On July 28 2021, Francisco Sagasti will conclude a nine-month tenure as President of Peru.
Albeit not the shortest in recent Peruvian history (his predecessor lasted five days), his government steered Peru through the COVID-19 pandemic, profound institutional crisis, and a complex general election.
Amidst this context, the Sagasti administration sent an urgent request to Congress to discuss a draft law that would create a new, more independent data protection agency and overhaul Peru’s data protection regime to align more closely to the GDPR.
Significant Changes Introduced by Peru’s Draft Privacy Legislation
- Enforcement body: The “National Authority of Transparency, Access to Public Information and Protection of Personal Data” (DPA) would replace the “General Directorate of Personal Data”.
- While it remains part of the Ministry of Justice and Human Rights, it outlines its policies and gains functional autonomy to manage its budget and legal representation.
- Duty to appoint a Data Protection Officer: Private and public organizations would be obliged to designate a Data Protection Officer (DPO) under criteria outlined by the DPA.
- DPOs must coordinate with their Information Security Officers to report security incidents.
- Duty to appoint a local representative: Organizations that are not located in Peru but conduct business in Peru or process the personal data of Peruvian residents would have an obligation to designate a local representative under criteria outlined by the DPA.
- Right of Data Portability: §23-A would incorporate a right to data portability in terms that are comparable to §20 of the GDPR.
- Breach Response: The proposed legislation would create an explicit obligation to report security incidents involving personal data. Under current legislation, such reports only take place voluntarily.
With a population of 32.9 million and a GDP per capita of USD $6,977.70, Peru is an APEC member and has subscribed to free-trade agreements with the European Union and the United States.
Peru’s Internet Penetration grew from 3% in the year 2000 to almost 60% in 2019. A lot of growth is still possible and necessary.
Whether this draft legislation will pass before the end of July is hard to predict.
However, a more independent DPA, clear breach response obligations, and an overall privacy regime that conforms with current international standards should make compliance activities in Peru more consistent and therefore attainable.
As we see in other expanding digital economies, such as Bangladesh, interoperable data protection requirements are beneficial to both internal implementation and external growth.