Abstract

This essay discusses the legal data privacy issues faced when doing business with a European Union (EU) member or a GDPR-compliant country that is not a member of the EU. The EU data transfer requirements are briefly explained, followed by a description of the South American nations that are General Data Protection Regulation (GDPR)-compliant or near GDPR-compliant, including Argentina, Brazil, Chile, and Uruguay. The paper discusses whether the United States or any of the states in the Union can be considered by the European Commission (EC) to be an adequate country, and the impacts of the United States not being an adequate country. It also covers the former United States Privacy Shield (Shield) and its predecessor, the International Safe Harbor Privacy Principles (ISHPP), both of which were invalidated by the EC. Although the United States and the EU recently announced the Trans-Atlantic Data Privacy Framework (TADPF), the EC is anticipated to invalidate this framework. It is recommended that companies employ the pre-approved standard contractual clauses (SCCs) as the least risky way to assure personal data privacy. The paper then turns to the issues involved in leveraging existing privacy policies. In this regard, the United States' sectoral approach to privacy is examined, and the leverage issues that exist when interacting with GDPR-compliant countries are considered. Two lists of recommendations are presented, the first being more general-purpose and the second more specific. The paper concludes by observing that a firm should analyze the privacy laws under which it is covered, select the most inclusive policies and procedures so that the company is compliant with the GDPR and with state and federal sectoral laws, and implement the resulting conservative privacy framework.
