
Reproduced with permission from World Data Protection Report, 16 WDPR 06, 6/28/16. Copyright © 2016 by The Bureau of National Affairs, Inc. (800-372-1033) http://www.bna.com

In this third article of a four-part series on the status of data protection laws, the author explores developments in the Western Hemisphere (Latin America, the Caribbean, and Canada), where 15 jurisdictions now have comprehensive data protection laws.

Western Hemisphere

Data Privacy Laws in the Western Hemisphere (Latin America, Caribbean and Canada)

By Cynthia Rich

Introduction and Region at-a-Glance

Fifteen jurisdictions in the Western Hemisphere (Latin America, Caribbean and Canada) now have comprehensive privacy laws including: Antigua and Barbuda, Argentina, Aruba, Bahamas, Canada, Chile, Colombia, Costa Rica, Curacao, Dominican Republic, Mexico, Nicaragua, Peru, Trinidad and Tobago (currently, the only provisions in force pertain to the establishment of the data protection authority) and Uruguay. Saint Lucia adopted legislation in 2011, but the law hasn’t yet gone into effect. The laws in Argentina, Canada and Uruguay (12 WDPR 16, 9/21/12) have been deemed by the European Commission to provide adequate protection.

Other countries such as Bermuda, Brazil (16 WDPR 05, 5/26/16), Ecuador, Jamaica and Panama, and territories such as the Cayman Islands have draft bills that have either been or are expected to be introduced to their legislatures. In addition, Chile, which has had a high-level data protection law since 1999, may amend its existing law to include registration, impose cross-border restrictions and establish a data protection regulator.

Cynthia Rich is a senior advisor at the Washington office of Morrison & Foerster LLP. As a member of the firm’s international Privacy and Data Security Practice since 2001, Ms. Rich works with clients on legal issues relating to privacy around the world.

WORLD DATA PROTECTION REPORT >>>

BNA International Inc., a subsidiary of The Bureau of National Affairs, Inc., U.S.A.

VOLUME 16, NUMBER 6 >>> JUNE 2016

This article examines the commonalities and differences among the privacy laws in the region and discusses current trends and new developments.

Common Elements Found in Latin American Laws

Notice:

All of the laws in this region include some type of notice obligation. That is, every law requires that individuals be told what personal information is collected, why it is collected and with whom it is shared.

Choice:

Every privacy law also includes some kind of choice element. The level or type of consent varies significantly from country to country. For example, Colombia has a much stronger emphasis on affirmative opt-in consent than Canada and Mexico, but all of the laws include choice as a crucial element in the law.

Security:

Furthermore, all of the laws require organizations that collect, use and disclose personal information to take reasonable precautions to protect that information from loss, misuse and unauthorized access, disclosure, alteration and destruction. Some of the countries, such as Argentina and Mexico, have specified in greater detail how these obligations are to be met. The Argentine requirements are quite similar to those in Spain.

Access and Correction:

One of the core elements of every privacy law is the right of all individuals to access the information that organizations have collected about them and, where possible and appropriate, correct, update or suppress that information. Interestingly, compared to their European and Asian counterparts, most countries in the region require organizations to respond to access and correction requests in a much shorter period of time.

Data Integrity:

Organizations that collect personal information must also ensure that their records are accurate, complete and kept up-to-date for the purposes for which the information will be used.

Data Retention:

Generally, these laws require organizations to retain the personal information only for the period of time required to achieve the purpose of the processing. Some laws may mandate specific retention periods, while others set limits on how long data may be retained by an organization once the purpose of use has been achieved.

Differences in Approaches

While core data protection principles and requirements are embodied in all of these laws, specific requirements, particularly with respect to cross-border transfers, registration, data security, data breach notification and the appointment of a data protection officer (DPO), vary widely from each other and from laws in other regions.

For example, two-thirds of the countries in this region restrict cross-border transfers of personal information to countries that do not provide adequate protection. However, unlike the European approach (and more like the approach in countries such as Kazakhstan, Singapore or South Korea), there is a heavy reliance on consent to legitimize transfers to inadequate countries. Some permit the use of contracts or internal rules in lieu of consent, and some require both. In almost all cases, the data protection authorities (DPAs) haven’t specified what must be contained in these contracts or rules. Most of the laws in this region do permit companies to transfer data to another country if it is a contractual necessity. But transfers in most countries can’t be legitimized based on the legitimate interests of the company (unlike in many European countries). From a practical point of view, most of the DPAs in the region have not issued lists of countries that they believe provide adequate protection; thus, companies are left to assume that all countries are deemed to be inadequate and must put in place mechanisms (such as consent or contracts) to satisfy the rules.


The differences widen when comparing their respective rules on registration, data breach notification, security and DPO obligations: More than one-third of the countries require registration and notification in the event of a data breach and one-quarter require the appointment of a DPO. In addition, almost two-thirds of the laws in the region require that access and/or correction requests be responded to within 10 days (an exceedingly short time frame), and almost one-quarter protect personal information of both natural and legal persons.

