International data transfer mechanisms have become crucial instruments for the development of the digital economy and for ensuring the effective protection of personal data as they cross borders. In a globalized world, the dynamics of information sharing flows on a cross-border scale, especially through the Internet, require that the regulation of international transfer be one of the conditions of possibility not only for the protection of privacy and data subjects’ rights, but also for technological and economic development at both the international and national level.
The Brazilian General Data Protection Law (LGPD) defines international data transfer as the “[…] transfer of personal data to a foreign country or international body of which the country is a member” (Article 5, item XV). Interestingly, the provisions of the LGPD do not apply to the processing of personal data “originating from outside the national territory and which are not the object of communication, shared use of data with Brazilian processing agents or the object of international data transfer with a country other than the country of origin, provided that the country of origin provides a degree of protection of personal data adequate to that provided for” in the LGPD.
Chapter V of the LGPD, which deals specifically with International Data Transfers, presents, in its article 33, the legal hypotheses that authorize the international transfer of personal data. Under Brazilian law, the international transfer of data may occur provided that it is compatible with one of the following situations: (a) it is carried out only to countries or international bodies that provide a degree of protection of personal data adequate to that provided for in the LGPD; (b) when the controller offers and proves guarantees of compliance with the principles, the rights of the data subject and the data protection regime provided for in the LGPD, in the form of specific contractual clauses for a given transfer; standard contractual clauses; global corporate standards and seals, certificates and codes of conduct regularly issued; (c) when the transfer is necessary for international legal cooperation between public intelligence, investigation and prosecution bodies, in accordance with the instruments of international law; d) when the transfer is necessary for the protection of the life or physical safety of the data subject or of a third party; e) when the national authority authorizes the transfer; f) when the transfer results from a commitment made in an international cooperation agreement; g) when the transfer is necessary for the execution of a public policy or legal assignment of the public service; h) when the data subject has provided his or her specific and explicit consent to the transfer, with prior information on the international nature of the operation, clearly distinguishing it from other purposes and i) in compliance with certain legal bases present in article 7 of the LGPD.
Furthermore, article 35 of the LGPD states that the ANPD shall define the content of standard contractual clauses, as well as the verification of specific contractual clauses for a given transfer, global corporate standards or stamps, certificates and codes of conduct, described in article 33. Additionally, paragraph 1 of article 35 establishes that, for the verification provided in the head of article 35, the requirements, conditions and minimum guarantees for the observance of the rights, guarantees and principles of the LGPD must be considered when transferring personal data to another jurisdiction.
Although the Brazilian personal data protection legislation was strongly influenced by the European GPDR, the Brazilian legislator chose to leave the regulation of several provisions of the law to the National Data Protection Authority (ANPD). Thus, according to Ordinance No. 11/2021 (ANPD’s regulatory agenda for the biennium 2021-2022), the ANPD will begin the regulatory process on international data transfer that is provided for in articles 33 to 36 of the LGPD in the first half of 2022.
The ANPD, when regulating the subject, will have to take a position on which countries or international bodies will be recognized as having an adequate degree of protection to the provisions of the LGPD, as well as defining the content of standard contractual clauses, and also verifying specific contractual clauses for a particular transfer, global corporate standards, stamps, certificates or codes of conduct (according to articles 33 and 35 of the LGPD).
The regulation of the subject by the ANPD is in its first stage: the call for contributions to be made by experts and civil society. According to the authority itself, “the call for contributions consists of an important regulatory instrument that aims to obtain elements, information and data relevant to the regulatory process by listening to the different actors who will possibly be affected by the publication of the normative act”. The ANPD considers that there is urgency in regulating the subject, that starting with standard contractual clauses is the option that makes the most far-reaching mechanism available to society, and that the regulation of specific contractual clauses and global corporate standards follows fundamentally similar requirements to those of SCCs, so that the authority opted to include in a first block of regulation these three instruments, called “contractual instruments”. The deadline for submissions is the end of this month, and the questions can be accessed here.
LegalTech Talks
We at Opice Blum, Bruno e Vainzof believe that in the networked, globalized society in which we live, the point of view of a single industry or a single country is not sufficient to adequately conduct the discussions that must be held around issues such as data protection, privacy, artificial intelligence, content curation – to name a few. With this in mind, once a month we invite experts in their fields – entrepreneurs, lawyers, academics, politicians – for a brief conversation about the most relevant technology issues regarding the legal universe. From a global, multisectoral and multidisciplinary approach, we want to get insights that allow us to better reflect on how technological innovations affect – or may affect – our lives, and also how the Law can contribute to debates that are as important as they are urgent. We call it LegalTech Talks.
Our first meeting took place last month, and featured none other than Trevor Hughes, CEO and President of the International Association of Privacy Professionals (IAPP), the world’s largest comprehensive global information privacy community. Hughes spoke about his experience with privacy and data protection, and what led him to this field. Hot topics were also covered, such as the leaked draft opinion from the court that would overturn decades-old abortion rights enshrined by Roe v. Wade and the perspectives on US federal regulation of privacy and data protection. You can check out the whole conversation here. In the first week of July, we will be joined by Dr. Anna Zeiter, Associate General Counsel and Chief Privacy Officer at eBay. Don’t miss it!
