Recent Privacy and Data Protection Developments in Latin America and Their Impact on North American and European Multinational Companies - IAPP Global Privacy Summit (Washington, DC April 21, 2010)
1. IAPP Global Privacy Summit
(Washington, DC April 21, 2010)
https://www.privacyassociation.org/events_and_programs/global_privacy_summit/
Alberto Cerda
Cédric Laurant
Renato Opice Blum
Recent Privacy and Data Protection Developments in Latin America
Their Impact on North American and European Multinational Companies
Presentation available at http://cedriclaurant.files.wordpress.com/2010/05/iapp_presentation-fv-ppt3.pdf
2. 2
Outline
Introduction
A. Recent legislative, case law and public policy developments in
privacy in Latin America
B. How new developments in the E.U. and the U.S. are influencing
the public policy debate about privacy in Latin America
C. Impact of new developments on multinational companies doing
business in the LAC region
Q&A
IAPP Global Privacy Summit
Washington, DC 2010
6. 6
Introduction
Habeas data:
Constitutional right granted in several Latin American
countries; designed to protect, by means of an
individual complaint presented to a constitutional
court, the image, privacy, honour, information
self-determination and freedom of information of a person.
7. 7
Outline
Introduction
A. Recent legislative, case law and public
policy developments in privacy in Latin
America
B. How new developments in the E.U. and the U.S. are influencing
the public policy debate about privacy in Latin America
C. Impact of new developments on multinational companies doing
business in the LAC region
Q&A
10. 10
PRIVACY
LEGAL VIEW
DATA PROTECTION
11. 11
BRAZIL
CONSTITUTION
Section 5.10 – Intimacy, privacy, honor and image of persons – INVIOLABLE.
Section 5.12 – Secrecy of correspondence and Telecom – INVIOLABLE.
CIVIL CODE
Section 20 – Disclosure of writings, the transmission of the word, or publication,
display or use of the image of a person.
Section 21 – Private life of a person – INVIOLABLE.
EXPECTATION OF PRIVACY
SÃO PAULO STATE COURT DECISION
Violation of image rights, privacy, intimacy and honor by being photographed and filmed (in
intimacy) on location – Spanish beach – Injunction to terminate the exhibition of movies and
photos on websites because of the presumption of lack of consent to the publication, with a
daily penalty payment of $250,000.00 to inhibit infringement of the command to abstain.
The paparazzi are known for aggressively working with the capture of images, which characterizes
the illegality of their activities [voyeurism]. Denying injunctive relief would reward the work of these
professionals that do not require authorization for their photos and, especially, to legalize the
sensationalism and scandal propagated by the media, without permission of those involved.
12. RIO DE JANEIRO STATE COURT - INTERLOCUTORY APPEAL 12
SEARCH ENGINE FILTER
“I note that the injunction has already been accomplished by placing a FILTER
ON THE SEARCH ENGINES, in this manner, it seems more reasonable to
maintain the status quo, pending the examination of the matter, without any
harm to the plaintiff and without prejudice for the defendant, which has fully
complied with the measure.”
(Interlocutory appeal 20006.002.05508)
ARGENTINA
In the two search engines (Google and Yahoo) it’s possible to make a search that avoids
the appearance of certain word search results. In fact, this procedure could be configured
to avoid a certain word being linked with others in certain types of search or any search,
it is technically possible to adapt the search for information, avoiding
certain words. IT IS POSSIBLE TO SET UP FILTERS THAT DO NOT ALLOW STATIC
LINKING SITES TO INDEX CERTAIN WORDS WITH PORNOGRAPHIC, EROTIC OR
SEXUAL CONTENT, AND ESTABLISH OTHER INDEX IMAGES THAT DO NOT
ALLOW CERTAIN PEOPLE(…) The content selection control can not affect the
operation of a search engine site and/or access to Internet content by users.
(99.620/06)
13. ARGENTINA – COURT DECISION 13
SEARCH ENGINE FILTER
MARADONA FORBIDS GOOGLE TO ASSOCIATE
HIM TO SITES WITH SEXUAL CONTENT
14. BRAZIL – PARANA STATE COURT 14
NEWS ON THE INTERNET CAUSES HARM TO CITIZEN’S HONOR
HE WAS NOT GUILTY, BUT THERE WAS NO NEWS ABOUT THAT,
ONLY ABOUT THE ONGOING LAWSUIT.
