Resolution 198/2023 of the Argentine Agency for Access to Public Information, controlling authority of the Personal Data Protection Law, was published 13 Oct. in the Official Gazette. The resolution recognizes the standard contractual clauses drafted by the Ibero-American Data Protection Network, the RIPD, as a valid mechanism for transferring personal data to nonadequate jurisdictions.
About the RIPD and its SCCs
Established in 2003, the RIPD is an association of data protection authorities from Spanish and Portuguese speaking countries in North, Central and South America, Brazil, Spain and Portugal. It is represented by relevant authorities and experts in the field and one of its goals is to develop initiatives and projects related to the protection of personal data in Ibero-American countries. Argentina's AAIP is an active member of the RIPD, together with other regional supervisory authorities.
In September 2022, the RIPD released a guide for the implementation of standard contractual clauses that can be used to validate international data transfers. The document lists several recommendations and guidelines on the practical implementation of SCCs. It also proposes two sets of SCCs: one for transfers between controllers and the other for transfers between controllers and processors. These two sets are considered to be a preliminary step as the RIPD expects to create several templates addressing other situations in the future.
The RIPD's Personal Data Protection Standards for Ibero-American States, published in 2017, were taken as a reference for drafting both the guide and SCCs. Moreover, these model clauses were designed to contain elements and principles similar to the European Union's SCCs.
The guide does not replace either local legislation or the provisions approved by the relevant data protection authorities of the region. Indeed, the application of this guide and the use of the SCCs shall follow the recommendations, provisions and regulations of the local data protection authorities and, by all means, go in hand with local legislation.
Parties may freely use the proposed SCCs in a broader contract or include other contractual clauses or guarantees, provided that they do not directly or indirectly contravene, alter or modify, the SCCs or affect the data subjects' fundamental rights. These model clauses are not directly binding on the RIPD member.
Provisions on cross border data transfer in Argentina
As in most personal data protection legislations, international data transfers to countries that do not provide for adequate data protection legislation are permitted in Argentina only to the extent that certain safeguards are adopted, such as the use of standard contractual clauses. Indeed, Personal Data Protection Law No. 25,326 restricts the transfer of personal data to countries which do not ensure an adequate level of protection. This restriction does not apply to the following cases:
- International judicial collaboration.
- Certain cases in connection with medical treatments.
- Banking or stock exchange transactions conducted in accordance with applicable laws and regulations.
- Transfer of data under international treaties.
- Data transfers between government intelligence agencies for the purpose of fighting against organized crime, terrorism and drug-dealing.
Through Rules No. 60 – E/2016 and No. 34/2019, the DPA declared the following countries as adequate jurisdictions: member states of the European Union and the European Economic Area, Switzerland, Guernsey and Jersey, the Isle of Man, the Faeroe Islands, Canada (only the private sector), New Zealand, Andorra, Israel, Uruguay, the United Kingdom and Northern Ireland.
The transfer of personal data to nonadequate countries is permitted when the data subject consents to the transfer, or when adequate levels of protection arise from contractual clauses (as international data transfer agreements) or systems of self-regulation (as binding corporate rules).
DPA’s Rule No. 60 - E/2016 approved two sets of standard model clauses for data transfer agreements (controller to controller and controller to processor transfers). Pursuant to that rule, parties may freely use these templates or implement a different data transfer agreement as long as this reflects the principles, safeguards and content related to personal data protection provided in the standard model clauses.
In the event parties choose not to use these models and sign a data transfer agreement that does not reflect the principles, safeguards and content contained in the model clauses, then such agreement will need to be submitted to the DPA for approval within 30 calendar days from the data transfer agreement execution.
Conclusion
Argentina is the third country in the region to endorse the use of SCCs created by the RIPD, joining Peru and Uruguay. Thus, now any Argentine controller will be allowed to use either the SCCs drafted by the DPA in 2016 or the clauses developed by the RIPD to validate cross-border data transfers to nonadequate jurisdictions.