By Angelique Carson, CIPP/US
While Latin American privacy laws have largely been based on European frameworks in order to facilitate business, their prescriptive nature on data breach disclosures and cross-border transfers may more likely keep businesses away than draw them in.
That was the message in a recent IAPP web conference on “Keeping Up with Data Privacy Developments in Latin America,” led by Matthew S. DelNero, partner at Covington & Burling, and Mariana Tavares de Arujo, partner at Levy & Salomao Advogados. The in-depth program described the evolution of privacy laws in Latin America since Argentina blazed a trail with the passage of its law in 2000. In the 13 years following, seven countries on the continent have passed their own laws, largely based on Europe’s framework.
Data use and creation is exploding in Latin America—defined here as Mexico, Central America and South America. The geographic area saw a more-than-two-fold increase in Internet population within the past five years of available data, from 110 million in 2007 to 235 million in 2012. Such an increase has raised the eyebrows of data protection enforcers, according to de Arujo.
Argentina passed its law in 2000, followed by Uruguay in 2008, Mexico in 2010 and four countries— Costa Rica, Colombia, Peru and Trinidad—in 2011. In 2012, Nicaragua followed suit, and Brazil is now considering its own law. The countries based their laws on European models in hopes of being deemed “adequate” by the EU and thus drawing commerce to the regions, according to de Arujo.
“But that was in the mid ’90s,” when the first of these laws was being formulated, she said. “Things have changed a lot.”
DelNero said the challenge for any multinational doing business in Latin America is that while there are legislative similarities from country to country, there is not a common framework—unlike the EU, where the data protection directive applies to all 27 member states.
“It’s a more complex region to comply with than what we see in Europe because of those variations,” DelNero said.
The basis of data protection laws found in the constitutions of many Latin American countries is the principle of “habeas data,” which translates essentially to “you should have the data.” The principle gives data subjects the right to access and demand rectification or destruction of their personal data and can be exercised by a petition to constitutional court.
While the privacy principles of Latin American laws tend to be basic—for example, Mexican law on data held by private parties states data controllers must “adhere to the principles of legality, consent, notice, quality purpose, fidelity, proportionality and accountability under the law”—nuances can be quite restrictive, DelNero said.
For example, with the exception of Mexico, many countries require express, opt-in consent from the data subject in order to process data. Peruvian law, for example, states that consent must be obtained unless there is “authoritative law to the contrary. The consent must be prior, informed, express and unequivocal.”
Additionally, there are rarely exceptions for commonly accepted practices. For example, DelNero said, while it’s generally safe to assume consumers have certain expectations for first-party marketing, even that requires express prior consent.
“When I go to Amazon and look for a couch, I’m not going to be surprised that they record the fact that I’m looking for a couch. That would be considered a commonly accepted practice that doesn’t require consent. But a lot of these laws are not making exceptions, so arguably, even first-party marketing would require prior express consent,” he said.
Besides express consent, Latin American countries tend to have similarities when it comes to audits, sanctions and security requirements.
“We also see some similarities to what companies deal with these days in terms of the U.S. and all the different state data privacy regimes, particularly around security breaches,” DelNero said. There are 46 different breach laws in the U.S., and Latin American regulations around breach notification requirements are similarly disparate and can be very exacting, he said. For example, some countries require notification of a breach to the data protection authority within five days of its occurrence—not discovery.
“If you have breach, you will have to look at each law to see the requirements in each jurisdiction,” DelNero warned.
When it comes to data transfers, interested parties may find themselves in a pickle. Strict prohibitions are based on the EU directive’s rules on adequacy. However, Latin American data transfers are difficult to administer as they often require express consent from the data subject. Such is true in Costa Rica, for example.
“In Latin America, theoretically you can’t transfer data now from Costa Rica to Colombia to Peru,” DelNero said. “There have not yet been many adequacy decisions even made by regulators since these are new laws. We still don’t yet know how that’s all going to play out, but, there is not yet any kind of U.S.-Costa Rica Safe Harbor.”
How this will play out in practice remains to be seen, DelNero said.
Looking Ahead to Brazil
Brazil currently has 78.5 million Internet users who spend an average of 47 hours per month online, according to Ibope Nielsen. Its growth has it mentioned in the same sentences as India and China.
Its constitution revolves around such primary rights as the protection of intimacy and private life as well as the inviolability of mail, phone and telecommunication data. It also contains a provision on habeas data, the remedy to seek access to personal data held by the government.
The draft bill on data protection and privacy was opened to public consultation in 2011. It received 700 submissions and largely leans toward the EU model on data protection. It calls for express and informed consent—in writing or otherwise—in order to process data. However, exceptions are permitted for contractual or pre-contractual purposes; to fulfill a legal obligation; where public records are involved; to protect public health and safety, or where necessary for defense or to assert a right in court.
The bill includes provisions for access to data and correction rights within five days’ time.
While the law’s introduction is an important step in terms transparency and consistency around consent rules, it has some problems, DelNero said in giving her opinion, including that it overregulates consent.
The government should perhaps restrict such consent requirements to only sensitive data, she proposed, “because it is not only complicated and costly for the company obtaining consent, but from a consumer perspective, receiving too many requests may make the mechanism meaningless.”
The law would also see companies fined up to 20 percent of their annual turnover, which DelNero says may be disproportionate and may dissuade companies from exporting services to Brazil.
While Brazil’s law isn’t expected to pass any time soon, DelNero predicted we would see something passed within five years’ time.
Editor’s Note: For more on this topic, purchase the audio of this web conference. The next IAPP web conference, “Employee Social Media Accounts—Financial Regulators Want Access,” will be broadcast on Friday, June 7, from 1 to 2:30 p.m. EDT.