By Angelique Carson, CIPP/US

While Latin American privacy laws have largely been based on European frameworks in order to facilitate business, their prescriptive nature on data breach disclosures and cross-border transfers may more likely keep businesses away than draw them in. 

That was the message in a recent IAPP web conference on “Keeping Up with Data Privacy Developments in Latin America,” led by Matthew S. DelNero, partner at Covington & Burling, and Mariana Tavares de Arujo, partner at Levy & Salomao Advogados. The in-depth program described the evolution of privacy laws in Latin America since Argentina blazed a trail with the passage of its law in 2000. In the 13 years following, seven countries on the continent have passed their own laws, largely based on Europe’s framework.

Data use and creation is exploding in Latin America—defined here as Mexico, Central America and South America. The geographic area saw a more-than-two-fold increase in Internet population within the past five years of available data, from 110 million in 2007 to 235 million in 2012. Such an increase has raised the eyebrows of data protection enforcers, according to de Arujo.

Argentina passed its law in 2000, followed by Uruguay in 2008, Mexico in 2010 and four countries— Costa Rica, Colombia, Peru and Trinidad—in 2011. In 2012, Nicaragua followed suit, and Brazil is now considering its own law. The countries based their laws on European models in hopes of being deemed “adequate” by the EU and thus drawing commerce to the regions, according to de Arujo.

“But that was in the mid ’90s,” when the first of these laws was being formulated, she said. “Things have changed a lot.”

DelNero said the challenge for any multinational doing business in Latin America is that while there are legislative similarities from country to country, there is not a common framework—unlike the EU, where the data protection directive applies to all 27 member states.

“It’s a more complex region to comply with than what we see in Europe because of those variations,” DelNero said.

The basis of data protection laws found in the constitutions of many Latin American countries is the principle of “habeas data,” which translates essentially to “you should have the data.” The principle gives data subjects the right to access and demand rectification or destruction of their personal data and can be exercised by a petition to constitutional court.

While the privacy principles of Latin American laws tend to be basic—for example, Mexican law on data held by private parties states data controllers must “adhere to the principles of legality, consent, notice, quality purpose, fidelity, proportionality and accountability under the law”—nuances can be quite restrictive, DelNero said.

For example, with the exception of Mexico, many countries require express, opt-in consent from the data subject in order to process data. Peruvian law, for example, states that consent must be obtained unless there is “authoritative law to the contrary. The consent must be prior, informed, express and unequivocal.”

Additionally, there are rarely exceptions for commonly accepted practices. For example, DelNero said, while it’s generally safe to assume consumers have certain expectations for first-party marketing, even that requires express prior consent.

“When I go to Amazon and look for a couch, I’m not going to be surprised that they record the fact that I’m looking for a couch. That would be considered a commonly accepted practice that doesn’t require consent. But a lot of these laws are not making exceptions, so arguably, even first-party marketing would require prior express consent,” he said.

Besides express consent, Latin American countries tend to have similarities when it comes to audits, sanctions and security requirements.

“We also see some similarities to what companies deal with these days in terms of the U.S. and all the different state data privacy regimes, particularly around security breaches,” DelNero said. There are 46 different breach laws in the U.S., and Latin American regulations around breach notification requirements are similarly disparate and can be very exacting, he said. For example, some countries require notification of a breach to the data protection authority within five days of its occurrence—not discovery.

“If you have breach, you will have to look at each law to see the requirements in each jurisdiction,” DelNero warned.

When it comes to data transfers, interested parties may find themselves in a pickle. Strict prohibitions are based on the EU directive’s rules on adequacy. However, Latin American data transfers are difficult to administer as they often require express consent from the data subject. Such is true in Costa Rica, for example.

“In Latin America, theoretically you can’t transfer data now from Costa Rica to Colombia to Peru,” DelNero said. “There have not yet been many adequacy decisions even made by regulators since these are new laws. We still don’t yet know how that’s all going to play out, but, there is not yet any kind of U.S.-Costa Rica Safe Harbor.”

How this will play out in practice remains to be seen, DelNero said.

Looking Ahead to Brazil

Brazil currently has 78.5 million Internet users who spend an average of 47 hours per month online, according to Ibope Nielsen. Its growth has it mentioned in the same sentences as India and China.

Its constitution revolves around such primary rights as the protection of intimacy and private life as well as the inviolability of mail, phone and telecommunication data. It also contains a provision on habeas data, the remedy to seek access to personal data held by the government.

