February 9, 2026

EU and Brazil adopt mutual adequacy decisions

As most of you will be aware, for data protection purposes an appropriate mechanism or adequacy finding must be in place in order to transfer personal data out of the EU to a third country.

The European Commission (Commission) and Brazil have adopted mutual adequacy decisions, confirming that their levels of data protection are comparable. Recognising the high data protection standards that protect consumers and citizens on both sides, these agreements now allow businesses, public authorities and researchers to freely exchange data between the EU and Brazil (including EU Member States and EEA countries such as Iceland, Liechtenstein and Norway) without transfer safeguards or contractual clauses.

Adequacy

The Commission has the power to determine, under the EU GDPR, whether a country or international organisation outside the EU ensures an adequate level of data protection. Following this, the Commission might initiate the process for the adoption of an adequacy decision, which allows the free flow of personal data from the EU and the European Economic Area to a third country or international organisation without further obstacles.

In a statement from the Commission it was noted that by ensuring that personal data can flow freely and securely between the EU and Brazil without any additional requirements, there will be a boost to digital trade between the two jurisdictions. From a business and compliance standpoint, the decisions will save costs and ensure legal certainty and stability for European companies already invested in Brazil and for Brazilian firms expanding into the EU's market. They create the largest area of free and safe data flows in the world, benefitting a combined 670 million consumers across the EU and Brazil. The Commission press release can be read here: EU-Brazil data adequacy agreement. All core EU GDPR and LGPD (Brazil’s general data protection law) requirements still apply to controllers and processors, including security, rights of data subjects, and transparency and accountability measures. Data governance, cybersecurity and sector-specific regulatory obligations also continue, albeit with the reduced burden an adequacy decision provides.

UK position

The UK does not currently recognise Brazil as an “adequate” destination for personal-data transfers under the UK GDPR: Brazil does not appear on the UK’s adequacy list, which includes countries such as Argentina. The EU decision does not extend to the UK, which left the EU adequacy framework at Brexit. UK organisations transferring personal data to Brazil must rely on an alternative transfer mechanism: the International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses (SCCs). As a result of the EU-Brazil adequacy decision, in practical terms, UK controllers might need to check that SCCs are still used when dealing with Brazilian entities that might not be aware of the UK’s independent adequacy regime (or have an IDTA in place).

What’s next

The Commission will review the functioning of its adequacy decision after a period of four years. We will continue to monitor EC adequacy decisions, UK adequacy decisions and how data transfers will now look under the provisions of the Data (Use and Access) Act (DUAA) that are newly in force, discussed here: The Data (Use and Access) Act 2025: key reforms in force. The new test under the DUAA asks whether the standard of data protection in the destination country or organisation is “not materially lower” than in the UK. This is an assessment for the UK government, which might lead to more flexible considerations than those under EU GDPR and possibly result in a divergence of “adequate” countries in relation to the UK versus the EU. It remains to be seen if the UK will follow the EU and recognise Brazil as “adequate”.