1. Introduction: MERCOSUR-EU Agreement and the legislation on Data Protection
As is well known, last year, after several rounds of negotiations, the agreement between Mercosur and the European Union on economic matters emerged. Said agreement included matters related to customs duties, exchange of goods and services, sanitary measures, intellectual and industrial property rights, SMEs, dispute resolution, among other issues of relevance to both blocks.
Among these issues, although not as an integral part of the text of the agreement, discussions related to the Protection of Personal Data were also included. Currently, the States of the European Union are governed by the General Data Protection Regulation, or by its acronym, the GDPR, which is mandatory since May 25, 2018. During her visit to Argentina, in July of last year, the European Commissioner for Justice, Consumers and Gender Equality Vera Jourova, spoke about the benefits that the regulation and harmonization of data protection legislation would bring to both blocs.
For sure the EU is at the forefront in this matter, and in order to enable the advancement of this agreement for both blocs and above all, for the MERCOSUR countries, it is necessary that their laws harmonize with the provisions and principles of the GDPR, as which would bring about a quantitative and qualitative leap towards respect for the individual rights of people, the self-determination of the person regarding the processing of their data on the internet and in files, the final recognition of data protection as a fundamental human right, among other conquests.
Nowadays, in the current global situation of the coronavirus pandemic that hits the whole world, the negotiations have stalled, since there are urgent issues to address regarding the countries that make up each block. However, it is noteworthy that the will to move forward is intact.
That is why is necessary to carry out a review of the situation in which the laws of the MERCOSUR countries are in relation to the Protection of Personal Data, and why it is almost mandatory to use this time to be able to adapt them to the required standards by the EU in order to finally reach the conclusion of the negotiations carried out at the time of carrying out the revision of the Agreement between the two trade blocs.
2. Country by Country: MERCOSUR-EU Agreement and the legislation on Data Protection
The law that regulates the protection of personal data in Argentina is Law 25326, enacted on October 4, 2000, and is currently in force.
This law regulates what pertains to the treatment of personal data, its classification, the principles that should govern its treatment, international transfer of data, the rights of its owners, and the resources and actions that they have both administrative as well as judicially to obtain the deletion, rectification, modification, addition and correction of the data found in files or databases, both public and private, and the obligations of the owners of said files or databases when collecting and processing personal data.
In Argentina, the enforcement authority regarding Personal Data and Access to Public Information is the National Agency of Access to Public Information, which has a secretariat that is in charge of regulating and supervising everything related to personal data and the compliance of the Personal Data Protection law, which is the National Office of Protection of Personal Data.
In 2018 a Bill was presented to amend the Data Protection law and bring it as closely as possible to the GDPR standards, but unfortunately, the bill lost parliamentary status this year.
In 2018 it was sanctioned the new Law on Personal Data Protection – No. 13,709 LGPD-. On August 26 the Brazilian Parliament decided that the suspension of its enforceability would not be extended, so it is the law that is currently in force in Brazil to regulate everything related to the protection of the personal data of natural persons, processed both within the borders of the country, and by foreign companies that process data of persons located in Brazil.
This law has many points in common with the European General Data Protection Regulation, establishing an adequate legal framework regarding the collection, processing, and storage of personal data in general and sensitive data in particular, as well as the obligations and responsibilities of those –processors and controllers- who collect, process, select and store personal data, and may be liable –in case of non-compliance with the provisions of the law-, to be sanctioned administratively, civilly and criminally.
Likewise, it establishes the rights of the holders of personal data to grant informed consent for the collection and processing of their data and to control access, correction, rectification, updating, anonymization, and deletion of their data that are contained in databases both public and private.
For this law, it is mandatory -in certain cases- the need to have a Data Protection Delegate, and the enforcement authority is the National Data Protection Agency of Brazil.
In Paraguay, the Protection of Personal Data is regulated not only in the country’s Constitution but is also based on Laws No. 1682/2001, 1969/2002, which amends the first one and Law 5542 / 2015.
This set of laws regulate, among other issues: the processing and treatment of personal data contained in files, records, and public and private databases. The collection, processing, and treatment of personal data is only allowed for scientific, economic, statistical, or marketing purposes.
However, the current legislation establishes nothing regarding the figures of the database administrator; but it does regulate obligations pertaining to those responsible for said bases. Nor does it make a distinction between processors and controllers. Nor does it establish any obligation to report data breaches or incidents that occur with personal data.
