Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.
In late April, the non-governmental organization VE Sin Filtro identified a data breach that exposed the personally identifiable information of more than 3.25 million Venezuelans and users of Movistar, a subsidiary of a telecommunications company in Spain.
Impacting more than 10% of Venezuela's nearly 30 million residents, the breach could be one of the largest recorded in the country.
Individuals' national identification numbers, full names, city of residence and phone numbers were exposed, opening up those affected to identity theft and other related crimes. At the time of the writing of this article, Movistar does not appear to have publicly addressed the breach or notified its customers.
Venezuela's lack of comprehensive data privacy regulation has enabled this situation to a large extent. In this day and age, a lack of standards regarding the protection of individuals' PII poses significant challenges and risks.
Venezuela's legal framework
In Venezuela, conversations and action around data protection have been reactive, emerging in response to individual cases brought before the courts. Considering Venezuela is a civil law country, most judicial precedent is merely a persuasive authority — aside from the Supreme Tribunal of Justice and the Constitutional Chamber of the Supreme Tribunal of Justice.
The country has taken a different route from the Organisation for Economic Co-operation and Development's privacy principles and has not followed the approaches of the EU or the U.S., which have developed comprehensive frameworks and regulations.
In 2011, the Venezuelan Supreme Tribunal of Justice established certain data protection principles in the Venezuelan Constitution. Article 28 ensures the right of habeas data, to access and know what data is being collected, and to correct and/or destroy personal data that could harm a citizen. Additionally, Article 60 ensures a right to privacy and to limit digital information gathering to protect citizens' rights.
The court further developed constitutional protections by providing guiding principles for personal data handling:
- Consent must be revocable and given prior to personal data use and collection.
- Data usage must comply with legal provisions relevant to what information is collected.
- Collection must have a predetermined valid purpose and should not be excessive.
- Data must be preserved until its intended purpose is fulfilled.
- Data should be complete and up-to-date with a clear procedure for the data subject's access.
- Protection must begin from the moment of collection and extend to any potential additional processing.
- Third parties are prohibited from altering data and must guarantee confidentiality.
- The government is tasked with creating an oversight agency to safeguard those rights.
- Violations will be subject to civil, criminal and administrative penalties.
Other decisions from the Constitutional Chambers have further developed interpretation of these rights as well as other standalone legal provisions and interpretations of existing regulations.
Finally, in August 2024, the government created the National Cybersecurity Council of Venezuela to implement cybersecurity measures. It is still not clear how the council will aid in the enforcement of data protection policies.
What's next?
Though Venezuela has made progress in incorporating data privacy into its legal landscape, its scattered regulation challenges the pragmatic protection of privacy rights.
Due to this fragmented approach, data privacy is not a subject in itself but becomes derivative of another matter. The decentralized nature of existing regulation poses several challenges for individuals seeking to know and understand their rights and how to enforce them.
For legal professionals and government agencies, the lack of comprehensive regulation makes it hard to integrate and incorporate privacy practices into their functions due to a lack of procedural guidance and clear policy frameworks.
A clear stance on data privacy and protection would help to foster potential innovation while protecting people from the misuse of their data through potential repercussions.
Months after the Movistar breach, key questions remain unanswered — including how it happened, whether affected users were notified, or if Movistar was legally obligated to issue any such notifications. Moreover, with no clear regulation requiring notification of a data breach to a government agency, it is uncertain whether the government launched an investigation.
As data breaches continue and sensitive data is exposed, more countries are implementing robust legal and technical protections, including restricting international transfers of sensitive data to jurisdictions with inadequate legal safeguards.
In this digital, global and interconnected age, being disconnected from the markets is a luxury Venezuela can't afford; this security incident highlights the need for improvements to remain competitive in the international economy.
The Movistar breach presents a critical opportunity to push for the development and enforcement of comprehensive data privacy regulations in Venezuela — ensuring that future breaches are properly addressed and the affected individuals have access to proper redress.
Eduardo Monteverde, CIPP/E, CIPP/US, CIPM, is senior contract analyst for the Public Service Enterprise Group.