In August 2024, Brazil's data protection authority, the Autoridade Nacional de Proteção de Dados (ANPD), issued Resolution CD/ANPD No. 19/2024, finally operationalising the international data transfer chapter of the Lei Geral de Proteção de Dados (LGPD). Nearly two years later, the regulation is quietly reshaping how Brazilian personal data moves to Asia-Pacific — not by banning transfers, but by making compliant ones procedurally expensive enough that on-shore processing becomes the path of least resistance.
For a country that has positioned itself as a digital trade champion in BRICS and as a Mercosur anchor, this is a meaningful shift. And it is worth interrogating whether the design serves the proportionality LGPD's drafters originally aspired to.
What Resolution 19/2024 actually requires
Resolution 19/2024 implements Articles 33–36 of LGPD, which had sat largely dormant since the law's 2020 enactment. The resolution sets out the legal bases for international data transfer, including:
- Adequacy decisions issued by ANPD, modelled on the GDPR's adequacy mechanism, recognising third countries with comparable protection levels.
- Standard Contractual Clauses (SCCs) annexed to the resolution itself — Brazilian SCCs in Portuguese, structurally similar to the European Commission's 2021 modules.
- Binding Corporate Rules for intra-group transfers within multinationals.
- Recognition of specific contractual clauses, codes of conduct, and certifications, subject to ANPD approval.
Importantly, transfers based on data subject consent or contractual necessity remain available, but ANPD has signalled that these should be treated as exceptions rather than routine compliance posture.
The APAC problem: very few adequacy options
The practical consequence is that, as of mid-2026, ANPD has not formally designated any Asia-Pacific jurisdiction as offering adequate protection. The European Commission has adequacy findings for Japan and South Korea; Brazil does not. That means Brazilian controllers exporting personal data to Tokyo, Seoul, Singapore, Sydney, Mumbai, or Jakarta must rely on SCCs or other Article 33 instruments — each carrying paperwork, impact assessments, and supervisory exposure.
This is not a small population of transfers. Brazilian fintechs depend on cloud regions in Singapore and Tokyo for redundancy. E-commerce sellers route customer data through Shopify and Shopee infrastructure that touches multiple APAC nodes. Major hyperscalers — AWS, Google Cloud, Microsoft Azure, Oracle — operate Brazilian regions but increasingly mesh them with APAC capacity for disaster recovery, machine learning training, and latency-sensitive services. As recent reporting on hyperscaler infrastructure resilience illustrates, modern cloud architectures rely on flexible cross-border routing; rigid jurisdictional gating cuts against that grain.
De facto localisation by friction
Brazilian authorities have been clear that Resolution 19/2024 is not a localisation mandate. Technically, that is correct. But policy that imposes contractual, documentary, and audit burdens on every outbound transfer — while leaving on-shore processing burden-free — pushes the market toward localisation through cost gradients rather than statute. We have seen this pattern before. India's earlier attempts to govern cross-border flows under the now-repealed PDPB drafts, and the EU's post-Schrems II reality, both produced significant on-shoring even without explicit mandates.
The European Data Protection Board's experience is instructive: after Schrems II, many SMEs simply abandoned non-EEA vendors rather than execute Transfer Impact Assessments. The compliance fixed costs were prohibitive. Brazil's SME ecosystem — heavily dependent on APAC SaaS and cloud — risks the same outcome, with the added complication that ANPD's enforcement capacity and adequacy pipeline remain in early stages.
What proportionate reform would look like
None of this is an argument against international data transfer governance. LGPD's protections matter, and unconstrained data export to jurisdictions with weak rule-of-law guarantees raises legitimate rights concerns. But proportionality demands the regime distinguish between high-risk and low-risk flows.
Three reforms would meaningfully reduce friction without weakening protection:
- Accelerate adequacy assessments for APAC jurisdictions that have already been recognised as adequate by the EU — Japan and South Korea — and for those with mature, audited regimes such as Singapore (PDPA), Australia (Privacy Act 1988, as amended in 2024–25), and New Zealand. Mutual recognition with the European Commission's adequacy work would be a low-cost confidence shortcut.
- Provide a tiered SCC pathway, with a lightweight track for B2B transfers of business-contact data and a fuller track for sensitive categories. The European Commission's 2021 modular SCCs offer a workable template.
- Publish clear guidance for SMEs, including pre-approved templates and a de minimis exemption for low-volume transfers, mirroring the proportionality logic embedded in Article 27 of the GDPR.
The wider stakes
Brazil's relationship with Asia is not optional infrastructure. Mercosur–ASEAN dialogue is intensifying. China is Brazil's largest trading partner. Japanese investment in Brazilian renewables and Korean investment in mobility are growing. Each of these economic relationships now generates data that LGPD touches.
If Resolution 19/2024 hardens into a de facto localisation regime by default, Brazilian firms will pay twice: in higher cloud and SaaS costs, and in reduced competitiveness when their APAC counterparts run on globally meshed infrastructure. ANPD has a narrow window to publish adequacy decisions, simplify SCC procedures, and signal that proportionate cross-border data flow is part — not enemy — of Brazil's digital strategy. The text of the resolution leaves room for that recalibration. The question is whether the political appetite exists to use it.