The Brazilian DPA (ANPD) is examining ways to re-regulate international data transfers, moving away from the present GDPR-inspired restrictions. The Brazilian DPA has announced that it intends to base the new discipline on the SCCs of New Zealand and Singapore as they are more practical for companies.
International data transfer is very normal in today’s well-connected, electronic society – just look at the volume of data transported to data centres in other countries. That’s why the Brazilian Data Protection Authority (ANPD) is examining ways to re-regulate international data transfers, moving away from the present GDPR-inspired restrictions. The Brazilian DPA has announced that it intends to base the new discipline on the SCCs of New Zealand and Singapore as they are more practical for companies.
To better understand what’s happening, let’s look into Article 3 of the General Data Protection Act (LGPD), which states:
“this Act applies to any processing operation carried out by a natural or legal person under public or private law, whatever the medium, the country of its headquarters or the country where the data are located, provided that: II – the processing activity has as its object the offer or supply of goods or services or the processing of data of natural persons located in the national territory; or III – the personal data undergoing processing have been collected in the national territory. The personal data whose owner is present at the time of collection are considered collected in the national territory”.
The LGPD reserved articles 33 to 36 to deal with international data transfer to overseas countries or bodies. ANPD will evaluate the foreign country’s level of data protection, taking into account:
- the general and sectorial rules of the legislation in force in the country of destination or international body;
- the nature of the data;
- compliance with the general principles of personal data protection and the rights of holders provided in this Law; and
- the adoption of the security measures provided by regulation.
Article 33 emphasizes that international transfers may be permitted, among other things, when the data controller offers and proves guarantees of compliance with the principles, the data subject’s rights, and the data protection regime, or when the data subject has given his express and express consent to the transfer, after being informed of its international nature and clearly distinguishing it from other purposes.
ANPD has acted forcefully to govern the law; it has developed orientation guides, encouraged public hearings to listen to civil society, and has an agenda with deadlines and topics to be addressed, including international data transmission.
Professionals working in data protection are accustomed to examining European legislation because, in addition to the European Union’s level of development, it is obvious that Brazilian law was influenced by the General Data Protection Regulation (GDPR).
However, European legislation is not the sole source of guidance on the subject; other legislation, especially that of nations with circumstances more comparable to Brazil’s, has much to teach.
Those who have only learned from studying the GDPR will need to broaden their horizons; as Miriam Wimmer, director of the ANPD, stated during her participation in the 11th Internet Forum in Brazil, in terms of international data transfer, the ANPD appears to prefer standard contractual clauses (SCC).
“…after conversations with other countries, we thought it would be interesting to start with standard contractual clauses, because they are ready-to-use mechanisms that are easy for large companies to use in their international contracts, without generating too much cost and time”.
Director Miriam stressed that, while based on EU standard contract clauses, the New Zealand and Singapore standard clauses are the best way forward at the moment because they are simpler.
Given that the transnational flow of data will become more intense as the number of cross-border transactions increases, it is essential to simplify data transfer so as not to negatively impact business or impede international trade while also protecting personal data.
In the context of international data flow, it is necessary to mention Mercosur Decision No. 15/2020, published in January 2021, regarding the agreement on electronic commerce, in which the countries that are part of the mentioned economic area are entitled to the possibility of carrying out the cross-border transfer of information or data in a simplified manner for the purpose of carrying out commercial activity.
According to the aforementioned document, each member state may have its own regulatory instruments, including those related to data protection, with the rule being the free movement of data, obviously, with information security and instruments to ensure data transfer in a more secure manner, such as the anonymization mentioned in the agreement. The ANPD may choose to align the aforementioned agreement with the LGPD.