JUDGE ORDERS GOOGLE TO SET UP A FILTER TO RANDOMIZE RESULTS WITH
THE PLAINTIFF’S NAME, ENABLING VARIETY OF NEWS
PARANA STATE COURT 1819/2008
16. BRAZIL 16
TRACKING DEVICE
PUBLIC ATTORNEY’S OFFICE REQUESTS THAT
VEHICLES NOT BE MANUFACTURED WITH TRACKING
DEVICE, CONSIDERING PEOPLE’S PRIVACY.
Source: IDG Now! (http://migre.me/oOUI)
17. BRAZIL 17
CONSUMER DEFENSE CODE
Section 43 – Database access.
Section 72 – Block access. Penalty – detention from six
months to one year or a fine.
PRIVACY
SANTA CATARINA STATE
COURT DECISION
Consumer Defense Association
causes damages to consumers
disclosing its database to third
parties. Association must include a
warning about the disclosure and
ask for permission.
18. BRAZIL 18
WIRETAPPING – ACT 9296/1996
Section 1 – Interception of telephone communications – flow of
communication.
Section 10 – Intercept communication or break secret of Justice, without
judicial authorization – confinement from two to four years and fine.
PRIVACY
SÃO PAULO STATE COURT DECISION
Breach of confidentiality of correspondence, telegraphic, data and telephone
communications - Nonoccurrence - Seizure of emails in possession and knowledge
of the recipient by a court order - strong suspicions that the material might
enlighten the criminal infraction – interpretation of art. 5, XII of the Constitution.
THERE IS NO VIOLATION OF THE SECRECY OF CORRESPONDENCE.
19. ARGENTINA – CONSTITUTION 19
PRIVATE LIFE
Section 19.
The private actions of men which in no way offend public
order or morality, nor injure a third party, are only
reserved to God and are exempted from the authority of
judges. No inhabitant of the Nation shall be obliged to
perform what the law does not demand nor deprived of
what it does not prohibit.
20. ARGENTINA – CIVIL CODE 20
Section 1071 bis:
Whoever arbitrarily interferes in the lives of others,
publishing pictures, disclosing correspondence,
mortifying sentiments or disturbing privacy anyway, will
be compelled to cease such activities, if not previously
ceased, and to pay fair compensation to be determined by
the Court, under the circumstances.
21. ARGENTINA – DATA PROTECTION ACT – 25326/2000 21
GENERAL PRINCIPLES OF DATA PROTECTION. RIGHTS OF
HOLDERS OF DATA. AND USERS OF ARCHIVES, RECORDS
AND DATABASES
General Provisions (Section 1 to 2)
General principles of data protection (Section 3 to 12)
Rights of data holders (Section 13 to 20)
Users and files, records and databases responsible
(Section 21 to 28)
Control (Section 29 to 30)
Sanctions (Section 31 to 32)
Personal data protection actions (Section 33 to 48)
22. ARGENTINA – COURT DECISION 22
COURT DENIES TEXT MESSAGE AS EVIDENCE OF
INFIDELITY OF WIFE
http://adirferreira.files.wordpress.com/2009/02/sms.jpg
“Inviolability of correspondence
and telecommunications, in this
case, the interception of text
messages is only possible with
request to Court.”
23. PARAGUAY – CONSTITUTION 23
Section 135.
Everyone may have access to information and data about
themselves, or on their property contained in official or
private records with public aspects, and to know the use
made of them and their purpose. Everyone may request
the Court to update, correct or destroy any records that
are erroneous or that unlawfully affect their rights.
24. PARAGUAY – PRIVACY ACT – 1682/2001 24
REGULATES PRIVATE INFORMATION
Section 3
The collection, storage, processing and publication of data or
personal characteristics is permitted when made for scientific,
statistical, survey and public opinion or market study purposes, provided
that no publications individualize investigated persons or entities.
Section 4
It is forbidden to publicize or disseminate sensitive information in
which people are explicitly individualized or identifiable.
Sensitive data is considered to be data relating to race or ethnicity,
political preferences, individual health status, religious,
philosophical or moral sexual intimacy and, generally, data that
promote prejudice and discrimination, or affect the dignity,
privacy, image, domestic intimacy and privacy of individuals or
families.
