The convening of the 34th International Conference of Data Protection and Privacy Commissioners in Punta del Este, Uruguay on Oct. 22-26 — on the heels of last year’s conference in Mexico City — underscores the importance of the Latin American region in the global debate around data privacy regulation.
From 2000 to 2008, only Argentina and Uruguay created comprehensive data privacy regimes. Yet in just a two-year span from 2010 to 2012, another five countries — Mexico, Colombia, Costa Rica, Peru, and most recently Nicaragua — have adopted comprehensive data privacy laws of their own. Implementing regulations already have gone into effect in Mexico and are expected to come into force in Costa Rica and Peru shortly. The Colombian law awaits a Presidential decree and implementing regulations.
More laws and regulations are sure to follow. Just within the past year, governments in Brazil, Chile, and Ecuador have publicly considered adoption of new data privacy laws.
Of the laws on the books, all but that of Mexico have closely hewed to the example set by the European Union and its Data Protection Directive of 1995 and E-Privacy Directive of 2002. In contrast to the case-by-case and sector-specific approach prevailing in the United States, a more prescriptive approach is favored in Europe. Among the factors accounting for the commonality between the approaches by LatAm countries and the EU are:
- Many LatAm countries’ desire to obtain an “adequacy” determination from the European Commission so that data may flow freely from the EU to the subject country in LatAm, as Argentina and Uruguay have done;
- Cultural values prevailing in both regions that view data privacy as a fundamental human right; and
- Formal ties between LatAm policymakers and counterparts in Spain, via the Red Iberoamericana de Protección de Datos.
It therefore is not uncommon to see restrictions on cross-border data transfers based upon the “adequacy” of the destination country’s laws, requirements for express consent as a pre-condition to processing of personal data, and requirements to register databases with the national regulator.
New data privacy laws in Latin America also reflect heightened attention in the region to rights of access, deletion, and rectification. These elements arise from the “habeas data” rights enshrined in the democratic constitutions of many LatAm countries that emerged from dictatorships in the 1970s and 80s. (Literally meaning “you have the right to the data,” habeas data rights allow citizens to petition a constitutional court for disclosure and other remedial actions with respect to information held about them by the government.)
Mexico is an important and notable exception to the EU-focused trend in other LatAm countries. Its Ley de Proteccción de Datos Personales represents what may become a “third way” that builds upon elements from the EU, other laws in the LatAm region, and the Asia Pacific Economic Cooperation (APEC) framework, along with innovations of its own. The Mexican legislation’s approach to international data transfer provides a case in point:
- In its privacy notice, the data controller must describe and obtain consent with respect to the circumstances in which a customer’s data will be transferred to domestic or foreign third parties.
- The law holds the data controller accountable for ensuring that the third party to whom data is transferred adheres to the standards of the Mexican law.
- In short, Mexico’s data privacy law regulates data transfers but does so in a flexible, results-oriented manner that focuses on how rather than where the data is processed.
Other innovations in the Mexican law include, in the implementing regulations to the law, the first-ever provision governing the use of cloud computing services by data controllers. As other countries in the region consider and develop their own data protection frameworks, it will be interesting to see whether and how elements in the Mexican law are incorporated alongside, or in lieu of, EU-inspired rules.
In any event, Latin America is sure to remain a major force in the international dialogue on data protection — both at the conference in Punta del Este later this month, and beyond.