ISPF 2019

Privacy in Latin America – Where is it headed?

Laura Juanes MicasLaura Juanes, Global Director, Privacy Policy Engagement, Facebook

Isabel Davara

José Alejandro BermúdezFormer Colombian Data Protection Superintendent. Partner, Bermudez Durana

(Colombia)

Partner, Davara Abogados (Mexico)

Moderator – Javier SamaniegoJavier Fernández-Samaniego, Partner, Samaniego Law (Spain & USA)

Global View

Regional

Snapshot

OriginsHabeas Data

• Argentina

• Brazil

• Bolivia

• Chile

• Colombia

• Costa Rica

• Dominican Republic

• Honduras

• Mexico

• Panama

• Paraguay

• Uruguay

• Venezuela

Right to access, rectification, canc

ellation – enforced by the judiciary

1st GenerationComprehensive Laws

Enacted: • Argentina• Aruba• Brazil

• Bahamas• Colombia• Costa Rica• Curaçao• Dominican

Republic• Mexico• Nicaragua• Panamá• Peru• Trinidad & Tobago• St. Lucia• Uruguay

Work in progress:• Chile • Ecuador• Guatemala• Jamaica

• Honduras

2nd generation:Argentina

Highlights

New wave: GDPR-inspired…… with a twist

• EU inspired norms (searching for adequacy)

• Adequacy based (significant restrictions on foreign data transfers - but few

whitelists)

• Abundant registration obligations

• Heavily consent based (Opt-in) (with exceptions)

• Extensive and formalistic individual rights (access, correction,

rectification…)

• Rare incentives for accountability (with exceptions)

• Criminal liability

• Limited precedent and case law

• Varied degree of enforcement

Need to keep in mind

Iberoamerican Network Standards

http://www.redipd.es/documentacion/common/Estandares_eng_Con_logo_RIPD.pdf

• Drafting led by the Mexican DPA

• Heavily GDPR - inspired

• Not binding – yet influential

• Aspirations of harmonization

• Extraterritorial application

• Heightened standard for consent

• Ample legal basis to collect & process, incl. legitimate interests

• Strict limitations to secondary uses

• Data breach notification obligations

• Right to object to profiling

• Right to portability

• Rights of the deceased

• PRAs

• DPO

• Independent DPAs, only subject to judicial review

The IAN standards in a nutshell

• Argentina and Uruguay are the only countries deemed as ‘adequate’ by

the European Commission

• Both countries’ adequacy findings are up for revision post GDPR

• Both countries are signatories of Convention 108+

• Convention 108+ of the Council of Europe has been gaining traction and is

de facto considered a stepping stone for EU adequacy

• Mexico has recently adhered to C 108+

• USCMA contemplates CBPRs as a possible mechanism (but not yet fully

implemented in Mexico nor Canada)

Global data flows

Global data flows: possible instruments

• Adequacy (‘white lists’) • Consent • Model Contracts • Individual authorizations

• Intra-group transfers• Combos (white lists + accountability)• Exceptional circumstances (eg. natural disasters, medical

emergencies)• Multilateral instruments / agreements (CBPRs, USCMA, PA)

• Iberoamerican Standards call for breaches to be notified without delay but, in

applying an accountability approach, not when there is unlikely risk for the data

subjects.

• Different standards are applicable throughout LatAm: voluntary notification to

data subjects in some jurisdictions (Colombia , Peru) mandatory in some (Mexico

and Brazil) and N/A in others (i.e. Argentina). Notifications to the DPA are

mandatory in Colombia, and Brazil and voluntary in other jurisdictions.

• Argentina new draft bill has a 72 hour notification unless it’s unlikely that the

breach implies a risk to data subjects and should only be informed to data subjects

if high risk. In contrast, Colombia has moved towards strict interpretation of

breaches, with no guideline as to what makes up a breach, and how it should be

notified

Data breaches

• Chapter 19 is about Digital Trade and include specific provisions regarding

protection of personal data.

• Article 19.8 foresees that the parties:

• Recognize the economic and social benefits of protecting the personal

information of users of digital trade.

