Latin America

Image

Latin America Topic Page

Navigate by Topic

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources related to privacy in Latin America. The IAPP Resource Center also includes a “Brazil” topic page.

Featured Resources

Brazil

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources related to privacy in Latin America.
Read More

Privacy Around the Globe: Argentina

In this session, IAPP Vice President and Chief Knowledge Officer Caitlin Fennessy, CIPP/US, connects with Marval, O’Farrell & Mairal Partner Diego Fernández to take a close look at the changing privacy landscape in Argentina.
Read More

Cyber incident requirements in Latin American jurisdictions

It is critical to understand the requirements and procedures set by varying jurisdictions to ensure compliance and, at the same time, the security of personal data and data subjects. This article examines the cyber incident notification requirements in Argentina, Brazil, Colombia and Mexico.
Read More


Latin America Dashboard Digest newsletter

Keep up to date with the most important privacy and data protection news from Latin America by subscribing to the Latin America Dashboard Digest newsletter.

Additional News and Resources

Argentina's AAIP creates AI transparency and protection of personal data program

On 4 Sept., Argentina's data protection authority, the Agency of Access to Public Information, published Resolution No. 161/23. which created the Transparency and Protection of Personal Data Program in the use of Artificial Intelligence. The Director of the AAIP, Beatriz Anchorena, said, "We continue to strengthen institutional capacities to incorporate transparency and the protection of personal data … in the development and use of artificial intelligence."  The program's general objective is ... Read More

Ecuador's PDPL: Challenges before entry into force

The entry into force of the EU General Data Protection Regulation in May 2018 prompted the creation and adaptation of different regulations on personal data protection worldwide. Ecuador was no exception, and on 26 May 2021 the Organic Personal Data Protection Law, the first law in Ecuador focused exclusively on regulating and guaranteeing personal data protection, entered into force. The first transitory provision of the PDPL provided that "the corrective measures and the sanctioning regime wi... Read More

Argentina: Draft bill on personal data protection

In August, Argentina's Agency of Access to Public Information, the data protection authority of the Argentina Personal Data Protection Law, initiated the process aimed at reforming the personal data protection regime. Personal Data Protection Law No. 25,326 passed in 2000 and complemented by Regulatory Decree No. 1558/2001 and several resolutions, rules and guidelines issued by the DPA. During that time, no substantial amendments were introduced to the text of the PDPL. Meanwhile, Argentina joi... Read More

El Salvador passes Personal Data Protection Law

The Legislative Assembly of El Salvador's Economic Commission voted 56–0 to pass the Personal Data Protection Law. The regulation provides data subject rights, data security requirements and a tiered fining scheme. The law will take effect one year after it is published in the Official Gazette, but those covered under the law will receive a six-month grace period to transition their systems into compliance.Full Story... Read More

Ecuador's draft Data Protection Bill

Ecuador is on the cusp of having its first data protection law. The Data Protection Bill is currently being debated in Congress and follows the European regulatory standard. Data protection has not been a priority in the Ecuadorian legal system. Even though the Constitution recognizes the right of data protection and the constitutional guarantee of habeas data, there has not been a specific law created regarding the scope and obligations for data protection. Instead, data protection legislatio... Read More

Peru publishes 2020 activity report

Peru's National Authority for the Protection of Personal Data released its 2020 activity report. The ANPD carried out 305 inspections while processing 142 complaints and issuing fines totaling 3.5 million soles. The COVID-19 pandemic was noted as a factor for increased activity statistics as ANPD saw how "the massive collection of personal data by government agencies and individuals was intensified."Full Story... Read More

Updates to Argentina's health privacy laws

Recently and in the context of the COVID-19 pandemic, the Argentine Congress passed Law No. 27.553 on Electronic or Digital Prescriptions. The EoD Prescriptions Law provides for certain measures to modernize the Argentine health system. Among others, it allows health care providers to prescribe medicines through electronic or digital prescriptions and sign them by hand, electronically or digitally. The law also states the implementation of electronic and digital signatures on electronic or dig... Read More

Colombian DPA fines bank 269M pesos

Colombia's data protection authority, the Superintendencia de Industria y Comercio, announced Banco Popular was fined 269,046,492 pesos for violating the right to deletion under the Personal Data Protection Law. Following an investigation, the DPA concluded the bank took more than 10 months to delete an individual's personal data from its databases after requesting deletion for the purpose of halting advertising from the bank.Full Story... Read More

