Written by: Haim Ravia, Dotan Hammer
The European Data Protection Board (EDPB) adopted an opinion on the European Commission’s draft implementing decision under Article 45 of the GDPR, recognizing that Brazil ensures an essentially equivalent level of protection for personal data. The opinion acknowledges Brazil’s comprehensive framework as closely aligned with the EU’s General Data Protection Regulation (GDPR).
However, the EDPB highlighted several key areas requiring clarification and monitoring by the EU Commission:
- The scope and practical implementation of Data-Protection Impact Assessments (DPIAs) in Brazil.
- Transparency limitations linked to information disclosure based on “commercial and industrial secrecy” and their potential impact on data-subjects’ rights. and the powers of the supervisory authority
- The regime governing onward-transfers of data from Brazil to third countries and the corresponding safeguards.
- The extent of LGPD applicability to public-authority processing, law-enforcement, or intelligence operations (given that LGPD generally excludes processing for surveillance, national defense, or criminal investigation).
The review of the adequacy finding will be conducted by the EU Commission at least every four years, as well as ongoing monitoring of Brazil’s “government-access” regime to ensure adequacy remains fact-based and justified. From a compliance standpoint, organizations transferring EU-origin personal data to Brazil should begin planning for a post-adequacy-decision regime and should assess whether their transfer-mechanisms (e.g., SCCs, binding-corporate-rules) may need adaptation pending formal adoption. The development signals continuing momentum in cross-border data-flows reform, especially for Latin-American jurisdictions.
Click here to read the EDPB Opinion on the Draft Brazil Adequacy Decision.
