The Importance of International Data Transfer

*This is an AI-powered machine translation of the original text in Portuguese

International data transfer mechanisms play a central role in ensuring efficient data flow between different countries. Among the possibilities that legitimize this data exchange is the recognition of foreign countries as capable of receiving personal data, which is known as "adequacy decisions." Typically, this recognition is carried out by the National Authority of each jurisdiction as a way to facilitate the flow of information from their country to others considered secure.

The National Data Protection Authority (ANPD) has opened a public consultation on the regulation of international transfers of personal data and the model of standard contractual clauses that Brazil will adopt. Among the possibilities outlined in the draft regulation are adequacy decisions. This step is significant not only to allow data controllers in Brazil to perform international transfers but also for Brazil to be recognized as a reliable recipient of personal information from other jurisdictions through this streamlined process.

In the ANPD's proposal, reciprocity is a key factor and should guide the Brazilian assessment of other jurisdictions in terms of personal data protection. This element makes it even clearer that regulation is essential not only for the outbound flow of data from Brazil but also for the inbound flow:

Art. 12, sole paragraph: "The ANPD will prioritize the evaluation of the level of data protection in foreign countries or international organizations that ensure reciprocal treatment to Brazil and whose recognition of adequacy enables the expansion of the free flow of international transfers of personal data between countries."

According to ANPD director Nairane Rabelo, the inclusion of the adequacy decision mechanism in the agency's regulatory proposal is crucial for advancing integration between Brazil and the European Union.

European Adequacy Decision Procedure

A leader in data protection, the European Union evaluates the following requirements in its adequacy decision procedure:

  1. Rule of Law and Respect for Human Rights: Evaluates the formal existence and implementation of the rule of law, as well as fundamental rights and human rights guarantees.
  2. Data Protection Legislation: Assesses general and sectoral laws related to personal data protection, professional conduct, security measures, and laws that may influence these guarantees and the actions of public authorities.
  3. Rules for Onward Data Transfers: Evaluates the criteria that the jurisdiction applies to determine the possibility of sending data to a third location.
  4. Data Subject Rights: Evaluates the existence and effectiveness of data subject rights in the jurisdiction.
  5. Independent Authority: Checks for the existence of an independent supervisory authority that can enforce data protection rules.
  6. International Commitments: Assesses international commitments related to data protection.

Following this multifactorial evaluation, the decision may or may not recognize the third country as suitable to receive personal data. Recognition may also be limited to certain parts of the territory or to a specific sector. Recognition is subject to periodic review, which can confirm or withdraw the "safe country" status depending on local developments. Currently, the following jurisdictions are considered safe: Andorra, Argentina, Canada (for commercial organizations only), South Korea, Guernsey, Isle of Man, Faroe Islands, Israel, Japan, Jersey, New Zealand, United Kingdom, Switzerland, and Uruguay.

Although the relevance and weight of each element need to be analyzed by the European Union, an assessment of GDPR adequacy decision criteria indicates that there are factors that could justify Brazil's recognition as a safe jurisdiction for receiving personal data from the EU, pending the determination of international transfer rules currently under discussion.

  1. Rule of Law and Human Rights: Recognition by the Federal Constitution, high ratification of international human rights treaties (e.g., the Pact of San Jose of Costa Rica), and strong engagement with the Universal Periodic Review (UPR).
  2. Data Protection Legislation: General Data Protection Law.
  3. International Transfer: Ongoing consultation.
  4. Data Subject Rights: "It is worth noting that, in 2022, CGF received 1,045 requests, including complaints and data subject petitions. Of these, only 1 complaint is pending proper closure." Monitoring cycle report, 2022.
  5. Independent Authority: Article 55-A. The National Data Protection Authority (ANPD) is created, a special autarky with technical and decision-making autonomy, its own assets, and headquarters in the Federal District. (Text amended by Law No. 14,460, 2022). General Data Protection Law.
  6. International Commitments: Ratification of Convention 108.

Rabelo emphasizes that in the past, the lack of independence of the ANPD prevented Brazil from being recognized as a safe location for receiving personal data, but this hurdle was overcome in 2022 with the transformation of the ANPD into an autarky. The director also highlights that "if we already have the Brazilian regulation on the subject, recognition decisions in other countries and international organizations can be expedited."

It is important to note that the absence of recognition of a jurisdiction as "safe" does not prevent international data transfer, as other alternatives, such as standard contractual clauses, can be used to ensure this flow. However, the adequacy decision simplifies data exchanges with foreign controllers by reducing the negotiation steps that need to be discussed between the parties, which tends to intensify transnational relations.

Therefore, the consultation regarding the Regulation of International Transfers of Personal Data and the model of Standard Contractual Clauses, more than governing the way personal data will be sent to other countries, is a crucial step in consolidating Brazil internationally as a safe location for receiving personal data from other jurisdictions.

 

Originally published in JOTA.
