Argentina’s new resolution No. 34/2019 of the Argentine Agency of Access to Public Information, the controlling authority of Personal Data Protection Law No. 25,326, has included the U.K and Northern Ireland in the white list of adequate jurisdictions for the transfer of personal data. This resolution was published Feb.26 in the Official Gazette.
Pursuant to the PDPL, the transfer of personal data to countries that have not enacted adequate legislation on personal data protection is restricted.
In 2016, the former Personal Data Protection Authority issued Rule 60-E/2016 recognizing the following countries as providing adequate protection: member states of the European Union and the European Economic Area, Switzerland, Guernsey and Jersey, the Isle of Man, the Faroe Islands, Canada (private sector only), New Zealand, Andorra and Uruguay.
Rule 60-E/2016 also approved two sets of model clauses for controller-to-controller transfers, as well as controller-to-processor transfers. Both model clauses were based on the EU Standard Model Contracts for the transfer of personal data to third countries approved by Decision 2001/497/CE and 2010/87/UE. Parties may freely use these templates or implement a different data-transfer agreement as long as this reflects the principles, safeguards and content related to personal data protection provided in the standard model clauses. Then, in 2018, the Argentine Data Protection Authority provided a set of guidelines for binding corporate rules.
As a member of the EU, the U.K. was previously recognized as an adequate destination for cross-border data transfers, but as a consequence of the Brexit negotiations and following a formal request from the U.K. government, the Argentine authorities have specifically declared this jurisdiction as adequate to maintain the transfer of data post Brexit. Resolution No. 34/2019 maintains that any data transfer to the U.K. and Northern Ireland will not be subject to restrictions, regardless of the withdrawal of the U.K. from the EU.
It should be recalled that international data transfer to countries without adequate legislation on personal data protection, such as the United States, is also permitted when a derogation to the transfer prohibition applies; the data subjects consent to the transfer; or when adequate protection levels arise from contractual clauses, international data transfer agreements, or self-regulation systems, such as binding corporate rules.
Resolution No. 34/2019 gives certainty to the specific situation arising from Brexit and the long and complicated negotiations conducted with the EU, allowing data to flow freely from Argentina to the U.K. and Northern Ireland.
If you want to comment on this post, you need to login.