ANPD publishes Regulation on International Data Transfer
On August 23, 2024, the National Data Protection Authority (ANPD) published Resolution CD/ANPD No. 19/2024, which approves the International Data Transfer Regulation and establishes the content of the standard contractual clauses (Regulation).
The Regulation establishes procedures and rules to authorize international transfers of personal data, including contractual mechanisms and guidelines for the recognition of adequacy of other countries or international organizations by ANPD.
What is new
The first contribution of the Regulation is conceptual. ANPD has defined the meaning of “transfer” (the transmission, sharing, or availability of access to personal data between processing agents), “international transfer” (the transfer of personal data to a foreign country or international organization of which the country is a member), and “international collection” (when a processing agent located abroad collects data from a data subject).
Based on this, the Regulation clarifies that the international collection of personal data directly from the data subject, through a website, for example, is not an international transfer of personal data. Article 8, paragraph 1, also informs the situations in which the LGPD will not be applicable in case of data processing from abroad.
Another relevant concept is that of “international data transfer mechanism”, which refers to the hypotheses provided by article 33 of the LGPD. Although the international data transfer is a processing activity, it cannot be justified only on the legal basis that authorizes the “general” processing of personal data: it is also necessary to indicate the mechanism that authorizes the international transfer itself.
The Resolution assigns to the controller the responsibility for verifying whether a given transfer (i.) is international, (ii.) is subject to the LGPD and (iii.) is supported by some legal hypothesis and a valid international transfer mechanism. However, two new concepts are introduced for the purposes of applying data protection legislation that are not to be confused with the already known “processor” and “controller”. When it comes to international data transfer, the ANPD will also look at the “exporter”, which is the processing agent who sends the data abroad (and may be a controller or processor) and the “importer”, who receives the data abroad (and may also be a controller or processor).
What mechanisms were detailed in the Regulation?
1. Adequacy Decision
This is an important mechanism to allow the free international flow of data, which dismisses, for example, the use of standard contractual clauses, if the importer is in a country or is an international organization recognized by the ANPD. The applicability of this mechanism will depend, however, on the publication of a decision by the ANPD recognizing the adequacy of countries or international organizations that provide a level of protection for personal data adequate to that provided for in the Brazilian legal system.
To this end, the Regulation establishes the procedures and criteria for the recognition of adequacy. The procedures for the adequacy decision include technical and legal analysis and deliberation by ANPD’s Council of Directors through a specific Resolution. Among the points to be considered is the fact that the legislation applicable to the importer establishes obligations for processing agents to implement adequate security measures, as well as the existence and operation of an independent regulatory body, with competence to ensure compliance with data protection rules.
2. Standard Contractual Clauses
This mechanism should be the most used while ANPD does not issue adequacy decisions. ANPD opted for a rigid model of standard contractual clauses, so that the validity of the international transfer supported by this mechanism will depend on the use of the draft attached to the Regulation without any change in the text (which also cannot be modified or contradicted by other contractual instruments signed between the exporter and the importer).
If the mechanism adopted by processing agents to carry out international transfers is contractual clauses, it will be necessary to incorporate the standard contractual clauses approved by the ANPD into the contractual instruments within twelve months.
However, ANPD could also recognize the equivalence of standard contractual clauses from other countries or international organizations. The procedure for this recognition can also be initiated at the request of interested parties, which could avoid the review of multiple contracts already entered into based on the standard clauses of the European Union or ASEAN (Association of Southeast Asian Nations), for example.
Finally, it should be noted that the Regulation introduced transparency measures related to the standard clauses, determining that the controller must make available to the data subject the full text of the clauses used to carry out the international transfer and publish on its website information on international transfers, such as the country of destination of the transferred data. Therefore, it will be important to update privacy policies.
3. Specific Contractual Clauses
The controller may request ANPD to approve specific contractual clauses, provided that they offer and prove a guarantee of compliance with the principles, the rights of the data subject and the data protection regime provided for in the LGPD.
Please note: these clauses have been regulated as a residual mechanism, which can only be approved when the controller proves that the data transfer cannot be carried out by the contractual standard clauses.
4. Binding Corporate Rules
International transfers of personal data between companies of the same group or conglomerate can be based on the use of “binding corporate rules” or BCRs, a mechanism provided for in the LGPD. However, it is necessary to be careful: the BCRs must be approved by ANPD (and submitted for new approval whenever they change). The list of approved BCRs will be published on ANPD’s website, alongside the list of specific contractual clauses.
The full text of ANPD Resolution No. 19 is available at this link.
Souto Correa’s Data Protection & Cybersecurity team is available to provide more information on the subject and assist in adapting to the new Regulation.