What Counts as an International Data Transfer Under the LGPD
Article 33 of the LGPD (Law No. 13,709/2018) sets out nine scenarios in which personal data may leave Brazil. The list is exhaustive. If a transfer does not fit one of these categories, it is unlawful.
Resolution CD/ANPD No. 19/2024, published on 23 August 2024, clarified what qualifies as a transfer in the first place. A transfer occurs when a data exporter in Brazil transmits, shares, or makes personal data accessible to a data importer located abroad. Mere remote access to data stored in Brazil from a foreign location does not count - a distinction that matters for multinational teams accessing a single Brazilian database.
The Resolution also broadened the definition in one important way. Data sharing between two foreign entities - say, a US company passing data to a Japanese subsidiary - can be treated as an international transfer under the LGPD if the processing targets individuals located in Brazil. This extraterritorial reach mirrors the approach of the GDPR under its Article 3 scope rules.
The Five Transfer Mechanisms Under Resolution 19/2024
The ANPD's 2024 regulation operationalised five of the mechanisms listed in Article 33. Each carries different obligations and timelines.
1. Adequacy Decisions
An adequacy decision is a formal finding by the ANPD that a foreign country or international organisation offers a level of personal data protection equivalent to the LGPD. Once granted, data can flow freely to that jurisdiction without additional contractual safeguards.
The ANPD evaluates several factors before issuing a decision: the destination country's general and sectoral data protection laws, the existence of an independent supervisory authority, judicial and institutional guarantees, and the effectiveness of enforcement mechanisms. Article 34 of the LGPD spells out these criteria.
For years, no adequacy decisions existed. That changed in January 2026, when the ANPD and the European Commission simultaneously recognised each other's frameworks as adequate - creating a mutual adequacy agreement between Brazil and the EU. The EDPB had endorsed the alignment in its November 2025 opinion, noting that the LGPD closely mirrors EU legislation and CJEU case law.
2. Standard Contractual Clauses (SCCs)
For transfers to countries without an adequacy decision, standard contractual clauses are the primary mechanism. The ANPD published its own set of SCCs in Annex II of Resolution 19/2024, covering both controller-to-controller and controller-to-processor transfers.
These clauses must be adopted in full, without modification. They can form a standalone contract or be attached to an existing agreement. Unlike the European Commission's modular approach, the Brazilian SCCs use a single template with customisable fields rather than separate modules.
The grace period for incorporating these clauses expired on 23 August 2025. From that date, contractual clauses drafted independently by companies - including those based on EU SCCs - no longer satisfy the LGPD's transfer requirements on their own.
3. Equivalent Standard Contractual Clauses
The LGPD introduced a concept not found in the GDPR: the ANPD can recognise SCCs from other jurisdictions as equivalent, provided they are compatible with Brazilian law. This would spare companies from maintaining parallel sets of clauses for the same data flows. To date, no equivalence decisions have been issued, though market observers expect EU SCCs to be among the first assessed.
4. Specific Contractual Clauses
When standard clauses prove impractical due to exceptional circumstances, a controller may request ANPD approval for bespoke clauses. The bar is high. The applicant must demonstrate why the standard template cannot work and ensure the custom clauses still align with LGPD principles. Approval is granted through the ANPD's Electronic Information System (SEI).
5. Binding Corporate Rules (BCRs)
BCRs cover intra-group transfers within multinational companies. All entities subscribing to the rules are bound by them, and the rules themselves require prior ANPD approval. They must include a data privacy governance programme, clear transfer procedures, defined responsibilities, and mechanisms for ANPD oversight. Given the ANPD's limited staffing history, obtaining BCR approval can take months.
How the LGPD Compares to the GDPR on Data Transfers
Website owners already familiar with GDPR cross-border transfer rules will notice structural similarities - and a few meaningful differences.
| Aspect | LGPD (Brazil) | GDPR (EU) |
|---|---|---|
| Primary legislation | Articles 33-36, Law 13,709/2018 | Articles 44-49, Regulation 2016/679 |
| Supervisory authority | ANPD | National DPAs + EDPB |
| Adequacy decisions | EU recognised (Jan 2026); others pending | 16 countries + territories recognised |
| Standard contractual clauses | Single template with customisable fields; no modules | Modular approach (4 modules for different party combinations) |
| Equivalent SCCs from other jurisdictions | Yes - ANPD can recognise foreign SCCs | No equivalent concept |
| Transfer impact assessments | Importer must verify local law compatibility | Exporter must conduct TIA (post-Schrems II) |
| BCR approval | Requires prior ANPD approval | Requires lead DPA approval via cooperation procedure |
| Maximum fine for violations | 2% of Brazilian revenue, capped at BRL 50 million | 4% of global turnover or EUR 20 million |
One notable divergence: under the LGPD, the data importer bears responsibility for verifying that the laws of the destination country are compatible with the contractual clauses. Under the GDPR (particularly after Schrems II), that burden falls on the data exporter. This distinction affects how you allocate compliance work between your Brazilian entity and foreign partners.
The EU-Brazil Mutual Adequacy Decision: What It Means in Practice
The mutual recognition finalised on 27 January 2026 is a landmark. Personal data can now move between Brazil and all EU/EEA member states without SCCs, BCRs, or any additional transfer mechanism under the LGPD or ANPD Resolution 19/2024.
The process unfolded over several years. The European Commission published its draft adequacy decision on 5 September 2025. The EDPB issued a supportive opinion on 4 November 2025, requesting clarifications in areas such as data protection impact assessments, transparency limitations linked to commercial secrecy, and onward transfer rules. The Council of the EU also gave its support. In parallel, the ANPD conducted its own legal evaluation and presented its reciprocal decision to its Board of Directors.
