Technology is booming in Latin America, and privacy laws and regulations are becoming more complex since more technology generally means more data processing.
Latin America is made up of 20 different, independent countries, so getting acquainted with 20 different laws can seem quite an ordeal.
Here’s how to understand your business’s privacy risk exposure in Latin America and the five basic principles of LATAM privacy laws.
5 Basic Principles of LATAM Privacy Laws
There is no document such as the GDPR applicable to the whole region, although most of the laws are based on the EU Data Protection Directive 95/46 EC (the EU Directive).
In general, most countries have a right of data self-determination in their constitutions, but specifically, all the countries can be divided into two teams.
Team one, in which we can find Mexico, Argentina, Uruguay, Costa Rica, and Nicaragua, comprises countries with a detailed framework and even Data Protection Agencies (DPA) to enforce it.
Team two, where we can find countries such as El Salvador, Guatemala, Venezuela, and Cuba, groups countries that don’t have a specific omnibus law regarding data self-determination or a DPA.
There are, as well, a set of countries transitioning from team two to team one, for example, Brazil and Paraguay.
Habeas Data (which literally means “to show – the controller – has the data”) is a catchy phrase used to refer to data self-determination rights, such as the right to access, rectification, or erasure of personal information.
Most of the Latin American countries grant these types of rights to data subjects, and provide detailed legal procedures to enforce them.
Corporate Governance and Policies
Some laws require controller companies to develop some corporate structures and privacy policies according to certain legal principles.
For example, Mexican law requires controllers to appoint a Data Protection Officer in charge of reviewing any Habeas Data complaint made by data subjects.
Information and Consent
The duty of information plays an important role in the region.
In jurisdictions such as Argentina or Colombia, controller companies have a duty to disclose all the details regarding the processing of personal information they gather.
Information to be disclosed commonly includes:
- Personal information gathered,
- A detailed explanation of what the controller uses the data for,
- A list of transfers to third parties,
- The name and address of the legal entity responsible for the database, and
- Procedures to exercise habeas data rights, among others.
Consent is paramount in most of the Latin American jurisdictions.
Almost every country with omnibus legislation requires it prior to the processing of data, each in its own way.
For example, Mexico and Colombia allow opt-out consent for general information but require opt-in consent in special circumstances, such as the processing of sensitive data (information regarding sexual orientation, religious views, ethnic origins, health condition, and political preferences, among others).
Whatever the case, the controller company is responsible for showing the DPA that it disclosed the information required by law and that it obtained consent before processing data.
Rules on Data Transfers
The general rule is data transfers can only be made with prior consent from data subjects.
However, international data transfers are regulated as well. Some countries require transfers to only be made to countries that show an “adequate level of protection”.
In either case, you had better double-check before transferring data, since fines or even criminal charges (misdemeanors or felonies) may apply if the transfers aren’t done correctly. You don’t want to risk it.
Privacy in Latin America is a complex and continuously evolving subject, which varies depending on the country you are doing business in.
Brazil’s Data Protection Law: LGPD
After several postponements, the omnibus Brazilian privacy law, the Lei Geral de Proteção de Dados (“LGPD”), entered into application on 18 September 2020.
The LGPD is a new law, providing the rules for the processing of personal data in Brazil by both private sector and public sector actors.
Immediately after the final vote deciding the entry date of the LGPD, the Brazilian government also published the decree establishing the Brazilian data protection authority.
Enforcement of the law, at least to the extent that penalties can be imposed, is poised to start in August 2021, but it will also depend on yet-to-be-created guidance from the regulator.
The LGPD builds on earlier privacy laws in Brazil and aims to provide a harmonized approach to the processing of personal data in all sectors.
The law is clearly inspired by the EU General Data Protection Regulation (GDPR), providing for a similar approach to compliance.
Nevertheless, there are key differences that organizations will need to be aware of when complying with the law. Just complying with the GDPR is not sufficient for compliance with the Brazilian LGPD.
And as with the GDPR, a tick-box exercise will not prove to be sufficient to comply.