Uruguay: New regulations regarding international data transfers
The Court of Justice of the European Union ('CJEU') published, on 16 July 2020, its highly anticipated judgment ('the Judgment') in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('the Schrems II Case'), which impacted many data protection regimes around the world. The Uruguayan data protection authority ('URCDP') announced, in September 2021, changes to its data protection regime regarding international transfers of personal data, via Resolution No. 23/021 of 8 June 2021¹ ('Resolution 23/021'), which establishes important changes in the international data transfer regime in Uruguay, and Resolution No. 41/021 of 8 September 2021 ('Resolution 41/021'), which includes a guide for the drafting of contractual clauses². Dr. Ana Brian Nougrères, Alejandra Saiz, and Ignacio Martinez, from Estudio Juridico Briann y Asociados, discuss the recent changes to international data transfer regulations and requirements, including adequacy status and exceptions to this.
Resolution 23/021 made some adjustments regarding the countries deemed 'adequate' for international data transfers, removing from the list the transfers made under the EU-US Privacy Shield program. The URCDP also took other complementary measures, such as establishing a term for adapting the existing contracts made under the Privacy Shield.
The URCDP established the countries deemed adequate for data transfers, including the EU Member States and EEA Agreement countries, Andorra, Argentina, the private sector of Canada, Guernsey, the Isle of Man, the Faroe Islands, Israel, Japan, Jersey, New Zealand, the UK, Northern Ireland, and Switzerland. The elimination of the Privacy Shield from the list was the only relevant change made.
An analysis done by the URCDP concluded it was necessary to adapt the list of adequate countries in the face of the Schrems II Case and the CJEU judgment. As stated by the URCDP regarding the Privacy Shield, '…there are some elements derived from the analysis made on the data processing from the USA that resulted in the invalidation of this framework.' The explicit idea behind this decision was to keep the country updated to comply with the international Standards for Personal Data Protection for Ibero-American States and the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), allowing Uruguay to remain 'adequate,' as it has been since 2012.
To bring the public and private sector up to date regarding privacy and data protection, the URCDP gave data controllers and processors six months from the publication of the Resolution to adjust to the new conditions for the data transfers previously made under the Privacy Shield program.
Data transfers are not permitted to countries which are not deemed adequate, with several exceptions stated in Article 23 of the Law No. 18.331 on the Protection of Personal Data and the Habeas Data Action 2008 ('the Law').
The following are regarded to be exceptions that allow the transfer of personal data to countries which are not deemed adequate:
- the data subject's express consent, which must be duly documented;
- transfers being done to cooperate with other countries' public authorities, including the transfer of sensitive health data for a person's medical treatment abroad or public health reasons;
- the transfer of financial personal data in case of international financial transactions;
- data transfers from a public source of information;
- data transfers made within the scope of an international convention or treaty that Uruguay has subscribed to; and
- data transfers made in cooperation with intelligence agencies against transnational organised crime, illicit drug trafficking, and the prevention of terrorism.
It is also possible to make international data transfers if they are done in fulfillment of a contract with the data subject (or to protect the data subject's interests), if it is necessary or mandatory to protect the people's best interest or the protection of an important human right in a judicial process, or if the transfer is done from a public source of information.
Even if the destination country does not provide adequate standards or is exempt by the Law, the controller can ask the URCDP for permission to perform the international data transfer. For this purpose, the URCDP establishes in Resolution 23/021 that when deciding whether or not to allow the transfer, it will take into account the adoption of contractual clauses, the location of the controller (and if the country in which he or she is located has adopted any data protection regulation), as well as the self-certification made available by the Federal Trade Commission.
Resolution 41/021 further expands the regime modifications started with Resolution 23/021, making available a guide for controllers and processors on drafting clauses in a data transfer contract. It serves as an example of good practices and as proof of compliance required by Article 23 of the Law when the URCDP needs to authorise the transfer.
