral de Proteção de Dados Pessoais – LGPD), in conjunction with Brazil’s broader legal and constitutional framework, offers protections that are essentially equivalent to those found in the GDPR. While Brazil’s rules offer somewhat more flexibility in specific areas of data processing, the foundational principles and safeguards are well-aligned with EU standards.
Once finalized, the adequacy decision will authorize the free flow of personal data from the EU to Brazil without the need for additional contractual clauses or technical safeguards. Such a development is not just regulatory — it also answers a core political argument made by LGPD advocates since its inception: that the absence of a comprehensive data protection framework was undermining Brazil’s international competitiveness by limiting data flows and discouraging investment. For businesses, the EU decision may finally mean the removal of a significant layer of compliance complexity — a development especially welcome by small and medium-sized enterprises engaged in cross-border trade or service provision. The draft is currently under review by the European Data Protection Board (EDPB) and the Member States of the EU.
The Commission’s assessment highlights several key aspects of Brazil’s data protection landscape. It begins by noting that the Brazilian Constitution expressly guarantees the right to privacy and the protection of personal data — a notable distinction among non-EU jurisdictions. These protections are further supported by Brazil’s ratification of the American Convention on Human Rights and its recognition of the jurisdiction of the Inter-American Court of Human Rights, reinforcing a commitment to fundamental rights and democratic oversight.
The LGPD mirrors the GDPR in many critical respects and defines its territorial scope clearly. It applies to: (i) data processing carried out within Brazilian territory, (ii) the offering of goods or services to individuals in Brazil, and (iii) data collected in Brazil, even if subsequently processed abroad. This aligns well with the extraterritorial provisions of the GDPR. The definitions of personal data, sensitive data, controller, and processor are materially similar, as are the key principles governing processing — including lawfulness, purpose limitation, data minimization, accuracy, transparency, and security. The law expressly excludes anonymized data from its scope and establishes specific exemptions for journalistic activities, public security, and scientific research.
Another strength is Brazil’s institutional framework. The National Data Protection Authority (ANPD) was recently transformed into an autonomous regulatory agency, enhancing its independence and technical capacity. The ANPD holds both regulatory and enforcement powers: it can issue binding regulations, impose administrative sanctions, and publish authoritative guidance. To date, it has issued key guidelines on topics such as consent, legitimate interest, the role of the Data Protection Officer (DPO), and security incident reporting. Internationally, the ANPD is an active participant in global data protection dialogue — it is a member of the Global Privacy Assembly and an official observer to the Council of Europe’s Convention 108.
The LGPD’s approach to international data transfers is also structurally aligned with the GDPR. It requires appropriate safeguards such as standard contractual clauses, allows for future adequacy decisions under a regime comparable to Article 45 of the GDPR, and includes detailed provisions for onward transfers and transit data — that is, data merely passing through Brazil without further processing. The rights of data subjects are robust and familiar to European practitioners: access, rectification, erasure, portability, and withdrawal of consent are guaranteed. Lawful bases for processing are also aligned — including consent, legal obligations, contract execution, and legitimate interest. Notably, the LGPD requires a documented balancing test when relying on legitimate interest, bringing additional accountability to this flexible legal basis.
Security incidents involving personal data must be notified to both the ANPD and affected data subjects when there is a significant risk of harm. The standard notification deadline is 72 hours, and the required content aligns closely with Articles 33 and 34 of the GDPR. The ANPD may also order public disclosure of incidents or require remedial measures, depending on the nature and scope of the breach.
Importantly, this process is not one-sided. In parallel to the European Commission’s adequacy decision, the ANPD is conducting its own adequacy assessment of the EU and EEA data protection frameworks. This process is regulated by the Brazilian Resolution CD/ANPD No. 19/2024, which governs international data transfers. Once the technical and legal evaluation is complete, the ANPD’s Board of Directors will issue a formal decision. This reciprocal move reflects Brazil’s commitment to mutual recognition and regulatory symmetry — a positive signal for companies on both sides of the Atlantic.
In conclusion: If confirmed, Brazil’s adequacy status will simplify international operations, reduce compliance costs, and expand opportunities for data-driven business and legal cooperation. For European lawyers advising SMEs with interests in Latin America, this development is a strategic signal: Brazil is emerging not just as a growing market, but as a legally compatible and data-safe jurisdiction for international partnerships.
On 23 August 2024, Brazil’s National Data Protection Authority (ANPD) issued Resolution No. 19, a landmark regulation governing the international transfer of personal data under the Brazilian General Data Protection Law (LGPD). Companies now have until 23 August 2025 to fully comply.
This deadline is especially relevant for European multinationals operating in Brazil, or Brazilian subsidiaries sharing data with foreign HQs or vendors. The new rules align Brazil more closely with global privacy frameworks like the GDPR—but with local twists that demand attention.
Why It Matters
Unlike previous guidance, Resolution No. 19 creates binding legal obligations and explicit deadlines. It introduces mechanisms such as Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), and public transparency requirements—all within a strict 12-month timeframe.
For many international companies, this will require significant updates to internal governance, contract management, and cloud data strategies. Below are the key takeaways for foreign counsel.
Standard Contractual Clauses (SCCs): Now Mandatory
The ANPD has released its own set of Standard Contractual Clauses, which must be used for data transfers to jurisdictions not recognized as offering “adequate protection.”
Companies must adopt these clauses by 23 August 2025. This will likely require revisiting existing data processing agreements involving Brazilian parties and ensuring alignment with the ANPD template.
Important: The SCCs cannot be modified beyond inserting details in the annexes. Any deviations require prior approval from the ANPD and are limited to exceptional cases.
Broad Transparency Requirements
Data controllers are now required to publish, on their website, a plain-language document explaining:
- the purpose of the international data transfer,
- the categories of data involved,
- the countries of destination,
- and the legal mechanism used to legitimize the transfer.
Upon request, data subjects must also receive a copy of the full SCCs within 15 days. Multinationals will need protocols and document templates to respond efficiently—especially when dealing with requests in Portuguese.
Expanded Definition of “International Transfer”
The Resolution clarifies that a transfer occurs whenever:
- data is accessed or stored by an entity located abroad, or
- processing is outsourced to a cloud provider with servers or technical teams outside Brazil.
This has important implications for global companies that centralize services such as payroll, CRM, or cybersecurity outside Brazil—even if hosted on multinational platforms.
Binding Corporate Rules (BCRs): Now Recognized
Multinationals with mature privacy programs may apply to the ANPD for approval of their own Binding Corporate Rules, offering an alternative to SCCs.
This is a welcome development for companies seeking harmonized compliance across jurisdictions, but approval is expected to involve a complex and time-consuming process. Early preparation is essential.
Custom Clauses in Exceptional Circumstances
Companies unable to adopt the standard clauses—due to specific factual or legal constraints—may submit alternative clauses for ANPD approval. However, such flexibility is limited and subject to strict justification.
In practice, the official SCCs will be the default path for most international data transfers involving Brazil.
What Foreign Companies Should Do Now
The 12-month window is already ticking. International groups operating in Brazil or processing Brazilian data should urgently:
- Map all international data transfers involving Brazil;
- Identify contracts and vendors requiring updates;
- Insert ANPD’s SCCs where applicable;
- Publish the required transparency notice online in Portuguese;
- Monitor for further ANPD guidance or enforcement trends.
Strategic Compliance: Beyond Legal Risk
Resolution No. 19 is part of a global trend toward standardized but locally enforced privacy frameworks. For GDPR-compliant companies, Brazil’s new rules offer a chance to reaffirm leadership in data governance.
Those who act early can avoid last-minute fire drills, reduce regulatory exposure, and strengthen credibility with Brazilian regulators and consumers.
In today’s data economy, privacy compliance is more than a legal duty—it’s a business differentiator.
Brazil’s National Data Protection Authority (ANPD) released a long-awaited guidance document on how companies should interpret and apply the legal basis of legitimate interest under the Brazilian General Data Protection Law (LGPD).
This is not merely a local update. As Brazil continues to shape its data protection regime, foreign companies—particularly European SMEs with clients, platforms, or partners in Brazil—must adapt their compliance strategies to local expectations. This new guidance is a crucial development.
Below, I summarize what has changed, how it compares to the GDPR approach, and what steps you (or your clients) should take next.
Why Legitimate Interest Matters—But Remains Risky
Just like under the GDPR, Brazil’s LGPD allows personal data to be processed without consent when doing so is necessary for purposes aligned with the controller’s legitimate interests. However, because no regulation had been issued since the LGPD came into force, this legal basis has long been regarded as risky in Brazil – in fact, it was unclear how to evaluate the «legitimacy» of the interest and balance it against data subject rights.
The ANPD’s «Guia Orientativo sobre o Legítimo Interesse» (Guidance on Legitimate Interest) fills that gap—providing a practical framework to assess, document, and justify this legal basis.
The ANPD’s Three-Step Balancing Test
The core of the new guidance is a three-step balancing test, which mirrors the GDPR’s Legitimate Interests Assessment (LIA) but with Brazilian nuances.
- Purpose Test: The controller must define a specific, concrete, and legitimate objective behind the data processing. Open-ended or abstract justifications (“marketing purposes”, “efficiency”) will not suffice. The processing must also align with the reasonable expectations of the data subject.
- Necessity Test: The data processing must be strictly necessary to achieve the defined purpose. If the same result could be achieved through less intrusive means (e.g. anonymized data or a different legal basis), the test will likely fail.
- Balancing Test and Safeguards: This step assesses whether the controller’s interest outweighs the rights and freedoms of the data subject. Controllers must consider the nature of the data, the context of the processing, and the potential risks involved. When risks are identified, appropriate safeguards must be implemented, such as transparency, opt-outs, pseudonymization, and impact assessments.
Takeaway: The ANPD recommends documenting the entire process. While this is not mandatory by law, it will be critical in case of investigations or complaints.
How This Affects Foreign Companies Doing Business in Brazil
Many foreign companies process personal data of Brazilian individuals—whether by offering digital services, interacting with Brazilian suppliers, or collecting contact information via websites or CRM tools.
Although some assume that GDPR compliance is sufficient, the ANPD may evaluate legitimate interest more restrictively than some EU supervisory authorities.
Foreign companies should:
- Revisit their legal bases for processing data of Brazilian individuals.
- Conduct a proper balancing test using the ANPD’s model, even for non-sensitive data.
- Keep written records of the analysis (especially if using legitimate interest for analytics or marketing).
- Update their privacy notices to reflect the legal basis and safeguards in place.
- Be aware of the extraterritorial reach of the LGPD—yes, it applies even if you have no office in Brazil.
Strategic Guidance
If you advise SMEs that operate across jurisdictions—including Brazil—this new guidance is a practical compliance tool and a risk-mitigation opportunity.
Here’s how to act now:
- Perform a Legitimate Interests Assessment (LIA) whenever your client relies on this basis in Brazil.
- Compare it with the GDPR LIA to identify overlaps and gaps.
- Align documentation—so your clients are ready in the event of a complaint or data subject request.
- Monitor ANPD updates—the ANPD has increased its activity and enforcement posture significantly in the past year.
Final Thoughts
The ANPD’s guidance reflects a growing maturity in Brazil’s data protection landscape. Legitimate interest is no longer a vague fallback—it requires structure, analysis, and above all, transparency.
European companies with operations or digital exposure in Brazil should approach this legal basis with care and diligence. The good news? The ANPD is now offering the roadmap. It’s up to us, as legal advisors, to make sure our clients follow it.
Want to see the full guidance? The original document (in Portuguese) is available here.
Brazil is increasingly in the global spotlight when it comes to cybersecurity threats. With over 10 billion cyberattack attempts recorded in 2023 alone, the country ranks among the most targeted worldwide. These incidents are not abstract: they affect sensitive sectors such as finance and healthcare, including data leaks involving over 220 million data subjects from national institutions and critical infrastructure operators.
While Brazil may seem like a distant jurisdiction, its data protection regime — shaped by the Lei Geral de Proteção de Dados (LGPD) — has growing significance for European businesses operating or partnering in the region. The LGPD, inspired by the GDPR, sets out specific obligations around data breach notification. However, unlike the GDPR’s mandatory 72-hour notification rule, not all security incidents must be reported to the Brazilian Data Protection Authority (ANPD).
So: when exactly should a security incident be reported in Brazil?
When Notification is Required: A Three-Step Test
Under Brazilian law, a security incident involving personal data must be reported to the ANPD only if the following three criteria are cumulatively met:
- The incident has been confirmed.
- It involves personal data subject to the LGPD.
- It poses a relevant risk or damage to data subjects.
This third threshold is critical. According to the ANPD’s Security Incident Communication Regulation (RCIS), relevant risks include incidents that may:
- Prevent the exercise of rights or access to services.
- Cause material or moral harm.
- Involve special categories of data, such as:
  - Sensitive personal data
  - Financial data
  - Large-scale datasets
  - Children’s or elderly persons’ data
  - Authentication credentials
  - Legally protected information (e.g., medical, legal, or professional secrets).
This approach offers some flexibility — but it also requires careful legal judgment.
When You Don’t Have to Notify
There is no obligation to notify the ANPD if the incident does not result in significant risk or damage. For instance, if the breached data is non-sensitive and publicly available (e.g., general contact information), and no additional harm is expected, companies may reasonably determine that notification is unnecessary.
However, this decision should not be taken lightly. Controllers are expected to assess several contextual factors, such as:
- The volume and nature of the affected data.
- Whether the data subjects can be identified.
- The likely impact on fundamental rights.
- The technical and security measures in place.
- Any steps taken to mitigate the damage.
In practice, each case must be analyzed individually — and well documented — to ensure a defensible position.
How to Notify the ANPD (If Required)
If the thresholds for notification are met, companies must report the incident within three business days from the date they became aware that personal data was affected. The notification must include:
- A description of the breach and affected data.
- The number and profile of impacted data subjects.
- Security measures in place before and after the incident.
- Potential risks to the data subjects.
- Mitigation strategies.
- Identification of the controller and DPO (if applicable).
Notifications are submitted via the ANPD’s online platform (SUPER). Sensitive business information can be protected through a request for confidential treatment, provided it is properly justified.
Strategic Takeaways for European Stakeholders
For European companies and compliance officers, understanding the nuances of Brazilian data breach notification rules is essential for several reasons:
- Cross-border compliance: Companies transferring personal data to Brazil must ensure regulatory alignment under the GDPR’s international transfer rules.
- Due diligence: M&A or vendor screening in Brazil should include assessments of LGPD readiness and breach history.
- Incident response protocols: Global organizations must harmonize breach notification timelines and thresholds across jurisdictions, adapting to Brazil’s risk-based approach.
In a landscape of increasing cyber threats, aligning with the LGPD is not just a regulatory obligation — it’s a strategic necessity.
Final Thoughts
Brazil’s data protection authority does not adopt a «one size fits all» model for breach notification. The LGPD introduces a risk-based, case-by-case approach, which may offer more flexibility than the GDPR — but also places a greater burden on organizations to justify their decisions.
European companies doing business in Brazil must be prepared to evaluate security incidents in light of both local obligations and international expectations. Failing to notify a breach — or notifying too hastily — can have serious reputational, legal, and operational consequences.
Understanding when (and how) to notify the ANPD is a key part of navigating Brazil’s complex but maturing data protection landscape.
Brazil Set to Join the GDPR Adequacy Club
11.10.2025
- Brazil
- Contracts
- Privacy - Data Protection
Summary
Brazil’s new Digital Child Protection Law (ECA Digital – Law No. 15,211/2025) radically changes the compliance obligations for foreign technology companies operating in Brazil. The law introduces a proactive duty of care toward minors, replacing the previous reactive liability model under the Marco Civil da Internet. Any digital service accessible to children or adolescents — including social media, gaming, streaming, AI tools, and app stores — must now adopt safety-by-design and privacy-by-default principles.
Brazil Introduces a New Digital Protection Framework for Minors
When Law No. 15,211/2025, known as the ECA Digital or Digital Statute for Children and Adolescents, came into force on March 17, 2026, Brazil took a significant step in regulating the digital environment. For foreign technology companies that offer services to the Brazilian public, the legislation is far more than just another local rule. It represents a genuine paradigm shift in how platforms must be designed, operated, and monitored.
Until now, the Brazilian Internet Civil Framework (Marco Civil da Internet) of 2014 established essentially a reactive liability regime. Platforms were generally only held responsible for third-party content after receiving a specific court order or valid notification. The ECA Digital inverts this logic. Companies now face a proactive and continuous duty of care, something close to the “duty of care” we already know in Europe through the UK’s Online Safety Act or parts of the Digital Services Act (DSA).
The Best Interests of the Child Become the Central Compliance Principle
The central principle of the law is the best interests of the child and adolescent. Any information technology product or service that is targeted at minors or has a reasonable likelihood of being accessed by them must be developed with this interest as an absolute priority. This includes social networks, gaming apps, streaming platforms, app stores, and even artificial intelligence tools.
In practice, this means adopting the concepts of safety-by-design and privacy-by-default from the outset. It is no longer enough to fix problems after they arise. Companies must anticipate risks to the physical, mental, and moral integrity of younger users and build preventive safeguards.
Mandatory Impact Assessments and Platform Risk Analysis
One of the pillars of the new legislation is the requirement for impact assessments. Platforms must conduct periodic detailed analyses of the potential effects of their functionalities (recommendation algorithms, engagement mechanisms, advertising systems, and even augmented reality features) on children and adolescents. These reports need to be properly documented internally and, in many cases, generate transparent information that can be shared with authorities or made available to the public in a summarized version.
New Age Verification and Parental Control Obligations
Age verification has become significantly more rigorous. A simple self-declaration (“click here if you are over 18”) is no longer considered sufficient. The law requires effective and proportionate mechanisms that respect privacy but genuinely manage to distinguish adults from minors. For users up to 16 years old, accounts on social networks and similar platforms must, as a rule, be linked to a legal guardian.
Furthermore, companies are required to provide robust parental control tools. Guardians must have access to dashboards that allow them to set screen time limits, restrict contacts, approve or block in-app purchases, and disable personalized algorithmic recommendation systems. Many foreign clients I have spoken with still underestimate the weight of this requirement.
Restrictions on Advertising, Profiling, and Gaming Monetization
In the commercial sphere, the law is particularly restrictive. The use of advanced behavioral profiling, emotional analysis, or immersive technologies to target advertising at children and adolescents is prohibited. Monetization of content that inappropriately exploits the image of minors is also subject to severe limitations. In the gaming sector, there are express bans on “loot boxes” and randomized reward systems when the game is accessible to minors, precisely because of their addictive potential and the risk of uncontrolled spending.
Harmful Content Removal and Reporting Requirements
Another aspect that deserves attention is the swift removal of harmful content. The law establishes short deadlines — in some cases as little as 24 hours — for the removal of material related to sexual exploitation, violence, bullying, cyberbullying, incitement to suicide, self-harm, or drug use. In addition to removal, in serious situations platforms must notify the competent authorities, including through international cooperation when necessary.
Legal Representation and Enforcement Risks for Foreign Companies
For foreign companies without a physical presence in Brazil, the law strengthens enforcement mechanisms. It is mandatory to appoint a legal representative established in the country, with powers to receive judicial and administrative citations, respond to requests from the Public Prosecutor’s Office and the National Data Protection Authority (ANPD), and serve as the local point of contact.
In fact, the ANPD assumes a central role in supervising and regulating the law, acting in coordination with the Public Prosecutor’s Office. This creates a more robust enforcement scenario than many international players initially anticipated. Moreover, the law provides for joint and several liability: subsidiaries, branches, or companies within the same economic group in Brazil may be held accountable for violations committed by the foreign parent company.
Financial Penalties and Operational Sanctions
The sanctions are dissuasive. Fines can reach up to 10% of the economic group’s revenue in Brazil in the previous year, or up to R$ 50 million per individual violation, depending on the severity. In extreme cases or in the event of recurrence, authorities may order the temporary suspension or even the complete blocking of the service within Brazilian territory. For companies that depend on the Brazilian market, especially consumer technology firms, this operational risk is very real.
Relationship Between the ECA Digital and Brazil’s LGPD
It is worth noting that the ECA Digital interacts closely with the General Data Protection Law (LGPD). Many of the principles of privacy-by-default, data minimization, and impact assessments already existed under the LGPD, but they now take on more specific contours when the data subject is a child or adolescent. The processing of minors’ data requires even greater care, with more restrictive legal bases and heightened attention to consent and the rights of legal guardians.
Global Regulatory Trends and Brazilian Specificities
From a comparative perspective, the Brazilian law aligns with global trends. It bears clear similarities to the UK’s Age Appropriate Design Code, certain aspects of the European DSA, and ongoing discussions in other Latin American countries. However, it presents distinctly Brazilian nuances: strong influence from the Public Prosecutor’s Office, the tradition of integral protection of children established in the 1990 Child and Adolescent Statute (ECA), and an approach that combines state regulation with the shared responsibility of families, schools, and platforms.
Practical Compliance Steps for Foreign Technology Companies
Foreign legal advisors must act with urgency. A good starting point is to conduct a comprehensive gap analysis: mapping user onboarding flows, reviewing advertising and algorithmic recommendation policies, assessing the adequacy of age verification mechanisms, and verifying whether the legal representation structure in Brazil meets the new requirements.
In addition, it is important to prepare local teams or partners to handle administrative requests and potential audits. Investing in privacy-preserving age verification technologies, such as age estimation or document-based verification without excessive data storage, can make a difference both in compliance and in the user experience.
Conclusion
In summary, the ECA Digital is not merely a symbolic law. It imposes concrete obligations, with adaptation deadlines that have already expired for many companies, and carries real risks of financial and operational sanctions. For law firms advising international clients, especially small and medium-sized practices in Europe and Asia, the moment has come to help these players turn compliance into a competitive advantage.
Those who manage to implement robust protection measures from the design stage of their products will not only avoid heavy fines but may also build greater trust with the Brazilian public and authorities.
Summary: On January 25, 2026, Brazil and the EU mutually recognized each other as providing adequate personal data protection—removing, in many cases, the need for Standard Contractual Clauses (SCCs) or other transfer tools. This shifts the conversation from “copy-paste compliance” to strategy: deciding when to retire SCCs, updating cross-border transfer policies, and modernizing contractual models for future deals.
Why this matters in real transactions
Imagine you’re about to close a deal with a German business partner and your Brazilian client urgently asks for a data transfer clause. It’s always the same copy-paste: Standard Contractual Clauses (SCCs), Annex I and II in both languages, signatures on the dotted line. Now imagine this scene is finally unnecessary.
The mutual adequacy milestone (January 25, 2026)
On January 25, 2026, Brazil and the European Union mutually recognized each other as countries with adequate levels of personal data protection. It’s the first adequacy agreement signed between the EU and a Latin American country. In practical terms, it means that companies can transfer personal data between Brazil and the EU without the need for additional mechanisms, like SCCs or Binding Corporate Rules (BCRs). In strategic terms, it opens a new front of opportunities for Brazilian lawyers, especially those advising clients who export, import, invest, or operate in the EU.
A starting point, not a “compliance break”
This is a milestone and also a starting point. Mutual adequacy does not mean «relax your compliance programs»; on the contrary, it demands governance maturity and careful review.
Three concrete fronts for legal work
1. Retiring SCCs: Not Always Automatic
The adequacy decision makes SCCs optional in many cases, but that doesn’t mean you can simply tear them up. For existing contracts that already use SCCs, lawyers will need to assess whether they should keep, revise, or remove those clauses. The answer will depend on the risks, data flows, and reliance on third countries in the processing chain. There may also be internal policies, negotiated warranties, or obligations to supervisory authorities that require formal justifications.
In practice, companies with complex processing chains (e.g., European headquarters, shared Brazilian HR services, cloud servers in the U.S.) may continue using SCCs in certain flows even after the adequacy recognition. Lawyers will need to carefully document and track this hybrid model.
2. Reviewing Cross-Border Data Transfer Policies
Many companies, especially multinationals or those with multiple data protection obligations, have established cross-border data transfer policies («CBTPs») that classify countries into categories and associate specific safeguards for each. Brazil’s new status as an «adequate country» must now be reflected in those documents.
For instance, a Brazilian company that receives data from France and sends it to Argentina and India may now adjust internal protocols to reduce documentation and controls on the EU → Brazil leg, while reinforcing controls in the Brazil → Argentina or Brazil → India legs. These changes must be aligned with the company’s policies, contracts, and internal training materials.
3. Adapting Contractual Models for Future Deals
The mutual adequacy decision creates a new contractual scenario. Brazilian lawyers advising international clients can now use data transfer models aligned with the GDPR, without SCCs or complex annexes, provided the data flows only between parties established in Brazil and the EU; any onward leg to a third country still needs its own safeguard.
This reduces transaction costs, improves legal certainty, and increases speed in negotiations involving technology services, cross-border M&A, or shared service centers. A good contractual model should still include data protection clauses—but now focused on risk allocation, DPO cooperation, and incident response coordination, rather than formal compliance with Art. 46 GDPR or Arts. 33–36 LGPD.
Summary: Brazil’s data protection authority (ANPD) is signaling a clear move toward stronger, more GDPR-aligned enforcement and rulemaking through its 2026–2027 Priority Topics Map and updated Regulatory Agenda. The selected priorities mirror familiar EU themes—data subject rights, children’s data, public-sector processing, and AI—while adding practical predictability for organizations planning compliance. For European businesses operating in Brazil, the direction of travel suggests increasing convergence in governance, risk assessment, and transparency expectations. This trajectory may also strengthen the long-term case for Brazil to pursue an EU adequacy decision.
A maturing authority with a strategic alignment to GDPR
While European regulators refine enforcement mechanisms for mature frameworks, Brazil is quietly building one of the world’s most GDPR-aligned data protection systems outside the EU. The release of the Priority Topics Map for 2026–2027 and the updated Regulatory Agenda by the National Data Protection Authority (ANPD) reveals an authority no longer in its infancy, but one strategically positioning itself as a credible counterpart to European supervisory bodies.
ANPD’s priority topics for 2026–2027
The four priority topics chosen by Brazil’s National Data Protection Authority («ANPD») tell a familiar tale to anyone working with GDPR compliance: data subject rights, protection of children and adolescents in digital environments, processing by public authorities, and artificial intelligence with emerging technologies.
Why these priorities feel familiar to GDPR practitioners
These are not arbitrary choices but deliberate alignments with the core concerns that have shaped European enforcement over the past seven years, from the fundamental rights guarantees in Articles 12 through 22, to the heightened scrutiny of processing involving minors, to the evolving regulatory treatment of algorithmic systems that now spans both GDPR recitals and the EU AI Act itself.
Children and adolescents: new authority and converging expectations
Brazil’s recent Digital Statute for Children and Adolescents hands ANPD substantial new authority over age verification and parental consent mechanisms, creating a regulatory bridge that should look strikingly familiar to companies navigating the UK’s Age Appropriate Design Code or implementing EDPB guidance on child data. European digital services operating in Brazil, particularly in social media, gaming, education, or wellness sectors, now face converging compliance expectations on both sides of the Atlantic. The technical architectures and consent flows designed for GDPR are increasingly fit for purpose in the Brazilian context as well.
Artificial intelligence and emerging technologies
The elevation of artificial intelligence to priority status is ANPD’s clearest statement yet about where Brazilian regulation is headed, although hardly a surprise, since AI is occupying every regulator in every sector. While the LGPD lacks specific AI provisions, the authority has been methodically laying groundwork through public consultations on automated decision-making and studies on algorithmic profiling. For companies already deep in EU AI Act preparation, such convergence offers something rare in global privacy compliance: the potential for genuine efficiency gains through shared governance frameworks, unified risk assessment methodologies, and harmonized transparency protocols rather than duplicative regional adaptations.
Data subject rights and DPIAs: reinforcing accountability
ANPD’s continued emphasis on data subject rights and Data Protection Impact Assessments reinforces the structural similarities with GDPR’s accountability model. The Brazilian approach increasingly mirrors European expectations around documented risk assessment, standardized response protocols for individual rights requests, and transparency obligations for profiling activities. Multinational organizations can now reasonably contemplate unified DPIA templates and centralized rights management systems that serve both jurisdictions without fundamental architectural splits.
The updated Regulatory Agenda for 2025–2026: predictability as a compliance asset
The updated Regulatory Agenda for 2025–2026 provides something perhaps more valuable than new rules: predictability. One should not underestimate the importance of predictability in Brazil, where it is a rare asset, even before the courts; former Finance Minister Pedro Malan once ironically observed that «in Brazil, even the past is uncertain».
What ANPD is telegraphing next
By telegraphing upcoming initiatives on biometric data processing, inspection methodologies, sanctioning procedures, cybersecurity standards, and privacy program governance, ANPD offers companies the planning visibility that makes cross-border compliance feasible rather than reactive. These topics map directly onto GDPR’s controller obligations, security requirements, and Data Protection Officer independence provisions in Articles 24 through 39.
Beyond compliance: what convergence could mean for data flows
The regulatory convergence carries implications beyond operational compliance. The structural alignment between LGPD and GDPR, reinforced by ANPD’s strategic choices, strengthens the case for an eventual EU adequacy decision recognizing Brazil under Article 45.
For European businesses and their counsel, the trajectory suggests not just reduced friction in managing trans-Atlantic data flows, but the emergence of genuinely compatible regulatory ecosystems. The challenge will be maintaining attention to Brazilian developments with the same intensity devoted to EDPB guidelines and Commission decisions, recognizing that convergence is a continuous process rather than a static achievement.
Conclusion
Brazil’s ANPD is increasingly setting priorities that mirror the main pressure points of GDPR compliance, while using its Regulatory Agenda to add clarity and sequencing to what comes next. For organizations operating across the EU and Brazil, the message is practical: governance structures, rights-handling processes, and risk assessment tooling built for GDPR are becoming progressively reusable in the Brazilian context. At the same time, staying alert to ANPD’s evolving guidance—especially around children’s data, AI, biometrics, cybersecurity, and enforcement methodology—will be key to turning regulatory convergence into real operational efficiency and reduced cross-border friction.
Summary
This article explores the ANPD’s 2025 Tech Radar on neurotechnologies and how it reshapes compliance risks for Brazilian healthtechs—especially in M&A contexts involving GDPR exposure. It outlines key regulatory concerns, the GDPR’s extraterritorial impact, major due-diligence red flags, and the essential deliverables investors should require.
Introduction
Brazil’s latest ANPD Tech Radar brings neurotechnologies to the forefront of data-protection compliance, exposing significant risks for healthtech companies and investors. With GDPR’s extraterritorial reach, sensitive data processing, opaque AI, and cross-border transfers, data governance has become a critical M&A due-diligence factor requiring structured reviews and robust contractual safeguards.
Key Compliance Risks Shaping Brazilian Healthtech M&A
Brazil’s Data Protection Authority (ANPD) released its 4th Tech Radar in June 2025, focusing entirely on neurotechnologies—marking the first time the regulator targeted this field so directly. The report explores brain-computer interfaces, advanced wearables, AI-driven cognitive therapies, and predictive diagnostics, highlighting risks far beyond traditional health data processing.
For investors and lawyers working M&A deals in Brazil’s healthtech sector, this Radar signals that data protection is no longer a secondary compliance issue—it is now a major source of legal, reputational, and operational risk.
GDPR’s Extraterritorial Relevance
Many Brazilian healthtechs process the personal data of individuals located in the EU, for instance medical tourists followed up remotely after returning home, or participants in cross-border clinical trials. GDPR Article 3(2) then applies to the Brazilian company, even without any EU establishment, whenever it offers goods or services to, or monitors the behaviour of, those individuals while they are in the EU. The trigger is the data subject’s location combined with targeting or monitoring, not nationality: a European expat living in Brazil is not brought under Article 3(2) merely by being an EU citizen. Partnerships with EU-based vendors do not by themselves trigger Article 3(2), but they do bring the vendor’s own GDPR obligations (and transfer rules) into the contract.
Main Risks Identified by ANPD (Tech Radar #4)
- Inferring health data without explicit consent. Example: wearables identifying depression through sleep or stress patterns without informing users.
- Lack of transparency in predictive algorithms. Example: black-box AI models making clinical decisions without accessible documentation.
- Cybersecurity vulnerabilities in connected devices. Example: neural implants or neurostimulators exposed to remote compromise, with potentially physical consequences.
- Automated processing that impacts human dignity. Example: behavioral profiling influencing insurance eligibility, discrimination, or patient autonomy in therapy environments.
GDPR Article 22 gives individuals the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects, unless one of its exceptions applies and suitable safeguards are in place, which makes this a critical risk during due diligence.
Most Common Red Flags in Brazilian Healthtech Due Diligence
- No clear legal basis for sensitive data (health, genetic, biometric). LGPD impact: breach of Art. 11. GDPR parallel: Art. 9 (special categories). Recommendation: require full data mapping and warranties.
- Generic or “click-to-accept” consents. LGPD impact: invalid consent (Arts. 7, 8 and 11). GDPR parallel: Arts. 6 and 7. Recommendation: ensure all consents are granular, specific, and revocable.
- Third-party sharing without processor agreements. LGPD impact: breach of Arts. 28 and 33. GDPR parallel: Art. 28. Recommendation: verify the existence and adequacy of all DPAs.
- Missing or incomplete ROPA. LGPD impact: serious regulatory violation (records of processing are required by Art. 37). GDPR parallel: Art. 30. Recommendation: make ROPA delivery a closing condition.
- Non-existent or conflicted DPO. LGPD impact: non-compliance with Art. 41 and ANPD’s DPO regulation (Resolution CD/ANPD No. 18/2024). GDPR parallel: Arts. 37–39. Recommendation: require an interview with the DPO and confirmation of independence.
- No DPIA for high-risk products. LGPD impact: ANPD may require a data protection impact report (Art. 38). GDPR parallel: Art. 35. Recommendation: include a pre-closing DPIA audit clause.
- International transfers without safeguards. LGPD impact: Arts. 33–35. GDPR parallel: Arts. 44–50. Recommendation: verify EU SCCs (2021) or ANPD SCCs (Resolution No. 19/2024), or adequacy status.
Real Cases Illustrating the Scale of Risk
- Telepsychology platforms investigated for using automated triage without informed consent or AI transparency.
- ANPD actions against genomics startups due to cross-border transfers without SCCs or DPIAs.
- Outsourced cloud hosting increasing irregular data transfer risks.
Until an EU adequacy decision for Brazil takes effect, SCCs or BCRs remain mandatory for compliant EU–Brazil transfers; once it does, those tools are no longer needed for that leg, though onward transfers to other third countries still require safeguards.
Essential Due Diligence Deliverables
A robust data-protection review is now essential in healthtech M&A. Key deliverables include:
- LGPD ↔ GDPR gap analysis
- ROPA and DPIA review
- Sub-processor contract verification
- Mapping of all international transfers
- Privacy-specific warranties and indemnities
- Escrow or holdback for regulatory risk exposure
Conclusion
Data protection is no longer secondary in healthtech M&A—especially when neurodata is involved. With ANPD scrutinizing neurotechnologies and GDPR obligations extending across borders, investors must prioritize structured due diligence and strong contractual safeguards.
FAQ
Is neurodata considered sensitive personal data under the LGPD?
Yes—ANPD treats neurodata as highly sensitive because it reveals cognitive, emotional, and health patterns.
Does GDPR apply to Brazilian companies with no EU presence?
Yes, via Article 3(2), whenever the company offers goods or services to, or monitors the behaviour of, individuals located in the EU; the data subject’s nationality is irrelevant.
Are SCCs still required for Brazil–EU transfers?
Yes, until an EU adequacy decision for Brazil takes effect; transfers covered by such a decision no longer need SCCs or BCRs.
What are the top investor red flags?
Missing DPIAs, unclear legal bases, opaque algorithms, and irregular transfers.
Since the General Data Protection Regulation (GDPR) took effect in 2018, the European Union (EU) has granted adequacy status to only a limited number of jurisdictions — those whose data protection regimes are deemed to provide an «essentially equivalent» level of protection to that of the EU. The current list includes Andorra, Argentina, Canada (under PIPEDA), Faroe Islands, Guernsey, Isle of Man, Israel, Japan, Jersey, New Zealand, South Korea, Switzerland, Uruguay, the United Kingdom, and the United States (limited to companies certified under the Data Privacy Framework).
As of 5 September 2025, Brazil is on the verge of joining this exclusive group. The European Commission has issued a draft adequacy decision concluding that the Brazilian General Data Protection Law (Lei Geral de Proteção de Dados Pessoais – LGPD), in conjunction with Brazil’s broader legal and constitutional framework, offers protections that are essentially equivalent to those found in the GDPR. While Brazil’s rules offer somewhat more flexibility in specific areas of data processing, the foundational principles and safeguards are well-aligned with EU standards.
Once finalized, the adequacy decision will authorize the free flow of personal data from the EU to Brazil without the need for additional contractual clauses or technical safeguards. Such a development is not just regulatory — it also answers a core political argument made by LGPD advocates since its inception: that the absence of a comprehensive data protection framework was undermining Brazil’s international competitiveness by limiting data flows and discouraging investment. For businesses, the EU decision may finally mean the removal of a significant layer of compliance complexity — a development especially welcome by small and medium-sized enterprises engaged in cross-border trade or service provision. The draft is currently under review by the European Data Protection Board (EDPB) and the Member States of the EU.
The Commission’s assessment highlights several key aspects of Brazil’s data protection landscape. It begins by noting that the Brazilian Constitution expressly guarantees the right to privacy and the protection of personal data — a notable distinction among non-EU jurisdictions. These protections are further supported by Brazil’s ratification of the American Convention on Human Rights and its recognition of the jurisdiction of the Inter-American Court of Human Rights, reinforcing a commitment to fundamental rights and democratic oversight.
The LGPD mirrors the GDPR in many critical respects and defines its territorial scope clearly. It applies to: (i) data processing carried out within Brazilian territory, (ii) the offering of goods or services to individuals in Brazil, and (iii) data collected in Brazil, even if subsequently processed abroad. This aligns well with the extraterritorial provisions of the GDPR. The definitions of personal data, sensitive data, controller, and processor are materially similar, as are the key principles governing processing — including lawfulness, purpose limitation, data minimization, accuracy, transparency, and security. The law expressly excludes anonymized data from its scope and establishes specific exemptions for journalistic activities, public security, and scientific research.
Another strength is Brazil’s institutional framework. The National Data Protection Authority (ANPD) was recently transformed into an autonomous regulatory agency, enhancing its independence and technical capacity. The ANPD holds both regulatory and enforcement powers: it can issue binding regulations, impose administrative sanctions, and publish authoritative guidance. To date, it has issued key guidelines on topics such as consent, legitimate interest, the role of the Data Protection Officer (DPO), and security incident reporting. Internationally, the ANPD is an active participant in global data protection dialogue — it is a member of the Global Privacy Assembly and an official observer to the Council of Europe’s Convention 108.
The LGPD’s approach to international data transfers is also structurally aligned with the GDPR. It requires appropriate safeguards such as standard contractual clauses, allows for future adequacy decisions under a regime comparable to Article 45 of the GDPR, and includes detailed provisions for onward transfers and transit data — that is, data merely passing through Brazil without further processing. The rights of data subjects are robust and familiar to European practitioners: access, rectification, erasure, portability, and withdrawal of consent are guaranteed. Lawful bases for processing are also aligned — including consent, legal obligations, contract execution, and legitimate interest. Notably, the LGPD requires a documented balancing test when relying on legitimate interest, bringing additional accountability to this flexible legal basis.
Security incidents involving personal data must be notified to both the ANPD and affected data subjects when they may cause relevant risk or damage to data subjects. The deadline under the ANPD’s incident communication regulation (RCIS) is three business days from awareness, counted differently from the GDPR’s 72 calendar hours, but the required content aligns closely with Articles 33 and 34 of the GDPR. The ANPD may also order public disclosure of incidents or require remedial measures, depending on the nature and scope of the breach.
Importantly, this process is not one-sided. In parallel to the European Commission’s adequacy decision, the ANPD is conducting its own adequacy assessment of the EU and EEA data protection frameworks. This process is regulated by the Brazilian Resolution CD/ANPD No. 19/2024, which governs international data transfers. Once the technical and legal evaluation is complete, the ANPD’s Board of Directors will issue a formal decision. This reciprocal move reflects Brazil’s commitment to mutual recognition and regulatory symmetry — a positive signal for companies on both sides of the Atlantic.
In conclusion: If confirmed, Brazil’s adequacy status will simplify international operations, reduce compliance costs, and expand opportunities for data-driven business and legal cooperation. For European lawyers advising SMEs with interests in Latin America, this development is a strategic signal: Brazil is emerging not just as a growing market, but as a legally compatible and data-safe jurisdiction for international partnerships.
On 23 August 2024, Brazil’s National Data Protection Authority (ANPD) issued Resolution No. 19, a landmark regulation governing the international transfer of personal data under the Brazilian General Data Protection Law (LGPD). Companies now have until 23 August 2025 to fully comply.
This deadline is especially relevant for European multinationals operating in Brazil, or Brazilian subsidiaries sharing data with foreign HQs or vendors. The new rules align Brazil more closely with global privacy frameworks like the GDPR—but with local twists that demand attention.
Why It Matters
Unlike previous guidance, Resolution No. 19 creates binding legal obligations and explicit deadlines. It introduces mechanisms such as Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), and public transparency requirements—all within a strict 12-month timeframe.
For many international companies, this will require significant updates to internal governance, contract management, and cloud data strategies. Below are the key takeaways for foreign counsel.
Standard Contractual Clauses (SCCs): Now Mandatory
The ANPD has released its own set of Standard Contractual Clauses, which must be used for data transfers to jurisdictions not recognized as offering “adequate protection” unless one of the Resolution’s other mechanisms applies (ANPD-approved specific clauses or Binding Corporate Rules, both described below).
Companies must adopt these clauses by 23 August 2025. This will likely require revisiting existing data processing agreements involving Brazilian parties and ensuring alignment with the ANPD template.
Important: The SCCs cannot be modified beyond inserting details in the annexes. Any deviations require prior approval from the ANPD and are limited to exceptional cases.
Broad Transparency Requirements
Data controllers are now required to publish, on their website, a plain-language document explaining:
- the purpose of the international data transfer,
- the categories of data involved,
- the countries of destination,
- and the legal mechanism used to legitimize the transfer.
Upon request, data subjects must also receive a copy of the full SCCs within 15 days. Multinationals will need protocols and document templates to respond efficiently—especially when dealing with requests in Portuguese.
Expanded Definition of “International Transfer”
The Resolution clarifies that a transfer occurs whenever:
- data is accessed or stored by an entity located abroad, or
- processing is outsourced to a cloud provider with servers or technical teams outside Brazil.
This has important implications for global companies that centralize services such as payroll, CRM, or cybersecurity outside Brazil—even if hosted on multinational platforms.
Binding Corporate Rules (BCRs): Now Recognized
Multinationals with mature privacy programs may apply to the ANPD for approval of their own Binding Corporate Rules, offering an alternative to SCCs.
This is a welcome development for companies seeking harmonized compliance across jurisdictions, but approval is expected to involve a complex and time-consuming process. Early preparation is essential.
Custom Clauses in Exceptional Circumstances
Companies unable to adopt the standard clauses—due to specific factual or legal constraints—may submit alternative clauses for ANPD approval. However, such flexibility is limited and subject to strict justification.
In practice, the official SCCs will be the default path for most international data transfers involving Brazil.
What Foreign Companies Should Do Now
The 12-month window is already ticking. International groups operating in Brazil or processing Brazilian data should urgently:
- Map all international data transfers involving Brazil;
- Identify contracts and vendors requiring updates;
- Insert ANPD’s SCCs where applicable;
- Publish the required transparency notice online in Portuguese;
- Monitor for further ANPD guidance or enforcement trends.
Strategic Compliance: Beyond Legal Risk
Resolution No. 19 is part of a global trend toward standardized but locally enforced privacy frameworks. For GDPR-compliant companies, Brazil’s new rules offer a chance to reaffirm leadership in data governance.
Those who act early can avoid last-minute fire drills, reduce regulatory exposure, and strengthen credibility with Brazilian regulators and consumers.
In today’s data economy, privacy compliance is more than a legal duty—it’s a business differentiator.
Brazil’s National Data Protection Authority (ANPD) released a long-awaited guidance document on how companies should interpret and apply the legal basis of legitimate interest under the Brazilian General Data Protection Law (LGPD).
This is not merely a local update. As Brazil continues to shape its data protection regime, foreign companies—particularly European SMEs with clients, platforms, or partners in Brazil—must adapt their compliance strategies to local expectations. This new guidance is a crucial development.
Below, I summarize what has changed, how it compares to the GDPR approach, and what steps you (or your clients) should take next.
Why Legitimate Interest Matters—But Remains Risky
Just like under the GDPR, Brazil’s LGPD allows personal data to be processed without consent when doing so is necessary for purposes aligned with the controller’s legitimate interests. However, because no regulation followed the LGPD’s entry into force, this legal basis has long been regarded as risky in Brazil: it was unclear how to evaluate the «legitimacy» of the interest and how to balance it against data subject rights.
The ANPD’s «Guia Orientativo sobre o Legítimo Interesse» (Guidance on Legitimate Interest) fills that gap—providing a practical framework to assess, document, and justify this legal basis.
The ANPD’s Three-Step Balancing Test
The core of the new guidance is a three-step balancing test, which mirrors the GDPR’s Legitimate Interests Assessment (LIA) but with Brazilian nuances.
- Purpose Test : The controller must define a specific, concrete, and legitimate objective behind the data processing. Open-ended or abstract justifications (“marketing purposes”, “efficiency”) will not suffice. The processing must also align with the reasonable expectations of the data subject.
- Necessity Test : The data processing must be strictly necessary to achieve the defined purpose. If the same result could be achieved through less intrusive means (e.g. anonymized data or a different legal basis), the test will likely fail.
- Balancing Test and Safeguards : This step assesses whether the controller’s interest outweighs the rights and freedoms of the data subject. Controllers must consider the nature of the data, the context of the processing, and the potential risks involved. When risks are identified, appropriate safeguards must be implemented, such as transparency, opt-outs, pseudonymization, and impact assessments.
Takeaway: The ANPD recommends documenting the entire process. While this is not mandatory by law, it will be critical in case of investigations or complaints.
How This Affects Foreign Companies doing business in Brazil
Many foreign companies process personal data of Brazilian individuals—whether by offering digital services, interacting with Brazilian suppliers, or collecting contact information via websites or CRM tools.
Although some assume that GDPR compliance is sufficient, the ANPD may evaluate legitimate interest more restrictively than some EU supervisory authorities.
Foreign companies should:
- Revisit their legal bases for processing data of Brazilian individuals.
- Conduct a proper balancing test using the ANPD’s model, even for non-sensitive data.
- Keep written records of the analysis (especially if using legitimate interest for analytics or marketing).
- Update their privacy notices to reflect the legal basis and safeguards in place.
- Be aware of the extraterritorial reach of the LGPD—yes, it applies even if you have no office in Brazil.
Strategic Guidance
If you advise SMEs that operate across jurisdictions—including Brazil—this new guidance is a practical compliance tool and a risk-mitigation opportunity.
Here’s how to act now:
- Perform a Legitimate Interests Assessment (LIA) whenever your client relies on this basis in Brazil.
- Compare it with the GDPR LIA to identify overlaps and gaps.
- Align documentation—so your clients are ready in the event of a complaint or data subject request.
- Monitor ANPD updates—the ANPD has increased its activity and enforcement posture significantly in the past year.
Final Thoughts
The ANPD’s guidance reflects a growing maturity in Brazil’s data protection landscape. Legitimate interest is no longer a vague fallback—it requires structure, analysis, and above all, transparency.
European companies with operations or digital exposure in Brazil should approach this legal basis with care and diligence. The good news? The ANPD is now offering the roadmap. It’s up to us, as legal advisors, to make sure our clients follow it.
Brazil is increasingly in the global spotlight when it comes to cybersecurity threats. With over 10 billion cyberattack attempts recorded in 2023 alone, the country ranks among the most targeted worldwide. These incidents are not abstract: they affect sensitive sectors such as finance and healthcare, including data leaks involving over 220 million data subjects from national institutions and critical infrastructure operators.
While Brazil may seem like a distant jurisdiction, its data protection regime, shaped by the Lei Geral de Proteção de Dados (LGPD), has growing significance for European businesses operating or partnering in the region. The LGPD, inspired by the GDPR, sets out specific obligations around data breach notification. Like the GDPR (whose Article 33 exempts breaches unlikely to result in a risk), it does not require every security incident to be reported to the Brazilian Data Protection Authority (ANPD), but its threshold, its deadline (three business days rather than 72 hours), and the factors it asks controllers to weigh differ.
So: when exactly should a security incident be reported in Brazil?
When Notification is Required: A Three-Step Test
Under Brazilian law, a security incident involving personal data must be reported to the ANPD only if the following three criteria are cumulatively met:
- The incident has been confirmed.
- It involves personal data subject to the LGPD.
- It poses a relevant risk or damage to data subjects.
This third threshold is critical. According to the ANPD’s Security Incident Communication Regulation (RCIS), relevant risks include incidents that may:
- Prevent the exercise of rights or access to services.
- Cause material or moral harm.
- Involve categories of data the regulation singles out: sensitive personal data, financial data, large-scale datasets, children’s or elderly persons’ data, authentication credentials, and legally protected information (e.g., medical, legal, or professional secrets).
This approach offers some flexibility — but it also requires careful legal judgment.
When You Don’t Have to Notify
There is no obligation to notify the ANPD if the incident does not result in significant risk or damage. For instance, if the breached data is non-sensitive and publicly available (e.g., general contact information), and no additional harm is expected, companies may reasonably determine that notification is unnecessary.
However, this decision should not be taken lightly. Controllers are expected to assess several contextual factors, such as:
- The volume and nature of the affected data.
- Whether the data subjects can be identified.
- The likely impact on fundamental rights.
- The technical and security measures in place.
- Any steps taken to mitigate the damage.
In practice, each case must be analyzed individually — and well documented — to ensure a defensible position.
How to Notify the ANPD (If Required)
If the thresholds for notification are met, companies must report the incident within three business days from the date they became aware that personal data was affected. The notification must include:
- A description of the breach and affected data.
- The number and profile of impacted data subjects.
- Security measures in place before and after the incident.
- Potential risks to the data subjects.
- Mitigation strategies.
- Identification of the controller and DPO (if applicable).
Notifications are submitted via the ANPD’s online platform (SUPER). Sensitive business information can be protected through a request for confidential treatment, provided it is properly justified.
Strategic Takeaways for European Stakeholders
For European companies and compliance officers, understanding the nuances of Brazilian data breach notification rules is essential for several reasons:
- Cross-border compliance: Companies transferring personal data to Brazil must ensure regulatory alignment under the GDPR’s international transfer rules.
- Due diligence: M&A or vendor screening in Brazil should include assessments of LGPD readiness and breach history.
- Incident response protocols: Global organizations must harmonize breach notification timelines and thresholds across jurisdictions, adapting to Brazil’s risk-based approach.
In a landscape of increasing cyber threats, aligning with the LGPD is not just a regulatory obligation — it’s a strategic necessity.
Final Thoughts
Brazil’s data protection authority does not adopt a «one size fits all» model for breach notification. The LGPD introduces a risk-based, case-by-case approach, which may offer more flexibility than the GDPR — but also places a greater burden on organizations to justify their decisions.
European companies doing business in Brazil must be prepared to evaluate security incidents in light of both local obligations and international expectations. Failing to notify a breach — or notifying too hastily — can have serious reputational, legal, and operational consequences.
Understanding when (and how) to notify the ANPD is a key part of navigating Brazil’s complex but maturing data protection landscape.
Brazil — Deadline for Compliance on International Data Transfers
11.08.2025
In practice, this means adopting the concepts of safety-by-design and privacy-by-default from the outset. It is no longer enough to fix problems after they arise. Companies must anticipate risks to the physical, mental, and moral integrity of younger users and build preventive safeguards.
Mandatory Impact Assessments and Platform Risk Analysis
One of the pillars of the new legislation is the requirement for impact assessments. Platforms must conduct periodic detailed analyses of the potential effects of their functionalities (recommendation algorithms, engagement mechanisms, advertising systems, and even augmented reality features) on children and adolescents. These reports need to be properly documented internally and, in many cases, generate transparent information that can be shared with authorities or made available to the public in a summarized version.
New Age Verification and Parental Control Obligations
Age verification has become significantly more rigorous. A simple self-declaration (“click here if you are over 18”) is no longer considered sufficient. The law requires effective and proportionate mechanisms that respect privacy but genuinely manage to distinguish adults from minors. For users up to 16 years old, accounts on social networks and similar platforms must, as a rule, be linked to a legal guardian.
Furthermore, companies are required to provide robust parental control tools. Guardians must have access to dashboards that allow them to set screen time limits, restrict contacts, approve or block in-app purchases, and disable personalized algorithmic recommendation systems. Many foreign clients I have spoken with still underestimate the weight of this requirement.
Restrictions on Advertising, Profiling, and Gaming Monetization
In the commercial sphere, the law is particularly restrictive. The use of advanced behavioral profiling, emotional analysis, or immersive technologies to target advertising at children and adolescents is prohibited. Monetization of content that inappropriately exploits the image of minors is also subject to severe limitations. In the gaming sector, there are express bans on “loot boxes” and randomized reward systems when the game is accessible to minors, precisely because of their addictive potential and the risk of uncontrolled spending.
Harmful Content Removal and Reporting Requirements
Another aspect that deserves attention is the swift removal of harmful content. The law establishes short deadlines — in some cases as little as 24 hours — for the removal of material related to sexual exploitation, violence, bullying, cyberbullying, incitement to suicide, self-harm, or drug use. In addition to removal, in serious situations platforms must notify the competent authorities, including through international cooperation when necessary.
Legal Representation and Enforcement Risks for Foreign Companies
For foreign companies without a physical presence in Brazil, the law strengthens enforcement mechanisms. It is mandatory to appoint a legal representative established in the country, with powers to receive judicial and administrative citations, respond to requests from the Public Prosecutor’s Office and the National Data Protection Authority (ANPD), and serve as the local point of contact.
In fact, the ANPD assumes a central role in supervising and regulating the law, acting in coordination with the Public Prosecutor’s Office. This creates a more robust enforcement scenario than many international players initially anticipated. Moreover, the law provides for joint and several liability: subsidiaries, branches, or companies within the same economic group in Brazil may be held accountable for violations committed by the foreign parent company.
Financial Penalties and Operational Sanctions
The sanctions are dissuasive. Fines can reach up to 10% of the economic group’s revenue in Brazil in the previous year, or up to R$ 50 million per individual violation, depending on the severity. In extreme cases or in the event of recurrence, authorities may order the temporary suspension or even the complete blocking of the service within Brazilian territory. For companies that depend on the Brazilian market, especially consumer technology firms, this operational risk is very real.
Relationship Between the ECA Digital and Brazil’s LGPD
It is worth noting that the ECA Digital interacts closely with the General Data Protection Law (LGPD). Many of the principles of privacy-by-default, data minimization, and impact assessments already existed under the LGPD, but they now take on more specific contours when the data subject is a child or adolescent. The processing of minors’ data requires even greater care, with more restrictive legal bases and heightened attention to consent and the rights of legal guardians.
Global Regulatory Trends and Brazilian Specificities
From a comparative perspective, the Brazilian law aligns with global trends. It bears clear similarities to the UK’s Age Appropriate Design Code, certain aspects of the European DSA, and ongoing discussions in other Latin American countries. However, it presents distinctly Brazilian nuances: strong influence from the Public Prosecutor’s Office, the tradition of integral protection of children established in the 1990 Child and Adolescent Statute (ECA), and an approach that combines state regulation with the shared responsibility of families, schools, and platforms.
Practical Compliance Steps for Foreign Technology Companies
Foreign legal advisors must act with urgency. A good starting point is to conduct a comprehensive gap analysis: mapping user onboarding flows, reviewing advertising and algorithmic recommendation policies, assessing the adequacy of age verification mechanisms, and verifying whether the legal representation structure in Brazil meets the new requirements.
In addition, it is important to prepare local teams or partners to handle administrative requests and potential audits. Investing in privacy-preserving age verification technologies, such as age estimation or document-based verification without excessive data storage, can make a difference both in compliance and in the user experience.
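The data-minimising split that the previous paragraph recommends can be made concrete. The following is an added example, not code from the law, the author or any verification vendor: a separate verification service (assumed to share an HMAC key with the platform) checks the date of birth once and returns only an age band with an expiry; the platform verifies that attestation and persists the band and a guardian-link flag, never the date of birth or the document. The key, the dates, the 30-day validity and the reading of the page's "up to 16" as "under 16" are assumptions.

```python
"""Age-band attestation: verify a date of birth once, keep only the band.

Added example (not the ECA Digital's text or any vendor's product). Assumes a
verification service that shares an HMAC key with the platform; the platform
never receives the date of birth or the identity document.
"""
import base64
import hashlib
import hmac
import json
import secrets
from datetime import date, timedelta
from typing import Optional

# Bands relevant to the obligations discussed on this page (assumption: 16 is
# the guardian-linking threshold, 18 is adulthood). Ordered high to low.
BANDS = ((18, "18+"), (16, "16-17"), (0, "under-16"))


def age_on(dob: date, today: date) -> int:
    """Full years completed between dob and today (birthday not yet reached
    this year means one year less)."""
    years = today.year - dob.year
    if (today.month, today.day) < (dob.month, dob.day):
        years -= 1
    return years


def age_band(dob: date, today: date) -> str:
    """Map an age to the coarsest band the platform needs."""
    years = age_on(dob, today)
    for minimum, label in BANDS:
        if years >= minimum:
            return label
    return "under-16"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_attestation(key: bytes, dob: date, today: date, ttl_days: int = 30) -> str:
    """Verification-service side. The DOB is used here and nowhere else: the
    token carries only band, expiry and a nonce, signed with HMAC-SHA256."""
    payload = {
        "band": age_band(dob, today),
        "exp": (today + timedelta(days=ttl_days)).isoformat(),
        "nonce": secrets.token_hex(8),
    }
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    tag = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(tag)}"


def verify_attestation(key: bytes, token: str, today: date) -> Optional[dict]:
    """Platform side: constant-time signature check, then expiry check.
    Returns the minimal claims, or None for any malformed/forged/expired token."""
    try:
        body, tag = token.split(".", 1)
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(tag)):
            return None
        claims = json.loads(_unb64(body))
        if date.fromisoformat(claims["exp"]) < today:
            return None
        return claims
    except (ValueError, KeyError, TypeError):
        return None


def account_record(claims: dict) -> dict:
    """What the platform persists against the account: the band and whether
    a legal-guardian link is required (assumption: required below 16)."""
    band = claims["band"]
    return {"age_band": band, "guardian_link_required": band == "under-16"}


if __name__ == "__main__":
    # Constructed sample: a shared key and a fixed "today" for the demo.
    key = b"demo-shared-key"
    today = date(2026, 3, 17)
    token = issue_attestation(key, date(2010, 3, 18), today)
    print(account_record(verify_attestation(key, token, today)))
```

The platform side stores only what the record returned by `account_record` contains; rotating the shared key or shortening `ttl_days` forces re-verification without the platform ever having held the date of birth.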
Conclusion
In summary, the ECA Digital is not merely a symbolic law. It imposes concrete obligations, with adaptation deadlines that have already expired for many companies, and carries real risks of financial and operational sanctions. For law firms advising international clients, especially small and medium-sized practices in Europe and Asia, the moment has come to help these players turn compliance into a competitive advantage.
Those who manage to implement robust protection measures from the design stage of their products will not only avoid heavy fines but may also build greater trust with the Brazilian public and authorities.
Summary: On January 25, 2026, Brazil and the EU mutually recognized each other as providing adequate personal data protection—removing, in many cases, the need for Standard Contractual Clauses (SCCs) or other transfer tools. This shifts the conversation from “copy-paste compliance” to strategy: deciding when to retire SCCs, updating cross-border transfer policies, and modernizing contractual models for future deals.
Why this matters in real transactions
Imagine you’re about to close a deal with a German business partner and your Brazilian client urgently asks for a data transfer clause. It’s always the same copy-paste: Standard Contractual Clauses (SCCs), Annex I and II in both languages, signatures on the dotted line. Now imagine this scene is finally unnecessary.
The mutual adequacy milestone (January 25, 2026)
On January 25, 2026, Brazil and the European Union mutually recognized each other as jurisdictions with adequate levels of personal data protection. It is the first reciprocal adequacy arrangement between the EU and a Latin American country: Argentina and Uruguay hold one-way EU adequacy decisions, whereas Brazil is the first to recognize the EU in return. In practical terms, it means that companies can transfer personal data between Brazil and the EU without the need for additional mechanisms, like SCCs or Binding Corporate Rules (BCRs). In strategic terms, it opens a new front of opportunities for Brazilian lawyers, especially those advising clients who export, import, invest, or operate in the EU.
A starting point, not a “compliance break”
This is a milestone and also a starting point. Mutual adequacy does not mean «relax your compliance programs»; on the contrary, it demands governance maturity and careful review.
Three concrete fronts for legal work
1. Retiring SCCs: Not Always Automatic
The adequacy decision makes SCCs optional in many cases, but that doesn’t mean you can simply tear them up. For existing contracts that already use SCCs, lawyers will need to assess whether they should keep, revise, or remove those clauses. The answer will depend on the risks, data flows, and reliance on third countries in the processing chain. There may also be internal policies, negotiated warranties, or obligations to supervisory authorities that require formal justifications.
In practice, companies with complex processing chains (e.g., European headquarters, shared Brazilian HR services, cloud servers in the U.S.) may continue using SCCs in certain flows even after the adequacy recognition. Lawyers will need to carefully document and track this hybrid model.
2. Reviewing Cross-Border Data Transfer Policies
Many companies, especially multinationals or those with multiple data protection obligations, have established cross-border data transfer policies («CBTPs») that classify countries into categories and associate specific safeguards for each. Brazil’s new status as an «adequate country» must now be reflected in those documents.
For instance, a Brazilian company that receives data from France and sends it to Argentina and India may now adjust internal protocols to reduce documentation and controls on the EU → Brazil leg, while reinforcing controls in the Brazil → Argentina or Brazil → India legs. These changes must be aligned with the company’s policies, contracts, and internal training materials.
3. Adapting Contractual Models for Future Deals
The mutual adequacy decision creates a new contractual scenario. Brazilian lawyers advising international clients can now use data transfer models aligned with the GDPR, without SCCs or complex annexes, provided the exporter and the importer are located in Brazil and the EU respectively (in either direction).
This reduces transaction costs, improves legal certainty, and increases speed in negotiations involving technology services, cross-border M&A, or shared service centers. A good contractual model should still include data protection clauses—but now focused on risk allocation, DPO cooperation, and incident response coordination, rather than formal compliance with Art. 46 GDPR or Arts. 33–36 LGPD.
Summary: Brazil’s data protection authority (ANPD) is signaling a clear move toward stronger, more GDPR-aligned enforcement and rulemaking through its 2026–2027 Priority Topics Map and updated Regulatory Agenda. The selected priorities mirror familiar EU themes—data subject rights, children’s data, public-sector processing, and AI—while adding practical predictability for organizations planning compliance. For European businesses operating in Brazil, the direction of travel suggests increasing convergence in governance, risk assessment, and transparency expectations. This trajectory may also strengthen the long-term case for Brazil to pursue an EU adequacy decision.
A maturing authority with a strategic alignment to GDPR
While European regulators refine enforcement mechanisms for mature frameworks, Brazil is quietly building one of the world’s most GDPR-aligned data protection systems outside the EU. The release of the Priority Topics Map for 2026–2027 and of the updated Regulatory Agenda by the National Data Protection Authority (ANPD) reveals an authority no longer in its infancy, but one strategically positioning itself as a credible counterpart to European supervisory bodies.
ANPD’s priority topics for 2026–2027
The four priority topics chosen by Brazil’s National Data Protection Authority («ANPD») tell a familiar tale to anyone working with GDPR compliance: data subject rights, protection of children and adolescents in digital environments, processing by public authorities, and artificial intelligence with emerging technologies.
Why these priorities feel familiar to GDPR practitioners
These are not arbitrary choices but deliberate alignments with the core concerns that have shaped European enforcement over the past seven years, from the fundamental rights guarantees in Articles 12 through 22, to the heightened scrutiny of processing involving minors, to the evolving regulatory treatment of algorithmic systems that now spans both GDPR recitals and the EU AI Act itself.
Children and adolescents: new authority and converging expectations
Brazil’s recent Digital Statute for Children and Adolescents hands ANPD substantial new authority over age verification and parental consent mechanisms, creating a regulatory bridge that should look strikingly familiar to companies navigating the UK’s Age Appropriate Design Code or implementing EDPB guidance on child data. European digital services operating in Brazil, particularly in social media, gaming, education, or wellness sectors, now face converging compliance expectations on both sides of the Atlantic. The technical architectures and consent flows designed for GDPR are increasingly fit for purpose in the Brazilian context as well.
Artificial intelligence and emerging technologies
The elevation of artificial intelligence to priority status is ANPD’s clearest statement yet about where Brazilian regulation is headed, though hardly a surprise, since AI is on the agenda of every regulator in every industry. While the LGPD lacks specific AI provisions, the authority has been methodically laying groundwork through public consultations on automated decision-making and studies on algorithmic profiling. For companies already deep in EU AI Act preparation, such a convergence offers something rare in global privacy compliance: the potential for genuine efficiency gains through shared governance frameworks, unified risk assessment methodologies, and harmonized transparency protocols rather than duplicative regional adaptations.
Data subject rights and DPIAs: reinforcing accountability
ANPD’s continued emphasis on data subject rights and Data Protection Impact Assessments reinforces the structural similarities with GDPR’s accountability model. The Brazilian approach increasingly mirrors European expectations around documented risk assessment, standardized response protocols for individual rights requests, and transparency obligations for profiling activities. Multinational organizations can now reasonably contemplate unified DPIA templates and centralized rights management systems that serve both jurisdictions without fundamental architectural splits.
The updated Regulatory Agenda for 2025–2026: predictability as a compliance asset
The updated Regulatory Agenda for 2025–2026 provides something perhaps more valuable than new rules: predictability. One should not underestimate the importance of predictability in Brazil, where it is a rare asset, even before the courts; former Finance Minister Pedro Malan once ironically stated that «in Brazil, even the past is uncertain».
What ANPD is telegraphing next
By telegraphing upcoming initiatives on biometric data processing, inspection methodologies, sanctioning procedures, cybersecurity standards, and privacy program governance, ANPD offers companies the planning visibility that makes cross-border compliance feasible rather than reactive. These topics map directly onto GDPR’s controller obligations, security requirements, and Data Protection Officer independence provisions in Articles 24 through 39.
Beyond compliance: what convergence could mean for data flows
The regulatory convergence carries implications beyond operational compliance. The structural alignment between LGPD and GDPR, reinforced by ANPD’s strategic choices, strengthens the case for an eventual EU adequacy decision recognizing Brazil under Article 45.
For European businesses and their counsel, the trajectory suggests not just reduced friction in managing trans-Atlantic data flows, but the emergence of genuinely compatible regulatory ecosystems. The challenge will be maintaining attention to Brazilian developments with the same intensity devoted to EDPB guidelines and Commission decisions, recognizing that convergence is a continuous process rather than a static achievement.
Conclusion
Brazil’s ANPD is increasingly setting priorities that mirror the main pressure points of GDPR compliance, while using its Regulatory Agenda to add clarity and sequencing to what comes next. For organizations operating across the EU and Brazil, the message is practical: governance structures, rights-handling processes, and risk assessment tooling built for GDPR are becoming progressively reusable in the Brazilian context. At the same time, staying alert to ANPD’s evolving guidance—especially around children’s data, AI, biometrics, cybersecurity, and enforcement methodology—will be key to turning regulatory convergence into real operational efficiency and reduced cross-border friction.
Summary
This article explores the ANPD’s 2025 Tech Radar on neurotechnologies and how it reshapes compliance risks for Brazilian healthtechs—especially in M&A contexts involving GDPR exposure. It outlines key regulatory concerns, the GDPR’s extraterritorial impact, major due-diligence red flags, and the essential deliverables investors should require.
Introduction
Brazil’s latest ANPD Tech Radar brings neurotechnologies to the forefront of data-protection compliance, exposing significant risks for healthtech companies and investors. With GDPR’s extraterritorial reach, sensitive data processing, opaque AI, and cross-border transfers, data governance has become a critical M&A due-diligence factor requiring structured reviews and robust contractual safeguards.
Key Compliance Risks Shaping Brazilian Healthtech M&A
Brazil’s Data Protection Authority (ANPD) released its 4th Tech Radar in June 2025, focusing entirely on neurotechnologies—marking the first time the regulator targeted this field so directly. The report explores brain-computer interfaces, advanced wearables, AI-driven cognitive therapies, and predictive diagnostics, highlighting risks far beyond traditional health data processing.
For investors and lawyers working M&A deals in Brazil’s healthtech sector, this Radar signals that data protection is no longer a secondary compliance issue—it is now a major source of legal, reputational, and operational risk.
GDPR’s Extraterritorial Relevance
Many Brazilian healthtechs handle personal data from foreign individuals, particularly Europeans, through expats, medical tourists, cross-border clinical trials, or partnerships with EU-based vendors. Where that processing relates to offering goods or services to, or monitoring the behaviour of, individuals in the EU, GDPR Article 3(2) extends the Regulation’s scope to the Brazilian company, even without any EU establishment.
Main Risks Identified by ANPD (Tech Radar #4)
- Inferring health data without explicit consent. Example: wearables identifying depression through sleep or stress patterns without informing users.
- Lack of transparency in predictive algorithms. Example: black-box AI models making clinical decisions without accessible documentation.
- Cybersecurity vulnerabilities in connected devices. Example: neural implants or neurostimulators vulnerable to hacking, with potentially physical consequences.
- Automated processing that impacts human dignity. Example: behavioral profiling influencing insurance eligibility, discrimination, or patient autonomy in therapy environments.
GDPR Article 22 gives individuals the right not to be subject to solely automated decisions that produce legal or similarly significant effects, unless narrow exceptions apply and suitable safeguards are implemented—making this a critical risk during due diligence.
Most Common Red Flags in Brazilian Healthtech Due Diligence
Each red flag below is followed by its LGPD impact (Brazil), the GDPR parallel (Europe), and a practical recommendation.
- No clear legal basis for sensitive data (health, genetic, biometric). LGPD impact: breach of Art. 11. GDPR parallel: Art. 9 (special categories). Recommendation: require full data mapping and warranties.
- Generic or “click-to-accept” consents. LGPD impact: invalid consent (Arts. 7 and 11). GDPR parallel: Arts. 6 and 7. Recommendation: ensure all consents are granular, specific, and revocable.
- Third-party sharing without processor agreements. LGPD impact: breach of Arts. 28 and 33. GDPR parallel: Art. 28. Recommendation: verify the existence and adequacy of all DPAs.
- Missing or incomplete ROPA (record of processing activities). LGPD impact: serious regulatory violation. GDPR parallel: Art. 30. Recommendation: make ROPA delivery a closing condition.
- Non-existent or conflicted DPO. LGPD impact: non-compliance with ANPD Resolution CD nº 2. GDPR parallel: Arts. 37–39. Recommendation: require an interview and a confirmation of independence.
- No DPIA for high-risk products. LGPD impact: mandatory (ANPD Res. 15/2023). GDPR parallel: Art. 35. Recommendation: include a pre-closing DPIA audit clause.
- International transfers without safeguards. LGPD impact: Arts. 33–35. GDPR parallel: Arts. 44–50. Recommendation: verify SCCs (2021/2023) or adequacy status.
Real Cases Illustrating the Scale of Risk
- Telepsychology platforms investigated for using automated triage without informed consent or AI transparency.
- ANPD actions against genomics startups due to cross-border transfers without SCCs or DPIAs.
- Outsourced cloud hosting increasing irregular data transfer risks.
Until Brazil receives an EU adequacy decision, SCCs and BCRs remain mandatory for compliant transfers.
Essential Due Diligence Deliverables
A robust data-protection review is now essential in healthtech M&A. Key deliverables include:
- LGPD ↔ GDPR gap analysis
- ROPA and DPIA review
- Sub-processor contract verification
- Mapping of all international transfers
- Privacy-specific warranties and indemnities
- Escrow or holdback for regulatory risk exposure
Conclusion
Data protection is no longer secondary in healthtech M&A—especially when neurodata is involved. With ANPD scrutinizing neurotechnologies and GDPR obligations extending across borders, investors must prioritize structured due diligence and strong contractual safeguards.
FAQ
Is neurodata considered sensitive personal data under the LGPD?
Yes—ANPD treats neurodata as highly sensitive because it reveals cognitive, emotional, and health patterns.
Does GDPR apply to Brazilian companies with no EU presence?
Yes, via Article 3(2), whenever the processing relates to offering goods or services to, or monitoring the behaviour of, individuals in the EU.
Are SCCs still required for Brazil–EU transfers?
Yes, until Brazil receives an EU adequacy decision.
What are the top investor red flags?
Missing DPIAs, unclear legal bases, opaque algorithms, and irregular transfers.
Since the General Data Protection Regulation (GDPR) took effect in 2018, the European Union (EU) has granted adequacy status to only a limited number of jurisdictions — those whose data protection regimes are deemed to provide an «essentially equivalent» level of protection to that of the EU. The current list includes Andorra, Argentina, Canada (under PIPEDA), Faroe Islands, Guernsey, Isle of Man, Israel, Japan, Jersey, New Zealand, South Korea, Switzerland, Uruguay, the United Kingdom, and the United States (limited to companies certified under the Data Privacy Framework).
As of 5 September 2025, Brazil is on the verge of joining this exclusive group. The European Commission has issued a draft adequacy decision concluding that the Brazilian General Data Protection Law (Lei Geral de Proteção de Dados Pessoais – LGPD), in conjunction with Brazil’s broader legal and constitutional framework, offers protections that are essentially equivalent to those found in the GDPR. While Brazil’s rules offer somewhat more flexibility in specific areas of data processing, the foundational principles and safeguards are well-aligned with EU standards.
Once finalized, the adequacy decision will authorize the free flow of personal data from the EU to Brazil without the need for additional contractual clauses or technical safeguards. Such a development is not just regulatory — it also answers a core political argument made by LGPD advocates since its inception: that the absence of a comprehensive data protection framework was undermining Brazil’s international competitiveness by limiting data flows and discouraging investment. For businesses, the EU decision may finally mean the removal of a significant layer of compliance complexity — a development especially welcome by small and medium-sized enterprises engaged in cross-border trade or service provision. The draft is currently under review by the European Data Protection Board (EDPB) and the Member States of the EU.
The Commission’s assessment highlights several key aspects of Brazil’s data protection landscape. It begins by noting that the Brazilian Constitution expressly guarantees the right to privacy and the protection of personal data — a notable distinction among non-EU jurisdictions. These protections are further supported by Brazil’s ratification of the American Convention on Human Rights and its recognition of the jurisdiction of the Inter-American Court of Human Rights, reinforcing a commitment to fundamental rights and democratic oversight.
The LGPD mirrors the GDPR in many critical respects and defines its territorial scope clearly. It applies to: (i) data processing carried out within Brazilian territory, (ii) the offering of goods or services to individuals in Brazil, and (iii) data collected in Brazil, even if subsequently processed abroad. This aligns well with the extraterritorial provisions of the GDPR. The definitions of personal data, sensitive data, controller, and processor are materially similar, as are the key principles governing processing — including lawfulness, purpose limitation, data minimization, accuracy, transparency, and security. The law expressly excludes anonymized data from its scope and establishes specific exemptions for journalistic activities, public security, and scientific research.
Another strength is Brazil’s institutional framework. The National Data Protection Authority (ANPD) was recently transformed into an autonomous regulatory agency, enhancing its independence and technical capacity. The ANPD holds both regulatory and enforcement powers: it can issue binding regulations, impose administrative sanctions, and publish authoritative guidance. To date, it has issued key guidelines on topics such as consent, legitimate interest, the role of the Data Protection Officer (DPO), and security incident reporting. Internationally, the ANPD is an active participant in global data protection dialogue — it is a member of the Global Privacy Assembly and an official observer to the Council of Europe’s Convention 108.
The LGPD’s approach to international data transfers is also structurally aligned with the GDPR. It requires appropriate safeguards such as standard contractual clauses, allows for future adequacy decisions under a regime comparable to Article 45 of the GDPR, and includes detailed provisions for onward transfers and transit data — that is, data merely passing through Brazil without further processing. The rights of data subjects are robust and familiar to European practitioners: access, rectification, erasure, portability, and withdrawal of consent are guaranteed. Lawful bases for processing are also aligned — including consent, legal obligations, contract execution, and legitimate interest. Notably, the LGPD requires a documented balancing test when relying on legitimate interest, bringing additional accountability to this flexible legal basis.
Security incidents involving personal data must be notified to both the ANPD and affected data subjects when they may entail relevant risk or damage to data subjects. Under the ANPD’s incident regulation the deadline is three business days from the controller’s awareness of the incident, and the required content aligns closely with Articles 33 and 34 of the GDPR. The ANPD may also order public disclosure of incidents or require remedial measures, depending on the nature and scope of the breach.
Importantly, this process is not one-sided. In parallel to the European Commission’s adequacy decision, the ANPD is conducting its own adequacy assessment of the EU and EEA data protection frameworks. This process is regulated by the Brazilian Resolution CD/ANPD No. 19/2024, which governs international data transfers. Once the technical and legal evaluation is complete, the ANPD’s Board of Directors will issue a formal decision. This reciprocal move reflects Brazil’s commitment to mutual recognition and regulatory symmetry — a positive signal for companies on both sides of the Atlantic.
In conclusion: If confirmed, Brazil’s adequacy status will simplify international operations, reduce compliance costs, and expand opportunities for data-driven business and legal cooperation. For European lawyers advising SMEs with interests in Latin America, this development is a strategic signal: Brazil is emerging not just as a growing market, but as a legally compatible and data-safe jurisdiction for international partnerships.
On 23 August 2024, Brazil’s National Data Protection Authority (ANPD) issued Resolution No. 19, a landmark regulation governing the international transfer of personal data under the Brazilian General Data Protection Law (LGPD). Companies now have until 23 August 2025 to fully comply.
This deadline is especially relevant for European multinationals operating in Brazil, or Brazilian subsidiaries sharing data with foreign HQs or vendors. The new rules align Brazil more closely with global privacy frameworks like the GDPR—but with local twists that demand attention.
Why It Matters
Unlike previous guidance, Resolution No. 19 creates binding legal obligations and explicit deadlines. It introduces mechanisms such as Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), and public transparency requirements—all within a strict 12-month timeframe.
For many international companies, this will require significant updates to internal governance, contract management, and cloud data strategies. Below are the key takeaways for foreign counsel.
Standard Contractual Clauses (SCCs): Now Mandatory
The ANPD has released its own set of Standard Contractual Clauses, which must be used for data transfers to jurisdictions not recognized as offering “adequate protection.”
Companies must adopt these clauses by 23 August 2025. This will likely require revisiting existing data processing agreements involving Brazilian parties and ensuring alignment with the ANPD template.
Important: The SCCs cannot be modified beyond inserting details in the annexes. Any deviations require prior approval from the ANPD and are limited to exceptional cases.
Broad Transparency Requirements
Data controllers are now required to publish, on their website, a plain-language document explaining:
- the purpose of the international data transfer,
- the categories of data involved,
- the countries of destination,
- and the legal mechanism used to legitimize the transfer.
Upon request, data subjects must also receive a copy of the full SCCs within 15 days. Multinationals will need protocols and document templates to respond efficiently—especially when dealing with requests in Portuguese.
Expanded Definition of “International Transfer”
The Resolution clarifies that a transfer occurs whenever:
- data is accessed or stored by an entity located abroad, or
- processing is outsourced to a cloud provider with servers or technical teams outside Brazil.
This has important implications for global companies that centralize services such as payroll, CRM, or cybersecurity outside Brazil—even if hosted on multinational platforms.
Binding Corporate Rules (BCRs): Now Recognized
Multinationals with mature privacy programs may apply to the ANPD for approval of their own Binding Corporate Rules, offering an alternative to SCCs.
This is a welcome development for companies seeking harmonized compliance across jurisdictions, but approval is expected to involve a complex and time-consuming process. Early preparation is essential.
Custom Clauses in Exceptional Circumstances
Companies unable to adopt the standard clauses—due to specific factual or legal constraints—may submit alternative clauses for ANPD approval. However, such flexibility is limited and subject to strict justification.
In practice, the official SCCs will be the default path for most international data transfers involving Brazil.
What Foreign Companies Should Do Now
The 12-month window is already ticking. International groups operating in Brazil or processing Brazilian data should urgently:
- Map all international data transfers involving Brazil;
- Identify contracts and vendors requiring updates;
- Insert ANPD’s SCCs where applicable;
- Publish the required transparency notice online in Portuguese;
- Monitor for further ANPD guidance or enforcement trends.
Strategic Compliance: Beyond Legal Risk
Resolution No. 19 is part of a global trend toward standardized but locally enforced privacy frameworks. For GDPR-compliant companies, Brazil’s new rules offer a chance to reaffirm leadership in data governance.
Those who act early can avoid last-minute fire drills, reduce regulatory exposure, and strengthen credibility with Brazilian regulators and consumers.
In today’s data economy, privacy compliance is more than a legal duty—it’s a business differentiator.
Brazil’s National Data Protection Authority (ANPD) released a long-awaited guidance document on how companies should interpret and apply the legal basis of legitimate interest under the Brazilian General Data Protection Law (LGPD).
This is not merely a local update. As Brazil continues to shape its data protection regime, foreign companies—particularly European SMEs with clients, platforms, or partners in Brazil—must adapt their compliance strategies to local expectations. This new guidance is a crucial development.
Below, I summarize what has changed, how it compares to the GDPR approach, and what steps you (or your clients) should take next.
Why Legitimate Interest Matters—But Remains Risky
Just like under the GDPR, Brazil’s LGPD allows personal data to be processed without consent when doing so is necessary for purposes aligned with the controller’s legitimate interests. However, because no regulation had been issued since the LGPD came into force, this legal basis has long been regarded as risky in Brazil – in fact, it was unclear how to evaluate the «legitimacy» of the interest and how to balance it against data subject rights.
The ANPD’s «Guia Orientativo sobre o Legítimo Interesse» (Guidance on Legitimate Interest) fills that gap—providing a practical framework to assess, document, and justify this legal basis.
The ANPD’s Three-Step Balancing Test
The core of the new guidance is a three-step balancing test, which mirrors the GDPR’s Legitimate Interests Assessment (LIA) but with Brazilian nuances.
- Purpose Test: The controller must define a specific, concrete, and legitimate objective behind the data processing. Open-ended or abstract justifications (“marketing purposes”, “efficiency”) will not suffice. The processing must also align with the reasonable expectations of the data subject.
- Necessity Test: The data processing must be strictly necessary to achieve the defined purpose. If the same result could be achieved through less intrusive means (e.g. anonymized data or a different legal basis), the test will likely fail.
- Balancing Test and Safeguards: This step assesses whether the controller’s interest outweighs the rights and freedoms of the data subject. Controllers must consider the nature of the data, the context of the processing, and the potential risks involved. When risks are identified, appropriate safeguards must be implemented, such as transparency, opt-outs, pseudonymization, and impact assessments.
Takeaway: The ANPD recommends documenting the entire process. While this is not mandatory by law, it will be critical in case of investigations or complaints.
How This Affects Foreign Companies Doing Business in Brazil
Many foreign companies process personal data of Brazilian individuals—whether by offering digital services, interacting with Brazilian suppliers, or collecting contact information via websites or CRM tools.
Although some assume that GDPR compliance is sufficient, the ANPD may evaluate legitimate interest more restrictively than some EU supervisory authorities.
Foreign companies should:
- Revisit their legal bases for processing data of Brazilian individuals.
- Conduct a proper balancing test using the ANPD’s model, even for non-sensitive data.
- Keep written records of the analysis (especially if using legitimate interest for analytics or marketing).
- Update their privacy notices to reflect the legal basis and safeguards in place.
- Be aware of the extraterritorial reach of the LGPD—yes, it applies even if you have no office in Brazil.
Strategic Guidance
If you advise SMEs that operate across jurisdictions—including Brazil—this new guidance is a practical compliance tool and a risk-mitigation opportunity.
Here’s how to act now:
- Perform a Legitimate Interests Assessment (LIA) whenever your client relies on this basis in Brazil.
- Compare it with the GDPR LIA to identify overlaps and gaps.
- Align documentation—so your clients are ready in the event of a complaint or data subject request.
- Monitor ANPD updates—the ANPD has increased its activity and enforcement posture significantly in the past year.
Final Thoughts
The ANPD’s guidance reflects a growing maturity in Brazil’s data protection landscape. Legitimate interest is no longer a vague fallback—it requires structure, analysis, and above all, transparency.
European companies with operations or digital exposure in Brazil should approach this legal basis with care and diligence. The good news? The ANPD is now offering the roadmap. It’s up to us, as legal advisors, to make sure our clients follow it.
Want to see the full guidance? The original document (in Portuguese) is available here.
Brazil is increasingly in the global spotlight when it comes to cybersecurity threats. With over 10 billion cyberattack attempts recorded in 2023 alone, the country ranks among the most targeted worldwide. These incidents are not abstract: they affect sensitive sectors such as finance and healthcare, including data leaks involving over 220 million data subjects from national institutions and critical infrastructure operators.
While Brazil may seem like a distant jurisdiction, its data protection regime — shaped by the Lei Geral de Proteção de Dados (LGPD) — has growing significance for European businesses operating or partnering in the region. The LGPD, inspired by the GDPR, sets out specific obligations around data breach notification. However, unlike the GDPR’s mandatory 72-hour notification rule, not all security incidents must be reported to the Brazilian Data Protection Authority (ANPD).
So: when exactly should a security incident be reported in Brazil?
When Notification is Required: A Three-Step Test
Under Brazilian law, a security incident involving personal data must be reported to the ANPD only if the following three criteria are cumulatively met:
- The incident has been confirmed.
- It involves personal data subject to the LGPD.
- It poses a relevant risk or damage to data subjects.
This third threshold is critical. According to the ANPD’s Security Incident Communication Regulation (RCIS), relevant risks include incidents that may:
- Prevent the exercise of rights or access to services.
- Cause material or moral harm.
- Involve special categories of data, such as:
  - Sensitive personal data
  - Financial data
  - Large-scale datasets
  - Children’s or elderly persons’ data
  - Authentication credentials
  - Legally protected information (e.g., medical, legal, or professional secrets)
This approach offers some flexibility — but it also requires careful legal judgment.
When You Don’t Have to Notify
There is no obligation to notify the ANPD if the incident does not result in significant risk or damage. For instance, if the breached data is non-sensitive and publicly available (e.g., general contact information), and no additional harm is expected, companies may reasonably determine that notification is unnecessary.
However, this decision should not be taken lightly. Controllers are expected to assess several contextual factors, such as:
- The volume and nature of the affected data.
- Whether the data subjects can be identified.
- The likely impact on fundamental rights.
- The technical and security measures in place.
- Any steps taken to mitigate the damage.
In practice, each case must be analyzed individually — and well documented — to ensure a defensible position.
How to Notify the ANPD (If Required)
If the thresholds for notification are met, companies must report the incident within three business days from the date they became aware that personal data was affected. The notification must include:
- A description of the breach and affected data.
- The number and profile of impacted data subjects.
- Security measures in place before and after the incident.
- Potential risks to the data subjects.
- Mitigation strategies.
- Identification of the controller and DPO (if applicable).
Notifications are submitted via the ANPD’s online platform (SUPER). Sensitive business information can be protected through a request for confidential treatment, provided it is properly justified.
Strategic Takeaways for European Stakeholders
For European companies and compliance officers, understanding the nuances of Brazilian data breach notification rules is essential for several reasons:
- Cross-border compliance: Companies transferring personal data to Brazil must ensure regulatory alignment under the GDPR’s international transfer rules.
- Due diligence: M&A or vendor screening in Brazil should include assessments of LGPD readiness and breach history.
- Incident response protocols: Global organizations must harmonize breach notification timelines and thresholds across jurisdictions, adapting to Brazil’s risk-based approach.
In a landscape of increasing cyber threats, aligning with the LGPD is not just a regulatory obligation — it’s a strategic necessity.
Final Thoughts
Brazil’s data protection authority does not adopt a «one size fits all» model for breach notification. The LGPD introduces a risk-based, case-by-case approach, which may offer more flexibility than the GDPR — but also places a greater burden on organizations to justify their decisions.
European companies doing business in Brazil must be prepared to evaluate security incidents in light of both local obligations and international expectations. Failing to notify a breach — or notifying too hastily — can have serious reputational, legal, and operational consequences.
Understanding when (and how) to notify the ANPD is a key part of navigating Brazil’s complex but maturing data protection landscape.
Brazil | Legitimate Interest under Data Protection Law: The official Guidance Explained
10.06.2025
Summary
Brazil’s new Digital Child Protection Law (ECA Digital – Law No. 15,211/2025) radically changes the compliance obligations for foreign technology companies operating in Brazil. The law introduces a proactive duty of care toward minors, replacing the previous reactive liability model under the Marco Civil da Internet. Any digital service accessible to children or adolescents — including social media, gaming, streaming, AI tools, and app stores — must now adopt safety-by-design and privacy-by-default principles.
Brazil Introduces a New Digital Protection Framework for Minors
When Law No. 15,211/2025, known as the ECA Digital or Digital Statute for Children and Adolescents, came into force on March 17, 2026, Brazil took a significant step in regulating the digital environment. For foreign technology companies that offer services to the Brazilian public, the legislation is far more than just another local rule. It represents a genuine paradigm shift in how platforms must be designed, operated, and monitored.
Until now, the Brazilian Internet Civil Framework (Marco Civil da Internet) of 2014 established essentially a reactive liability regime. Platforms were generally only held responsible for third-party content after receiving a specific court order or valid notification. The ECA Digital inverts this logic. Companies now face a proactive and continuous duty of care, something close to the “duty of care” we already know in Europe through the UK’s Online Safety Act or parts of the Digital Services Act (DSA).
The Best Interests of the Child Become the Central Compliance Principle
The central principle of the law is the best interests of the child and adolescent. Any information technology product or service that is targeted at minors or has a reasonable likelihood of being accessed by them must be developed with this interest as an absolute priority. This includes social networks, gaming apps, streaming platforms, app stores, and even artificial intelligence tools.
In practice, this means adopting the concepts of safety-by-design and privacy-by-default from the outset. It is no longer enough to fix problems after they arise. Companies must anticipate risks to the physical, mental, and moral integrity of younger users and build preventive safeguards.
Mandatory Impact Assessments and Platform Risk Analysis
One of the pillars of the new legislation is the requirement for impact assessments. Platforms must conduct periodic detailed analyses of the potential effects of their functionalities (recommendation algorithms, engagement mechanisms, advertising systems, and even augmented reality features) on children and adolescents. These reports need to be properly documented internally and, in many cases, generate transparent information that can be shared with authorities or made available to the public in a summarized version.
New Age Verification and Parental Control Obligations
Age verification has become significantly more rigorous. A simple self-declaration (“click here if you are over 18”) is no longer considered sufficient. The law requires effective and proportionate mechanisms that respect privacy but genuinely manage to distinguish adults from minors. For users up to 16 years old, accounts on social networks and similar platforms must, as a rule, be linked to a legal guardian.
Furthermore, companies are required to provide robust parental control tools. Guardians must have access to dashboards that allow them to set screen time limits, restrict contacts, approve or block in-app purchases, and disable personalized algorithmic recommendation systems. Many foreign clients I have spoken with still underestimate the weight of this requirement.
Restrictions on Advertising, Profiling, and Gaming Monetization
In the commercial sphere, the law is particularly restrictive. The use of advanced behavioral profiling, emotional analysis, or immersive technologies to target advertising at children and adolescents is prohibited. Monetization of content that inappropriately exploits the image of minors is also subject to severe limitations. In the gaming sector, there are express bans on “loot boxes” and randomized reward systems when the game is accessible to minors, precisely because of their addictive potential and the risk of uncontrolled spending.
Harmful Content Removal and Reporting Requirements
Another aspect that deserves attention is the swift removal of harmful content. The law establishes short deadlines — in some cases as little as 24 hours — for the removal of material related to sexual exploitation, violence, bullying, cyberbullying, incitement to suicide, self-harm, or drug use. In addition to removal, in serious situations platforms must notify the competent authorities, including through international cooperation when necessary.
Legal Representation and Enforcement Risks for Foreign Companies
For foreign companies without a physical presence in Brazil, the law strengthens enforcement mechanisms. It is mandatory to appoint a legal representative established in the country, with powers to receive judicial and administrative citations, respond to requests from the Public Prosecutor’s Office and the National Data Protection Authority (ANPD), and serve as the local point of contact.
In fact, the ANPD assumes a central role in supervising and regulating the law, acting in coordination with the Public Prosecutor’s Office. This creates a more robust enforcement scenario than many international players initially anticipated. Moreover, the law provides for joint and several liability: subsidiaries, branches, or companies within the same economic group in Brazil may be held accountable for violations committed by the foreign parent company.
Financial Penalties and Operational Sanctions
The sanctions are dissuasive. Fines can reach up to 10% of the economic group’s revenue in Brazil in the previous year, or up to R$ 50 million per individual violation, depending on the severity. In extreme cases or in the event of recurrence, authorities may order the temporary suspension or even the complete blocking of the service within Brazilian territory. For companies that depend on the Brazilian market, especially consumer technology firms, this operational risk is very real.
Relationship Between the ECA Digital and Brazil’s LGPD
It is worth noting that the ECA Digital interacts closely with the General Data Protection Law (LGPD). Many of the principles of privacy-by-default, data minimization, and impact assessments already existed under the LGPD, but they now take on more specific contours when the data subject is a child or adolescent. The processing of minors’ data requires even greater care, with more restrictive legal bases and heightened attention to consent and the rights of legal guardians.
Global Regulatory Trends and Brazilian Specificities
From a comparative perspective, the Brazilian law aligns with global trends. It bears clear similarities to the UK’s Age Appropriate Design Code, certain aspects of the European DSA, and ongoing discussions in other Latin American countries. However, it presents distinctly Brazilian nuances: strong influence from the Public Prosecutor’s Office, the tradition of integral protection of children established in the 1990 Child and Adolescent Statute (ECA), and an approach that combines state regulation with the shared responsibility of families, schools, and platforms.
Practical Compliance Steps for Foreign Technology Companies
Foreign legal advisors must act with urgency. A good starting point is to conduct a comprehensive gap analysis: mapping user onboarding flows, reviewing advertising and algorithmic recommendation policies, assessing the adequacy of age verification mechanisms, and verifying whether the legal representation structure in Brazil meets the new requirements.
In addition, it is important to prepare local teams or partners to handle administrative requests and potential audits. Investing in privacy-preserving age verification technologies, such as age estimation or document-based verification without excessive data storage, can make a difference both in compliance and in the user experience.
Conclusion
In summary, the ECA Digital is not merely a symbolic law. It imposes concrete obligations, with adaptation deadlines that have already expired for many companies, and carries real risks of financial and operational sanctions. For law firms advising international clients, especially small and medium-sized practices in Europe and Asia, the moment has come to help these players turn compliance into a competitive advantage.
Those who manage to implement robust protection measures from the design stage of their products will not only avoid heavy fines but may also build greater trust with the Brazilian public and authorities.
Summary: On January 25, 2026, Brazil and the EU mutually recognized each other as providing adequate personal data protection—removing, in many cases, the need for Standard Contractual Clauses (SCCs) or other transfer tools. This shifts the conversation from “copy-paste compliance” to strategy: deciding when to retire SCCs, updating cross-border transfer policies, and modernizing contractual models for future deals.
Why this matters in real transactions
Imagine you’re about to close a deal with a German business partner and your Brazilian client urgently asks for a data transfer clause. It’s always the same copy-paste: Standard Contractual Clauses (SCCs), Annex I and II in both languages, signatures on the dotted line. Now imagine this scene is finally unnecessary.
The mutual adequacy milestone (January 25, 2026)
On January 25, 2026, Brazil and the European Union mutually recognized each other as countries with adequate levels of personal data protection. It’s the first adequacy agreement signed between the EU and a Latin American country. In practical terms, it means that companies can transfer personal data between Brazil and the EU without the need for additional mechanisms, like SCCs or Binding Corporate Rules (BCRs). In strategic terms, it opens a new front of opportunities for Brazilian lawyers, especially those advising clients who export, import, invest, or operate in the EU.
A starting point, not a “compliance break”
This is a milestone and also a starting point. Mutual adequacy does not mean «relax your compliance programs»; on the contrary, it demands governance maturity and careful review.
Three concrete fronts for legal work
1. Retiring SCCs: Not Always Automatic
The adequacy decision makes SCCs optional in many cases, but that doesn’t mean you can simply tear them up. For existing contracts that already use SCCs, lawyers will need to assess whether they should keep, revise, or remove those clauses. The answer will depend on the risks, data flows, and reliance on third countries in the processing chain. There may also be internal policies, negotiated warranties, or obligations to supervisory authorities that require formal justifications.
In practice, companies with complex processing chains (e.g., European headquarters, shared Brazilian HR services, cloud servers in the U.S.) may continue using SCCs in certain flows even after the adequacy recognition. Lawyers will need to carefully document and track this hybrid model.
2. Reviewing Cross-Border Data Transfer Policies
Many companies, especially multinationals or those with multiple data protection obligations, have established cross-border data transfer policies («CBTPs») that classify countries into categories and associate specific safeguards for each. Brazil’s new status as an «adequate country» must now be reflected in those documents.
For instance, a Brazilian company that receives data from France and sends it to Argentina and India may now adjust internal protocols to reduce documentation and controls on the EU → Brazil leg, while reinforcing controls in the Brazil → Argentina or Brazil → India legs. These changes must be aligned with the company’s policies, contracts, and internal training materials.
3. Adapting Contractual Models for Future Deals
The mutual adequacy decision creates a new contractual scenario. Brazilian lawyers advising international clients can now use data transfer models aligned with GDPR—without needing SCCs or complex annexes—provided both parties are located in Brazil and the EU.
This reduces transaction costs, improves legal certainty, and increases speed in negotiations involving technology services, cross-border M&A, or shared service centers. A good contractual model should still include data protection clauses—but now focused on risk allocation, DPO cooperation, and incident response coordination, rather than formal compliance with Art. 46 GDPR or Arts. 33–36 LGPD.
Summary: Brazil’s data protection authority (ANPD) is signaling a clear move toward stronger, more GDPR-aligned enforcement and rulemaking through its 2026–2027 Priority Topics Map and updated Regulatory Agenda. The selected priorities mirror familiar EU themes—data subject rights, children’s data, public-sector processing, and AI—while adding practical predictability for organizations planning compliance. For European businesses operating in Brazil, the direction of travel suggests increasing convergence in governance, risk assessment, and transparency expectations. This trajectory may also strengthen the long-term case for Brazil to pursue an EU adequacy decision.
A maturing authority with a strategic alignment to GDPR
While European regulators refine enforcement mechanisms for mature frameworks, Brazil is quietly building one of the world’s most GDPR-aligned data protection systems outside the EU. The release of its Priority Topics Map for 2026–2027 and its updated Regulatory Agenda by the National Agency of Personal Data Protection (ANPD) reveals an authority no longer in its infancy, but one strategically positioning itself as a credible counterpart to European supervisory bodies.
ANPD’s priority topics for 2026–2027
The four priority topics chosen by Brazil’s National Data Protection Authority («ANPD») tell a familiar tale to anyone working with GDPR compliance: data subject rights, protection of children and adolescents in digital environments, processing by public authorities, and artificial intelligence with emerging technologies.
Why these priorities feel familiar to GDPR practitioners
These are not arbitrary choices but deliberate alignments with the core concerns that have shaped European enforcement over the past seven years, from the fundamental rights guarantees in Articles 12 through 22, to the heightened scrutiny of processing involving minors, to the evolving regulatory treatment of algorithmic systems that now spans both GDPR recitals and the EU AI Act itself.
Children and adolescents: new authority and converging expectations
Brazil’s recent Digital Statute for Children and Adolescents hands ANPD substantial new authority over age verification and parental consent mechanisms, creating a regulatory bridge that should look strikingly familiar to companies navigating the UK’s Age Appropriate Design Code or implementing EDPB guidance on child data. European digital services operating in Brazil, particularly in social media, gaming, education, or wellness sectors, now face converging compliance expectations on both sides of the Atlantic. The technical architectures and consent flows designed for GDPR are increasingly fit for purpose in the Brazilian context as well.
Artificial intelligence and emerging technologies
The elevation of artificial intelligence to priority status represents ANPD’s clearest statement yet about where Brazilian regulation is headed – although the move itself is no surprise, since AI is a concern for every regulator in every industry. While the LGPD lacks specific AI provisions, the authority has been methodically laying groundwork through public consultations on automated decision-making and studies on algorithmic profiling. For companies already deep in EU AI Act preparation, such a convergence offers something rare in global privacy compliance: the potential for genuine efficiency gains through shared governance frameworks, unified risk assessment methodologies, and harmonized transparency protocols rather than duplicative regional adaptations.
Data subject rights and DPIAs: reinforcing accountability
ANPD’s continued emphasis on data subject rights and Data Protection Impact Assessments reinforces the structural similarities with GDPR’s accountability model. The Brazilian approach increasingly mirrors European expectations around documented risk assessment, standardized response protocols for individual rights requests, and transparency obligations for profiling activities. Multinational organizations can now reasonably contemplate unified DPIA templates and centralized rights management systems that serve both jurisdictions without fundamental architectural splits.
The updated Regulatory Agenda for 2025–2026: predictability as a compliance asset
The updated Regulatory Agenda for 2025–2026 provides something perhaps more valuable than new rules: predictability. One should not underestimate the importance of predictability in Brazil, where it is a rare asset, even before the courts. Former Finance Minister Pedro Malan once ironically remarked that “in Brazil, even the past is uncertain”.
What ANPD is telegraphing next
By telegraphing upcoming initiatives on biometric data processing, inspection methodologies, sanctioning procedures, cybersecurity standards, and privacy program governance, ANPD offers companies the planning visibility that makes cross-border compliance feasible rather than reactive. These topics map directly onto GDPR’s controller obligations, security requirements, and Data Protection Officer independence provisions in Articles 24 through 39.
Beyond compliance: what convergence could mean for data flows
The regulatory convergence carries implications beyond operational compliance. The structural alignment between LGPD and GDPR, reinforced by ANPD’s strategic choices, strengthens the case for an eventual EU adequacy decision recognizing Brazil under Article 45.
For European businesses and their counsel, the trajectory suggests not just reduced friction in managing trans-Atlantic data flows, but the emergence of genuinely compatible regulatory ecosystems. The challenge will be maintaining attention to Brazilian developments with the same intensity devoted to EDPB guidelines and Commission decisions, recognizing that convergence is a continuous process rather than a static achievement.
Conclusion
Brazil’s ANPD is increasingly setting priorities that mirror the main pressure points of GDPR compliance, while using its Regulatory Agenda to add clarity and sequencing to what comes next. For organizations operating across the EU and Brazil, the message is practical: governance structures, rights-handling processes, and risk assessment tooling built for GDPR are becoming progressively reusable in the Brazilian context. At the same time, staying alert to ANPD’s evolving guidance—especially around children’s data, AI, biometrics, cybersecurity, and enforcement methodology—will be key to turning regulatory convergence into real operational efficiency and reduced cross-border friction.
Summary
This article explores the ANPD’s 2025 Tech Radar on neurotechnologies and how it reshapes compliance risks for Brazilian healthtechs—especially in M&A contexts involving GDPR exposure. It outlines key regulatory concerns, the GDPR’s extraterritorial impact, major due-diligence red flags, and the essential deliverables investors should require.
Introduction
Brazil’s latest ANPD Tech Radar brings neurotechnologies to the forefront of data-protection compliance, exposing significant risks for healthtech companies and investors. With GDPR’s extraterritorial reach, sensitive data processing, opaque AI, and cross-border transfers, data governance has become a critical M&A due-diligence factor requiring structured reviews and robust contractual safeguards.
Key Compliance Risks Shaping Brazilian Healthtech M&A
Brazil’s Data Protection Authority (ANPD) released its 4th Tech Radar in June 2025, focusing entirely on neurotechnologies—marking the first time the regulator targeted this field so directly. The report explores brain-computer interfaces, advanced wearables, AI-driven cognitive therapies, and predictive diagnostics, highlighting risks far beyond traditional health data processing.
For investors and lawyers working M&A deals in Brazil’s healthtech sector, this Radar signals that data protection is no longer a secondary compliance issue—it is now a major source of legal, reputational, and operational risk.
GDPR’s Extraterritorial Relevance
Many Brazilian healthtechs handle personal data from foreign individuals, particularly Europeans, through expats, medical tourists, cross-border clinical trials, or partnerships with EU-based vendors. Where that processing involves offering goods or services to, or monitoring the behaviour of, individuals in the EU, GDPR Article 3(2) applies to the Brazilian company even without any EU establishment.
Main Risks Identified by ANPD (Tech Radar #4)
- Inferring health data without explicit consent. Example: wearables identifying depression through sleep or stress patterns without informing users.
- Lack of transparency in predictive algorithms: black-box AI models making clinical decisions without accessible documentation.
- Cybersecurity vulnerabilities in connected devices: neural implants or neurostimulators vulnerable to hacking, with potentially physical consequences.
- Automated processing that impacts human dignity: behavioral profiling influencing insurance eligibility, discrimination, or patient autonomy in therapy environments.
GDPR Article 22 restricts decisions based solely on automated processing that produce legal or similarly significant effects, allowing them only under narrow exceptions and with safeguards such as human intervention and the right to contest the decision. This makes automated clinical or eligibility decisions a critical risk during due diligence.
Most Common Red Flags in Brazilian Healthtech Due Diligence
- No clear legal basis for sensitive data (health, genetic, biometric). LGPD impact: breach of Art. 11. GDPR parallel: Art. 9 (special categories). Recommendation: require full data mapping and warranties.
- Generic or “click-to-accept” consents. LGPD impact: invalid consent (Arts. 7 and 11). GDPR parallel: Arts. 6 and 7. Recommendation: ensure all consents are granular, specific, and revocable.
- Third-party sharing without processor agreements. LGPD impact: breach of Arts. 28 and 33. GDPR parallel: Art. 28. Recommendation: verify the existence and adequacy of all DPAs.
- Missing or incomplete ROPA. LGPD impact: serious regulatory violation. GDPR parallel: Art. 30. Recommendation: make ROPA delivery a closing condition.
- Non-existent or conflicted DPO. LGPD impact: non-compliance with ANPD Resolution CD nº 2. GDPR parallel: Arts. 37–39. Recommendation: require an interview with the DPO and confirmation of independence.
- No DPIA for high-risk products. LGPD impact: mandatory (ANPD Res. 15/2023). GDPR parallel: Art. 35. Recommendation: include a pre-closing DPIA audit clause.
- International transfers without safeguards. LGPD impact: Arts. 33–35. GDPR parallel: Arts. 44–50. Recommendation: verify SCCs (2021/2023) or adequacy status.
Real Cases Illustrating the Scale of Risk
- Telepsychology platforms investigated for using automated triage without informed consent or AI transparency.
- ANPD actions against genomics startups due to cross-border transfers without SCCs or DPIAs.
- Outsourced cloud hosting increasing irregular data transfer risks.
Until Brazil receives an EU adequacy decision, appropriate safeguards such as SCCs or BCRs remain required for compliant transfers.
Essential Due Diligence Deliverables
A robust data-protection review is now essential in healthtech M&A. Key deliverables include:
- LGPD ↔ GDPR gap analysis
- ROPA and DPIA review
- Sub-processor contract verification
- Mapping of all international transfers
- Privacy-specific warranties and indemnities
- Escrow or holdback for regulatory risk exposure
Conclusion
Data protection is no longer secondary in healthtech M&A—especially when neurodata is involved. With ANPD scrutinizing neurotechnologies and GDPR obligations extending across borders, investors must prioritize structured due diligence and strong contractual safeguards.
FAQ
Is neurodata considered sensitive personal data under the LGPD?
Yes—ANPD treats neurodata as highly sensitive because it reveals cognitive, emotional, and health patterns.
Does GDPR apply to Brazilian companies with no EU presence?
Yes, under Article 3(2), when the company offers goods or services to, or monitors the behaviour of, individuals in the EU.
Are SCCs still required for Brazil–EU transfers?
Yes, until Brazil receives an EU adequacy decision.
What are the top investor red flags?
Missing DPIAs, unclear legal bases, opaque algorithms, and irregular transfers.
Since the General Data Protection Regulation (GDPR) took effect in 2018, the European Union (EU) has granted adequacy status to only a limited number of jurisdictions — those whose data protection regimes are deemed to provide an «essentially equivalent» level of protection to that of the EU. The current list includes Andorra, Argentina, Canada (under PIPEDA), Faroe Islands, Guernsey, Isle of Man, Israel, Japan, Jersey, New Zealand, South Korea, Switzerland, Uruguay, the United Kingdom, and the United States (limited to companies certified under the Data Privacy Framework).
As of 5 September 2025, Brazil is on the verge of joining this exclusive group. The European Commission has issued a draft adequacy decision concluding that the Brazilian General Data Protection Law (Lei Geral de Proteção de Dados Pessoais – LGPD), in conjunction with Brazil’s broader legal and constitutional framework, offers protections that are essentially equivalent to those found in the GDPR. While Brazil’s rules offer somewhat more flexibility in specific areas of data processing, the foundational principles and safeguards are well-aligned with EU standards.
Once finalized, the adequacy decision will authorize the free flow of personal data from the EU to Brazil without the need for additional contractual clauses or technical safeguards. Such a development is not just regulatory — it also answers a core political argument made by LGPD advocates since its inception: that the absence of a comprehensive data protection framework was undermining Brazil’s international competitiveness by limiting data flows and discouraging investment. For businesses, the EU decision may finally mean the removal of a significant layer of compliance complexity — a development especially welcome by small and medium-sized enterprises engaged in cross-border trade or service provision. The draft is currently under review by the European Data Protection Board (EDPB) and the Member States of the EU.
The Commission’s assessment highlights several key aspects of Brazil’s data protection landscape. It begins by noting that the Brazilian Constitution expressly guarantees the right to privacy and the protection of personal data — a notable distinction among non-EU jurisdictions. These protections are further supported by Brazil’s ratification of the American Convention on Human Rights and its recognition of the jurisdiction of the Inter-American Court of Human Rights, reinforcing a commitment to fundamental rights and democratic oversight.
The LGPD mirrors the GDPR in many critical respects and defines its territorial scope clearly. It applies to: (i) data processing carried out within Brazilian territory, (ii) the offering of goods or services to individuals in Brazil, and (iii) data collected in Brazil, even if subsequently processed abroad. This aligns well with the extraterritorial provisions of the GDPR. The definitions of personal data, sensitive data, controller, and processor are materially similar, as are the key principles governing processing — including lawfulness, purpose limitation, data minimization, accuracy, transparency, and security. The law expressly excludes anonymized data from its scope and establishes specific exemptions for journalistic activities, public security, and scientific research.
Another strength is Brazil’s institutional framework. The National Data Protection Authority (ANPD) was recently transformed into an autonomous regulatory agency, enhancing its independence and technical capacity. The ANPD holds both regulatory and enforcement powers: it can issue binding regulations, impose administrative sanctions, and publish authoritative guidance. To date, it has issued key guidelines on topics such as consent, legitimate interest, the role of the Data Protection Officer (DPO), and security incident reporting. Internationally, the ANPD is an active participant in global data protection dialogue — it is a member of the Global Privacy Assembly and an official observer to the Council of Europe’s Convention 108.
The LGPD’s approach to international data transfers is also structurally aligned with the GDPR. It requires appropriate safeguards such as standard contractual clauses, allows for future adequacy decisions under a regime comparable to Article 45 of the GDPR, and includes detailed provisions for onward transfers and transit data — that is, data merely passing through Brazil without further processing. The rights of data subjects are robust and familiar to European practitioners: access, rectification, erasure, portability, and withdrawal of consent are guaranteed. Lawful bases for processing are also aligned — including consent, legal obligations, contract execution, and legitimate interest. Notably, the LGPD requires a documented balancing test when relying on legitimate interest, bringing additional accountability to this flexible legal basis.
Security incidents involving personal data must be notified to both the ANPD and affected data subjects when there is a significant risk of harm. The notification deadline is three business days from the controller’s awareness, comparable to the GDPR’s 72-hour rule, and the required content aligns closely with Articles 33 and 34 of the GDPR. The ANPD may also order public disclosure of incidents or require remedial measures, depending on the nature and scope of the breach.
Importantly, this process is not one-sided. In parallel to the European Commission’s adequacy decision, the ANPD is conducting its own adequacy assessment of the EU and EEA data protection frameworks. This process is regulated by the Brazilian Resolution CD/ANPD No. 19/2024, which governs international data transfers. Once the technical and legal evaluation is complete, the ANPD’s Board of Directors will issue a formal decision. This reciprocal move reflects Brazil’s commitment to mutual recognition and regulatory symmetry — a positive signal for companies on both sides of the Atlantic.
In conclusion: If confirmed, Brazil’s adequacy status will simplify international operations, reduce compliance costs, and expand opportunities for data-driven business and legal cooperation. For European lawyers advising SMEs with interests in Latin America, this development is a strategic signal: Brazil is emerging not just as a growing market, but as a legally compatible and data-safe jurisdiction for international partnerships.
On 23 August 2024, Brazil’s National Data Protection Authority (ANPD) issued Resolution No. 19, a landmark regulation governing the international transfer of personal data under the Brazilian General Data Protection Law (LGPD). Companies now have until 23 August 2025 to fully comply.
This deadline is especially relevant for European multinationals operating in Brazil, or Brazilian subsidiaries sharing data with foreign HQs or vendors. The new rules align Brazil more closely with global privacy frameworks like the GDPR—but with local twists that demand attention.
Why It Matters
Unlike previous guidance, Resolution No. 19 creates binding legal obligations and explicit deadlines. It introduces mechanisms such as Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), and public transparency requirements—all within a strict 12-month timeframe.
For many international companies, this will require significant updates to internal governance, contract management, and cloud data strategies. Below are the key takeaways for foreign counsel.
Standard Contractual Clauses (SCCs): Now Mandatory
The ANPD has released its own set of Standard Contractual Clauses, which must be used for data transfers to jurisdictions not recognized as offering “adequate protection.”
Companies must adopt these clauses by 23 August 2025. This will likely require revisiting existing data processing agreements involving Brazilian parties and ensuring alignment with the ANPD template.
Important: The SCCs cannot be modified beyond inserting details in the annexes. Any deviations require prior approval from the ANPD and are limited to exceptional cases.
Broad Transparency Requirements
Data controllers are now required to publish, on their website, a plain-language document explaining:
- the purpose of the international data transfer,
- the categories of data involved,
- the countries of destination,
- and the legal mechanism used to legitimize the transfer.
Upon request, data subjects must also receive a copy of the full SCCs within 15 days. Multinationals will need protocols and document templates to respond efficiently—especially when dealing with requests in Portuguese.
Expanded Definition of “International Transfer”
The Resolution clarifies that a transfer occurs whenever:
- data is accessed or stored by an entity located abroad, or
- processing is outsourced to a cloud provider with servers or technical teams outside Brazil.
This has important implications for global companies that centralize services such as payroll, CRM, or cybersecurity outside Brazil—even if hosted on multinational platforms.
Binding Corporate Rules (BCRs): Now Recognized
Multinationals with mature privacy programs may apply to the ANPD for approval of their own Binding Corporate Rules, offering an alternative to SCCs.
This is a welcome development for companies seeking harmonized compliance across jurisdictions, but approval is expected to involve a complex and time-consuming process. Early preparation is essential.
Custom Clauses in Exceptional Circumstances
Companies unable to adopt the standard clauses—due to specific factual or legal constraints—may submit alternative clauses for ANPD approval. However, such flexibility is limited and subject to strict justification.
In practice, the official SCCs will be the default path for most international data transfers involving Brazil.
What Foreign Companies Should Do Now
The 12-month window is already ticking. International groups operating in Brazil or processing Brazilian data should urgently:
- Map all international data transfers involving Brazil;
- Identify contracts and vendors requiring updates;
- Insert ANPD’s SCCs where applicable;
- Publish the required transparency notice online in Portuguese;
- Monitor for further ANPD guidance or enforcement trends.
Strategic Compliance: Beyond Legal Risk
Resolution No. 19 is part of a global trend toward standardized but locally enforced privacy frameworks. For GDPR-compliant companies, Brazil’s new rules offer a chance to reaffirm leadership in data governance.
Those who act early can avoid last-minute fire drills, reduce regulatory exposure, and strengthen credibility with Brazilian regulators and consumers.
In today’s data economy, privacy compliance is more than a legal duty—it’s a business differentiator.
Brazil’s National Data Protection Authority (ANPD) released a long-awaited guidance document on how companies should interpret and apply the legal basis of legitimate interest under the Brazilian General Data Protection Law (LGPD).
This is not merely a local update. As Brazil continues to shape its data protection regime, foreign companies—particularly European SMEs with clients, platforms, or partners in Brazil—must adapt their compliance strategies to local expectations. This new guidance is a crucial development.
Below, I summarize what has changed, how it compares to the GDPR approach, and what steps you (or your clients) should take next.
Why Legitimate Interest Matters—But Remains Risky
Just like under the GDPR, Brazil’s LGPD allows personal data to be processed without consent when doing so is necessary for purposes aligned with the controller’s legitimate interests. However, because no regulation addressed this basis after the LGPD came into force, it has long been regarded as risky in Brazil: it was unclear how to evaluate the “legitimacy” of the interest and how to balance it against data subject rights.
The ANPD’s «Guia Orientativo sobre o Legítimo Interesse» (Guidance on Legitimate Interest) fills that gap—providing a practical framework to assess, document, and justify this legal basis.
The ANPD’s Three-Step Balancing Test
The core of the new guidance is a three-step balancing test, which mirrors the GDPR’s Legitimate Interests Assessment (LIA) but with Brazilian nuances.
- Purpose Test : The controller must define a specific, concrete, and legitimate objective behind the data processing. Open-ended or abstract justifications (“marketing purposes”, “efficiency”) will not suffice. The processing must also align with the reasonable expectations of the data subject.
- Necessity Test : The data processing must be strictly necessary to achieve the defined purpose. If the same result could be achieved through less intrusive means (e.g. anonymized data or a different legal basis), the test will likely fail.
- Balancing Test and Safeguards : This step assesses whether the controller’s interest outweighs the rights and freedoms of the data subject. Controllers must consider the nature of the data, the context of the processing, and the potential risks involved. When risks are identified, appropriate safeguards must be implemented, such as transparency, opt-outs, pseudonymization, and impact assessments.
Takeaway: The ANPD recommends documenting the entire process. While this is not mandatory by law, it will be critical in case of investigations or complaints.
How This Affects Foreign Companies doing business in Brazil
Many foreign companies process personal data of Brazilian individuals—whether by offering digital services, interacting with Brazilian suppliers, or collecting contact information via websites or CRM tools.
Although some assume that GDPR compliance is sufficient, the ANPD may evaluate legitimate interest more restrictively than some EU supervisory authorities.
Foreign companies should:
- Revisit their legal bases for processing data of Brazilian individuals.
- Conduct a proper balancing test using the ANPD’s model, even for non-sensitive data.
- Keep written records of the analysis (especially if using legitimate interest for analytics or marketing).
- Update their privacy notices to reflect the legal basis and safeguards in place.
- Be aware of the extraterritorial reach of the LGPD—yes, it applies even if you have no office in Brazil.
Strategic Guidance
If you advise SMEs that operate across jurisdictions—including Brazil—this new guidance is a practical compliance tool and a risk-mitigation opportunity.
Here’s how to act now:
- Perform a Legitimate Interests Assessment (LIA) whenever your client relies on this basis in Brazil.
- Compare it with the GDPR LIA to identify overlaps and gaps.
- Align documentation—so your clients are ready in the event of a complaint or data subject request.
- Monitor ANPD updates—the ANPD has increased its activity and enforcement posture significantly in the past year.
Final Thoughts
The ANPD’s guidance reflects a growing maturity in Brazil’s data protection landscape. Legitimate interest is no longer a vague fallback—it requires structure, analysis, and above all, transparency.
European companies with operations or digital exposure in Brazil should approach this legal basis with care and diligence. The good news? The ANPD is now offering the roadmap. It’s up to us, as legal advisors, to make sure our clients follow it.
Want to see the full guidance? The original document (in Portuguese) is available here.
Brazil is increasingly in the global spotlight when it comes to cybersecurity threats. With over 10 billion cyberattack attempts recorded in 2023 alone, the country ranks among the most targeted worldwide. These incidents are not abstract: they affect sensitive sectors such as finance and healthcare, including data leaks involving over 220 million data subjects from national institutions and critical infrastructure operators.
While Brazil may seem like a distant jurisdiction, its data protection regime, shaped by the Lei Geral de Proteção de Dados (LGPD), has growing significance for European businesses operating or partnering in the region. The LGPD, inspired by the GDPR, sets out specific obligations around data breach notification. However, the trigger is not identical to the GDPR’s 72-hour rule: under the LGPD, not every security incident must be reported to the Brazilian Data Protection Authority (ANPD), only those that meet a risk threshold.
So: when exactly should a security incident be reported in Brazil?
When Notification is Required: A Three-Step Test
Under Brazilian law, a security incident involving personal data must be reported to the ANPD only if the following three criteria are cumulatively met:
- The incident has been confirmed.
- It involves personal data subject to the LGPD.
- It poses a relevant risk or damage to data subjects.
This third threshold is critical. According to the ANPD’s Security Incident Communication Regulation (RCIS), relevant risks include incidents that may:
- Prevent the exercise of rights or access to services.
- Cause material or moral harm.
- Involve special categories of data, such as sensitive personal data, financial data, large-scale datasets, children’s or elderly persons’ data, authentication credentials, or legally protected information (e.g., medical, legal, or professional secrets).
This approach offers some flexibility — but it also requires careful legal judgment.
When You Don’t Have to Notify
There is no obligation to notify the ANPD if the incident does not result in significant risk or damage. For instance, if the breached data is non-sensitive and publicly available (e.g., general contact information), and no additional harm is expected, companies may reasonably determine that notification is unnecessary.
However, this decision should not be taken lightly. Controllers are expected to assess several contextual factors, such as:
- The volume and nature of the affected data.
- Whether the data subjects can be identified.
- The likely impact on fundamental rights.
- The technical and security measures in place.
- Any steps taken to mitigate the damage.
In practice, each case must be analyzed individually — and well documented — to ensure a defensible position.
How to Notify the ANPD (If Required)
If the thresholds for notification are met, companies must report the incident within three business days from the date they became aware that personal data was affected. The notification must include:
- A description of the breach and affected data.
- The number and profile of impacted data subjects.
- Security measures in place before and after the incident.
- Potential risks to the data subjects.
- Mitigation strategies.
- Identification of the controller and DPO (if applicable).
Notifications are submitted via the ANPD’s online platform (SUPER). Sensitive business information can be protected through a request for confidential treatment, provided it is properly justified.
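The cumulative three-step test and the three-business-day clock above are the kind of decision an incident response team has to make and document under time pressure. The following triage helper is an added example, not part of the original article or any ANPD tool: it encodes the three cumulative criteria, lists which risk indicators were triggered (so the assessment is documented either way), and computes the deadline in business days. The category labels, the `LARGE_SCALE_THRESHOLD` value and the sample incidents are this example’s own assumptions; the regulation gives no numeric threshold for “large scale”, and Brazilian public holidays are not modelled.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Set

# Data categories the article lists as "relevant risk" indicators under the
# ANPD incident regulation. The label strings are this example's own convention.
RISK_CATEGORIES = {
    "sensitive",          # health, genetic, biometric, etc.
    "financial",
    "children_elderly",
    "credentials",        # authentication credentials
    "legally_protected",  # medical, legal or professional secrets
}
# Assumption for illustration only: the rule itself gives no number.
LARGE_SCALE_THRESHOLD = 100_000


@dataclass
class Incident:
    confirmed: bool                     # step 1: incident confirmed, not merely suspected
    lgpd_personal_data: bool            # step 2: personal data subject to the LGPD
    data_categories: Set[str]
    affected_subjects: int
    may_block_rights_or_services: bool = False
    may_cause_harm: bool = False        # material or moral harm
    aware_on: date = field(default_factory=date.today)


@dataclass
class Triage:
    notify: bool
    triggers: List[str] = field(default_factory=list)
    deadline: Optional[date] = None
    rationale: str = ""


def business_days_after(start: date, days: int) -> date:
    """Advance `days` business days (Mon-Fri). Public holidays are not modelled."""
    d = start
    while days > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            days -= 1
    return d


def triage(inc: Incident) -> Triage:
    """Apply the cumulative test: confirmed AND LGPD personal data AND relevant risk."""
    if not inc.confirmed:
        return Triage(False, rationale="not confirmed: keep investigating, no notification yet")
    if not inc.lgpd_personal_data:
        return Triage(False, rationale="no personal data subject to the LGPD involved")

    triggers: List[str] = []
    if inc.may_block_rights_or_services:
        triggers.append("may prevent exercise of rights or access to services")
    if inc.may_cause_harm:
        triggers.append("may cause material or moral harm")
    triggers += sorted(f"involves {c} data" for c in inc.data_categories & RISK_CATEGORIES)
    if inc.affected_subjects >= LARGE_SCALE_THRESHOLD:
        triggers.append(f"large-scale dataset ({inc.affected_subjects} subjects)")

    if not triggers:
        # Step 3 fails: record the reasoning so the no-notify decision is defensible.
        return Triage(False, rationale="no relevant risk indicator; document assessment, do not notify")
    return Triage(True, triggers, business_days_after(inc.aware_on, 3),
                  "notify ANPD and affected data subjects within three business days")


if __name__ == "__main__":
    # Constructed sample: leaked credential store, awareness on a Wednesday.
    sample = Incident(True, True, {"credentials", "contact"}, 1_200, aware_on=date(2025, 5, 14))
    result = triage(sample)
    print(result.notify, result.deadline, result.triggers, result.rationale)
```

The deadline arithmetic is the part teams most often get wrong when the GDPR’s 72 calendar hours and the ANPD’s three business days are handled by the same playbook; in the sample, awareness on a Wednesday yields a Monday deadline rather than a Saturday one.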
Strategic Takeaways for European Stakeholders
For European companies and compliance officers, understanding the nuances of Brazilian data breach notification rules is essential for several reasons:
- Cross-border compliance: Companies transferring personal data to Brazil must ensure regulatory alignment under the GDPR’s international transfer rules.
- Due diligence: M&A or vendor screening in Brazil should include assessments of LGPD readiness and breach history.
- Incident response protocols: Global organizations must harmonize breach notification timelines and thresholds across jurisdictions, adapting to Brazil’s risk-based approach.
In a landscape of increasing cyber threats, aligning with the LGPD is not just a regulatory obligation — it’s a strategic necessity.
Final Thoughts
Brazil’s data protection authority does not adopt a «one size fits all» model for breach notification. The LGPD introduces a risk-based, case-by-case approach, which may offer more flexibility than the GDPR — but also places a greater burden on organizations to justify their decisions.
European companies doing business in Brazil must be prepared to evaluate security incidents in light of both local obligations and international expectations. Failing to notify a breach — or notifying too hastily — can have serious reputational, legal, and operational consequences.
Understanding when (and how) to notify the ANPD is a key part of navigating Brazil’s complex but maturing data protection landscape.
Security Incidents in Brazil: When and How to Notify the Data Protection Authority
13.05.2025
In practice, this means adopting the concepts of safety-by-design and privacy-by-default from the outset. It is no longer enough to fix problems after they arise. Companies must anticipate risks to the physical, mental, and moral integrity of younger users and build preventive safeguards.
Mandatory Impact Assessments and Platform Risk Analysis
One of the pillars of the new legislation is the requirement for impact assessments. Platforms must conduct periodic detailed analyses of the potential effects of their functionalities (recommendation algorithms, engagement mechanisms, advertising systems, and even augmented reality features) on children and adolescents. These reports need to be properly documented internally and, in many cases, generate transparent information that can be shared with authorities or made available to the public in a summarized version.
New Age Verification and Parental Control Obligations
Age verification has become significantly more rigorous. A simple self-declaration (“click here if you are over 18”) is no longer considered sufficient. The law requires effective and proportionate mechanisms that respect privacy but genuinely manage to distinguish adults from minors. For users up to 16 years old, accounts on social networks and similar platforms must, as a rule, be linked to a legal guardian.
Furthermore, companies are required to provide robust parental control tools. Guardians must have access to dashboards that allow them to set screen time limits, restrict contacts, approve or block in-app purchases, and disable personalized algorithmic recommendation systems. Many foreign clients I have spoken with still underestimate the weight of this requirement.
Restrictions on Advertising, Profiling, and Gaming Monetization
In the commercial sphere, the law is particularly restrictive. The use of advanced behavioral profiling, emotional analysis, or immersive technologies to target advertising at children and adolescents is prohibited. Monetization of content that inappropriately exploits the image of minors is also subject to severe limitations. In the gaming sector, there are express bans on “loot boxes” and randomized reward systems when the game is accessible to minors, precisely because of their addictive potential and the risk of uncontrolled spending.
Harmful Content Removal and Reporting Requirements
Another aspect that deserves attention is the swift removal of harmful content. The law establishes short deadlines — in some cases as little as 24 hours — for the removal of material related to sexual exploitation, violence, bullying, cyberbullying, incitement to suicide, self-harm, or drug use. In addition to removal, in serious situations platforms must notify the competent authorities, including through international cooperation when necessary.
Legal Representation and Enforcement Risks for Foreign Companies
For foreign companies without a physical presence in Brazil, the law strengthens enforcement mechanisms. It is mandatory to appoint a legal representative established in the country, with powers to receive judicial and administrative citations, respond to requests from the Public Prosecutor’s Office and the National Data Protection Authority (ANPD), and serve as the local point of contact.
In fact, the ANPD assumes a central role in supervising and regulating the law, acting in coordination with the Public Prosecutor’s Office. This creates a more robust enforcement scenario than many international players initially anticipated. Moreover, the law provides for joint and several liability: subsidiaries, branches, or companies within the same economic group in Brazil may be held accountable for violations committed by the foreign parent company.
Financial Penalties and Operational Sanctions
The sanctions are dissuasive. Fines can reach up to 10% of the economic group’s revenue in Brazil in the previous year, or up to R$ 50 million per individual violation, depending on the severity. In extreme cases or in the event of recurrence, authorities may order the temporary suspension or even the complete blocking of the service within Brazilian territory. For companies that depend on the Brazilian market, especially consumer technology firms, this operational risk is very real.
Relationship Between the ECA Digital and Brazil’s LGPD
It is worth noting that the ECA Digital interacts closely with the General Data Protection Law (LGPD). Many of the principles of privacy-by-default, data minimization, and impact assessments already existed under the LGPD, but they now take on more specific contours when the data subject is a child or adolescent. The processing of minors’ data requires even greater care, with more restrictive legal bases and heightened attention to consent and the rights of legal guardians.
Global Regulatory Trends and Brazilian Specificities
From a comparative perspective, the Brazilian law aligns with global trends. It bears clear similarities to the UK’s Age Appropriate Design Code, certain aspects of the European DSA, and ongoing discussions in other Latin American countries. However, it presents distinctly Brazilian nuances: strong influence from the Public Prosecutor’s Office, the tradition of integral protection of children established in the 1990 Child and Adolescent Statute (ECA), and an approach that combines state regulation with the shared responsibility of families, schools, and platforms.
Practical Compliance Steps for Foreign Technology Companies
Foreign legal advisors must act with urgency. A good starting point is to conduct a comprehensive gap analysis: mapping user onboarding flows, reviewing advertising and algorithmic recommendation policies, assessing the adequacy of age verification mechanisms, and verifying whether the legal representation structure in Brazil meets the new requirements.
In addition, it is important to prepare local teams or partners to handle administrative requests and potential audits. Investing in privacy-preserving age verification technologies, such as age estimation or document-based verification without excessive data storage, can make a difference both in compliance and in the user experience.
Conclusion
In summary, the ECA Digital is not merely a symbolic law. It imposes concrete obligations, with adaptation deadlines that have already expired for many companies, and carries real risks of financial and operational sanctions. For law firms advising international clients, especially small and medium-sized practices in Europe and Asia, the moment has come to help these players turn compliance into a competitive advantage.
Those who manage to implement robust protection measures from the design stage of their products will not only avoid heavy fines but may also build greater trust with the Brazilian public and authorities.
Summary: On January 25, 2026, Brazil and the EU mutually recognized each other as providing adequate personal data protection—removing, in many cases, the need for Standard Contractual Clauses (SCCs) or other transfer tools. This shifts the conversation from “copy-paste compliance” to strategy: deciding when to retire SCCs, updating cross-border transfer policies, and modernizing contractual models for future deals.
Why this matters in real transactions
Imagine you’re about to close a deal with a German business partner and your Brazilian client urgently asks for a data transfer clause. It’s always the same copy-paste: Standard Contractual Clauses (SCCs), Annex I and II in both languages, signatures on the dotted line. Now imagine this scene is finally unnecessary.
The mutual adequacy milestone (January 25, 2026)
On January 25, 2026, Brazil and the European Union mutually recognized each other as countries with adequate levels of personal data protection. It’s the first adequacy agreement signed between the EU and a Latin American country. In practical terms, it means that companies can transfer personal data between Brazil and the EU without the need for additional mechanisms, like SCCs or Binding Corporate Rules (BCRs). In strategic terms, it opens a new front of opportunities for Brazilian lawyers, especially those advising clients who export, import, invest, or operate in the EU.
A starting point, not a “compliance break”
This is a milestone and also a starting point. Mutual adequacy does not mean “relax your compliance programs”; on the contrary, it demands governance maturity and careful review.
Three concrete fronts for legal work
1. Retiring SCCs: Not Always Automatic
The adequacy decision makes SCCs optional in many cases, but that doesn’t mean you can simply tear them up. For existing contracts that already use SCCs, lawyers will need to assess whether they should keep, revise, or remove those clauses. The answer will depend on the risks, data flows, and reliance on third countries in the processing chain. There may also be internal policies, negotiated warranties, or obligations to supervisory authorities that require formal justifications.
In practice, companies with complex processing chains (e.g., European headquarters, shared Brazilian HR services, cloud servers in the U.S.) may continue using SCCs in certain flows even after the adequacy recognition. Lawyers will need to carefully document and track this hybrid model.
2. Reviewing Cross-Border Data Transfer Policies
Many companies, especially multinationals or those with multiple data protection obligations, have established cross-border data transfer policies (“CBTPs”) that classify countries into categories and associate specific safeguards for each. Brazil’s new status as an “adequate country” must now be reflected in those documents.
For instance, a Brazilian company that receives data from France and sends it to Argentina and India may now adjust internal protocols to reduce documentation and controls on the EU → Brazil leg, while reinforcing controls in the Brazil → Argentina or Brazil → India legs. These changes must be aligned with the company’s policies, contracts, and internal training materials.
3. Adapting Contractual Models for Future Deals
The mutual adequacy decision creates a new contractual scenario. Brazilian lawyers advising international clients can now use data transfer models aligned with GDPR—without needing SCCs or complex annexes—provided both parties are located in Brazil and the EU.
This reduces transaction costs, improves legal certainty, and increases speed in negotiations involving technology services, cross-border M&A, or shared service centers. A good contractual model should still include data protection clauses—but now focused on risk allocation, DPO cooperation, and incident response coordination, rather than formal compliance with Art. 46 GDPR or Arts. 33–36 LGPD.
Summary: Brazil’s data protection authority (ANPD) is signaling a clear move toward stronger, more GDPR-aligned enforcement and rulemaking through its 2026–2027 Priority Topics Map and updated Regulatory Agenda. The selected priorities mirror familiar EU themes—data subject rights, children’s data, public-sector processing, and AI—while adding practical predictability for organizations planning compliance. For European businesses operating in Brazil, the direction of travel suggests increasing convergence in governance, risk assessment, and transparency expectations. This trajectory may also strengthen the long-term case for Brazil to pursue an EU adequacy decision.
A maturing authority with a strategic alignment to GDPR
While European regulators refine enforcement mechanisms for mature frameworks, Brazil is quietly building one of the world’s most GDPR-aligned data protection systems outside the EU. The release of the Priority Topics Map for 2026–2027 and the updated Regulatory Agenda by the National Data Protection Authority (ANPD) reveals an authority no longer in its infancy, but one strategically positioning itself as a credible counterpart to European supervisory bodies.
ANPD’s priority topics for 2026–2027
The four priority topics chosen by Brazil’s National Data Protection Authority (“ANPD”) tell a familiar tale to anyone working with GDPR compliance: data subject rights, protection of children and adolescents in digital environments, processing by public authorities, and artificial intelligence with emerging technologies.
Why these priorities feel familiar to GDPR practitioners
These are not arbitrary choices but deliberate alignments with the core concerns that have shaped European enforcement over the past seven years, from the fundamental rights guarantees in Articles 12 through 22, to the heightened scrutiny of processing involving minors, to the evolving regulatory treatment of algorithmic systems that now spans both GDPR recitals and the EU AI Act itself.
Children and adolescents: new authority and converging expectations
Brazil’s recent Digital Statute for Children and Adolescents hands ANPD substantial new authority over age verification and parental consent mechanisms, creating a regulatory bridge that should look strikingly familiar to companies navigating the UK’s Age Appropriate Design Code or implementing EDPB guidance on child data. European digital services operating in Brazil, particularly in social media, gaming, education, or wellness sectors, now face converging compliance expectations on both sides of the Atlantic. The technical architectures and consent flows designed for GDPR are increasingly fit for purpose in the Brazilian context as well.
Artificial intelligence and emerging technologies
The elevation of artificial intelligence to priority status is ANPD’s clearest statement yet about where Brazilian regulation is headed – hardly a surprise, since AI is preoccupying every regulator in every industry. While the LGPD lacks specific AI provisions, the authority has been methodically laying groundwork through public consultations on automated decision-making and studies on algorithmic profiling. For companies already deep in EU AI Act preparation, such a convergence offers something rare in global privacy compliance: the potential for genuine efficiency gains through shared governance frameworks, unified risk assessment methodologies, and harmonized transparency protocols rather than duplicative regional adaptations.
Data subject rights and DPIAs: reinforcing accountability
ANPD’s continued emphasis on data subject rights and Data Protection Impact Assessments reinforces the structural similarities with GDPR’s accountability model. The Brazilian approach increasingly mirrors European expectations around documented risk assessment, standardized response protocols for individual rights requests, and transparency obligations for profiling activities. Multinational organizations can now reasonably contemplate unified DPIA templates and centralized rights management systems that serve both jurisdictions without fundamental architectural splits.
The updated Regulatory Agenda for 2025–2026: predictability as a compliance asset
The updated Regulatory Agenda for 2025–2026 provides something perhaps more valuable than new rules: predictability. One should not underestimate the importance of predictability in Brazil, where it is a rare asset, even before the courts – former Treasury Minister Pedro Malan once ironically remarked that “in Brazil, even the past is uncertain”.
What ANPD is telegraphing next
By telegraphing upcoming initiatives on biometric data processing, inspection methodologies, sanctioning procedures, cybersecurity standards, and privacy program governance, ANPD offers companies the planning visibility that makes cross-border compliance feasible rather than reactive. These topics map directly onto GDPR’s controller obligations, security requirements, and Data Protection Officer independence provisions in Articles 24 through 39.
Beyond compliance: what convergence could mean for data flows
The regulatory convergence carries implications beyond operational compliance. The structural alignment between LGPD and GDPR, reinforced by ANPD’s strategic choices, strengthens the case for an eventual EU adequacy decision recognizing Brazil under Article 45.
For European businesses and their counsel, the trajectory suggests not just reduced friction in managing trans-Atlantic data flows, but the emergence of genuinely compatible regulatory ecosystems. The challenge will be maintaining attention to Brazilian developments with the same intensity devoted to EDPB guidelines and Commission decisions, recognizing that convergence is a continuous process rather than a static achievement.
Conclusion
Brazil’s ANPD is increasingly setting priorities that mirror the main pressure points of GDPR compliance, while using its Regulatory Agenda to add clarity and sequencing to what comes next. For organizations operating across the EU and Brazil, the message is practical: governance structures, rights-handling processes, and risk assessment tooling built for GDPR are becoming progressively reusable in the Brazilian context. At the same time, staying alert to ANPD’s evolving guidance—especially around children’s data, AI, biometrics, cybersecurity, and enforcement methodology—will be key to turning regulatory convergence into real operational efficiency and reduced cross-border friction.
Summary
This article explores the ANPD’s 2025 Tech Radar on neurotechnologies and how it reshapes compliance risks for Brazilian healthtechs—especially in M&A contexts involving GDPR exposure. It outlines key regulatory concerns, the GDPR’s extraterritorial impact, major due-diligence red flags, and the essential deliverables investors should require.
Introduction
Brazil’s latest ANPD Tech Radar brings neurotechnologies to the forefront of data-protection compliance, exposing significant risks for healthtech companies and investors. With GDPR’s extraterritorial reach, sensitive data processing, opaque AI, and cross-border transfers, data governance has become a critical M&A due-diligence factor requiring structured reviews and robust contractual safeguards.
Key Compliance Risks Shaping Brazilian Healthtech M&A
Brazil’s Data Protection Authority (ANPD) released its 4th Tech Radar in June 2025, focusing entirely on neurotechnologies—marking the first time the regulator targeted this field so directly. The report explores brain-computer interfaces, advanced wearables, AI-driven cognitive therapies, and predictive diagnostics, highlighting risks far beyond traditional health data processing.
For investors and lawyers working M&A deals in Brazil’s healthtech sector, this Radar signals that data protection is no longer a secondary compliance issue—it is now a major source of legal, reputational, and operational risk.
GDPR’s Extraterritorial Relevance
Many Brazilian healthtechs handle personal data from foreign individuals, particularly Europeans—through expats, medical tourists, cross-border clinical trials, or partnerships with EU-based vendors. When this occurs, GDPR Article 3(2) extends jurisdiction to the Brazilian company, even without any EU establishment.
Main Risks Identified by ANPD (Tech Radar #4)
- Inferring health data without explicit consent
  Example: wearables identifying depression through sleep or stress patterns without informing users.
- Lack of transparency in predictive algorithms
  Black-box AI models making clinical decisions without accessible documentation.
- Cybersecurity vulnerabilities in connected devices
  Neural implants or neurostimulators vulnerable to hacking, with potentially physical consequences.
- Automated processing that impacts human dignity
  Behavioral profiling influencing insurance eligibility, discrimination, or patient autonomy in therapy environments.
GDPR Article 22 prohibits automated decision-making with significant effects unless strict safeguards are implemented—making this a critical risk during due diligence.
Most Common Red Flags in Brazilian Healthtech Due Diligence
| Red flag | LGPD Impact (Brazil) | GDPR Parallel (Europe) | Practical Recommendation |
| --- | --- | --- | --- |
| No clear legal basis for sensitive data (health, genetic, biometric) | Breach of LGPD Art. 11 | Art. 9 (special categories) | Require full data-mapping and warranties |
| Generic or “click-to-accept” consents | Invalid consent (Art. 7 & 11) | Art. 6 + 7 | Ensure all consents are granular, specific, and revocable |
| Third-party sharing without processor agreements | Breach of LGPD Art. 28 & 33 | Art. 28 | Verify existence and adequacy of all DPAs |
| Missing or incomplete ROPA | Serious regulatory violation | Art. 30 | Make ROPA delivery a closing condition |
| Non-existent or conflicted DPO | Non-compliance with ANPD Resolution CD nº 2 | Art. 37–39 | Require interview + independence confirmation |
| No DPIA for high-risk products | Mandatory (ANPD Res. 15/2023) | Art. 35 | Include pre-closing DPIA audit clause |
| International transfers without safeguards | Arts. 33–35 | Arts. 44–50 | Verify SCCs (2021/2023) or adequacy status |
Real Cases Illustrating the Scale of Risk
- Telepsychology platforms investigated for using automated triage without informed consent or AI transparency.
- ANPD actions against genomics startups due to cross-border transfers without SCCs or DPIAs.
- Outsourced cloud hosting increasing irregular data transfer risks.
Until Brazil receives an EU adequacy decision, SCCs and BCRs remain mandatory for compliant transfers.
Essential Due Diligence Deliverables
A robust data-protection review is now essential in healthtech M&A. Key deliverables include:
- LGPD ↔ GDPR gap analysis
- ROPA and DPIA review
- Sub-processor contract verification
- Mapping of all international transfers
- Privacy-specific warranties and indemnities
- Escrow or holdback for regulatory risk exposure
Conclusion
Data protection is no longer secondary in healthtech M&A—especially when neurodata is involved. With ANPD scrutinizing neurotechnologies and GDPR obligations extending across borders, investors must prioritize structured due diligence and strong contractual safeguards.
FAQ
Is neurodata considered sensitive personal data under the LGPD?
Yes—ANPD treats neurodata as highly sensitive because it reveals cognitive, emotional, and health patterns.
Does GDPR apply to Brazilian companies with no EU presence?
Yes, via Article 3(2), whenever EU data subjects’ information is processed.
Are SCCs still required for Brazil–EU transfers?
Yes, until Brazil receives an EU adequacy decision.
What are the top investor red flags?
Missing DPIAs, unclear legal bases, opaque algorithms, and irregular transfers.
Since the General Data Protection Regulation (GDPR) took effect in 2018, the European Union (EU) has granted adequacy status to only a limited number of jurisdictions — those whose data protection regimes are deemed to provide an “essentially equivalent” level of protection to that of the EU. The current list includes Andorra, Argentina, Canada (under PIPEDA), Faroe Islands, Guernsey, Isle of Man, Israel, Japan, Jersey, New Zealand, South Korea, Switzerland, Uruguay, the United Kingdom, and the United States (limited to companies certified under the Data Privacy Framework).
As of 5 September 2025, Brazil is on the verge of joining this exclusive group. The European Commission has issued a draft adequacy decision concluding that the Brazilian General Data Protection Law (Lei Geral de Proteção de Dados Pessoais – LGPD), in conjunction with Brazil’s broader legal and constitutional framework, offers protections that are essentially equivalent to those found in the GDPR. While Brazil’s rules offer somewhat more flexibility in specific areas of data processing, the foundational principles and safeguards are well-aligned with EU standards.
Once finalized, the adequacy decision will authorize the free flow of personal data from the EU to Brazil without the need for additional contractual clauses or technical safeguards. Such a development is not just regulatory — it also answers a core political argument made by LGPD advocates since its inception: that the absence of a comprehensive data protection framework was undermining Brazil’s international competitiveness by limiting data flows and discouraging investment. For businesses, the EU decision may finally mean the removal of a significant layer of compliance complexity — a development especially welcome by small and medium-sized enterprises engaged in cross-border trade or service provision. The draft is currently under review by the European Data Protection Board (EDPB) and the Member States of the EU.
The Commission’s assessment highlights several key aspects of Brazil’s data protection landscape. It begins by noting that the Brazilian Constitution expressly guarantees the right to privacy and the protection of personal data — a notable distinction among non-EU jurisdictions. These protections are further supported by Brazil’s ratification of the American Convention on Human Rights and its recognition of the jurisdiction of the Inter-American Court of Human Rights, reinforcing a commitment to fundamental rights and democratic oversight.
The LGPD mirrors the GDPR in many critical respects and defines its territorial scope clearly. It applies to: (i) data processing carried out within Brazilian territory, (ii) the offering of goods or services to individuals in Brazil, and (iii) data collected in Brazil, even if subsequently processed abroad. This aligns well with the extraterritorial provisions of the GDPR. The definitions of personal data, sensitive data, controller, and processor are materially similar, as are the key principles governing processing — including lawfulness, purpose limitation, data minimization, accuracy, transparency, and security. The law expressly excludes anonymized data from its scope and establishes specific exemptions for journalistic activities, public security, and scientific research.
Another strength is Brazil’s institutional framework. The National Data Protection Authority (ANPD) was recently transformed into an autonomous regulatory agency, enhancing its independence and technical capacity. The ANPD holds both regulatory and enforcement powers: it can issue binding regulations, impose administrative sanctions, and publish authoritative guidance. To date, it has issued key guidelines on topics such as consent, legitimate interest, the role of the Data Protection Officer (DPO), and security incident reporting. Internationally, the ANPD is an active participant in global data protection dialogue — it is a member of the Global Privacy Assembly and an official observer to the Council of Europe’s Convention 108.
The LGPD’s approach to international data transfers is also structurally aligned with the GDPR. It requires appropriate safeguards such as standard contractual clauses, allows for future adequacy decisions under a regime comparable to Article 45 of the GDPR, and includes detailed provisions for onward transfers and transit data — that is, data merely passing through Brazil without further processing. The rights of data subjects are robust and familiar to European practitioners: access, rectification, erasure, portability, and withdrawal of consent are guaranteed. Lawful bases for processing are also aligned — including consent, legal obligations, contract execution, and legitimate interest. Notably, the LGPD requires a documented balancing test when relying on legitimate interest, bringing additional accountability to this flexible legal basis.
Security incidents involving personal data must be notified to both the ANPD and affected data subjects when there is a significant risk of harm. The standard notification deadline is 72 hours, and the required content aligns closely with Articles 33 and 34 of the GDPR. The ANPD may also order public disclosure of incidents or require remedial measures, depending on the nature and scope of the breach.
Importantly, this process is not one-sided. In parallel to the European Commission’s adequacy decision, the ANPD is conducting its own adequacy assessment of the EU and EEA data protection frameworks. This process is regulated by the Brazilian Resolution CD/ANPD No. 19/2024, which governs international data transfers. Once the technical and legal evaluation is complete, the ANPD’s Board of Directors will issue a formal decision. This reciprocal move reflects Brazil’s commitment to mutual recognition and regulatory symmetry — a positive signal for companies on both sides of the Atlantic.
In conclusion: If confirmed, Brazil’s adequacy status will simplify international operations, reduce compliance costs, and expand opportunities for data-driven business and legal cooperation. For European lawyers advising SMEs with interests in Latin America, this development is a strategic signal: Brazil is emerging not just as a growing market, but as a legally compatible and data-safe jurisdiction for international partnerships.
On 23 August 2024, Brazil’s National Data Protection Authority (ANPD) issued Resolution No. 19, a landmark regulation governing the international transfer of personal data under the Brazilian General Data Protection Law (LGPD). Companies now have until 23 August 2025 to fully comply.
This deadline is especially relevant for European multinationals operating in Brazil, or Brazilian subsidiaries sharing data with foreign HQs or vendors. The new rules align Brazil more closely with global privacy frameworks like the GDPR—but with local twists that demand attention.
Why It Matters
Unlike previous guidance, Resolution No. 19 creates binding legal obligations and explicit deadlines. It introduces mechanisms such as Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), and public transparency requirements—all within a strict 12-month timeframe.
For many international companies, this will require significant updates to internal governance, contract management, and cloud data strategies. Below are the key takeaways for foreign counsel.
Standard Contractual Clauses (SCCs): Now Mandatory
The ANPD has released its own set of Standard Contractual Clauses, which must be used for data transfers to jurisdictions not recognized as offering “adequate protection.”
Companies must adopt these clauses by 23 August 2025. This will likely require revisiting existing data processing agreements involving Brazilian parties and ensuring alignment with the ANPD template.
Important: The SCCs cannot be modified beyond inserting details in the annexes. Any deviations require prior approval from the ANPD and are limited to exceptional cases.
Broad Transparency Requirements
Data controllers are now required to publish, on their website, a plain-language document explaining:
- the purpose of the international data transfer,
- the categories of data involved,
- the countries of destination,
- and the legal mechanism used to legitimize the transfer.
Upon request, data subjects must also receive a copy of the full SCCs within 15 days. Multinationals will need protocols and document templates to respond efficiently—especially when dealing with requests in Portuguese.
Expanded Definition of “International Transfer”
The Resolution clarifies that a transfer occurs whenever:
- data is accessed or stored by an entity located abroad, or
- processing is outsourced to a cloud provider with servers or technical teams outside Brazil.
This has important implications for global companies that centralize services such as payroll, CRM, or cybersecurity outside Brazil—even if hosted on multinational platforms.
Binding Corporate Rules (BCRs): Now Recognized
Multinationals with mature privacy programs may apply to the ANPD for approval of their own Binding Corporate Rules, offering an alternative to SCCs.
This is a welcome development for companies seeking harmonized compliance across jurisdictions, but approval is expected to involve a complex and time-consuming process. Early preparation is essential.
Custom Clauses in Exceptional Circumstances
Companies unable to adopt the standard clauses—due to specific factual or legal constraints—may submit alternative clauses for ANPD approval. However, such flexibility is limited and subject to strict justification.
In practice, the official SCCs will be the default path for most international data transfers involving Brazil.
What Foreign Companies Should Do Now
The 12-month window is already ticking. International groups operating in Brazil or processing Brazilian data should urgently:
- Map all international data transfers involving Brazil;
- Identify contracts and vendors requiring updates;
- Insert ANPD’s SCCs where applicable;
- Publish the required transparency notice online in Portuguese;
- Monitor for further ANPD guidance or enforcement trends.
Strategic Compliance: Beyond Legal Risk
Resolution No. 19 is part of a global trend toward standardized but locally enforced privacy frameworks. For GDPR-compliant companies, Brazil’s new rules offer a chance to reaffirm leadership in data governance.
Those who act early can avoid last-minute fire drills, reduce regulatory exposure, and strengthen credibility with Brazilian regulators and consumers.
In today’s data economy, privacy compliance is more than a legal duty—it’s a business differentiator.
Brazil’s National Data Protection Authority (ANPD) released a long-awaited guidance document on how companies should interpret and apply the legal basis of legitimate interest under the Brazilian General Data Protection Law (LGPD).
This is not merely a local update. As Brazil continues to shape its data protection regime, foreign companies—particularly European SMEs with clients, platforms, or partners in Brazil—must adapt their compliance strategies to local expectations. This new guidance is a crucial development.
Below, I summarize what has changed, how it compares to the GDPR approach, and what steps you (or your clients) should take next.
Why Legitimate Interest Matters—But Remains Risky
Just like under the GDPR, Brazil’s LGPD allows personal data to be processed without consent when doing so is necessary for purposes aligned with the controller’s legitimate interests. However, because the ANPD had not regulated this basis since the LGPD came into force, it has long been regarded as risky in Brazil: it was unclear how to evaluate the «legitimacy» of the interest and how to balance it against data subject rights.
The ANPD’s «Guia Orientativo sobre o Legítimo Interesse» (Guidance on Legitimate Interest) fills that gap—providing a practical framework to assess, document, and justify this legal basis.
The ANPD’s Three-Step Balancing Test
The core of the new guidance is a three-step balancing test, which mirrors the GDPR’s Legitimate Interests Assessment (LIA) but with Brazilian nuances.
- Purpose Test : The controller must define a specific, concrete, and legitimate objective behind the data processing. Open-ended or abstract justifications (“marketing purposes”, “efficiency”) will not suffice. The processing must also align with the reasonable expectations of the data subject.
- Necessity Test : The data processing must be strictly necessary to achieve the defined purpose. If the same result could be achieved through less intrusive means (e.g. anonymized data or a different legal basis), the test will likely fail.
- Balancing Test and Safeguards : This step assesses whether the controller’s interest outweighs the rights and freedoms of the data subject. Controllers must consider the nature of the data, the context of the processing, and the potential risks involved. When risks are identified, appropriate safeguards must be implemented, such as transparency, opt-outs, pseudonymization, and impact assessments.
Takeaway: The ANPD recommends documenting the entire process. While this is not mandatory by law, it will be critical in case of investigations or complaints.
How This Affects Foreign Companies Doing Business in Brazil
Many foreign companies process personal data of Brazilian individuals—whether by offering digital services, interacting with Brazilian suppliers, or collecting contact information via websites or CRM tools.
Although some assume that GDPR compliance is sufficient, the ANPD may evaluate legitimate interest more restrictively than some EU supervisory authorities.
Foreign companies should:
- Revisit their legal bases for processing data of Brazilian individuals.
- Conduct a proper balancing test using the ANPD’s model, even for non-sensitive data.
- Keep written records of the analysis (especially if using legitimate interest for analytics or marketing).
- Update their privacy notices to reflect the legal basis and safeguards in place.
- Be aware of the extraterritorial reach of the LGPD—yes, it applies even if you have no office in Brazil.
Strategic Guidance
If you advise SMEs that operate across jurisdictions—including Brazil—this new guidance is a practical compliance tool and a risk-mitigation opportunity.
Here’s how to act now:
- Perform a Legitimate Interests Assessment (LIA) whenever your client relies on this basis in Brazil.
- Compare it with the GDPR LIA to identify overlaps and gaps.
- Align documentation—so your clients are ready in the event of a complaint or data subject request.
- Monitor ANPD updates—the ANPD has increased its activity and enforcement posture significantly in the past year.
Final Thoughts
The ANPD’s guidance reflects a growing maturity in Brazil’s data protection landscape. Legitimate interest is no longer a vague fallback—it requires structure, analysis, and above all, transparency.
European companies with operations or digital exposure in Brazil should approach this legal basis with care and diligence. The good news? The ANPD is now offering the roadmap. It’s up to us, as legal advisors, to make sure our clients follow it.
Brazil is increasingly in the global spotlight when it comes to cybersecurity threats. With over 10 billion cyberattack attempts recorded in 2023 alone, the country ranks among the most targeted worldwide. These incidents are not abstract: they affect sensitive sectors such as finance and healthcare, including data leaks involving over 220 million data subjects from national institutions and critical infrastructure operators.
While Brazil may seem like a distant jurisdiction, its data protection regime — shaped by the Lei Geral de Proteção de Dados (LGPD) — has growing significance for European businesses operating or partnering in the region. The LGPD, inspired by the GDPR, sets out specific obligations around data breach notification. However, the mechanics differ from the GDPR’s 72-hour clock under Article 33 (which itself only applies to breaches likely to result in a risk to individuals): Brazil uses its own risk threshold and deadline, and not every security incident must be reported to the Brazilian Data Protection Authority (ANPD).
So: when exactly should a security incident be reported in Brazil?
When Notification is Required: A Three-Step Test
Under Brazilian law, a security incident involving personal data must be reported to the ANPD only if the following three criteria are cumulatively met:
- The incident has been confirmed.
- It involves personal data subject to the LGPD.
- It poses a relevant risk or damage to data subjects.
This third threshold is critical. According to the ANPD’s Security Incident Communication Regulation (RCIS), relevant risks include incidents that may:
- Prevent the exercise of rights or access to services.
- Cause material or moral harm.
- Involve special categories of data, such as:
  - Sensitive personal data
  - Financial data
  - Large-scale datasets
  - Children’s or elderly persons’ data
  - Authentication credentials
  - Legally protected information (e.g., medical, legal, or professional secrets)
This approach offers some flexibility — but it also requires careful legal judgment.
When You Don’t Have to Notify
There is no obligation to notify the ANPD if the incident does not result in significant risk or damage. For instance, if the breached data is non-sensitive and publicly available (e.g., general contact information), and no additional harm is expected, companies may reasonably determine that notification is unnecessary.
However, this decision should not be taken lightly. Controllers are expected to assess several contextual factors, such as:
- The volume and nature of the affected data.
- Whether the data subjects can be identified.
- The likely impact on fundamental rights.
- The technical and security measures in place.
- Any steps taken to mitigate the damage.
In practice, each case must be analyzed individually — and well documented — to ensure a defensible position.
How to Notify the ANPD (If Required)
If the thresholds for notification are met, companies must report the incident within three business days from the date they became aware that personal data was affected. The notification must include:
- A description of the breach and affected data.
- The number and profile of impacted data subjects.
- Security measures in place before and after the incident.
- Potential risks to the data subjects.
- Mitigation strategies.
- Identification of the controller and DPO (if applicable).
Notifications are submitted via the ANPD’s online platform (SUPER). Sensitive business information can be protected through a request for confidential treatment, provided it is properly justified.
Strategic Takeaways for European Stakeholders
For European companies and compliance officers, understanding the nuances of Brazilian data breach notification rules is essential for several reasons:
- Cross-border compliance: Companies transferring personal data to Brazil must ensure regulatory alignment under the GDPR’s international transfer rules.
- Due diligence: M&A or vendor screening in Brazil should include assessments of LGPD readiness and breach history.
- Incident response protocols: Global organizations must harmonize breach notification timelines and thresholds across jurisdictions, adapting to Brazil’s risk-based approach.
In a landscape of increasing cyber threats, aligning with the LGPD is not just a regulatory obligation — it’s a strategic necessity.
Final Thoughts
Brazil’s data protection authority does not adopt a «one size fits all» model for breach notification. The LGPD introduces a risk-based, case-by-case approach, which may offer more flexibility than the GDPR — but also places a greater burden on organizations to justify their decisions.
European companies doing business in Brazil must be prepared to evaluate security incidents in light of both local obligations and international expectations. Failing to notify a breach — or notifying too hastily — can have serious reputational, legal, and operational consequences.
Understanding when (and how) to notify the ANPD is a key part of navigating Brazil’s complex but maturing data protection landscape.
In practice, this means adopting the concepts of safety-by-design and privacy-by-default from the outset. It is no longer enough to fix problems after they arise. Companies must anticipate risks to the physical, mental, and moral integrity of younger users and build preventive safeguards.
Mandatory Impact Assessments and Platform Risk Analysis
One of the pillars of the new legislation is the requirement for impact assessments. Platforms must conduct periodic detailed analyses of the potential effects of their functionalities (recommendation algorithms, engagement mechanisms, advertising systems, and even augmented reality features) on children and adolescents. These reports need to be properly documented internally and, in many cases, generate transparent information that can be shared with authorities or made available to the public in a summarized version.
New Age Verification and Parental Control Obligations
Age verification has become significantly more rigorous. A simple self-declaration (“click here if you are over 18”) is no longer considered sufficient. The law requires effective and proportionate mechanisms that respect privacy but genuinely manage to distinguish adults from minors. For users up to 16 years old, accounts on social networks and similar platforms must, as a rule, be linked to a legal guardian.
Furthermore, companies are required to provide robust parental control tools. Guardians must have access to dashboards that allow them to set screen time limits, restrict contacts, approve or block in-app purchases, and disable personalized algorithmic recommendation systems. Many foreign clients I have spoken with still underestimate the weight of this requirement.
Restrictions on Advertising, Profiling, and Gaming Monetization
In the commercial sphere, the law is particularly restrictive. The use of advanced behavioral profiling, emotional analysis, or immersive technologies to target advertising at children and adolescents is prohibited. Monetization of content that inappropriately exploits the image of minors is also subject to severe limitations. In the gaming sector, there are express bans on “loot boxes” and randomized reward systems when the game is accessible to minors, precisely because of their addictive potential and the risk of uncontrolled spending.
Harmful Content Removal and Reporting Requirements
Another aspect that deserves attention is the swift removal of harmful content. The law establishes short deadlines — in some cases as little as 24 hours — for the removal of material related to sexual exploitation, violence, bullying, cyberbullying, incitement to suicide, self-harm, or drug use. In addition to removal, in serious situations platforms must notify the competent authorities, including through international cooperation when necessary.
Legal Representation and Enforcement Risks for Foreign Companies
For foreign companies without a physical presence in Brazil, the law strengthens enforcement mechanisms. It is mandatory to appoint a legal representative established in the country, with powers to receive judicial and administrative citations, respond to requests from the Public Prosecutor’s Office and the National Data Protection Authority (ANPD), and serve as the local point of contact.
In fact, the ANPD assumes a central role in supervising and regulating the law, acting in coordination with the Public Prosecutor’s Office. This creates a more robust enforcement scenario than many international players initially anticipated. Moreover, the law provides for joint and several liability: subsidiaries, branches, or companies within the same economic group in Brazil may be held accountable for violations committed by the foreign parent company.
Financial Penalties and Operational Sanctions
The sanctions are dissuasive. Fines can reach up to 10% of the economic group’s revenue in Brazil in the previous year, or up to R$ 50 million per individual violation, depending on the severity. In extreme cases or in the event of recurrence, authorities may order the temporary suspension or even the complete blocking of the service within Brazilian territory. For companies that depend on the Brazilian market, especially consumer technology firms, this operational risk is very real.
Relationship Between the ECA Digital and Brazil’s LGPD
It is worth noting that the ECA Digital interacts closely with the General Data Protection Law (LGPD). Many of the principles of privacy-by-default, data minimization, and impact assessments already existed under the LGPD, but they now take on more specific contours when the data subject is a child or adolescent. The processing of minors’ data requires even greater care, with more restrictive legal bases and heightened attention to consent and the rights of legal guardians.
Global Regulatory Trends and Brazilian Specificities
From a comparative perspective, the Brazilian law aligns with global trends. It bears clear similarities to the UK’s Age Appropriate Design Code, certain aspects of the European DSA, and ongoing discussions in other Latin American countries. However, it presents distinctly Brazilian nuances: strong influence from the Public Prosecutor’s Office, the tradition of integral protection of children established in the 1990 Child and Adolescent Statute (ECA), and an approach that combines state regulation with the shared responsibility of families, schools, and platforms.
Practical Compliance Steps for Foreign Technology Companies
Foreign legal advisors must act with urgency. A good starting point is to conduct a comprehensive gap analysis: mapping user onboarding flows, reviewing advertising and algorithmic recommendation policies, assessing the adequacy of age verification mechanisms, and verifying whether the legal representation structure in Brazil meets the new requirements.
In addition, it is important to prepare local teams or partners to handle administrative requests and potential audits. Investing in privacy-preserving age verification technologies, such as age estimation or document-based verification without excessive data storage, can make a difference both in compliance and in the user experience.
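The privacy-preserving age verification mentioned above and in the age verification section can be made concrete. The following is an added example (not code from the original article, the law, or any vendor): a hypothetical onboarding service checks a date of birth taken from an identity document once, collapses it into the coarsest age bucket the product needs, and then keeps and forwards only an HMAC-signed attestation of that bucket. The bucket thresholds (under 16 requires a guardian link, 18+ is adult), the `ATTESTATION_KEY`, the user identifiers, and the `may_enable_personalised_ads` gate are assumptions for illustration; they mirror the 16- and 18-year thresholds discussed in the article but are not a statement of the statutory rules.

```python
"""Privacy-preserving age attestation: verify once, retain only the age bucket.

Added example, not code from the original page. Assumes a hypothetical
platform that inspects an identity document at onboarding, derives an age
bucket from the date of birth, and stores/transmits only a signed
attestation of that bucket. The document and date of birth are never
placed in the token or in the downstream profile.
"""
import hashlib
import hmac
import json
from datetime import date
from typing import Optional

# Constructed secret for the example only; a real deployment keeps this in a KMS/HSM.
ATTESTATION_KEY = b"example-only-attestation-key-rotate-me"

# Buckets the product actually acts on (assumed thresholds, illustrative):
#   "child"      : under 16 -> account must be linked to a legal guardian
#   "adolescent" : 16-17    -> minor protections apply, no guardian link required
#   "adult"      : 18+
BUCKETS = ("child", "adolescent", "adult")


def age_on(dob: date, reference: date) -> int:
    """Full years completed on `reference`, correct when the birthday is still ahead."""
    years = reference.year - dob.year
    if (reference.month, reference.day) < (dob.month, dob.day):
        years -= 1
    return years


def age_bucket(dob: date, reference: date) -> str:
    """Collapse an exact age into the coarsest bucket the product needs."""
    years = age_on(dob, reference)
    if years < 16:
        return "child"
    if years < 18:
        return "adolescent"
    return "adult"


def issue_attestation(dob: date, user_id: str, verified_on: date) -> str:
    """Check the document-derived DOB once and emit a token carrying only the bucket.

    The DOB is used here and then discarded; it is not part of the payload.
    """
    bucket = age_bucket(dob, verified_on)
    payload = {
        "sub": user_id,
        "bucket": bucket,
        "verified_on": verified_on.isoformat(),
        "requires_guardian_link": bucket == "child",
    }
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(ATTESTATION_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify_attestation(token: str) -> Optional[dict]:
    """Return the payload if the HMAC tag is valid, else None (constant-time compare)."""
    body, sep, tag = token.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(ATTESTATION_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    payload = json.loads(body)
    if payload.get("bucket") not in BUCKETS:
        return None
    return payload


def may_enable_personalised_ads(token: str) -> bool:
    """Gate an adults-only feature on the attestation, never on self-declaration."""
    payload = verify_attestation(token)
    return payload is not None and payload["bucket"] == "adult"


if __name__ == "__main__":
    # Constructed sample: a user born 17 March 2011, verified on 17 March 2026.
    token = issue_attestation(date(2011, 3, 17), "user-123", date(2026, 3, 17))
    print(token)                              # no date of birth appears in the token
    print(verify_attestation(token))          # bucket "child", guardian link required
    print(may_enable_personalised_ads(token)) # False
```

The design point is data minimization by construction: downstream services receive a verifiable claim (bucket, verification date, guardian-link flag) and cannot reconstruct the date of birth from it, while a forged or altered token fails the HMAC check. Re-verification is driven by `verified_on`, since a "child" attestation ages out; a real system would also bind the token to a key identifier to allow rotation.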
Conclusion
In summary, the ECA Digital is not merely a symbolic law. It imposes concrete obligations, with adaptation deadlines that have already expired for many companies, and carries real risks of financial and operational sanctions. For law firms advising international clients, especially small and medium-sized practices in Europe and Asia, the moment has come to help these players turn compliance into a competitive advantage.
Those who manage to implement robust protection measures from the design stage of their products will not only avoid heavy fines but may also build greater trust with the Brazilian public and authorities.
Summary: On January 25, 2026, Brazil and the EU mutually recognized each other as providing adequate personal data protection—removing, in many cases, the need for Standard Contractual Clauses (SCCs) or other transfer tools. This shifts the conversation from “copy-paste compliance” to strategy: deciding when to retire SCCs, updating cross-border transfer policies, and modernizing contractual models for future deals.
Why this matters in real transactions
Imagine you’re about to close a deal with a German business partner and your Brazilian client urgently asks for a data transfer clause. It’s always the same copy-paste: Standard Contractual Clauses (SCCs), Annex I and II in both languages, signatures on the dotted line. Now imagine this scene is finally unnecessary.
The mutual adequacy milestone (January 25, 2026)
On January 25, 2026, Brazil and the European Union mutually recognized each other as providing adequate levels of personal data protection. It is the first mutual adequacy arrangement between the EU and a Latin American country (Argentina and Uruguay hold one-way EU adequacy decisions). In practical terms, it means that companies can transfer personal data between Brazil and the EU without the need for additional mechanisms, like SCCs or Binding Corporate Rules (BCRs). In strategic terms, it opens a new front of opportunities for Brazilian lawyers, especially those advising clients who export, import, invest, or operate in the EU.
A starting point, not a “compliance break”
This is a milestone and also a starting point. Mutual adequacy does not mean «relax your compliance programs»; on the contrary, it demands governance maturity and careful review.
Three concrete fronts for legal work
1. Retiring SCCs: Not Always Automatic
The adequacy decision makes SCCs optional in many cases, but that doesn’t mean you can simply tear them up. For existing contracts that already use SCCs, lawyers will need to assess whether they should keep, revise, or remove those clauses. The answer will depend on the risks, data flows, and reliance on third countries in the processing chain. There may also be internal policies, negotiated warranties, or obligations to supervisory authorities that require formal justifications.
In practice, companies with complex processing chains (e.g., European headquarters, shared Brazilian HR services, cloud servers in the U.S.) may continue using SCCs in certain flows even after the adequacy recognition. Lawyers will need to carefully document and track this hybrid model.
2. Reviewing Cross-Border Data Transfer Policies
Many companies, especially multinationals or those with multiple data protection obligations, have established cross-border data transfer policies («CBTPs») that classify countries into categories and associate specific safeguards for each. Brazil’s new status as an «adequate country» must now be reflected in those documents.
For instance, a Brazilian company that receives data from France and sends it to Argentina and India may now adjust internal protocols to reduce documentation and controls on the EU → Brazil leg, while reinforcing controls in the Brazil → Argentina or Brazil → India legs. These changes must be aligned with the company’s policies, contracts, and internal training materials.
3. Adapting Contractual Models for Future Deals
The mutual adequacy decision creates a new contractual scenario. Brazilian lawyers advising international clients can now use data transfer models aligned with GDPR—without needing SCCs or complex annexes—provided both parties are located in Brazil and the EU.
This reduces transaction costs, improves legal certainty, and increases speed in negotiations involving technology services, cross-border M&A, or shared service centers. A good contractual model should still include data protection clauses—but now focused on risk allocation, DPO cooperation, and incident response coordination, rather than formal compliance with Art. 46 GDPR or Arts. 33–36 LGPD.
Summary: Brazil’s data protection authority (ANPD) is signaling a clear move toward stronger, more GDPR-aligned enforcement and rulemaking through its 2026–2027 Priority Topics Map and updated Regulatory Agenda. The selected priorities mirror familiar EU themes—data subject rights, children’s data, public-sector processing, and AI—while adding practical predictability for organizations planning compliance. For European businesses operating in Brazil, the direction of travel suggests increasing convergence in governance, risk assessment, and transparency expectations. This trajectory may also strengthen the long-term case for Brazil to pursue an EU adequacy decision.
A maturing authority with a strategic alignment to GDPR
While European regulators refine enforcement mechanisms for mature frameworks, Brazil is quietly building one of the world’s most GDPR-aligned data protection systems outside the EU. The release of the Priority Topics Map for 2026–2027 and the updated Regulatory Agenda by the National Data Protection Authority (Autoridade Nacional de Proteção de Dados, ANPD) reveals an authority no longer in its infancy, but one strategically positioning itself as a credible counterpart to European supervisory bodies.
ANPD’s priority topics for 2026–2027
The four priority topics chosen by Brazil’s National Data Protection Authority («ANPD») tell a familiar tale to anyone working with GDPR compliance: data subject rights, protection of children and adolescents in digital environments, processing by public authorities, and artificial intelligence with emerging technologies.
Why these priorities feel familiar to GDPR practitioners
These are not arbitrary choices but deliberate alignments with the core concerns that have shaped European enforcement over the past seven years, from the fundamental rights guarantees in Articles 12 through 22, to the heightened scrutiny of processing involving minors, to the evolving regulatory treatment of algorithmic systems that now spans both GDPR recitals and the EU AI Act itself.
Children and adolescents: new authority and converging expectations
Brazil’s recent Digital Statute for Children and Adolescents hands ANPD substantial new authority over age verification and parental consent mechanisms, creating a regulatory bridge that should look strikingly familiar to companies navigating the UK’s Age Appropriate Design Code or implementing EDPB guidance on child data. European digital services operating in Brazil, particularly in social media, gaming, education, or wellness sectors, now face converging compliance expectations on both sides of the Atlantic. The technical architectures and consent flows designed for GDPR are increasingly fit for purpose in the Brazilian context as well.
Artificial intelligence and emerging technologies
The elevation of artificial intelligence to priority status represents ANPD’s clearest statement yet about where Brazilian regulation is headed. The move itself is unsurprising, since AI is on the agenda of every regulator in every industry. While the LGPD lacks specific AI provisions, the authority has been methodically laying groundwork through public consultations on automated decision-making and studies on algorithmic profiling. For companies already deep in EU AI Act preparation, such a convergence offers something rare in global privacy compliance: the potential for genuine efficiency gains through shared governance frameworks, unified risk assessment methodologies, and harmonized transparency protocols rather than duplicative regional adaptations.
Data subject rights and DPIAs: reinforcing accountability
ANPD’s continued emphasis on data subject rights and Data Protection Impact Assessments reinforces the structural similarities with GDPR’s accountability model. The Brazilian approach increasingly mirrors European expectations around documented risk assessment, standardized response protocols for individual rights requests, and transparency obligations for profiling activities. Multinational organizations can now reasonably contemplate unified DPIA templates and centralized rights management systems that serve both jurisdictions without fundamental architectural splits.
The updated Regulatory Agenda for 2025–2026: predictability as a compliance asset
The updated Regulatory Agenda for 2025–2026 provides something perhaps more valuable than new rules: predictability. One should not underestimate the importance of predictability in Brazil, where it is a rare asset even before the courts; former Finance Minister Pedro Malan once ironically remarked that «in Brazil, even the past is uncertain».
What ANPD is telegraphing next
By telegraphing upcoming initiatives on biometric data processing, inspection methodologies, sanctioning procedures, cybersecurity standards, and privacy program governance, ANPD offers companies the planning visibility that makes cross-border compliance feasible rather than reactive. These topics map directly onto GDPR’s controller obligations, security requirements, and Data Protection Officer independence provisions in Articles 24 through 39.
Beyond compliance: what convergence could mean for data flows
The regulatory convergence carries implications beyond operational compliance. The structural alignment between LGPD and GDPR, reinforced by ANPD’s strategic choices, strengthens the case for an eventual EU adequacy decision recognizing Brazil under Article 45.
For European businesses and their counsel, the trajectory suggests not just reduced friction in managing trans-Atlantic data flows, but the emergence of genuinely compatible regulatory ecosystems. The challenge will be maintaining attention to Brazilian developments with the same intensity devoted to EDPB guidelines and Commission decisions, recognizing that convergence is a continuous process rather than a static achievement.
Conclusion
Brazil’s ANPD is increasingly setting priorities that mirror the main pressure points of GDPR compliance, while using its Regulatory Agenda to add clarity and sequencing to what comes next. For organizations operating across the EU and Brazil, the message is practical: governance structures, rights-handling processes, and risk assessment tooling built for GDPR are becoming progressively reusable in the Brazilian context. At the same time, staying alert to ANPD’s evolving guidance—especially around children’s data, AI, biometrics, cybersecurity, and enforcement methodology—will be key to turning regulatory convergence into real operational efficiency and reduced cross-border friction.
Summary
This article explores the ANPD’s 2025 Tech Radar on neurotechnologies and how it reshapes compliance risks for Brazilian healthtechs—especially in M&A contexts involving GDPR exposure. It outlines key regulatory concerns, the GDPR’s extraterritorial impact, major due-diligence red flags, and the essential deliverables investors should require.
Introduction
Brazil’s latest ANPD Tech Radar brings neurotechnologies to the forefront of data-protection compliance, exposing significant risks for healthtech companies and investors. With GDPR’s extraterritorial reach, sensitive data processing, opaque AI, and cross-border transfers, data governance has become a critical M&A due-diligence factor requiring structured reviews and robust contractual safeguards.
Key Compliance Risks Shaping Brazilian Healthtech M&A
Brazil’s Data Protection Authority (ANPD) released its 4th Tech Radar in June 2025, focusing entirely on neurotechnologies—marking the first time the regulator targeted this field so directly. The report explores brain-computer interfaces, advanced wearables, AI-driven cognitive therapies, and predictive diagnostics, highlighting risks far beyond traditional health data processing.
For investors and lawyers working M&A deals in Brazil’s healthtech sector, this Radar signals that data protection is no longer a secondary compliance issue—it is now a major source of legal, reputational, and operational risk.
GDPR’s Extraterritorial Relevance
Many Brazilian healthtechs handle personal data from foreign individuals, particularly Europeans—through expats, medical tourists, cross-border clinical trials, or partnerships with EU-based vendors. When this occurs, GDPR Article 3(2) can extend jurisdiction to the Brazilian company, even without any EU establishment. The trigger is territorial rather than based on nationality: Article 3(2) applies where goods or services are offered to data subjects who are in the EU, or where their behaviour in the EU is monitored (for example, remote follow-up of a patient after returning home), so each data flow should be checked against that test rather than assumed in or out of scope.
Main Risks Identified by ANPD (Tech Radar #4)
- Inferring health data without explicit consent. Example: wearables identifying depression through sleep or stress patterns without informing users.
- Lack of transparency in predictive algorithms: black-box AI models making clinical decisions without accessible documentation.
- Cybersecurity vulnerabilities in connected devices: neural implants or neurostimulators vulnerable to hacking, with potentially physical consequences.
- Automated processing that impacts human dignity: behavioral profiling influencing insurance eligibility, discrimination, or patient autonomy in therapy environments.
GDPR Article 22 gives individuals the right not to be subject to solely automated decisions with legal or similarly significant effects, allowing such processing only under narrow exceptions and with strict safeguards—making this a critical risk during due diligence.
Most Common Red Flags in Brazilian Healthtech Due Diligence
| Red flag | LGPD impact (Brazil) | GDPR parallel (Europe) | Practical recommendation |
|---|---|---|---|
| No clear legal basis for sensitive data (health, genetic, biometric) | Breach of LGPD Art. 11 | Art. 9 (special categories) | Require full data mapping and warranties |
| Generic or “click-to-accept” consents | Invalid consent (Arts. 7 and 11) | Arts. 6 and 7 | Ensure all consents are granular, specific, and revocable |
| Third-party sharing without processor agreements | Breach of LGPD Arts. 28 and 33 | Art. 28 | Verify existence and adequacy of all DPAs |
| Missing or incomplete ROPA | Serious regulatory violation | Art. 30 | Make ROPA delivery a closing condition |
| Non-existent or conflicted DPO | Non-compliance with ANPD Resolution CD nº 2 | Arts. 37–39 | Require interview and independence confirmation |
| No DPIA for high-risk products | Mandatory (ANPD Res. 15/2023) | Art. 35 | Include pre-closing DPIA audit clause |
| International transfers without safeguards | Arts. 33–35 | Arts. 44–50 | Verify SCCs (2021/2023) or adequacy status |
Real Cases Illustrating the Scale of Risk
- Telepsychology platforms investigated for using automated triage without informed consent or AI transparency.
- ANPD actions against genomics startups due to cross-border transfers without SCCs or DPIAs.
- Outsourced cloud hosting increasing irregular data transfer risks.
Until Brazil receives an EU adequacy decision, SCCs and BCRs remain mandatory for compliant transfers.
Essential Due Diligence Deliverables
A robust data-protection review is now essential in healthtech M&A. Key deliverables include:
- LGPD ↔ GDPR gap analysis
- ROPA and DPIA review
- Sub-processor contract verification
- Mapping of all international transfers
- Privacy-specific warranties and indemnities
- Escrow or holdback for regulatory risk exposure
Conclusion
Data protection is no longer secondary in healthtech M&A—especially when neurodata is involved. With ANPD scrutinizing neurotechnologies and GDPR obligations extending across borders, investors must prioritize structured due diligence and strong contractual safeguards.
FAQ
Is neurodata considered sensitive personal data under the LGPD?
Yes—ANPD treats neurodata as highly sensitive because it reveals cognitive, emotional, and health patterns.
Does GDPR apply to Brazilian companies with no EU presence?
Yes, via Article 3(2), whenever EU data subjects’ information is processed.
Are SCCs still required for Brazil–EU transfers?
Yes, until Brazil receives an EU adequacy decision.
What are the top investor red flags?
Missing DPIAs, unclear legal bases, opaque algorithms, and irregular transfers.
Since the General Data Protection Regulation (GDPR) took effect in 2018, the European Union (EU) has granted adequacy status to only a limited number of jurisdictions — those whose data protection regimes are deemed to provide an «essentially equivalent» level of protection to that of the EU. The current list includes Andorra, Argentina, Canada (under PIPEDA), Faroe Islands, Guernsey, Isle of Man, Israel, Japan, Jersey, New Zealand, South Korea, Switzerland, Uruguay, the United Kingdom, and the United States (limited to companies certified under the Data Privacy Framework).
As of 5 September 2025, Brazil is on the verge of joining this exclusive group. The European Commission has issued a draft adequacy decision concluding that the Brazilian General Data Protection Law (Lei Geral de Proteção de Dados Pessoais – LGPD), in conjunction with Brazil’s broader legal and constitutional framework, offers protections that are essentially equivalent to those found in the GDPR. While Brazil’s rules offer somewhat more flexibility in specific areas of data processing, the foundational principles and safeguards are well-aligned with EU standards.
Once finalized, the adequacy decision will authorize the free flow of personal data from the EU to Brazil without the need for additional contractual clauses or technical safeguards. Such a development is not just regulatory — it also answers a core political argument made by LGPD advocates since its inception: that the absence of a comprehensive data protection framework was undermining Brazil’s international competitiveness by limiting data flows and discouraging investment. For businesses, the EU decision may finally mean the removal of a significant layer of compliance complexity — a development especially welcome by small and medium-sized enterprises engaged in cross-border trade or service provision. The draft is currently under review by the European Data Protection Board (EDPB) and the Member States of the EU.
The Commission’s assessment highlights several key aspects of Brazil’s data protection landscape. It begins by noting that the Brazilian Constitution expressly guarantees the right to privacy and the protection of personal data — a notable distinction among non-EU jurisdictions. These protections are further supported by Brazil’s ratification of the American Convention on Human Rights and its recognition of the jurisdiction of the Inter-American Court of Human Rights, reinforcing a commitment to fundamental rights and democratic oversight.
The LGPD mirrors the GDPR in many critical respects and defines its territorial scope clearly. It applies to: (i) data processing carried out within Brazilian territory, (ii) the offering of goods or services to individuals in Brazil, and (iii) data collected in Brazil, even if subsequently processed abroad. This aligns well with the extraterritorial provisions of the GDPR. The definitions of personal data, sensitive data, controller, and processor are materially similar, as are the key principles governing processing — including lawfulness, purpose limitation, data minimization, accuracy, transparency, and security. The law expressly excludes anonymized data from its scope and establishes specific exemptions for journalistic activities, public security, and scientific research.
Another strength is Brazil’s institutional framework. The National Data Protection Authority (ANPD) was recently transformed into an autonomous regulatory agency, enhancing its independence and technical capacity. The ANPD holds both regulatory and enforcement powers: it can issue binding regulations, impose administrative sanctions, and publish authoritative guidance. To date, it has issued key guidelines on topics such as consent, legitimate interest, the role of the Data Protection Officer (DPO), and security incident reporting. Internationally, the ANPD is an active participant in global data protection dialogue — it is a member of the Global Privacy Assembly and an official observer to the Council of Europe’s Convention 108.
The LGPD’s approach to international data transfers is also structurally aligned with the GDPR. It requires appropriate safeguards such as standard contractual clauses, allows for future adequacy decisions under a regime comparable to Article 45 of the GDPR, and includes detailed provisions for onward transfers and transit data — that is, data merely passing through Brazil without further processing. The rights of data subjects are robust and familiar to European practitioners: access, rectification, erasure, portability, and withdrawal of consent are guaranteed. Lawful bases for processing are also aligned — including consent, legal obligations, contract execution, and legitimate interest. Notably, the LGPD requires a documented balancing test when relying on legitimate interest, bringing additional accountability to this flexible legal basis.
Security incidents involving personal data must be notified to both the ANPD and affected data subjects when there is a significant risk of harm. The standard notification deadline is 72 hours, and the required content aligns closely with Articles 33 and 34 of the GDPR. The ANPD may also order public disclosure of incidents or require remedial measures, depending on the nature and scope of the breach.
Importantly, this process is not one-sided. In parallel to the European Commission’s adequacy decision, the ANPD is conducting its own adequacy assessment of the EU and EEA data protection frameworks. This process is regulated by the Brazilian Resolution CD/ANPD No. 19/2024, which governs international data transfers. Once the technical and legal evaluation is complete, the ANPD’s Board of Directors will issue a formal decision. This reciprocal move reflects Brazil’s commitment to mutual recognition and regulatory symmetry — a positive signal for companies on both sides of the Atlantic.
In conclusion: If confirmed, Brazil’s adequacy status will simplify international operations, reduce compliance costs, and expand opportunities for data-driven business and legal cooperation. For European lawyers advising SMEs with interests in Latin America, this development is a strategic signal: Brazil is emerging not just as a growing market, but as a legally compatible and data-safe jurisdiction for international partnerships.
On 23 August 2024, Brazil’s National Data Protection Authority (ANPD) issued Resolution No. 19, a landmark regulation governing the international transfer of personal data under the Brazilian General Data Protection Law (LGPD). Companies now have until 23 August 2025 to fully comply.
This deadline is especially relevant for European multinationals operating in Brazil, or Brazilian subsidiaries sharing data with foreign HQs or vendors. The new rules align Brazil more closely with global privacy frameworks like the GDPR—but with local twists that demand attention.
Why It Matters
Unlike previous guidance, Resolution No. 19 creates binding legal obligations and explicit deadlines. It introduces mechanisms such as Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), and public transparency requirements—all within a strict 12-month timeframe.
For many international companies, this will require significant updates to internal governance, contract management, and cloud data strategies. Below are the key takeaways for foreign counsel.
Standard Contractual Clauses (SCCs): Now Mandatory
The ANPD has released its own set of Standard Contractual Clauses, which must be used for data transfers to jurisdictions not recognized as offering “adequate protection.”
Companies must adopt these clauses by 23 August 2025. This will likely require revisiting existing data processing agreements involving Brazilian parties and ensuring alignment with the ANPD template.
Important: The SCCs cannot be modified beyond inserting details in the annexes. Any deviations require prior approval from the ANPD and are limited to exceptional cases.
Broad Transparency Requirements
Data controllers are now required to publish, on their website, a plain-language document explaining:
- the purpose of the international data transfer,
- the categories of data involved,
- the countries of destination,
- and the legal mechanism used to legitimize the transfer.
Upon request, data subjects must also receive a copy of the full SCCs within 15 days. Multinationals will need protocols and document templates to respond efficiently—especially when dealing with requests in Portuguese.
Expanded Definition of “International Transfer”
The Resolution clarifies that a transfer occurs whenever:
- data is accessed or stored by an entity located abroad, or
- processing is outsourced to a cloud provider with servers or technical teams outside Brazil.
This has important implications for global companies that centralize services such as payroll, CRM, or cybersecurity outside Brazil—even if hosted on multinational platforms.
Binding Corporate Rules (BCRs): Now Recognized
Multinationals with mature privacy programs may apply to the ANPD for approval of their own Binding Corporate Rules, offering an alternative to SCCs.
This is a welcome development for companies seeking harmonized compliance across jurisdictions, but approval is expected to involve a complex and time-consuming process. Early preparation is essential.
Custom Clauses in Exceptional Circumstances
Companies unable to adopt the standard clauses—due to specific factual or legal constraints—may submit alternative clauses for ANPD approval. However, such flexibility is limited and subject to strict justification.
In practice, the official SCCs will be the default path for most international data transfers involving Brazil.
What Foreign Companies Should Do Now
The 12-month window is already ticking. International groups operating in Brazil or processing Brazilian data should urgently:
- Map all international data transfers involving Brazil;
- Identify contracts and vendors requiring updates;
- Insert ANPD’s SCCs where applicable;
- Publish the required transparency notice online in Portuguese;
- Monitor for further ANPD guidance or enforcement trends.
Strategic Compliance: Beyond Legal Risk
Resolution No. 19 is part of a global trend toward standardized but locally enforced privacy frameworks. For GDPR-compliant companies, Brazil’s new rules offer a chance to reaffirm leadership in data governance.
Those who act early can avoid last-minute fire drills, reduce regulatory exposure, and strengthen credibility with Brazilian regulators and consumers.
In today’s data economy, privacy compliance is more than a legal duty—it’s a business differentiator.
Brazil’s National Data Protection Authority (ANPD) released a long-awaited guidance document on how companies should interpret and apply the legal basis of legitimate interest under the Brazilian General Data Protection Law (LGPD).
This is not merely a local update. As Brazil continues to shape its data protection regime, foreign companies—particularly European SMEs with clients, platforms, or partners in Brazil—must adapt their compliance strategies to local expectations. This new guidance is a crucial development.
Below, I summarize what has changed, how it compares to the GDPR approach, and what steps you (or your clients) should take next.
Why Legitimate Interest Matters—But Remains Risky
Just like under the GDPR, Brazil’s LGPD allows personal data to be processed without consent when doing so is necessary for purposes aligned with the controller’s legitimate interests. However, because no regulation followed the LGPD’s entry into force, this legal basis has long been regarded as risky in Brazil – in fact, it was unclear how to evaluate the «legitimacy» of the interest and balance it against data subject rights.
The ANPD’s «Guia Orientativo sobre o Legítimo Interesse» (Guidance on Legitimate Interest) fills that gap—providing a practical framework to assess, document, and justify this legal basis.
The ANPD’s Three-Step Balancing Test
The core of the new guidance is a three-step balancing test, which mirrors the GDPR’s Legitimate Interests Assessment (LIA) but with Brazilian nuances.
- Purpose Test: The controller must define a specific, concrete, and legitimate objective behind the data processing. Open-ended or abstract justifications (“marketing purposes”, “efficiency”) will not suffice. The processing must also align with the reasonable expectations of the data subject.
- Necessity Test: The data processing must be strictly necessary to achieve the defined purpose. If the same result could be achieved through less intrusive means (e.g. anonymized data or a different legal basis), the test will likely fail.
- Balancing Test and Safeguards: This step assesses whether the controller’s interest outweighs the rights and freedoms of the data subject. Controllers must consider the nature of the data, the context of the processing, and the potential risks involved. When risks are identified, appropriate safeguards must be implemented, such as transparency, opt-outs, pseudonymization, and impact assessments.
Takeaway: The ANPD recommends documenting the entire process. While this is not mandatory by law, it will be critical in case of investigations or complaints.
How This Affects Foreign Companies Doing Business in Brazil
Many foreign companies process personal data of Brazilian individuals—whether by offering digital services, interacting with Brazilian suppliers, or collecting contact information via websites or CRM tools.
Although some assume that GDPR compliance is sufficient, the ANPD may evaluate legitimate interest more restrictively than some EU supervisory authorities.
Foreign companies should:
- Revisit their legal bases for processing data of Brazilian individuals.
- Conduct a proper balancing test using the ANPD’s model, even for non-sensitive data.
- Keep written records of the analysis (especially if using legitimate interest for analytics or marketing).
- Update their privacy notices to reflect the legal basis and safeguards in place.
- Be aware of the extraterritorial reach of the LGPD—yes, it applies even if you have no office in Brazil.
Strategic Guidance
If you advise SMEs that operate across jurisdictions—including Brazil—this new guidance is a practical compliance tool and a risk-mitigation opportunity.
Here’s how to act now:
- Perform a Legitimate Interests Assessment (LIA) whenever your client relies on this basis in Brazil.
- Compare it with the GDPR LIA to identify overlaps and gaps.
- Align documentation—so your clients are ready in the event of a complaint or data subject request.
- Monitor ANPD updates—the ANPD has increased its activity and enforcement posture significantly in the past year.
Final Thoughts
The ANPD’s guidance reflects a growing maturity in Brazil’s data protection landscape. Legitimate interest is no longer a vague fallback—it requires structure, analysis, and above all, transparency.
European companies with operations or digital exposure in Brazil should approach this legal basis with care and diligence. The good news? The ANPD is now offering the roadmap. It’s up to us, as legal advisors, to make sure our clients follow it.
Want to see the full guidance? The original document (in Portuguese) is available here.
Brazil is increasingly in the global spotlight when it comes to cybersecurity threats. With over 10 billion cyberattack attempts recorded in 2023 alone, the country ranks among the most targeted worldwide. These incidents are not abstract: they affect sensitive sectors such as finance and healthcare, including data leaks involving over 220 million data subjects from national institutions and critical infrastructure operators.
While Brazil may seem like a distant jurisdiction, its data protection regime — shaped by the Lei Geral de Proteção de Dados (LGPD) — has growing significance for European businesses operating or partnering in the region. The LGPD, inspired by the GDPR, sets out specific obligations around data breach notification. However, unlike the GDPR’s mandatory 72-hour notification rule, not all security incidents must be reported to the Brazilian Data Protection Authority (ANPD).
So: when exactly should a security incident be reported in Brazil?
When Notification is Required: A Three-Step Test
Under Brazilian law, a security incident involving personal data must be reported to the ANPD only if the following three criteria are cumulatively met:
- The incident has been confirmed.
- It involves personal data subject to the LGPD.
- It poses a relevant risk or damage to data subjects.
This third threshold is critical. According to the ANPD’s Security Incident Communication Regulation (RCIS), relevant risks include incidents that may:
- Prevent the exercise of rights or access to services.
- Cause material or moral harm.
- Involve special categories of data, such as:
  - Sensitive personal data
  - Financial data
  - Large-scale datasets
  - Children’s or elderly persons’ data
  - Authentication credentials
  - Legally protected information (e.g., medical, legal, or professional secrets)
This approach offers some flexibility — but it also requires careful legal judgment.
When You Don’t Have to Notify
There is no obligation to notify the ANPD if the incident does not result in significant risk or damage. For instance, if the breached data is non-sensitive and publicly available (e.g., general contact information), and no additional harm is expected, companies may reasonably determine that notification is unnecessary.
However, this decision should not be taken lightly. Controllers are expected to assess several contextual factors, such as:
- The volume and nature of the affected data.
- Whether the data subjects can be identified.
- The likely impact on fundamental rights.
- The technical and security measures in place.
- Any steps taken to mitigate the damage.
In practice, each case must be analyzed individually — and well documented — to ensure a defensible position.
How to Notify the ANPD (If Required)
If the thresholds for notification are met, companies must report the incident within three business days from the date they became aware that personal data was affected. The notification must include:
- A description of the breach and affected data.
- The number and profile of impacted data subjects.
- Security measures in place before and after the incident.
- Potential risks to the data subjects.
- Mitigation strategies.
- Identification of the controller and DPO (if applicable).
Notifications are submitted via the ANPD’s online platform (SUPER). Sensitive business information can be protected through a request for confidential treatment, provided it is properly justified.
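The three cumulative criteria above, the RCIS risk indicators, and the three-business-day deadline lend themselves to a small incident-response triage helper that records why a notification decision was reached (the documented, defensible position the article asks for). The following Python is an added example, my own code rather than anything published by the ANPD or this article; it assumes Monday to Friday are business days, ignores public holidays, does not count the day of awareness, and uses constructed category labels and sample incidents.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import FrozenSet, List, Optional

# Categories the RCIS lists as indicators of relevant risk (labels are constructed).
SPECIAL_CATEGORIES = frozenset({
    "sensitive_personal_data",
    "financial_data",
    "large_scale_dataset",
    "children_or_elderly_data",
    "authentication_credentials",
    "legally_protected_information",
})

# Content the notification must carry if it is sent (from the list above).
REQUIRED_CONTENT = (
    "description of the breach and affected data",
    "number and profile of impacted data subjects",
    "security measures in place before and after the incident",
    "potential risks to the data subjects",
    "mitigation strategies",
    "identification of the controller and DPO (if applicable)",
)


@dataclass(frozen=True)
class Incident:
    """Facts established during response (constructed fields, not an ANPD form)."""
    confirmed: bool                       # step 1: confirmed, not merely suspected
    involves_lgpd_personal_data: bool     # step 2: personal data within LGPD scope
    data_categories: FrozenSet[str] = frozenset()
    prevents_rights_or_services: bool = False
    causes_material_or_moral_harm: bool = False
    aware_on: Optional[date] = None       # date the controller learned personal data was hit


def relevant_risk(inc: Incident) -> bool:
    """Step 3: is any RCIS indicator of relevant risk or damage present?"""
    return (
        inc.prevents_rights_or_services
        or inc.causes_material_or_moral_harm
        or bool(inc.data_categories & SPECIAL_CATEGORIES)
    )


def notification_required(inc: Incident) -> bool:
    """All three criteria must hold cumulatively."""
    return inc.confirmed and inc.involves_lgpd_personal_data and relevant_risk(inc)


def notification_deadline(aware_on: date, business_days: int = 3) -> date:
    """Assumption: Mon-Fri only, no holiday calendar, awareness day itself not counted."""
    d, remaining = aware_on, business_days
    while remaining > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:          # 0..4 are Monday..Friday
            remaining -= 1
    return d


def triage(inc: Incident) -> dict:
    """Return the decision plus the reasons, so the analysis can be kept on file."""
    reasons: List[str] = []
    if not inc.confirmed:
        reasons.append("incident not confirmed")
    if not inc.involves_lgpd_personal_data:
        reasons.append("no LGPD personal data involved")
    if not relevant_risk(inc):
        reasons.append("no relevant risk or damage indicator present")
    required = not reasons
    return {
        "notify_anpd": required,
        "reasons": reasons or ["all three criteria met"],
        "deadline": notification_deadline(inc.aware_on) if required and inc.aware_on else None,
        "notification_content": REQUIRED_CONTENT if required else (),
    }


if __name__ == "__main__":
    # Constructed sample: leaked password hashes, discovered on a Friday.
    creds = Incident(True, True, frozenset({"authentication_credentials"}),
                     aware_on=date(2025, 3, 7))
    print(triage(creds))
    # Constructed sample: already-public office contact details, no further harm expected.
    contacts = Incident(True, True, frozenset({"public_contact_info"}))
    print(triage(contacts))
```

The `reasons` list is the part worth keeping: when the decision is "do not notify", it should be stored alongside the contextual factors the article lists (volume, identifiability, impact, safeguards, mitigation) so the position can be defended later.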
Strategic Takeaways for European Stakeholders
For European companies and compliance officers, understanding the nuances of Brazilian data breach notification rules is essential for several reasons:
- Cross-border compliance: Companies transferring personal data to Brazil must ensure regulatory alignment under the GDPR’s international transfer rules.
- Due diligence: M&A or vendor screening in Brazil should include assessments of LGPD readiness and breach history.
- Incident response protocols: Global organizations must harmonize breach notification timelines and thresholds across jurisdictions, adapting to Brazil’s risk-based approach.
In a landscape of increasing cyber threats, aligning with the LGPD is not just a regulatory obligation — it’s a strategic necessity.
Final Thoughts
Brazil’s data protection authority does not adopt a «one size fits all» model for breach notification. The LGPD introduces a risk-based, case-by-case approach, which may offer more flexibility than the GDPR — but also places a greater burden on organizations to justify their decisions.
European companies doing business in Brazil must be prepared to evaluate security incidents in light of both local obligations and international expectations. Failing to notify a breach — or notifying too hastily — can have serious reputational, legal, and operational consequences.
Understanding when (and how) to notify the ANPD is a key part of navigating Brazil’s complex but maturing data protection landscape.