The draft bill on data protection and privacy was opened to public consultation in 2011. It received 700 submissions and largely leans toward the EU model on data protection. It calls for express and informed consent—in writing or otherwise—in order to process data. However, exceptions are permitted for contractual or pre-contractual purposes; to fulfill a legal obligation; where public records are involved; to protect public health and safety, or where necessary for defense or to assert a right in court.

The bill includes provisions for access to data and correction rights within five days’ time.

While the law’s introduction is an important step in terms transparency and consistency around consent rules, it has some problems, DelNero said in giving her opinion, including that it overregulates consent.

The government should perhaps restrict such consent requirements to only sensitive data, she proposed, “because it is not only complicated and costly for the company obtaining consent, but from a consumer perspective, receiving too many requests may make the mechanism meaningless.”

The law would also see companies fined up to 20 percent of their annual turnover, which DelNero says may be disproportionate and may dissuade companies from exporting services to Brazil.

While Brazil’s law isn’t expected to pass any time soon, DelNero predicted we would see something passed within five years’ time.

Editor’s Note: For more on this topic, purchase the audio of this web conference. The next IAPP web conference, “Employee Social Media Accounts—Financial Regulators Want Access,” will be broadcast on Friday, June 7, from 1 to 2:30 p.m. EDT.

Read more by Angelique Carson:
Constant Contact’s “Training Day”
When Shopping for Cyberinsurance, Semantics Matter
IN FOCUS: The Directive
ZIP Codes: Are Courts Set To Protect Consumers from Marketing?



If you want to comment on this post, you need to login.


Board of Directors

See the esteemed group of leaders shaping the future of the IAPP.

Contact Us

Need someone to talk to? We’re here for you.

IAPP Staff

Looking for someone specific? Visit the staff directory.

Learn more about the IAPP»

Daily Dashboard

The day’s top stories from around the world

Privacy Perspectives

Where the real conversations in privacy happen

The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

Privacy Tracker

Alerts and legal analysis of legislative trends

Privacy Tech

Exploring the technology of privacy

Canada Dashboard Digest

A roundup of the top Canadian privacy news

Europe Data Protection Digest

A roundup of the top European data protection news

Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

IAPP Westin Research Center

Original works. Groundbreaking research. Emerging scholars.

Advertise in IAPP Publications

Find out how to get your message in front the people you want to reach. Download a media kit now.

Get more News »

Find a KnowledgeNet Chapter Near You

Network and talk privacy at IAPP KnowledgeNet meetings, taking place worldwide.

Women Leading Privacy

Events, volunteer opportunities and more designed to help you give and get career support and expand your network.

IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

Join the Privacy List

Have ideas? Need advice? Subscribe to the Privacy List. It’s crowdsourcing, with an exceptional crowd.

Find more ways to Connect »

Find a Privacy Training Class

Two-day privacy training classes are held around the world. See the complete schedule now.

Online Privacy Training

Build your knowledge. The privacy know-how you need is just a click away.

The Training Post—Can’t-Miss Training Updates

Subscribe now to get the latest alerts on training opportunities around the world.

New Web Conferences Added!

See our list of upcoming web conferences. Just log on, listen in and learn!

Train Your Staff

Get your team up to speed on privacy by bringing IAPP training to your organization.

Learn more »

CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

CIPT Certification

The industry benchmark for IT professionals worldwide to validate their knowledge of privacy requirements

Certify Your Staff

Find out how you can bring the world’s only globally recognized privacy certification to a group in your organization.

Learn more about IAPP certification »

Get Close-up

Looking for tools and info on a hot topic? Our close-up pages organize it for you in one easy-to-find place.

Where's Your DPA?

Our interactive DPA locator helps you find data protection authorities and summary of law by country.

IAPP Westin Research Center

See the latest original research from the IAPP Westin fellows.

Looking for Certification Study Resources?

Find out what you need to prepare for your exams

More Resources »

GDPR Comprehensive: Registration Open

New! Intensive two-day GDPR training led by the sharpest minds in the field. It's a can't-miss event.

The Congress Is Cancelled

The IAPP Europe Data Protection Congress 2015 is cancelled. Click through to learn more.

Sponsor an Event

Increase visibility for your organization—check out sponsorship opportunities today.

Exhibit at an Event

Put your brand in front of the largest gatherings of privacy pros in the world. Learn more.

More Conferences »

Become a Member

Start taking advantage of the many IAPP member benefits today

Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits

Join the IAPP»