The international transfer of data and its regulatory framework is not established in the legislation of Paraguay.
Likewise, there is no authority in Paraguay that regulates matters relating to the Protection of Personal Data and compliance with the law.
Finally, although the law does not establish anything regarding the possibility of making claims before administrative or judicial entities for violation of Personal Data, the penalties are established by other regulations, which allow those whose data have suffered any violation the right to claim before civil or criminal justice the pursue of a compensation.
There is a bill presented to the Paraguayan Parliament in 2019.
In Uruguay, personal data is ruled by Law No. 18,331, amended by Law No. 19,670, whose regulatory decree 64/020 modified certain articles of the first-mentioned law.
The law regulates the following aspects: a) it establishes a sort of glossary with definitions pertaining to personal data and the principles applicable; b) it also regulates the registration of the databases of the entities that collect and process personal data, whether they are located in Uruguay or process personal data of persons residing in Uruguay -under certain circumstances-; c) Establishes for public and private entities the need to have a Data Protection Officer and its obligations and responsibilities thereof; d) the need to have the informed consent of the owner of the data to collect, process and treat said data; e) the international transfer of data, the cases in which it proceeds and the requirements to transfer data to third parties; f) the obligations of the person in charge and the administrator of the databases; g) In the event of personal data breached or incidents that occur with them, the collectors, processors and responsible of the databases has to give notice and take the necessary measures to minimize risks; h) administrative sanctions concerning non-compliance with the rules contained in the law, ranging from warning to imposition of fines.
The application authority in the field of Data Protection in Uruguay is the Regulatory and Control Unit of Personal Data.
In February 2020, Law 19,670 was regulated, which among other issues complements Law 18,331 in terms of: 1) the adoption by the person responsible for the treatment of technical and/or organizational security measures to avoid and/or minimize incidents and breaches that may occur with personal data; 2) the promotion of national and international standards on cybersecurity; 3) the documentation of such measures and the planning and impact assessment regarding Personal Data.
3. Conclusion: MERCOSUR-EU Agreement and the legislation on Data Protection
After having made a brief reference to the Agreement between the European Union and Mercosur and the current state of the negotiations, reviewing the legislative situation of some of the countries that make up this last regional bloc, the truth is that it is essential to have an adequate level of protection of personal data, especially due to the extraterritoriality principle generated by compliance with the provisions of the GDPR and the cross-border flow of data.
Today we are witnessing a new era in human rights, where digital self-determination is no stranger. Where the right to digital existence of people cannot be overwhelmed over other issues such as those of an economic nature. That existence must be protected against any kind of violation.
Likewise, it is necessary to harmonize the laws of both economic blocs, which pushes MERCOSUR to take all the necessary steps to adapt its laws and regulate this new human right as an imperative, in order to achieve safer agreements in pursuit of a conciliatory and protective globalization of this new right that appears today.
Finally, it is worth highlighting the position that countries such as Argentina and Uruguay have in terms of recognition by the European Union regarding the adequate level of protection that these countries ensure to Personal Data, which places them at the forefront in the region.
However, it is mandatory for Argentina to update its law in order to continue maintaining that position in the face of the constant requirements of a globalized world both materially and digitally.
As announced by the Argentine authorities, the country has been chosen by some international laboratories, in order to test the effectiveness of vaccines against the coronavirus, which causes the disease known as COVID-19, by carrying out a series of tests on a sample of people, taking as parameters issues such as age, sex, previous disease conditions, among other factors.
In Argentina, there is a specific regulatory framework for conducting tests on the human body, which includes not only common law – civil law – but also specific rules and even provisions of public bodies that regulate issues related to said tests.
The main rules applicable to the development of this type of activities – going from the most general to the most specific – will be succinctly developed, in which are immersed questions about the disposition of the body itself, informed consent, transfer of personal data, sensitive data processing
a) Law 26,994. Civil and Commercial Code.
The civil and commercial code is applicable to the case of informed consent, regulating the acts of disposition that a person can carry out on the body itself, including investigations in human beings.
Article 58 establishes the requirements that need to be carried out when a person is a study subject or participant in medical research in humans through interventions, such as treatments, prevention methods, diagnostic or predictive tests, whose efficacy or safety are not scientifically proven.
Article 59 for its part, regulates informed consent regarding medical acts and health research.
b) Law 25326. Protection of Personal Data.
