European data protection board evaluates Brazil adequacy decision

The European Data Protection Board adopted Opinion 28/2025 on November 4, 2025, examining the European Commission's draft decision regarding adequate protection of personal data by Brazil. The opinion, spanning 145 pages, provides the EDPB's assessment of whether Brazil's data protection framework ensures a level of protection essentially equivalent to that guaranteed within the European Union.

The Commission initiated the adequacy process on September 5, 2025, when it requested the EDPB's evaluation of Brazil's General Data Protection Law (LGPD) and related regulatory framework. An adequacy decision would permit personal data to flow freely from Europe to Brazil without additional safeguards, joining countries like the United States, United Kingdom, and South Korea with similar arrangements for international data transfers.

Brazil's data protection system centers on the LGPD, enacted August 14, 2018, alongside Presidential Decree No. 10.474 of August 26, 2020, and Presidential Decree No. 11.758 of October 30, 2023. The framework includes binding regulations from Brazil's Agencia Nacional de Proteção de Dados, established as the national supervisory authority. The ANPD operates with "authority of special nature" status, designed to ensure autonomy in exercising legal functions and powers conferred by the LGPD.

Constitutional foundations and close alignment

The EDPB positively notes that Brazil's Federal Constitution enshrines privacy and data protection as fundamental rights through Articles 5(X), 5(XII), and 5(LXXIX). The Federal Supreme Court recognizes these protections for any person, including foreigners residing in Brazil or not. This constitutional framework creates a foundation similar to European data protection principles, where fundamental rights protections extend beyond citizenship.

The LGPD establishes data protection principles closely aligned with the General Data Protection Regulation. These include purpose, adequacy, necessity, free access, data quality, transparency, security, prevention, non-discrimination, liability, and accountability. The Brazilian law defines "personal data," "pseudonymous information," "anonymous data," "data processing," "data controller," "data processor," and "sensitive data" in manners essentially equivalent to concepts in the GDPR.

The accountability principle requires controllers and processors to adopt appropriate technical and organizational measures demonstrating compliance with data protection obligations. Implementation measures include designation of Data Protection Officers, Data Protection Impact Assessments, keeping records of processing activities, and formulating internal rules for good practice and governance.

Article 6 of the LGPD establishes that activities processing personal data must be conducted in good faith and subject to specified principles. While the law does not explicitly include a storage limitation principle, Article 15 addresses data retention requirements by linking to the adequacy and necessity principles within Article 6. Article 16 establishes conditions for storage and erasure after processing ends, permitting data retention for compliance with legal obligations, research purposes with anonymization, transfers to third parties complying with LGPD requirements, or exclusive controller use with data anonymization.

Transparency limitations and commercial secrecy

The LGPD establishes a limitation to transparency and fairness principles based on "commercial and industrial secrecy," potentially impacting data subjects' ability to receive information about processing. The European Commission's draft decision explains this limitation should be interpreted through Brazil's Law on Access to Information and Presidential Decree No. 7.721 of May 16, 2012.

The interpretation requires that processing and disclosure of information not reveal business secrets or create competitive advantages while fulfilling data protection objectives. The EDPB notes this means the commercial and industrial secrecy limitation should not function as a blanket refusal ground for compliance, but rather require specific safeguards ensuring disclosure protects these interests.

The EDPB invites the Commission to monitor implementation of this provision in practice to understand its impact on information and access rights. The limitation could affect transparency requirements for data subjects' possibility to control how their data are processed, as well as obligations to cooperate with the supervisory authority.

Data protection impact assessments

The LGPD does not include clear obligation to conduct DPIAs when processing could result in high risk to rights and freedoms of natural persons, only referring to possible requests by the ANPD. The ANPD recommends conducting DPIAs when processing operations may result in high risk in "Frequently asked questions" relating to DPIAs.

The LGPD does not explicitly include assessment of necessity and proportionality within DPIA scope. However, the FAQs on DPIA recommend controllers and processors assess necessity and proportionality in their DPIAs. The EDPB invites the Commission to monitor practical implementation of these requirements to verify that DPIAs are conducted when processing operations can result in high risk and that assessment of necessity and proportionality is included.

Security measures and breach notification

The LGPD includes security and prevention principles requiring measures for protection of personal data and prevention of damages related to processing. Security measures not appropriately implemented render data processing unlawful. The law requires risk-based approach implementation through Articles 44, 46, and 47 and compliance with breach assessment and notification requirements in Articles 48 and 49.

