Data Protection Regulations in Latin America
The EU’s General Data Protection Regulation (GDPR) has created a domino effect across the world as its biggest trade partners rushed to align their existing data protection legislations to its strict requirements or passed new laws based on its example, in hopes of ensuring business operations with the European block will continue to run smoothly. The push for legislation came in the aftermath of a number of high profile data breaches that brought data privacy into the limelight.
In Latin America, most countries enacted data protection laws prior to the emergence of the GDPR and were generally tailored after its predecessor, the European Data Protection Directive of 1995. This means that, much like the Directive itself, they no longer address present day data protection concerns and must be updated both for the sake of Latin American data subjects and the facilitation of cross-border data transfers to and from the EU.
Brazil has so far taken the most significant step in this direction. In August 2018, it passed a comprehensive new general data protection law, the Lei Geral de Proteção de Dados (LGPD), modelled after the GDPR. The LGPD replaced over 40 often contradicting norms that previously governed personal data privacy in Brazil.
Many other countries in Latin America are looking to adjust their existing regulations to conform to the new international legislative context ushered in by the GDPR:
The main data protection legislation in Mexico is the Ley Federal de Protección de Datos Personales en Posesión de los Particulares or Federal Law on Protection of Personal Data Held by Individuals (LFPDPPP). The law came into force in July 2010 and was followed in December 2011 by secondary regulations that clarified the obligations of personal data controllers under the LFPDPPP.
A set of guidelines for privacy notices was issued in April 2013 with a series of recommendations on personal data security following only six months later in November 2013 and the parameters for self-regulation regarding personal data in May 2014. A new law regulating data protection for entities benefitting from public funds, the Ley General de Protección de Datos Personales en Posesión de Sujetos Obligados or General Law for the Protection of Personal Data in Possession of Obligated Subjects entered into force in January 2017.
While Mexico has so far not taken any steps to align its existing legislation to the GDPR, it has recently adhered to the European Convention for the Protection of Individuals Regarding Automatic Processing of Personal Data (Convention 108) and its Additional Protocol regarding supervisory authorities and transborder data flows. Countries that have ratified Convention 108 are obligated to incorporate provisions regarding the processing of personal information into domestic law principles.
The protection of personal data is considered a fundamental right under the Peruvian Constitution. The Ley de Protección de Datos Personales or Law for Personal Data Protection No. 29733 was based on this key constitutional principle and was enacted in June 2011. However, it only came into force nearly two years later, in March 2013, when the Supreme Decree No. 003-2013-JUS approved its implementation regulation that included the rules that would govern the protection and safeguarding of data subjects’ rights and the obligations companies processing data would have to comply with.
A legislative reform was approved in 2017 which introduced a new classification for data breaches and infringements of data protection regulations.
The right to intimacy and data protection are guaranteed under the Colombian Constitution. They are regulated through Law 1581/2012 and Decree 1377/2013 which govern the protection of data subjects’ rights and the obligations that fall to entities collecting and processing data.
Law 1266/2008 governs the protection of credit reporting information, while Law 1273/2009 establishes a series of criminal offenses in relation to personal data such as disclosure or sale of personal data.
The Superintendence of Industry and Commerce (SIC) which acts as Colombia’s Data Protection Authority, recently created a list of countries that it deemed to have adequate measures of protection for cross-border data transfers under Law 1581. Among the countries on the list are some that have yet to receive an adequacy decision from the European Commission such as South Korea, Australia and Costa Rica.
Chile was the first South American country to pass a comprehensive data protection legislation, Law No. 19.628 On the Protection of Private Life, in 1999 and, in 2018, the National Congress of Chile amended article 19 of the Constitution to include the protection of personal data as an individual right. However, Law No. 19.628 which defines what personal data is and how it should be processed by third parties, does not cover the processing of information through digital media and does not put any proper supervisory mechanisms in place.
As a consequence, at present time, Chile does not have a data protection authority dedicated to the enforcement of its data protection legislation, but a bill to modify Law 19.628 to include provisions regarding the protection and processing of personal data and the creation of a data protection authority has been put forward. It received the general approval of the Senate in April 2018 but still has to pass rounds of discussions in both houses before it can become law.
Frequently Asked Questions
- Educating employees on security best practices
- Creating robust security policies for handling sensitive data
- Encrypting sensitive data
- Ensuring password security
- Introducing identity and access management (IAM)
- Deploying a Data Loss Prevention (DLP) solution
- Applying access controls
- Creating a data breach response plan
The LGPD (Lei Geral de Proteção de Dados) is Brazil’s new data protection law that establishes how the personal data of Brazilian users should be collected, handled, stored, and shared by organizations. The LGPD is similar to the EU’s General Data Protection Regulation (GDPR) and it applies to organizations that offer their services to people in Brazil.
A cross-border data transfer refers to the movement of information between servers across country borders. Cross-border data transfers are increasingly important in the modern global economy and many countries have introduced regulations to control data flows. A cross-border data protection law aims to ensure the safe movement of electronic, personal data around the world.
The number of countries that have enacted data protection laws is constantly growing. Currently, there are more than 120 countries that had put in place legislation to secure the protection of data and privacy. The EU’s General Data Protection Regulation (GDPR), implemented in May 2018, brought data protection into the public eye and onto legislative agendas the world over. Considered a landmark privacy law and a milestone for the digital age, the GDPR has introduced new rights for individuals, such as the Right to be Forgotten and the Right to Portability.
Download our free ebook on
A comprehensive guide for all businesses on how to ensure GDPR compliance and how Endpoint Protector DLP can help in the process.