For years, Brazil's Lei Geral de Proteção de Dados (LGPD) has lived in the shadow of its older sibling, the EU's General Data Protection Regulation. The two share architecture, vocabulary, and even much of their philosophical DNA — but they did not, until recently, share an enforcement track record. That gap is the single biggest reason Brazil has spent five years on the EU's adequacy waiting list. New signals from Brussels suggest the wait may finally be ending — and the regulatory milestone that pushed the assessment forward is one Brazil's own data authority deserves credit for.
In mid-2024, the Autoridade Nacional de Proteção de Dados (ANPD) issued a preliminary order directing Meta to suspend processing of Brazilian users' personal data for training its generative AI models, citing Meta's revised privacy policy. Meta complied. The order was, in retrospect, a watershed: it demonstrated that ANPD could move quickly against the world's most powerful platforms, that its legal reasoning held up under scrutiny, and — most importantly for Brussels — that the Brazilian regime could deliver GDPR-equivalent outcomes in practice, not merely on paper.
Why adequacy matters more than the headlines suggest
An EU adequacy decision is, in technical terms, a Commission finding that a non-EU country offers a level of data protection "essentially equivalent" to the GDPR. In commercial terms, it is closer to a customs union for personal data: companies no longer need to paper over each transfer with standard contractual clauses, transfer impact assessments, or binding corporate rules. The legal friction simply disappears.
For Brazil — Latin America's largest digital economy and home to a vibrant fintech, agritech, and SaaS ecosystem — that friction is not abstract. It shows up as:
- Higher compliance costs for Brazilian exporters serving European customers
- Hesitation among EU-based partners considering Brazilian cloud or processing vendors
- Investment friction for startups that could otherwise scale into the EU single market
- Slower onboarding for multinationals choosing where to locate regional data infrastructure
Adequacy decisions have already proven their economic value. The UK's 2021 adequacy ruling preserved roughly £42 billion in annual data-enabled trade with the EU, according to UK government estimates. Japan and South Korea have made similar arguments. Brazil's prize would be commensurate with the size of its market.
The proportionality test ANPD is passing
What makes the Meta order notable is not just that it happened, but how it happened. ANPD did not impose a maximum fine. It did not ban a service. It did not demand structural separation or geographic data localisation. It issued a preliminary measure focused on a specific processing purpose — AI training — using a specific lawful basis assessment, and gave the company an opportunity to comply.
This is regulation working as it should: surgical, evidence-based, and reversible. It is also exactly the regulatory disposition the European Commission looks for when assessing adequacy. Brussels has rejected or stalled adequacy talks with countries whose data authorities are either toothless or, conversely, prone to disproportionate action. Brazil is threading the needle.
The adequacy assessment is fundamentally a credibility test. ANPD has spent the last two years building that credibility — and the Meta order is the clearest evidence yet that it has succeeded.
The innovation argument for getting this right
It is tempting, particularly in the AI policy debate, to frame data protection enforcement as anti-innovation. The opposite case is stronger. Adequacy would do more for Brazilian AI startups than almost any domestic industrial policy:
- Cross-border training data: Brazilian model developers could collaborate with EU partners without bespoke transfer mechanisms
- EU customers: Brazilian B2B SaaS firms could sell into Europe without each enterprise customer demanding a custom data flow audit
- Talent and capital: EU venture capital flows more easily into jurisdictions with adequacy status
- Cloud neutrality: Brazilian-hosted cloud services become viable processors for EU controllers
The Meta case also clarified a question that matters globally: can existing data protection law govern AI training without bespoke AI legislation? ANPD's answer — yes, through transparency, lawful basis, and purpose limitation — is the same answer Italy's Garante, France's CNIL, and the UK's ICO have given. That convergence is itself a form of regulatory interoperability, and it lowers compliance costs for any AI developer operating across these markets.
What Brazil still needs to do
Adequacy is not a foregone conclusion. The Commission will press Brazil on several outstanding issues:
- Government access: Safeguards around intelligence and law enforcement access to personal data, the issue that sank the EU-US Privacy Shield in Schrems II
- Independent oversight: ANPD's institutional independence, including its budget and the appointment process for its board
- Redress mechanisms: Effective remedies for EU data subjects whose data ends up in Brazil
None of these are insurmountable. They require legislative attention and institutional commitment, not a wholesale rewrite of Brazilian law.
The lesson for the region
Brazil's trajectory should be the template for Latin American data governance. The LGPD was not a regulatory cut-and-paste of the GDPR — it adapted the European model to Brazilian constitutional traditions, with proportionality built in. ANPD has, so far, enforced it the same way: firmly where necessary, restrained where possible.
If Brussels grants adequacy in 2026 or 2027, the message to Mexico, Chile, Colombia, and Argentina will be clear. The pathway to deeper integration with the world's largest privacy regime is not maximalism. It is competence, restraint, and evidence-based enforcement. That is good for users, good for regulators, and — perhaps counterintuitively to some — very good for innovators.