Privacy & Cybersecurity Law Blog

On August 21, 2012, the European Commission formally approved Uruguay’s status as a country providing “adequate protection” for personal data within the meaning of the European Data Protection Directive (Article 25(6) of Directive 95/46/EC). This follows the Article 29 Working Party’s earlier favorable Opinion issued in 2010, and takes into account certain interpretative assurances and clarifications provided by Uruguay. Accordingly, transfers of personal data from the EU to Uruguay may now take place without additional intergovernmental guarantees and in accordance with applicable data protection provisions.

The Article 29 Working Party’s Opinion was issued pursuant to an official request Uruguay filed with the European Commission in October 2008. While the Article 29 Working Party’s Opinion is an important step toward adequacy, the European Commission must make the formal decision whether the Uruguayan legal framework provides an adequate level of data protection under EU data protection law. That said, the European Commission does take the Article 29 Working Party’s Opinion into account when determining whether to issue an “adequacy decision.”

Under the EU Data Protection Directive, transfers of personal data to countries outside of the European Economic Area that are not considered to provide an “adequate” level of data protection are subject to very strict conditions. To date, the European Commission has recognized the adequacy of Andorra, Argentina, the Canadian Personal Information Protection and Electronic Documentation Act, Faeroe Islands, Guernsey, Israel, Jersey, the Isle of Man, Switzerland and the U.S. Department of Commerce Safe Harbor Privacy Principles.