Technology is booming in Latin America, and privacy laws and regulations are becoming more complex as well, since more technology generally means more data processing.
Latin America is a region formed by 20 different and independent countries, so getting acquainted with 20 different laws can seem quite an ordeal. Juan Luis Hernandez Conde, Founding Partner at Novus Concilium will address this topic at the upcoming TRUSTe Privacy Risk Summit on June 8th in San Francisco. In this blog post he provides an introduction to the 5 basic principles of LATAM privacy laws.
- No “one stop shop”
There is no document such as the GDPR (Europe’s General Data Protection Regulations) applicable to the whole region, although, most of the laws are based on the EU Data Protection Directive 95/46 EC (the EU Directive). In general, most countries have a right of data self-determination in their constitutions, but specifically all the countries can be divided into two teams.
Team one, in which we can find Mexico, Argentina, Uruguay, Costa Rica, and Nicaragua, comprises countries with a detailed framework and even Data Protection Agencies (DPA) to enforce it. Team two, where we can find countries such as El Salvador, Guatemala, Venezuela and Cuba, groups countries who doesn’t have a specific omnibus law regarding data self-determination or a DPA. There are, as well, a set of countries transitioning from team two to team one, for example Brazil and Paraguay.
- “Habeas Data”
Habeas Data (which literally means “to show – the controller– has the data”) is a catchy phrase used to refer to data self-determination rights, such as the right to access, rectification, or erasure of personal information. Most of the Latin American countries grant these types of rights to data subjects, and provide detailed legal procedures to enforce them.
- Corporate governance and policies
Some laws require controller companies to develop some corporate structures and privacy policies according to certain legal principles. For example, Mexican Law, requires controllers to appoint a Data Protection Officer in charge of reviewing any Habeas Data complaint complaint made by data subjects.
- Information and Consent
The duty of information, plays an important role in the region. In jurisdictions such as Argentina or Colombia, controller companies have a duty to disclose all the details regarding the processing of personal information they gather. Information to be disclosed commonly includes:
- Personal information gathered,
- A detailed explanation about what do the controller use the data for,
- A list of transfers to third parties,
- The name and address of the legal entity responsible for the database and
- Procedures to exercise habeas data rights rights, among others.
Consent is paramount in most of the Latin American jurisdictions. Almost every country with an omnibus legislation require it prior to the processing of data in their own unique ways. For example, Mexico and Colombia, allow opt-out consent for general information, but require opt-in consent in special circumstances such as the processing of sensitive data (information regarding sexual orientation, religious views, ethnic origins, health condition, political preferences among others).
Whatever the case, the controller company will be responsible to show the DPA it disclosed the information required by law and that they got consent before processing data.
- Rules on data transfers
The general rule is data transfers can only be made with prior consent from data subjects.
However, international data transfers are regulated as well. Some countries require transfers to only be made to countries that show an “adequate level of protection”
Either case you better double check before transferring data, since fines or even criminal charges (misdemeanors or felonies) may apply if the transfers aren’t done correctly. You don’t want to risk it.
Privacy in Latin America is a complex and continuously evolving subject, which varies depending on the country you are doing business in. Find out more in the Latin America session at the TRUSTe Privacy Risk Summit.
A joint study released today by the IAPP and TRUSTe finds more and more companies are turning to privacy expertise to enhance security results and protect against data breaches. The study – How IT & InfoSec Value Privacy – polled 550 privacy, IT and information security professionals across the globe in December and January.
The findings reveal a significant increase in privacy-related investments, with 42% of firms spending more on privacy technology, outpacing investment in external counsel and auditors. The study also confirms the well-documented extent of the cybersecurity threat as 39% reported an incident in the last two years and increased their information security and privacy investments alike to address the growing threat.
In fact, the study shows that the most important way to protect against cybersecurity risk is through constant communication between the privacy and security teams, many of which are now populated with staff from each discipline. Companies are also using core privacy functions to better understand the extent of their corporate risk, with 41% increasing use of privacy impact assessments and data inventory and classification, and 40% increasing use of data retention policies.
“The study shows a change in the way companies are protecting themselves against cybersecurity threats,” IAPP President and CEO J. Trevor Hughes, CIPP said. “As the threat of cybersecurity breaches increases every day, companies are getting smarter about protecting themselves against this threat, and more are recognizing the importance of security and privacy working hand in hand to mitigate the risk and enhance accountability.”
Chris Babel, CEO TRUSTe and Omer Tene Vice President of Research and Education, IAPP will be discussing the report findings at the RSA 2016 Conference in San Francisco this week in a panel session from 8.00-8.50am North | Room: 133 on Wednesday, March 2
To find out more about how TRUSTe’s privacy solutions can help strengthen your infosecurity program chat to the team in the North Expo Exhibit Hall, Booth #N3017 or call on 1-888-878-7830.
