On May 25, 2018, the General Data Protection Regulation (“GDPR”) of the European Union (EU) entered into force and propelled various Latin American countries to reform and update their local data protection regimes. Brazil, for instance, put together a comprehensive data protection regulation mirroring EU laws despite not having a previous regulation in place, while Chile, Argentina and Mexico are notably taking steps to increase privacy and security protection for their nationals. In this article, we discuss the ongoing data protection changes in some Latin American countries and to what extent they follow in the EU’s footsteps.
The Age of GDPR
The EU is traditionally known for setting the bar for data protection regulations globally and GDPR is no exception. Based on its cutting-edge data protection provisions and strict measures and sanctions, GDPR is already impacting the world´s legislation and is setting the highest standard in treatment of personal data.
GDPR achieved international relevance, not only because it contains broad provisions related to the protection of personal data and privacy but also due to its extraterritorial application. GDPR may impose obligations not only to companies located in the EU that process personal data, but also to companies located in non-EU countries which process the personal data of EU citizens.
This regulation has also vested EU authorities with the power to conduct adequacy findings. Authorities may assess whether a third country, territory or sector within a third party or an international organization ensures an adequate level of protection pursuant to the GDPR provisions. Non-EU countries may have a financial motivation to impose GDPR-level data protection obligations in order to reap the potential benefits of having their domestic provisions considered adequate under the GDPR for data transfers from the EU.
Latin American Regulation in the GDPR Age
Prior to 2018, several Latin American countries already had some measure of data protection policies in place. After the entry into force of the GDPR, we are witnessing an outbreak of privacy law amendments, as Latin American countries raise their data protection standards to meet those set forth in the EU regulation.
Argentina passed one of the first data protection laws in the Latin American region, yet it remains mostly unchanged since 2000. Argentina is seeking to revise the current privacy laws in order to maintain its status as a country with adequate level of protection from an EU perspective.
In 2018, a bill to replace Argentinian Law No. 25,326 was proposed to align with GDPR, and thus, includes similar rights and principles. These include:
- Incorporation of concepts like “genetic data”, “biometric data” and “cloud computing”;
- Limited scope referring only to natural persons, excluding legal entities;
- Obligation on governmental agencies to appoint a data protection officer if sensitive and big data are being processed; and
- Incorporation of standards for the lawfulness of data processing.
Additional data subject rights are also addressed; the bill expressly recognizes the right to object to or restrict the processing and right of data portability.
Until very recently, Brazil lacked a specific law to regulate data protection aspects and even lacked a definition of personal data. Instead, for years the country has maintained various sector-specific laws concerning general provisions on protection of individuals and their related data. The Consumer Protection Code, for instance, granted some privacy rights to access and correct consumer´s data. The Internet Legal Framework regulated the processing of personal data, including the collection, storage, retention, treating and communication of personal data. The Criminal Code, as amended by Law No. 12,737/12, also known as computer crime law, also covered certain aspects. This fragmented regulation came to an end in July 2018 when the Brazilian Senate approved the Brazilian General Data Protection Law, establishing a single data protection regime based on the provisions of GDPR.
The Brazilian General Data Protection Law governs rights and obligations related to the processing of personal data, as well as good practices, and also:
- Creates a national data protection authority;
- Incorporates the extraterritorial scope of GDPR; it will apply to private and public sectors if the processing occurs in Brazil or personal data is obtained from data subjects located in Brazil, despite the location of the controller;
- Obliges firms and public agencies handling personal data to appoint a data protection officer; and
- Creates the possible imposition of fines of up to 2% of a group’s gross revenues in Brazil in the last fiscal year for noncompliance.
Personal data protection in Chile has been regulated by Law No. 19,628 since 1999. Its purpose was to establish general provisions regarding personal data processed by third parties. Although this Chilean law sets forth that data subjects shall be informed about the purposes of the processing of their personal information and that their consent shall be collected, it does not establish mechanisms to supervise the proper compliance with legal obligations on this matter. In light of this, Chile is seeking to amend Law No. 19,628 to adjust it to the GDPR´s standards and provisions. This bill will:
- Regulate protection and processing of personal data;
- Create a data protection council to enforce law and impose fines up to $700,000 USD; and
- Introduce biometric data to the definition of sensitive data.