Lastly, two of the countries, Nicaragua and Costa Rica, have unusual provisions. In Costa Rica, organizations that register databases with the DPA must provide the regulator with an access profile so that the DPA may access and consult the database, at any time and without restriction. In Nicaragua, the law provides for the right to be forgotten, a provision that is beginning to pop up with greater frequency in privacy litigation and proposed legislation.

A careful read of these laws is imperative, therefore. These differences pose challenges to organizations with respect to the adjustments that may be required to global and/or local privacy compliance practices as well as privacy staffing requirements. Compliance programs that comply with only European Union and Asian obligations will run afoul of many of the country obligations in this region.

06/16 COPYRIGHT © 2016 BY THE BUREAU OF NATIONAL AFFAIRS, INC., WASHINGTON, D.C. WDPR ISSN 1473-3579

A country-by-country summary of the obligations in these key areas is provided below. Other noteworthy characteristics are also highlighted and, where applicable, the responsible enforcement authority is identified. In addition, a chart is provided at the end to show at a glance the countries with mandatory cross-border, DPO, data security breach notification and registration obligations.

Trends

Enforcement

Violations of these laws can result in significant criminal and civil and/or administrative penalties being imposed; however, the level of enforcement by the authorities within the region has been relatively low, in part because it has taken time for some of the authorities to establish themselves. Of all of the authorities in the region, the DPA in Mexico has been the most active in issuing fines, some of which have been quite high. For example, in September 2015, the DPA announced its plans to impose three fines amounting to 32 million Pesos (approx. $2 million) on banking institution Grupo Financiero Banorte for, among other things, collecting sensitive personal information without obtaining the individual’s express written consent, maintaining personal databases that contain present and future health data of persons without a legal justification to process this information, and failing to provide notice.

DPAs in Colombia and Peru are also starting to become more active, and there have been recent cases in which they have imposed large fines for privacy violations. For example, in September 2015, the Colombian DPA fined a shopping mall $22,503 for violating its notice obligations; in September 2014, it fined an umbilical cord stem cell bank $50,000 for privacy law violations involving the use of sensitive personal information for marketing purposes without the individual’s consent. In 2014, the Peruvian DPA fined the Peruvian company datosperu.org approximately $78,600 for publishing sensitive personal information of two citizens on its Web page without their consent.


The other country in the region that actively protects privacy rights is Brazil, despite the fact that it doesn’t yet have in place a comprehensive privacy law. Private lawsuits and government enforcement actions are actively pursued whenever an individual’s rights to privacy, as provided for under the Constitution, Civil Code, Consumer Protection Law and the recently enacted Internet Bill of Rights (Internet Law), are perceived to have been violated. In particular, the enactment of the Internet Law in April 2014 has sparked enforcement actions by the Consumer Protection Agency and the Public Attorney’s Offices at the federal and state levels. The Internet Law prohibits Internet service providers, search engines, social media websites and online retailers who collect personal information from Brazilian consumers from sharing personal information as well as connection and application access logs with third parties, except with the user’s express consent. In addition, there is a provision that allows the government to enforce against offshore businesses that collect, maintain or store data from Brazilian users.

In 2014, the Consumer Protection Agency fined the Brazilian telecommunications company Oi SA 3.5 million Reals ($1.2 million) for recording and selling subscriber browser data. Oi partnered with a U.K.-based online advertising company Phorm to develop profiles of users’ browsing practices, which were then sold to online advertising firms to generate customized advertisements.


Privacy Legislation Under Development

Several jurisdictions in the region that do not have laws in place are currently developing legislation. Three of these jurisdictions have held public consultations: Bermuda, Brazil and the Cayman Islands. During its public consultation in July 2015, the Bermuda government unveiled its draft model law which, in addition to the basic privacy law elements discussed above, would require organizations that transfer personal information to third parties to remain accountable for such transfers by ensuring that the third party provides a comparable level of protection. The provisions somewhat resemble those found in the Australian law but with some additional flexibility.

The Brazilian Ministry of Justice held its public consultation in January 2015. If adopted, Brazil’s proposed law would apply to the processing of personal information by public and private sector organizations, regardless of the country in which the organizations are headquartered and the country in which the databases are located, provided that the processing is carried out in Brazil or the personal information is collected within Brazil (e.g., the individual is located in Brazil at the time the data are collected).

The proposed scope of the law appears to cover outsourced data processing in Brazil and, as a result, may impose a complex and burdensome set of rules on such activities. Moreover, the proposed law would restrict cross-border transfers to countries that don’t provide similar protection unless one of the limited exceptions applied or the individual specifically consented to the transfer after being given information on the international character of the operation and the risks involved in the transfer, based on the vulnerabilities specific to the destination country. The regulator would identify which countries don’t provide similar protection. The draft law also would require the appointment of a DPO and the regulator to be notified about data breaches. Individuals would have to be given immediate notice of a data breach involving their personal information in cases where the incident jeopardized their personal safety or could cause them damage.

The Cayman Islands conducted its public consultation in late 2014. Its proposed law would establish a DPO, require registration and data breach notification and restrict cross-border transfers.

Elsewhere in the region, legislation is reportedly under development in Ecuador, El Salvador, Jamaica, and Panama. In Jamaica, the State Minister for Science, Technology, Energy and Mining announced in November 2015 that a draft Data Protection Act is being circulated for review and comment by key stakeholders and the bill is expected to be tabled in Parliament by the end of the 2016 legislative year.

