Uruguay Achieves Adequacy Under EU Regulations

On 21 August 21, 2012, the EU Commission finally recognized Uruguay’s legal framework as providing “adequate protection” for personal data under the EU Data Protection Directive 95/46/EC, in a decision on 23 August 2012. This comes almost two years after the EU Article 29 Working Party delivered a favourable opinion on the country’s data protection regime:

“The legal data protection standards applicable in the Eastern Republic of Uruguay cover all the basic principles necessary for an adequate level of protection for natural persons, and also provide for exceptions and limitations in order to safeguard important public interests. These legal data protection standards and the exceptions reflect the principles laid down by Directive 95/46/EC.”

Uruguayan Context

The data protection framework in Uruguay is mostly based on the standards set out in Directive 95/46/EC and are laid down in Act No. 18.331 on the Protection of Personal Data and Habeas Data Action of 11 August 2008. This Act is complemented by Decree No. 414/009, which details the regulation, powers and functioning of the data protection supervisory authority.

The Response

According to Uruguay’s presidential website,

“In Europe, personal data protection is ruled by [the EU Data Protection] Directive [95/46/EC] stating that EU member states can only transfer their citizens’ data to third countries that have established a level of protection, and Uruguay has reached this stage.”

The Uruguayan independent regulator – known as the Unit for the Regulation and Control of Personal Data (or Unidad Reguladora y de Control de Datos Personales; URCDP) – responded positively:

“To achieve this distinction, Uruguay has had to prove the competent authorities, the appropriate adoption and compliance with the provisions on protection of personal data. It’s a recognition of Uruguay as a country in a position to take on the challenge of complying with the controls required by the European Union on the use of personal data and the work carried out by the URCDP. [This will favor] the increase in investments in different sectors in the country.”

This adequacy finding means that EU member states can freely transfer personal data to Uruguay without additional guarantees. “This is a much expected decision and another reminder of the interesting developments taking place outside the EU,” said Eduardo Ustaran, Partner at Field Fisher Waterhouse LLP. “Uruguay and its privacy authority have been working hard to get this right, so full credit must be given to them. In particular, Uruguay’s approach to international data transfers make something like Binding Corporate Rules (BCRs) very useful for global organizations.”

This is a significant milestone for Uruguay, one that both confirms the G29 pronouncement issued in 2010, while at the same time reinforcing the approval of regulations and national actions that guarantee the protection of the fundamental human right of privacy, an essential component in any technological and globalized society.

Under the EU Data Protection Directive, transfers of personal data to countries outside the European Economic Area that are not considered to provide an “adequate level” of data protection are subject to stringent privacy conditions. Currently, the EC has recognized adequacy in the privacy frameworks of the following: Andorra, Argentina, the Canadian Personal Information Protection and Electronic Documentation Act (PIPEDA), Faeroe Islands, Guernsey, Israel, Jersey, the Isle of Man, Switzerland, and the US Department of Commerce Safe Harbor Privacy Principles.


In August 2012, the European Parliament and the Council on adequate protection of personal data deemed that Uruguay’s data protection framework is at an adequate level, meaning that it meets or exceeds the requirements stipulated in the EU’s Data Protection Directive 94/46/EC. The adequacy finding means the EU member states can freely transfer personal data to Uruguay without additional guarantees.

CIPP Exam Preparation

In preparation for the Certified Information Privacy Professional/European Privacy (CIPP/E) exam, a privacy professional should be comfortable with topics related to this post, including:

  • European Parliament (I.B.c.)
  • European Commission (I.B.d.)
  • EU Data Protection Directive 95/46/EC (I.C.b.)
  • International data transfers – safe jurisdictions (II.I.b.)
  • Article 29 Working Party (II.J.b.)

Leave a Reply




You can use these HTML tags

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>