From Adequacy to AI Governance: What the EU-Brazil Digital Partnership Means

by Jhonathan Campos, Founder

The signature

On 12 June 2026, in BrasĂ­lia, Brazil and the European Union signed a Digital Partnership. Read as diplomacy the event looks routine, yet the substance amounts to a structural change in how the two sides will regulate the digital economy between them, and the case made in what follows is that its real weight lies in the governance it tries to make compatible rather than in any market it opens.

Much of the groundwork was settled before the signing, most importantly the mutual data adequacy reached earlier in 2026, which now lets personal data move between the two jurisdictions without the transfer machinery that used to consume compliance teams and closes a question that had shaped the relationship for years. The partnership reaches past that settled point toward a harder one, asking whether two legal systems can govern the data, and the AI built on top of it, on terms each will trust. That question is what sets the order of everything below, so the analysis first places Brazil against the four countries the EU has run this format with before, then works through the plumbing of adequacy, into AI governance as the strand that touches every other, on to the child-safety regime where the cooperation will first be tested on real products, and only then to the economics and the limits, each layer resting on the one before it.

The instrument the two sides chose says almost as much as the signing did. The EU reserves this format for a short list of countries it expects to grow alongside on regulation, infrastructure and market trust, running the relationship through political dialogue, a Digital Partnership Council and technical workstreams that reach across artificial intelligence, data governance, cybersecurity, digital identity, platforms, semiconductors and high-performance computing. Until now that list held only Japan, South Korea, Singapore and Canada. Brazil joining it signals that the EU is treating this as a track meant to deepen over time, rather than as one more diplomatic dialogue that fills a calendar.

What these partnerships have done elsewhere

The four earlier cases are worth reading together, because they show the same instrument bending toward whatever each relationship needed. With Japan the weight fell on strategic hardware and the infrastructure around it, from semiconductors and next-generation networks to quantum research, high-performance computing and the security layer that has to hold all of it together. Korea took the instrument further into commerce, so much so that its partnership eventually grew into a full Digital Trade Agreement. Singapore narrowed the focus to trust, building out the plumbing that makes cross-border data movement routine rather than exceptional: trusted flows, digital identity, and standards designed to be interoperable from the start. Canada leaned toward resilience, pairing AI and cybersecurity cooperation with questions of media integrity, competitiveness and digital sovereignty.

Brazil will not slot neatly into any of these. What sets its case apart is the combination it brings, since no earlier partner arrived carrying Latin America's largest digital market, mutual data adequacy with the EU, a codified civil-law tradition, a working data-protection statute in the LGPD, a data authority whose remit is expanding by the month, a new child-safety regime already in force, and a pending AI bill, all at once. That mix is why the partnership reads differently here than it did in Tokyo or Singapore.

What Brazil's version contains, and why the timing matters

On paper the Brazilian partnership covers the familiar spread: data governance, AI, connectivity and digital infrastructure, online platforms, cybersecurity, digital public goods, semiconductors, high-performance computing, digital signatures and global digital-governance questions. The breadth is standard. The interesting part is when it arrived.

Brazil and the EU have run a Strategic Partnership since 2007, and for years their Digital Dialogue has done the quiet technical work on AI rules, online safety, 5G and 6G, digital public services and the data economy. Several of the pieces this partnership relies on were already in place before the signing. So the Digital Partnership is best understood as a promotion rather than a founding, taking a relationship that was already functioning at the technical level and giving it a political frame high enough to pull the legal, technical and strategic threads into the same room. It changes no domestic law and imposes no new compliance code on any single company. Its whole value is connective.

The legal bridge: mutual adequacy

The most concrete thing underneath the partnership is mutual data adequacy, reached in 2026 when each side formally recognised the other as offering comparable protection for personal data crossing the border. On the European side, an Article 45 GDPR adequacy finding lets data flow to Brazil without the extra transfer machinery that other destinations require. On the Brazilian side, the ANPD returned the recognition to the EU through Resolution No. 32/2026.

For anyone running a cross-border operation, adequacy resets the starting assumption. A fintech running fraud checks against European systems, or a SaaS vendor supporting EU clients out of SĂŁo Paulo, can now assume data moves without a fresh legal negotiation every time. What adequacy does not do is lighten the substance of data protection, and this is the distinction companies most often get wrong. Firms still owe lawful bases, transparency, purpose limitation, minimisation, security, records, vendor controls, data-subject rights, and impact assessments where the risk calls for them. In AI work the gap between the two matters even more, because moving training data across the border legally says nothing about whether the training, profiling or deployment on top of it is lawful.

AI governance as the strategic core

That gap between moving data legally and using it legally is where AI governance lives, and of all the strands in the partnership it is the one that touches every other. On the European side the AI Act has already set the working vocabulary, sorting systems by risk, banning some outright, and loading the high-risk tier with duties for documentation, human oversight, monitoring and incident reporting. On the Brazilian side PL 2338/2023 is still moving through the Chamber of Deputies, though the text the Senate has already approved points clearly toward a rights-based, risk-tiered regime that would rhyme with the European approach without copying it.

