Brazil Set to Join the GDPR Adequacy Club

Since the General Data Protection Regulation (GDPR) took effect in 2018, the European Union (EU) has granted adequacy status to only a limited number of jurisdictions — those whose data protection regimes are deemed to provide an “essentially equivalent” level of protection to that of the EU. The current list includes Andorra, Argentina, Canada (under PIPEDA), Faroe Islands, Guernsey, Isle of Man, Israel, Japan, Jersey, New Zealand, South Korea, Switzerland, Uruguay, the United Kingdom, and the United States (limited to companies certified under the Data Privacy Framework).

As of 5 September 2025, Brazil is on the verge of joining this exclusive group. The European Commission has issued a draft adequacy decision concluding that the Brazilian General Data Protection Law (Lei Geral de Proteção de Dados Pessoais – LGPD), in conjunction with Brazil’s broader legal and constitutional framework, offers protections that are essentially equivalent to those found in the GDPR. While Brazil’s rules offer somewhat more flexibility in specific areas of data processing, the foundational principles and safeguards are well-aligned with EU standards.

Once finalized, the adequacy decision will authorize the free flow of personal data from the EU to Brazil without the need for additional contractual clauses or technical safeguards. Such a development is not just regulatory — it also answers a core political argument made by LGPD advocates since its inception: that the absence of a comprehensive data protection framework was undermining Brazil’s international competitiveness by limiting data flows and discouraging investment. For businesses, the EU decision may finally mean the removal of a significant layer of compliance complexity — a development especially welcome by small and medium-sized enterprises engaged in cross-border trade or service provision. The draft is currently under review by the European Data Protection Board (EDPB) and the Member States of the EU.

The Commission’s assessment highlights several key aspects of Brazil’s data protection landscape. It begins by noting that the Brazilian Constitution expressly guarantees the right to privacy and the protection of personal data — a notable distinction among non-EU jurisdictions. These protections are further supported by Brazil’s ratification of the American Convention on Human Rights and its recognition of the jurisdiction of the Inter-American Court of Human Rights, reinforcing a commitment to fundamental rights and democratic oversight.

The LGPD mirrors the GDPR in many critical respects and defines its territorial scope clearly. It applies to: (i) data processing carried out within Brazilian territory, (ii) the offering of goods or services to individuals in Brazil, and (iii) data collected in Brazil, even if subsequently processed abroad. This aligns well with the extraterritorial provisions of the GDPR. The definitions of personal data, sensitive data, controller, and processor are materially similar, as are the key principles governing processing — including lawfulness, purpose limitation, data minimization, accuracy, transparency, and security. The law expressly excludes anonymized data from its scope and establishes specific exemptions for journalistic activities, public security, and scientific research.

Another strength is Brazil’s institutional framework. The National Data Protection Authority (ANPD) was recently transformed into an autonomous regulatory agency, enhancing its independence and technical capacity. The ANPD holds both regulatory and enforcement powers: it can issue binding regulations, impose administrative sanctions, and publish authoritative guidance. To date, it has issued key guidelines on topics such as consent, legitimate interest, the role of the Data Protection Officer (DPO), and security incident reporting. Internationally, the ANPD is an active participant in global data protection dialogue — it is a member of the Global Privacy Assembly and an official observer to the Council of Europe’s Convention 108.

The LGPD’s approach to international data transfers is also structurally aligned with the GDPR. It requires appropriate safeguards such as standard contractual clauses, allows for future adequacy decisions under a regime comparable to Article 45 of the GDPR, and includes detailed provisions for onward transfers and transit data — that is, data merely passing through Brazil without further processing. The rights of data subjects are robust and familiar to European practitioners: access, rectification, erasure, portability, and withdrawal of consent are guaranteed. Lawful bases for processing are also aligned — including consent, legal obligations, contract execution, and legitimate interest. Notably, the LGPD requires a documented balancing test when relying on legitimate interest, bringing additional accountability to this flexible legal basis.

Security incidents involving personal data must be notified to both the ANPD and affected data subjects when there is a significant risk of harm. The standard notification deadline is 72 hours, and the required content aligns closely with Articles 33 and 34 of the GDPR. The ANPD may also order public disclosure of incidents or require remedial measures, depending on the nature and scope of the breach.

Importantly, this process is not one-sided. In parallel to the European Commission’s adequacy decision, the ANPD is conducting its own adequacy assessment of the EU and EEA data protection frameworks. This process is regulated by the Brazilian Resolution CD/ANPD No. 19/2024, which governs international data transfers. Once the technical and legal evaluation is complete, the ANPD’s Board of Directors will issue a formal decision. This reciprocal move reflects Brazil’s commitment to mutual recognition and regulatory symmetry — a positive signal for companies on both sides of the Atlantic.

In conclusion: If confirmed, Brazil’s adequacy status will simplify international operations, reduce compliance costs, and expand opportunities for data-driven business and legal cooperation. For European lawyers advising SMEs with interests in Latin America, this development is a strategic signal: Brazil is emerging not just as a growing market, but as a legally compatible and data-safe jurisdiction for international partnerships.