VOLUME 05 ISSUE 09 SEPTEMBER 2022
Donald L. Buresh, Ph.D., Esq.
Touro University Worldwide
DOI: https://doi.org/10.47191/ijsshr/v5-i9-14
ABSTRACT
This essay discusses the legal data privacy issues faced when doing business with a European Union (EU) member or a GDPR-compliant country that is not a member of the EU. The EU data transfer requirements are briefly explained, followed by a description of the South American nations that are General Data Protection Regulation (GDPR)-compliant or near GDPR-compliant, including Argentina, Brazil, Chile, and Uruguay. The paper discusses whether the United States or any of the states in the Union can be considered by the European Commission (EC) to be an adequate country and the impacts of the United States not being an adequate country. The paper reviews the former United States Privacy Shield (Shield) and its predecessor, the International Safe Harbor Privacy Principles (ISHPP), both of which were invalidated by the EC. Although the United States and the EU recently announced the Trans-Atlantic Data Privacy Framework (TADPF), the EC is anticipated to invalidate this framework. It is recommended that companies employ the pre-approved standard contractual clauses (SCCs) as the least risky endeavor to assure personal data privacy. The paper then turns to the issues involved in leveraging existing privacy policies. In this regard, the United States’ sectoral approach to privacy is examined. The leverage issues that exist when interacting with GDPR-compliant countries are considered. Two lists of recommendations are presented, the first list being more general-purpose, while the second list is specific. The paper concludes by observing that a firm should analyze the privacy laws under which it is covered, select the most inclusive policies and procedures so that the company is compliant with the GDPR and state and federal sectoral laws, and implement the resulting conservative privacy framework.
KEYWORDS: Adequate Country, Data Transfer Requirements, European Commission, General Data Protection Regulation, Standard Contractual Clauses, United States Privacy Shield