The European Commission confirms that Argentina has adequate legislation for the international transfer of personal data
More than 20 years ago, Argentina received a note of adequacy from the European Commission, regarding the international transfer of personal data from the European Community to our country. And it still holds this note.
For many years, Argentina was the only country in the region to receive this adequacy note. This allowed it to have competitive business advantages over other jurisdictions when different European companies decided where to establish their business in the region. Argentina allowed, and still does today, for the transfer of personal data protected under European local law, to our country, without further safeguards.
All of this is especially relevant in a world where business is increasingly digital. This adequacy note also makes it possible to interact with the multiple economies of the countries that make up the European Union. But, in addition, it allows competitive advantages over other jurisdictions which, on the basis of the European Commission's adequacy notes, also recognize by extension the suitability of these countries. This adequacy note, for all those countries that receive it, goes beyond the purely analysis of personal data protection and privacy, and at the same time becomes an element of economic development.
It is also worth remembering that our country's adequacy note was made considering the legal framework in force in Europe in 2003, that is, Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
After the entry into force of the General Data Protection Regulation - Regulation 2016/679 (GDPR), and in accordance with the provisions of its articles 45 (9), 45 (3 and 5) and 97, the various adequacy notes in force remained fully in force until the Commission carried out a review of each of them (the GDPR establishes a review every four years). In this regard, the Commission formally initiated a review process with respect to those countries that had an adequacy note and, finally, resolved that all countries under review, including in particular Argentina, continue to provide an adequate level of protection of personal data for international transfers from the European Union.
All these countries are: Andorra, Argentina, Canada, Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay.
As a result, data transfers from the European Union to these countries do not require additional safeguards.
In the case of Argentina, the report specifically highlighted the evolution of the Argentine legal framework since the adoption of the adequacy decision, including legislative amendments, jurisprudence and the activities of supervisory bodies, which have contributed to a higher level of data protection.
In particular, it emphasized the independence of the Argentine data protection supervisory authority, significantly strengthened by the creation of the Agency for Access to Public Information ("AAIP") as the supervisory authority.
In the same way, it stressed the importance of the AAIP having issued a series of regulations and binding opinions clarifying how the Personal Data Protection Law No. 25,326 ("LPDP") should be interpreted and applied in practice, keeping the legal framework updated.
Moreover, it also positively highlighted the fact that Argentina strengthened its international commitments through its accession to Convention 108 and Convention 108+.
With regard to government access to personal data, a concern of the Commission and a debated issue in the various precedents of the European High Court of Justice – known as Schrems I and Schrems II – the Commission held that public authorities in Argentina are subject to clear, precise and accessible rules under which such authorities can access and subsequently use the transferred personal data for purposes of public interest, in particular for criminal law enforcement and security purposes, data transferred from the EU. These limitations and safeguards derive from the general legal framework and international commitments, particularly the National Constitution, the American Convention on Human Rights, Convention 108 and 108+, and the LPDP.
Finally, the Commission also mentioned the various resolutions of the AAIP to improve the application of the law and modernize its articles. In particular, it referred to the Personal Data Protection Bill presented in 2023 to the National Congress, as a way to codify all these advances and strengthen the local data protection regulations.
Article provided by INPLP member: Diego Fernandez (Marval O’Farrell Mairal, Argentina)
Discover more about the INPLP and the INPLP-Members
Dr. Tobias Höllwarth (Managing Director INPLP)