This post was also written by Nick Tyler.

Having hosted and won the very first ‘soccer’ World Cup in 1930, and then having won it again twenty years later, Uruguay belongs to a very exclusive band of multiple-World Cup winning countries. Having reached the semi-finals of this year’s tournament (for the fifth time in total), this relatively small South American republic has a proud and enviable record as one of the most successful footballing nations.

This year is fast proving to be significant for Uruguay for more serious reasons than national sporting prowess (more serious that is if you do not subscribe to the philosophy of Liverpool FC’s legendary manager, Bill Shankly: “Some people think football is a matter of life and death. I assure you, it’s much more serious than that.”)

On 12 October the Article 29 Working Party of European data protection regulators issued an opinion approving Uruguay’s admission into another exclusive club—the list of countries that provide an ‘adequate level of protection’ within the meaning of Article 25(6) of European Data Protection Directive 95/46/EC.  The Article 29 Working Party’s opinion was issued after a two-year review process and is a pre-requisite to approval by the European Commission. Barring any unforeseen political hitches, as befell Israel’s bid for ‘adequacy’ earlier this year, such approval should follow.

Some background points to note about Uruguay’s data protection regime:

  • The relevant legislation consists of:
    • Law No. 18.331 of 11 August 2008, on the Protection of Personal Data and “Habeas Data” Action (abbreviated as LPDP in Spanish); and
    • Regulating Decree of 31 August 2009, developing LPDP (DPDP).
  • LPDP is comprehensive in its scope and reach, covering all sectors of activity.
  • The independent supervisory authority is called the Unit for Regulation and Control of Personal Data (URCDP in Spanish).
  • Together with the Unit for Access to Public Information (UAIP) URCDP forms the Agency for the Development of Electronic Government and the Knowledge-Based Society (AGESIC in Spanish).
  • URCDP operates a permanent register of databases.
  • URCDP has power to impose sanctions ranging from a warning and a fine to suspension of any database.
  • Article 8 of DPDP contains data breach notification requirements.
  • Article 15 of LPDP provides a right of correction to “every natural or legal person”.
  • In the case of any denial of the rights of subject access and correction, Article 38 of LPDP provides for an action or writ of habeas data, also exercisable on behalf of deceased persons.

The concept of Habeas data does feature in a number of other Latin American countries’ constitutions but, unlike those of Argentina and, imminently, Uruguay, these have not achieved the vaunted status of EU-approved ‘adequate’ data protection regimes.