Latin America's open data risks

Many parts of the world are facing unique issues surrounding the COVID-19 pandemic. One thing that is for certain is that this pandemic will certainly revolutionize how open data, privacy and cybersecurity will interact with one another. As issues like contact tracing and suitable employer-employee conditions are presented, there will be an increased dependency on technology and information sharing. That is why it is important that there are appropriate conversations surrounding the protection o... Read More

Peru: Employers can process sensitive data without consent for now

The recent publication of the "Guidelines for Health Surveillance of Workers at Risk of Exposure to COVID-19" and the imminent economic reactivation of the country raised a number of questions and concerns regarding the correct treatment of the personal data of employees that would be subject to the monitoring of their health condition. That led the National Authority for the Protection of Personal Data to issue the non-binding Advisory Opinion No. 32-2020-JUS / DGTAIPD, which addresses these ma... Read More

Argentina and Uruguay publish 'Data Protection Impact Assessment Guidelines'

The Argentine Agency of Access to Public Information and Uruguayan Regulatory and Personal Data Control Unit recently published the “Data Protection Impact Assessment Guidelines.” The Uruguayan law already provides for mandatory privacy impact assessments, while that is not the case under current Argentinean law (although it has been included in the bill pending before Congress). The jointly published guidelines are primarily based on the laws of the EU member states and members of Convention 10... Read More

Argentina's DPA publishes annual report

The Agency of Access to Public Information, the controlling authority in charge of the enforcement of the Argentine Data Protection Law No. 25.326, has recently published its Annual Report 2018. Among other things,  the report highlighted the approval of two resolutions related to the guiding criteria for the implementation and enforcement of the applicable law (Resolution 4-E/2018 and Resolution 48/2018). Furthermore, taking into account the economic value of data in this digital age, it is st... Read More

The case for privacy education in K–12

The COVID-19 pandemic has accelerated the need to build privacy awareness among school-age kids. As students return to school virtually and busy parents adopt new educational applications and online classes to keep them busy, technology companies gather more data about us. They are aggregating and manipulating data in complex ways to help retailers and service providers sell goods and services, politicians get votes, and organizations influence individual opinions. Laws such as the U.S. Childre... Read More

Regional Resources

Argentina issues recommendations for reliable AI

During the last few months, much has been said about the use of artificial intelligence in all industries. Particularly, many have discussed the use of generative AI and, more precisely, ChatGPT (in its different versions), together with a letter signed by many technology industry leaders calling for precaution in developing and deploying AI tools. In that regard, Argentina does not have specific legislation regulating AI use, development and/or deployment. Although "artificial intelligence" ap... Read More

Ecuador's PDPL: Challenges before entry into force

The entry into force of the EU General Data Protection Regulation in May 2018 prompted the creation and adaptation of different regulations on personal data protection worldwide. Ecuador was no exception, and on 26 May 2021 the Organic Personal Data Protection Law, the first law in Ecuador focused exclusively on regulating and guaranteeing personal data protection, entered into force. The first transitory provision of the PDPL provided that "the corrective measures and the sanctioning regime wi... Read More

Chile's Chamber of Deputies approves personal data processing rules

Chile's Chamber of Deputies approved "the rules regarding the processing of personal data," which will now be taken up by the Senate. The rule would create the Agencia de Protección de Datos Personales to regulate the protection of personal data of Chilean citizens. Under the proposal, citizens are afforded the "right of access, rectification, deletion, opposition, portability and blocking of their personal data" and the processing of personal data is only lawful if the owner provides "free, inf... Read More

Privacy Around the Globe: Argentina

This LinkedIn Live is part of the IAPP Privacy Around the Globe series which takes a close look at the changing privacy landscape in different countries around the world. In this session, IAPP Vice President and Chief Knowledge Officer Caitlin Fennessy, CIPP/US, connects with Marval, O’Farrell & Mairal Partner Diego Fernández to take a close look at the changing privacy landscape in Argentina. Read More

Argentina: Draft bill on personal data protection

In August, Argentina's Agency of Access to Public Information, the data protection authority of the Argentina Personal Data Protection Law, initiated the process aimed at reforming the personal data protection regime. Personal Data Protection Law No. 25,326 passed in 2000 and complemented by Regulatory Decree No. 1558/2001 and several resolutions, rules and guidelines issued by the DPA. During that time, no substantial amendments were introduced to the text of the PDPL. Meanwhile, Argentina joi... Read More

