The MERCOSUR-EU Agreement and the Legislation on Data Protection in the Countries of the Region.

By Manuel Lobato. Patents Lawyer.

1. Introduction: MERCOSUR-EU Agreement and the legislation on Data Protection

As is well known, last year, after several rounds of negotiations, the agreement between Mercosur and the European Union on economic matters emerged. Said agreement included matters related to customs duties, exchange of goods and services, sanitary measures, intellectual and industrial property rights, SMEs, dispute resolution, among other issues of relevance to both blocks.

Among these issues, although not as an integral part of the text of the agreement, discussions related to the Protection of Personal Data were also included. Currently, the States of the European Union are governed by the General Data Protection Regulation, or by its acronym, the GDPR, which is mandatory since May 25, 2018. During her visit to Argentina, in July of last year, the European Commissioner for Justice, Consumers and Gender Equality Vera Jourova, spoke about the benefits that the regulation and harmonization of data protection legislation would bring to both blocs.

For sure the EU is at the forefront in this matter, and in order to enable the advancement of this agreement for both blocs and above all, for the MERCOSUR countries, it is necessary that their laws harmonize with the provisions and principles of the GDPR, as which would bring about a quantitative and qualitative leap towards respect for the individual rights of people, the self-determination of the person regarding the processing of their data on the internet and in files, the final recognition of data protection as a fundamental human right, among other conquests.

Nowadays, in the current global situation of the coronavirus pandemic that hits the whole world, the negotiations have stalled, since there are urgent issues to address regarding the countries that make up each block. However, it is noteworthy that the will to move forward is intact.

That is why is necessary to carry out a review of the situation in which the laws of the MERCOSUR countries are in relation to the Protection of Personal Data, and why it is almost mandatory to use this time to be able to adapt them to the required standards by the EU in order to finally reach the conclusion of the negotiations carried out at the time of carrying out the revision of the Agreement between the two trade blocs.

2. Country by Country: MERCOSUR-EU Agreement and the legislation on Data Protection

a) ARGENTINA:

The law that regulates the protection of personal data in Argentina is Law 25326, enacted on October 4, 2000, and is currently in force.

This law regulates what pertains to the treatment of personal data, its classification, the principles that should govern its treatment, international transfer of data, the rights of its owners, and the resources and actions that they have both administrative as well as judicially to obtain the deletion, rectification, modification, addition and correction of the data found in files or databases, both public and private, and the obligations of the owners of said files or databases when collecting and processing personal data.

In Argentina, the enforcement authority regarding Personal Data and Access to Public Information is the National Agency of Access to Public Information, which has a secretariat that is in charge of regulating and supervising everything related to personal data and the compliance of the Personal Data Protection law, which is the National Office of Protection of Personal Data.

In 2018 a Bill was presented to amend the Data Protection law and bring it as closely as possible to the GDPR standards, but unfortunately, the bill lost parliamentary status this year.

b) BRAZIL:

In 2018 it was sanctioned the new Law on Personal Data Protection – No. 13,709 LGPD-. On August 26 the Brazilian Parliament decided that the suspension of its enforceability would not be extended, so it is the law that is currently in force in Brazil to regulate everything related to the protection of the personal data of natural persons, processed both within the borders of the country, and by foreign companies that process data of persons located in Brazil.

This law has many points in common with the European General Data Protection Regulation, establishing an adequate legal framework regarding the collection, processing, and storage of personal data in general and sensitive data in particular, as well as the obligations and responsibilities of those –processors and controllers- who collect, process, select and store personal data, and may be liable –in case of non-compliance with the provisions of the law-, to be sanctioned administratively, civilly and criminally.

Likewise, it establishes the rights of the holders of personal data to grant informed consent for the collection and processing of their data and to control access, correction, rectification, updating, anonymization, and deletion of their data that are contained in databases both public and private.

For this law, it is mandatory -in certain cases- the need to have a Data Protection Delegate, and the enforcement authority is the National Data Protection Agency of Brazil.

c) PARAGUAY:

In Paraguay, the Protection of Personal Data is regulated not only in the country’s Constitution but is also based on Laws No. 1682/2001, 1969/2002, which amends the first one and Law 5542 / 2015.

This set of laws regulate, among other issues: the processing and treatment of personal data contained in files, records, and public and private databases. The collection, processing, and treatment of personal data is only allowed for scientific, economic, statistical, or marketing purposes.