Amendments to Existing Privacy Laws

There are also countries in the region such as Canada, Chile, Costa Rica and Mexico that are working on amending their existing privacy laws. Late in 2014, the government of Chile held a public consultation on its proposed legislation. The proposed legislation was submitted to Congress but no action has been taken yet. If adopted, the bill would, among other things, create a data protection authority, require registration of databases and impose restrictions on cross-border transfers.

In Costa Rica, amendments are under consideration to address concerns about certain provisions in the implementing regulations. In particular, the amendments seek to better define the transferring of personal data within companies belonging to the same economic group, as well as providing that not all transferring of data entails an economic profit for any of the parties. Furthermore, the proposed amendment seeks to remove the provisions regarding the Super User.


Canada amended its data privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), with the enactment of the Digital Privacy Act in June 2015. Certain amendments took effect immediately, such as the narrowing of the exceptions for business contact information and the addition of several new consent exceptions, including for disclosures to investigate law violations or carry out fraud detection and prevention. In addition, the Privacy Commissioner was given additional authority to enter into a compliance agreement with an organization if the Commissioner reasonably believes that the organization has committed, is about to commit or is likely to commit a breach of PIPEDA.

Lastly, in Mexico, there are plans to introduce a privacy bill in 2016 that combines regulation over the public and private sectors. According to an official at Mexico’s data protection authority, the National Institute of Transparency, Access to Information and Protection of Personal Data (INAI), the bill is expected to, among other things, provide for extra-territorial jurisdiction over companies that aren’t located in Mexico but that handle data in Mexico, establish the right to data portability that will enable individuals to migrate their data from the cloud, e-mails or social media activities from one company to the other, strengthen employee privacy rules (e.g., prohibit ‘‘excessive monitoring’’ of employees at or outside of work), specify data security measures for large and mid-size companies, require appointment of a DPO, and strengthen the INAI’s enforcement authority.

Country-by-Country Review of Differences

ANTIGUA AND BARBUDA

The Data Protection Act (Antigua and Barbuda Law), enacted in 2013, protects personal data processed by public and private sector organizations.

In Brief

The Antigua and Barbuda Law does not require database registration, impose mandatory DPO, data security breach, or detailed security obligations, or restrict cross-border transfers.

Special Characteristics

Data Protection Authority

The Information Commissioner, pursuant to the Freedom of Information Act 2004, is responsible for enforcement of the Antigua and Barbuda Law. There is no website available for the Information Commissioner.

Consent

Consent is required to process personal data unless an exception applies (e.g., contractual necessity, legal obligation, or vital interests). Explicit consent is required to process sensitive personal data.

Definition of Personal Data

Personal data are defined as any information processed in the context of ‘‘commercial transactions’’. Such commercial transactions, whether contractual or not, include any matters relating to the supply or exchange of goods or services, investments, financing, banking and insurance. Sensitive personal data are defined as any personal data relating to the physical or mental health or condition of an individual, sexual orientation, political opinions, religious beliefs, or commission of criminal offenses (proven or alleged).

ARGENTINA

The Personal Data Protection Act (Argentine Law (in Spanish)), enacted in 2000, protects all personal information of natural persons (living and deceased) and legal entities recorded in public or private data files, registers and data banks, established for the purpose of providing reports. Argentina was the first country, and currently only one of two countries in Latin America, to be recognized by the European Union as providing an adequate level of protection for personal information transferred from the EU/European Economic Area.

In Brief

The Argentine Law restricts cross-border transfers to countries that don’t provide adequate protection, requires registration and imposes detailed security requirements. However, there is no obligation to give notice in the event of a data security breach or appoint a DPO.

Special Characteristics

Data Protection Authority

The National Directorate for Personal Data Protection, located within the Justice and Human Rights Ministry, is responsible for enforcement of the Argentine Law.

Western Hemisphere Privacy Laws

Countries with Privacy Laws                     Registration   DPO          Cross-Border   Data Security Breach
                                                Requirement    Required 1   Limitations    Notification Requirement 2
Western Hemisphere (15)                         6              4            9              6
Antigua & Barbuda                               No             No           No             No
Argentina                                       Yes            Yes          Yes            No
Aruba                                           No             No           Yes            No
Bahamas                                         No             No           No             No
Canada                                          No             Yes          No             Yes
Chile                                           No             No           No             No
Colombia                                        Yes            Yes          Yes            Yes
Costa Rica                                      Yes            No           No             Yes
Curacao                                         No             No           Yes            No
Dominican Republic                              No             No           Yes            No
Mexico                                          No             Yes          No             Yes
Nicaragua                                       Yes            No           Yes            No
Peru                                            Yes            No           Yes            Yes
Trinidad & Tobago (law not yet fully in force)  No             No           Yes            No
Uruguay                                         Yes            No           Yes            Yes

1 In some jurisdictions, the appointment of a DPO may exempt the organization from its registration obligations.

2 This chart identifies only those jurisdictions that have enacted legally binding data breach notification requirements. It does not reflect the local notification practices or the DPA’s expectations about whether organizations should provide notice. Consequently, organizations should consider a variety of factors, not just whether the rules are legally binding.