25. URUGUAY – ACT – 18331/2008 25
GENERAL PROVISIONS (Section 1 to 4)
GENERAL PRINCIPLES (Section 5 to 12)
RIGHTS OF DATA HOLDERS (Section 13 to 17)
SENSITIVE DATA (Section 18 to 23)
PUBLIC DATABASE (Section 24 to 27)
PRIVATE DATABASE (Section 28 to 30)
CONTROL (Section 31 to 36)
PERSONAL DATA PROTECTION ACTIONS (Section 37 to 45)
TRANSITIONAL PROVISIONS (Section 46 to 49)
26. 26
Telecommunications – Breach of confidentiality - "E-mail" sent from Brazil to
the electronic address of the White House in the City of Washington, DC,
written in English, containing threats to physical integrity of the person of the
American President and his family – The Police Service Provider requested to
provide identity and address of user connected at that moment to such “IP”
number – Notification rejected under the protection that the data request is
guaranteed by the Constitution for federal services telecommunications, so
that they would be subject to the breaking procedures imposed by Law No.
9296/96, especially with regard to the need for a court order - Habeas Corpus
to not be prosecuted for disobedience. Habeas corpus denied.
Need of legal authorization for the breach of confidentiality of
telecommunications - postal, telephone or transmission of messages or data.
27. SUPREME LABOR COURT 27
PASSWORD IS A PROTECTION TOOL FOR THE EMPLOYER
Password does not imply any expectation of privacy regarding corporate email,
once the PASSWORD IS A PROTECTION TOOL OF THE EMPLOYER,
TO PREVENT THIRD PARTIES NOT RELATED TO HIS
CONFIDENCE TO ACCESS THE CONTENT OF MESSAGES. (…) Also,
there is no harm to the principle of inviolability of intimacy and privacy (Sect.
5, X, FC), once there is no intimacy or privacy of the employee to be
guarded with respect to the use of corporate email available by the
Company. Otherwise, the employee had no reasonable expectation of privacy,
which is conveyed by the statement that the corporate e-mail was intended
"only to issues and matters affecting the service" (fl. 636). Lastly, there is no
harm to the principle that ensures admissibility in the process of evidence
obtained by illegal means (Sect. 5, LVI), the corporate e-mail is a Company
property, merely transferred to the employee for working purposes, the
employer may exert control both on form and material (content) of the
messages that travel through his information network.
28. ARGENTINA – COURT DECISION 28
E-MAIL MONITORING
E-mail at work. Private use. Importance as a work tool. Privacy. Need
for clear policies on its use. Dismissal for cause. Rejection.
(CAUSE 15198/2001 S. 36580)
“e-mail has more privacy protection than the classic post, because to
operate it, it is required the use of a service provider, a user name and
password, no doubt, to prevent others from breaking into the data and
content sent/received. (…) according to constitutional perceptions,
addition of proofs concerning the alleged emails are violation of the
privacy with the consequent harm of his dignity and self-
determination.”
(C. 35.369 Ins. 18/156)
29. BRAZIL – SOME CASES 29
MEDICAL CLINIC
database copy / unfair competition
M COMPANY
illegal video
BROKER COMPANY
database breach / unfair competition
T COMPANY
database breach
CHEMICAL INDUSTRY COMPANY
database breach
RACE DRIVER
image damage
BEVERAGE COMPANY
483 confidential files
30. THE ARROWS POINT TO… 30
31. GREETINGS 31
Ambassador Roberto Campos: “the ones that
stay in this House have before them a
formidable reformist agenda. I wish them the
same as theologian Reinhold Niebuhr did:
‘That God give you the serenity to accept things
that cannot change, courage to change those
things that can change and wisdom to know the
difference between them’.”
32. 32
MEXICO
CONSTITUTION
- Since 2007, the Constitution expressly acknowledges the right
of personal data protection as a fundamental right.
- “The information pertaining to private life and personal data
shall be protected pursuant to the terms and exemptions set
forth in the laws.” “Every person, without the need to prove
his own legal interest or justify his use, shall have free access
to public information, to his own personal data and the
correction of such data.”
- In 2009, the Constitution mandates Congress to enact a data
protection law for the private sector within 12 months from the
publication of the reform. Deadline is April 30, 2010.
33. 33
MEXICO
LEGAL FRAMEWORK AT THE FEDERAL LEVEL
- There is no comprehensive law on personal information
protection.
- There are several laws about privacy and data protection in
specific fields, such as finance and banking, consumers' rights,
credit information, telecommunications and national security.
- The Federal Law of Transparency and Access to the Government
Public Information (LFTAIPG) standardizes principles under
which the various organs of the State must process citizens'
personal data.
- Federal Consumer Protection Law sets forth restrictions on
direct marketing and credit reporting agencies.
