Brazil and the European Union Mutually Recognize Adequacy in Personal Data Protection (Resolution No. 32, dated January 26, 2026)

Summary

Brazil and the European Union have taken a historic step in international cooperation on personal data protection with the announcement of their reciprocal recognition that each provides an adequate level of personal data protection. The measure was formalized in Brazil through the publication of Resolution CD/ANPD No. 32, dated January 26, 2026, by the Brazilian Data Protection Agency (ANPD), which recognizes, for the purposes of international transfer of personal data, the European Union as an international body with a level of personal data protection adequate to what is provided under the Brazilian Data Protection Law (LGPD).

In practice, the recognition of adequacy allows personal data to circulate between Brazil and the European Union in a direct, secure, and simplified manner, without the need to adopt additional mechanisms for international data transfer, pursuant to Article 33, I, of the LGPD.

To whom it applies 

The adequacy decision applies to public and private processing agents that transfer personal data internationally between Brazil and:

• the Member States of the European Union;
• the countries of the European Free Trade Association (EFTA) that are part of the European Economic Area (EEA) – Iceland, Liechtenstein, and Norway; and
• the institutions, bodies, and agencies of the European Union, under the terms of applicable European legislation.

What is an adequacy decision?

An adequacy decision is an act issued by a regulatory authority recognizing that a particular country or international entity offers guarantees of personal data protection equivalent to those required by the local personal data protection legislation. This recognition serves as a fast track for the international circulation of personal data between jurisdictions, eliminating additional adequacy steps and allowing data to flow directly and securely.

In the case of Brazil and the European Union, these are unilateral, independent, and legally autonomous decisions, adopted in a coordinated manner between the two entities. The European Commission recognizes that Brazil adequately protects personal data as described in the General Data Protection Regulation (GDPR), while Brazil, through Resolution CD/ANPD No. 32/2026, recognizes that the European Union offers a level of protection compatible with the LGPD.

Institutional cooperation and monitoring

Resolution CD/ANPD No. 32/2026 provides that the ANPD may establish cooperation mechanisms with the European Commission and European data protection authorities, including regarding:

• exchange of information on the application and interpretation of the legislation;
• convergence of regulatory practices and sharing of best practices; and
• continuous monitoring of the level of data protection maintained by the European Union.

In addition, it establishes that the adequacy decision will be reassessed within four (4) years from the entry into force of Resolution CD/ANPD No. 32/2026, considering, among other aspects, any subsequent changes in personal data protection legislation.

Limits of application

Under the terms of Resolution CD/ANPD No. 32/2026, the adequacy decision does not apply to international data transfers carried out exclusively for purposes of public security, national defense, state security, or criminal investigation and prosecution activities, in accordance with the limits established by the LGPD itself.

Entry into force

Resolution CD/ANPD No. 32 came into force on the date of its publication, January 26, 2026.