Source: BNA (BNA Graphic/rich07g1)

Cross-Border Transfers

The transfer of personal information to countries outside Argentina that do not provide an adequate level of data protection is prohibited, unless the individual has provided his/her express consent to the transfer or another exception applies. However, the DPA hasn’t officially recognized any jurisdiction as having an adequate or inadequate level of data protection.

Consent is not required to transfer to a service provider in an inadequate country, provided that there is an appropriate contract in place. The DPA has approved specific clauses for certain contracts, but it has done so on a case-by-case basis. Until recently, there were no models issued by the DPA. Now, however, the DPA has made available text clauses that it will use as a parameter for assessing international transfer agreements.

Data Security

After the Argentine Law was enacted, regulations imposing additional security requirements were issued. See Disposition 11/2006 (Security Measures), Sept. 20, 2006, available in English (unofficial translation), and in Spanish. The security measures are divided into three levels: basic or low level measures for all databases containing personal information; medium level measures for private companies acting as public utilities or public companies, and where the owner of the database is bound by a duty of secrecy imposed by law (e.g., bank secrecy); and high level or critical level measures for all databases containing sensitive personal information.

Registration

Organizations must register their databases with the DPA. The registration covers the processing of all personal information for all purposes.

ARUBA

The Personal Data Protection Ordinance (Aruba Law), enacted in 2011, establishes rules for the protection of privacy in connection with the collection and disclosure of personal information of natural persons by both the public and private sectors. The Aruba Law applies to all files of data controllers established in Aruba, regardless of where such files are located (in or outside Aruba), provided that the files contain personal information of individuals settled in Aruba.

In Brief

The Aruba Law imposes restrictions on cross-border transfers but doesn’t require database registration, the appointment of a DPO or data security breach notification.

Special Characteristics

Data Protection Authority

The Minister of Justice is responsible for enforcement of the law.

Cross-Border Transfers

The Aruba Law prohibits transfers of personal information into the files to which the law isn’t applicable, to the extent that the Minister has declared that such transfers would result in a serious disadvantage for individuals’ privacy. The Minister can issue a waiver for files located outside Aruba if the law of the country in which the file is located provides an equivalent level of privacy and data protection.

BAHAMAS

The Data Protection (Privacy of Personal Information) Act 2003 (Bahamas Law) protects the personal information of natural persons and applies to processing of such data by both the public and private sectors.

In Brief

The Bahamas Law does not require database registration, impose mandatory DPO and data security breach obligations or restrict cross-border transfers. However, with respect to the latter three areas, the DPA has issued nonbinding guidance. In addition, the Bahamas Law is unusual because there are no explicit notice and consent requirements.

Special Characteristics

Data Protection Authority

The Office of the Data Protection Commissioner is responsible for investigating any contraventions of the Bahamas Law, either of its own volition or as a result of a complaint by an individual concerned.

Notice and Consent

While there are no explicit notice and consent requirements set forth in the Bahamas Law, the DPA interprets the obligation to collect and process personal information fairly to mean that individuals must be made aware of certain information regarding the processing of their personal information and must consent to that processing, or one of the other conditions specified in the Bahamas Law must apply.

Cross-Border Transfers

The DPA has the authority to prohibit the transfer of information outside the Bahamas where there is a failure to provide protection either by contract or otherwise equivalent to that provided under the Bahamas Law. The DPA has issued nonbinding guidance listing the conditions, similar to those found in EU laws, which need to be met to transfer personal information cross-border.

Data Protection Officer

There is no obligation under the Bahamas Law to appoint a DPO; however, the DPA recommends it.

Data Security Breach Notification

There is no obligation on organizations to give notice in the event of a data security breach; however, there is voluntary DPA Guidance on Managing a Data Security Breach. The guidance states that organizations may choose to provide notice in the event of a breach of security resulting in unauthorized access to; alteration, disclosure or destruction; or accidental loss or destruction of personal information.

CHILE

Law No. 19.628 of Protection of Personal Data (Chilean Law), the first privacy law enacted in Latin America in 1999, regulates the processing of personal information of natural persons by both the public and private sectors.

In Brief

The Chilean Law doesn’t restrict cross-border transfers or impose data security breach notification, DPO or registration requirements. Unlike most privacy laws, the Chilean Law doesn’t establish a DPA to oversee enforcement; civil courts are responsible for enforcing the law.

CANADA

The Personal Information Protection and Electronic Documents Act regulates the collection, use, and disclosure of personal information of natural persons by private sector organizations for commercial purposes, with limited exceptions (e.g., where the organization is handling personal information in a province with substantially similar provincial legislation and the organization is provincially regulated).

In the context of an employment relationship, the collection, use and disclosure of employees’ personal information by an employer is covered only where the employer is a private-sector Federal Work, Business or Undertaking, meaning a federally-regulated entity (e.g., organizations in the transportation, communications, broadcasting and banking sectors). Canada is regarded as providing an adequate level of protection for personal data transferred from the EU/EEA.

