Proposed Regulation on International Personal Data Transfers and Standard Contractual Clauses.
ANPD's strategic objective of "Promoting the strengthening of the culture of Personal Data Protection" brings together actions aimed at preventing and detecting breaches of the LGPD, as well as actions aimed at training and guiding companies and society on the rules of Personal Data Protection. To that effect, the ANPD has made significant strides in the field of data protection since its inception, culminating in its recent public consultation on the proposed Regulation on International Personal Data Transfers and Standard Contractual Clauses ("Regulation"). This development signifies a momentous stride towards reinforcing the protection of personal data in the global context.
This regulatory proposal addresses the intricate challenges associated with international data transfers and provides clarity on compliance requirements. ANPD's decision to engage the public, businesses, and experts in shaping the Regulation is emblematic of its commitment to a robust data protection framework. This public consultation goes beyond ANPD’s commitment to inclusivity and transparency. By soliciting input from a broad spectrum of stakeholders, ANPD ensures that the final regulations consider diverse needs and perspectives when it comes to international data transfers and that compliance is achievable without undue burden.
Pursuant to the proposed Regulation, companies would be able to carry out international data transfers provided they: (a) adopt procedures that are simple and compatible with recognized international standards and best practices; (b) adopt responsibility and accountability measures that are in line with the principles of the LGPD and data subject rights; (c) implement effective transparency measures providing clear, accurate, and easily accessible information regarding the details of the transfer; and (d) adopt best practices, and appropriate prevention and security measures, that are compatible with the criticality of the data processed and the risks involved in the operation.
The Regulation provides that international data collection will not be deemed international data transfers. As a result, restrictions on international data transfers would not apply to collection by foreigners of personal data directly from individuals located in Brazil.
The text of the proposed Regulation also states that international personal data transfers can only be carried out to fulfill legitimate, specific, and explicit purposes that have been previously communicated to the data subject. Transfers cannot be processed in a manner incompatible with the stated purposes and must be supported by one of the LGPD’s lawful bases for processing provided.
The Regulation proposes standard contractual clauses that controllers can adopt as a safeguard to ensure that international data transfers will be compliant with LGPD standards and that enforceable rights and effective legal remedies will be available for data subjects.
In addition, the Regulation would allow companies to use global corporate standards (“GCS”) to govern international personal data transfers provided that the GCS is consistent with the Regulation and does not violate the company's privacy governance program. Also, Chapters VI and VII of the Resolution indicate ANPD’s understanding that GCS are the equivalent to binding corporate rules under the GDPR.
Before the ANPD moves forward with the Regulation, it will collect contributions through a public consultation ("Information Gathering"). After that, ANPD will hold a public hearing ("Public Hearing") to discuss the contributions. Then, ANPD will consider all contributions and determine whether to pass the Regulation. Please see below information on relevant details and deadlines:
The Information Gathering phase: From August 15, 2023 until October 14, 2023.
Method of collecting contributions: online, via the platform Participa Mais Brasil (here).
Draft of the Regulation: Available here (in Portuguese).
The Public Hearing phase: Occurred on September 12, 2023
Location: It was a virtual event streamed on ANPD's YouTube channel.
Lastly, past instances have demonstrated that ANPD may take several months to finalize and release a resolution and that the final draft of ANPD's Resolution could remain closely aligned with the version shared for public consultation.
Preliminary study exploring legitimate interests in data protection
The ANPD, in fulfillment of its duties under the LGPD, has undertaken several significant initiatives, including the creation of specific regulations, conducting in-depth studies, and providing guidance on the application of the law. One notable example is ANPD's exploration of the possibility of processing non-sensitive personal data to meet the legitimate interests of data controllers or third parties, ensuring that such processing aligns with fundamental rights and freedoms requiring personal data protection.
One of the key areas where interpretation of LGPD has raised questions is the use of legitimate interest as a legal basis for data processing. ANPD recognizes the variations in interpretation and the practical implications associated with this concept. To address this challenge, ANPD has prepared a Preliminary Study ("Preliminary Study") with the objective of guiding companies in comprehending and effectively utilizing legitimate interest as a legal basis under the LGPD.
Here's an overview of its key facets:
Enhancing Legal Certainty: The LGPD requires clear and unambiguous legal bases for processing personal data. ANPD's Preliminary Study aims to eliminate ambiguity by offering guidance on the specific conditions under which legitimate interest can be invoked. This ensures legal certainty for data controllers and promotes compliance with data protection principles.
Protection of Fundamental Rights: By stipulating that legitimate interests must not violate the fundamental rights and freedoms of data subjects, ANPD ensures that the use of this legal basis aligns with the overarching principles of data protection and privacy. Scholars generally consider that those fundamental rights would encompass constitutional guarantees such as the right to privacy and the right to intimacy under the Brazilian Federal Constitution, as well as data subject rights provided under LGPD and other Brazilian Laws, such as the Consumer Code and the Internet Bill of Rights.
Personal data of children and adolescents: It is possible to use the legitimate interest as a basis for processing personal data of children and adolescents, provided that the processing does not conflict with the best interests of concerned children/adolescents. “Best interests” is a subjective concept and there is no specific guidance on what it means in this context. Nevertheless, we should expect courts to interpret it favorably to children/adolescents because courts are very protective towards children/adolescents.
Balancing Interests: The processing of data based on the legitimate interest basis must be preceded by a balancing test that takes into account, on the one hand, the interests of the controller (or a third party) and, on the other, the fundamental rights and freedoms of the data subjects. The Preliminary Study seeks to strike this balance by defining criteria that protect data subjects' rights and freedoms while enabling legitimate data processing activities. This approach aligns with the core objectives of the LGPD.
ANPD will collect contributions through a public consultation via the platform Participa Mais Brasil (here) until September 30, 2023. The preliminary Study is available here (in Portuguese). Then, ANPD will consider all contributions prepare guidance data processing under legitimate interests.
Since its inception, the LGPD has encouraged businesses and organizations to adopt transparent data practices, ensuring that data collection and processing are carried out ethically and with the consent of the owners of the data. The five-year anniversary marks a milestone in promoting accountability, fostering trust, and harmonizing Brazil's data protection standards with that of the larger global community, in particular with those in effect in the European Union under the General Data Protection Regulation (GDPR).
ANPD's proposed Regulation on International Personal Data Transfers and Standard Contractual Clauses represents a significant stride towards fortifying data protection in Brazil. By engaging the public in this crucial phase, ANPD demonstrates its commitment to creating a forward-looking, robust, inclusive, and internationally aligned data protection framework.
Lastly, ANPD’s Preliminary Study represents a significant milestone in ensuring compliance with data protection regulations while fostering a favorable environment for innovation and responsible data management. By adhering to the principles and guidelines outlined in this study, organizations can operate confidently within the framework of the LGPD, ensuring that their data processing activities are both lawful and respectful of individuals' privacy rights.
Authored by Julio Cesar de Oliveira Alves and Rafael Scatamacchia.
*Hogan Lovells is registered and licensed as a foreign legal consultancy with the Brazilian Bar Association. In accordance with Brazilian Bar Association rules, Hogan Lovells does not practice Brazilian law and the discussion above regarding Brazilian laws, rules and/or regulations has been obtained from publicly-available sources and is for informational purposes only. The discussion above is limited by the nature of our practice in Brazil and is solely derived from publicly-available information. The information contained herein should not to be construed as legal advice or otherwise be a substitute for advice provided by practitioners licensed to practice Brazilian law.