Cross-Border Transfers in the GDPR AND LGPD Framework: Foundations and Challenges

In a globalised economy and society, data transfers for processing from one company to another or between different entities of the same group are routine and a natural consequence of this interconnectivity that surrounds us. The GDPR aims to ensure that the level of protection of European data subjects prescribed by the EU framework is not undermined by these data transfers. Therefore, it establishes special requirements regarding the transfer of personal data to third countries or international organisations (Chapter V). Convergently, the Brazilian framework, Lei Geral de Proteção de Dados (LGPD), adopts similar requirements, highlighting the strong influence of the GDPR in the Brazilian context and a solid reflection of the Brussels Effect in practice analysed on the first part of this edition focused on cross-border data transfers. 

Concretely, in the European context, these restrictions do not apply to EU member states and, by agreement, on the European Economic Area (EEA), which brings Iceland, Liechtenstein and Norway into the internal market. In fact, proscriptions of the free movement of personal data with the EEA are forbidden (Article 1(3)). In addition, cross-border personal data transfers are allowed to companies and entities based in parties to the Convention 108 of the Council of Europe, including non-member of the international organization like Argentina, Mauritius and Uruguay, which have ratified the Additional Protocol that updated the treaty, now known as Modernised Convention 108 or Convention 108+.

Focusing on the EU’s requirements for cross-border data transfers, there are three main mechanisms that entities can rely upon to abide to the GDPR’s provisions: a) adequacy decision, b) appropriate safeguards, including enforceable rights and legal remedies for the data subjects c) treaties and international agreement. However, the latter are restricted to specific sectors such as the Passenger Name Records (PNR) and the Terrorist Financing Tracking Programme (TFTP).

In the absence of such an adequacy decision, the controller and processor can rely on the list of Article 46 of acceptable safeguards. They range from legally binding and enforceable instruments between public authorities as well as binding corporate rules (Article 47) to more contractual solutions like standard data protection clauses approved by the EU Commission and authorised contractual clauses between controller or processor and the recipient in the third country. Codes of conduct binding the controller or processor in the third country to apply the appropriate safeguards and certification mechanisms pursuant article 42 are also accepted options.

Furthermore, special derogations are provided in Article 49, but they must be considered a last resort option due the limited scope. In absence of an adequacy decision and safeguards, data transfers will only be allowed based on explicit consent from the data subject, contractual relationship with the data subject where the transfer is required, public interest, exercise or defend legal claims. Finally, in a strictly exceptional way where none of the conditions above applies, cross-border data transfer may only occur if not repetitive, concerning a limited number of individuals and based on a compelling legitimate interest of the data controller that does not override the rights provided by the GDPR.

On a similar path, the LGPD mandates that the transfer of personal data abroad must adhere to a central principle, similar to that adopted by the European GDPR: the guarantee of equivalent protection. International transfers can only occur if the destination country or organization offers an adequate level of protection or if standard contractual clauses or binding corporate rules are utilized. The Resolution CD/ANPD Nº 19 provides detailed rules and procedures applicable to these international operations.

The regulatory architecture of the LGPD and the GDPR regarding international data flow is notably similar. However, the primary distinction lies in the level of maturity and regulatory consolidation. The GDPR operates with a long history of jurisprudence and a consolidated system of adequacy decisions and contract models. In contrast, the LGPD, while having established its mechanisms, is in an earlier phase of evaluating the adequacy of other nations and the practical application of these instruments.

Another significant difference lies in the procedure for issuing an adequacy decision. In Brazil, according to article 55-J of the LGPD and to article 10 of the Resolution CD/ANPD Nº 19, the National Data Protection Authority (ANPD) is the competent body to analyse and issue the adequacy decision. The procedure for this evaluation is defined through the Authority’s own regulation. In contrast, in the European Union system, the process under the GDPR involves a more distributed decision-making structure. The European Commission is responsible for the analysis and issuing the adequacy decision(Article 42(2)). The role of the European Data Protection Board (EDPB) is strictly consultative: the EDPB issues an opinion on the draft decision prepared by the European Commission, but it does not hold the power of the final decision (Article 70(1)(s)). 

