After the Government of the USA announced a bilateral trade agreement with Argentina on Thursday of last week, one of the points that put digital law specialists on alert was the “cross-border data transfer including personal data.” What does it mean and what impact can it have for Argentine citizens?
Although for now little is known about this declaration of intent and the “fine print” has not yet transcended, what was signed points to a sensitive topic of the digital economy: personal data. The aim is to establish a legal framework that allows the circulation without regulatory obstacles of customer databases, commercial operations and personal data.
For companies, this defines whether they can operate platforms, cloud services or artificial intelligence tools. with fewer regulations and bureaucratic layers. But, at the same time, it has a side that affects citizens, because it determines under what rules their data travels and which country guarantees its protection once they leave the national territory.
Beyond the fact that the announcement is oriented towards trade, it also raises questions about how regulatory models will be compatible and what guarantees users will have, especially considering that the United States does not have a federal regulatory standard of personal data.
Clarion contacted the Agency for Access to Public Information (AAIP) and the National Directorate for Personal Data Protectionto understand what this point of the agreement means. However, neither of the two entities responded to the request for a comment to find out their position and clarify doubts about the possible consequences for citizens.
Also consulted was the United States Embassy in Argentinawhich, at the time of publication of this article, did not prepare a response. As this media learned, they would not comment on any section of the announcement until the final details are known.
Those who expressed questions and pointed out potential problems were specialists in the field of law and personal data.
Personal data: the relationship with the US today
“Personal data” are those that allow a citizen to be identified and individualized, such as name, surname, address or telephone number, email and biometric data. These are direct identifiers.
But there are also indirect identifiers that, in the discussion about online surveillance carried out by large technology companies such as Amazon, Meta, Google and Microsoft, allow us to reconstruct a user: cookies, search histories, navigation by algorithms on networks and more, which allow us to build a online person based on usage and consumption patterns: no data says that a citizen lives at a specific address, but they are unique in the sense that they allow us to build a online profile. GDPRwhich is the European regulatory standard, considers them personal data.
In its section on digital trade, the White House text states: “Argentina committed to facilitating digital commerce with the United States by recognizing the United States as an appropriate jurisdiction, under Argentine law, for the cross-border transfer of data, including personal data, and not applying discrimination against US digital services or products.”
How is the use of personal data regulated today? “Our Personal Data Protection Law (25,326) is based on a fairly simple rule: as a general principle, personal data cannot be transferred to countries that do not offer an adequate level of protection,” Lucas Barreiro, a lawyer specializing in personal data protection, explains to this medium.
“Countries that do have that ‘adequate status’ can receive data from Argentina without special restrictions, because it is understood that their level of protection is equivalent to ours. Adequacy decisions are usually adopted by the data protection authority of each country; in our case, the Agency for Access to Public Information. Now, when a country is not considered “adequate”there the law requires complementary guarantees so that the transfer is legal,” he warns.
This is the current situation until the adequacy decision is formalized: The United States is not considered a suitable country for these exchanges.
“If an Argentine company wants to transfer personal data to another company located, for example, in Texasthen you have to implement additional safeguards or verify if the operation falls within any of the exceptions provided for in the law,” Barreiro exemplifies.
The intention of the agreement presented last week will try to make the United States and Argentina have a direct flow of this data: “Once this adequacy decision becomes effective, the scenario changes. Those responsible established in the United States will no longer be required to provide additional guarantees to receive personal data from Argentina. This will mean the elimination of a regulatory barrier that makes it easier for companies to transfer personal data to any part of the United States, simplifying contracting and promoting commercial traffic”.
One difficulty: the US does not have a national personal data law
Pablo Palazzi, director of the CETYS of the University of San Andrés and partner of the Allende & Brea studio, believes that “the agreement can be very positive for the country and its economy”, although he warned that “we will have to see the fine print once it is implemented, because there may be many variants on how to do it.”
Regarding the protection of personal data, Palazzi recalled that, as a regulatory framework, “Argentina has followed for a quarter of a century the European data protection system“, based on Law 25,326, approved in 2000.
In fact, Argentina was the first country in the region to be considered “adequate” by the European Union and to allow the free transfer of data from Europe to Argentina. “Later, the EU also recognized Uruguay and Brazil a few months ago,” added the specialist, who wrote a thesis 25 years ago, titled “The international transmission of personal data and the protection of privacy,” on this problem.
But data protection in the United States has a particularity that is not minor: There is no federal law on the protection of personal data. In a country that is “more focused on innovation and technology, and less regulation.” “In the United States, only 20 of the 50 states have general privacy laws and there is still no federal law, so more things are allowed to be done with personal data, including AI, without any limits, unlike Europe, where the restrictions are greater,” he explained.
Daniel Monastersky, a lawyer specializing in personal data protection, was one of the first to point out this point as soon as the news broke: “When an Argentine citizen transfers their data through a digital platform, they could end up in California (where there is robust regulatory oversight, independent authorities, and significant sanctions for non-compliance) or they could end up in any other US state where there is practically no protection,” he told Clarion.
And he called for a correction: “The current Framework would allow both scenarios to be treated as equivalent. That is imprecise. That is unfair. And precisely for that reason, the window to correct it is open now.”
This, for Beatriz Busaniche, president of the Vía Libre Foundationrepresents a problem of asymmetry: “Argentina has a national data protection law, but the United States does not have equivalent federal regulation. California has very robust regulations, but most states do not. So how is that harmonized?” he asks.
“Many times they tell me: ‘Well, if Google already has all our data‘. But this type of agreement enables something different: they make transparent and facilitate the transfer of much more sensitive data (medical, financial, insurance and consumer) to a jurisdiction where we will be completely unprotected. And that data is very valuable, especially for doctors,” he says in dialogue with this medium.
“In any case, the entire content of the agreement It is for the benefit of Washington, I don’t think we have any benefitthe relationship that arises is totally and absolutely asymmetrical,” he closes.
Tomás Pomar, lawyer, member of the Argentine Computer Law Observatory (ODIA), believes that there is a fundamental issue of underlying sovereignty. “The discussion about data traffic in today’s world is a discussion of political and technological sovereignty. I think the biggest mishap is that under the title of ‘Digital Commerce’ they are discussing human rights: it is a mercantilist view of data protection, which goes against the discussions that have taken place in the world, for 15 years now with the case of Edward Snowden”.
Snowden revealed in 2013 how the NSA and other US intelligence agencies used the global digital infrastructure to collect massive information on citizens and governments, often without effective judicial control. His case established the idea that data is a nerve center of the sovereignty of nations: who controls it, who accesses it and with what limits, even with cases of abuse by the State itself.
“Added to this is another uncomfortable element: the United States maintains surveillance standards very intrusive. It is true that during the Biden administration some limits and control mechanisms were introduced, but in no way can we say that it is a privacy paradise,” adds Barreiro.
“And not to mention that the weakest point of something like this is that an agreement of this type It has to go through Congress”, closes Pomar.
Clarion was able to know that the adequacy decision, under the orbit of the AAIP, is going to be made: “The Agency was left in a complicated place and I don’t think they will raise objections: they are going to throw it over their heads and, at the end of the day, they are going to have to approve it,” said a source close to the case.
It remains to know the fine print to understand how this can benefit or harm Argentine citizens, but the doubts of those who have been working on these issues for more than 20 years are raised.