The discussion on personal data protection has gained relevance in recent decades, mainly due to the profound transformations resulting from technological advances and the intense flow of cross-border data that support not only modern international trade and investment, but also improve business operations, especially in the creation of business models based on their use, processing and storage.

As a result of this situation, several countries began to establish data protection rules for international transfers in order to prevent regulatory justifications based on privacy and the protection of personal data from creating barriers to trade and other international transactions.

In Brazil, the international transfer of personal data still raises many questions. The topic was addressed in general terms by Law 13,709/2018 — the General Data Protection Law (LGPD) — but the application of these rules and safeguards still depends on regulation by the National Data Protection Authority (ANPD).

The definition of situations that constitute international data transfer, especially when the agent located abroad directly collects data in Brazil, without any sharing of such data, still generates much debate. A classic example of this situation is when applications used by users in Brazilian territory and whose servers are located in other countries directly collect the personal data of individuals located in Brazil without any sharing or transfer to third parties.

To clarify this point, the definition of what constitutes an international transfer provided in the LGPD is of little help. Article 5, item XV of the LGPD defines international data transfer as the “transfer of personal data to a foreign country or international organization of which Brazil is a member”. However, a joint reading of this provision with item XVI of the same article allows us to conclude that there is only an international transfer of personal data when two processing agents share personal data.

This is not a new discussion in the data protection scenario. This subject has already been widely debated in the European scenario, with the European Data Protection Board (EDPB) publishing Guideline 5/2021, which made clear the inapplicability of the special legal regime for international data transfer to situations in which “the controller in a third country collects data directly from a data subject in the EU”. The EDPB’s proposals presuppose the existence of a relationship between different processing agents, who act as data importers and exporters, and the transmission and sharing of data between such agents. Consequently, the EDPB understands that the direct collection of data from individuals located in the EU by a foreign entity does not constitute an international transfer.

In other words, when an individual provides their data to benefit from a service offered by a company located outside the country, this individual is not considered, according to Guideline 5/2021, as an exporting party, since it would not make sense to enter into international transfer instruments with companies, such as standard contractual clauses, to carry out common day-to-day operations.

A similar perspective can be considered for the conceptualization of what the legislator understood as subject to the special rules of international transfer in the LGPD. Article 3, item II of the LGPD determines that the Law must be applied to any operation of processing personal data that has been collected in national territory. In other words, the mere direct collection of personal data by a company located abroad in which there is no sharing necessarily attracts the rule of article 3, III of the LGPD, requiring the adaptation of the company located abroad, but not the special regime of international transfer of article 33 of the same legal diploma.

With the delimitation of situations that constitute an international transfer in line with the understanding proposed by the EDPB, processing agents that carry out the direct collection of data from individuals located in Brazil, although subject to the rules of the LGPD due to the territorial scope of application of the law, would not have the additional formal need to be supported by one of the hypotheses that authorize the transfer of data outside Brazilian territory.

Therefore, in addition to the systematic interpretation of the LGPD provisions, it is very important that the European Commission's adequacy decisions can, to some extent, anticipate the ANPD's decision-making challenges, using them as a normative reference for characterizing the concept of international transfer.

These parameters can ensure the protection of personal data throughout the processing cycle and provide greater legal certainty to processing agents involved in a globalized context of operations, contributing to the free circulation of data and reducing the costs and efforts for the ANPD to act.

Ellen Carolina da Silva – LGPD Specialist
Article published on the Conjur website on March 14, 2023