The conduct of clinical trials also involves sensitive personal data, by relating such trials to very personal and fundamental issues related to the dignity of the person, which have the status of human rights.
In Argentina, the law that regulates the protection of personal data in general, and sensitive data in particular is Law 25326.
This law establishes that sensitive data is “… Personal data that reveals the racial and ethnic origin, political opinions, religious, philosophical or moral convictions, affiliation, and information regarding health or sexual life.”
Likewise, in its article 7, when dealing with the category of data, and when referring to sensitive data, the law prescribes the following: “ARTICLE 7 – (Category of data). 1. No person can be forced to provide sensitive data. 2. Sensitive data can only be collected and processed when there are reasons of general interest authorized by law. They may also be treated for statistical or scientific purposes when their holders cannot be identified. ”
In section 2, the law refers to the process of data anonymization that consists of dissociating the data itself in relation to the determined or determinable person, holder of that data, through a certain process.
Article 8 of the law also mandates that, regarding health-related data, “Public or private healthcare establishments and professionals linked to the health sciences may collect and process personal data related to the physical or mental health of patients who come to them or who are or have been under treatment by them, respecting the principles of professional secrecy. “
Regarding the consent of the owner of personal data, Article 5 of the Data Protection Law prescribes that “(…) the free, express and informed consent will be required, which must be in writing, or by any other means that allows match it, according to the circumstances. The aforementioned consent given with other declarations must appear expressly and prominently, prior notification to the requested data, of the information described in article 6 of this law. “
Specifically speaking of international personal data transfer –sensitive data in particular-, article 12 exceptionally authorizes the transfer of said type of data only in an epidemiological investigation, as long as it is carried out under the terms of subsection e) of Article 6 –only when an anonymization procedure is applicable to the data collected-.
c) Resolution 1480/2011 and Disposition 6677/2010 from the Health Regulatory Authority –ANMAT-
c.1) Res. 1480/2011, Point A3. provides a definition of what informed consent has to be considered when a clinical trial is being carried out. The rule establishes that “As a general principle, consent must be obtained for all research involving human beings or carried out with biological samples or personal data.” In connection with this, the test subject will have to be informed the measures that will be taken to protect the confidentiality of personal data.
Regarding the confidentiality of the information obtained from the test subjects, point A6 prescribes that personally identifiable data should not be used when a study can be done without it. When it is necessary to record personal identification data, researchers must justify that need. For this purpose the consent has to be obtained. Furthermore, point A8. Regarding the management of the data and the results, prescribes the obligation for the researches to secure the personal data.
c.2) Disposition 6677/2010 from the Argentinean Health Regulatory Authority. Regime of Good Clinical Practices for Clinical Pharmacology Studies.
This provision states:
- a) That researchers must ensure the confidentiality of the information in the stages of preparation, execution and completion of the study, as well as the identity of the people incorporated into it;
- b) That the protocols contain confidentiality considerations;
- c) That it is an indispensable requirement for the approval of a clinical trial, the presentation of an informed consent form in which the person is informed: objectives, methods, advantages, therapeutic alternatives and possible risks inherent in the study and that it is free to withdraw their consent to participate, at any time, without explaining the causes.
As a corollary of this report, in order to carry out clinical trials in Argentina on people, the following aspects must be taken into account:
a) Minimum consent requirements.
- The confidential nature of the information related to the study, and the personal data of the patient.
- The objectives, methods, and potential benefits provided in the study.
- Therapeutic alternatives.
- The possible risks inherent in the trial, and the damages that may be caused to the patient.
- The freedom of the participant to withdraw their consent at any time, without explaining the causes or resulting in harm to them.
- That the researcher will provide the medication free of charge in the study.
- That if the patient / healthy volunteer cannot provide consent on their own, it must be obtained from their legal representative.
- That the researcher will bear the costs arising from the clinical investigation, both the expenses of the procedures used for the study and the damages caused to the patient as a consequence of their participation.
- That the signing of the informed consent does not imply the resignation of the patient to any of the rights provided in the current legal regulations.
b) Data Protection Principles that have to be complied with during Clinical Trials:
- The obtention of the informed consent;
- The rights that the subject has regarding his personal and sensitive data;
- The informed consent has to include the right of professional secrecy;
- Indicate the pseudonymization and anonymization procedures;
- The right of the person to access, control, rectify and erase their personal data from the database;
- Respect the principle of data quality and the purpose of its collection