In this privacy espresso Luiza Sato, a leading expert in Brazil in data protection digital law and intellectual property, speaks about a recent call for comments by the Brazilian DPA (ANPD) on a new resolution on international data transfer.
Cross-border data transfer is highly relevant in Brazil. The actual Brazilian data protection regulation (LGPD) is really based on GDPR, so Brazil also wanted to add provisions to adequate its standards on a global scale. This is a very relevant and complex point for the ANPD, requiring the right balance. Brazil has many multinationals, so the requirements should protect data without overcomplicating their activities.
In this regard, the critical elements of the proposal are:
- Indicating the essential requirements for the ANPD to deem a country adequate or not. In this regard, it is worth to be noted the possibility for the Brazilian DPA to copy the list of countries made by the EU, relying on their due diligence.
- Set a mechanism to allow transfer with non-adequate countries, such as BCR and SCC. These instruments are used the same way as GDPR, but there is no indication of the requirements and contents they should have under the Brazilian legislation.
- Indications on how to communicate to the data subject that their data will be transferred abroad. Should this have a specific structure? This will also be part of the call for contributions.
Based on the given framework, Luiza’s advice on how to approach this matter is the following:
- Prepare well-written agreements to transfer data and set obligations for importing and exporting parties.
- Follow the transparency principle, so do your best to let data subjects know about the transfer abroad through policies, banners and other similar tools.
- Follow the best practices and take good care of data by following principles like necessity and minimisation.
Learn more about this topic; listen to this privacyespresso here.