The European Commission and Brazil have today adopted mutual adequacy decisions confirming that their data protection levels are comparable. Recognising the high standards of data protection that protect consumers and citizens on both sides, these agreements now allow businesses, public authorities and researchers to freely exchange data between the EU and Brazil.
By ensuring that personal data can flow freely and securely between the EU and Brazil without any additional requirements, digital trade between the two jurisdictions will be boosted. The decisions will save costs and ensure legal certainty and stability for European companies that have already invested in Brazil and for Brazilian companies expanding into the EU market. They create the world’s largest area of free and secure data flows, benefiting a combined total of 670 million consumers across the EU and Brazil.
These mutual adequacy decisions are part of the historic Association Agreement (AEMP) and Interim Trade Agreement (ACI) signed on 17 January between the EU and Mercosur. The decisions will be a key element in strengthening trade between the EU and Brazil and send another strong geopolitical signal, demonstrating the EU and Brazil’s shared commitment to multilateralism and the rules-based international order.
The adoption of the mutual adequacy decisions follows an opinion from the European Data Protection Board and the green light from EU Member States in the so-called comitology procedure. The Commission will review the functioning of its adequacy decision after a period of four years.
Background
The Brazilian Constitution protects privacy and data protection as fundamental rights, as does the EU Charter of Fundamental Rights. In 2018, Brazil adopted the General Data Protection Law, equivalent to the General Data Protection Regulation in the EU. It subsequently created an independent data protection authority, the National Data Protection Authority, a fundamental principle of the EU data protection framework. Brazil’s General Data Protection Law offers a high degree of convergence with the scope, safeguards, rights, obligations, supervision, enforcement mechanism and remedies of the GDPR.
The European Commission has the power to determine, under the GDPR, whether a country or international organisation outside the EU ensures an adequate level of data protection. The Commission could then initiate the process for adopting an adequacy decision allowing the free flow of personal data from the EU and the European Economic Area to a third country or international organisation without further obstacles.
To date, the Commission has recognised, in various areas, that Andorra, Argentina, Canada, the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, the Republic of Korea, Switzerland, the United Kingdom under the General Data Protection Regulation and the Directive on data protection in criminal matters, the United States, Uruguay and the European Patent Organisation provide adequate protection.
Further information: European Commission.
Publicaciones relacionadas:
Child sexual abuse: Council reaches position on regulation to protect children from online abuse
Child sexual abuse online: effective measures, no mass surveillance
CJEU clarifies: the supervisory authority of a Member State may order the erasure of unlawfully processed data even in the absence of a prior request by the data subject
6 tips to spot and stop information manipulation
Commission preliminarily finds TikTok and Meta in breach of their transparency obligations under the Digital Services Act
Leave a Reply