Meer documenten
The EU and Brazil conclude agreements to create the biggest area of free and safe data flows in the world
Today, the European Commission and Brazil adopted mutual adequacy decisions, confirming that their levels of data protection are comparable. Recognising the high data protection standards that protect consumers and citizens on both sides, these agreements now allow businesses, public authorities and researchers to freely exchange data between the EU and Brazil.
By ensuring that personal data can flow freely and securely between the EU and Brazil without any additional requirements, there will be a boost to digital trade between the two jurisdictions. The decisions will save costs and ensure legal certainty and stability for European companies already invested in Brazil and for Brazilian firms expanding into the EU's market. They create the largest area of free and safe data flows in the world, benefitting a combined 670 million consumers across the EU and Brazil.
These mutual adequacy decisions come in the backdrop of the historic Partnership Agreement (EMPA) and Interim Trade Agreement (iTA) signed on 17 January between the EU and Mercosur. The decisions will be a building block for strengthening trade between the EU and Brazil and sends yet another strong geopolitical signal, demonstrating the EU and Brazil' shared commitment to multilateralism and the rules-based international order.
The adoption of the mutual adequacy decisions follows an opinion by the European Data Protection Board and the EU Member States' greenlight in the so-called comitology procedure. The Commission will review the functioning of its adequacy decision after a period of four years.
Background
The Constitution of Brazil protects privacy and data protection as fundamental rights, as is also the case under the EU Charter of Fundamental Rights. In 2018, Brazil adopted the General Data Protection Law, the equivalent of the General Data Protection Regulation in the EU. It subsequently created an independent data protection authority, the National Data Protection Authority, a fundamental tenet of the EU's data protection framework. Brazil's General Data Protection Law offers a very high degree of convergence with the scope, safeguards, rights, obligations, oversight, enforcement mechanism, and remedies of the GDPR.
The European Commission has the power to determine, under the GDPR, whether a country or international organisation outside the EU ensures an adequate level of data protection. Following this, the Commission might initiate the process for the adoption of an adequacy decision, which allows the free flow of personal data from the EU and the European Economic Area to a third-country or international organisation without further obstacles.
The Commission has so far recognised, in varying scopes, Andorra, Argentina, Canada, the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, the Republic of Korea, Switzerland, the United Kingdom under the General Data Protection Regulation and the Law Enforcement Directive, the United States, Uruguay and the European Patent Organisation as providing adequate protection.
For more information