SLIDES Privacy in Latin America Where is it Headed - JA ... · •The Fintech Law requires...
ISPF 2019
Privacy in Latin America – Where is it headed?
Laura Juanes Micas, Global Director, Privacy Policy Engagement, Facebook
Isabel Davara, Partner, Davara Abogados (Mexico)
José Alejandro Bermúdez, Former Colombian Data Protection Superintendent. Partner, Bermudez Durana (Colombia)
Moderator – Javier Fernández-Samaniego, Partner, Samaniego Law (Spain & USA)
Global View
Regional Snapshot
Origins: Habeas Data
• Argentina
• Brazil
• Bolivia
• Chile
• Colombia
• Costa Rica
• Dominican Republic
• Honduras
• Mexico
• Panama
• Paraguay
• Uruguay
• Venezuela
Right to access, rectification, cancellation – enforced by the judiciary
1st Generation: Comprehensive Laws
Enacted:
• Argentina
• Aruba
• Brazil
• Bahamas
• Colombia
• Costa Rica
• Curaçao
• Dominican Republic
• Mexico
• Nicaragua
• Panamá
• Peru
• Trinidad & Tobago
• St. Lucia
• Uruguay
Work in progress:
• Chile
• Ecuador
• Guatemala
• Jamaica
• Honduras
2nd generation: Argentina
Highlights
New wave: GDPR-inspired… with a twist
Need to keep in mind
• EU inspired norms (searching for adequacy)
• Adequacy based (significant restrictions on foreign data transfers - but few whitelists)
• Abundant registration obligations
• Heavily consent based (Opt-in) (with exceptions)
• Extensive and formalistic individual rights (access, correction, rectification…)
• Rare incentives for accountability (with exceptions)
• Criminal liability
• Limited precedent and case law
• Varied degree of enforcement
Iberoamerican Network Standards
http://www.redipd.es/documentacion/common/Estandares_eng_Con_logo_RIPD.pdf
• Drafting led by the Mexican DPA
• Heavily GDPR-inspired
• Not binding – yet influential
• Aspirations of harmonization
The IAN standards in a nutshell
• Extraterritorial application
• Heightened standard for consent
• Ample legal basis to collect & process, incl. legitimate interests
• Strict limitations to secondary uses
• Data breach notification obligations
• Right to object to profiling
• Right to portability
• Rights of the deceased
• PRAs
• DPO
• Independent DPAs, only subject to judicial review
Global data flows
• Argentina and Uruguay are the only countries deemed ‘adequate’ by the European Commission
• Both countries’ adequacy findings are up for revision post GDPR
• Both countries are signatories of Convention 108+
• Convention 108+ of the Council of Europe has been gaining traction and is de facto considered a stepping stone for EU adequacy
• Mexico has recently adhered to C 108+
• USMCA contemplates CBPRs as a possible mechanism (but not yet fully implemented in Mexico or Canada)
Global data flows: possible instruments
• Adequacy (‘white lists’)
• Consent
• Model Contracts
• Individual authorizations
• Intra-group transfers
• Combos (white lists + accountability)
• Exceptional circumstances (e.g. natural disasters, medical emergencies)
• Multilateral instruments / agreements (CBPRs, USMCA, PA)
Data breaches
• Iberoamerican Standards call for breaches to be notified without delay but, applying an accountability approach, not when a risk to the data subjects is unlikely.
• Different standards apply throughout LatAm: notification to data subjects is voluntary in some jurisdictions (Colombia, Peru), mandatory in some (Mexico and Brazil) and N/A in others (i.e. Argentina). Notifications to the DPA are mandatory in Colombia and Brazil and voluntary in other jurisdictions.
• Argentina’s new draft bill has a 72-hour notification requirement unless it is unlikely that the breach implies a risk to data subjects, and data subjects should only be informed if the risk is high. In contrast, Colombia has moved towards a strict interpretation of breaches, with no guideline as to what makes up a breach or how it should be notified.
USMCA
• Chapter 19 is about Digital Trade and includes specific provisions regarding protection of personal data.
• Article 19.8 foresees that the parties:
  • Recognize the economic and social benefits of protecting the personal information of users of digital trade.
