Brazil and the European Union recognize mutual adequacy in the protection of personal data

Brazil and the European Union recognize mutual adequacy in the protection of personal data

On 26 January, Brazil and the European Union mutually recognized that their respective legal frameworks ensure a compatible level of protection of personal data for the purposes of international data transfers. As a result, personal data may flow between the two jurisdictions without the requirement of prior or specific authorization, under conditions equivalent to those applicable to intra-jurisdictional transfers within each legal order.

Within the framework of the European Union’s General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, transfers of personal data from the European Union to third countries may take place either on the basis of specific authorization, pursuant to Article 46, or through an adequacy decision under Article 45, when the European Commission concludes that the recipient country ensures an adequate level of protection. Such assessment takes into account, inter alia, respect for fundamental rights, the existence and effective functioning of an independent supervisory authority, and the rules governing access to personal data by public authorities.

With the adequacy decision, it was concluded that Brazil and the EU offer equivalent levels of personal data protection, allowing for the direct, secure, and streamlined flow of data between the parties, without the need for additional transfer mechanisms.

Within the Brazilian legal framework, the possibility of recognizing adequacy is likewise expressly provided for. Resolution CD/ANPD No. 19, of 23 August 2024, lays down the rules applicable to international transfers of personal data and provides that the National Data Protection Authority (Autoridade Nacional de Proteção de Dados – ANPD) may recognize, by means of an adequacy decision, that a foreign country or international organization affords a level of personal data protection equivalent to that established under Brazilian law. On that basis, the ANPD, by Resolution No. 32 of 26 January 2026, recognized that the European Union ensures a level of protection compatible with Brazil’s General Data Protection Law (Lei Geral de Proteção de Dados – LGPD).

The mutual recognition of adequacy establishes a framework of trust for international transfers of personal data, by removing the need for instruments such as standard contractual clauses or binding corporate rules. This reduces regulatory costs and administrative burdens for economic operators active in both markets, facilitates digital trade, enhances competitiveness, and expands access to opportunities within the European market of approximately 450 million consumers. It also contributes to the attraction of investment by strengthening legal certainty and demonstrating the institutional maturity of Brazil’s data protection regime.

In the area of scientific and digital cooperation, the adequacy decision reinforces the bilateral agenda on science, technology and innovation by creating favorable conditions for the development of joint initiatives in strategic areas such as connectivity, artificial intelligence, data governance, biodiversity, health, sustainable cities and space cooperation. As highlighted by Minister Luciana Santos, existing flagship projects, including the Bella submarine cable connecting research networks in Europe and Latin America, are expected to benefit from renewed momentum.

Notwithstanding the facilitation introduced by the adequacy decision, experts have underlined that adequacy should be regarded as a starting point rather than an end point. In a webinar organized by the ANPD, Andriei Gutierrez emphasized that Brazilian companies must continue to comply with requirements relating to cybersecurity, interoperability and digital sovereignty. In order to export services to the European Union, economic operators will remain subject to additional sector-specific EU legislation, particularly in the financial, health and technology sectors, including Directive (EU) 2022/2555 on measures for a high common level of cybersecurity (NIS 2), the European Health Data Space (EHDS), Regulation (EU) 2022/2554 on digital operational resilience for the financial sector (DORA), and the EU Artificial Intelligence Act (AI Act).

For natural persons, mutual adequacy strengthens the protection of the fundamental rights to privacy and to the protection of personal data, ensuring that such rights are respected in cross-border data flows through effective supervision and enforcement mechanisms consistent with the standards recognized in both legal systems. This protective environment provides the foundation for the expansion of secure and trustworthy digital services, including online platforms, banking services and technological applications that rely on international transfers of personal data.

The EU Adequacy Decision is available at: Adequacy Decision

The GDPR is available at: Regulation (EU) 2016/679 – GDPR – EUR-Lex

Resolution CD/ANPD No. 19, of 23 August 2024, is available at: ANPD – Resolution CD/ANPD No. 19

Resolution No. 32, of 26 January 2026, is available at: Official Gazette (DOU) – Resolution No. 32

The webinar organised by the ANPD is available at: Webinar – Adequacy Decision between Brazil and the European Union

Note: For quick release, this English version is provided by automated translation without human review.