FinTech in Costa Rica: The regulatory landscape and privacy as a priority

The thriving financial technology industry has transformed the financial products and services market. It encompasses a wide range of technology that allows users to make payments, obtain financing, invest and beyond. Fintech is attractive to users and companies alike due to the efficiency it offers by significantly reducing former challenges of time and distance. Also, inclusion is a key aspect of fintech: It makes managing financial tools accessible to more communities. However, the use of fin... Read More

Ransomware attacks lead to national emergency in Costa Rica

In the wake of cyberattacks targeting multiple government agencies, Costa Rica has declared a national emergency, BleepingComputer reports. The Conti ransomware group allegedly published 97% of the 672 GB of data it obtained from the agencies. The Ministry of Finance, Ministry of Labor and Social Security, and Ministry of Science, Innovation, Technology and Telecommunications are among the agencies impacted. President Rodrigo Chaves said the national emergency was enacted to give the country “a ... Read More

Russian ransomware group claims to publish Costa Rican government data on dark web

A Russian-linked ransomware group stole more than a terabyte of Costa Rican government data, Tech Monitor reports. Conti took credit for the attack, which targeted six Costa Rican governmental departments, including tax and customs administration and finance ministry. Conti demanded a $10 million payment by April 23. Following Costa Rica’s refusal to pay, the group claimed to release 80% of the stolen data on the dark web. The Costa Rican government website has been down since the attack took pl... Read More

Colombian DPA institutes alternative dispute resolution mechanism

According to the Red Iberoamerican Data Protection Network, Colombia's data protection authority, the Superintendencia de Industria y Comercio, rolled out an alternative dispute resolution mechanism for data controllers and data subjects. The virtual tool, SIC Facilita, will help parties mediate and reach an agreement on data protection claims. RIPD noted the benefits of the SIC's system, many of which drew back to time and costs saved for all parties while avoiding court proceedings.Full Story... Read More

El Salvador passes Personal Data Protection Law

The Legislative Assembly of El Salvador's Economic Commission voted 56–0 to pass the Personal Data Protection Law. The regulation provides data subject rights, data security requirements and a tiered fining scheme. The law will take effect one year after it is published in the Official Gazette, but those covered under the law will receive a six-month grace period to transition their systems into compliance.Full Story... Read More

Ecuador's draft Data Protection Bill

Ecuador is on the cusp of having its first data protection law. The Data Protection Bill is currently being debated in Congress and follows the European regulatory standard. Data protection has not been a priority in the Ecuadorian legal system. Even though the Constitution recognizes the right of data protection and the constitutional guarantee of habeas data, there has not been a specific law created regarding the scope and obligations for data protection. Instead, data protection legislatio... Read More

Updates to Argentina's health privacy laws

Recently and in the context of the COVID-19 pandemic, the Argentine Congress passed Law No. 27.553 on Electronic or Digital Prescriptions. The EoD Prescriptions Law provides for certain measures to modernize the Argentine health system. Among others, it allows health care providers to prescribe medicines through electronic or digital prescriptions and sign them by hand, electronically or digitally. The law also states the implementation of electronic and digital signatures on electronic or dig... Read More

Colombian DPA ratifies order for Uber to improve security measures

Colombia's data protection authority, the Superintendencia de Industria y Comercio, ratified security orders against Uber related to its 2016 data breach. The order, issued in June 2019, requires Uber to improve the security measures to ensure the protection of citizens' data. Uber has four months to comply with the order and must provide a certification issued by a national or foreign entity. Editor's note: University of the Andes' Alejandro Londoño Congote wrote about the DPA's order against U... Read More

COVID-19-related health data exposed in Argentina

The personal health data of 115,000 essential workers who applied for COVID-19 quarantine exemptions has been exposed in Argentina, Digital Journal reports. The data — including names and national and tax ID numbers — was contained in an unprotected Elasticsearch database and is believed to belong to the San Juan government and Ministry of Public Health, according to researchers.Full Story... Read More

Peru: Employers can process sensitive data without consent for now

The recent publication of the "Guidelines for Health Surveillance of Workers at Risk of Exposure to COVID-19" and the imminent economic reactivation of the country raised a number of questions and concerns regarding the correct treatment of the personal data of employees that would be subject to the monitoring of their health condition. That led the National Authority for the Protection of Personal Data to issue the non-binding Advisory Opinion No. 32-2020-JUS / DGTAIPD, which addresses these ma... Read More