No treaty makes the AI Act binding in Brazil, and none was meant to. The partnership works upstream of legislation, nudging regulators and firms toward compatible methods well before the statutes actually converge. The four earlier partnerships explain why this upstream pressure is worth taking seriously, because in every one of them AI never travelled alone. It came bundled with compute, identity, data quality, standards and cybersecurity, since a model is only as governable as the infrastructure and records surrounding it. Brazil will follow the same logic. Whether an AI system can be governed will turn less on the rules written for the model and more on the data feeding it, the compute running it, the audit trail behind it and the humans accountable for it.

That is what makes AI governance the demanding part of the agenda rather than a side file, and it points to where the real work will sit. A company operating both markets will find that regulators increasingly want claims proven rather than asserted. Telling a supervisor that a hiring model treats candidates fairly settles little on its own, because what the regulator now expects to see is the evaluation record behind the claim, the lineage of the data the model learned from and a log of who reviewed its output and when. The partnership does not invent that burden so much as sharpen the reason to build the evidence now, because the corridor between the two markets will increasingly run on it.

Children online: ECA Digital, ANPD and the first real test

Nowhere is that demand for evidence sharper, or closer to the actual design of a product, than in the rules Brazil has just written for children online. The country's ECA Digital, Law No. 15.211/2025, governs how digital environments treat children and adolescents, reaching social networks, apps, games, app stores, operating systems and video platforms whenever they are aimed at minors or simply likely to be used by them. It turns on practical questions of age assurance, safety by default, parental supervision, advertising limits and workable reporting channels.

What makes this layer institutionally heavy is who now runs it. A sequence of measures over roughly a year handed the ANPD the authority to apply and supervise much of the ECA Digital framework, detailed the rules for protecting minors online, and finally, through Law No. 15.352/2026, turned the ANPD into a full regulatory agency. Brazil's privacy authority has therefore grown into something broader, sitting at the meeting point of data protection, child safety, platform design and algorithmic oversight, which is a wider brief than most data authorities anywhere hold.

An administrative arrangement between the ANPD and the Commission services responsible for the Digital Services Act plugs directly into this space, opening a channel for cooperation on platform transparency, risk assessment, algorithms and shared study of the problems both systems are now trying to manage. It gives the Commission no enforcement reach inside Brazil and makes the DSA binding nowhere it was not already. The point of it is mutual learning between two regulators facing the same risks from different legal starting points.

The first place all of this gets tested will almost certainly be age assurance, and Brazil is not theorising about it. The ANPD is already inside the app stores, pressing Apple, Google and Microsoft for detail on system architecture, data flows, the mechanics of their age-assurance systems and evidence that any of it works. App stores and operating systems draw the scrutiny because they sit above every individual service, which is exactly what makes them the high-stakes choice. Reliable age signals delivered at that layer could make protection scalable and comparatively unintrusive, sparing users a fresh identity check inside every app. Built badly, the same design collapses into over-identification, false exclusions, quiet surveillance and a handful of global platforms controlling a piece of civic infrastructure. Either way it forces the abstract AI-governance debate down to something concrete, since age estimation, recommendation, moderation and ad targeting all turn on questions about data sources, error rates and review that a regulator can actually inspect. Child safety is likely to be where the partnership first stops being a document and starts shaping how products get built.

Why Brazil is a credible partner

Attention this detailed says something about how much the EU thinks Brazil is worth, and the first part of the answer is the sheer size and shape of the trade between them. The EU is Brazil's second-largest trading partner after China, while Brazil ranks only tenth for the EU, and goods trade reached €87.1 billion in 2025. Europe is also Brazil's largest foreign investor, with direct-investment stocks above €300 billion. The volume is real, but its shape is old, since Brazil ships Europe soy, ore and oil while Europe ships back machinery, chemicals, regulated industrial goods and, increasingly, rules. Digital cooperation is the attempt to open a third column in that ledger, one built around cloud, cybersecurity, digital identity, electronic signatures, AI governance, research infrastructure and digital health, the kind of trade priced for expertise rather than tonnage.

Brazil's legal system is what makes the ambition plausible, though it does not carry the case alone. Because the country works in a codified, civil-law tradition with constitutional rights, statutory regulation, administrative authorities and judicial review, European institutions arrive to find a legal grammar they already read fluently. Legality, proportionality, risk assessment, regulatory supervision and fundamental rights do not have to be translated or invented for the partnership to function. They are already load-bearing terms in Brazilian law, which lets the two sides cooperate as peers without turning Brazil into an outpost of EU regulation.

What it changes, and for whom

Several effects run at once here, and they pull in the same direction. The legal centre of gravity moves off the settled question of whether data can leave Brazil for Europe and onto the harder one of whether two systems can govern that data on terms each will trust, which depends far more on institutions than on transfer paperwork. In Brazil the institution left holding that question is the ANPD, whose expansion is now the pivot the whole relationship turns on.

