Data Protection Regulations in Latin America
The EU’s General Data Protection Regulation (GDPR) has created a domino effect across the world as its biggest trade partners rushed to align their existing data protection legislation with its strict requirements or passed new laws based on its example, in hopes of ensuring that business operations with the European bloc will continue to run smoothly. The push for legislation came in the aftermath of a number of high-profile data breaches that brought data privacy into the limelight.
In Latin America, most countries enacted data protection laws prior to the emergence of the GDPR, and those laws were generally modelled on its predecessor, the European Data Protection Directive of 1995. This means that, much like the Directive itself, they no longer address present-day data protection concerns and must be updated both for the sake of Latin American data subjects and to facilitate cross-border data transfers to and from the EU.
Brazil has so far taken the most significant step in this direction. In August 2018, it passed a comprehensive new general data protection law, the Lei Geral de Proteção de Dados (LGPD), modelled after the GDPR. The LGPD replaced over 40 often contradictory norms that previously governed personal data privacy in Brazil.
Many other countries in Latin America are looking to adjust their existing regulations to conform to the new international legislative context ushered in by the GDPR:
The main data protection legislation in Mexico is the Ley Federal de Protección de Datos Personales en Posesión de los Particulares or Federal Law on Protection of Personal Data Held by Individuals (LFPDPPP). The law came into force in July 2010 and was followed in December 2011 by secondary regulations that clarified the obligations of personal data controllers under the LFPDPPP.
A set of guidelines for privacy notices was issued in April 2013, with a series of recommendations on personal data security following only six months later in November 2013 and the parameters for self-regulation regarding personal data in May 2014. A new law regulating data protection for entities benefitting from public funds, the Ley General de Protección de Datos Personales en Posesión de Sujetos Obligados or General Law for the Protection of Personal Data in Possession of Obligated Subjects, entered into force in January 2017.
While Mexico has so far not taken any steps to align its existing legislation to the GDPR, it has recently adhered to the European Convention for the Protection of Individuals Regarding Automatic Processing of Personal Data (Convention 108) and its Additional Protocol regarding supervisory authorities and transborder data flows. Countries that have ratified Convention 108 are obligated to incorporate provisions regarding the processing of personal information into domestic law principles.
The protection of personal data is considered a fundamental right under the Peruvian Constitution. The Ley de Protección de Datos Personales or Law for Personal Data Protection No. 29733 was based on this key constitutional principle and was enacted in June 2011. However, it only came into force nearly two years later, in March 2013, when Supreme Decree No. 003-2013-JUS approved its implementing regulation, which included the rules governing the protection and safeguarding of data subjects’ rights and the obligations with which companies processing data would have to comply.
A legislative reform approved in 2017 introduced a new classification for data breaches and infringements of data protection regulations.
The right to intimacy and data protection are guaranteed under the Colombian Constitution. They are regulated through Law 1581/2012 and Decree 1377/2013, which govern the protection of data subjects’ rights and the obligations that fall to entities collecting and processing data.
Law 1266/2008 governs the protection of credit reporting information, while Law 1273/2009 establishes a series of criminal offenses in relation to personal data such as disclosure or sale of personal data.
The Superintendence of Industry and Commerce (SIC), which acts as Colombia’s Data Protection Authority, recently created a list of countries that it deemed to have adequate measures of protection for cross-border data transfers under Law 1581. Among the countries on the list are some that have yet to receive an adequacy decision from the European Commission, such as South Korea, Australia and Costa Rica.
Chile was the first South American country to pass comprehensive data protection legislation, Law No. 19.628 On the Protection of Private Life, in 1999 and, in 2018, the National Congress of Chile amended article 19 of the Constitution to include the protection of personal data as an individual right. However, Law No. 19.628, which defines what personal data is and how it should be processed by third parties, does not cover the processing of information through digital media and does not put any proper supervisory mechanisms in place.
As a consequence, Chile does not at present have a data protection authority dedicated to the enforcement of its data protection legislation, but a bill has been put forward to modify Law 19.628 to include provisions regarding the protection and processing of personal data and the creation of a data protection authority. It received the general approval of the Senate in April 2018 but still has to pass rounds of discussions in both houses before it can become law.