White Paper – Assessing the Right to Personal Data Portability in Mexico

The right to personal data portability arises as a new complementary modality to the right of access to personal data that had its origin in the EU General Data Protection Regulation. Mexico, by enacting the personal data protection regulations in the public sector in January 2017, adopted this figure, creating an asymmetry among the personal data protection regulations held by private parties. Read More

Argentina and Uruguay publish 'Data Protection Impact Assessment Guidelines'

The Argentine Agency of Access to Public Information and Uruguayan Regulatory and Personal Data Control Unit recently published the “Data Protection Impact Assessment Guidelines.” The Uruguayan law already provides for mandatory privacy impact assessments, while that is not the case under current Argentinean law (although it has been included in the bill pending before Congress). The jointly published guidelines are primarily based on the laws of the EU member states and members of Convention 10... Read More

CPLT advocates for Chilean data protection law

The Chilean Transparency Council, Consejo para la Transparencia, proposed the country create data protection legislation to address issues brought forth by the COVID-19 outbreak. CPLT President Jorge Jaraquemada discussed the need to protect patient and individual privacy by creating an agency to ensure those protections are upheld. "It is necessary to establish an agency that is guarantor of the rights and responsibilities in data processing," Jaraquemada said. (Original post is in Spanish.)Ful... Read More

Argentina's DPA publishes annual report

The Agency of Access to Public Information, the controlling authority in charge of the enforcement of the Argentine Data Protection Law No. 25.326, has recently published its Annual Report 2018. Among other things,  the report highlighted the approval of two resolutions related to the guiding criteria for the implementation and enforcement of the applicable law (Resolution 4-E/2018 and Resolution 48/2018). Furthermore, taking into account the economic value of data in this digital age, it is st... Read More

What are privacy pros grappling with in Brazil, Mexico?

Privacy professionals all over the world have a lot on their plate. Laws continue to be proposed, passed and amended, and each piece of legislation comes with a brand new set of challenges to solve. No one has all of the answers. A panel at the IAPP Privacy. Security. Risk. conference took a look recent developments in Brazil and Mexico and some of the questions privacy professionals are grappling with in those two countries. An area of concern in both Brazil and Mexico is one that privacy pro... Read More

The Privacy Advisor Podcast: A look at privacy in Mexico and Brazil

While it's true privacy and data protection laws are undergoing shifts in many parts of the world, this is especially true for Latin America, where there is no shortage of legislative action. Brazil approved its general data protection law last year, and it will come into effect in early 2020. Just as the U.S. is seeing with the California Consumer Privacy Act, Brazil's law is now being amended in all kinds of ways ahead of implementation. Amendments to the LGPD, the acronym used for its formal ... Read More

Obtaining adequacy standing for Colombia

Many countries aspire to an adequacy decision from the European Commission. However, only a handful of countries have achieved that goal. In order to obtain an adequacy decision, a country needs to evaluate whether its data protection framework meets the new EU standards rather than focus on the novelties of the EU General Data Protection Regulation such as privacy by design, data protection impact assessments, the right to be forgotten or the right to data portability. The appropriate focus, t... Read More

Personal data protection is a constitutional right in Chile

Law No. 21.096 amending the Chilean Constitution was published June 16, thus establishing the protection of personal data as a constitutional right. Through this amendment, personal data protection was established as an autonomous right, but related to the right to privacy found in the same Article 19, N° 4 of the Constitution. By doing so, Chile has joined other Latin American countries, including Colombia, Mexico, and Ecuador, which have included in their respective constitutions the right to ... Read More

GDPR matchup: Mexico's Federal Data Protection Law Held by Private Parties and its Regulations

In this Privacy Tracker series, we look at laws from across the globe and match them up against the EU General Data Protection Regulation. The aim is to help you determine how much duplication of operational effort you might avoid as you move toward GDPR compliance and help you focus your efforts. In this installment, Miguel Recio, LLM in Data Protection, Transparency and Access to Public Information, compares key provisions of the Federal Data Protection Law Held by Private Parties and its Regu... Read More

Mexico's new public-sector data protection law

After several years and an essential constitutional reform, finally Mexico has a new Federal Law on Data Protection for the Public Sector. On Jan. 26, the General Law on Data Protection Held by Obligated Parties (in Spanish, Ley General de Protección de Datos Personales en Posesión de Sujetos Obligados) was published in the Official Federal Gazette. The law entered into force the following day and requires that the Federal Law on Transparency and Access to Public Information as well as other fe... Read More