However, the current legislation establishes nothing regarding the figures of the database administrator; but it does regulate obligations pertaining to those responsible for said bases. Nor does it make a distinction between processors and controllers. Nor does it establish any obligation to report data breaches or incidents that occur with personal data.

The international transfer of data and its regulatory framework is not established in the legislation of Paraguay.

Likewise, there is no authority in Paraguay that regulates matters relating to the Protection of Personal Data and compliance with the law.

Finally, although the law does not establish anything regarding the possibility of making claims before administrative or judicial entities for violation of Personal Data, the penalties are established by other regulations, which allow those whose data have suffered any violation the right to claim before civil or criminal justice the pursue of a compensation.

There is a bill presented to the Paraguayan Parliament in 2019.

d) URUGUAY:

In Uruguay, personal data is ruled by Law No. 18,331, amended by Law No. 19,670, whose regulatory decree 64/020 modified certain articles of the first-mentioned law.

The law regulates the following aspects: a) it establishes a sort of glossary with definitions pertaining to personal data and the principles applicable; b) it also regulates the registration of the databases of the entities that collect and process personal data, whether they are located in Uruguay or process personal data of persons residing in Uruguay -under certain circumstances-; c) Establishes for public and private entities the need to have a Data Protection Officer and its obligations and responsibilities thereof; d) the need to have the informed consent of the owner of the data to collect, process and treat said data; e) the international transfer of data, the cases in which it proceeds and the requirements to transfer data to third parties; f) the obligations of the person in charge and the administrator of the databases; g) In the event of personal data breached or incidents that occur with them, the collectors, processors and responsible  of the databases has to give notice and take the necessary measures to minimize risks; h) administrative sanctions concerning non-compliance with the rules contained in the law, ranging from warning to imposition of fines.

The application authority in the field of Data Protection in Uruguay is the Regulatory and Control Unit of Personal Data.

In February 2020, Law 19,670 was regulated, which among other issues complements Law 18,331 in terms of: 1) the adoption by the person responsible for the treatment of technical and/or organizational security measures to avoid and/or minimize incidents and breaches that may occur with personal data; 2) the promotion of national and international standards on cybersecurity; 3) the documentation of such measures and the planning and impact assessment regarding Personal Data.

3. Conclusion: MERCOSUR-EU Agreement and the legislation on Data Protection

After having made a brief reference to the Agreement between the European Union and Mercosur and the current state of the negotiations, reviewing the legislative situation of some of the countries that make up this last regional bloc, the truth is that it is essential to have an adequate level of protection of personal data, especially due to the extraterritoriality principle generated by compliance with the provisions of the GDPR and the cross-border flow of data.

Today we are witnessing a new era in human rights, where digital self-determination is no stranger. Where the right to digital existence of people cannot be overwhelmed over other issues such as those of an economic nature. That existence must be protected against any kind of violation.

Likewise, it is necessary to harmonize the laws of both economic blocs, which pushes MERCOSUR to take all the necessary steps to adapt its laws and regulate this new human right as an imperative, in order to achieve safer agreements in pursuit of a conciliatory and protective globalization of this new right that appears today.

Finally, it is worth highlighting the position that countries such as Argentina and Uruguay have in terms of recognition by the European Union regarding the adequate level of protection that these countries ensure to Personal Data, which places them at the forefront in the region.

However, it is mandatory for Argentina to update its law in order to continue maintaining that position in the face of the constant requirements of a globalized world both materially and digitally.

Sources:

https://www.mercosur.int/mercosur-cierra-un-historico-acuerdo-de-asociacion-estrategica-con-la-union-europea/

https://www.efe.com/efe/america/economia/el-pacto-con-mercosur-mejorara-las-politicas-de-proteccion-datos-segun-la-ue/20000011-4021149

https://www.impo.com.uy/bases/leyes/18331-2008

http://www2.congreso.gob.pe/sicr/cendocbib/con2_uibd.nsf/8F7EC36BB743626D052577C1007243CC/$FILE/Protecci%C3%B3n_d_Datos.pdf

https://www.jornaldocomercio.com/_conteudo/especiais/jornal_da_lei/2020/01/720955-prontos-para-a-lei-geral-de-protecao-de-dados.html

Minimizing The Data Risks

By Manuel Lobato. Patents Lawyer.

