JANUARY 12, 2026

Normative Alert: Entry into Force of the MERCOSUR Agreement on Electronic Commerce

Data Privacy & Data Protection – Cybersecurity Department Report | Normative Alert: Entry into Force of the MERCOSUR Agreement on Electronic Commerce.

Dear All,

On January 7, 2026, the Ministry of Foreign Affairs, International Trade, and Worship announced via the Official Gazette the entry into force of the MERCOSUR Agreement on Electronic Commerce (available in Spanish here) (hereinafter, the “Agreement”). This instrument, originally signed in Montevideo on April 29, 2021, was approved by the Argentine Republic through Law No. 27,768 (available in Spanish here). Following the deposit of the instrument of ratification on December 11, 2025, the Agreement entered into force on January 10, 2026, as provided for in the relevant resolution.

The Agreement establishes a common legal framework to foster electronic commerce among the States Parties, promoting clarity and legal certainty in digital transactions.

Impact on Personal Data Protection

The most significant modifications and principles introduced by the Agreement include:

- Personal data protection (Article 6): The Parties commit to adopting or maintaining laws, regulations, or administrative measures for the protection of users’ personal information. It expressly recognizes individuals’ rights to access, rectify, and erase their data. Furthermore, it promotes the use of security mechanisms for personal information, as well as its dissociation or anonymization when such data is provided to third parties.

- Unsolicited direct commercial communications (Article 10): The Agreement establishes that:

  - Commercial communications must not be sent to consumers who have not given their consent.

  - Commercial communications may be sent to consumers whose contact details were obtained in the context of the sale of a product or service, provided that such communications relate to the sender’s own similar products or services.

  - Such communications must be clearly identifiable and must offer a free and simple mechanism allowing users to request the cessation of such communications at any time.

- Cross-border transfer and data localization (Articles 7 and 8): Each Party shall permit the cross-border transfer of information for commercial activities and may not require the location of computing facilities within its territory as a condition for conducting business. Storing data in facilities located outside the national territory is recognized as an international transfer subject to the data protection standards established in the Agreement.

We remain at your disposal for any further information you may require.

Yours sincerely,

Emilio Beccar Varela

Florencia Rosati

Andrea Sánchez Vicentini