  • Shall adopt or maintain a legal framework to protect personal data, taking into account principles and guidelines of relevant international bodies, such as the APEC Privacy Framework and the OECD Recommendation of the Council concerning Guidelines governing the Protection of Privacy and Transborder Flows of Personal Data (2013).
  • Recognize the key principles of protection of personal data.
Mexico Fintech Law
Background
• The Mexican Fintech Law (MFL) is an innovative legal framework, unique in the world.
• Several provisions of the Fintech Law require further development through secondary regulations. Currently the competent authorities have issued a broad set of regulations to implement the MFL.
• The MFL was published on March 9th, 2018 in the Federal Official Gazette.
• The law regulates the services provided by the Financial Technology Institutions ("FTIs"), including their organization and operation.
• FTIs include Crowdfunding entities and E-payment entities.
Need to Know
• The Fintech Law requires Financial Entities and FTIs, among others, to establish application programming interfaces ("APIs") to allow connectivity and access to interfaces developed or managed by other Financial Entities and FTIs (with the prior consent of users).
• The purpose of the APIs is to share users’ open financial, aggregate and transactional data.
• The information mentioned in Article 76 of the Law can only be used for the purposes strictly authorized by the client.
• As private entities, FTIs are subject to the Federal Law on Protection of Personal Data Held by Private Parties.
Questions?
Addendum. Country Profiles
Chile
- Body of law: Constitution (recently amended) + Law 19628 (1999)
- Supervision and enforcement by the civil courts (no DPA)
- Comprehensive bill currently under discussion in Congress
- Chile will be the next APEC host in 2019
- Little to no enforcement so far (but criminal liability)
- Proposed bill based on OECD Principles with GDPR influence (e.g. right to portability, strengthened consent, references to biometrics, profiling, automated decision making…)
- Proposed bill will also create an independent DPA and a public registry of offenders
Peru
- Body of law: Constitution + Comprehensive Law No. 29733 (2011), amended in 2017 + Developing Regulation
- Supervision and enforcement under DGTAIPD (Transparency & Data Protection Agency under the Ministry of Justice)
- Database registration is required
- Multiple mechanisms for data transfers available (not CBPRs)
- DPO is required
- Data breach notification obligations imposed by the DPA
- Fines up to 150k USD + criminal liability
- Recent decision re. processing of information under FATCA
Mexico
- Body of law: Constitution + Comprehensive Law ‘LFPDPP’ (2010) + Developing Regulation (2012) + State Laws
- Supervision and enforcement under INAI (Independent Transparency & Data Protection Agency) + State Agencies
- Only LatAm country adhered to CBPRs (but no agent)
- Strict formalities around privacy notices (long / short forms)
- Implicit consent as default
- Explicit incentives for binding self-regulation
- Intra-group data transfers are authorized
- Recent guidance issued on Biometrics
- Fines up to 3m USD + criminal liability
Colombia
- Body of law: Constitution + Law 1581 of 2012
- Supervision and enforcement under SIC, a technical supervisory body also charged with Competition, IP registration and Consumers
- Strict controller obligations, with only consent as a basis to process (with legal exceptions).
- Active DPA with relatively large fining power (in excess of USD$500.000).
- Published Accountability Guidelines in 2015 as a consequence of Colombia’s OECD accession process.
- Stringent DB registration and data breach notification obligations
- Published a Data Transfer adequacy “white list” in 2018 with intense debate over decision to include the US as adequate.
Argentina
- Body of law: Section 43 of the Argentine National Constitution, regulated in Law 25,326 (PDPL), the Regulatory Decree 1558/2001 (DP Decree) and provisions issued by the DPA.
- Supervision and enforcement under AAIP (Independent Transparency & Data Protection Agency)
- Database registration is required
- There is no specific requirement to appoint a DPO
- Cross-border transfer of personal data is prohibited to countries or international or supranational organizations which do not provide adequate protection to such data
- Personal data may only be transferred for legitimate purposes of the transferor and the transferee, and generally with the prior consent of the data subject, who must be informed of the transfer’s purpose and of the transferee’s identity
- Data breach notification is not specifically required
- Argentine President submitted to National Congress Bill No. MEN-2018-147-APN-PTE, aiming to replace in its entirety the Personal Data Protection Law No. 25,326
Thank You