The Brazil-European Union announcement of mutual adequacy from earlier this year means that data flowing between the countries is easier. As many are aware, each formally confirmed that the other’s privacy laws provide sufficient protection at the beginning of the year. This means that companies can transfer personal information between the regions without taking extra steps. These decisions are subject to review every four years.
Why did this happen? Both Brazil and Europe’s data privacy laws restrict extra-territorial personal data transfers unless the receiving entity is in a country with “adequate” laws. If they are not, then extra steps like executing standard contractual clauses would be needed. Prior to this year, neither Brazil nor the EU had formally found the other’s privacy laws adequate. This changed with the adequacy decisions from this January.
For businesses, the main impact is practical. Adequacy reduces paperwork, lowers compliance costs tied to data transfers, and gives clearer rules for working across borders. This helps digital trade and cooperation across a combined market of about 670 million people in Brazil and Europe.
There are limits. The adequacy decisions do not cover data transfers made only for public security or national defense reasons. They also do not apply to transfers made for state security or as part of criminal investigations. These limits follow rules that already exist under LGPD and related laws.
Putting it into Practice: These decisions are good news for companies sending personal information between Brazil and the EU. As a reminder, though, it does not remove the duty to follow the privacy laws of the two locations.