Step by Step: Preliminary EU-Brazil Adequacy Decision 

A recent milestone was the release, in September 2025, of the preliminary draft adequacy decision by the European Commission. This document acknowledges that Brazil possesses a standard of personal data protection equivalent to that defined by European Union law.

Once formalized, this decision will establish a more cohesive and stable regulatory environment, providing greater predictability and security for economic actors and social entities across both continents. In practice, this standardization is expected to optimize international transactions, elevate the standard of protection offered to data subjects, and generate clear competitive advantages for both Brazilian and European companies.

The Director-President of the ANPD, Waldemar Gonçalves, emphasized that this decision is vital for facilitating international data transfers between Brazil and the European Union. He underscored that, beyond the economic value, the measure is strategic because it safeguards the rights of data subjects. The ANPD, as the central body, is responsible for interpreting the LGPD and ensuring every citizen’s constitutional right to the protection of their personal data.

So Far, So Good: The EDPB Opinion 

In November 2025, the European Data Protection Board (EDPB) issued its Opinion on the aforementioned preliminary draft decision. Overall, the EDPB’s assessment was positive, confirming that Brazilian legislation, particularly the LGPD, is broadly aligned with the protection principles and individual rights set forth by the EU’s GDPR.

Nevertheless, the Opinion requested further clarification and monitoring in certain areas, such as transparency limitations related to commercial and industrial secrecy, and some ambiguities regarding subsequent international transfers. A crucial part of the analysis focused on the rules governing governmental access to personal data by Brazilian authorities for law enforcement and national security purposes. While the EDPB noted that the Brazilian Supreme Federal Court (STF) has expanded the LGPD’s partial applicability in these sensitive contexts, legal uncertainty persists in the absence of specific legislation dedicated to law enforcement activities. The EDPB, in its concluding remarks, urged the European Commission to define the concept of national security more precisely and to closely monitor the practical implementation of the LGPD and the supervisory powers of the ANPD.

The Quest Continues: Next Steps in the Process

On the Brazilian side, the ANPD still needs to finalize the technical analysis of equivalence between the LGPD and the GDPR before the process moves forward for final deliberation by the agency’s Board of Directors.

On the European side, regardless of the acceptance of the suggestions in the Opinion 28/2025 of the EDPB, the draft adequacy decision must be submitted for approval by the representatives of the EU member states and subsequently be definitively adopted by the European Commission.

Finally, it is essential to remember that obtaining an adequacy decision is not a permanent guarantee. Article 45(3) of the GDPR stipulates that the European Commission is obligated to re-examine, at least every four years, whether the granted adequacy status remains justified both factually and legally. Concretely, the draft of the Adequacy Decision refers to a four years review window on its Article 3. 

In an interconnected landscape marked by regulatory fragmentation and conflicting norms, adequacy decisions emerge as crucial instruments for legal certainty for cross-border data transfer. Beyond recognizing equivalent levels of data protection afforded to Brazilian and British citizens, such decisions hold strategic relevance: they consolidate the European Union’s connection with the United Kingdom in post-Brexit context, where the UK plays a key role in Europe’s economy, particularly in data-driven industries. They also foster an institutionalized rapprochement with Latin America, where countries like Argentina and Uruguay already have adequacy decisions in place.

Suggested citation:

Larissa Campos and Elio Machado Neto, ‘A New Era for Adequacy Decisions? The Roadmap for Brazil’ (Comparative Digital Law Blog, 19 December 2025) <https://lawandtech.ie/a-new-era-for-adequacy-decisions-the-roadmap-for-brazil>.

About the author:

Larissa Campos holds an Erasmus Mundus Joint Master in Personal Data Protection and Artificial Intelligence (EMILDAI), awarded by Dublin City University. LL.B. from FGV Direito Rio. Attorney specializing in Digital Law at BFBM Advogados.

Elio Machado Neto is an Associate at Zeidler Group and a European Master in Law, Data and Artificial Intelligence (EMILDAI) graduate. In addition, Elio is a co-editor of the Comparative Digital Law Blog.