In Brief

The Canadian Law requires the appointment of a DPO and will require breach notification when the July 2015 amendments take effect. However, there are no cross-border restrictions or special security or registration requirements.

Special Characteristics

Data Protection Authority

The Privacy Commissioner of Canada (DPA) is responsible for investigating complaints, conducting audits and pursuing court action under two federal laws. It also publicly reports on the personal information-handling practices of public and private sector organizations and promotes public awareness and understanding of privacy issues. The DPA doesn’t have the authority to order compliance, award damages or levy penalties.

Cross-Border Transfers

There are no express limitations in the Canadian Law on cross-border transfers. In fact, the Canadian Law does not distinguish between domestic and international transfers of data. However, any organization that has transferred personal information to a third party (including an affiliate) for processing generally remains responsible for that personal information. The organization that transfers personal information to any foreign service provider must use contractual or other means to provide a comparable level of protection while the personal information is in the possession of the foreign entity.

Data Breach Notification

In June 2015, Parliament passed amendments to the Canadian Law requiring mandatory breach notification, which will come into force on a future date as yet to be specified. Organizations will be required to report to the Commissioner and notify affected individuals of a breach where the breach poses a ‘‘real risk of significant harm’’ to affected individuals. Organizations must also notify government institutions and other organizations in prescribed circumstances, including where the organization believes that the government institution or other organization may be able to reduce or mitigate the risk of harm to affected individuals. Until these amendments come into force, there is currently no legal obligation to give notice in the event of a data security breach; however, the DPA has issued voluntary breach notification guidelines.

The Guidelines recommend that notice be given when there is unauthorized access to or collection, use or disclosure of personal information that creates a risk of harm to the individual, assessed on a case-by-case basis. The organization that has the direct relationship with the individual customer, client, or employee should notify the affected individuals, including when the breach occurs at a third party service provider, unless in the given circumstances direct notice by the third party service provider is more appropriate.

Data Protection Officer

Organizations must appoint an individual or individuals who are accountable for the organization’s compliance with the Canadian Law. Although other individuals within the organization may be responsible for the day-to-day processing of personal information, accountability rests with the designated individual.

COLOMBIA

Enacted in October 2012, Law No. 1581 ‘‘Introducing General Provisions for Personal Data Protection’’ (Colombian Law) sets forth general rules for the protection of personal information of natural persons by both the public and private sectors, including special protections for children. The Colombian Law is intended to complement a law enacted in 2008 that applies to personal credit information only. Organizations had six months (until April 17, 2013) to come into compliance with the Colombian Law.

In Brief

The Colombian Law imposes DPO, data security breach notification and registration requirements and restricts cross-border transfers to countries that don’t provide adequate protection. In addition, certain data security measures are required.

WORLD DATA PROTECTION REPORT ISSN 1473-3579 Bloomberg BNA 06/16

Special Characteristics

Data Protection Authority

The Personal Data Protection Division, the organization within the Superintendence of Industry and Commerce responsible for performing the functions of the DPA, is authorized to carry out investigations on the basis of complaints or on its own initiative.

Cross-Border Transfers

The transfer of personal information to countries outside Colombia that do not provide an adequate level of data protection is prohibited unless the individual has provided his/her express consent to the transfer, the transfer is necessary to execute a contract between the individual and the organization, or another exception applies. The DPA may approve transfers to non-adequate countries that don’t fall under one of the above-listed exceptions by issuing a conformity declaration (declaración de conformidad). The additional requirements and obligations that must be satisfied before the DPA may issue such declarations are expected to be addressed in the forthcoming implementing regulations.

Data Protection Officer

Every organization and service provider must appoint a person or department responsible for protecting personal information and processing requests from individuals who seek to exercise their rights under the law.

Data Security

The DPA is required to issue instructions on the security measures for processing personal information. If an organization breaches its duties and obligations under the law and the DPA has to decide whether or not to impose penalties, it will take into account the extent to which the organization has in place proper security policies and measures for the proper handling of the personal information.

Data Security Breach Notification

Both the organization and the service provider must inform the DPA about any violations of security codes and any risks in the administration of individuals’ information. There is no obligation to give notice of such breaches directly to individuals.

Registration

Organizations and service providers that carry out processing of personal information in Colombia must register with the DPA. It is quite unusual to require service providers to file registrations with the DPA. The National Registry was officially launched in November 2015.

COSTA RICA

Law No. 8968 on the Protection of the Person Concerning the Treatment of Personal Data (Costa Rican Law) came into force Sept. 5, 2011 (11 WDPR 17, 10/28/11). It applies to automatic and manual processing of personal information of natural persons by both public and private entities. Companies had until March 5, 2013 to bring their practices into compliance with the Costa Rican Law.

In Brief

The Costa Rican Law requires data security breach notification and registration. It also imposes special data security and ‘‘Super User’’ obligations but doesn’t require the appointment of a DPO or restrict cross-border transfers. However, there are general rules that apply to all data transfers.

Special Characteristics

Data Protection Authority

Prodhab, established in March 2012, is responsible for creating a database registry, ensuring compliance with the Costa Rican Law and issuing implementing regulations.