34. 34
MEXICO
LEGAL FRAMEWORK AT THE STATE LEVEL
- In the Mexican federal system, states have some leeway to
adopt a data protection law. In fact, some of them have
adopted this kind of regulation. For example:
- In 2003, the State of Colima enacted a Personal Data
Protection Law whose purpose is to protect and guarantee
the protection of personal data as a fundamental human
right.
- In 2005, the State of Jalisco modified the state Civil Code
in order to regulate the protection of personal data,
including data contained in electronic registries of private
entities.
35. 35
MEXICO
LEGAL FRAMEWORK AT THE STATE LEVEL
- In 2006, the state of Guanajuato adopted the Personal Data
Protection Law, which includes the creation of the State's
Personal Data Protection Register and the Institute of Access to
Public Information of Guanajuato, which is the authority in
charge of guaranteeing personal data protection.
- In 2009, the state of Tlaxcala passed an Access to Public
Information and Personal Data Protection Law, which
regulates processing of personal data by the public and the
private sector. The law creates the Personal Data Register and
the Commission for Access to Public Information and Personal
Data Protection of the State of Tlaxcala, the enforcement
authority.
36. 36
MEXICO
SELF-REGULATION
- In 2004, Mexico supported the APEC Privacy Framework, and became one of
the main actors promoting self-regulation among APEC economy
members.
- In 2007, the Mexican Advertising Internet Association (AMIPCI) released its
trustmark, “Sello de Confianza AMIPCI.” The trustmark seeks to enhance
security on e-commerce transactions and represents an acknowledgement that
institutions and businesses adhering to AMIPCI’s trustmark include privacy
and information policies based on international privacy guidelines.
- Around 300 organizations have adopted the trustmark.
- Unfortunately, the system does not promote standardization in privacy and
information policies among its users. Additionally, some findings have
shown inconsistencies: 5% of memberships are expired, 5% of websites do
not include the mark, and 17% of websites do not make policies available.
Overall, there is 23% non-compliance.
37. 37
MEXICO
OBSTACLES TO OVERCOME
1.- Proliferation of federal regulation and absence of a general legal
framework for the whole country.
2.- Differences between state regulations.
3.- Lack of provisions about transborder data flows.
4.- Absence of a national public authority in charge of supervising
compliance, providing assistance, and coordinating internationally.
RELEVANT INTERNATIONAL INSTRUMENTS
OECD Recommendations on Privacy.
Mexico has been an OECD member since 1994.
APEC Privacy Framework, 2004.
Economic Partnership, Political Coordination and Cooperation
Agreement between the European Community and its Member
States, and the United Mexican States, 2000.
38. 38
MEXICO
BILLS ON PERSONAL DATA PROTECTION
- Since 2001, there have been six data and privacy bills, which are modeled loosely on
international data protection standards such as those found in the EU Data
Protection Directive, the Spanish Data Protection Law, the OECD Guidelines on the
Protection of Privacy and Transborder Flows of Personal Data, and the APEC Privacy
Framework.
- In 2007, the Federal Institute of Access to Public Information signed an MOU with
the Spanish data protection authority, in order to promote the protection of personal
information and improve the collaboration between them.
- In 2007, Commissioners of the Federal Institute of Access to Public Information
unanimously approved the creation of a working group to develop a data protection
bill.
- In 2009, the Constitution obliged the Congress to enact a data protection law for
the private sector within 12 months from the publication of the reform. The deadline
is April 30, 2010.
39. 39
CHILE
CONSTITUTION
Article 19 – Secures for all persons, the respect and
protection of private life, the honor of an individual and his
family, as well as the inviolability of the home and of all
forms of private communications. The home may be invaded
and private communications and documents intercepted,
opened, or inspected only in cases and manners determined
by law.
Article 20 – Judicial Remedy (Action of Protection)
2008: a Bill modifies the Constitution and introduces the
right to control the information about oneself.
40. 40
CHILE
GENERAL LAW
Law 19.628 on the Protection of Private Life (1999) – A
comprehensive law that covers the processing and use of
personal data in the public and private sectors, and the rights
of individuals (of access, correction, and judicial control).
The law contains a chapter dedicated to the use of financial,
commercial and banking data, and specific rules addressing
the use of information by government agencies. It also
includes fines and damages for the unlawful denial of access
and correction rights.
Several bills intend to modify the law, in order to improve
consumers’ personal data protection, introduce
competitiveness in the market for credit reports, and adopt
provisions about cross-border personal data transfer.