International data transfers to countries deemed 'not adequate' by the URCDP (as per Resolution 23/021) must be preceded by a Privacy Impact Assessment ('PIA') that has to be annexed to the contract.
Unlike the European regulations, the guide provided by the URCDP does not include any actual clauses. The guide contains some stipulations regarded as of utmost importance and as minimum content of every data transfer contract, but not clauses themselves. It has 'General Clauses' and 'Specific Clauses': the former state the provisions that must be in any international data transfer contract of any nature; the latter set out content that depends on the parties subscribing to that contract (Controller-Controller, Controller-Processor, Processor-Processor).
The general requirements for the contract consist mostly of the need for certain information to be stated explicitly, although some particular solutions are mandatory. This is the case for the purpose of the transfer, which must be clearly established in the contract, as well as the right of information of the data subject, as stated in Article 13 of the Law, which establishes the information that must be given to the data subject when data is collected, including the identity of the processor and the sub-processors (if applicable). This information must be available permanently or be given at the data subject's request.
In any case, the contract must stipulate that in case of non-compliance, the competent administrative authority must be the Uruguayan one, with the exception of certain cases in which the importer is subject to a regulatory authority in the destination country.
The mandatory PIA, under Article 6(f) of Decree No. 64/020 on the Regulation of Articles 37-40 of Law No. 19.670 of 15 October 2018, must be annexed to the contract as a demonstration of due diligence on security and data privacy.
Regarding the information that is to be explicitly stated in the contract, the specific data transferred to the third country must be listed in detail. In case there is sensitive data, the content and purpose of each datum should be detailed.
The processing methods applied to the data must be stated, and the operational and security measures must be explicit in the clauses to fulfill the requisites of data security and proactive approach to data privacy of Articles 10 and 12 of the Law.
If there are subsequent data transfers, the controller must also establish the conditions under which the data will be consequently transferred to another party.
Regarding dispute resolution, the parties can stipulate any mechanism as long as it does not alter the rights of the data subject, modify in any way the processing operations in the interest of the data subject, or establish an undue retention of information, which should be deleted according to the applicable law.
The conditions under which the data will be preserved (by the exporter, importer, and third parties) must also be stated in the clauses. The data must always be available to the URCDP, as established in Article 34(d) of the Law.
Confidentiality clauses must also be stated in the contract, as well as the fact that only the supervisory authorities from the destination country can access the database, with a court order, with the safety and confidentiality of the data ensured, and accessing only the data which is strictly necessary to comply with such court order.
The specific clauses on the legal bases for that particular transfer, and all the subsequent ones, pay special attention to the responsibility of each party for damages done to the data subject's rights.
Even though the clauses are mandatory for data transfers made to countries that are 'not adequate' according to the URCDP, Resolution 23/021 exhorts every controller to take these clauses into account when making a contract for the transfer of personal data to third countries.
The impact these resolutions have on the companies that make transfers to third countries, particularly when those transfers are done to non-adequate countries, is, first of all, the creation of new burdens on the controllers and processors, in particular those of the private sector. Modifications must be made in all contracts that are made under the Privacy Shield program.
This can bring a drop in foreign investment in the country, affecting the business sector as well as the telecommunication sector overall. However, the URCDP gave a fair amount of time for the companies' adjustments to be made, and the changes in the regulation are in no way a radical shift in the Uruguayan legal system, but a continuation of the European data privacy approach.
Companies will have to adapt to make contracts acceptable to the URCDP and the international data protection standards. This might take time but will result in a more adequate, humane, and accountable data protection system.
Dr. Ana Brian Nougrères Director and Principal Consultant
Alejandra Saiz Senior Associate and Expert
Ignacio Martinez Legal Assistant
Estudio Juridico Briann y Asociados, Montevideo
1. See: https://www.gub.uy/unidad-reguladora-control-datos-personales/institucional/normativa/resolucion-n-23021 (only available in Spanish)
2. See: https://www.gub.uy/unidad-reguladora-control-datos-personales/institucional/normativa/resolucion-n-41021 (only available in Spanish)