On May 18, 2022, the Brazilian National Data Protection Authority (ANPD) opened a call for contributions to collect inputs from society in regard to the regulation of international personal data transfers.
The ANPD welcomes contributions to any of the questions listed below:
1) What are the current obstacles for companies to transfer data from Brazil to other countries? And from other countries to Brazil?
2) What is the best way to promote convergence and interoperability between contractual instruments for international data transfers with the instruments from other jurisdictions? And how can the ANPD act in this regard?
3) What are the most effective and most used instruments to enable international data transfers by large and small companies or organizations?
4) What are the main benefits and impacts of international data transfers? And what are the best alternatives for addressing them in each of the contractual instruments for data transfers included in the LGPD and in international practice?
5) Which criteria and/or requirements should be considered in regulating each of the following international data transfer mechanisms and why?
a. standard contractual clauses;
b. specific contractual clauses; and
c. binding corporate rules.
6) To what extent should the elements to be considered by ANPD also be taken into account within the scope of the rules for contractual instruments in assessing the level of data protection of foreign countries or international bodies for adequacy purposes (Article 34 of the LGPD)?
7) Should the standard contractual clauses be rigid and with predefined content? Or should their regulation allow certain flexibility concerning the text of the clauses, specifying the desired results and allowing changes as long as they are not in conflict with the available standard text?
8) What is the most appropriate format for ANPD to make models of standard contractual clauses available for international data transfers? Are there any relevant tools that could be used to this end (e.g., decision tree, forms, checkboxes)? Are there any experiences on the topic that can serve as an example for the ANPD?
9) Is it necessary to have different rules depending on the type of processing agents (e.g., specific modules for controllers or processors) as data exporters or importers in international data transfers based on contractual clauses? If so, what would they be?
10) Are there requirements for Binding Corporate Rules that need to be different from those usually required for Standard Contractual Clauses? If so, what would they be?
11) What criteria should be considered when defining a corporate or economic group for the purpose of applying Binding Corporate Rules?
12) What is the minimum information (level of detail) on personal data needed to allow proper compliance analysis by the ANPD of international transfers of data carried out by contractual instruments, so as to minimize negative impacts on business activities and to preserve a high degree of protection for the data subject?
13) What are the risks and benefits of allowing transfers between different economic groups whose binding corporate rules have been approved by the ANPD?
14) Are there any experiences with the verification and approval of specific contractual clauses and binding corporate rules that could serve as an example for the ANPD?
15) What are the data subject’s rights in case of changes in the original configuration of the transfer? In which situations is it essential to communicate directly with data subjects or to enable some type of intervention by them?
16) What are the best alternatives for resolving conflicts among processing agents and/or between said agents and data subjects involving contractual instruments for international data transfers? Could bilateral, multilateral, or international cooperation between data protection authorities assist in conflict resolution? If so, how?
17) What are the best alternatives to promote regulatory compliance (including in regard to importers) regarding international data transfers?
18) What are the best alternatives to resolve practical issues related to the accountability of stakeholders who transfer data overseas, especially in cases with onward transfers to other jurisdictions or when data is processed by other data processing agents in the same jurisdiction?
19) What obligations should be assigned to the importer and exporter in case of access to data by foreign public authorities?
20) What are the most appropriate mechanisms to provide data subjects with clear and relevant information about possible transfers of their personal data to other countries as well as to ensure the adequate protection of data subjects’ rights in international data transfers? How should these instruments be implemented?
Contributions must be sent exclusively through the “Participa Mais Brasil” platform, via the “Opine Aqui” option (https://www.gov.br/participamaisbrasil/), until June 17, 2022.
Our team is closely monitoring any measures regarding data protection and assisting clients in privacy and data protection matters. For more information on this, please email privacy@lickslegal.com.