Year XVIII – No. 42
ANPD APPROVES RESOLUTION 19/2024 ON INTERNATIONAL TRANSFER OF PERSONAL DATA
October 14, 2024 | Publications
I. INTRODUCTION
1. Companies often do not realize that in their operational activities they carry out international data transfers. For example, if a company located here in Brazil contracts a cloud data storage service with a local subsidiary of a foreign company, and the data is collected here and stored on a local server, but subsequently transferred to other servers abroad, an international data transfer has already occurred.
2. Therefore, in order to characterize an international data transfer, one must first identify whether the data was collected in Brazil and subsequently shared, transferred, or made available to third parties located abroad. ¹
3. The international transfer of personal data is provided for in articles 33 and 35 of the LGPD (Law 13.709/2018). It can be inferred from article 33 that the premise for the international transfer of personal data to occur without the express consent of the data subject is that the country to which the data will be transferred adopts data protection standards equal to or higher than those adopted by Brazil. If this guarantee is not provided within the scope of Brazilian regulation, then in the private sphere, protective clauses should be guaranteed, either as standard clauses or with clauses negotiated between the parties.
4. There are other mechanisms available for a legitimate international transfer of personal data to occur without the consent of the data subject, such as: (i) the protection of life or physical safety of the data subject or of a third party; (ii) if the transfer is necessary for international legal cooperation between public intelligence, investigation and criminal prosecution agencies, such as in the fight against terrorism and money laundering; (iii) for the execution of a contract, or procedures preceding it; (iv) for compliance with a legal or regulatory obligation by the data Controller.
5. Thus, in order to clarify the rules applicable to international data transfers, the Brazilian Data Protection Authority (“ANPD”) approved Resolution CD/ANPD 19/2024, the main topics of which are summarized below.
II. OVERVIEW
1. Publication. With the publication, on August 23, 2024, of Resolution 19 of the Board of Directors of the ANPD (“Resolution CD/ANPD 19/2024”), international data transfers now have their own regulation, which is already in force.
2. Structure of the Resolution. Annex I of Resolution CD/ANPD 19/2024 establishes the procedures and rules for the international transfer of personal data (“Regulation”), whether through the recognition of adequacy of other countries or international organizations, or through standard contractual clauses, specific contractual clauses or global corporate rules. Annex II of Resolution CD/ANPD 19/2024 contains standard contractual clauses.
3. Applicability. The Regulation applies to transfer processing operations (transmission, sharing or making available) of personal data from a data processing agent (exporter) to another data processing agent (importer) located in another country or international organization of which Brazil is a member.
4. General Requirements. International data transfers may only be carried out to meet legitimate, specific, explicit and informed purposes to the data subject, without the possibility of subsequent processing in a manner incompatible with these purposes. Furthermore, international data transfers must be supported by one of the legal hypotheses provided for in articles 7 and 11 of the LGPD and by one of the valid mechanisms for carrying out international transfers. We will discuss two of these mechanisms below.
5. Responsibility of Data Processing Agents. The Controller is responsible for verifying whether the processing operation:
(i) characterizes an international data transfer;
(ii) is subject to national personal data protection laws; and
(iii) is supported by a valid legal hypothesis and international data transfer mechanism.
5.1 The Operator shall assist the Controller by providing necessary information it may hold.
5.2 The Controller and the Operator shall adopt effective measures capable of proving compliance with data protection standards and the effectiveness of these measures, in a manner compatible with the degree of risk of the processing and the international transfer mechanism used.
III. ADEQUACY DECISION BY ANPD
1. The Regulation provides for a specific procedure for the ANPD to issue a decision that the legislation of a given country is in line with national legislation, including the criteria for assessing the level of protection, in addition to the analysis of the risks and benefits provided by the adequacy and the impacts of the decision on the international flow of data.
2. To date, the ANPD has not issued any adequacy decision. While awaiting a list of countries to which international transfers of personal data may be made without the consent of data subjects, Controllers may seek support from another valid mechanism for international data transfers, such as Standard Contractual Clauses, Equivalent Standard Contractual Clauses, Specific Contractual Clauses and Global Corporate Rules.
IV. STANDARD CONTRACTUAL CLAUSES
1. Standard Contractual Clauses: Regarding the use of standard contractual clauses approved by the ANPD, they establish minimum guarantees and valid conditions for carrying out international transfers. When opting to use standard clauses, it is assumed that they will be adopted in full and without alteration of the text, by means of a contractual instrument signed between the data importing/exporting processing agents.
