EU and Mercosur strike first trade agreement : a tech and data protection perspective

By Jose Belo (Data Protection and Privacy Senior Consultant, Exigo s.a.)

The European Union is the first major partner to strike a deal with Mercosur (Brazil, Paraguay, Argentina and Uruguay). It is also the largest trade agreement ever signed by the EU, which creates a 780 million people market and 4 billion EUR in savings at the border for EU companies.

This “new” market can and should be a priority for EU tech companies, as there seems to be space for these type of companies to be contemplated in the trade agreement, even if it’s in the non-discrimination of EU companies, especially in Government contracts.

In data protection terms, this has major implications. Argentina has adequacy status so Argentina is a market where GDPR compliant companies could take advantage of the adequacy status of the country, to do all the cross-border transfers needed.

Brasil has just enacted its first data protection law, the LGPD. Although not completely equal to the GDPR, the principles are, in essence, the same. And the aim of Brazil to approach its data protection law to the GDPR is obvious. The trade agreement now becomes essential for the EU’s decision on adequacy, which has become a necessity with the trade deal. With Brazil gaining adequacy, it’s to be expected that tech companies can more easily enter the Brazilian market, without may changes to their already done GDPR compliances.

Uruguay, on the other hand, has established itself firmly in tech terms. The Government’s Uruguay Digital 2020 agenda has been the cornerstone of the country’s move into technology. Based on four pillars, Uruguay’s tech play is focused on public and private sector equally, through social policies, using technology to make the citizen-State relationship easier but also focusing on how to make Uruguay a competitive country in tech.

Paraguay, when it comes to data protection, has been the less active of the four countries. However, a bill similar to the Data Retention Directive was refused by Parliament, who voted against it, with the reasoning to dismiss it very similar to the ECJ’s Digital Rights Ireland decision, showcasing an interest in data protection that is seldom seen in many EU countries, for instance, who remain with the law that transposes the Data Retention Directive to national legislation in force.

With the advent of 5G, a look into what is happening in these countries is also warranted.

Brasil’s telecom operators have all said that 5G isn’t a priority right now, fully aware of the low radius coverage of each tower and the investment needed to cover such a huge country. For Brasil, 5G will start to be deployed commercially in 2021, but there is no certainty on the date.

Uruguay, on the other hand, has understood the gamechanging promise of 5G and has become the first country in South America to deploy 5G commercially, through a partnership between ANTEL and Nokia.

Although still in a limited area (Maldonaldo and Colonia), the partnership between Europe and South America is evident, as Nokia and ANTEL have been having a successful parternship for a long time.

Argentina is also trying to move fast into 5G, having already done a public test.  Lab condition tests delivered a speed of 22 Gigabits per second, clearly making a point on the need for 5G, when compared to 4G.

Argentina’s Movistar and Ericsson have reached an agreement and have done testing back in 2017. However, like many of its neighboring countries, deployment is going to be phased, due to the low-radius coverage of 5G stations, when compared to 4G, and the inherent costs the need for more 5G stations brings.

Paraguay reached an agreement with Ericsson, which has commited to “expand TIGO’s existing network and modernize the existing 2G/3G and 4G sites, making the network the best fit for TIGO to deliver 5G and IoT services in the future.

With the GDPR and the data protection laws in each country, questions regarding cross-border transfers, proper safeguards could become an issue for companies.

Also, with a market this large, a company should take great care in the way they deal with personal data, taking into consideration jurisdiction issues that may arise. As such, and having experience in these specific markets, proper due diligence and proactive measures to reduce risk and exposure to supervisory authorities should be at the forefront of any expansive business plan.