The ANPD adopted binding Regulation on Security Incidents Notifications providing incident concepts and severity assessment details. General rules require controllers to communicate security incidents to the ANPD within three working days of becoming aware. The regulation categorizes incidents as creating risks to data subjects or significantly affecting fundamental interests and rights, requiring both ANPD and data subject notification.

Notification requirements include information on technical and security measures used for data protection, adopted before and after incidents, observing commercial and industrial secrets. The EDPB invites the Commission to monitor implementation where information on incidents has been provided partially considering commercial and industrial secrets and its impact on ANPD powers.

Individual rights and lawfulness of processing

The LGPD provides individuals with rights similar to those in the GDPR, including access, rectification, portability, restriction, erasure, information, consent denial or withdrawal, objection, and petition rights. Article 20 LGPD grants data subjects the right to request review of decisions made solely based on automated processing affecting their interests, mirroring Article 22 of the GDPR.

Brazil's Habeas Data Law establishes specific provisions granting access and rectification rights within short timelines of 10 and 15 days respectively following individual requests. The EDPB considers the LGPD sets essentially equivalent requirements for data subject rights as those ensured in the GDPR.

Regarding lawfulness of processing, the LGPD's implementation through Articles 5(XII), 7, 8, and 10 aligns closely with GDPR provisions in Articles 4(11), 6, 7, and 9. Article 10 LGPD lists legitimate purposes for using legitimate interest as legal basis, including supporting and promoting the controller's activity.

The ANPD's Guide on Legal Bases for Processing Personal Data clarifies that for an interest to be legitimate, three conditions must be met: compatibility with the Brazilian legal system, reference to a specific situation, and processing linked to legitimate, specific, and explicit purposes. These conditions align with cumulative conditions specified by the Court of Justice of the European Union and EDPB Guidelines 1/2024 on processing personal data based on Article 6(1)(f) GDPR.

International data transfer requirements

Chapter V of the LGPD addresses onward transfer restrictions, further complemented by the ANPD's Data Transfer Regulation providing definitions of "transfer," "international data transfer," "importer," and "exporter" with detailed transfer requirements. The definition of "transfer" and "international data transfer" align with EDPB guidelines 05/2021.

Onward transfers can only occur for legitimate, specific, and explicit purposes when specific instruments or conditions are in place, as outlined in Article 33 LGPD and Articles 9 to 33 of the Data Transfer Regulation. These instruments approximate transfer tools in Chapter V GDPR. The EDPB invites the Commission to clarify whether transfers under Article 33 (III) to (IX) LGPD can be carried out only in exceptional circumstances where conditions under Article 33 (I) to (II) are not met.

The Data Transfer Regulation specifies that international transfers are allowed when data subjects provide specific and distinguishable consent with previous information on the international nature of intended operations. The EDPB invites the Commission to clarify whether data subjects are informed about possible risks of transfer arising from absence of adequate protection in third countries and absence of appropriate safeguards, as required under Article 49(1)(a) GDPR.

The Data Transfer Regulation requires controllers and processors to adopt effective measures demonstrating observance of and compliance with personal data protection rules and effectiveness of such measures, compatible with processing risk level and international transfer modality. The EDPB invites the Commission to clarify that effectiveness assessment should ensure local legislation of relevant third countries would not undermine continuity of protection for data subjects whose data are transferred.

Data subjects have the right to receive contractual instruments used for onward transfer and description of transfer, including duration, purpose, destination countries, parties' responsibilities, data subjects' rights, and means to exercise them, as outlined in Article 16 Data Transfer Regulation. The EDPB invites the Commission to clarify that same transparency obligations apply irrespective of transfer tool used.

Supervisory authority independence

The LGPD establishes the ANPD as the national supervisory authority monitoring and enforcing its provisions. The ANPD has been granted "authority of special nature" status, designed to ensure autonomy needed to fully exercise legal functions and powers, notably by revoking provisions subordinating the ANPD's functioning and financial operations to Executive authorizations.

Recent changes to Brazil's legal framework on September 15, 2025, recognize the ANPD as a regulatory agency. One main change is that the ANPD now submits its budget directly to the Ministry of Planification and Budget instead of through the Ministry of Justice. The ANPD budget remains a separate line in the Federal State Budget. The ANPD already had independence over budget and finance, but becoming a regulatory agency simplifies its administrative process.

