Data protection laws in Latin America – an overview

Unfortunately, Latin America still suffers from a great digital divide, maybe one of the biggest in the world. But some, or almost all, of its economies have, in parallel, also witnessed an exponential increase in the number of people with access to the Internet and different electronic devices. This variable has caught the attention of foreign Internet companies, which started to focus on and provide their services to these countries. Sometimes, they are used in manners never foreseen by the companies, mainly due to the creative inherent characteristic of Latin Americans, who have to adapt to periods of economic, financial and political struggles.

These adaptions often lead to precarious business models, which frequently lack strict respect to rights enshrined on internal legal frameworks. Sometimes, survival is the key to success. The combination of a boom on the use of digital devices and the growth on the use of different Internet services that monetize data for profit have led to the need for data protections laws to protect citizens from misuse of their personal data, to provide them with tools to clarify who will collect their data, in which manner and for what reasons, so they can properly authorize such uses.

Data protections laws in Latin America aim to protect citizens not only from private companies undue practices, but also from disproportional and unreasonable state intrusion in their private lives. Unfortunately, Latin America's recent history can only be told by mentioning long periods in which countries were governed by dictatorships. Some of the most efficient tools these types of governments had in order to maintain control over citizens included surveillance methods and collection of information in obscure and corrupt ways. After democracy was restored, several countries enacted state transparency laws and, in consequence, general data protections laws. Though occasionally limiting their scope to not include state activities, these laws lay out general data protection principles that must be complied with, even in cases of national security and criminal investigations.

Therefore, the data protection legal framework of Latin America has suffered several changes over the last years. Countries such as Argentina, Chile, Mexico, Peru, Uruguay and Venezuela have enacted general and overall laws. However, countries such as Brazil still provide protection with sectoral laws, leaving gaps that are filled by private and public duvidosos interests. This brief analysis will show some of the most recent changes to the data protection scenario of some Latin American countries, in order to provide an overview of the efervescente discussions that current take place on this part of the world.

Argentina

Protection of Personal Data (Federal Law 25.326/2000): This law has the goal to provide general protection to personal data stored in archives, registers, databases and other data processing platforms, public or private, in order to guarantee the right to privacy and correlated rights, such as honor, image and intimacy. Article 43 of the Federal Constitution also grants the right to individuals to access to information about them stored on public databases. In 2003 the European Commission recognized that Argentina provides an adequate level of protection according to the current European Data Protection Directive. The country also has a Data Protection Authority with enforcement powers.

Brazil

Brazil does not have a specific law on data protection. Even though it is one of the emerging countries of the world, and in Latin America, despite its current economic and political downturns, personal data has not been correctly approached when it comes to protection. The following legal Brazilian texts have requirements on privacy and data protection:

1. The Brazilian Constitution, which considers privacy and intimacy as a fundamental right conferred to every person, national or foreigner;
2. The Civil Code, which states that privacy and intimacy are inviolable rights and can only be exposed with the person´s consent;
3. The Consumer Code, which regulates credit and commercial databases;
4. Federal Law 9296/96, which regulates the interception of computer and telephonic communications, which can only take place on ongoing criminal investigations;
5. Access to Information Law (Federal Law 12.527/11): regulates the access to information stored on public databases, either managed by public or private entities, and also imposes transparency obligations to entities to disclose government data on their websites;  
6. The Telecommunications Act, which provides that telecommunication companies must preserve their clients’ data and maintain its confidentiality;
7. The Child’s Protection Act regulates the use of children´s names and their protection against pornography, both on the Internet and in physical media;
8. The Electoral Code, which regulates electoral databases;
9. The Complementary Federal Law 105/01, which regulates confidentiality of financial data;
10. Internet Civil Rights Framework – Federal Law 12.965/14 (also know as “Marco Civil da Internet”), that regulates Internet services in Brazil and provides for several data protection rights to data subjects.

On top of that, for years a general data protection law has been under discussion. Several bills of law are currently being discussed at the National Congress. However, the most promising one is still under the arms of Executive Branch. The draft bill is influenced by the EU data protection and the General Data Protection Regulation, but in some aspects, such exceptions to consent based not only on legitimate interests of the data controller but also on legitimate expectations of the data subject, it is even more advanced than the GDPR. But all of these general regulation attempts might still take years to be enacted, leaving only a legal framework composed of sectoral protection.

Colombia

The Colombian Constitution provides for the fundamental rights to intimacy and data protection. Such rights are regulated by the Law 1266/08, which tackles obligations regarding credit, financial and banking use of personal data, and Law 1581/2012, which encompasses comprehensive data protection provisions. This law was complemented by the Decree 1377/2013, that enacted proceedings related to consent, treatment of sensitive data, how data subjects can exercise their rights and cross borders transfer of personal data.

Costa Rica

General Law on the Protection of Personal Data (Federal Law 8.968): This act is public and has the goal of guaranteeing to any person, regardless of their nationality, home address or domicile, the respect to their fundamental rights, especially the right to informational self-determination regarding their lives or private activities. It also highlights the protection to other personality rights, such as the defense of liberties and equality when it comes to automated or manual processing of data related to the person or their assets.

Mexico

Federal Law on Protection of Personal Data: This act aims to protect personal data stored by private entities, with the scope of regulating its legit treatment, in order to guarantee the privacy and right of people's informational self-determination. This act, which was enacted in 2010, was complemented in 2013 to provide guidelines to privacy notices, and in 2014 to implement parameters to self regulation.

Peru

Data Protection of Personal Data (Act 29.733/2011): This act has the scope of guaranteeing the fundamental right to protection of personal data, according to section 02, subsection 06 of the Political Constitution of Peru. This protection will be provided through the correct treatment of personal data, as a way to respect other fundamental rights recognized by the constitution. Even though the law was enacted in 2011, most of its provisions only entered into force in 2013 based on further regulation by decrees.

Uruguay

Protection of Personal Data (Act 18.331/2008): The first country in Latin American to enact a general law on the protection of personal data, this act provides that the right to protection of personal data is inherent to the human being, according to section 72 of the Republic Constitution. The data protection regime will be applied to personal data stored on any platform in which they can be processed and all manners in which the data can be of posterior use. The European Union recognized Uruguay with an adequate level of protection, which allows for international transfer of data to this country.

Venezuela

Even though Venezuela does not have a general data protection law, the Federal Constitution sets forth fundamental rights such as right to private life, intimacy, reputation and access to information stored on public databases. These rights and principles in general have been widely interpreted by the Supreme Court, which provided a body of precedents that can be used to protect personal data. The following principles have conferred based on Supreme Court’s binding decisions: purpose limitation principle; accuracy and self-determination principle; lawful data processing principle; and security principle, among others.

These are only general appointments regarding the current data protection body of laws in Latin America. Several other initiatives are also into place which might change the legal landscape of the future to come.

photo credit: ::In the middle of America:: via photopin(license)