By Felipe Berer, Tyler Thompson, and Mike Summers
In January 2026, authorities of the European Union (“EU”) and Brazil adopted mutual adequacy decisions, recognizing each other as having comparable levels of data protection. These decisions allow personal data to flow more freely between the jurisdictions and reduce the need for entities transferring personal data to rely on more restrictive transfer mechanisms, such as standard contractual clauses. However, such adequacy decisions highlight the need to comply with the other aspects of EU and Brazilian data protection laws.
Mutual adequacy decisions
Brazil's National Data Protection Agency (“ANPD”) has formally recognized the European Union as providing an adequate level of data protection under Brazilian law. The agency issued Resolution No. 32 on January 26, 2026, with publication in the Official Gazette following the next day. This determination confirms that the EU's data protection framework meets the standards established by Brazil's General Personal Data Protection Law (“LGPD”). On the same date, the European Commission announced its adequacy decision on Brazil, confirming that the EU and Brazil have comparable levels of data protection, including with respect to the EU's General Data Protection Regulation (“GDPR”).
As a result of these mutual adequacy determinations, personal data may now flow freely between Brazil and the European Union without requiring organizations to implement additional transfer mechanisms, such as standard contractual clauses or binding corporate rules. This significantly reduces the compliance burden for multinational companies, financial institutions, and other organizations that routinely transfer personal data across these jurisdictions.
However, this adequacy decision does not affect other data transfers, such as those from Brazil to the United States. As further noted below, those transfers require a different transfer mechanism, such as the execution of standard contractual clauses.
Other Brazilian requirements
The LGPD regulates the processing of personal data, which is broadly defined to include any information regarding an identified or identifiable natural person. While the adequacy decision may reduce some compliance obligations for some entities, the LGPD still requires companies that operate in Brazil or sell into the Brazilian market to comply with stringent requirements.
Legal basis and consent
Brazil's LGPD establishes ten legal bases for processing personal data under Article 7, making it broader than the GDPR's six lawful bases. These include consent, performance of a contract, and legitimate interests of the controller or third party. Consent under the LGPD must be free, informed, unambiguous, and provided for a specific purpose. Data subjects may revoke consent at any time through a simple and free procedure. For sensitive personal data, the LGPD imposes stricter requirements under Article 11, limiting processing primarily to consent or specific enumerated purposes.
Data subject rights
The LGPD grants data subjects a comprehensive set of rights under Article 18. These include the right to confirmation of the existence of processing, the right to access personal data, the right to correction of incomplete, inaccurate, or outdated data, and the right to anonymization, blocking, or deletion of unnecessary or excessive data or data processed in violation of the law. Data subjects also have the right to data portability, the right to deletion of data processed on the basis of consent, and the right to information about public and private entities with which data has been shared. Additionally, the law provides the right to information about the consequences of denying consent and the right to revoke consent.
Transfer mechanisms
International data transfers are governed by Article 33 of the LGPD. The law permits transfers to countries or international organizations that provide an adequate level of data protection as recognized by the ANPD. In the absence of an adequacy determination, transfers may occur through standard contractual clauses approved by the ANPD, binding corporate rules, global codes of conduct, or certifications regularly issued by the ANPD. Transfers are also permitted when the data subject provides specific and highlighted consent for the transfer, with prior information about the international nature of the processing.
Other obligations
The LGPD imposes several additional compliance obligations on controllers and processors. Organizations must implement appropriate technical and administrative security measures to protect personal data from unauthorized access, destruction, loss, alteration, or any form of improper processing. Controllers must appoint a Data Protection Officer whose responsibilities include receiving complaints and communications from data subjects and the ANPD, providing guidance to employees regarding data protection practices, and executing other duties determined by the controller.
Controllers must also conduct Data Protection Impact Assessments when processing may pose risks to civil liberties and fundamental rights. In the event of a security incident that may create risk or relevant harm to data subjects, controllers must notify the ANPD and the affected data subjects within a reasonable time period, as defined by the ANPD. The law also requires organizations to maintain records of processing activities and to adopt privacy by design principles to ensure compliance throughout the data processing lifecycle.
Penalties
The LGPD establishes a graduated sanctions regime under Article 52, enforced by the ANPD. Administrative penalties range from warnings with deadlines for corrective measures to fines of up to two percent of the revenue of the private legal entity, group, or conglomerate in Brazil for the preceding fiscal year, excluding taxes, capped at 50 million Brazilian reais per violation. The ANPD may also impose daily fines to compel compliance, subject to the same overall cap. Beyond financial penalties, the authority may order the public disclosure of the infringement after it has been duly investigated and confirmed, the blocking of personal data involved in the violation until regularization, and the deletion of personal data related to the infringement. In cases of repeated violations or systematic non-compliance, the ANPD may impose partial or total suspension of database operations or prohibition of processing activities.
Consequences
The adequacy decision is a welcome development as it reduces compliance obligations for data transfers between the EU and Brazil. However, the LGPD still requires controllers and processors to adhere to specific compliance obligations to avoid potentially high fines or other actions imposed by the ANPD. In addition, the adequacy decision does not affect transfers to and from other jurisdictions such as the United States, which require alternative transfer mechanisms. It is recommended that entities subject to the LGPD review their processing activities in the country to ensure compliance.