For website owners, the practical effect is straightforward: if your only cross-border data flows are between Brazil and the EU, you no longer need contractual clauses to legitimise those transfers. You do still need a valid legal basis for processing the data in the first place - adequacy decisions do not replace consent, legitimate interest, or other grounds under Article 7 of the LGPD.
Transfers to Countries Without an Adequacy Decision
The EU is currently the only jurisdiction with an ANPD adequacy finding. Transfers to the United States, Canada, the United Kingdom, Australia, Japan, or any other country still require one of the contractual mechanisms described above - most commonly, the ANPD's standard contractual clauses.
If you operate a website that uses third-party services hosted in the US (analytics platforms, CDNs, email marketing tools), your data flows likely qualify as international transfers under the LGPD. Each of those service providers is a data importer. You, as the controller, are the data exporter.
The steps to comply are concrete. Map every personal data flow that crosses Brazil's borders. For each flow, identify whether the destination has an adequacy decision. If not, incorporate the ANPD's SCCs into your contracts with each importer. Publish information about these transfers in your privacy notice, and be prepared to provide the full SCC text to any data subject who requests it within 15 days.
Cookies and International Transfers
Third-party cookies present a specific transfer challenge. When your website loads a _ga cookie from Google Analytics or a _fbp pixel from Meta, data about your Brazilian visitors is transmitted to servers outside Brazil. Under the LGPD, each of these cookie-driven data flows is an international transfer that needs a lawful basis.
A consent management platform helps you manage this by blocking third-party scripts until visitors grant valid consent. But consent alone is not enough - you also need the contractual layer (SCCs or an adequacy decision) to cover the transfer itself. Cookie consent addresses the collection; the transfer mechanism addresses the destination.
Enforcement and Penalties for Non-Compliant Transfers
The ANPD can impose fines of up to 2% of a company's gross revenue in Brazil, capped at BRL 50 million (roughly USD 9.3 million) per infraction under Article 52 of the LGPD. Non-monetary sanctions include public disclosure of violations, data blocking, deletion orders, and suspension of processing activities for up to six months.
Enforcement activity has been accelerating. In 2024, the ANPD sanctioned three public entities - the Regional Department of Education of the Federal District (SEEDF), the National Social Security Institute (INSS), and the Ministry of Health - primarily for security incident failures and inadequate breach notification. Preventive measures were issued against Meta in July 2024 for processing personal data for AI training without consent, and against X Corp in December 2024 for processing children's data to train generative AI.
While no fines have yet been levied specifically for unlawful international transfers, the ANPD has signalled that post-August 2025 enforcement will focus on transfer compliance now that the SCC grace period has ended. Twenty large companies were already under investigation in 2024 for failing to appoint a data protection officer.
Practical Compliance Checklist for Website Owners
Start by auditing your data flows. Identify every third-party service, cookie category, and analytics tool that transmits personal data outside Brazil. For each destination country, determine whether an adequacy decision applies. If the data goes to the EU, you are covered by the mutual adequacy agreement. If it goes anywhere else, you need SCCs in place.
Review your existing contracts with data importers. Any pre-August 2025 contractual clauses that were not based on the ANPD's approved template are now insufficient. Replace them with the standard clauses from Annex II of Resolution 19/2024, or confirm that your importers' contracts already include them.
Update your privacy notice to disclose international transfers, the countries involved, and the safeguards used. Data subjects have a right to request the full text of the contractual clauses - be ready to respond within 15 days.
Run a cookie scan on your website to identify all third-party scripts that trigger cross-border data flows. Many website owners are surprised to find 15 or 20 cookies they did not knowingly set, each one potentially representing an international transfer that needs documenting.
Frequently Asked Questions
Does the LGPD apply to websites outside Brazil that collect data from Brazilian visitors?
Yes. Article 3 of the LGPD gives it extraterritorial scope. If your website offers goods or services to people in Brazil or processes personal data of individuals located there, the LGPD applies regardless of where your company is based.
Can I still use EU standard contractual clauses for transfers from Brazil?
Not on their own. Since 23 August 2025, only the ANPD's own SCCs (or ANPD-approved equivalents) satisfy the LGPD's requirements. The ANPD has not yet recognised EU SCCs as equivalent, so you need to adopt the Brazilian template for transfers originating from Brazil.
Do I need SCCs for transfers from Brazil to the EU after the mutual adequacy decision?
No. The mutual adequacy agreement finalised in January 2026 allows personal data to flow freely between Brazil and the EU without additional contractual safeguards. You still need a lawful basis for processing the data itself under Article 7 of the LGPD.
What happens if I transfer personal data from Brazil to the US without SCCs?
The US does not have an ANPD adequacy decision. Transferring personal data there without the ANPD's standard contractual clauses (or another valid mechanism) is an unlawful transfer. Penalties can reach up to 2% of your Brazilian revenue, capped at BRL 50 million per infraction.
Are cookies that send data abroad considered international transfers under the LGPD?
Yes. When a third-party cookie like _ga or _fbp transmits data from a Brazilian visitor to servers outside Brazil, this qualifies as an international data transfer. You need both valid consent and a transfer mechanism (adequacy decision or SCCs) to comply.
How long does it take to get ANPD approval for binding corporate rules?
There is no fixed timeline. The ANPD reviews BCR applications through its Electronic Information System, and the process can take several months given the authority's workload. Companies should begin the application well in advance of any planned intra-group transfers.
Get Your Cross-Border Data Flows in Order
If your website serves visitors in Brazil and relies on third-party tools hosted abroad, your data transfers need a lawful footing under the LGPD. Kukie.io scans your site for cookies and third-party scripts, categorises them, and helps you manage consent - giving you a clear view of where your data goes and what safeguards you need.
