International Data Transfers – Brazil Recognized as Offering an Adequate Level of Protection

International Data Transfers – Brazil Recognized as Offering an Adequate Level of Protection

Brazil has just been recognized by the European Commission as offering an adequate level of protection for the processing of personal data. It is the 15th country or territory outside the European Union to benefit from this special status with regard to cross-border transfers of personal data.


On 26 January 2026, the European Commission adopted a new adequacy decision concerning Brazil. (1) This decision was followed by the publication, on January 27, of a reciprocal adequacy decision by Brazil. (2)

These two mutual adequacy decisions now allow organizations to transfer personal data to recipients and processors located, on the one hand, in the European Union and, on the other hand, in Brazil, without the need for additional transfer safeguards or specific formalities. (3) They apply to both private-sector and public-sector entities.

It should be noted that these decisions were adopted following the signing of agreements between the European Union and the Mercosur on 17 January 2026 (EU Mercosur Partnership Agreement – EMPA, and Interim Trade Agreement – ITA).

Adequacy decisions are granted by the European Commission pursuant to Article 45 of the General Data Protection Regulation (GDPR). They are based on a comprehensive assessment of the third country’s data protection regulations to assess their level of equivalence with European regulations. This assessment goes beyond the mere existence of personal data protection legislation and examines, in particular, the existence and effective functioning of an independent supervisory authority, the respect for the rule of law, and the international commitments entered into by that country.

The adequacy procedure consists of four stages: 1. an adequacy proposal issued by the European Commission; 2. an opinion issued by the European Data Protection Board (EDPB); 3. the approval by the representatives of the EU Member States; and 4. the formal adoption of the adequacy decision by the Commission.

The preliminary review process may take several months, or even several years, and may involve requests for amendments to the third country’s legal or regulatory framework. However, an adequacy decision does not require the third country’s regulation to be identical to the GDPR, but only that it provides an essentially equivalent level of protection.

The right to privacy and the protection of personal data are recognized as fundamental rights under the Brazilian constitution. Brazil adopted its general data protection law in 2018, followed by the establishment of an independent supervisory authority, the National Data Protection Agency (Agência Nacional de Proteção de Dados – ANPD), which performs functions comparable to those of European data protection authorities. (4)

Adequacy decisions adopted by the European Commission are not final. In order to ensure that the third country’s legal framework continues to meet the adequacy requirements under EU data protection law, adequacy decisions are subject to periodic review. Where the country concerned no longer ensures an adequate level of protection, the adequacy decision may be withdrawn.

With regard to Brazil, the adequacy decision should be reviewed by the Commission within four years.


     After Argentina and Uruguay, Brazil is the third country in South America to obtain an adequacy decision. This development reflects a broader trend across the American continent, where most countries have adopted or recently updated their personal data protection legislation, thereby aligning more closely with international data protection standards. (5)


* * * * * * * * * * *


(1) Commission Implementing Decision (EU) 2026/179 of 26 January 2026 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data by Brazil.

(2) Resolução CD/ANPD No. 32/2026

(3) This adequacy decision covers the European Economic Area (EEA), which includes, in addition to EU Member States, Iceland, Liechtenstein, and Norway.

(4) Brazilian General Data Protection Law (Lei Geral de Proteção de Dados – LGPD), Law No. 13,709 of 14 August 2018.

(5) See in this regard our articles relating to the Global CBPR system: “The Global CBPR System: A Compliance Framework for Cross-Border Data Flows Between Non-EU Countries” and “Personal Data Protection: A Comparative Analysis of the GDPR (EU) and the Global CBPR System”.

Bénédicte DELEPORTE
Avocat

Deleporte Wentz Avocat
www.dwavocat.com

February 2026

Retourner à la page des Actualités et Publications

Mots clés :

accessibilité numérique (8) adwords (3) ai (27) anssi (3) arcep (5) arcom (21) audiovisuel (4) audit (4) base de données (4) bitcoin (1) blockchain (8) cbpr (7) cgv (1) chine (1) cjue (1) cloud computing (3) cnil (22) commerce (4) communication (9) compliance (40) confidentialité (3) conformité (23) consommateurs (4) contrat (11) contrefaçon (10) cookies (6) copyright (5) cryptologie (1) csa (1) cybercriminalité (5) cybersquatting (3) data (1) data privacy framework (2) dma (4) données à caractère personnel (21) données personnelles (37) dpf (2) droit d'auteur (11) dsa (10) e-commerce (15) e-consommateurs (1) enfance (6) etats-unis (6) eu (24) europe (23) formation (4) fraude (3) gdpr (34) google (4) hébergeur (5) ia (19) ico (1) informatique (14) informatique et libertés (4) intelligence artificielle (18) internet (36) jeu vidéo (3) liberté d'expression (3) logiciel (13) loi informatique et libertés (5) loi sren (6) marque (3) métavers (3) méthode agile (2) monnaie électronique (1) moteur de recherche (7) nda (1) nft (4) nom de domaine (1) numérique (14) originalité (5) privacy shield (2) propriété intellectuelle (15) protection des données (15) publicité (6) référencement (4) réglementation (13) réseau (2) réseaux sociaux (11) responsabilité (10) responsable du traitement (14) rgpd (27) robotique (7) rpa (6) salariés (4) santé publique (1) sécurité (7) singapour (8) site web (5) us (3) vie privée (23)