No doubt, cross-border data transfers are going to be a top priority for many privacy regulators around the world in 2016. As is common knowledge by now, on October 6, 2015, the European Court of Justice issued a judgment (Schrems Judgment) declaring invalid the European Commission’s Decision 2000/520/EC which allowed transfers of personal data from the EU to U.S. companies that self-certified under the Safe Harbor Framework. While the Schrems Judgment directly concerns only data transfers from the EU to the U.S., its ramifications may indirectly affect cross-border data transfers more generally. In this post, we look at cross-border data transfers as a key compliance risk and offer a Latin-American (LatAm) perspective.
Moving data: a compliance risk
Cross-border data transfers have long been identified as a corporate compliance risk for international companies. Technological progress has opened the door for vast amounts of electronic communications and global flow of information. While, in practice, data flows freely across geographic borders, the territorial scope of data protection laws is limited (although we are currently witnessing a trend towards a wider territorial scope of data protection laws). Given the varying levels of privacy protections around the world, countries with higher privacy standards frequently restrict the flow of data from their country to other countries in order to safeguard that data post-transfer. The key challenge in relation to cross-border data transfers lies in the differences in approach to privacy protection across the world. More and more countries follow the European model when enacting local privacy laws, and calls for harmonization of data protection laws on a global level are increasing. Nonetheless, many differences between national data protection frameworks still exist – even within one region such as Latin America. For example, what might constitute consent in one jurisdiction might not in another. Or the collection or transfer of sensitive data might be subject to specific restrictions in some countries but not in others. Given that numerous principles and concepts (such as notice, consent, purpose specification, etc.) come into play in cross-border transfer scenarios, understanding and complying with the applicable legal requirements across multiple jurisdictions can be a challenging task.
Privacy laws and cross-border transfer rules in Latin America
While the concepts of a right to privacy and data protection legislation are still relatively new to some LatAm countries, they are certainly on the agenda of many of those countries and a lot of progress has been made in the past years. Approaches to data protection vary considerably amongst LatAm countries, but can be categorized as follows:
- Some countries, like Ecuador, Panama and Honduras, guarantee a constitutional right to informational self-determination (“habeas data”) but do not have comprehensive privacy legislation in place. This constitutional right to privacy is of limited effect as it does not establish general data protection standards or a data protection authority.
- Other countries, like Argentina (2000), Uruguay (2008), Mexico (2010), Peru (2011), Costa Rica (2011) and Colombia (2012), have enacted comprehensive data protection legislation similar to European data protection legislation (and some of them also guarantee a constitutional right to privacy). Argentina and Uruguay are amongst the few countries around the globe that have been given adequacy status by the European Commission.
- Other countries, like Paraguay and Chile, have less comprehensive data protection laws in place – although Chile is in the process of upgrading its existing data protection law.
- A fourth category of countries, including Bolivia, Brazil, El Salvador, Guatemala, Nicaragua, Dominican Republic, Venezuela and Cuba, recognize basic privacy rights but do not have a constitutional right to privacy or comprehensive data protection legislation. That said, Brazil is in the process of adopting data protection legislation.
Not surprisingly, the requirements for cross-border transfers also vary considerably across LatAm jurisdictions. Many countries do not restrict cross-border data transfers at all. However, more and more countries, including Argentina, Peru, Uruguay and Colombia, follow the European approach in relation to international transfers. They generally only allow data transfers out of their territories to countries that offer adequate levels of protection of personal data. Transfers to other countries are subject to further requirements such as the data subject’s consent or additional safeguards such as the implementation of international data transfer agreements, unless they fall under an exception to the transfer restrictions (e.g., data transfer is necessary for the performance of a contract or to protect public interests). As regards the process for designating third countries as providing an adequate level of data protection, most LatAm countries take a rather informal approach and have not issued lists of adequate countries. It is generally up to the transferor to assess the adequacy of the recipient country’s level of data protection. This requires a thorough review and comparative analysis of the relevant privacy frameworks and would often include consultations with the relevant data protection authorities. As a general rule, EU countries would be considered to provide adequate protection, while the U.S. is not. The situation is a little different for Uruguay. By way of a 2009 Resolution, Uruguay declared that the EU countries as well as those countries that have received adequacy status from the EU Commission are considered as providing an adequate level of data protection for the purposes of data transfers out of Uruguay.
As regards the implications of the Schrems Judgment on Latin America, the Argentinian and Uruguayan adequacy decisions could now arguably be at risk of being invalidated if Argentinian and Uruguayan privacy legislation is found to not hold up to the standards set by the Schrems Judgment. While they still stand for now, the Schrems Judgment confirmed that national supervisory authorities have the power to investigate claims calling into question the adequacy of privacy protections afforded by a third country. While a supervisory authority would not have the power to invalidate these adequacy decisions, it has the power to refer such complaints to the courts, which in turn, might declare an adequacy decision invalid.
Overall, the international transfer of personal data is a process that has to be carefully handled by global companies. As for transfers from LatAm countries with European-style privacy laws, generally, a thorough review and comparative analysis of the applicable regulations of both the transferor and the recipient country is required in order to determine whether the recipient country offers an adequate level of privacy protections. If adequacy cannot be established, additional safeguards might need to be adduced. When it comes to transfers from the EU to LatAm countries, these will generally be allowed to Argentina and Uruguay, at least as long as the European Commission’s adequacy decisions in relation to those countries still stand following the Schrems Judgment. Transfers from the EU to other LatAm countries will generally need to be validated through alternative transfer mechanisms. A lot to consider but, at the end of the day, safely transferred data is a testament that a company has implemented appropriate procedures and standards.