41. 41
CHILE
SPECIAL LAWS
LABOR CODE (LAW 19.759, 2001)
Employers cannot condition the hiring of an employee on the lack
of personal or economic debts.
Employers cannot violate the privacy of an employee in the
workplace.
LABOR DECISION
CONTROLLING E-MAIL AT THE WORKPLACE
According to the law, in managing his company, an employer
can regulate the use of e-mail within the company, but in
no case can he access the private electronic communications
sent or received by workers.
(Opinion No. 260-19, Labor Office (Dirección del Trabajo), Jan. 24,
2002)
42. 42
CHILE
SPECIAL LAWS
CREDIT REPORT
Supreme Decree (executive decision) 950, 1928, guarantees a virtual
monopoly to the Chamber of Commerce of Santiago (CCS) for processing
personal data related to credit reports. However, by the ‘90s, there were
three other main companies providing credit reports in the country, two of
them American.
Law 19.628 also regulates the kind of information that can be included in such
reports, and sets forth some requirements for its processing.
MODIFICATION ON CREDIT REPORTS
Starting in January 2010, a new law guarantees the right of
personal data subjects to modify and delete outdated and/or
wrong personal information, for free.
(Supreme Decree 998, 2006,
Minister of Economy and Minister of Treasury)
43. 43
CHILE
SPECIAL LAWS: SPAM REGULATION
LAW 19.955, 2004
Law 19.955, by modifying the Consumer Protection Law, regulates unsolicited
commercial communications (spam).
1.- Opt-out system
2.- Formal requirement for electronic commercial mail.
3.- Fines in case of new communication after opt-out.
ECONOMIC SANCTION AGAINST SPAMMERS
In December 2007, the National Service of Consumers took a
decision against a company that continued sending unsolicited
commercial mail, even after the plaintiffs requested removal
from the list. The decision imposed a fine of approximately
$2,000.
(Court of Appeals of Santiago, December 17, 2007)
44. 44
CHILE
OBSTACLES TO OVERCOME
1. Some ambiguities exist in the applicable law, such as “public access
source”, “purpose of data processing”, “requirement of consent” (by data
subject), and scope of data processing by the public sector.
2. Lack of provisions about transborder data flows.
3. Absence of a data protection authority in charge of supervising
compliance, providing assistance, and coordinating internationally.
PERSONAL DATA PROTECTION COOPERATION
Chile entered into a bilateral association agreement with
the EU by which the two parties agree to cooperate on
increasing the level of data protection in their
jurisdictions.
(Article 30 of the European Union-Chile
Association Agreement, 2003)
45. 45
CHILE
PRIVATE SECTOR SELF-REGULATION INITIATIVES
- Chile is part of the APEC Privacy Framework, 2004.
- E-Trust Initiatives: There have been some initiatives of self-regulation
and self-control, but none of them proved successful.
- Confiare, an e-trust service that provided protection in processing
children’s personal data, by the National Chamber of Commerce, 2003.
- Code of Best Practices for e-Commerce of the Chamber of Commerce of
Santiago, 2005.
PUBLIC ENFORCEMENT OF DATA PRIVACY LAWS
Starting in 2009, the Law of Public Transparency and
Access to Public Information provides that the “Transparency
Council” shall supervise the implementation of the
personal data protection law, but only in the public sector.
Applies to government contractors.
(Law 20.285, August 20, 2008,
about access to public information)
46. 46
CHILE
RECENT DEVELOPMENTS:
ENFORCING THE LAW IN THE PRIVATE SECTOR
- European Union-Chile Association Agreement, 2003.
- Agreement between the Chilean Government and the Spanish Data
Protection Authority, March 2008.
- Executive Branch introduces bill in Congress that modifies the Data
Protection Law, Nov. 2008.
- The proposal is still under discussion in Congress.
PURPOSE OF THE BILL
- Provides an “adequate level of protection” for personal
data.
- What does it mean?
1. Transparency Council will have competence over
private sector, in order to supervise the compliance.
2. Adoption of provisions in transborder data flows.
3. Satisfies OECD and EU standards.
47. 47
CENTRAL AMERICA
COSTA RICA
EL SALVADOR
GUATEMALA
HONDURAS
NICARAGUA
PANAMA
48. 48
CENTRAL AMERICA
PROTECTION AT THE CONSTITUTIONAL LEVEL
- No Central American country expressly recognizes the
right to data protection.
