As the leveraging of data by global firms becomes more pronounced, regulators are working hard to ensure that the governance of personal data collected remains robust. In August 2024, the Brazilian Data Protection Agency, the Autoridade Nacional de Proteção de Dados (ANPD), issued the International Data Transfer Regulation. This new framework, which became effective on August 23, 2025, is a crucial development for any organisation handling personal data originating from Brazil. 

The regulations establish a comprehensive framework for international data transfers under Brazil’s Data Protection Law, the Lei Geral de Proteção de Dados (LGPD). Similar to the EU's GDPR, the new rules outline various transfer mechanisms. However, the newly approved Brazilian Standard Contractual Clauses (SCCs) are, for now, the only viable and immediately implementable mechanism. 

Why Brazilian SCCs are the only available mechanism 

The International Data Transfer Regulation outlines four official mechanisms for legally transferring data from Brazil to other countries: 

  • Adequacy decisions: The ANPD can recognise that another country provides an adequate level of data protection. To date, no country has been granted this status, making this mechanism currently unavailable. 

  • Binding corporate rules (BCRs): These internal rules for multinational companies must be approved by the ANPD. This is a detailed and often lengthy process which is not a practical short-term solution. 

  • Specific contractual clauses: These are custom clauses that require specific approval from the ANPD on a case-by-case basis. Similar to BCRs, this is not an immediate option. 

  • Standard contractual clauses (SCCs): The ANPD has approved a set of pre-defined contractual provisions that can be immediately implemented. This makes them the only viable and readily available mechanism for organizations today. 

It is also important to note that the ANPD has not approved Equivalent Contractual Clauses from other jurisdictions, such as the EU SCCs. This means organisations cannot simply reuse existing EU SCCs to cover data transfers from Brazil. 

Adopting and implementing the Brazilian SCCs 

The Brazilian SCCs must be incorporated in full (and in both English and Portuguese) into any contract covering international data transfers, whether it is an intercompany agreement or a vendor contract. While companies can add supplementary provisions, the core text of the SCCs cannot be altered. 

For companies in Brazil, this means that every international transfer, even within the same economic group, must be covered. For example, a Brazilian subsidiary sending employee data to its foreign parent company for payroll administration can rely on the ANPD's SCCs. While employee consent is technically possible, its revocability makes it a less stable and reliable option. 

An important detail of the new regulations is how they address onward transfers. When a company outside Brazil receives personal data, it cannot share that data with other entities (like a parent company or subcontractor) unless the same level of protection is guaranteed. This means service agreements for Brazilian operations should require providers to ensure that any onward transfers are also carried out under the Brazilian SCCs or another valid mechanism. 

The regulations also clarify that a foreign entity directly collecting data from individuals in Brazil does not count as an "international transfer." However, that foreign entity is still subject to the LGPD, and any subsequent sharing of that data with a third party will be considered an international transfer and must be covered by a valid mechanism like the SCCs. 

What this means for your organisation 

The ANPD's International Data Transfer Regulation is a significant step, and organisations must act now to ensure compliance. To minimise risk and ensure accountability, organisations should: 

  • Map all international data transfers originating from Brazil, identifying the types of data, purposes, and recipients. 

  • Prioritise the implementation of the ANPD's SCCs. 

  • Update existing contracts, including intercompany and vendor agreements, to incorporate the mandatory Brazilian SCCs. 

  • Contractually address onward transfers, ensuring that data importers are required to execute valid SCCs with any downstream recipients. 

  • Ensure transparency, providing clear information to data subjects about international transfers, including the purpose, data categories, and legal mechanism used. 

Navigating these new regulations can be complex, but relying on the ANPD's SCCs is currently the only immediatelyviable legal mechanism for international data transfers. HewardMills can support your organisation with every step of this process, from conducting a data inventory to drafting and implementing the necessary contractual clauses and providing ongoing guidance to ensure your compliance.