On 27 January 2026, Brazil and the European Union announced in Brasília a decision that, in practice, erases an invisible border: from that day, personal data can move between the European Economic Area and Brazil with the same freedom with which it travels from Paris to Berlin or from São Paulo to Lisbon. It is a mutual adequacy decision —each party recognises that the other protects personal data in a manner “essentially equivalent” to its own— and its scope is unprecedented: it covers the public and private sectors at once, it is the first adequacy Brazil has obtained in its history and, according to the lawyers who have analysed it, the most comprehensive the European Commission has ever adopted under the General Data Protection Regulation.
It is worth situating the magnitude before entering the nuances. The measure reduces regulatory barriers across a combined base of some 670 million people. For the companies, governments and researchers that move data between both shores of the Atlantic, it means they no longer need the additional mechanisms each transfer required until now —the EU’s standard contractual clauses, transfer impact assessments. Data becomes, legally, as transferable within the EU-Brazil bloc as it is between two European countries.
Four months later, in the week this analysis is written, the Brazilian conversation about data has turned to another point: the decrees the government signed on 20 May to expand the powers of the National Data Protection Authority (ANPD) —the same agency that underpins European adequacy— toward the oversight of digital platforms. The temporal coincidence of both facts —external recognition and internal expansion of the authority— is what makes this moment analytically interesting. It is worth examining each piece separately and then the tension between them.
What was signed, exactly, and under what rules
Adequacy is not a single act, but two unilateral, independent and legally autonomous decisions, adopted in a coordinated manner and announced together. The precision matters because it defines who answers for what.
| Side | Instrument | Legal basis | Date |
|---|---|---|---|
| European Union | Implementing Decision (EU) 2026/179 | Article 45 GDPR | 26 Jan 2026 |
| Brazil | Resolution CD/ANPD No. 32/2026 | Article 33, I, of the LGPD | 26 Jan 2026 |
| Both | Joint public announcement | — | 27 Jan 2026 |
On the European side, the Commission concluded —following an opinion from the European Data Protection Board on 4 November 2025 and approval from the Member States— that Brazil offers a level of protection “essentially equivalent” to the European one. On the Brazilian side, the ANPD itself adopted the reciprocal decision, recognising the EU as an adequate territory under the mechanism of Article 33 of the LGPD, the Brazilian data-protection law in force since 2020.
There is a limit worth underlining, because it bounds the agreement’s real scope: adequacy does not cover data transfers carried out for the exclusive purposes of public security, national defence, state security or criminal investigation and prosecution. That boundary —the same one the Brazilian framework already established— leaves out precisely the most sensitive uses from a civil-rights standpoint. It is a reminder that “adequacy” does not mean “no grey zones”, but equivalence in the ordinary commercial and administrative terrain.
Both decisions also incorporate a monitoring clause: they must be reassessed within a maximum of four years. The Commission committed to continuously monitoring developments in Brazil, and the Brazilian Resolution provides for the symmetrical regarding the EU. Adequacy, in other words, is not a perpetual blank cheque, but a recognition conditioned on the level of protection being maintained.
Why Brazil and why now: the logic of the “Brussels effect”
Brazilian adequacy is a textbook case of what academics call the “Brussels effect”: the EU’s ability to export its regulatory standards without formally imposing them, simply through the weight of its market. Brazil’s 2018 LGPD was designed, from the outset, in close tune with the European GDPR —they share architecture, principles and much of the legal vocabulary. That deliberate convergence is what now bears fruit: the European Data Protection Board highlighted “the close alignment” between both frameworks and with the case law of the EU Court of Justice as the basis for its favourable opinion.
To gauge how singular the Brazilian case is, it helps to compare it with the existing adequacy landscape. The EU has granted adequacy to a short list of jurisdictions —among them Argentina, Uruguay, Canada, Japan, the United Kingdom, Switzerland and Israel— but most were adopted unilaterally (only the EU recognises the third country) and many with limited scope. Japan’s 2019 decision, for example, was essentially confined to the private sector. Brazil’s is the first that is mutual —both parties recognise each other— and one of the few that cover both the public and the private spheres at once. That breadth is what makes it, according to legal analyses, the most comprehensive in the GDPR catalogue.
The house to put in order: the 20 May decrees
While Brazil displays the European gold seal, on the domestic plane the conversation is more turbulent. On 20 May 2026, President Luiz Inácio Lula da Silva signed two decrees that tighten the rules for social networks and expand the government’s oversight power over the big tech companies. The measures regulate recent decisions of the Federal Supreme Court on the Internet Civil Framework, and place the ANPD as responsible for monitoring whether platforms comply with the new obligations: content moderation, complaint channels, transparency of ads and paid boosts, artificial networks and systemic risks.
Here arises the observation several Brazilian jurists have raised, and which it is worth reproducing precisely because it is the core of the debate. The ANPD was originally created with a bounded mandate: to protect personal data and oversee compliance with the LGPD. The new decrees transform it, under the critical reading, into something closer to a content- and platform-regulating agency. Electoral-law professor Francieli Campos, a specialist in artificial intelligence, warned that the government turned the ANPD, by decree, into a kind of arbiter of the digital public debate. The detail that adds tension: the decrees take effect 60 days after publication, which places their application near the peak of the October electoral contest, in which Lula is a likely re-election candidate.
The tension, laid out without resolving it
The analytical value of this moment lies in holding both images at once without collapsing them into one. It is worth setting out the two readings with comparable weight.
On one reading, there is no real contradiction, but a sign of institutional maturity. Those who hold it argue that European adequacy is precisely the proof that the Brazilian framework works and that its data authority enjoys international credibility; that expanding the ANPD’s competences to oversee platforms is consistent with the global trend —the EU itself assigns digital-supervision functions to its authorities— and responds to Supreme Court decisions, not to an Executive whim. Under this reading, Brazil would be building robust digital governance on two complementary fronts: data protection outward and platform accountability inward.
On the contrary reading, the coincidence reveals a risk. Its defenders —electoral lawyers, civil-society organisations— hold that loading the data authority with the oversight of public debate, on the eve of an election and through a decree by the very Executive whose leader is running for re-election, strains the independence that European adequacy presupposes. The underlying argument is that the ANPD’s international credibility rests on its autonomy, and that expanding its powers into a terrain as politicised as content moderation could, over time, erode precisely the trust that earned it the European seal. Adequacy’s four-year review clause makes this question more than theoretical: the EU committed to monitoring developments in Brazil, and the institutional architecture of its data authority is one of those developments.
It is not for this outlet to rule which reading will prevail. It is to note the fact both share: Brazil has achieved external recognition that almost no Global South country possesses, and it has done so in the same quarter in which it redefines, internally and against an electoral clock, what exactly the authority that underpins it does. The gold seal and the house to put in order coexist, for now, in the same address.
Methodological note. The “relative breadth” on the cover is an in-house estimate on a 0-100 scale, built to compare the scope of different GDPR adequacy decisions, not an official measurement. It weighs two documented factors: sectoral coverage (whether adequacy spans public and private sectors or just one) and reciprocity (whether it is mutual or unilateral). Brazil scores the maximum for being mutual and covering both sectors; the others sit below according to their documented scope (Japan’s, for instance, was essentially confined to the private sector). The dates, legal instruments and the public-security limit come from the official texts: Implementing Decision (EU) 2026/179 and Resolution CD/ANPD No. 32/2026, as well as the European Data Protection Board opinion of November 2025. The figure of 670 million people and the detail of the 20 May decrees come from the cited press coverage. Data cutoff: 23 May 2026.