Calling all Privacy Innovators and Technologists! TRUSTe is sponsoring the Holiday Happy Hour for the PI&T group on Dec. 3rd with drinks, snacks and special raffle prizes. Don’t miss out on the fun!
To thank its members, PI&T is hosting an end-of-year celebration. Join PI&T at TRUSTe’s HQ for a special Holiday Happy Hour. All are welcome — whether you’re interested in learning more about the PI&T group and who’s lined up to speak in 2016, or you would just want to make merry with your colleagues and friends.
Please be prepared to select an Ice Breaker Topic upon arrival. Which privacy topic do you find most interesting?
• Privacy By Design
• Data Breach Communication Laws
• Internet of Things
• Or create your own!
The Privacy Innovation & Technology group brings together professionals working to identify, quantify, or solve privacy issues on the web, in mobile settings, or within corporations. The purpose of the group is to help the privacy and security communities network, as well as learn and discuss novel issues in the privacy space. We’re open to all kind of topics related to privacy including, but not limited to, big data issues, browser technology, tracking technology, forward thinking privacy practices, etc. The group is an excellent opportunity for anyone interested in learning more about the privacy world and for IAPP certificate holders to earn CPE (Continuing Professional Education) credits. Come as you are!
Find more details on the PI&T page or RSVP today here!
Location: TRUSTe HQ, 835 Market Street, Suite 800, San Francisco, CA 94103
Contact: Matthew Coleman, firstname.lastname@example.org
5:30PM – 6:30PM: Networking (Refreshments and snacks provided)
6:30PM – 7:00PM: Ice breaker session
7:00PM: Brief announcement from PI&T and pull raffle winners
7:00PM – 8:00PM: Continued networking
• The IAPP Information Privacy Case Book (the first, comprehensive analysis of the current state of privacy and data security enforcement around the world)
• Holiday Gift Basket
• TRUSTe Branded Timbuk2 Messenger Bag
In today’s webinar, “Top 5 Things the CISO Needs to Know About Data Privacy,” Senior Analyst at Forrester Research, Heidi Shey shared research on privacy in organizations with TRUSTe CEO Chris Babel.
Below are a few excerpts from the webinar:
“Privacy is one of those organizational functions that’s still emerging for many enterprises today,” Heidi said. “There are different ways that people are trying to bring these capabilities into the company and put people in charge of privacy and that creates some challenges as well as opportunities depending on how the privacy organization is structured.”
Heidi identified types of privacy organizations:
- “Compliance Cubs” – “This is probably the most common type we see today. They’re very compliance-driven; they’re focused on meeting compliance requirements around consumer data privacy.”
- “Security Satellites” – “These are companies that have pulled privacy in. [There’s] greater alignment between security and privacy.”
- “Marketing Mavens” – “Privacy, marketing and customer care initiatives are top-of-mind. In these companies you’ll typically find someone in marketing overseeing privacy.”
- “Business Boosters” – “These are the companies that approach privacy organization-wide. They’ve broken-down privacy silos.”
Several polls throughout the webinar provided some insight into viewers’ opinions on privacy. The second poll asked attendees about their plans for cross-border data transfers now that EU Safe Harbor has been ruled invalid.
“What solution is your company considering for data transfers following CJEU ruling?”
- Wait for Safe Harbor 2.0 (40%)
- Model Clauses (30%)
- Binding Corporate Rules (15%)
- Consent (14%)
With regard to the poll, Chris stressed that answers are individual and based on an organization’s needs: “It starts with understanding your data flows and how much data’s moving, where it’s moving because only by understanding that can you really say which of these options is best for you. If you’re just moving employee data, consent wouldn’t work. Different methods apply based on what you’re doing.”
Another tip Heidi gave for CISOs is “compliance is not a privacy strategy.”
“When we take this approach, the organization starts to view privacy as a cost center,” she said, adding that companies will strive to meet compliance at the lowest cost and then move on. It also creates silos within an organization in addition to a “head in the sand” environment in which “we start to overlook the potential of data and what we can do with it.”
To avoid this, she says it’s important to view privacy as a competitive differentiator.
To read about TRUSTe’s future webinars and events, click here.
TRUSTe’s most recent webinar in the Privacy Insight Series titled, “Building an Effective Privacy Program — Six Practical Steps” covered the process to build a privacy program while mitigating risk and keeping privacy best practices top-of-mind. Speakers were Beth Sipula, CIPP/US, Senior Consultant at TRUSTe, and Paola Zeni, Director, Global Privacy, Ethics and Compliance at Symantec Corporation.
This was the third webinar in our Fall/Winter Privacy Insight Series. The series consists of webinars with top privacy experts who discuss the major privacy issues of today. Watch this clip to get an idea of this webinar’s content.
Join us on Oct. 15 for a webinar titled, “Top 5 Things the CISO Needs to Know About Data Privacy.”