Commission Decision

of 30 June 2003

pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data in Argentina

(Text with EEA relevance)

(2003/490/EC)

THE COMMISSION OF THE EUROPEAN COMMUNITIES,

Having regard to the Treaty establishing the European Community,

Having regard to Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data(1), and in particular Article 25(6) thereof,

Whereas:

(1) Pursuant to Directive 95/46/EC Member States are required to provide that the transfer of personal data to a third country may take place only if the third country in question ensures an adequate level of protection and if the Member States' laws implementing other provisions of the Directive are complied with prior to the transfer.

(2) The Commission may find that a third country ensures an adequate level of protection. In that case, personal data may be transferred from the Member States without additional guarantees being necessary.

(3) Pursuant to Directive 95/46/EC the level of data protection should be assessed in the light of all the circumstances surrounding a data transfer operation or a set of data transfer operations, and giving particular consideration to a number of elements relevant for the transfer and listed in Article 25(2) thereof. The Working Party on Protection of Individuals with regard to the processing of Personal Data, established under Article 29 of Directive 95/46/EC, issued guidance on the making of such assessments(2).

(4) Given the different approaches to data protection in third countries, the adequacy assessment should be carried out, and any decision based on Article 25(6) of Directive 95/46/EC should be made and enforced in a way that does not arbitrarily or unjustifiably discriminate against or between third countries where like conditions prevail, nor constitute a disguised barrier to trade, regard being had to the Community's present international commitments.

(5) As regards Argentina, the legal standards on the protection of personal data have been provided for in general and sector-specific rules. Both of them have binding legal effect.

(6) General rules are laid down in the Constitution, the Personal Data Protection Act No 25.326 and the Regulation approved by Decree No 1558/2001 (hereinafter "Argentine Law").

(7) The Argentine Constitution provides for a special judicial remedy for the protection of personal data, known as "habeas data". This is a subcategory of the procedure enshrined in the Constitution for the protection of constitutional rights and therefore makes the protection of personal data a fundamental right. According to Article 43.3 of the Constitution any person is entitled, under the "habeas data" rule, to know the content and purpose of all the data pertaining to him or her contained in public records or data banks, or in private ones whose purpose is to provide reports. According to that Article in case of falsehood of information or its use for discriminatory purposes, a person will be able to demand the deletion, correction, confidentiality or update of the data contained in the above records. The Article will not affect the secrecy of journalistic information sources. Argentine jurisprudence has recognised "habeas data" as a fundamental and directly applicable right.

(8) The Personal Data Protection Act No 25.326 of 4 October 2000 (hereinafter "the Act") develops and widens the Constitutional provisions. It contains provisions relating to general data protection principles, the rights of data subjects, the obligations of data controllers and data users, the supervisory authority or controlling body, sanctions, and rules of procedure in seeking "habeas data" as a judicial remedy.

(9) The Regulation, approved by Decree No 1558/2001 of 3 December 2001 (hereinafter "the Regulation"), lays down rules for the enactment of the Act, supplements its provisions, and clarifies points of the Act that may be subject to diverging interpretation.

(10) Argentine Law covers the protection of personal data recorded in data files, registers, data banks or other technical means, which are public; and the protection of personal data recorded in data files, registers, data banks or other technical means which are private, whose purpose is to provide reports. This includes those which go beyond an exclusively personal use, and those which are intended for the assignment or transfer of personal data, irrespective of whether the circulation of the data or information produced is performed for payment or free of charge.

(11) Certain provisions of the Act apply uniformly throughout Argentina. They include general provisions and provisions concerning general data protection principles, rights of the data subjects, obligations of data controllers and users of data files, registers and data banks, criminal sanctions, and the existence and main features of the "habeas data" judicial remedy as established in the Constitution.

(12) Other provisions of the Act apply to registers, data files, databases or data banks which are interconnected through networks at inter-jurisdictional (meaning "interprovincial"), national or international level, and which are considered as falling within federal jurisdiction. They concern the control exercised by the supervisory authority, sanctions imposed by the supervisory authority, and the rules of procedure concerning the "habeas data" judicial remedy. Other kinds of registers, data files, databases or data banks should be regarded as falling under provincial jurisdiction. The provinces may issue legal provisions on these matters.

(13) Data protection provisions are also contained in a number of legal instruments regulating different sectors, such as credit card transactions, statistics, banking or health.

(14) Argentine Law covers all the basic principles necessary for an adequate level of protection for natural persons, even if exceptions and limitations are also provided in order to safeguard important public interests. The application of these standards is guaranteed by a special, simplified and quick judicial remedy for the protection of personal data, known as "habeas data", along with the general judicial remedies. The Act provides for the establishment of a data protection controlling body charged with taking all actions necessary for compliance with the objectives and provisions of the Act and endowed with powers of investigation and intervention. Pursuant to the Regulation, the National Directorate for the Protection of Personal Data was established as the controlling body. Argentine Law provides for effective dissuasive sanctions, of both an administrative and a criminal nature. Furthermore, the provisions of Argentine law regarding civil liability (both contractual and extra-contractual) apply in the event of unlawful processing which is prejudicial to the persons concerned.

