Brazil | Deadline for Compliance on International Data Transfers
11 August 2025
On 23 August 2024, Brazil’s National Data Protection Authority (ANPD) issued Resolution No. 19, a landmark regulation governing the international transfer of personal data under the Brazilian General Data Protection Law (LGPD). Companies now have until 23 August 2025 to fully comply.
This deadline is especially relevant for European multinationals operating in Brazil, or Brazilian subsidiaries sharing data with foreign HQs or vendors. The new rules align Brazil more closely with global privacy frameworks like the GDPR—but with local twists that demand attention.
Why It Matters
Unlike previous guidance, Resolution No. 19 creates binding legal obligations and explicit deadlines. It introduces mechanisms such as Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), and public transparency requirements—all within a strict 12-month timeframe.
For many international companies, this will require significant updates to internal governance, contract management, and cloud data strategies. Below are the key takeaways for foreign counsel.
Standard Contractual Clauses (SCCs): Now Mandatory
The ANPD has released its own set of Standard Contractual Clauses, which must be used for data transfers to jurisdictions not recognized as offering “adequate protection.”
Companies must adopt these clauses by 23 August 2025. This will likely require revisiting existing data processing agreements involving Brazilian parties and ensuring alignment with the ANPD template.
Important: The SCCs cannot be modified beyond inserting details in the annexes. Any deviations require prior approval from the ANPD and are limited to exceptional cases.
Broad Transparency Requirements
Data controllers are now required to publish, on their website, a plain-language document explaining:
- the purpose of the international data transfer,
- the categories of data involved,
- the countries of destination,
- and the legal mechanism used to legitimize the transfer.
Upon request, data subjects must also receive a copy of the full SCCs within 15 days. Multinationals will need protocols and document templates to respond efficiently—especially when dealing with requests in Portuguese.
Expanded Definition of “International Transfer”
The Resolution clarifies that a transfer occurs whenever:
- data is accessed or stored by an entity located abroad, or
- processing is outsourced to a cloud provider with servers or technical teams outside Brazil.
This has important implications for global companies that centralize services such as payroll, CRM, or cybersecurity outside Brazil—even if hosted on multinational platforms.
Binding Corporate Rules (BCRs): Now Recognized
Multinationals with mature privacy programs may apply to the ANPD for approval of their own Binding Corporate Rules, offering an alternative to SCCs.
This is a welcome development for companies seeking harmonized compliance across jurisdictions, but approval is expected to involve a complex and time-consuming process. Early preparation is essential.
Custom Clauses in Exceptional Circumstances
Companies unable to adopt the standard clauses—due to specific factual or legal constraints—may submit alternative clauses for ANPD approval. However, such flexibility is limited and subject to strict justification.
In practice, the official SCCs will be the default path for most international data transfers involving Brazil.
What Foreign Companies Should Do Now
The 12-month window is already ticking. International groups operating in Brazil or processing Brazilian data should urgently:
- Map all international data transfers involving Brazil;
- Identify contracts and vendors requiring updates;
- Insert ANPD’s SCCs where applicable;
- Publish the required transparency notice online in Portuguese;
- Monitor for further ANPD guidance or enforcement trends.
Strategic Compliance: Beyond Legal Risk
Resolution No. 19 is part of a global trend toward standardized but locally enforced privacy frameworks. For GDPR-compliant companies, Brazil’s new rules offer a chance to reaffirm leadership in data governance.
Those who act early can avoid last-minute fire drills, reduce regulatory exposure, and strengthen credibility with Brazilian regulators and consumers.
In today’s data economy, privacy compliance is more than a legal duty—it’s a business differentiator.