2. Obligations of the Controller: When using standard contractual clauses, and in order to guarantee transparency to the data subject, the Controller must:
(i) make available to the data subject, if requested and within 15 days, the full clauses relating to international transfers, taking into account commercial and industrial secrets; and
(ii) publish on its website a document containing information in Portuguese, in a clear, precise and accessible manner, about the international data transfer, including certain information such as: (a) the form, duration and specific purpose of the international transfer; (b) the country of destination of the transferred data; (c) the identification and contact details of the Controller; (d) the shared use of data by the Controller and the purpose; (e) the responsibilities of the agents who will carry out the processing and the security measures adopted; and (f) the rights of the data subject and the means for exercising them, including an easily accessible channel and the right to petition the Controller before the ANPD.
3. Deadline for Adapting Contracts: Data processing agents that carry out international data transfers through standard contractual clauses will have a period of 12 months from the publication of the Regulation (up to August 23, 2025) to incorporate them into their respective contractual instruments.
V. SPECIFIC CONTRACTUAL CLAUSES
The Controller may also submit specific contractual clauses for the ANPD's prior approval. This will be permitted in exceptional situations, only when the international data transfer cannot be carried out through the standard contractual clauses, situations that depend on proof. The Regulation provides for the procedures and analysis criteria for approval by the ANPD.
VI. GLOBAL CORPORATE RULES
1. The Regulation also deals with global corporate rules for international data transfers between entities in the same group or conglomerate of companies, which are binding on the members of the group that subscribe to them.
2. These rules must be linked to the implementation of a privacy governance program that meets the requirements established in the LGPD (article 50, §2) and must also meet the minimum content determined in the Regulation itself, such as detailing the structure of the group or conglomerate of companies, with the list of entities involved, the role that each of them plays in the processing of data and the contact details of each entity that processes personal data.
3. Global corporate rules must be submitted for prior approval by the ANPD in the manner provided for in the Regulation.
VII. PRACTICAL MEASURES
In practice, a series of measures can be taken to comply with the Regulation, such as:
• Controllers must review their records of processing operations to verify which operations constitute international transfers of personal data, on what legal basis they are supported and which international data transfer mechanism was adopted.
• Further, Controllers must review the Privacy Policies or equivalent documents that they have already prepared, in order to adapt them to the requirements of the new Regulation on the international transfer of personal data, providing transparency to the data subject about the mechanisms for international data transfer and their compliance with ANPD Resolution 19/2024. The Controller must publish on its website, either on a specific page or integrated in a prominent and easily accessible manner in the Privacy Policy or in an equivalent instrument, information in a simple and clear manner about international data transfers, containing the items provided for in the Regulation.
• Controllers must also review the terms of contracts involving international data transfer. If they adopt the standard clauses set out in Annex II of the Regulation, the adaptation period is 12 months from the publication of Resolution CD/ANPD 19/2024.
• If other mechanisms are adopted (Equivalent Standard Contractual Clauses, Specific Contractual Clauses and Global Corporate Rules), Controllers may start taking steps to request ANPD’s approval, following the procedures set out in Resolution CD/ANPD 19/2024.
VIII. ADMINISTRATIVE SANCTIONS
Any failure to comply with Resolution CD/ANPD 19/2024 will subject the offender to the sanctions provided for in article 52 of the LGPD, such as warning, fine, suspension of the exercise of the activity of processing personal data, blocking of data, among others, which will be investigated in an administrative process provided for in Resolution ANPD 1/2021, also observing the provisions of Resolution CD/ANPD 4/2023, with regard to the dosage and application of administrative sanctions.
This article is not intended to be a legal opinion or advice. Each case should be analyzed based on its particularities.
BRENTANI RONCOLATTO ADVOGADOS
1. It is important to emphasize that the mere international collection of personal data – that is, collection carried out directly by the processing agent located abroad – does not characterize an international transfer. For example, in the B2C (business to consumer) operations of foreign websites, this does not characterize an international transfer, but rather a mere collection of personal data. Although it does not constitute an international transfer, the international collection of data is subject to the provisions of the LGPD whenever one of the connecting elements that attract the application of Brazilian law to the processing is verified, that is: (i) the processing of personal data is carried out in Brazil; (ii) the processing is aimed at offering or providing goods or services or processing data of individuals located in the country; or (iii) when the personal data subject to the processing have been collected in the country.