Brazil's data protection authority, the ANPD, has finalised Resolution CD/ANPD No. 19/2024 on international personal data transfers, completing a piece of regulatory plumbing that the Lei Geral de Proteção de Dados (LGPD, Law 13.709/2018) has been missing since it took effect in 2020. The resolution sets out standard contractual clauses (SCCs), the criteria the ANPD will use to recognise foreign jurisdictions as adequate, and the procedural mechanics for binding corporate rules. Implementation guidance is continuing to roll out into 2026.
For Brazilian exporters of data — fintechs settling cross-border payments, agritech firms working with Asian buyers, SaaS vendors serving multinational clients — this is unambiguously good news. After four years of legal grey zone, companies finally have a defensible toolkit for moving personal data out of Brazil without inventing bespoke arguments under Article 33 of the LGPD. The ANPD has broadly tracked the architecture of the European Union's General Data Protection Regulation (GDPR), which lowers compliance costs for firms already operating under EU rules.
The real friction is on the receiving end
The harder problem is not how data leaves Brazil — it is what happens when it arrives in the Asia-Pacific. Three jurisdictions in particular illustrate why a well-designed Brazilian transfer regime can only do so much when the destination country imposes its own gravity well.
China's PIPL and the security assessment regime
China's Personal Information Protection Law (PIPL), in force since November 2021, layers a cross-border transfer regime on top of the Cybersecurity Law and the Data Security Law. Personal information processors above certain thresholds must undergo a security assessment by the Cyberspace Administration of China (CAC), sign CAC-issued standard contracts, or obtain certification. The CAC's March 2024 "Provisions on Promoting and Regulating Cross-Border Data Flows" loosened some thresholds — particularly for free-trade zones and lower-volume transfers — but the overall framework still presumes that personal data, and a much broader category of "important data," should stay onshore unless explicitly cleared to leave.
The practical consequence for a Brazilian company is that even with perfect ANPD-compliant SCCs in place, a Chinese counterparty may be unable to receive data without its own outbound assessment when sending data back. Bilateral flows, in other words, are gated by the more restrictive end.
India's DPDP Act: a different kind of uncertainty
India's Digital Personal Data Protection Act, 2023 took the opposite drafting approach to the EU and Brazil. Rather than enumerate adequate jurisdictions, Section 16 empowers the central government to blacklist countries to which transfers are restricted. The list, and much of the operational detail, depends on subordinate rules that have been rolling out gradually. For Brazilian businesses, the ambiguity is structural: there is no formal mechanism today by which Brazil can be "recognised" by India in the GDPR sense. Sectoral rules — particularly the Reserve Bank of India's 2018 payment-data localisation directive — continue to require certain categories of data to be stored within India regardless of any general transfer regime.
Vietnam's Decree 53 and the storage mandate
Vietnam's Decree 53/2022/ND-CP, implementing the 2018 Cybersecurity Law, requires both domestic and certain foreign service providers to store specified categories of Vietnamese-user data in Vietnam and, in some cases, to establish a local branch or representative office. Decree 13/2023/ND-CP on personal data protection added a separate transfer-impact-assessment requirement. The cumulative effect is that data "transferred" from Brazil to Vietnam may need to be mirrored locally — a duplication cost that no SCC can paper over.
Why the ANPD's restraint is the right call
It would have been tempting for Brazil to respond to APAC localism with reciprocal hard rules — "if your data must stay in your country, ours stays in ours." The ANPD has wisely declined to go down that road. Reciprocal localisation is a lose-lose equilibrium: it raises costs for domestic companies, fragments cloud infrastructure, weakens cybersecurity (because data ends up replicated across more jurisdictions), and rarely delivers the sovereignty benefits its proponents promise.
The OECD's 2022 "Going Digital" work, the World Bank's 2021 World Development Report on data, and successive analyses from think tanks including the Information Technology and Innovation Foundation have all reached a similar conclusion: cross-border data flows are a net contributor to GDP, and forced localisation imposes measurable drag on small and medium enterprises in particular. Brazil's services exports — a growing share of its trade — depend on the country remaining a credible, GDPR-adjacent transfer partner.
What to watch in 2026
- Adequacy decisions: whether the ANPD issues its first adequacy recognitions, and whether the EU reciprocally recognises Brazil. Mutual adequacy with the EU would be the single biggest unlock for Brazilian exporters.
- Mercosur alignment: Argentina is already on the EU's adequacy list. A Mercosur-wide transfer framework would give the bloc real bargaining power with APAC counterparts.
- Sectoral carve-outs: financial services and health data are where APAC localisation bites hardest. Watch for ANPD–Banco Central coordination on payment data flows.
Resolution 19/2024 is a model of proportionate regulation: it gives businesses certainty without erecting new barriers. The harder diplomatic work — convincing APAC partners that interoperability beats isolation — is just beginning.