IAPP Global Privacy Summit (Washington, DC April 21, 2010)
Alberto Cerda, Cédric Laurant, Renato Opice Blum
https://www.privacyassociation.org/events_and_programs/global_privacy_summit/
Recent Privacy and Data Protection Developments in Latin America: Their Impact on North American and European Multinational Companies
Presentation available at http://cedriclaurant.files.wordpress.com/2010/05/iapp_presentation-fv-ppt3.pdf
Outline
Introduction
A. Recent legislative, case law and public policy developments in privacy in Latin America
B. How new developments in the E.U. and the U.S. are influencing the public policy debate about privacy in Latin America
C. Impact of new developments on multinational companies doing business in the LAC region
Q&A
IAPP Global Privacy Summit Washington, DC 2010
Introduction
Habeas data:
Constitutional right granted in several Latin American countries; designed to protect, by means of an individual complaint presented to a constitutional court, the image, privacy, honour, information self-determination and freedom of information of a person.
A. Recent legislative, case law and public policy developments in privacy in Latin America
PRIVACY
LEGAL VIEW DATA PROTECTION
BRAZIL
CONSTITUTION
Section 5.10 – Intimacy, privacy, honor and image of persons – INVIOLABLE.
Section 5.12 – Secrecy of correspondence and Telecom – INVIOLABLE.
CIVIL CODE
Section 20 – Disclosure of writings, the transmission of the word, or publication, display or use of the image of a person.
Section 21 – Private life of a person – INVIOLABLE.
EXPECTATION OF PRIVACY
SÃO PAULO STATE COURT DECISION
Violation of image rights, privacy, intimacy and honor by being photographed and filmed (in intimacy) on locations – Spanish beach – Injunction to terminate the exhibition of movies and photos on web-sites because of the presumption of lack of consent to the publication. Filling with a daily penalty payment of $ 250,000.00, to inhibit infringement of the command to abstain. The paparazzi are known for aggressively working with the capture of images, which characterizes the illegality of their activities [voyeurism]. Denying injunctive relief would reward the work of these professionals that do not require authorization for their photos and, especially, to legalize the sensationalism and scandal propagated by the media, without permission of those involved.
RIO DE JANEIRO STATE COURT - INTERLOCUTORY APPEAL
SEARCH ENGINE FILTER “I note that the injunction has already been accomplished by placing a FILTER ON THE SEARCH ENGINES, in this manner, it seems more reasonable to maintain the status quo, pending the examination of the matter, without any harm to the plaintiff and without prejudice for the defendant, which has fully complied with the measure.” (Interlocutory appeal 20006.002.05508)
ARGENTINA
In the two search engines (Google and Yahoo) it’s possible to make a search that avoids the appearance of certain word search results. In fact, this procedure could be configured to avoid a certain word being linked with others in certain types of search or any search; it is technically possible to adapt the search for information, avoiding certain words. IT IS POSSIBLE TO SET UP FILTERS THAT DO NOT ALLOW STATIC LINKING SITES TO INDEX CERTAIN WORDS WITH PORNOGRAPHIC, EROTIC OR SEXUAL CONTENT, AND ESTABLISH OTHER INDEX IMAGES THAT DO NOT ALLOW CERTAIN PEOPLE(…) The content selection control cannot affect the operation of a search engine site and/or access to Internet content by users. (99.620/06)
ARGENTINA – COURT DECISION SEARCH ENGINE FILTER
MARADONA FORBIDS GOOGLE TO ASSOCIATE HIM TO SITES WITH SEXUAL CONTENT
BRAZIL – PARANA STATE COURT
NEWS ON THE INTERNET CAUSES HARM TO CITIZEN’S HONOR HE WAS NOT GUILTY, BUT THERE WAS NO NEWS ABOUT THAT, ONLY ABOUT THE ONGOING LAWSUIT.
JUDGE ORDERS GOOGLE TO SET UP A FILTER TO RANDOMIZE RESULTS WITH THE PLAINTIFF’S NAME, ENABLING VARIETY OF NEWS
PARANA STATE COURT 1819/2008
CAMERAS, ZOOM, SATELLITES AND ‘STREET VIEW’
BRAZIL TRACKING DEVICE PUBLIC ATTORNEY’S OFFICE REQUESTS THAT VEHICLES NOT BE MANUFACTURED WITH TRACKING DEVICE, CONSIDERING PEOPLE’S PRIVACY.
Source: IDG Now! (http://migre.me/oOUI)
BRAZIL CONSUMER DEFENSE CODE Section 43 – Database access. Section 72 – Block access. Penalty – detention from six months to one year or a fine.
PRIVACY SANTA CATARINA STATE COURT DECISION
Consumer Defense Association causes damages to consumers disclosing its database to third parties. Association must include a warning about the disclosure and ask for permission.
BRAZIL
WIRETAPPING – ACT 9296/1996 Section 1 – Interception of telephone communications – flow of communication. Section 10 – Intercept communication or break secret of Justice, without judicial authorization – confinement from two to four years and fine.
