More Than a Handshake
When Henna Virkkunen, the European Commission's Executive Vice-President for Tech Sovereignty, Security and Democracy, flew to Brasília on June 12, 2026, she was not signing a memorandum of intent. She and Brazil's Secretary for Trade Promotion Alex Giacomelli da Silva formalised a Digital Partnership backed by five months of legal groundwork — specifically, the mutual data adequacy decisions that both parties adopted on January 26, 2026. The distinction matters: most high-profile digital diplomacy produces communiqués. This one produced enforceable data-transfer rights for businesses, public authorities, and researchers on both sides of the Atlantic.
Brazil is the EU's fifth strategic digital partner, following Japan, South Korea, Singapore, and Canada. It is the first from the Global South. That asymmetry — four Indo-Pacific and North Atlantic economies before a single developing-world nation — reflects how digital governance has historically been shaped: at OECD clubhouses, not in Brasília.
The Legal Foundation: LGPD Meets GDPR
The adequacy decisions are the partnership's most concrete achievement. Brazil's Agência Nacional de Proteção de Dados (ANPD) adopted Resolution CD/ANPD No. 32 on January 26, 2026, formally recognising the EU as meeting LGPD standards. The European Commission simultaneously adopted its own adequacy finding, concluding that Brazil's Lei Geral de Proteção de Dados (LGPD) — enacted in 2018 and modelled closely on the GDPR — provides an essentially equivalent level of protection.
The practical effect is significant. Businesses can now transfer personal data between the EU and Brazil without standard contractual clauses, binding corporate rules, or any of the compliance scaffolding that currently burdens cross-border data flows. The European Data Protection Board, in its November 2025 opinion paving the way for the decision, flagged questions about Brazil's data protection impact assessment requirements — but concluded the LGPD's substantive framework was sound. The decisions exclude purely national-security transfers, consistent with how the EU has structured all its adequacy arrangements.
Together, the two instruments create what the IAPP described as "the world's largest area of safe, cross-border data flows," covering around 670 million consumers across the EU-27, EEA, and Brazil. That figure understates the commercial importance: EU-Brazil bilateral goods trade reached €87.1 billion in 2025, with services trade — the data-intensive category — growing 71 percent between 2021 and 2025, per EU trade data.
Five Workstreams, One Roadmap
The Digital Partnership itself organises cooperation across five pillars: data governance, artificial intelligence, digital infrastructure and connectivity, online platforms, and digital public goods and services. A separate administrative agreement between the European Commission and the ANPD addresses child protection online — covering age verification, joint enforcement strategies, and cross-border cooperation on systemic platform risks.
Implementation will run through technical workstreams and a Digital Partnership Council, the first meeting of which is expected within twelve months. That Council will endorse a joint cooperation roadmap and provide strategic oversight. The model mirrors the EU's approach with Japan — where a 4th Digital Partnership Council met in May 2026 — and with Singapore, where the second Council in December 2025 reaffirmed cooperation on AI, digital identity, and semiconductors.
Why Brazil Is Different
The critics of the EU's digital partnership approach — and they are not wrong to scrutinise it — argue that these agreements risk becoming regulatory export vehicles: the EU writing the rules, partners nodding along, with no genuine co-creation. There is something to this. The GDPR's influence on Brazil's LGPD is not coincidental; Brazilian legislators actively borrowed its architecture. When the EU then grants Brazil adequacy, it is partly rewarding a jurisdiction for converging toward its own standards.
But that reading misses why Brazil's membership in this club matters geopolitically. Unlike Japan or Singapore, Brazil chairs the G20's Digital Economy Working Group and carries agenda-setting weight at the UN, ITU, and ICANN. President Lula's government has consistently positioned Brazil as a bridge between the Global South and developed-economy digital governance blocs. An EU Digital Partnership gives Brasília formal institutional machinery to shape how those standards evolve — not just adopt them after the fact.
The partnership also arrives as Brazil navigates genuine AI governance choices. The country has a draft AI regulatory framework that borrows from the EU AI Act's risk-tiered approach but is explicitly adapted for Brazilian conditions, including provisions for socioeconomic inclusion and algorithmic impact on historically marginalised groups. Cooperation with the EU on AI under the Digital Partnership creates a channel to share implementation experience without mandating convergence — which is proportionate. Brazil is not an EU member state. It should not be governed as one.
Open Questions
The steelman case for caution is real. The adequacy decision will be reviewed in four years — and the LGPD's enforcement record is still maturing. The ANPD is a young institution; its 2023 enforcement cycle produced its first fines only in late 2024. The question of whether adequacy will survive a future review depends on Brazil maintaining regulatory discipline under political pressures that the EU's own data protection authorities do not face in quite the same form.
The child protection ANPD agreement is notable but thin on published specifics. The first Digital Partnership Council meeting is scheduled "within twelve months" — a timeline that leaves ample room for drift. And the partnership explicitly defers questions of platform liability harmonisation and AI liability rules to future workstreams, precisely the areas where EU and Brazilian approaches are most likely to diverge.
The Model Worth Expanding
None of that undermines the core case for the partnership. The EU-Brazil Digital Partnership is the right instrument done in the right sequence: legal foundation first (adequacy), strategic framework second (the partnership), implementation machinery third (the Council and workstreams). Contrast that with digital governance initiatives that announce grand frameworks with no underlying legal coherence.
More importantly, Brazil's membership signals that the EU's model of structured digital cooperation is not a rich-world-only project. If this template — mutual adequacy, a multi-pillar partnership, co-designed roadmaps — proves workable with Brasília, it becomes the argument for extending it to India, Indonesia, Nigeria, and Kenya. The alternative is a splintered global digital governance architecture where the Global South either adopts US or Chinese platform norms by default, with no deliberate third path.
The partnership signed in Brasília on June 12, 2026 is not that third path yet. It is the first substantive evidence that such a path is being built.