For nearly six years, multinationals operating in Brazil have lived with an awkward gap in the country's General Data Protection Law (LGPD). The statute, modeled closely on Europe's GDPR, has restricted the international transfer of personal data since 2020 — yet the Autoridade Nacional de Proteção de Dados (ANPD) had not finalized the actual mechanisms by which transfers could lawfully occur. That gap is now closing. Resolução CD/ANPD nº 19/2024, approved in August 2024, established Brazil's framework for Standard Contractual Clauses (SCCs), Binding Corporate Rules (Normas Corporativas Globais), and adequacy decisions, and its phased implementation is reshaping how companies move Brazilian user data abroad in 2026.
For a country that hosts one of the largest internet user bases in the world and a rapidly maturing cloud and AI ecosystem, getting these rules right is not a technical footnote. It is a question about whether Brazil joins the small club of jurisdictions whose data regimes attract investment, or instead drifts toward the kind of friction that has bogged down the EU–US transfer relationship for the better part of a decade.
What Resolução 19/2024 Actually Does
The resolution operationalizes Articles 33 through 36 of the LGPD, which authorize international transfers under several conditions: an adequacy decision by ANPD, the use of approved SCCs or BCRs, the data subject's specific consent, or one of several narrower legal bases. Until last year, none of these mechanisms had concrete templates or criteria. Companies were left relying on consent or contractual workarounds of uncertain validity.
Among the most consequential elements:
- Standard Contractual Clauses: ANPD published model clauses in an annex to the resolution. Unlike the EU SCCs, controllers and processors cannot freely modify the substantive obligations — the clauses must be adopted in full, though commercial terms can be added separately.
- Adequacy decision criteria: ANPD set out the factors it will weigh when assessing whether a foreign jurisdiction provides protection "equivalent" to the LGPD, including the existence of an independent supervisory authority, judicial redress for data subjects, and rules on government access to data.
- Implementation timeline: Companies were given a transition window to migrate existing transfer arrangements onto the new instruments, with deadlines that have been rolling out through 2025 and into 2026.
- Specific contractual clauses: As an alternative to standard clauses, parties may submit tailored contracts to ANPD for approval — a slower but more flexible path for unusual transfer scenarios.
The Pro-Innovation Case for Getting This Right
Cross-border data flows are not a niche concern. They underpin essentially every digital service Brazilians use, from cloud-hosted enterprise software to streaming, payments, fraud detection, and the foundation models powering the country's emerging AI sector. Restricting those flows imposes real costs: OECD analysis has repeatedly warned that data localization measures can meaningfully reduce GDP and trade in services, with developing economies often hit hardest because they depend more heavily on imported digital infrastructure.
By giving companies a workable legal pathway, Resolução 19/2024 is, on balance, a pro-business development. The previous limbo pushed firms toward conservative interpretations — sometimes refusing to onboard Brazilian customers to global products, sometimes building expensive in-country duplicates of services that already existed elsewhere. Predictable rules, even strict ones, are better than ambiguity.
Three Risks Worth Watching
That said, the framework's success depends entirely on how ANPD enforces it. Several warning signs from peer jurisdictions deserve attention.
First, the adequacy bottleneck. The European Commission has taken years — sometimes more than a decade — to issue adequacy decisions, and most of the world remains outside its list. If ANPD adopts a similarly cautious posture, Brazilian firms will be locked into SCC paperwork even for transfers to jurisdictions with robust data regimes. A faster, more pragmatic adequacy process, perhaps with mutual-recognition pilots, would serve Brazilian businesses better than mimicking Brussels.
Second, the rigidity of the standard clauses. By requiring adoption in full, ANPD has reduced legal risk for data subjects but also limited the ability of small and mid-sized Brazilian companies — which often act as processors for foreign controllers — to negotiate workable terms. The EU's experience with its 2021 SCCs shows that overly prescriptive templates create heavy compliance burdens without proportionate gains in actual protection.
Third, the Schrems trap. The EU's transfer regime has been repeatedly destabilized by Court of Justice rulings on government access to data in third countries. ANPD should resist any push to import that doctrine wholesale. Brazil's interests are not served by an enforcement model in which transfers can be invalidated overnight on geopolitical grounds.
A Brazilian Path, Not a Brussels Imitation
The sensible direction is for ANPD to use Resolução 19/2024 as a foundation for a distinctly Brazilian approach: clear baseline rules, fast-track adequacy where genuine equivalence exists, and proportionate enforcement that distinguishes between negligent operators and good-faith businesses navigating ambiguity. The agency has the discretion to take that path. Its first major adequacy decisions and enforcement actions over the next 12 to 18 months will signal whether it intends to.
Brazil's digital economy is large, growing, and globally connected. A transfer regime that reflects those realities — one that protects Brazilians without isolating them — is squarely within ANPD's reach. Resolução 19/2024 is a meaningful first step. The harder work is making sure it doesn't calcify into the kind of obstacle that nobody, regulator or regulated, actually wants.