Cross-Border Transfers

There are no limitations on cross-border transfers; however, the general rules for any transfer of databases and/or personal information apply. In particular, express written consent (or a contract) is required to share or transfer personal information. The Costa Rican Law does not include any other legal bases for transferring data, and this rule applies broadly to all transfers without explicit indication of whether the transfer occurs within or outside Costa Rica.

Data Security

In addition to the basic security obligations, the Costa Rican Law requires organizations to issue a ‘‘Performance Protocol’’ that will regulate all the measures and rules to be followed in the collection, management and handling of personal information. In order to be considered valid, the Performance Protocol (and any subsequent amendments) must be registered with the DPA.

Data Security Breach Notification

Organizations must inform individuals about any irregularities in the processing or storage of their personal information, or when the organization becomes aware of such irregularities. Irregularities include but are not limited to loss, destruction and/or misuse that result from a security vulnerability or breach. Organizations must inform individuals within five working days from the time the vulnerability occurs so that the individuals may take appropriate action.

Registration

Every database that is established for distribution, promotion or commercialization purposes must be registered with the DPA. According to a FAQ posted on the DPA website, human resources databases that are used for the exclusive use of the company do not need to be registered.

06/16 COPYRIGHT © 2016 BY THE BUREAU OF NATIONAL AFFAIRS, INC., WASHINGTON, D.C. WDPR ISSN 1473-3579

‘Super User’

The Costa Rican Law has a very unusual requirement not found in any other privacy law worldwide. Organizations that register databases with the DPA must provide the regulator with an access profile so that the DPA may access and consult the database at any time and without restriction. In FAQs issued by the DPA on its website, the DPA states that it will only access databases in response to a complaint or when there is evidence of possible law violations. It further states that the ‘‘Super User’’ provision should not be interpreted as providing the DPA with absolute power to access all information contained in these databases. In particular, the DPA does not have the ability to access databases containing information on banking transactions, suppliers and corporate financial statements.

CURACAO

The Personal Data Protection Act (Curacao Law), which took effect Oct. 1, 2013, regulates the processing of personal information of natural persons by both the public and private sectors. The Curacao Law is modeled on the Dutch Data Protection Law.

In Brief

The Curacao Law restricts the cross-border transfer of personal information to countries that don’t provide adequate protection. However, there are no DPO, data security breach notification or registration requirements. There is also no required time frame specified for responding to access or correction requests.

Special Characteristics

Data Protection Authority

The College Bescherming Persoonsgegevens supervises compliance with the Curacao Law.

Cross-Border Transfers

Personal information may only be transferred to a country outside the Kingdom of the Netherlands (Editor’s note: the Kingdom of the Netherlands consists of the Netherlands, Aruba, Curacao and Sint Maarten) if that country ensures an adequate level of protection. Where there is no adequate level of protection, the data transfer may take place provided that:

• the individual has provided his/her explicit consent;
• the transfer is necessary for the performance of a contract between the individual and the data controller, or for actions to be carried out at the request of the individual which are necessary for the conclusion of a contract;
• the transfer is necessary for the conclusion or performance of a contract concluded or to be concluded between the data controller and third parties in the interests of the individual;
• the transfer is necessary on account of an important public interest, or for the establishment, exercise or defense in law of any right;
• the transfer is necessary to protect the vital interests of individuals;
• the transfer is carried out from a public register set up by law or from a register that can be consulted by anyone or by any persons who can invoke a legitimate interest, provided that in the case concerned the legal requirements for consultation are met; or
• the transfer has been approved by the DPA.

DOMINICAN REPUBLIC

The Organic Law 172-13 on the Protection of Personal Data (Dominican Law), which took effect Dec. 13, 2013, is the most recent law enacted in the region. The Dominican Law protects personal information filed in public or private archives, public records and data banks intended to provide reports. The Dominican Law also regulates credit information companies, the provision of credit reference services and the supply of information on the market to ensure respect for privacy and the rights of the information owners.

In Brief

In contrast to the cross-border rules found in other countries in the region, the Dominican Law imposes a common set of legal bases for all international transfers, regardless of their destination. Registration/supervision requirements apply only to public or private data banks that are intended to provide credit reports. Such data banks are subject to the inspection and supervision of the Superintendence of Banks. There is also no obligation to appoint a DPO or to notify individuals or the regulator in the event of a data security breach. The Dominican Law does not establish a DPA to oversee compliance; however, the Superintendence of Banks is the entity authorized to regulate credit information companies.

Special Characteristics

Cross-Border Transfer

Personal information may only be transferred internationally in certain circumstances, such as where:

• the individual consents to authorize the transfer of information, or the laws so allow;
• the transfer is necessary for the execution of a contract between the individual and the organization, or for the execution of pre-contractual measures;
• the transfer concerns bank or securities transfers with regard to the respective transactions and in accordance with the applicable legislation;
• the transfer has been agreed or considered in the framework of international treaties or conventions, or in free-trade treaties to which the Dominican Republic is a party; or
• the transfer of legally required information is to safeguard the public interest or for the acknowledgement, exercise or defense of a right in a judicial process, or is required by a tax or customs administration to fulfill its duties.