Recent decisions increased ANPD staff with more than 200 new positions. The ANPD has been designated as the authority responsible for protection of children online, with Chapter IX of the LGPD providing necessary powers and missions ensuring compliance with data protection rights and promoting awareness, including investigatory and sanctioning powers.

The LGPD establishes that the ANPD is composed of several bodies, including the National Council for Personal Data and Privacy Protection. The Council's composition includes representatives of the Federal Executive Branch, Legislative, and Judiciary. Article 58-B LGPD specifies the Council is responsible for proposing strategic guidelines and providing background information for preparing the National Policy for Personal Data and Privacy Protection and for ANPD's activities, and recommending actions to be performed by the ANPD.

The EDPB considers it important to gain clearer understanding of how these tasks are implemented and the extent to which the Council's proposals and recommendations influence the ANPD's work. It invites the Commission to elaborate further on these tasks and on interaction between the Council and ANPD to better assess the Council's influence on ANPD activities.

Redress mechanisms and sanctions

The LGPD provides data subjects with the right to lodge complaints with the ANPD and to challenge its decisions by presenting appeals to its Board of Directors. Individuals may then appeal Board decisions in court and present recourse against the ANPD for failing to comply with obligations under the LGPD. The EDPB invites the Commission to further clarify functioning of these two avenues, including whether use of recourse is only limited to refusal to handle complaints or rejection on substance.

The LGPD also provides the right to compensation for material and non-material damages, as well as collective redress through Article 22. The existence of effective and dissuasive sanctions plays an important role in ensuring respect for data protection rules, as a sign of high degree of accountability and awareness that the system ensures.

The ANPD's corrective powers, exercised in several occasions, include warning, fines up to two percent of gross revenue of private legal entities involved, daily fines, blocking of personal data related to infringement until regularization, temporary suspension of relevant data processing activities, and erasure of personal data concerned. These sanctions can be imposed toward public or private entities, with exceptions that fines and daily fines cannot be imposed on public entities.

The ANPD issued binding Regulation on Sanctions categorizing sanctions into different levels using objective factors such as type and volume of data processed or impact of data subjects' rights, providing methodology in calculating fines aligned with Article 83 GDPR requirements. The EDPB invites the Commission to monitor consistent application of sanctions.

Criminal law enforcement access

Access and subsequent use of personal data by Brazilian law enforcement authorities is regulated by a system of legal acts of different legal nature. Data protection and privacy, including secrecy of correspondence and communications, are enshrined in Article 5 of the Constitution as fundamental rights. The scope of protection of such rights is not limited to Brazilian citizens only but encompasses foreigners residing in Brazil or not.

Several specialized sectoral laws govern possible access to personal data for law enforcement purposes. Particularly relevant are the Penal Code, the Telephonic Interception Law, the Civil Framework for the Internet, the Law on the Confidentiality of Financial Institutions, and the Law Related to Criminal Organisations and Criminal Investigations. These legal acts are publicly accessible and could be deemed sufficiently clear to give data subjects an indication of circumstances and conditions under which public authorities are empowered to access their data.

The scope of applicability of the LGPD in case of personal data processing for criminal law enforcement purposes is partial, which may lead to legal uncertainty. The LGPD does not apply to data processing conducted for exclusive purposes of public safety, national defence, State security, or investigation and prosecution of criminal offenses. Data processing in these areas will be governed by specific legislation, which must encompass principles and rights of data subjects outlined in the LGPD.

Brazil has not yet adopted specific legislation regarding personal data processing in criminal justice and law enforcement field similar to the EU Law Enforcement Directive. The Federal Supreme Court of Brazil in its case-law has interpreted the LGPD in a way that expanded its partial applicability to processing of personal data for criminal investigations and maintenance of public order.

The ANPD fully supports this interpretation and holds that absence of specific legislation does not grant broad and unrestricted authorization to security agencies to process citizens' personal data for exclusive purposes of public security and investigation and prosecution of criminal offenses without limits. At the same time, pursuant to Article 4(III) paragraph 3 LGPD, for some specific processing of data done exclusively for law enforcement purposes, the ANPD seems to have mainly an advisory role vis-à-vis law enforcement authorities at the moment.

The EDPB invites the Commission to further assess and clarify in the draft Decision the applicability of the LGPD in case of personal data processing for criminal law enforcement purposes, including powers of the ANPD, and to take into careful consideration any relevant development in this regard in future monitoring.