For business, the effects sort roughly by how close a sector sits to trust and evidence. Privacy and data-transfer advisers gain first, because adequacy forces every company to revise its transfer assumptions without letting go of ordinary GDPR and LGPD discipline. Cloud, SaaS, outsourcing, fintech and cybersecurity providers benefit next from lower uncertainty over EU-Brazil flows, provided they can show the auditability and security to back it up. AI-governance work is where the largest fees will land, and not on legal interpretation alone, since the demand will be for the operational proof described earlier: the inventories, documentation, testing and monitoring that turn a compliance claim into something an auditor can check, which is work that pulls lawyers, privacy staff, engineers and product teams into the same project. Identity, electronic-signature, consent and age-assurance providers rise in strategic value too, because they are the layer that turns legal trust into running systems, and any progress on compatible trust services would put them at the centre of the cross-border architecture.

The scrutiny falls hardest on anything children can reach. App stores, operating systems, games, social and messaging services, EdTech and video platforms should expect weak age assurance, profiling of minors, dark patterns, opaque recommenders and thin moderation evidence to become genuinely difficult to defend. Health and research sit in a similar high-sensitivity band, since adequacy and stronger institutional trust help, but health data, children's data and research ethics will keep demanding safeguards well above ordinary commercial processing, as will any AI used in mental health, education, employment, credit or public services.

The industrial effects are the most speculative, and honesty requires flagging them as such. Semiconductors, high-performance computing and connectivity appear in the partnership because digital regulation now overlaps with supply-chain resilience and technological sovereignty, and for Brazil these could open a route into a higher-value relationship with Europe while giving the EU another trusted partner in strategic infrastructure. That is a forecast, not a present legal effect, and it will hold only if the partnership generates real workstreams rather than ceremonial meetings.

Under the commercial calculation sits a geopolitical one. Europe has its own reasons to cultivate trusted technology partners beyond its usual transatlantic and Pacific circles, and Brazil has every reason to be read as a country that helps write the rules rather than one that only inherits them.

Limits and risks

None of this makes Brazil an easy market. Tariff and non-tariff barriers, tax complexity, procurement friction, infrastructure gaps and uneven enforcement will keep shaping any entry, so the fair conclusion is narrow: the partnership can lower uncertainty in the specific corners where trust and predictable data flows decide outcomes, while leaving Brazil's deeper structural difficulties untouched.

Adequacy itself is conditional, a recognised trust status rather than a permanent exemption from scrutiny, and its durability will rest on the ANPD's independence, the quality of its enforcement, and the safeguards around public-authority access to data. The same discipline governs the AI side, which should never be mistaken for deregulation or automatic convergence. Well-run AI operations will find themselves easier to justify across the corridor, while opaque systems, informal data practices, weak child-safety controls and undocumented models come under more pressure than before.

Brazil's real exposure is execution. The country holds the legal materials for a serious digital-governance role, from the LGPD and constitutional data protection through the ANPD, ECA Digital and a pending AI bill. Those materials convert into market credibility only if enforcement quality, regulatory capacity and institutional independence actually hold up under load, which is the one variable no partnership can supply from outside.

The thesis

Adequacy made the data flow. The Digital Partnership asks the larger question of whether Brazil and the EU can make the governance around that data interoperable, and AI is where the answer will show first. Data movement, model governance, child safety, platform accountability, digital identity and public infrastructure have stopped behaving like separate compliance silos and started to function as parts of one trust architecture. The real measure of the partnership is whether the two sides can build a corridor in which innovation, fundamental rights, commercial reliability and hard regulatory evidence manage to hold together at once.


Sources: European Commission, "EU and Brazil deepen ties through Digital Partnership" (12 June 2026); "Digital partnerships," Shaping Europe's Digital Future; "13th EU-Brazil Digital Dialogue reinforces digital cooperation" (12 February 2025); "Adequacy decisions"; and "AI Act." ANPD, "ECA Digital" institutional page, and the decree detailing protection of children and adolescents online (18 March 2026). Ministry of Justice and Public Security of Brazil, statement on strengthening the ANPD and the entry into force of ECA Digital (26 February 2026). Brazilian Senate, PL 2338/2023. European Commission, "EU trade relations with Brazil." European Council, statement on President Costa's Brazil visit (23 May 2025). EU sources on the Japan, Korea, Singapore and Canada Digital Partnerships.

More articles

Before the AI Model, Anonymisation as an AI Governance Control

A practical analysis of EDPB Guidelines 02/2026 on anonymisation, and why the assessment belongs before data enters the AI training pipeline.

Read more

AI Governance Has Moved Into the Dependency Chain

A practical analysis of why AI governance now reaches cyber resilience, suppliers, infrastructure, recovery paths, and the evidence behind operational control.

Read more

Tell us about your project

Our office

  • Berlin
    Schöneberg, 10829