On January 27, 2026, the Brazilian National Data Protection Authority (“ANPD”) and the European Commission announced a landmark decision: the mutual recognition of adequacy between Brazil’s General Data Protection Law (“LGPD”) and the European Union’s General Data Protection Regulation (“GDPR”).

This regulatory milestone acknowledges that the legal frameworks of Brazil and the EU provide an equivalent level of protection to personal data subjects. As a result, it establishes a solid legal basis of trust and legal certainty for international data transfers between these jurisdictions.

Although certain legal formalities will still be required in cases involving the sharing of personal data, many of them will be significantly simplified, including, for example, the elimination of the need for standard contractual clauses pre-defined or approved by the Brazilian Authority, as well as the need to conduct technical audits.

With reduced bureaucracy and lower digital compliance costs, the measure is expected to accelerate business activities and strengthen commercial and technological relations, creating further opportunities for Brazilian companies to operate in the European market and vice versa.

The decision applies to the 27 Member States of the European Union as well as to the countries of the European Economic Area (Iceland, Liechtenstein, and Norway), covering a total of 30 jurisdictions. In practical terms, this represents a significant impact, as Brazil and the EU now form the world’s largest secure data-flow area, reaching approximately 700 million people.