[LATAM Webinar Slides] Brazil & Beyond: Privacy Trends in Latin America


Transcript of [LATAM Webinar Slides] Brazil & Beyond: Privacy Trends in Latin America

Page 1: [LATAM Webinar Slides] Brazil & Beyond: Privacy Trends in Latin America

Privacy Insight Series - truste.com/insightseries

© TRUSTe Inc., 2016

Brazil & Beyond: Privacy Trends in Latin America

August 18, 2016

Page 2: [LATAM Webinar Slides] Brazil & Beyond: Privacy Trends in Latin America

Today’s Speakers

Andrew McDevitt, Senior Privacy Consultant, TRUSTe

Jacobo Esquenazi, Global Privacy Strategist, HP, Inc.

Juan Luis Hernandez Conde, Founding Partner, Novus Concilium

Page 3: [LATAM Webinar Slides] Brazil & Beyond: Privacy Trends in Latin America

Today’s Agenda

• Welcome & Introductions

• Overview of Latin American Privacy

• Understanding Database Registration Requirements

• Proposed Legal Changes in the region including: Brazil, Chile, Colombia, Mexico

• Accountability and Data Subject Rights

• Q&A

Page 4: [LATAM Webinar Slides] Brazil & Beyond: Privacy Trends in Latin America

Overview of Latin American Privacy

Andrew McDevitt, Senior Privacy Consultant, TRUSTe

Page 5: [LATAM Webinar Slides] Brazil & Beyond: Privacy Trends in Latin America

Basic Observations of Privacy in Latin America

• There is no Latin American treaty, omnibus regional law, or a specific regional body that assists and guides organizations about data protection – such as an EU Data Directive (soon to be GDPR)

• However, data protections have been purposefully incorporated into the constitutions of some Latin American countries

• Some Latin American countries do require all organizations to register with their DPA (Peru) while others don’t require businesses to register with their DPA (Mexico, Nicaragua)

Page 6: [LATAM Webinar Slides] Brazil & Beyond: Privacy Trends in Latin America

Data Protection in Latin America Falls into Four Groups

• Constitutional/Habeas Data. Nations which utilize a constitutional rights-based model for protecting individuals’ personal data rights

• General Data Protection Laws. Nations which have enacted comprehensive data protection laws

• Hybrid Approach. Nations that employ a blend of habeas data and general data protection laws

• Unsettled or Transitioning Data Protection Rights. Nations that lack a clearly defined constitutional or legislative structure with respect to privacy rights.

Page 7: [LATAM Webinar Slides] Brazil & Beyond: Privacy Trends in Latin America

Overview of Latin American Privacy Requirements

Page 8: [LATAM Webinar Slides] Brazil & Beyond: Privacy Trends in Latin America

Understanding Database Registration Requirements

Jacobo Esquenazi, Global Privacy Strategist, HP, Inc.

Page 9: [LATAM Webinar Slides] Brazil & Beyond: Privacy Trends in Latin America

Database Registration Requirements in LAR

• Database Registration is one of the most burdensome requirements in Data Protection Management. It is very common in LAR.

• Five out of six countries that have Data Protection Laws in the region include a Database Registration Requirement. Mexico is the only notable exception.

• Conditions for registering databases and the content of the registration vary from country to country.

• Three countries require an annual update or renewal of the registration, one country requires an update only when major changes occur, one country requires a monthly update when any changes occur, and one requires that the registry be kept up to date constantly.

• In some countries, registration fees must be paid (a source of revenue for the DPA), and there is a cost of compliance in all cases.

Page 10: [LATAM Webinar Slides] Brazil & Beyond: Privacy Trends in Latin America

Database Registration Requirements by Country

Uruguay

• Article 29 of Data Protection Law creates a Database registry. All Public and Private Databases need to be registered with the DPA.

• Applicable to all persons (natural and legal)

• Registration includes information about the database and exercise of rights; security measures; length of storage.

• Registration needs to be renewed annually.

• Registration can be done online.

Argentina

• Article 21 of Data Protection Law creates a Database registry. All public and private DBs must be registered with the DPA.

• Applicable to ALL databases.

• Private DBs should be registered before being created.

• Registration needs to be renewed annually.

• Registration can be initiated online.

Page 11: [LATAM Webinar Slides] Brazil & Beyond: Privacy Trends in Latin America

Database Registration Requirements by Country

Peru

• Article 29 of Data Protection Law creates a Database registry. All databases that are subject to Data Subject rights (access, correction, etc.) need to be registered.

• DPA can also include as part of the registry (searchable) authorizations, sanctions, injunctions or corrective measures imposed. Registry also includes approved codes of conduct.

• Communications related to transborder flows are also registered.

• Registration must be done on paper.

• Registration is done once unless the DB undergoes changes. All changes to the purpose, content, security measures, etc. must be registered.

Page 12: [LATAM Webinar Slides] Brazil & Beyond: Privacy Trends in Latin America

Database Registration Requirements by Country

Colombia

• Article 29 of Data Protection Law creates a Database registry. Only Colombian Data Controllers (registered in the chambers of commerce) need to register DBs.

• Information to be registered: types of data; security measures; data origin; international transfers; international transmissions; national data transfers; requests from data subjects to exercise their rights; and security incidents (breaches).

• Annual registration, or within 10 days of any substantial changes.

Costa Rica

• Article 21 of Data Protection Law creates a Data Registry. Databases for distribution, publication or commercialization need to be registered.

• Registration needs to be done by the data owner (notarized) and includes physical placement of the database; uses for the database; types of data; description of security measures; recipients of data transfers; list of contracts for commercialization; creation of a super user for the agency, etc.