- However, most countries provide constitutional protection for the
“right to privacy”, except Panama and Guatemala.
- Countries do not have “habeas data” at the constitutional level, but
some of them have a general constitutional remedy.
PROTECTION IN THE LAW
- No Central American country has a comprehensive personal data
protection law.
- Most countries have legal provisions that protect personal data in
their laws on access to information and public transparency
(Panama, 2002; Honduras, 2006; Nicaragua, 2007; and
Guatemala, 2008).
- There are telecommunication laws and credit reporting laws.
49. 49
CENTRAL AMERICA
INTERNATIONAL INSTRUMENTS
- Political Dialogue and Cooperation Agreement between the EU
and Central America, 2003: parties agree to cooperate on
protection in the processing of personal data.
BILL ON PERSONAL DATA PROTECTION
- At least two Central American countries have
legislative discussion on bills that would regulate
data protection: Nicaragua and Costa Rica. One of
the proposals discussed in Costa Rica intends to adopt
a comprehensive regulation similar to the European
one.
50. 50
BOLIVIA
CREATION OF A GOVERNMENTAL REGISTRY OF ALL MOBILE
PHONE USERS
to prevent, reduce and detect theft of mobile phones or
their loss;
in order to control their second hand sale or use for
criminal activities.
51. 51
COLOMBIA
NEW HABEAS DATA LAW (2008)
Regulates the constitutional right of habeas data (the right of data
subjects to know the data held about them in public or private
databases, and to update or correct it if necessary).
Focuses on the protection of credit reports and financial personal
information.
Lacks teeth to address international data transfer issues: scope
too limited to provide enough protections for information
processed by European companies’ subsidiary call centers based
in Colombia.
Adequate protection? No. European Commission’s opinion:
adequate to regulate the financial sector, but not medical,
religious, ethnic, and other type of personal data.
Does not solve most of the issues. Quick and limited fix for now.
Effectiveness of enforcement will depend on how supervisory
authorities exercise their mission.
52. 52
COLOMBIA
NO-SPAM REGISTRY FOR MOBILE PHONE USERS
National telecoms regulatory authority proposed to create a
national registry where users could subscribe their mobile
phone number and request to be excluded from receiving
unwanted SMS messages.
Purpose: decrease the number of unsolicited text messages
on mobile phones.
ICT ACT 1341 OF 30 JULY 2009
Main objectives: protect users’ rights and regulate the sector
through the Superintendency of Industry and Commerce,
the National Radio Spectrum Agency and the telecoms
regulatory authority (CRT).
53. 53
COLOMBIA
WORKPLACE PRIVACY CASE
A company manager filmed a female co-worker with a
remote webcam linked to his laptop. He was sentenced to a
fine and the payment of moral damages worth about
$18,000. (Supreme Court, Ruling No. 26157 of July 29,
2008.) The court held that the filming and photographing of
workers’ intimacy without the workers’ consent, constitutes
a violation of privacy.
The Criminal Code establishes penalties for the violation of
communications, the offer, sale or purchase of instruments
to intercept private communications, and the violation of
privacy and intimacy in the workplace.
54. 54
COLOMBIA
NEW CYBERCRIME LAW 1273 OF 2009
Criminalizes the illegal acquisition and sale of personal data,
phishing, hacking, use of malware and viruses, computer
theft.
PRIVACY IN E-GOVERNMENT SERVICES
General obligation of all government entities that use
electronic resources to manage the information of citizens in
a manner respectful to their privacy.
Decree No. 1151 of 2008 establishes general principles to
follow in how online services are provided by the
government.
Protection of privacy is further regulated by the Ministry of
Communications’ “e-Government Policy Manual,”
applicable throughout all governmental entities.
55. 55
PERU
NO DATA PROTECTION LAW.
NO DATA PROTECTION AUTHORITY
BILL STILL UNDER DISCUSSION
In the Council of Ministers; not introduced yet in the
Parliament.
Draft bill contains provisions on data subjects' rights, data
controllers' obligations, the supervisory authority (assigned to
the National Office of e-Government and Informatics (ONGEI)),
as well as sanctions. If the bill is passed, existing data
protection regulations (including bank, credit card and
medical information regulations) would have to be adapted.
56. 56
PERU
CREATION OF NEW PUBLIC AND PRIVATE DATABASES ON
THE RISE
NEW REGULATION ON ELECTRONIC SIGNATURES
All governmental agencies’ procedures, as well as all personal
data stored in databases, must follow the Legal Privacy
Guidelines.