MEXICO

The Federal Law on Protection of Personal Data Held by Private Parties (Mexican Law), enacted in 2010, regulates the processing of personal information of natural persons by private sector organizations but doesn’t apply to duly licensed credit reporting companies.

In Brief

The data protection rules in the Mexican Law have a number of important differences from those found elsewhere in the region. For example, the notice and data security obligations are subject to detailed rules. Unlike many laws in the region, the Mexican Law does not require registration, but it does require the appointment of a DPO and data security breach notification. In addition, domestic and international transfers are largely subject to the same requirements.

Special Characteristics

Data Protection Authority

The Federal Institute for Access to Information and Data Protection (IFAI) is responsible for disseminating information on data protection and for overseeing compliance with the Mexican Law.

Notice

In 2013, the DPA issued Guidelines that provide for three different types of privacy notices: comprehensive, simplified and short. A comprehensive privacy notice must always be made available; however, depending on the circumstances of the data collection, a simplified or short privacy notice may be provided first. The Guidelines state expressly that provision of a simplified or short privacy notice doesn’t relieve the organization of its obligation to make available a comprehensive privacy notice.

Simplified or Short Privacy Notice. Where personal information is obtained directly from the individual by any electronic, optical, audio or visual means, or through any other technology, the organization must immediately provide the individual with at least the information regarding the identity and domicile of the organization and the purposes of the data processing, as well as provide the mechanisms for the individual to obtain the full text of the privacy notice. Where cookies, Web beacons or similar technologies are used, a communication or warning must be placed in a conspicuous place to inform the individual about the use of these technologies and how the technologies can be disabled by the individual.

Data Protection Officer or Office

The Mexican Law requires any entity that collects personal information to appoint a DPO or office to promote the protection of personal information within its organization and to process requests (such as access and correction requests) received from individuals who wish to exercise their rights under the Mexican Law.

Data Security

The Regulations, issued in 2011 (12 WDPR 34, 1/30/12), define what constitutes physical, technical and administrative measures and, in particular, require: the establishment of an internal supervision and monitoring system; implementation of a training program for personnel to educate and generate awareness about their obligations to protect personal information; and external inspections or audits to check compliance with privacy policies. The list of security measures must be updated when security improvements or changes are made or there are breaches of the systems. In addition, the organization is encouraged to consider undertaking a risk analysis of personal information to identify dangers and estimate the risks to the personal information, conduct a gap analysis and prepare a work plan to implement the missing security measures identified by the gap analysis.

Whenever there is a security violation involving personal information, the DPA may take into account the organization’s compliance with DPA recommendations in determining any mitigation of the corresponding sanction.

Data Security Breach Notification

Security breaches that occur ‘‘at any stage of processing that materially affect the property or moral rights’’ of the individual must be reported to the individual by the organization so the individual can take appropriate action to protect his or her rights. The Mexican Law does not require notice to any public authority or regulator.

NICARAGUA

Nicaragua enacted the Law on Personal Data Protection (Act No. 787) on March 21, 2012 and the Regulation of the Law on Personal Data Protection (Decree No. 36-2012) on Oct. 17, 2012 (together, the Nicaraguan Law). The Nicaraguan Law protects the personal information of natural and legal persons in private and public databases.

In Brief

The Nicaraguan Law restricts cross-border transfers and requires registration; however, the registration procedure is not yet established. Data security, breach notification and the appointment of a DPO are not required. Unlike other laws in the region, the Nicaraguan Law has a provision on the right to ‘‘digital oblivion.’’

Special Characteristics

Data Protection Authority

The Nicaraguan Law calls for the creation of a Directorate for Personal Data Protection within the Ministry of Finance that will be responsible for the regulation, supervision and protection of the processing of personal information; however, as of March 2015, the Directorate had not yet been established. The Directorate will be responsible for a wide range of data protection-related activities, including issuing regulations, monitoring compliance and imposing administrative sanctions in the event of violations.

Cross-Border Transfers

The assignment and transfer of personal information to countries or international organizations that do not provide adequate security and protection for personal information are prohibited except in very limited circumstances, such as where:

• the transfer is for the purposes of international judicial cooperation;
• the exchange of personal information is for health matters;
• the transfer is necessary to carry out epidemiological investigations, wire transfers or exchanges;
• the transfer is required by law;
• the transfer is agreed upon under any international treaties ratified by Nicaragua; or
• the transfer pertains to international cooperation with intelligence agencies or to criminal matters covered by specified laws.

Such transfers must be carried out at the request of a legally authorized person; the request must state the object and purpose of the intended processing; the organization must comply with the data security and confidentiality measures and verify that the receiving organization complies equally with these measures; and the individual must be informed by the organization about, and consent to, the transfer and the intended purposes of the processing.

Right to Digital Oblivion

The Nicaraguan Law is one of the first laws to include the right to be forgotten, which has been so controversial in the EU. In particular, the individual has the right to request that social networks, browsers and servers suppress or cancel his or her personal information contained in their databases. In the case of databases of public and private institutions that offer goods and services and collect personal information for contractual reasons, individuals may request that their personal information be canceled once the contractual relationship ends. This provision isn’t particularly detailed, and it is not clear how organizations will implement these obligations.

