- Introduction
In January 2026, the European Union (EU) and Brazil adopted mutual adequacy decisions for the protection of personal data transfers. (EC, 2026a; ANPD, 2026) Together, these instruments establish the largest area of free and secure personal data flows in the world, since entities can now rely on these decisions to transfer personal data from and to the EU and Brazil. (EC, 2026b) Previously, entities would have to adopt additional instruments, such as contractual clauses and standards, to proceed with legitimate international data transfers between these two jurisdictions. These other instruments, however, increase the complexity of transactions and are more volatile. Thus, the new adequacy decisions facilitate the (data) connections in this area.
While entities still need to comply with personal data protection rules from each regulatory system to the applicable extent, the decisions allow for more stability and security in international operations involving personal data processing, such as cloud computing. Free data flow allows for economic growth, facilitated access to services and products, and a broader dialogue between actors based on opposite sides of the Atlantic. This post will navigate the process that led us here and the challenges faced along the way.
- Let’s go back to the beginning
On 5 September 2025, the European Commission (EC) published its draft implementing decision on the adequate level of personal data protection by Brazil, kicking off the process for a possible adequacy decision for international transfers to the American country. (EC, 2025) Based on the analysis of the national legal order and following the European Data Protection Board’s (EDPB) adequacy referential, the Commission provided an initial conclusion of sufficient personal data protection in the Brazilian system,
In the document, the Commission details the Brazilian regulatory framework for personal data protection and how it provides enough protection for personal data. The constitutional protection, the Brazilian independent Data Protection Authority (Agência Nacional de Proteção de Dados – ANPD), the national general personal data protection law, alongside complementary acts, and the country’s ratification of international human rights instruments, including the binding authority of the Inter-American Court of Human Rights over the country, are some of the highlights. Additionally, a series of case- and soft-law instruments, which are not directly binding, together with secondary legal instruments, are evaluated since they further develop and detail the national system’s operation. Furthermore, the fact that any individual is entitled to the fundamental right of personal data protection, regardless of their nationality or place of residency, was also used as a justification for the EC’s conclusion of an adequate level of protection regarding personal data in Brazil.
Another aspect worth noticing in the draft decision is the evaluation of other legal instruments in the Brazilian jurisdiction, beyond the Brazilian Data Protection Law (Lei Geral de Proteção de Dados – LGPD), especially the habeas data and the Brazilian Access to Information Law (Lei de Acesso à Informação – LAI). Both instruments are of utmost importance when it comes to data governance in the Brazilian public sector. So much is true that the LGPD recognises that the data subjects’ rights procedures before government authorities must observe the already existing legal framework, including these two instruments.
Habeas data is a constitutional redress mechanism for access to, rectification, and deletion of personal data controlled by public authorities or present in public datasets or registries. Any individual can use this instrument as a safeguard to the protection of their personal data, enjoying an already established culture, jurisprudence, and framework regarding this mechanism.
The LAI, on the other hand, directly addresses the right to access to information, setting a number of rules on transparency for public bodies. In a not-so-evident manner, the LAI was understood by the EC as a relevant instrument to interpret the LGPD in different topics, including the protection of commercial and industrial secrecy.
Additionally, the EC recognises that Brazil does not have a specific law for data processing for public security, national defence, State security, or the investigation and prosecution of criminal offences. However, it is highlighted that, even in those cases, the data protection principles set by the LGPD apply, and the ANPD has some oversight power over these activities.
On this, it is worth noticing that since 2025, a cooperation agreement between the European Union Agency for Law Enforcement Cooperation (EUROPOL) and the Federal Police of Brazil is in place. This instrument allows for the transfer of personal and non-personal data between the entities to support and strengthen their actions, including the prevention and combat of criminal offences. (EU, 2025). The procedure that led to the agreement counted on an opinion from the EDPB, which already highlighted the existence of effective oversight of the Brazilian DPA over the Brazilian law enforcement authorities, which was deemed as sufficient for an adequate exchange of personal data among the entities (EDPB, 2025a).
- Can we make it better?
The draft decision did not encounter serious criticism. Nevertheless, following the usual procedure, on the same day as the publication of the draft decision, the Commission also requested the EDPB’s opinion on the matter to evaluate the draft decision itself and the Brazilian protection framework. After almost two months, the EDPB adopted Opinion 28/2025 regarding the Draft Decision.