Necessity and proportionality safeguards

Access to communication data, both content and metadata, as well as to other categories of protected confidential information such as banking and tax data, requires prior judicial authorization as general rule. Regarding access to communication data, pursuant to the Telephonic Interception Law and Federal Supreme Court case-law, such measure is considered exceptional and subject to strict conditions ensuring its necessity and proportionality.

Brazilian law provides that interception of communications without judicial authorization or for purpose not authorized by law constitute a crime punishable by up to four years in prison. The strict implementation of safeguards for access to communication data is particularly relevant given existence in Brazil of general data retention obligation for internet connection and online application service providers to retain connection logs for one year.

Access to retained data is only possible subject to judicial authorization. The EDPB positively notes additional information provided by the Commission regarding absence of mass data retention in the country. The EDPB recalls strict approach and restrictions on general and indiscriminate retention of communication metadata in the European Union and encourages the Commission to pay specific attention on legal regime and practice in Brazil concerning access to communication data during monitoring and review of the draft Decision.

Similar safeguards apply regarding access by law enforcement authorities to tax and banking data, requiring prior judicial authorization, permitted only for serious crimes, with criminal sanctions in case of abuse. According to the draft Decision, there is an exception from general requirement for prior judicial authorization for access by law enforcement authorities to certain categories of personal data.

Pursuant to Articles 15 and 16 of the Law Related to Criminal Organisations and Criminal Investigations, a police chief and the Public Prosecutor's Office may access without judicial authorization registration data of investigated persons about personal qualification, affiliation and address maintained by the Electoral Court, telephone companies, financial institutions, internet providers and credit card administrators. Transport companies will allow, for five years, direct and permanent access by a judge, Public Prosecutor's Office or police chief to databases of reservations and travel records.

The scope of the Law Related to Criminal Organisations and Criminal Investigations is limited to investigation and sanctioning of organised criminal groups and terrorist organisations, which pose significant risk for citizens and society and are capable of justifying more serious interference with fundamental rights to privacy and data protection. The information about these exceptions provided in the draft Decision is very general and not complete, particularly whether access to personal data is subject to ex post judicial review of necessity and proportionality.

The EDPB invites the Commission to further clarify and explain in the draft Decision the scope and nature of cases where access to data by law enforcement authorities does not require judicial authorization as well as applicable safeguards in Brazilian legislation. The EDPB also considers the Commission should pay specific attention on application of these exceptions under Brazilian law during its monitoring of the draft Decision.

Further use and onward transfers

The level of protection afforded to personal data transferred from the EU/EEA to Brazil must not be undermined by further use or sharing of data with recipients in Brazil or third countries. Onward transfers should be permitted only where continued level of protection essentially equivalent to that provided under EU law is ensured.

The Federal Supreme Court of Brazil has ruled that sharing of personal data between public bodies, including when shared between law enforcement and intelligence agencies, presupposes definition of legitimate, specific, and explicit purpose for data processing, compatibility of processing with informed purposes, limiting sharing to minimum necessary to meet informed purpose, and full compliance with requirements, safeguards, and procedures laid down in the LGPD insofar as compatible with public sector.

Given the complexity, exact scope, and modalities of LGPD application to law enforcement authorities, the EDPB invites the Commission to monitor closely developments and practice in this area. Concerning onward transfer of personal data to criminal law enforcement authorities in third countries, the draft Decision refers to Article 33 (III) LGPD establishing that international data transfers may take place when necessary for international legal cooperation between public bodies of intelligence, investigation, and prosecution, in accordance with international legal instruments.

The EDPB considers this explanation too general and invites the Commission to further elaborate in the draft Decision on conditions and safeguards governing onward transfers.

National security framework considerations

Access and use by Brazilian public authorities of personal data transferred to controllers and processors in Brazil for national security purposes involves several legal instruments. The LGPD does not apply to data processing conducted for exclusive purposes of public safety, national defence, State security, or investigation and prosecution of criminal offenses. The Federal Supreme Court of Brazil in its case-law has interpreted the LGPD in a way that expanded its partial applicability to processing of personal data for criminal investigations and maintenance of public order.

Brazilian legislation on "Seguranca Nacional" (National Security), as laid out in Law No. 14.197 of September 1, 2021, modifying the Penal Code and revoking the 1983 Law on National Security, expresses the Brazilian concept of national security based on an exhaustive list of criminal offenses addressing different threats to integrity of the Brazilian State as an institution, including national sovereignty, espionage, and crimes against democratic institutions. The norms of Law No. 14.197 have been established as integral part of the Brazilian Penal Code.

