European Union: European Commission adopted implementing decision on adequate level of protection of personal data by Brazil

On 26 January 2026, the European Commission adopted an implementing decision recognising that Brazil ensures an adequate level of protection for personal data under the General Data Protection Regulation (GDPR), while Brazil adopted a corresponding adequacy decision under its General Data Protection Law (LGPD) through the National Data Protection Authority (ANPD). These decisions confirm that the European Union and Brazil provide comparable levels of personal data protection, allowing personal data to be transferred freely between the two jurisdictions without the need for additional authorisations or safeguards. In reaching its decision, the European Commission examined Brazil’s LGPD (Law No. 13.709/2018), the independence and enforcement powers of the ANPD, and the safeguards governing access to personal data by public authorities for law enforcement and national security purposes. The European Commission will monitor the adequacy decision's functioning and review it after 4 years.