Guide of Impact on the Personal Data Protection

On January 29, to commemorate the International Data Protection Day, the control authorities of the countries of Argentina and Uruguay prepared a Guide for the study of Impact on the Personal Data Protection. Hose main objectives are:

1) minimize the risks of projects faced by entities –publics and privates- that manage personal data.

2) the implementation and standardization of preventive rules to which these entities must comply when carrying out said projects.

3) By developing an Impact Assessment, comply with current regulations on the matter.

Personal data

The document begins by enunciating general concepts within which the one that stands out the most, is the meaning of ¨personal data¨ -because of its breadth-, encompassing all kinds of information, not only of individuals but also legal entities, in line with current regulations in the countries of Argentina and Uruguay.

Then, the need and importance of carrying out risk assessments that could affect personal data through its treatment is determined in the different projects or operations carried out by both public and private entities. These evaluations require going through different phases ranging from internal/operational matters, through regulations and security measures to be adopted, until finally reaching the preparation of the guide that will serve as the basis for the treatment of personal data that will be involved in the development of the activities carried out by the company.

Finally, and from the previous phases, the risk analysis that involves the development of the project or operation for the treatment of the data, through the phases of its development, is prepared. It should be noted that not only personal data is involved in any project, but other constitutional rights recognized such as the right to honor, self-image and privacy are collaterally achieved.

Implementation of an EIPD

As a corollary, the implementation of an EIPD in each project that a company develops and that involves the use of personal data is necessary to fully comply with local regulations on data protection. In the event that the risks of data collection and processing are high, it should be weighed if the measures developed, manage to minimize them, or if, on the contrary, they also pose a high risk, to which alternative ways of managing the data should be sought. In this way, the law and its postulates comply.

Source: https://www.argentina.gob.ar/sites/default/files/guia_final.pdf

Copyright Protection Will Remain for 50 Years

By Maria Sol Porro. Trademarks Lawyer and University Professor.

“Copyright and Related Rights Law No. 9,739”

The Uruguayan Senate refused to treat as “seriously and urgently” the bill of the Senator of the Independent Party, Pablo Mieres, to increase the term of protection of the economic rights of Uruguayan artists.

The rejected initiative proposed to modify the “Copyright and Related Rights Law No. 9,739” of December 17, 1937, which establishes the moral and patrimonial protection of the works for their authors. This same law was modified by Law Nº 17.616, of January 10, 2003, establishing in its Article 8 the current term of 50 years, which Senator Mieres sought to extend to 70 years with his new proposal.

While Senator Mieres and the traditional parties, that supported his proposal, based this extension on the need to align Uruguay with the world on this issue and make national industries more attractive as the that foreign industries, since the 70-year term is used in the European Union and almost throughout Latin America, the ¨Frente Amplio¨ and different groups of artists and people linked to culture repudiated this proposal, claiming that it would harm the access to cultural heritage and the right of access to culture.

In this context, the topic is going to be analyzed by the Committee on Education and Culture, which will have until 2020 to approve it.

Source: ladiaria.com.uy

Reduction in the number of office actions during patent examination

By Marta Garcia

On October 26, 2018, the Uruguayan PTO published Official Notice 5/2018 which establishes a maximum number of two office actions issued during the substantive examination of patent applications and utility models.

This Official Notice, which will enter into force on November 1, 2018, revokes previous Notice 11/2015, which stated that the Patent Office could issue a maximum of three office actions during the examination of patent, utility models and industrial design applications.

Regarding the terms to file a response to the office actions issued during the examination of patent and utility model applications, Notice 5/2018 further establishes that:

– The term to respond to an office action issued during substantive examination will be of 45 days, which can be extended once for an additional 45-day term.

– If after the reply to the office action or within the deadline to answer it, new elements arose, which could affect the patentability, the examiner may issue a further single office action granting a term of 30 days to respond, extendable once for an additional 30-day term. In these cases, the examiner must expressly indicate the new elements causing the issuance of a further office action.

Source: http://www.miem.gub.uy

Parliament debates draft law to join Patent Cooperation Treaty

by Marta Garcia

In March 2017, the Uruguayan government sent a draft law to Parliament to become a member of the Patent Cooperation Treaty (PCT), which is now being discussed before proceeding to vote.