57. 57
PERU
NEW ELECTRONIC ID
Purposes: provide more security and reduce forgery.
May be used as a means of payment to file documents
through e-government portals (e.g., tax filing), for e-voting,
and to hold various types of information such as medical
information. May also be used later in cybercafes.
ANTI-SPAM LAW
Was modified to clarify the complaint procedure and
increase applicable fines. In Sept. 2009, the Consumer
Protection Commission (INDECOPI) passed a resolution
sanctioning a Peruvian company for sending spam.
58. 58
PERU
FREE TRADE AGREEMENTS
Peru signed them in Nov. 2008 with the US and Canada.
Bilateral negotiations under way with the EU, South
Korea and China.
The e-commerce chapter of the Peru-Canada free trade
agreement includes a data protection clause:
Article 1507: Protection of Personal Information: the Parties
recognize the importance of the protection of personal
information in the online environment. To this end, each
Party should “adopt or maintain legal, regulatory and
administrative measures for the protection of personal
information of users engaged in electronic commerce; and
exchange information and experiences regarding their
domestic regimes on the protection of personal information.”
59. 59
PERU
ELAC REGIONAL INITIATIVE
Considers ICTs as instruments for economic development and
social inclusion. Long-term vision (until 2015) in line with the
Millennium Development Goals and those of the World
Summit on the Information Society.
“SAN SALVADOR COMMITMENT” (2008)
2nd Ministerial Conference on the Information Society in Latin
America and the Caribbean.
Mandates the Working Group on the Information Society’s Legal
Framework to “facilitate dialogue and coordination of various
regulatory initiatives at the regional and local levels that may
contribute to the region’s regulatory harmonization, especially on the
topics of privacy and data protection”; “invites countries to consider
the possibility of ratifying or acceding to the Council of Europe
Cybercrime Convention as an instrument to facilitate [the] integration
and regulatory adaptation in this area within the framework of
principles of protection of the right to privacy.”
60. 60
PERU
MAJOR CORRUPTION AND POLITICAL AND CORPORATE
ESPIONAGE CASE (2008-2009)
Prompted the Ministry of Transport and Communications to
enact a Ministerial Resolution to safeguard the right to the
inviolability of communications and data protection, and to
regulate the supervisory and control activities of franchisee
companies. Among the new obligations, the operators must
submit an annual report on measures and procedures
established to protect the secrecy of telecommunications
and the protection of personal data of their subscribers to
the General Directorate for Control of the MTC.
The case: illegally obtained wiretapped conversations revealed the corruption of
the Director of Petro-Peru (the government body responsible for promoting oil
investment) and a former Peruvian Minister by a Norwegian oil company that was
bidding for oil lots in its favor. The disclosure of the audio recordings on national
TV caused the resignation of the entire cabinet and the Peruvian government
suspended all contracts with the Norwegian company. A company, Business
Track, was allegedly hired to intercept telephone communications for an oil
company that competed with the Norwegian company. In Jan. 2009, the
Prosecutor convicted five marines and three civilians involved in the illegal
wiretapping.
61. 61
Outline
Introduction
A. Recent legislative, case law and public policy developments in
privacy in Latin America
B. How new developments in the E.U. and the
U.S. are influencing the public policy debate
about privacy in Latin America
C. Impact of new developments on multinational companies doing
business in the LAC region
Q&A
62. 62
B. How new developments in the E.U. and the U.S. are
influencing the public policy debate about privacy in
Latin America
US bilateral free trade agreements
APEC Privacy Framework
EU “adequate protection”
Data protection authorities’ work and best
practices
63. 63
Outline
Introduction
A. Recent legislative, case law and public policy developments in
privacy in Latin America
B. How new developments in the E.U. and the U.S. are influencing
the public policy debate about privacy in Latin America
C. Impact of new developments on
multinational companies doing business in the
LAC region
Q&A
64. 64
C. Impact of new developments on multinational
companies doing business in the LAC region
STATE OF THE ART
Legal mosaic
Fragmentary approach on the regulation of personal data protection:
- each country adopts its own regulation
- no serious multilateral initiative on the matter.
- OAS’s initiative did not work.
- Nothing done by MERCOSUR, Andean Commission, and
CARICOM (Caribbean Community).
International standardization not successful in Latin America
In spite of the efforts of the EU, the OECD, and APEC, there is no harmonization
among member economies.
