The Lei Geral de Proteção de Dados (LGPD) took effect on 18 September 2020 though the enforcement provisions do not come into effect until 1 August 2021.
The LGPD is like the GDPR and even maintains similar articles and chapters for ease of reference. Article 3 includes the geographic scope and Chapter V contains the data transfer mechanisms in both laws.
The LGPD applies to the processing of personal data carried out in Brazil, as well as processing related to the offering of goods or services to individuals in Brazil. If your company is processing data related to individuals in Brazil, the LGPD now applies regardless of the origin of that data.
The starting point is that personal data must remain within a physical territory unless certain circumstances exist. Chapter V outlines those transfer mechanisms.
Organisations can transfer personal data out of Brazil in the following cases:
- When the recipient country or international organization is deemed adequate by the Autoridade Nacional de Proteção de Dados (ANPD). (Adequacy Determination)
- Under the controller’s specific contractual clauses approved by the ANPD.
- Under the controller’s standard contractual clauses adopted by the ANPD. (SCCs)
- Pursuant to the controller’s binding corporate rules approved by the ANPD. (BCRs)
- When the controller has proven compliance via regularly issued stamps, certificates or codes of conduct as provided by the ANPD.
- With authorization from the ANPD.
- When the data subject has given specific and highlighted consent for the transfer with prior information about the international nature of the operation clearly distinct from other purposes.
- When necessary for the execution of a contract or preliminary procedures related to a contract of which the data subject is a party, at the request of the data subject.
Six of the eight mechanisms require action by the ANPD, an agency in its nascent stage. The ANPD’s five directors were nominated by President Bolsonaro and took office on November 6, 2020. The ANPD has also hired 19 of the 31 staff members they are entitled to under the Presidential Decree 10.474/2020. It remains unclear how long it will take to assess, create, and approve the data transfer mechanisms as outlined. For now, companies may be limited to two data transfer mechanisms, specific and distinct consent or the necessity for the execution of a contract.
If history is any indication it will take some time for the ANPD to rule on any data transfer decisions. One possibility is that Brazil, like Israel and Columbia, could adopt a version of an EU+ model adopting the adequate countries already giving the designation by the EU and from there begin to make its own decisions. The ANPD could recognize existing EU SCCs and BCRs or lead the way in operationalizing certificates and codes of conduct, a feature of the GDPR though not yet functional. Until then, organisations should rely on consent or necessity for the performance of a contract for cross border data transfers.
The Law on Protection of Personal Data (LPPD) entered into force on 7 April 2016 and is largely based on the former European Data Protection Directive. The LPPD covers processing of personal data originating in Turkey. Since the LPPD went into effect, cross-border data transfers have been in legal limbo. The LPPD provides for methods of cross border data transfers similar to the GDPR. The LPPD includes:
- Adequacy Decision
- Explicit Consent
- Written Undertaking Obtaining Prior Approval from the DPA (Binding Corporate Rules)
- Standard Contractual Clauses
Despite providing these transfer mechanisms, the DPA has declared no list of adequate countries nor had any organisations obtained approval from the DPA to transfer data. On 9 February 2021, the Turkish Data Protection Authority approved the first data controller’s written undertaking for cross border transfers.
Regarding Standard Contractual Clauses (SCCs)
The DPA published the essential clauses to be included in contracts for the transfer of personal data to countries which Turkey has yet to issue an adequacy decision on 16 May 2018.
We are still awaiting further clarification from the Data Protection Authorities in Brazil and Turkey to clarify adequate countries as well as promulgating and adopting SCCs. In Brazil, the ANPD is still new and adapting to its role. The LPPD in Turkey has been in force for longer but questions remain over the legal manner for transferring data out of the country. In the interim in Brazil the transfer mechanisms have been limited to specific and distinct consent or the necessity for the execution of a contract.