In this document, the consultative body recognises the similarities between the Brazilian and the EU’s personal data protection systems, especially when it comes to the principles, the data subject rights, international data transfers, oversight, and redress mechanisms. Nevertheless, the EU body presented a list of advice to improve the draft decision. (EDPB, 2025)
First, the EDPB highlighted that a data protection impact assessment should be mandatory in high-risk processing activities, and how this plays out in Brazil should be followed by the EU. Also, the EC was invited to closely follow how the implementation of the commercial and industrial limits impacts the rights of information and access.
When it comes to onward international transfers, more clarity was needed to understand when the Brazilian derogations could be used to justify such sharing activities. In the same lines, it should be clarified what information is provided to the subjects when consenting to these sharing processing. Besides, more emphasis could be put on explaining the tasks of the Brazilian National Council for Personal Data and Privacy Protection (CNPD) and how they interact with the ANPD. (EDPB, 2025)
The majority of suggestions, however, were related to the government’s access to personal data, especially in activities outside of the scope of the LGPD. Although the EDPB welcomes the Brazilian case-law that extends the partial applicability of the LGPD to processing activities for criminal investigations and maintenance of public order, this should be further detailed in the adequacy decision. One should be able to better understand the ANPD’s powers in these situations and other applicable oversight and redress mechanisms. Finally, the adequacy decision should also clarify the concept of national security in Brazilian law and how this definition relates to the personal data-sharing between public entities within the Brazilian Intelligence System. (EDPB, 2025)
- The final decision
After the EDPB’s considerations, on 26 January 2026, the EC adopted its final implementing decision recognising Brazil’s adequacy level of personal data protection. In the last version of the document, more details were added on all the aspects related to government access and sharing of personal data, including a comprehensive evaluation of the processing activities on which the LGPD only partially applies. More specifics were added on the advisory role of the CNPD, the requirements related to a high-risk processing activity, and the procedures allowing the onward data transfers.
Nothing substantial was added on the protection of commercial and industrial secrets, maintaining the connection with the LAI and explaining how these limits also apply to the right to review an automated decision. In line with Brazilian scholars (e.g., LINDOSO, 2025), this interpretation showcases how the limitation for commercial and industrial secrecy protection shall be interpreted in a way to avoid anti-competitive practices, such as revealing business secrets or creating competitive advantages for other actors (EC, 2026a). How this will play out in practice is still to be determined.
- Brazilian counterpart
It was definitely not a surprise that, in parallel, Brazil also adopted an adequacy decision regarding the EU. Since the Brazilian personal data protection system is marked by a large influence from the EU framework, the adequacy recognition regarding the European jurisdiction was highly expected.
The Brazilian decision regarding the EU is way shorter and less detailed. Adopted by the Board of the Directors of the Brazilian DPA (ANPD), the document recognises the EU as an international organization that provides an adequate level of personal data protection according to the Brazilian data protection law. With this, entities can also choose this instrument to base their personal data transfers from Brazil to the EU, adding to the list of instruments already available. The Resolution clarifies that the adequacy decision applies to general international data transfers among the jurisdictions and excludes data transfers carried out for the purposes of public safety, national defence, State security, or investigation and prosecution of criminal offenses. And, just like the EU’s decision, Brazil will continuously monitor the EU, and the decision will be reassessed in 4 years (ANPD, 2026).
- Conclusion
Having a mutual adequacy decision between the EU and Brazil illustrates a movement of approximation, relationship strengthening, and free trade partnership between these two jurisdictions and other Latin American countries. Alongside adequacy decisions from the EC regarding Argentina and Uruguay, the EUROPOL-Brazilian federal police collaboration agreement, and the recent EU-Mercosur trade agreement are other examples of this scenario.
Considering all the mutual efforts put into this outcome and the legal protection in place by both jurisdictions, the deal was mainly welcomed and not criticised, showing the potential of the largest area of free flow of personal data created by the decisions. While new relationships are formed and existing ones are strengthened and facilitated, the minor differences between the two frameworks should be overseen by the competent authorities, and a reassessment is already foreseen for 2030, which can bring even more answers to data subjects affected by one of these jurisdictions.
