The convening of the 34th International Conference of Data Protection and Privacy Commissioners in Punta del Este, Uruguay on Oct. 22-26 — on the heels of last year’s conference in Mexico City — underscores the importance of the Latin American region in the global debate around data privacy regulation.

From 2000 to 2008, only Argentina and Uruguay created comprehensive data privacy regimes.  Yet in just a two-year span from 2010 to 2012, another five countries — Mexico, Colombia, Costa Rica, Peru, and most recently Nicaragua — have adopted comprehensive data privacy laws of their own.  Implementing regulations already have gone into effect in Mexico and are expected to come into force in Costa Rica and Peru shortly.  The Colombian law awaits a Presidential decree and implementing regulations.   

More laws and regulations are sure to follow.  Just within the past year, governments in Brazil, Chile, and Ecuador have publicly considered adoption of new data privacy laws.  

Of the laws on the books, all but that of Mexico have closely hewed to the example set by the European Union and its Data Protection Directive of 1995 and E-Privacy Directive of 2002.  In contrast to the case-by-case and sector-specific approach prevailing in the United States, a more prescriptive approach is favored in Europe.  Among the factors accounting for the commonality between the approaches by LatAm countries and the EU are:

  1. Many LatAm countries’ desire to obtain an “adequacy” determination from the European Commission so that data may flow freely from the EU to the subject country in LatAm, as Argentina and Uruguay have done;
  2. Cultural values prevailing in both regions that view data privacy as a fundamental human right; and  
  3. Formal ties between LatAm policymakers and counterparts in Spain, via the Red Iberoamericana de Protección de Datos.

It therefore is not uncommon to see restrictions on cross-border data transfers based upon the “adequacy” of the destination country’s laws, requirements for express consent as a pre-condition to processing of personal data, and requirements to register databases with the national regulator.  

New data privacy laws in Latin America also reflect heightened attention in the region to rights of access, deletion, and rectification.  These elements arise from the “habeas data” rights enshrined in the democratic constitutions of many LatAm countries that emerged from dictatorships in the 1970s and 80s.  (Literally meaning “you have the right to the data,” habeas data rights allow citizens to petition a constitutional court for disclosure and other remedial actions with respect to information held about them by the government.)

Mexico is an important and notable exception to the EU-focused trend in other LatAm countries.  Its Ley de Protección de Datos Personales represents what may become a “third way” that builds upon elements from the EU, other laws in the LatAm region, and the Asia Pacific Economic Cooperation (APEC) framework, along with innovations of its own.  The Mexican legislation’s approach to international data transfer provides a case in point:

  • In its privacy notice, the data controller must describe and obtain consent with respect to the circumstances in which a customer’s data will be transferred to domestic or foreign third parties.  
  • The law holds the data controller accountable for ensuring that the third party to whom data is transferred adheres to the standards of the Mexican law. 
  • In short, Mexico’s data privacy law regulates data transfers but does so in a flexible, results-oriented manner that focuses on how rather than where the data is processed.  

Other innovations in the Mexican law include the first-ever provision governing the use of cloud computing services by data controllers, which appears in the implementing regulations to the law.  As other countries in the region consider and develop their own data protection frameworks, it will be interesting to see whether and how elements in the Mexican law are incorporated alongside, or in lieu of, EU-inspired rules.

In any event, Latin America is sure to remain a major force in the international dialogue on data protection — both at the conference in Punta del Este later this month, and beyond.  

Matthew DelNero

Matt DelNero provides expert regulatory counsel to companies of all sizes in the telecommunications, technology and media sectors. As a former senior official with the FCC and longtime private practitioner, Matt helps clients achieve their goals and navigate complex regulatory and public policy challenges.

Matt serves as co-chair of Covington’s Technology & Communications Regulation (“TechComm”) Practice Group and co-chair of the firm’s Diversity & Inclusion initiative.

Matt advises clients on the full range of issues impacting telecommunications, technology and media providers today, including:

  • Structuring and securing FCC and other regulatory approvals for media and telecommunications transactions.
  • Conducting regulatory due diligence for transactions in the telecommunications, media, and technology sectors.
  • Obtaining approval for foreign investment in broadcasters and telecommunications providers.
  • Universal Service Fund (USF) programs, including the FCC’s Rural Digital Opportunities Fund (RDOF).
  • FCC enforcement actions and inquiries.
  • Online video accessibility, including under the Communications and Video Accessibility Act (CVAA) and Americans with Disabilities Act (ADA).
  • Equipment authorizations for IoT and other devices.
  • Spectrum policy and auctions, including for 5G.
  • Privacy and data protection, with a focus on telecommunications and broadband providers.

Matt also maintains an active pro bono practice representing LGBTQ+ asylum seekers, as well as veterans petitioning for discharge upgrades—including discharges under ‘Don’t Ask, Don’t Tell’ and predecessor policies that targeted LGBTQ+ servicemembers.

Prior to rejoining Covington in January 2017, Matt served as Chief of the FCC’s Wireline Competition Bureau. He played a leading role in development of policies around net neutrality, broadband privacy, and broadband deployment and affordability under the federal Universal Service Fund (USF).

Chambers USA has recognized Matt as a “go-to attorney for complex matters before the FCC and other federal agencies, drawing on impressive former government experience.”