The Brazilian National Authority of Data Protection (ANPD) has called for feedback on the regulation of international transfers of personal data. International data transfers are an essential instrument for developing the digital economy. The regulation of these mechanisms is essential to not only allow the competitive insertion of Brazilian companies in global value chains but also to ensure the effective protection of data subjects and their personal data.
Contributions must be sent through the Participa Mais Brazil platform via the Opine Aqui option. This is open until Friday 17th June 2022.
These are the questions that they are asking for feedback on:
1) What are the current obstacles for companies to transfer data from Brazil to other countries? And from other countries to Brazil?
2) What is the best way to promote convergence and interoperability between contractual instruments for international data transfers with instruments from other jurisdictions? And how can ANPD act in this regard?
3) What are the most effective and the most used instruments to enable international data transfers by large and small companies or organizations?
4) What are the main benefits and impacts of international data transfers, and what are the best alternatives for addressing them in each of the contractual instruments for data transfers included in the LGPD and in international practice?
5) Which criteria and/or requirements should be considered in regulating each of the following international data transfer mechanisms and why?
a. standard contractual clauses;
b. specific contractual clauses; and
c. binding corporate rules.
6) To what extent should the elements to be considered by ANPD in assessing the level of data protection of foreign countries or international bodies for adequacy purposes (article 34 of the LGPD) also be taken into account within the scope of the rules for contractual instruments?
7) Should the standard contractual clauses be rigid and with predefined content, or should their regulation allow certain flexibility concerning the text of the clauses, specifying the desired results and allowing changes as long as they do not conflict with the standard text made available?
8) What would be the most appropriate format for ANPD to make available models of standard contractual clauses for international data transfers? Are there any relevant tools that could be used to this end (e.g., decision tree, forms, checkboxes)? Are there any experiences on the theme that could serve as an example for ANPD? S
9) Is it necessary to have different rules depending on the type of processing agents (e.g., specific modules for controllers or processors) as data exporters or importers in international data transfers based on contractual clauses? If so, what would they be?
10) Are there requirements that need to be different for Binding Corporate Rules from those usually required for Standard Contractual Clauses? If so, what would they be?
11) How should a corporate group be defined for the purpose of application of Binding Corporate Rules?
12) What is the minimum information (level of detail) on personal data needed to allow proper compliance analysis by ANPD of the international transfers of data carried out by contractual instruments, in order to minimize negative impacts on business activities and preserve a high degree of protection for the data subject?
13) What are the risks and benefits of allowing transfers between different economic groups whose binding corporate rules have been approved by ANPD?
14) Are there any experiences with the verification and approval of specific contractual clauses and binding corporate rules that could serve as an example for ANPD?
15) What are the data subject’s rights in case of changes in the original configuration of the transfer? In which situations is it essential to communicate directly with the data subjects or to enable some type of intervention by them?
16) What are the best alternatives for resolving conflicts between processing agents and/or between those agents and data subjects involving contractual instruments for international data transfers? Could bilateral, multilateral or international cooperation between data protection authorities assist in conflict resolution? If so, how?
17) What are the best alternatives to promote regulatory compliance (including concerning the importer) regarding international data transfers?
18) What are the best alternatives to resolve practical issues related to the accountability of stakeholders who transfer data overseas, especially in cases where onward transfers to other jurisdictions occur or when data is processed by other data processing agents in the same jurisdiction?
19) What obligations should be assigned to the importer and exporter in case of access to data by foreign public authorities?
20) What are the most appropriate mechanisms to provide data subjects with clear and relevant information about the possible transfer of their personal data outside of Brazil as well as to ensure the adequate protection of data subjects’ rights in international data transfers? How should these instruments be implemented?