Brazil–EU data adequacy: What regulators, policymakers and industry are really saying

Hogan Lovells

Brazil and the European Union have taken a historic step in international data protection with the formalization of mutual adequacy decisions that simplify cross-border personal data transfers between the two jurisdictions: on 26 January 2026, the European Commission adopted an adequacy decision finding that Brazil offers a level of personal data protection essentially equivalent to that of the EU. This was followed, on 27 January 2026, by Resolução CD/ANPD No. 32/2026, the first formal adequacy decision by the Brazilian Data Protection Authority (Agência Nacional de Proteção de Dados – “ANPD”), recognizing that the EU provides a level of protection compatible with Brazil’s General Data Protection Law (Lei Geral de Proteção de Dados – “LGPD”). Together, these decisions allow personal data to move in both directions between Brazil and the EU — including EU Member States and EEA countries such as Iceland, Liechtenstein and Norway — without the routine need for standard contractual clauses or similar transfer safeguards.

These decisions materially affect companies that engage in Brazil–EU or EU–Brazil data flows, across industries and data-intensive business models.

While the legal consequences of adequacy are now relatively clear, a less explored — and more practical — question is how regulators, policymakers and market participants expect this new framework to operate in practice.

That question was directly addressed during a public webinar hosted by the Brazilian Data Protection Authority (Agência Nacional de Proteção de Dados – “ANPD”) on 28 January 2026, as part of International Data Protection Day. The event brought together representatives from ANPD, the European Commission, the Brazilian federal government, academia and the private sector to discuss the institutional, economic and operational implications of the new adequacy regime.

Below we summarize the key takeaways that are likely to matter most for companies with Brazil–EU or EU–Brazil data flows.

Adequacy as a structural shift, not a technical adjustment

From ANPD’s perspective, adequacy represents a structural change in Brazil’s international data-transfer regime.

In his opening remarks, ANPD President Waldemar Gonçalves emphasized that adequacy differs fundamentally from existing transfer tools such as contractual clauses or ad-hoc regulatory mechanisms. Unlike those instruments — which often involve additional documentation, internal approvals or regulatory interaction — adequacy is expected to significantly reduce friction, bureaucracy and processing time for routine cross-border transfers.

ANPD framed mutual adequacy as the outcome of a multi-year process of institutional maturation, legal consolidation and regulatory dialogue with the EU, and as a key driver of legal certainty for digital business models, cross-border services and international cooperation.

Data flows as economic infrastructure

The economic dimension of adequacy featured prominently in the discussion.

From the perspective of the Ministry of Development, Industry, Trade and Services (Ministério do Desenvolvimento, Indústria, Comércio e Serviços – “MDIC”), Secretary Daniela Matos highlighted that cross-border data flows now function as core economic infrastructure, underpinning digital services, e-commerce, connected products and global value chains.

She stressed that adequacy reduces legal uncertainty and operational complexity for companies active between Brazil and the EU. Referring to international studies, she noted that adequacy decisions have been associated with measurable increases in bilateral digital trade — typically in the range of 7–9% — and positioned the Brazil–EU adequacy framework within the broader context of the evolving economic relationship between the two regions, including the Mercosur–EU agenda.

European Commission: Broad scope, practical effects

From the EU side, Anne Schilmöller (European Commission, Directorate-General for Justice and Consumers) reinforced that adequacy under the GDPR reflects a finding that the recipient jurisdiction ensures a level of protection that is “essentially equivalent” to that of the EU.

She emphasized that the EU’s adequacy decision for Brazil is broad in scope, covering both the private and public sectors. In practical terms, this allows personal data to flow from the EU to Brazil without additional transfer mechanisms, authorizations or derogations, while maintaining full protection of data subject rights under independent regulatory oversight by ANPD.

Beyond private-sector compliance, she also highlighted the importance of adequacy in facilitating administrative and regulatory cooperation between public authorities.

Adequacy as a starting point, not the end of the journey

An academic perspective was offered by Professor Laura Schertel, who described the adequacy decision as the culmination of more than a decade of legal and institutional development in Brazil — including constitutional recognition of data protection, the enactment of LGPD and the strengthening of ANPD as an independent authority.

Importantly, she cautioned against viewing adequacy as an endpoint. Instead, she framed it as a baseline from which companies and regulators should reassess data-governance structures, contractual arrangements and compliance strategies, particularly in light of emerging technologies and artificial intelligence.

Industry view: Opportunities, with compliance still in focus

From the private-sector perspective, Adriei Gutierrez, speaking on behalf of ABES (Associação Brasileira das Empresas de Software, the main Brazilian software and technology industry association), highlighted the opportunities created by the removal of transfer-related barriers, especially for Brazilian companies operating in or scaling into the EU.

Sectors such as fintech, healthtech, govtech, edtech and software were singled out as likely beneficiaries of increased legal certainty and reduced compliance friction.

At the same time, he underscored a recurring theme throughout the webinar: adequacy simplifies transfer-related compliance but does not replace broader regulatory obligations. Companies must continue to address adjacent requirements, including cybersecurity, operational resilience, interoperability and sector-specific EU regulation.

Practical implications for your business

From a business and compliance standpoint, the discussion reinforced several practical conclusions:

Operational simplicity

  • Eliminates the need for traditional transfer mechanisms (e.g., standard contractual clauses) between Brazil and the EU.
  • Reduces legal and administrative burden for ongoing and future data flows.

Commercial opportunity

  • Strengthens legal certainty for digital services, cloud processing, analytics, AI, and software operations spanning these regions.
  • Can improve competitiveness in markets that depend on agile, compliant cross-border data mobility.

Ongoing compliance obligations

  • All core GDPR and LGPD requirements still apply to controllers and processors, including security, rights of data subjects, transparency and accountability measures.
  • Adequacy simplifies transfers but does not replace data governance, cybersecurity, or sector-specific regulatory obligations.

Policy and contract updates

  • Companies should update data-flow inventories to reflect adequacy as a basis for transfers.
  • Existing agreements and policies can be simplified or rationalized but should be reviewed to confirm alignment with the new regime.

Next steps

Adequacy does not eliminate the need for strong data governance; it enables it. Businesses engaged in international processing should:

  • Review Brazil–EU and EU–Brazil processing chains and contractual frameworks;
  • Assess whether existing safeguards can be streamlined in light of adequacy;
  • Monitor guidance from regulatory authorities (ANPD and European data protection bodies) on operationalizing adequacy in practice.

We continue to monitor regulatory developments and are available to discuss how the mutual adequacy decisions can affect your specific operations, contractual arrangements, and compliance frameworks.