The EDPB asks the Commission to clarify in the draft Decision whether data processing related to prosecution of criminal offenses listed in Law No. 14.197 are governed by data protection regime applicable to law enforcement activities or by another regime. If it is the latter case, the EDPB invites the Commission to further explain data protection rules applicable to criminal prosecution of these offenses for purposes of national security.

The codified legal framework consists of Law No. 14.197 from 2021, Law No. 9.883 of December 7, 1999, establishing the Brazilian Intelligence System and related Decree No. 4.376 of 2002. These set up the Brazilian Intelligence system (Sistema Brasileiro des Inteligência or SISBIN) and its functioning. They are followed by binding Presidential Decree No. 8.793 of 2016 defining the national intelligence policy (Política Nacional de Inteligência or PNI), as well as the LGPD in 2018.

Presidential Decree No. 8.793 of 2016 describes the subject, aims, and limits of PNI. Activities under this decree aim at producing and spreading knowledge to competent authorities related to facts and situations occurring within or outside national territory with immediate or potential influence on decision-making process, governmental action, and safety of society and state intelligence.

SISBIN was initially established comprising eighteen federal entities, among them thirteen ministries, and subsequently extended to 48 agencies under Decree No. 11.693 of September 6, 2023, on organization and functioning of SISBIN. Cooperation within SISBIN integrates entities beyond classical security institutions, such as Ministry of science, agriculture, energy, and Federal Attorney general.

The EDPB is mindful that States are granted broad margin of discretion in defining matters of national security, which allows for national security exemptions in processing of personal data. The EDPB calls upon the Commission to describe and explain more precisely in the draft Decision the outline of concept of national security under Brazilian law, particularly in relation to collection and sharing of data between and by entities on behalf of SISBIN's activities and with regard to implementation of PNI.

Oversight and redress mechanisms

The draft adequacy decision presents different bodies to oversee activities of Brazilian national security authorities, notably by the Executive Branch, Legislative Branch, ANPD, and Judiciary. Regarding the ANPD, considerations and conclusions made about criminal law enforcement remain valid for national security oversight.

The Chamber of External Relations and National Defence of the Council of Government is responsible for overseeing implementation of Intelligence National Police, and the Institutional Security Office is responsible for coordinating federal intelligence activity. This control only refers to ensuring that objectives to be achieved by Intelligence System and their implementation, but does not include any investigating or sanctioning powers and does not cover actual processing of personal data.

The Joint Committee for Control of Intelligence Activities (CCAI) exercises control in relation to intelligence activities, encompassing its legitimacy and effectiveness. The EDPB welcomes that CCAI's structure and powers have been strengthened, increasing transparency over its activities and allowing the body to exercise proper control, such as conducting post hoc review, audits, and controls of operations in progress. The CCAI can handle data subjects' complaints as part of its competence to investigate complaints about violations of fundamental rights and guarantees.

The Judiciary's competence to hear cases brought by citizens against public authorities is a positive aspect, particularly as it enables judicial oversight of activities carried out in name of national security, ensuring compliance with constitutional rights including right to data protection and LGPD. Possibility of appeal is provided via the Federal Supreme Court and ultimately via the Inter-American Court of Human Rights.

In context of national intelligence activities, data subjects are provided with rights as enshrined in the LGPD as consequence of Federal Supreme Court decision dated September 15, 2022, right to obtain access and rectification of personal data through constitutional redress avenue of Habeas Data, and right to compensation for material and non-material damage.

The EDPB welcomes existence of such rights and that they can be invoked through judicial and administrative mechanisms, particularly the CCAI, and that these avenues for redress are accessible to all individuals regardless of nationality.

Monitoring and review requirements

According to case law of the Court of Justice of the European Union, in light of the fact that level of protection ensured by third country is liable to change, it is incumbent upon the Commission after adopting an adequacy decision to check periodically whether finding relating to adequacy of level of protection ensured by third country in question is still factually and legally justified. Such check is required when evidence gives rise to doubt in that regard.

The review of adequacy finding will take place at least every four years, in accordance with Article 45(3) GDPR. The EDPB welcomes that the draft Decision foresees participation of the EDPB in meetings organized between the Commission and Brazilian authorities dedicated to performing review of functioning of adequacy decision.

Concerning practical involvement of EDPB and its representatives in preparation and proceeding of future periodic reviews, the EDPB reiterates that any relevant documentation, including correspondence, should be shared in writing with the EDPB sufficiently in advance of reviews.

