Author: Laureli Mallek, Legal Fellow, Privacy and Technology Project 2012
At the end of August, the European Union determined that Uruguay's privacy laws provide an adequate level of protection. This allows companies, governments, or individuals to transfer personal information from Europe to Uruguay without the use of model contract clauses, binding corporate rules, or the US-EU and US-Swiss Safe Harbor program. At first glance, achieving “adequacy” may not seem substantial. However, with this classification, Uruguay has successfully joined an elite group of nations outside of the EU that includes only Andorra, Argentina, Australia, Canada, Switzerland, Faeroe Islands, Guernsey, Israel, the Isle of Man, and the United States when certain conditions are satisfied.
The process began in October 2008 when Uruguay petitioned to have its data protection laws recognized as “adequate” by the European Commission, the body which governs the European Union. The request required analyzing Uruguayan data protection laws and procedures to assess whether they satisfy the requirements on processing and international transfers of personal data established in Article 25(6) of the 1995 EU Directive on Personal Privacy (95/46/EC), which are encapsulated in seven governing principles: notice, purpose, consent, security, disclosure, access, and accountability.
Uruguay's 2008 request was reviewed in depth by the Article 29 Working Party, a group composed of one member from each EU member state which advises on data privacy and protection issues. The Working Party has experience investigating corporate practices (it has investigated data practices by companies including Facebook, Yahoo!, and Microsoft), so investigating a history of practice, digging through layers of data, and balancing economic interests against privacy practices that meet broadly defined technical standards is familiar territory. In evaluating Uruguay, the Working Party reviewed national laws including the Constitution, the statement of Habeas Data as stated in Ley No 18.331 de Protección de Datos Personales y de Acción de “Habeas Data,” administrative and judicial remedies, and relevant international agreements such as the American Convention of Human Rights. Between 2008 and 2010, the Working Party commissioned research and discussed enforcement questions with Uruguay’s data protection authorities.
Based on its findings, the Working Party released a 2010 opinion letter detailing Uruguay's management of data transfers, direct marketing, and sensitive data to remain aligned with EU protections. While the letter concluded that “the Working Party considers that the Eastern Republic of Uruguay ensures an adequate level of protection within the meaning of Article 25(6) of Directive 95/46/EC of the European Parliament,” it noted that “as part of any decision taken by the Commission, [the Working Party] will closely follow the evolution of data protection in Uruguay and the way in which the Data Protection Authority” continues to enforce the laws. No adequacy determinations have been revoked, but persistent monitoring may signal to all countries that the Working Party expects even more consistent enforcement of existing laws.
As a result of the adequacy finding, a data controller in France can now transfer personal data to Uruguay as simply as transferring the data to Spain, without any additional protection requirements such as binding corporate rules, which only allow transfers between different branches of the same company, or model contract clauses that lock companies into substantial liabilities. This creates a great opportunity for Uruguay to expand its economy and further embrace technology as the second country in South America eligible to receive personal data without restriction.
This post was originally published on the Hastings Science & Technology Blog.