EU - Brazil adequacy decisions: practical implications for international data transfers

The European Commission’s (The Commission) adequacy decision for Brazil is a significant simplification of the legal framework for personal data transfers between the European Union (EU) and Brazil.

On 27 January 2026 the Commission and Brazil announced mutual adequacy decisions, confirming that the data protection laws in the EU and in Brazil provide an adequate level of protection for personal data for the purposes of their respective legal frameworks. Together, those decisions create a materially streamlined legal route for international personal data transfers between the EU and Brazil and were described by the Commission as creating the largest area of free and safe data flows in the world.

In this article, we first consider the scope of the EU adequacy decision for Brazil, before considering the practical consequences for organisations transferring personal data between the EU and Brazil.

Understanding the EU adequacy decision for Brazil

While the adequacy decision changes the legal analysis required for organisations transferring personal data from the EU to Brazil, it does not impact the wider compliance obligations for those organisations under the General Data Protection Regulation (GDPR).  We will first consider the legal basis of the decisions (A), and then assess their scope (B).

The legal basis and scope of the adequacy decision

In the context of the EU adequacy process, the Commission’s adequacy decision in respect of Brazil is governed by Article 45 of the GDPR. By contrast, in the context of the Brazilian adequacy process, the adequacy decision in respect of the EU was adopted by Brazil’s National Data Protection Authority (ANPD), under Article 33, I, of the General Personal Data Protection Law of Brazil (LGPD) and through Resolution CD/ANPD No. 32, of 26 January 2026. These are two separate, unilateral and legally autonomous adequacy decisions, albeit adopted in a coordinated manner and announced together on 27 January 2026.

The adequacy process for Brazil was initiated by the European Commission’s draft adequacy decision published in September 2025, and required the Commission to assess the Brazilian legal framework as a whole, including the LGPD, the constitutional protection of privacy and personal data, the available judicial and administrative redress mechanisms, and the powers and independence of the ANPD. It also required consultation of the European Data Protection Board (EDPB) and the approval of EU Member States through the applicable comitology procedure, before the Commission adopted Implementing Decision (EU) 2026/179 on 26 January 2026.

As part of this process, the EDPB opinion was delivered on 4 November 2025. In its Opinion 28/2025 on the draft Commission’s decision of adequacy for Brazil, the EDPB was broadly supportive of the draft adequacy decision and accepted that Brazil’s framework provides a level of protection that is closely aligned with the GDPR. The EDPB nevertheless invited the Commission to continue to monitor certain aspects of Brazil’s legal framework in practice, including aspects of data protection impact assessments (DPIAs), onward transfers, transparency restrictions and safeguards relating to access by public authorities.

The scope of the adequacy decisions

The scope of the Brazilian decision is wider than the EU adequacy decision in one important respect. Under Article 1 of Resolution CD/ANPD No. 32/2026, Brazil’s adequacy recognition extends not only to EU Member States, but also to Iceland, Liechtenstein and Norway, as EFTA states that are part of the EEA, as well as to the institutions, bodies and agencies of the European Union. Article 2 of the Resolution expressly excludes transfers carried out exclusively for purposes of public safety, national defence, State security, or criminal investigation and prosecution.

Both decisions are also subject to ongoing monitoring and periodic review. Under the Brazilian legal framework, Article 4 of Resolution CD/ANPD No. 32/2026 provides for continuous monitoring and requires reassessment within four years from the date the Resolution entered into force. Under the EU adequacy framework, the Commission has stated that it will monitor relevant developments in Brazil on an ongoing basis and will review the adequacy decision within four years of its adoption.

Implications of the EU-Brazil adequacy decisions 

The two adequacy decisions fundamentally change the legal mechanics associated with international data flows between the EU and Brazil and permit the free bilateral exchange of personal data between businesses, public authorities and researchers. They offer a significant simplification of the legal obligations arising from the applicable data transfer rules in each jurisdiction (A) but do not exclude wider legal compliance requirements and operational steps that organisations should now consider (B).

Bilateral simplification of the data transfer frameworks

The most immediate consequence of the two adequacy decisions is that they simplify the legal route for personal data transfers between the EU and Brazil. 

