European Data Protection Board Opinion: EU Draft Adequacy Decision For Brazil – LGPD

On 5 September 2025, the European Commission published its draft decision recognizing that Brazil ensures an adequate level of protection for personal data under Article 45 of the General Data Protection Regulation ("GDPR"). Following this publication, on 4 November, the European Data Protection Board ("EDPB") released Opinion 28/2025 assessing the draft decision. The Opinion examines Brazil's General Data Protection Law ("LGPD"), the Brazilian Data Protection Authority ("ANPD&ardquo;), and the safeguards applicable to personal data transferred from the European Union.

The EDPB found that Brazil's data protection framework, particularly the LGPD and the regulations issued by the ANPD, is closely aligned with the GDPR and the case law of the Court of Justice of the European Union. The ANPD also stated that it is working on issuing an adequacy decision recognizing the European Union, with this decision expected to be presented by the end of 2025.

Mutual recognition would simplify the flow of data between Brazil and the European Union, acknowledge the equivalence of their data protection regimes, and offer competitive advantages to both sides.

The EDPB welcomed the overall alignment of Brazil's data protection framework with the GDPR, but identified areas requiring additional clarification, monitoring, and continued review. These key points are to:

• DPIA and Accountability: Verify that Data Protection Impact Assessments (DPIAs) are actually carried out for high-risk processing under the LGPD, and that they include a clear necessity and proportionality test. Clarify how LGPD rules interact on storage limitation in practice.
• Commercial and industrial secrecy: Monitor how the LGPD's limitation on "commercial and industrial secrecy" affects data-subject information and access rights, and ANPD's ability to obtain information, especially when companies invoke secrecy in supervisory or incident contexts.
• Security incidents and breaches: Align the Draft Decision with ANPD's security-incident notification regulation, with both timelines and content, and monitor any impact when trade-secret claims limit the detail shared with data subjects or the ANPD.
• Onward transfers: Clarify that LGPD derogations are truly exceptional. Confirm data subjects are informed about third-country risks for consent-based transfers. Ensure transparency duties apply regardless of the transfer tool and note potential gaps in binding corporate rules compared to EU practice, and assess whether foreign laws could undermine protections.
• Governance and oversight: Further explain the National Council's role and interaction with the ANPD. Clarify redress pathways for individuals and monitor consistency and proportionality in ANPD's enforcement and sanctioning.
• Law-enforcement processing: Clarify the LGPD's applicability to criminal law enforcement processing and ANPD's powers over such authorities. Describe conditions for access to basic subscriber/registration data and safeguards and monitor access to retained communications data.
• National security scope and the Brazilian Intelligence system: Describe more precisely what "national security" covers under Brazilian law. Clarify how LGPD exemptions operate for national-security purposes, and explain the Brazilian Intelligence system data-sharing rules and whether international intelligence-sharing arrangements affect onward transfers and safeguards.
• Ongoing monitoring and review: Commit to periodic reviews with EDPB involvement and keep a close watch on legal and regulatory developments that could affect the adequacy finding.

Next Steps

The EDPB's review is a standard stage in the adequacy process. The Commission is expected to incorporate the EDPB's clarifications, seek approval from the Member States, and, if endorsed, adopt the decision with a defined review cycle, bringing it into force.

If formally confirmed, Brazil will join the group of countries recognized by the European Union as providing adequate protection for personal data, and the decision may also open the way for additional bilateral recognitions.

Visit us at mayerbrown.com

Mayer Brown is a global services provider comprising associated legal practices that are separate entities, including Mayer Brown LLP (Illinois, USA), Mayer Brown International LLP (England & Wales), Mayer Brown (a Hong Kong partnership) and Tauil & Chequer Advogados (a Brazilian law partnership) and non-legal service providers, which provide consultancy services (collectively, the "Mayer Brown Practices"). The Mayer Brown Practices are established in various jurisdictions and may be a legal person or a partnership. PK Wong & Nair LLC ("PKWN") is the constituent Singapore law practice of our licensed joint law venture in Singapore, Mayer Brown PK Wong & Nair Pte. Ltd. Details of the individual Mayer Brown Practices and PKWN can be found in the Legal Notices section of our website. "Mayer Brown" and the Mayer Brown logo are the trademarks of Mayer Brown.

© Copyright 2025. The Mayer Brown Practices. All rights reserved.

This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.