The following article was written by Gabriela Szlak, Luciano N. Gutman and Delfina Bianchi and published in the Latin American Digest of the IAPP (International Association of Privacy Professionals). The original version in Spanish can be read here.
Nearly five years after its signature, on January 10th, 2026, the MERCOSUR E-Commerce Agreement entered into force. This instrument was designed to promote a legal framework that facilitates the development of regional e-commerce by harnessing its economic potential and the opportunities it provides.
Beyond this primary goal, the Agreement also focuses on the protection of users’ personal data, establishing that the signatory countries must adopt or maintain regulatory mechanisms that protect the personal information of individuals participating in e-commerce. In doing so, they must take into consideration international standards, promote security and transparency in data processing, and establish “(…) common measures for the protection and free flow of data within MERCOSUR”.
In this regard, the Agreement has an impact on two aspects of particular relevance in the field of personal data protection: direct commercial communications and international data transfers.
With respect to unsolicited direct commercial communications, the signatory countries undertake to ensure that such communications are not sent to consumers without their prior consent (opt-in). Additionally, as an exception, companies are permitted to send unsolicited direct commercial communications relating to their own and similar products or services where the contact details were obtained in the context of a previous sale (soft opt-in). The Agreement also requires that unsolicited messages be clearly identifiable as commercial communications and include mechanisms allowing recipients to request the cessation of such communications free of charge at any time (opt-out), thereby reinforcing principles of transparency and consumer control. All these standards are aligned with those set forth in Article 10.52 of the MERCOSUR–European Union Trade Agreement and in Directive 2002/58/EC of the European bloc (known as the ePrivacy Directive).
From a systematic perspective, the Agreement consolidates prior consent as the legal basis for direct commercial communications, except for the aforementioned soft opt-in exception. This is complemented by the requirement to identify commercial communications and to provide mechanisms allowing recipients to object, leaving a certain margin for the States to define the conditions for the lawfulness of direct marketing in the digital environment. Nevertheless, a strict interpretation of the terms of the Agreement could pose challenges for the Argentine legal framework.
Although Argentina’s current Personal Data Protection Law establishes consent (opt-in) as the general rule for direct commercial communications, in line with the Agreement, certain ancillary regulations have opened the door, in some cases, to the sending of unsolicited advertising. For instance, the regulatory decree implementing the Law allows the processing of personal data for advertising purposes without the prior consent of the data subject, provided that the data are limited to the creation of generic profiles of the data subjects and to what is strictly necessary for sending advertising to them, and provided that recipients are offered the possibility to unsubscribe from the distribution database (opt-out). This consent exception could be considered problematic in light of a strict interpretation of the commitments undertaken by Argentina under the Agreement.
With regard to international transfers of personal data, the Agreement seeks to guarantee the free flow of information when such transfers are necessary for the conduct of commercial activities among the countries of the bloc, and provided that the importing countries maintain legal frameworks aligned with international standards that ensure adequate levels of protection. Therefore, the instrument encourages the free circulation of information within MERCOSUR, whether through adequacy decisions or international agreements between the countries, or through the implementation by the private sector of self-regulatory mechanisms or other contractual commitments. Argentina and Uruguay, for example, mutually recognize each other as adequate countries and have also adopted the model contractual clauses of the Ibero-American Data Protection Network.
This Agreement reflects the country’s broader commitment towards a dynamic and integrated digital economy, while upholding high standards for the protection of its citizens’ personal data.
Gabriela Szlak T° 79 F° 516 C.P.A.C.F.
Luciano N. Gutman T° 145 F° 535 C.P.A.C.F.
Delfina Bianchi T° 155 F° 376 CPACF