It is of great significance to mention that Chile has also agreed to amend their constitution to include the right of protection of personal data.
Colombia is aware of the need to incorporate relevant provisions to their current data protection laws, Law No. 1,581 and Law No. 1,266, that address contemporary technological innovations. The GDPR includes obligations that are not regulated under existing Colombian laws, such as the right to be forgotten and the appointment of data protection officers. One of the most important topics in Colombia is the legislative bill which pretends to endow data privacy Law No. 1,581 with the international scope of GDPR, including:
- New definitions of sensitive data, public data and privacy notice, and
- Specification of certain requirements for privacy policies.
Colombia recently created an “adequacy” list for cross-border transfers, which contains a list of countries that comply with adequate data protection level standards under Colombian criteria.
The Mexican Federal Law on Protection of Personal Data Held by Private Parties, effective since 2010, is the foundation of a comprehensive privacy system which governs the processing of personal data, including its collection, use, transfer and storage. Under these current laws, rights such as access, rectification, cancellation or opposition to the treatment of data are granted to data subjects.
The most active data protection authority in Latin America
Data Subjects are increasingly more aware of these rights and actively exercise them. Between January 2012 and June, 2017, the Mexican Data Protection Authority (known as “INAI”) handled: (a) 820 Protection of ARCO Rights Procedures and; (b) 2,094 claims filed by data subjects before INAI, which have resulted in 1,520 procedures (discovery phase) and 208 Verification Procedures. Further, INAI is probably the most active data protection authority in Latin America. Between January 2012 and June, 2017, INAI has imposed sanctions to companies operating in Mexico in 147 cases, for a total amount of approximately $16.7 million USD in fines.
While Mexican law also provides lots of room for flexibility and self-regulation, Mexico is likely to adopt, at least to a certain degree, data protection and security provisions comparable to European regulations. For instance, Mexico recently adhered to the European Convention for the Protection of Individuals regarding Automatic Processing of Personal Data (“Convention 108”) and its Additional Protocol regarding Supervisory Authorities and Transborder data flows. Convention 108 imposes obligations to Member States, such as incorporating into their domestic laws principles and provisions for the processing of individual´s personal data.
Since Mexico is fully aware of the relevance of complying with privacy provisions to the greatest extent possible, important reforms to the current privacy law are expected in the short term to bring Mexican regulations in line with GDPR and Convention 108.
In 2011, Peru enacted Law No. 29,733, the provisions of which seek a broad protection and grant appropriate rights to data subjects in the event that companies processing personal data fail to comply with their obligations.
The data protection law in Peru has been recently updated to expand legal guidelines for data processing and to strengthen their data protection regime. Some relevant provisions related to data transfer have been incorporated:
- The data controller is obliged to notify any data transfer resulting from a company´s mergers and acquisitions and to register international data transfers in a Peruvian national registry.
- New exemptions to obtaining consent for data processing are also included, mainly to prevent money laundering and terrorism financing.
Compliance with the highest standards is important since the EU plays an important role in many Latin American markets and industries. Amending the current domestic data protection laws may enhance the relationship with European trading partners and may provide further international recognition. This is the momentum for Latin America to make their global presence known in a data-driven world.
For further information on current Data Privacy requirements and upcoming issues worldwide, please check Baker McKenzie online privacy handbook at https://tmt.bakermckenzie.com/-/media/minisites/tmt/files/global_privacy_handbook-_2018.pdf?la=en.
Guest post contributed by Paulina Bojalil, Associate at Baker McKenzie Mexico, Michael Egan, International Commercial Partner at Baker McKenzie Washington, D.C. and Carlos Vela-Treviño, TMT/Privacy Partner at Baker McKenzie Mexico.