For EU organisations, the direct consequence of the Commission’s adequacy decision is that personal data may now be transferred from the EU to Brazil without the need for additional transfer safeguards under Chapter V of the GDPR, such as the standard contractual clauses, provided that the transfer falls within the scope of the decision. For Brazilian organisations, Resolution CD/ANPD No. 32/2026 has the corresponding effect under Article 33, I, of the LGPD in relation to transfers from Brazil to the EU.

Businesses with regular EU-Brazil or Brazil-EU data flows will enjoy the removal of one layer of legal and contractual complexity. Existing transfer arrangements that were structured around standard contractual clauses or equivalent transfer tools solely because the transfer was international may now be capable of simplification. That may be relevant in particular to intra-group arrangements, outsourcing structures, cloud services, shared services models, research collaborations and customer or supplier data flows spanning both jurisdictions.

That simplification is nevertheless strictly subject to the scope of the two decisions. On the Brazilian side, the ANPD Resolution extends beyond the EU Member States to Iceland, Liechtenstein and Norway, as EFTA states forming part of the EEA, and to the institutions, bodies and agencies of the European Union. It also excludes transfers carried out exclusively for public safety, national defence, State security, or criminal investigation and prosecution purposes. Organisations should therefore still check that the transfer in question genuinely falls within the scope of the relevant adequacy decision before treating the transfer analysis as complete.

Practical operational and commercial consequences for organisations

It is anticipated that there will be a material increase in digital trade between the EU and Brazil, as parties will be able to save costs and rely on legal certainty and stability across both markets. The more direct impact is that the adequacy decisions should reduce friction in existing transfer arrangements and increase legal certainty for organisations operating across both jurisdictions.

The Brazilian data protection agency noted the decision "should boost cooperation in areas such as scientific research, health, artificial intelligence, data science, and emerging technologies, facilitating joint projects between universities, research centres, public agencies and companies."

The adequacy decisions will bring relief to organisations with operations, suppliers, customers or group entities across the EU and Brazil which had previously implemented contractual transfer mechanisms.

For many organisations, the most immediate consequence will be the opportunity to revisit existing transfer arrangements in place with a view to streamline contractual documentation and artefact in place. Where personal data flows between the EU and Brazil are currently structured through standard contractual clauses or equivalent transfer tools solely because the transfer is international, those arrangements may now no longer need to include SCCs or other transfer tools and, where they were prepared solely for those transfers, related transfer impact assessments. That may reduce drafting burden, shorten contract negotiations and make intra-group, supplier and customer data flows easier to structure contractually.

That simplification is likely to be particularly relevant for organisations operating shared services models, cloud and outsourcing arrangements, customer support functions, research collaborations, digital platforms and other data-driven business models spanning both jurisdictions. It should also provide greater legal certainty for future projects involving regular personal data flows between the EU and Brazil, including in sectors such as technology, life sciences, health, financial services and retail.

The practical effect should not, however, be overstated. The adequacy decisions simplify the transfer route itself, but organisations still need to check carefully whether a particular transfer genuinely falls within the scope of the relevant decision, whether any onward transfer issues arise, and whether their existing contractual and governance documents should now be updated to reflect the new position. In practice, this is a welcome prompt to review transfer maps, template contracts and internal data governance documentation where EU-Brazil or Brazil-EU personal data flows are part of day-to-day operations.

The significance of the mutual adequacy decisions lies not simply in easier transfers, but in the greater legal certainty they bring to organisations operating across the EU and Brazil. For businesses with cross-border data flows between the two jurisdictions, that should provide a firmer basis for structuring future operations, services and investment

From a UK perspective, the position is different. The mutual adequacy decisions do not automatically extend to transfers from the UK, because the UK operates its own adequacy regime under UK GDPR and the Data Protection Act 2018. At the date of writing, Brazil does not appear on the UK’s adequacy regulations list. UK organisations transferring personal data to Brazil must therefore continue to rely on a valid UK transfer mechanism, unless and until the UK adopts its own adequacy regulations in respect of Brazil.

Related items: The EU and Brazil conclude agreements to create the biggest area of free and safe data flows in the world