Lack of political commitment on the matter. In general, quite difficult to find
political or technical counterparts in Latin American countries.
Too much is going on in Latin America. But, in general, it is possible to identify at
least two clear tendencies: 1) Harmonization around EU standards; and 2) Inclusion
of privacy in public transparency and access to information laws.
65. 65
C. Impact of new developments on multinational
companies doing business in the LAC region
DOING BUSINESS: IF YOU NEED AN ADEQUATE LEVEL OF
PROTECTION
“Adequate level of protection” is the standard adopted and
recognized by the European Union for third countries when a data
controller exports data from the EU to one of those countries.
Argentina is the only country that complies with EU adequacy
standards. In 2003, the EU certified the Argentinean economy as one
that provides an adequate level of protection.
1st “B PLAN”: Business initiatives in other LATAM countries require
authorization by European authorities. It has been the preferred
solution adopted in Colombia and Chile.
Keep in mind the cost of getting the European authorization (money,
time, and expertise).
66. 66
C. Impact of new developments on multinational
companies doing business in the LAC region
DOING BUSINESS: IF YOU NEED AN ADEQUATE LEVEL OF
PROTECTION
2nd “B Plan”: Adopting Binding Corporate Rules. These are binding
rules adopted by companies and approved by the European Union that
allow them to process personal data in global initiatives.
Also keep in mind the cost of getting the European homologation (money,
time, and expertise); in fact, those rules better fit the requirements of
multinational initiatives.
Legislative landscape is changing. Because of the comparative advantages
of being a country that provides an adequate level of protection, Latin
American countries are moving in that direction.
Uruguay should soon qualify as an “adequate” country by the EU.
Chile, Colombia and Mexico are legislating on the subject.
67. 67
C. Impact of new developments on multinational
companies doing business in the LAC region
DOING BUSINESS:
IF YOU DO NOT NEED TO COMPLY WITH THE EUROPEAN
‘ADEQUACY’ STANDARD
Do not confuse lack of “adequate level of protection” with no protection
at all. The fact that most countries do not have a comprehensive data protection
law does not mean that those countries do not have any protection at all.
It ain’t the ‘Wild West’. Almost every Latin American country has constitutional
protection and general provisions about privacy in civil and criminal laws.
Sometimes that level of protection can be enforced against the private sector.
=> Even without a privacy law, a company can be sued under most LAC countries’
constitutions.
Several countries have fragmentary regulation. This is particularly true in
fields such as telecommunications, public transparency and access to information,
consumer protection, credit reports, and spam regulation.
=> Compliance requires hiring local counsel.
68. 68
C. Impact of new developments on multinational
companies doing business in the LAC region
HOW LIKELY ARE LAC COUNTRIES TO ADOPT NEW DATA
PROTECTION LAWS?
TRANSBORDER DATA FLOWS AND CALL CENTERS -
DIFFERENCE BETWEEN US AND EU COMPANIES
a) Brazil
b) Chile
c) Colombia
BPO sector and call centers intend to get a broader Habeas
Data law in order to obtain the acknowledgment of adequate
protection pursuant to the EU DP Directive and establish
call centers that are subsidiaries of EU companies.
Adequacy examination started in March 2010 and may last
until 2012.
Colombia is losing ground to competitors (Argentina
and other countries) for a sector that could provide Colombia
with up to 100,000 new employees in 2010.
69. 69
C. Impact of new developments on multinational
companies doing business in the LAC region
CONSUMER PROTECTION, CONSUMER TRUST AND DATA
PROTECTION
Lower in LAC countries; no strong consumer
protection agency and poor enforcement of consumer
protection laws.
Ratio legis of data protection laws: promotion of
consumer trust and cross-border flows of personal
data.
What business stance to adopt in Latin America?
70. 70
Outline
Introduction
A. Recent legislative, case law and public policy developments in
privacy in Latin America
B. How new developments in the E.U. and the U.S. are influencing
the public policy debate about privacy in Latin America
C. Impact of new developments on multinational companies
doing business in the LAC region
Q&A
71. 71
Alberto Cerda, Law Professor, University of
Chile Law School; LL.M. Student (Georgetown
University)
acerda [at] uchile [dot] cl
Cédric Laurant, Independent Privacy
Consultant
http://blog.cedriclaurant.org - cedric [at] laurant [dot] org
Renato Opice Blum, CEO and Partner, Opice
Blum Advogados Associados (Brazil)
http://www.opiceblum.com.br - renato [at] opiceblum [dot] com [dot] br