SEVEN YEARS OF DATA PROTECTION LAW IN LATIN AMERICA BY PABLO A. PALAZZI

SEVEN YEARS OF DATA PROTECTION LAW IN LATIN AMERICA

BY PABLO A. PALAZZI

1. INTRODUCTION

Seven years of bad luck if you break a mirror, or so the superstition says. It seems that Latin America has not break any mirror in these last seven years. Luckily, the data protection and privacy legislation is spreading in the region. During the last seven years Chile, Argentina, Paraguay, Peru and Uruguay approved new data protection statutes regulating the collection and use of personal data, and in some cases prohibiting data transfer to countries that do not have adequate protection of privacy. Brazil, Mexico, Ecuador, Colombia and Venezuela have proposed legislation under consideration. Probably more countries will soon follow. 

Although these laws are based on the European “model” of data privacy laws, they have important differences. For example in Chile the law protects only individuals, while in Argentina and Peru legal entities are also within the scope of their privacy laws. While the Chilean and Argentinean statutes regulates public and private-sector uses of personal information, the Peruvian law only address private databases. In addition, the Chilean regime does not have a data protection agency, Peru uses its already existing consumer protection infrastructure and Argentina has created a new agency to enforce the law. 

Latin American countries does not have a convention or Directive as in the European Union to follow. Therefore, there is no harmonization of their privacy regimes. However, as it will be shown the spirit of the EU data protection model is present in every bill that has been introduced in the legislatures of Latin American countries.

This paper briefly outlines the state of data protection law in each of those countries and propose that those countries should try to converge in a unique model of data protection to avoid the problem encountered in Europe with different privacy rules.

2. DEVELOPMENT OF THE LAW

2.1. Chile

In 1999 Chile become the first Latin American country to enact a data protection law. The Act No. 19628, titled “Law for the protection of Private Life,” came into force on October 28, 1999. The law covers processing and use of personal data in the public and the private sector and the rights of individuals (to access, correction, and judicial control). The law specifically regulates the use of financial, commercial and banking data, and creates rules addressing the use of information by government agencies. The law includes fines and damages for the unlawful denial of access and correction rights. Only databanks in the government must be registered. There is no data protection authority, and enforcement of the law is done individually by each affected person. 

Chile also has legislated spam.

2.2 Argentina

On October 2000 the Argentinean Congress approved a new data protection act (Law n. 25.326) based on the European model of privacy laws. The legislation was  implemented by regulations enacted in the year 2001.

Because the Argentine law is based on the European model it incorporates all the regulatory principles found in the European approach to data protection. For example, use of personal data generally requieres consent and notification, one article forbids the transfer of personal data to countries or international organizations that do not have laws providing adequate protection of privacy, as it is also was modeled upon the European Data Protection Directive (article 25). In addition, the exceptions to this prohibition are very strict, and only allow transfers of personal data related to banking and financial transfers, but do not include all other kinds of transfers of personal information (such as transfers within a subsidiary and a parent, and contractual exceptions as provided in the European Directive). 

The Act imposes fines, and certain criminal sanctions for violations. The regulations also creates a data protection authority in charge of enforcing the law.  The authority started to organize the office in the year 2002. 

In the year 2005 the registry was created and many companies and individuals have registerd their databases (aproximately 20.000). Companies started to register their databases in May, 2005. The time-frame for this registration was 180 days (6 months), but the deadline weas extended until march 2006.

The data protection legal regime of Argentina was the first latin american country to be approved under the EU regime as providing adequate protection of personal data. This means that personal data in EU countries can freeley flow to Argentina because it is considered adequate.

The City of Buenos Aires enacted recently a do not call registry law. More provinces are to follow this trend.

2.3. Paraguay

At the end of 2000, Paraguay enacted its own privacy law. The law was enacted on December 28, 2000 and promulgated by the President of Paraguay on January 16, 2001. The Paraguayan law is mainly directed to commercial information. Processing of sensitive information is not permitted, and information about economic status requires prior written approval of the individual concerned or when that information is required by law. Commercial data has to be kept updated, and erased after certain periods of time. There is no data protection authority and no requirement to register. Under these new law, sanctions and fines will be applied by courts. 

2.4. Mexico. 

On January 2001, a data protection bill was introduced in Mexico. The bill is based in the 1992 Spanish Data Protection Act. In its recitals, it cites legislation of Europe and Latin America as a model as well as the Argentine law. In some cases this bill creates some significant potential problems for transactions involving the use of personal data such as restrictions on sensitive data, or forbids the transfer of personal data to countries or international organizations that do not have laws providing adequate protection of privacy. The act would also impose monetary penalties. 

In the year 2001 Mexico enacted a freedom of inormation law. The agency in charge of applying this law has been also actively involved in data protection. But to date Mexico lacks a general data protection act like Argentina or Chile.

2.5. Peru

Peru enacted a data protection law in July 2001, effective in August 2001 (Law No. 27.489). The law regulates the incorporation of credit bureaus, what sources of information they can use without consent of the individual, the information that must be provided where the data have not been obtained from the data subject (similar to art. 11 of EU Directive), and established a set of data protection principles. The Law protects both individuals and companies whose information is recorded in databases. In addition, the law prohibits credit bureaus to collect (i) sensitive information, (ii) data violating the confidentiality of bank or tax records; (iii) inaccurate or outdated information; (iv) bankruptcy records that are five years old; (iv) other debtor records five years after the debt was paid. Credit bureaus must adopt security measures. Individuals have the following rights: (i) access to information; (ii) right to modify or cancel their personal data; (iii) judicial relief for non consumers or consumer protection law. The law also creates strict liability for damages. The government’s agency for consumer protection is in charge of applying fines for violation of the law and issuing injunctions to correct errors. 

 

2.6. Uruguay

In the year 2004 Uruguay enacted a law addressing persona data and fair credit reporting issues.

2.7. Bills

There are data protection bills in Brazil, Mexico, Ecuador, Colombia and Venezuela. Most of this bills are based on the EU data protection model. 

3. SUMMARY

Four countries in Latin America have electronic data protection laws, and four more are likely to enact similar laws. For companies involved in both one country and cross border activities in Latin America, this clear trend underlines the importance of taking a coordinated regional approach, and a proactive stance.  Despite the proliferation of data protection laws (or privacy  protection laws) in many countries, uncertainty still reigns as to who or what such laws actually protect. Most data protection laws seem to have been drawn up rather diffusely, with the justification that the huge variety of types of information and specific contexts give rise to a complexity that cannot  be guessed at as information technology continues to develop.