On January 26, the European Commission adopted an adequacy decision under Article 45 GDPR finding that Brazil's general data privacy law (the Lei Geral de Proteção de Dados or “LGPD”) ensures an “essentially equivalent” level of protection for personal data transferred from the EU to Brazilian controllers and processors subject to Brazil’s LGPD, allowing such transfers without additional transfer tools and binding EU Member State authorities accordingly. The Commission’s assessment applies the CJEU’s essential equivalence standard and draws on GDPR, CJEU case law, and the EDPB adequacy referential to evaluate both Brazil’s private/public-sector data protection framework and limits on public authority access to data. 

Scope and core findings

The adequacy decision applies to transfers of personal data from the EU to Brazilian controllers and processors that fall within the material and territorial scope of the LGPD, Brazil’s comprehensive data protection statute. The Commission emphasizes that the LGPD mirrors the core architecture of the EU framework, with clearly articulated principles, lawful bases, and enforceable data subject rights, and that these protections are underpinned by constitutional guarantees for privacy and the right to personal data protection that extend to Brazilians and foreigners, including non-residents. In practical terms, this means routine business transfers--HR data, customer information, vendor records, and cloud processing--can flow to entities in Brazil subject to the LGPD without supplementary transfer tools, provided the receiving entity’s processing falls squarely under the LGPD’s remit. 

The LGPD’s scope is broad but not unlimited. Properly anonymized information lies outside the statute, while merely pseudonymized data remains in scope. Household activities are exempt, as are limited public-interest activities, notably (and unsurprisingly) public safety, national defense, state security, and criminal investigations; however, these carve-outs do not create an accountability vacuum. Brazil's Federal Supreme Court has clarified that core LGPD principles and data protection rights continue to bind public authorities even for intelligence and law enforcement purposes, constraining inter-agency access and sharing and ensuring purpose definition, necessity, and proportionality. This jurisprudence, read together with the constitutional baseline, makes clear that any exemptions are interpreted narrowly and accompanied by enforceable safeguards. 

Substantively, the LGPD embeds GDPR-like principles--lawfulness and good faith, transparency, purpose limitation, data minimization/necessity, accuracy, and proportionality--that structure compliance assessments and documentation duties for controllers and processors. These principles are complemented by robust transparency obligations, including clear disclosures on purposes, retention periods, and the identity and contact details of the controller and its data protection officer where appointed. The framework guarantees data subject rights to access, rectification, deletion, portability, and objection, with special rules for sensitive data and children’s data, and expects organizations to implement privacy governance measures such as DPIAs, security controls, and incident notification where risk thresholds are met. 

Sectoral and institutional instruments reinforce these protections. The Habeas Data mechanism and the Law on Access to Information provide powerful transparency and access avenues against public bodies, including deadlines and procedural guarantees for obtaining, correcting, or completing personal information held by the state. These pathways operate in tandem with LGPD rights, giving individuals multiple, complementary routes to seek information and redress when their data is processed by public authorities. In combination, these elements led the Commission to conclude that Brazil’s normative and institutional framework offers a level of protection that is, in substance and in practice, essentially equivalent to that in the EU for data transferred under the decision. 

Transfers, oversight, and government access safeguards

The Commission places particular weight on Brazil’s international transfer regime and on the effectiveness of institutional oversight and redress. Under the LGPD and ANPD’s 2024 Data Transfer Regulation, cross-border transfers require cumulative conditions: a legitimate, specific, and explicit purpose; the absence of incompatible further processing; a valid LGPD legal basis; and an approved transfer mechanism such as adequacy, SCCs, BCRs, or certifications. These conditions must be documented and operationalized, and they travel with the data through onward transfers to ensure continuity of protection across the chain of processing. In practice, this means EU exporters relying on adequacy can send data to LGPD-subject importers in Brazil without additional tools, while Brazilian importers must implement contractual and organizational measures that maintain the LGPD standard for downstream recipients. 

To operationalize these requirements, the ANPD has issued modular model clauses with non-negotiable core protections and optional modules calibrated to processing roles and transfer scenarios, alongside granular BCR requirements covering binding effect, scope, data subject rights, liability, verification, training, complaint handling, and approval/maintenance procedures. Together, these instruments mirror the GDPR’s SCCs and BCRs in substance, offering regulated, auditable pathways for transfers that are adaptable to varied business models. The ANPD also expects controllers to demonstrate compliance through records, DPIAs where risk warrants, and transparent notices that clearly explain international transfers and their implications for data subjects. 

Oversight and enforcement are anchored in the ANPD’s independence and powers. The authority can investigate, order corrective measures, mandate security improvements or impact assessments, suspend or prohibit processing, and impose administrative fines proportionate to the gravity and duration of violations. Individuals have layered redress: they may complain to the controller, escalate to the ANPD, and seek judicial remedies, including injunctions and damages; Brazilian courts can shift the burden of proof in appropriate cases to protect data subjects, enhancing the practical enforceability of rights. 

Regarding government access, the Commission examined Brazil’s legal constraints on criminal law enforcement and national security activities. Access must rest on a clear legal basis and satisfy necessity and proportionality, with prior judicial authorization required for intrusive measures like communications interception and access to traffic or content data. Generalized or indiscriminate retention and bulk collection of internet communications data are generally not authorized, and confidentiality rules protect banking and tax data, which may be lifted only by court order in defined, serious circumstances. The Federal Supreme Court has further held that the LGPD’s principles apply to inter-agency data sharing, including among law enforcement and intelligence bodies, requiring purpose specification, strict necessity, safeguards commensurate with risk, and accountability, with state liability for violations. Layered oversight is provided through judicial control, ANPD supervision, and legislative mechanisms for the intelligence sector, ensuring that individuals retain avenues to challenge unlawful access or use of their data. 

Conclusion and monitoring

The Commission concludes that Brazil’s legal order-centered on the LGPD and strengthened by constitutional guarantees, independent oversight by the ANPD, robust transfer rules, and effective limits and remedies around government access-ensures an adequate level of protection essentially equivalent to the GDPR for in-scope transfers. The decision is binding on Member State authorities and enables transfers without further authorization, and the Commission will continuously monitor developments and conduct a first formal review within four years, with powers to suspend, repeal, or amend the decision if adequacy is no longer ensured. As a result, data transfer between EU and Brazilian controllers and processors should be significantly simplified.