Brazil and EU announce Mutual Adequacy Decision on Personal Data Protection
Brazil and the European Union have taken a significant step toward consolidating a safer and more efficient flow of international personal data transfers through the mutual recognition of adequacy between the two regions. This alignment results from coordinated autonomous decisions confirming that both Brazil and the European Union provide a level of personal data protection adequate to that established under the GDPR and the LGPD, respectively.
On the Brazilian side, the decision was formalized through Resolution No. 32/2026 of the Brazilian Data Protection Authority (ANPD), which recognizes the European Union as an international entity that ensures an adequate level of protection. The Resolution authorizes international data transfers to all EU Member States, the three EFTA countries that are part of the European Economic Area (Iceland, Liechtenstein, and Norway), as well as EU institutions, bodies, and agencies.
The Resolution also provides for ongoing cooperation between the ANPD and European authorities for information exchange and regulatory harmonization, while establishing continuous monitoring of the level of data protection maintained by the European Union, which will be reassessed in four years. Additionally, the text clarifies that the adequacy recognition does not preclude organizations from using other international transfer mechanisms provided under the LGPD when more appropriate to their needs.
In practical terms, personal data may now flow directly and more simply between Brazil and the European Union, with a high level of protection and without the need for additional international transfer mechanisms (although these remain permitted). The measure reduces costs, enhances legal certainty, and strengthens relationships between Brazilian and European data controllers, processors, and data subjects.
The Resolution also specifies that the adequacy decision does not apply to international data transfers carried out exclusively for purposes of public security, national defense, State security, or activities related to the investigation and prosecution of criminal offenses.
For further information, please contact the heads of the Privacy and Data Protection team, Adriano Chaves and Marcia Issler Mandelbaum.
This bulletin is for information purposes only and should not be relied upon for legal advice on any of the topics covered here. For further information, please contact the leaders of the Privacy and Data Protection Team. CGM Advogados. All rights reserved.