• Shall adopt or maintain a legal framework to protect personal data taking into

account principles and guidelines of relevant international bodies, such as the

APEC Privacy Framework and the OECD Recommendation of the Council

concerning Guidelines governing the Protection of Privacy and Transborder

Flows of Personal Data (2013).

• Recognize the key principles of protection of personal data.

USMCA

Mexico Fintech Law

• Mexican Fintech Law (MFL) is an innovative and unique legal framework in

the world.

• Several provisions of the Fintech Law require further development

through secondary regulations. Currently the competent authorities have

issued a broad set of regulations to implement the MFL.

• The MFL was published on March 9th 2018 in the Federal Official Gazette.

• The law regulates the services provided by the Financial Technology

Institutions (“FTIs"), including their organization and operation.

• FTIs include Crowdfunding entities and E-payment entities.

Background

• The Fintech Law requires Financial Entities and FTIs, among others, to

establish application programming interfaces ("APIs") to allow

connectivity and access to interfaces developed or managed by other

Financial Entities and FTIs (with the prior consent of users).

• The purpose of the APIs is to share users’ open financial, aggregate and

transactional data.

• The information mentioned in the article 76 of the Law can only be used

for the purposes strictly authorized by the client.

• As private entities, FTIs are subject to the Federal Law on Protection of

Personal Data Held for Private Parties.

Need to Know

Questions?

Addendum. Country Profiles

Chile

- Body of law: Constitution (recently amended) + Law 19628 (1999)- Supervision and enforcement by the civil courts (no DPA)- Comprehensive bill currently under discussion in Congress - Chile will be the next APEC host in 2019

- Little to no enforcement so far (but criminal liability)- Proposed bill based on OECD Principles with GDPR influence (eg.

right to portability, strengthened consent, references to biometrics, profiling, automated decision making…)

- Proposed bill will also create an independent DPA and a public registry of offenders

Peru

- Body of law: Constitution + Comprehensive Law n.29733 (2011), amended in 2017 + Developing Regulation

- Supervision and enforcement under DGTAIPD (Transparency & Data Protection Agency under the Ministry of Justice)

- Database registration is required- Multiple mechanisms for data transfers available (not CBPRs)- DPO is required- Data breach notification obligations imposed by the DPA- Fines up to 150k USD + criminal liability- Recent decision re. Processing of information under FATCA

Mexico

- Body of law: Constitution + Comprehensive Law ‘LFPDPP’ (2010)+ Developing Regulation (2012)+ State Laws

- Supervision and enforcement under INAI (Independent Transparency & Data Protection Agency) + State Agencies

- Only LatAm country adhered to CBPRs (but no agent)

- Strict formalities around privacy notices (long / short forms)- Implicit consent as default - Explicit incentives for binding self-regulation- Intra-group data transfers are authorized- Recent guidance issued on Biometrics- Fines up to 3m USD + criminal liability

Colombia

- Body of law: Constitution + Law 1581 of 2012 - Supervision and enforcement under SIC, a technical supervisory

body also charged with Competition, IP registration and Consumers

- Strict controller obligations, with only consent as a basis to process (with legalexceptions).

- Active DPA with relatively large fining power (in excess of USD$500.000).

- Published Accountability Guidelines in 2015 as a consequence of Colombia’s OECD accession process.

- Stringent DB registration and data breach notification obligations- Published a Data Transfer adequacy “white list” in 2018 with

intense debate over decision to include the US as adequate.

Colombia

Argentina

- Body of law: Section 43 of the Argentine National Constitution and regulated in the Law25,326 (PDPL), the Regulatory Decree 1558/2001 (DP Decree) and provisions issued by theDPA.

- Supervision and enforcement under AAIP (Independent Transparency & Data ProtectionAgency)

- Database registration is required- There is no specific requirement to appoint a DPO- Cross-border transfer of personal data is prohibited to countries or international or

supranational organization which do not provide adequate protection to such data- Personal data may only be transferred for legitimate purposes of the transferor and the

transferee, and generally with the prior consent of the data subject who must be informedof the transfer’s purpose and of the transferee’s identity

- Data breach notification is not specifically required- Argentine President submitted to National Congress Bill No. MEN-2018-147-APN-PTE,

aiming to replace in its entirety the Personal Data Protection Law No. 25,326

Thank You