The Brazil Data Protection Agency (“ANPD”) on August 15, 2023 released a draft of the International Transfer of Personal Data Regulation (“Regulation Draft”) and the standard contractual clauses (“SCCs”) for public comment. Interested parties can submit comments to the provisions of the Regulation between August 15 and September 14, 2023. After the comments period is closed, the ANPD will hold a public hearing to discuss the draft at a date to be determined. Once the Regulation Draft is approved, it will take effect immediately upon publication and companies will have 180 days to incorporate in their existing SCCs agreements the ANPD’s version or implement new agreements with the ANPD SCCs.
By way of background, the ANPD is the agency charged with implementing Brazil’s General Data Protection Law (“LGPD”). The LGPD is Brazil’s all-encompassing data protection law similar to the European Union’s GDPR. The LGPD imposes certain requirements on data processing agents (which include controllers and processors of data) to safeguard the data privacy rights of individuals (data subjects).
The newly issued Regulation Draft provides that the ANPD will determine which jurisdictions have an adequate level of data protection that will allow the free flow of personal data between Brazil and such countries, but the ANPD will prioritize the review of jurisdictions that provide reciprocal protections. It may take some time before we have a list of countries with data protection levels the ANPD deems adequate. In the interim, multinational countries will have to rely on other possible mechanisms to transfer personal data from Brazil.
According to the Regulation Draft, the ANPD may recognize as an equivalent the SCCs of other countries, upon their review and approval. The review procedure may be started by the ANPD or an interested party, but the ANPD will prioritize the review of those SCCs that can be widely used by processing agents performing international transfers of data in similar circumstances. Foreign SCCs recognized by the ANPD as equivalent will be considered a valid alternative.
The Regulation Draft also provides for the approval process of specific contractual clauses and global corporate rules, but it does not include the expected timeline for the review and approval of such.
A more readily available mechanism will be the ANPD SCCs, and the Regulation Draft includes a SCC Draft template, which companies may eventually choose to use, although there will be some challenges if the SCC Draft remains as-is after the public consultation.
The ANPD opted to create only one module of SCCs and it is in many aspects different from the EU SCCs. One provision that immediately catches one’s attention is that regardless of whether the exporter or importer is named as the responsible party for certain measures (as the Designated Party), the controller will ultimately remain responsible for (i) compliance with the obligations under the law and the agreement, (ii) responding to the ANPD, (iii) guaranteeing the data subject’s rights and (iv) the reparation of damage they may suffer. Moreover, when exporter and importer are processors, the controller, which instructs the processor that exports the personal data to the importer outside Brazil (the “Third-Party Controller”), must co-sign the SCCs and be ultimately responsible for the obligations mentioned above.
By Renata Neeser via Littler.