Technology is booming in Latin America, and privacy laws and regulations are becoming more complex as well, since more technology generally means more data processing.
Latin America is a region formed by 20 different and independent countries, so getting acquainted with 20 different laws can seem quite an ordeal. Juan Luis Hernandez Conde, Founding Partner at Novus Concilium will address this topic at the upcoming TRUSTe Privacy Risk Summit on June 8th in San Francisco. In this blog post he provides an introduction to the 5 basic principles of LATAM privacy laws.
- No “one stop shop”
There is no document such as the GDPR (Europe’s General Data Protection Regulations) applicable to the whole region, although, most of the laws are based on the EU Data Protection Directive 95/46 EC (the EU Directive). In general, most countries have a right of data self-determination in their constitutions, but specifically all the countries can be divided into two teams.
Team one, in which we can find Mexico, Argentina, Uruguay, Costa Rica, and Nicaragua, comprises countries with a detailed framework and even Data Protection Agencies (DPA) to enforce it. Team two, where we can find countries such as El Salvador, Guatemala, Venezuela and Cuba, groups countries who doesn’t have a specific omnibus law regarding data self-determination or a DPA. There are, as well, a set of countries transitioning from team two to team one, for example Brazil and Paraguay.
- “Habeas Data”
Habeas Data (which literally means “to show – the controller– has the data”) is a catchy phrase used to refer to data self-determination rights, such as the right to access, rectification, or erasure of personal information. Most of the Latin American countries grant these types of rights to data subjects, and provide detailed legal procedures to enforce them.
- Corporate governance and policies
Some laws require controller companies to develop some corporate structures and privacy policies according to certain legal principles. For example, Mexican Law, requires controllers to appoint a Data Protection Officer in charge of reviewing any Habeas Data complaint complaint made by data subjects.
- Information and Consent
The duty of information, plays an important role in the region. In jurisdictions such as Argentina or Colombia, controller companies have a duty to disclose all the details regarding the processing of personal information they gather. Information to be disclosed commonly includes:
- Personal information gathered,
- A detailed explanation about what do the controller use the data for,
- A list of transfers to third parties,
- The name and address of the legal entity responsible for the database and
- Procedures to exercise habeas data rights rights, among others.
Consent is paramount in most of the Latin American jurisdictions. Almost every country with an omnibus legislation require it prior to the processing of data in their own unique ways. For example, Mexico and Colombia, allow opt-out consent for general information, but require opt-in consent in special circumstances such as the processing of sensitive data (information regarding sexual orientation, religious views, ethnic origins, health condition, political preferences among others).
Whatever the case, the controller company will be responsible to show the DPA it disclosed the information required by law and that they got consent before processing data.
- Rules on data transfers
The general rule is data transfers can only be made with prior consent from data subjects.
However, international data transfers are regulated as well. Some countries require transfers to only be made to countries that show an “adequate level of protection”
Either case you better double check before transferring data, since fines or even criminal charges (misdemeanors or felonies) may apply if the transfers aren’t done correctly. You don’t want to risk it.
Privacy in Latin America is a complex and continuously evolving subject, which varies depending on the country you are doing business in. Find out more in the Latin America session at the TRUSTe Privacy Risk Summit.