Page 13: [LATAM Webinar Slides] Brazil & Beyond: Privacy Trends in Latin America

Proposed Legal Changes in the Region

Juan Luis Hernandez Conde, Founding Partner, Novus Concilium

Page 14: [LATAM Webinar Slides] Brazil & Beyond: Privacy Trends in Latin America

From Habeas Data to Omnibus Protection

Page 15: [LATAM Webinar Slides] Brazil & Beyond: Privacy Trends in Latin America

What is Habeas Data?

Constitutionally / Judicially protected right to access, rectification and/or erasure of personal information.

Page 16: [LATAM Webinar Slides] Brazil & Beyond: Privacy Trends in Latin America

Omnibus legislation

Legal regime imposing specific obligations and requirements on Data Controllers and Data Processors.

Page 17: [LATAM Webinar Slides] Brazil & Beyond: Privacy Trends in Latin America

Privacy evolution timetable

[Timeline figure. Years shown: 2000, 2008, 2010, 2011, 2014. Countries shown: Argentina, Uruguay, Mexico, Costa Rica, Peru, Colombia.]

Page 18: [LATAM Webinar Slides] Brazil & Beyond: Privacy Trends in Latin America

Laws being discussed right now

Brazil, Ecuador, Chile, Panama

Page 19: [LATAM Webinar Slides] Brazil & Beyond: Privacy Trends in Latin America

From Habeas Data to Omnibus Protection

Page 20: [LATAM Webinar Slides] Brazil & Beyond: Privacy Trends in Latin America

Accountability and Data Subject Rights

Jacobo Esquenazi, Global Privacy Strategist, HP, Inc.

Page 21: [LATAM Webinar Slides] Brazil & Beyond: Privacy Trends in Latin America

Data Subject Rights in LAR

• All Data Protection Laws in LAR are based (in whole or in part) on EU data protection concepts, and more specifically on the first Spanish implementation of the Privacy Directive.

• All laws in LAR provide data subjects with the following rights:

– Access: The right to know what information a Controller holds about the Data Subject.

– Correction: The right to correct inaccurate information that a Data Controller holds about a Data Subject.

– Deletion: A Data Subject has the right to request that a Data Controller delete information related to him/her (with some limitations).

• Some data protection laws allow an intermediate phase before deletion (opposition), which is the equivalent of the Right of Restriction of Processing under the GDPR.

• All rights have a compliance period. After that period, Data Subjects who feel their requests have not been honored have a right of recourse before the DPA and eventually before a court of law.

Page 22: [LATAM Webinar Slides] Brazil & Beyond: Privacy Trends in Latin America

Infringement of Data Subject Rights

• The infringement of Data Subject Rights can be penalized by administrative sanctions (including monetary ones), applied by the DPA.

• DPAs in LAR have increased their enforcement activity, imposing substantial fines for non-compliance. Activity has increased in particular where Data Subject complaints are involved. DPAs do not have prosecutorial discretion, therefore all complaints must be investigated.

• All laws include the right of compensation if the infringement of Data Subject rights results in harm. The process is carried out before the courts.

Page 23: [LATAM Webinar Slides] Brazil & Beyond: Privacy Trends in Latin America

Accountability

• Mexico and Colombia included the concept of accountability in their data protection legislation. This is similar to the concept as it has been incorporated in the GDPR.

• Having an accountability-based data protection program is not mandatory, but companies that can demonstrate an accountability-based data protection program get benefits such as reduced fines or easier transborder flows.

• Demonstrating accountability has some requirements that need to be met (sometimes through codes of conduct).

• Although Peruvian regulation does not include the accountability concept, it does recognize some benefits of participating in voluntary codes of conduct.

Page 24: [LATAM Webinar Slides] Brazil & Beyond: Privacy Trends in Latin America

Key Takeaways For Companies

• Latin America is as diverse in its privacy regimes as it is in its geographies.

• Habeas data is a constitutionally-based remedy of legal action that may be initiated by a citizen to discover what data is held about that person, in order to facilitate correction or deletion of the information.

Page 25: [LATAM Webinar Slides] Brazil & Beyond: Privacy Trends in Latin America

Key Takeaways For Companies

• More incentives than ever exist for Latin American governments to modernize their data privacy laws in light of APEC membership, global commerce and trade, and international adequacy/interoperability opportunities.

• With Chile, Mexico and Peru already APEC members, companies should consider APEC CBPR Certification as a route to demonstrate compliance in the region.

• Companies should be aware of the data privacy quirks that exist in Latin America but that are not widespread elsewhere, such as:

– Costa Rica’s “super user” database access for the government

– The “right to be forgotten” in Nicaragua, and

– Mexico’s detailed privacy notice rules but lack of a registration requirement

Page 26: [LATAM Webinar Slides] Brazil & Beyond: Privacy Trends in Latin America

Questions?

Page 27: [LATAM Webinar Slides] Brazil & Beyond: Privacy Trends in Latin America

Contacts

Jacobo Esquenazi, [email protected], @jesquenaziMX

Juan Luis Hernandez Conde, [email protected], @TheRealHCount

Andrew McDevitt, [email protected], @AndrewJMcDevitt

Page 28: [LATAM Webinar Slides] Brazil & Beyond: Privacy Trends in Latin America

Details of our 2016 Summer/Fall Webinar Series are now available. Register now for our next webinar on September 22, “Changing Role of the CPO in Today’s Privacy Ecosystem”.

See http://www.truste.com/insightseries for the 2016 Privacy Insight Series and past webinar recordings.

Thank You!