Introduction

In recent years, data protection has emerged as one of the most important issues in corporate compliance. As the global digital economy expands, the instantaneous exchange of data across different countries has made international data transfer a central point for data protection compliance. For all companies involved in cross-border transactions, ensuring compliance has become not only a regulatory obligation, but also a decisive competitive advantage.

In Brazil, the Federal Law No. 13,709/2018 (“Brazilian General Data Protection Law” or “LGPD”) provides for the appropriate processing of personal data by an individual or legal entity, including appropriate procedures for international data transfers. On this topic, the National Data Protection Agency Authority (“ANPD”) published Resolution No. 19/2024 (“Resolution”), which regulates the procedures for international data transfer.

This article aims to outline the key obligations introduced by Resolution No. 19/2024 and to provide guidance on how companies should address international data transfer in order to comply with data protection rules.

Regulatory framework for international data transfer

Brazilian law establishes that international data transfers are allowed in certain occasions and under specific safeguards. Examples include situation where the recipient country or international organization ensures an adequate level of data protection, the controller offers sufficient guarantees of compliance with the principles, rights, and safeguards set forth in the LGPD or when there is specific consent for the international data transfer.

It is worth mentioning that the Resolution applies specifically to operations involving the transfer of personal data from a processing agent located in Brazil to another processing agent located abroad or to an international organization of which Brazil is a member. Therefore, the mere collection of personal data directly from data subjects through cross-border platforms (such as e-commerce websites) does not, by itself, constitute an international data transfer subject to the Resolution's requirements.

In this context, processing agents have until August 2025 to implement the necessary compliance measures before becoming subject to the sanctions provided under the LGPD. Among these measures is the adoption of standard contractual clauses (“SCCs”), which are pre-approved contractual instruments that establish minimum guarantees and safeguards for international data transfers and that must be adopted without any modification. The SCCs impose obligations on both the data exporter (the Brazilian entity) and the data importer (the foreign recipient), including commitments to process data solely for specified purposes, implement appropriate technical and organizational security measures, and cooperate with the ANPD in the event of investigations or enforcement actions.

In exceptional circumstances, the processing agent may seek ANPD’s approval for specific contractual clauses that deviate from the standard language in order to align them with the scope of a specific agreement. This option is available when the SCCs are not fully compatible with the services and obligations outlined in the contract – in such instances, a formal justification must be submitted for review and assessment of the authority.

Another available mechanism is the adoption of Binding Corporate Rules (“BCRs”) – which are internal data protection policies designed to govern company’s operations both domestically and internationally. This strategy is particularly effective for multinational groups with integrated activities across multiple jurisdictions, as it standardizes data processing procedures and simplifies internal transfers among group members, thereby reducing the risk of compliance breaches. The implementation of BCRs, however, requires specific approval from the ANPD.

These are only a few possibilities that the LGPD outlines for the compliance with its rules. The other ones usually require for a prior approval or a formal determination by ANPD.

Conclusion

As evidenced by recent developments, is firmly positioning itself as a trusted global player in data protection and the country’s regulatory effort is not in vain. In September 2025, the European Commission issued a Draft Adequacy Decision recognizing that Brazil provides a level of data protection essentially equivalent to the GDPR’s requirements. This development represents a major advancement in Brazil's integration into the global data protection framework as it is the initial step of the formal procedure to facilitate bilateral data flows between Brazil and the European Union without the need for additional safeguards.

Brazil’s data protection framework signals a broader institutional commitment to protecting the rights of data subjects, and the obligations introduced by the Resolution require companies to undertake an active effort to comply with it. In this regard, since the deadline for complying with the Resolution expired in August 2025, organizations that have not yet implemented the required safeguards may face sanctions under LGPD.

Accordingly, a key measure is adopting a Data Protection Policy tailored to the specific activities of the company, alongside with the implementation of a data protection program designed to ensure the compliance with regulatory requirements.

In this scenario, many organizations, particularly those with complex cross-border operations, may need for specialized counsel to provide the adequate assistance to grant that the mechanisms adopted are tailored to each organization. By complying with their obligations, organizations may transform data protection from an obligation into a strategic asset that enhances their reputation, strengthens their relationships with business partners and customers in an increasingly data-driven economy.

Authors: Salim Saud, Leonardo Kozlowski, Ana Chaves, Isabelly Nunes, Ana Loiola.