Latin America Privacy Regimes: Nations at a Glance
Last summer TRUSTe hosted its Privacy Risk Summit, which included a session on doing business in Latin America, and also issued a client advisory on the data protection laws of Latin America, available here. The note included information on the privacy frameworks of several different countries, including Argentina.
As a review, Argentina employs a hybrid approach to its data protection framework, meaning that it combines constitutional protection with expansive data protection regulations. Its data protection law, which was passed in 2000, provides general protection for personal data stored in public or private databases and other processing platforms, just as Chapter VII of the Federal Constitution recognizes individuals’ habeas data rights to access and correct information stored about them. These protections and others contributed to Argentina being deemed by the EU to provide a level of protection “essentially equivalent” to the EU.
At the end of 2016, the Argentina Data Protection Agency (DPA) released a new regulation governing international personal data transfers: DIRECCIÓN NACIONAL DE PROTECCIÓN DE DATOS PERSONALES Disposición 60 – E/2016. This new regulation includes model forms for international data transfers to data controllers and/or data processors. While model forms fashioned after EU standard contractual clauses were provided, controllers may still use other forms if submitted to the DPA for approval.
The Regulation also lists the following “adequate” countries (those that have an adequate level of data protection) for cross-border data transfers:
Article 3 Translation:
“Member States of the EUROPEAN UNION and members of the European Economic Area (EEA), SWISS CONFEDERATION, GUERNSEY, JERSEY, ISLE OF MAN, FAROE ISLANDS, CANADA only for its private sector, PRINCIPAL OF ANDORRA, NEW ZEALAND, URUGUAY and STATE OF ISRAEL only with respect to data that is received by automated means. This list will be periodically reviewed by this National Directorate, publishing the list and its updates on their official website.” Whereas countries such as the United States and Mexico do not appear this list, they may petition for adequacy.
This new Regulation should make doing business with Argentina easier for global corporations. It aligns with EU regulations, making it familiar to businesses already meeting EU requirements. Moreover, if organizations use the models provided by the Regulation, they can more efficiently operate within the data privacy confines of Argentine law.
If you have any questions about conducting cross-border data transfers in Latin America, including Argentina, please contact us.