Context within broader adequacy framework

The Brazilian adequacy assessment occurs amid increasing global attention to international data transfer mechanisms. The EU court dismissed a challenge to the US Data Privacy Framework in the Latombe case on September 3, 2025, upholding the Commission's July 10, 2023, adequacy decision for transatlantic data transfers despite independence concerns raised by French Member of Parliament Philippe Latombe.

The Irish regulator ruled that remote access constitutes data transfer in a €530 million TikTok penalty, establishing that when staff in third countries remotely access personal data of European Economic Area users, that access itself constitutes transfer under GDPR. This precedent affects organizations with cross-border data processing arrangements involving remote access from countries lacking adequacy decisions.

Indonesia agreed to US data transfer framework in a historic trade deal announced July 22, 2025, requiring data protection adequacy recognition. The arrangement represents the most significant cross-border data transfer arrangement between the US and a Southeast Asian nation, requiring Indonesia to recognize the US as providing adequate data protection standards under Indonesian law.

The EU court ordered the Commission to pay damages over Meta data transfer breach on January 8, 2025, marking significant development in international data protection enforcement. The judgment establishes precedent regarding institutional accountability for third-country data transfers and reinforces requirement for concrete safeguards when EU institutions enable data flows to non-EU countries.

The EDPB has been actively developing guidance on international data protection matters. European data protection board clarifies DSA compliance for marketers through Guidelines 3/2025 adopted September 11, 2025, establishing how digital marketers must navigate complex intersection between Digital Services Act and General Data Protection Regulation.

The European Data Protection Board unveiled work programme for 2024-2025 on October 8, 2024, emphasizing the board's role in global data protection efforts including continued work on data transfer mechanisms under GDPR and Law Enforcement Directive. The board issues opinions on adequacy decisions, administrative arrangements, and standard contractual clauses.

Enforcement patterns across Europe demonstrate varying approaches to data protection compliance. German DPAs face court action over 'Pay or OK' inactivity, with lawsuits filed June 17, 2025, challenging authorities' nearly four-year failure to decide complaints about consent systems achieving 99%+ consent rates despite only 3-10% of users wanting personalized advertising.

The Austrian court ruled "Pay or Okay" model illegal for DerStandard newspaper on August 18, 2025, confirming that the consent model violates European data protection laws. The court highlighted that only 1-7% of users genuinely want tracking for online advertising when asked directly, while "Pay or Okay" mechanisms achieve 99.9% user agreement to online tracking.

The EDPB continues providing guidance on emerging technologies and practices. European data watchdog clarifies privacy rules for artificial intelligence models through opinion released December 19, 2024, addressing when AI models can be considered truly anonymous, how companies can justify legitimate interests for processing data, and implications of using unlawfully processed data.

Timeline

• September 5, 2025: European Commission initiates adequacy process, requesting EDPB opinion on Brazil draft decision
• September 15, 2025: ANPD recognized as regulatory agency, simplifying administrative process
• November 4, 2025: EDPB adopts Opinion 28/2025 evaluating Brazil's data protection framework

Summary

Who: The European Data Protection Board evaluated Brazil's data protection framework at request of European Commission, examining standards established by Brazil's Agencia Nacional de Proteção de Dados under General Data Protection Law enacted August 14, 2018.

What: Opinion 28/2025 assesses whether Brazil ensures level of protection essentially equivalent to that guaranteed within European Union, examining data protection principles, individual rights, transfer restrictions, supervisory authority independence, redress mechanisms, and government access provisions for criminal law enforcement and national security purposes.

When: The European Commission initiated the adequacy process September 5, 2025, requesting EDPB evaluation. The EDPB adopted Opinion 28/2025 on November 4, 2025, following two months of assessment examining Brazil's legal framework and documentation publicly available from Brazilian authorities.

Where: The adequacy decision would enable personal data transfers from European Economic Area member states to Brazil without additional safeguards, covering commercial transfers, law enforcement cooperation, and data flows between public authorities in 27 EU member states plus Iceland, Liechtenstein, and Norway to Brazilian entities.

Why: Adequacy decisions recognize continuous protection of personal data transferred from EEA to third countries and provide robust transfer tool ensuring data subject rights are safeguarded when data are transferred outside EEA. The assessment matters for marketing community because adequacy facilitates digital marketing operations, programmatic advertising, customer analytics, and cross-border technology services between European and Brazilian markets without implementing additional contractual safeguards like Standard Contractual Clauses that add complexity and legal risk to data transfer arrangements.