In 2016, the Uruguayan Patent Office (National Directorate of Industrial Property) organized different activities and events to promote and disseminate info regarding the PCT system. Moreover, in previous years, the Uruguayan government had expressed on several occasions its intention to join the PCT. However, until now the necessary steps have not been taken to finally become a PCT member.

The draft highlights the advantages of the PCT system for both applicants and patent offices. For applicants, filing a patent application under the PCT simplifies the process and reduces costs, allows delay of prosecution, and provides the applicant with an international search report, a useful indication of the prior art related to the application.

Regarding the advantages for the national patent offices, the draft points out that PCT applications are easier to process, since formalities already have been assessed during the international phase. Additionally, when a PCT application enters the national phase, the corresponding national office has access to valuable reports from international search authorities, which facilitates the substantive examination stage.

The draft law stresses the fact that the adhesion to the PCT will not increase the number of filed patent applications in Uruguay: the general tendency shows that there is an initial decrease, due to the delay in entering the national phase, which subsequently increases up to the number of applications in the same range as before the implementation of the PCT system.

Additionally, the draft law emphasizes that the implementation of the PCT system willinterfere neither with Uruguayan sovereignty – since each office applies its internal patentability criteria – nor with the use of TRIPS (Trade-Related Aspects of Intellectual Property Rights) agreement flexibilities.

Source: http://www.dnpi.gub.uy

Major Customs operation leads to welfare donation

By Mariano Tabanera

In 2014 an operation was carried out in which two brothers were found smuggling over 700 pieces of clothing from China with well-known trademarks. The pair was caught by the Uruguayan Custom’s Response and Intelligence Group (GRIA). The pieces of clothing were afterwards resold through different Internet websites to the consumer public, either as original or fake products.

The sellers had a warehouse or deposit, and distribution center in Pocitos, a neighborhood in the Capital City of Montevideo, from where the buyers would pick up the items. When the GRIA officers identified this place, a major operation took place, and over 700 infringing products were confiscated, and the perpetrators faced the criminal legal actions included in the Trademarks Act.

Approximately two years later and after a resolution of the Criminal Court of Uruguay, on July 22, 2016, all the infringing products were donated by the Custom’s Authority to the National Rehabilitation Institute; after the removal of all trademarks, logos and devices from the articles. The National Rehabilitation Institute is the Uruguayan authority in charge of the national prison system, which aims to rehabilitate and reintegrate the prisoners into society through specific work and education programs.

This way, in a surprising and successful effort, the infringing products were not destroyed, as happens in most cases but were rather destined to a greater good, while still protecting the rightholder’s intellectual property prerogatives.

Source: http://www.aduanas.gub.uy

Draft Law to become member of the Patent Cooperation Treaty

On July 28, 2016, the Minister of Industry, Energy and Mining of Uruguay, Carolina Cosse, reported that the government intends to submit a draft law for Uruguay to become a member of the Patent Cooperation Treaty (PCT) to the Parliament shortly.

The announcement took place during an event organized by the Uruguayan PTO (DNPI) to inform about the implementation in the following weeks of an online system for the filing of patents and trademarks.

The draft law to adhere to the PCT has not yet been sent to Parliament.

We will keep you informed about any updates as they arise.

Resolution to keep patent applications alive

On January 27, 2016, the Uruguayan National Directorate of Industrial Property (DNPI) published Resolution No. 02/2016, which states that applicants of pending patent applications filed before 2010 will receive an Office Action to clarify to the DNPI whether or not they wish to continue with the prosecution of the applications.

The resolution neither clarifies how the notifications to patent applicants will be implemented nor specifies the deadlines for response. Both aspects are still to be defined by the PTO. However, according to the Regulations to the Patent Law, the period of time to respond to an Office Action is 30 days.

Resolution No. 02/2016 is aimed at reducing the current backlog of examinations for patent applications by identifying those patent applications which are still important to their applicants, and then only those will be examined.

Although the resolution does not explain the consequences to applicants not expressing their interest in a patent application within the deadline that DNPI establishes, according to general rules the PTO is entitled to deem said applications abandoned.

Should you require any further information, please contact us. We will follow the implementation of this resolution closely and will keep you updated regarding any further developments on this matter.

Source: http://www.dnpi.gub.uy