PERU

The Law for Personal Data Protection (Peruvian Law), which protects the personal information of natural persons processed by public and private sector organizations, entered into force July 4, 2011; however, many of its provisions and its Regulations did not become effective until May 2013 (13 WDPR 24, 4/25/13). Organizations had until March 2015 to conform their existing personal data banks to the Peruvian Law.

In Brief

The Peruvian Law requires registration and restricts cross-border transfers. The DPA has also established data security breach notification requirements. There is no obligation to appoint a DPO.

Special Characteristics

Data Protection Authority

The Peruvian Law established the National Authority for Protection of Personal Data to oversee compliance and, in particular, to administer and keep up to date the National Register of Personal Data Protection, hear and investigate complaints lodged by individuals, issue provisional and/or corrective measures and impose administrative sanctions in cases of violations.

Cross-Border Transfers

Cross-border transfers of personal information are allowed if the recipient has adequate data protection as may be determined by the DPA. Thus far, the DPA hasn’t issued a list of adequate recipients. The Peruvian Law provides certain exceptions to this provision, including where the transfer of personal information is necessary to complete a contract to which the individual whose information is being transferred is a party; where the individual has given consent; or where otherwise established by regulation issued under the Peruvian Law.

The Regulations additionally provide that cross-border transfers are permitted when the importer assumes the same obligations as the exporting organization. The exporter may transfer personal information on the basis of contractual clauses or other legal instruments that prescribe at least the same obligations to which the exporter is subject, as well as the conditions under which the individual consented to the processing of his or her personal information. Therefore, if such a contract is in place, consent or one of the other legal bases listed above is not required.

Authorization for cross-border transfers is not required; however, the organization and the service provider may request the opinion of the DPA as to whether the proposed cross-border transfer of personal information meets the provisions of the Peruvian Law.

Data Security Breach Notification

The Peruvian Law itself doesn’t impose data security breach notification requirements; however, it authorizes the DPA to establish the security requirements and conditions to be met by data controllers. In October 2013, the DPA issued an Information Security Directive that instructs data controllers to notify individuals of ‘‘any incidents that significantly affect their proprietary or moral rights.’’


Registration

All organizations must register with the DPA. In addition, organizations that voluntarily adopt codes of conduct to govern their transfers to affiliated entities must register them with the DPA.

URUGUAY

Law No. 18.331 on the Protection of Personal Data and Habeas Data Action (Uruguayan Law), enacted in 2008 and amended in 2010, regulates the processing of personal information of natural and legal persons by both the public and private sectors. Uruguay was the second country in South America to be recognized by the EU as providing an adequate level of protection for personal information transferred from the EU/EEA (12 WDPR 16, 9/21/12).

In Brief

The Uruguayan Law requires data security breach notification and registration and restricts cross-border transfers to countries that do not provide adequate protection. There is no requirement to appoint a DPO; however, the person responsible for the database is liable for violations of the provisions of the law, and his or her name will be identified in the registration.

Special Characteristics

Data Protection Authority

The Regulatory and Control Unit for the Protection of Personal Data was created as an entity decentralized from the Agency for Electronic Government and the Information and Knowledge Society (AGESIC).

Cross-Border Transfers

The transfer of personal information of any kind to countries or international organizations that fail to provide adequate levels of protection according to the standards of regional or international law in this area is prohibited except in the following cases:

• international judicial cooperation, according to the relevant international instrument, whether treaty or convention, subject to the circumstances of each case;
• exchange of medical data, when necessary for the treatment of the sick person or for reasons of public health or hygiene;
• bank or stock exchange transfers, in regard to the corresponding transactions and pursuant to the applicable legislation;
• agreements within the framework of international treaties to which the Republic of Uruguay is a party; and
• international cooperation between intelligence agencies fighting organized crime, terrorism and drug trafficking.

It is also possible to make international transfers of data in the following cases:

• the interested party has given his or her consent to the proposed transfer;
• the transfer is necessary for the execution of a contract between the interested party and the person responsible for the processing, or to implement pre-contractual measures taken at the interested party’s request;
• the transfer is necessary to execute an agreement entered into now or hereafter on behalf of the interested party, between the person responsible for the processing and a third party;
• the transfer is necessary or legally required to safeguard an important public interest, or for the recognition, exercise or defense of a right in a legal proceeding;
• the transfer is necessary for safeguarding the vital interests of the interested party; or
• the transfer is effected from a record which, by virtue of legal or regulatory provisions, is designed to provide information to the public and is open to consultation by the general public or any person who can prove a legitimate interest, provided that the conditions established by law for consultation are met in each particular case.

Regardless of the cases listed above, the DPA may authorize a transfer or a series of transfers of personal information to a third country that does not guarantee an adequate level of protection when the person responsible for the processing offers sufficient guarantees regarding the protection of privacy and the fundamental rights and freedoms of individuals, as well as regarding the exercise of the corresponding rights. Such guarantees may arise from appropriate contractual clauses.

Data Security Breach Notification

When the data controller or the data processor realizes that there has been a data security breach that could significantly affect the individual’s rights, the data controller or the data processor must inform the individual.

Registration

All organizations that create, modify or eliminate databases of personal information must register their databases.