(15) The Argentine government has provided explanations and assurances as to how the Argentine law is to be interpreted, and has given assurances that the Argentine data protection rules are implemented in accordance with such interpretation. This Decision is based on these explanations and assurances, and is therefore conditional upon them. In particular, this decision relies on the explanations and assurances given by the Argentine authorities as to how the Argentine law is to be interpreted as regards which situations fall within the scope of the Argentine law in data protection.

(16) Argentina should therefore be regarded as providing an adequate level of protection for personal data as referred to in Directive 95/46/EC.

(17) In the interest of transparency and in order to safeguard the ability of the competent authorities in the Member States to ensure the protection of individuals as regards the processing of their personal data, it is necessary to specify the exceptional circumstances in which the suspension of specific data flows may be justified, notwithstanding the finding of adequate protection.

(18) The Working Party on Protection of Individuals with regard to the processing of Personal Data established under Article 29 of Directive 95/46/EC has delivered an opinion on the level of protection of personal data in Argentina(3), which has been taken into account in the preparation of this Decision.

(19) The measures provided for in this Decision are in accordance with the opinion of the Committee established under Article 31(1) of Directive 95/46/EC,

HAS ADOPTED THIS DECISION:

Article 1

For the purposes of Article 25(2) of Directive 95/46/EC, Argentina is regarded as providing an adequate level of protection for personal data transferred from the Community.

Article 2

This Decision concerns only the adequacy of protection provided in Argentina with a view to meeting the requirements of Article 25(1) of Directive 95/46/EC and does not affect other conditions or restrictions implementing other provisions of that Directive that pertain to the processing of personal data within the Member States.

Article 3

1. Without prejudice to their powers to take action to ensure compliance with national provisions adopted pursuant to provisions other than Article 25 of Directive 95/46/EC, the competent authorities in Member States may exercise their existing powers to suspend data flows to a recipient in Argentina in order to protect individuals with regard to the processing of their personal data in cases where:

(a) a competent Argentine authority has determined that the recipient is in breach of the applicable standards of protection; or

(b) there is a substantial likelihood that the standards of protection are being infringed; there are reasonable grounds for believing that the competent Argentine authority is not taking or will not take adequate and timely steps to settle the case at issue; the continuing transfer would create an imminent risk of grave harm to data subjects and the competent authorities in the Member State have made reasonable efforts in the circumstances to provide the party responsible for processing established in Argentina with notice and an opportunity to respond.

The suspension shall cease as soon as the standards of protection are assured and the competent authority concerned in the Community is notified thereof.

2. Member States shall inform the Commission without delay when measures are adopted on the basis of paragraph 1.

3. The Member States and the Commission shall inform each other of cases where the action of bodies responsible for ensuring compliance with the standards of protection in Argentina fails to secure such compliance.

4. If the information collected under paragraphs 1, 2 and 3 provides evidence that any body responsible for ensuring compliance with the standards of protection in Argentina is not effectively fulfilling its role, the Commission shall inform the competent Argentine authority and, if necessary, present draft measures in accordance with the procedure referred to in Article 31(2) of Directive 95/46/EC with a view to repealing or suspending this Decision or limiting its scope.

Article 4

1. This Decision may be amended at any time in the light of experience with its functioning or of changes in Argentine legislation, its implementation and interpretation.

The Commission shall monitor the functioning of this Decision and report any pertinent findings to the Committee established under Article 31 of Directive 95/46/EC, including any evidence that could affect the finding in Article 1 of this Decision that protection in Argentina is adequate within the meaning of Article 25 of Directive 95/46/EC and any evidence that this Decision is being implemented in a discriminatory way.

2. The Commission shall, if necessary, present draft measures in accordance with the procedure referred to in Article 31(2) of Directive 95/46/EC.

Article 5

Member States shall take all the measures necessary to comply with this Decision at the latest at the end of a period of 120 days from the date of its notification to the Member States.

Article 6

This Decision is addressed to the Member States.

Done at Brussels, 30 June 2003.

For the Commission

Frederik Bolkestein

Member of the Commission

(1) OJ L 281, 23.11.1995, p. 31.

(2) Opinion 12/98, adopted by the Working Party on 24 July 1998: Transfers of personal data to third countries: applying Articles 25 and 26 of the EU Data Protection Directive (DG MARKT D/5025/98), available on Europa, the website hosted by the European Commission:

http://europa.eu.int/comm/ internal_market/en/dataprot/wpdocs/ wpdocs_98.htm.

(3) Opinion 4/2002 on the level of protection of personal data in Argentina - WP 63 of 3 October 2002 available at

http://europa.eu.int/comm/ internal_market/en/dataprot/wpdocs/ index.htm.