In brief

On 5 September 2025, the European Commission published the Draft Adequacy Decision recognizing Brazil as a country that ensures an adequate level of protection for personal data, pursuant to Article 45 of the General Data Protection Regulation (GDPR). This proposal marks the beginning of the formal procedure to authorize the transfer of personal data from the European Union to Brazil without the need for additional safeguards, effectively treating such transfers as equivalent to those occurring within the EU. The decision must still undergo several procedural steps, including the issuance of an opinion by the European Data Protection Board (EDPB), approval by the Member States, and its subsequent adoption by the European Commission. Once formally adopted, the measure is expected to facilitate international data flows and strengthen regulatory cooperation between Brazil and the European Union in the field of data protection.

Further details

On 5 September 2025, the European Commission presented a draft adequacy decision regarding Brazil, recognizing that the country ensures a level of protection for personal data substantially equivalent to that required under the GDPR, in accordance with Article 45 of the Regulation. If confirmed, the decision will allow the transfer of personal data from the European Union to Brazil without the need for additional safeguards, such as standard contractual clauses or binding corporate rules, significantly simplifying the dynamics of cross-border operations. The European process, however, is not yet complete: the proposal must still be reviewed by the EDPB, approved by Member State representatives, and subsequently submitted to the European Parliament and the Council for formal adoption.

An adequacy decision, as provided for in Article 45 of the GDPR, has the legal effect of treating data transfers to a third country as if they were taking place within the Union. To that end, the third country’s legal framework must provide strong guarantees of respect for fundamental rights, oversight by an independent supervisory authority, and effective redress mechanisms. Countries such as Japan, South Korea, Canada, Argentina, and Uruguay have already received this recognition, forming a select group that Brazil may soon join.

In Brazil’s case, the assessment considered the Brazilian General Data Protection Law (Lei Geral de Proteção de Dados, or LGPD), constitutional guarantees of privacy and intimacy, and the role of the Brazilian Data Protection Authority (Autoridade Nacional de Proteção de Dados, or ANPD) as an independent body with regulatory, supervisory, and enforcement powers. LGPD sets forth rights and principles that closely mirror those of the GDPR, including purpose limitation, necessity, transparency, security, and accountability. This alignment was further strengthened on 23 August 2024, when ANPD issued Resolution No. 19/2024, establishing the Regulation on International Data Transfers and approving Brazilian Standard Contractual Clauses (BR-SCCs). The regulation set a 12-month adaptation period, which ended on 23 August 2025, after which only SCCs approved by the authority, or instruments deemed equivalent by ANPD, became valid transfer mechanisms for compliance with LGPD. The framework also allows for the use of other mechanisms, such as binding corporate rules or specific clauses if authorized by the ANPD.

The publication of the draft decision by the European Commission takes place in parallel with the ANPD’s own efforts to finalize its technical and legal assessment aimed at recognizing the European Union as an adequate jurisdiction under the LGPD. If confirmed, this would establish a mutual recognition regime, consolidating regulatory interoperability and legal certainty between the two jurisdictions. According to ANPD, such assessment is in its final stages and should be concluded soon.

* * * * *

Trench Rossi Watanabe and Baker McKenzie have executed a strategic cooperation agreement for consulting on foreign law.