EU starts GDPR adequacy process with Brazil to enable secure cross-border data flows
The European Commission has initiated the procedure to adopt an adequacy decision recognising that Brazil ensures an adequate level of data protection comparable to the EU’s GDPR. If adopted, this will be the first EU adequacy decision for a Latin American country since Argentina (3 June 2003) and Uruguay (21 August 2012). The decision would permit personal data to flow freely and securely between the EU and Brazil for businesses, public authorities and research, while preserving protections required under EU law.
The draft adequacy document runs 52 pages and 238 paragraphs and assesses Brazil’s constitutional and statutory framework, particularly the Lei Geral de Proteção de Dados (LGPD). It analyses the material and territorial scope of the LGPD, the rights and safeguards available to data subjects, and the obligations placed on controllers and processors. The text also examines oversight and enforcement mechanisms, including judicial and administrative routes for redress and compensation.
A central focus of the draft is access and use of personal data transferred from the EU by Brazilian public authorities. The European Commission stresses that effective safeguards must be in place to ensure transparency, necessity and proportionality when public bodies access data. The draft also requires ongoing cooperation between EU and Brazilian authorities to ensure that enforcement and remedies meet EU-equivalent standards.
Next steps include review by the European Data Protection Board and scrutiny by the Council of the European Union; the European Parliament may also review the draft. The Commission will carry out periodic reviews of the adequacy decision together with EU data protection authorities. Once mutual arrangements are finalised, freer cross-border flows will benefit an estimated combined population of around 670 million consumers.