PRIVACY SÃO PAULO STATE COURT DECISION Breach of confidentiality of correspondence, telegraphic, data and telephone communications - Nonoccurrence - Seizure of emails in possession and knowledge of the recipient by a court order - strong suspicions that the material might enlighten the criminal infraction – interpretation of art. 5, XII of the Constitution. THERE IS NO VIOLATION OF THE SECRECY OF CORRESPONDENCE.
ARGENTINA – CONSTITUTION
PRIVATE LIFE Section 19. The private actions of men which in no way offend public order or morality, nor injure a third party, are only reserved to God and are exempted from the authority of judges. No inhabitant of the Nation shall be obliged to perform what the law does not demand nor deprived of what it does not prohibit.
ARGENTINA – CIVIL CODE
Section 1071 bis: Whoever arbitrarily interferes in the lives of others, publishing pictures, disclosing correspondence, mortifying sentiments or disturbing privacy anyway, will be compelled to cease such activities, if not previously ceased, and to pay fair compensation to be determined by the Court, under the circumstances.
ARGENTINA – DATA PROTECTION ACT – 25326/2000
GENERAL PRINCIPLES OF DATA PROTECTION. RIGHTS OF HOLDERS OF DATA. AND USERS OF ARCHIVES, RECORDS AND DATABASES
General Provisions (Section 1 to 2) General principles of data protection (Section 3 to 12) Rights of data holders (Section 13 to 20) Users and files, records and databases responsible (Section 21 to 28)
Control (Section 29 to 30) Sanctions (Section 31 to 32) Personal data protection actions (Section 33 to 48)
ARGENTINA – COURT DECISION
“Inviolability of correspondence and telecommunications, in this case, the interception of text messages is only possible with request to Court.”
http://adirferreira.files.wordpress.com/2009/02/sms.jpg
COURT DENIES TEXT MESSAGE AS EVIDENCE OF INFIDELITY OF WIFE
PARAGUAY – CONSTITUTION
Section 135. Everyone may have access to information and data about themselves, or on their property contained in official or private records with public aspects, and to know the use made of them and their purpose. Everyone may request the Court to update, correct or destroy any records that are erroneous or that unlawfully affect their rights.
PARAGUAY – PRIVACY ACT – 1682/2001
REGULATES PRIVATE INFORMATION
Section 3: The collection, storage, processing and publication of data or personal characteristics is permitted when made for scientific, statistical, survey, public opinion or market study purposes, provided that no publications individualize investigated persons or entities.
Section 4: It is forbidden to publicize or disseminate sensitive information in which people are explicitly individualized or identifiable. Sensitive data are those relating to race or ethnicity, political preferences, individual health status, religious, philosophical or moral sexual intimacy and, generally, those that promote prejudice and discrimination, or affect the dignity, privacy, image, domestic intimacy and privacy of individuals or families.
URUGUAY – ACT – 18331/2008
GENERAL PROVISIONS (Section 1 to 4)
GENERAL PRINCIPLES (Section 5 to 12)
RIGHTS OF DATA HOLDERS (Section 13 to 17)
SENSITIVE DATA (Section 18 to 23)
PUBLIC DATABASE (Section 24 to 27)
PRIVATE DATABASE (Section 28 to 30)
CONTROL (Section 31 to 36)
PERSONAL DATA PROTECTION ACTIONS (Section 37 to 45)
TRANSITIONAL PROVISIONS (Section 46 to 49)
Telecommunications – Breach of confidentiality - "E-mail" sent from Brazil to the electronic address of the White House in the City of Washington, DC, written in English, containing threats to physical integrity of the person of the American President and his family – The Police Service Provider requested to provide identity and address of user connected at that moment to such “IP” number – Notification rejected under the protection that the data request is guaranteed by the Constitution for federal services telecommunications, so that they would be subject to the breaking procedures imposed by Law No. 9296/96, especially with regard to the need for a court order - Habeas Corpus to not be prosecuted for disobedience. Habeas corpus denied. Need of legal authorization for the breach of confidentiality of telecommunications - postal, telephone or transmission of messages or data.
SUPREME LABOR COURT
PASSWORD IS A PROTECTION TOOL FOR THE EMPLOYER
Password does not imply any expectation of privacy regarding corporate email, once the PASSWORD IS A PROTECTION TOOL OF THE EMPLOYER, TO PREVENT THIRD PARTIES NOT RELATED TO HIS CONFIDENCE TO ACCESS THE CONTENT OF MESSAGES. (…) Also, there is no harm to the principle of inviolability of intimacy and privacy (Sect. 5, X, FC), once there is no intimacy or privacy of the employee to be guarded with respect to the use of corporate email available by the Company. Otherwise, the employee had no reasonable expectation of privacy, which is conveyed by the statement that the corporate e-mail was intended "only to issues and matters affecting the service" (fl. 636). Lastly, there is no harm to the principle that ensures admissibility in the process of evidence obtained by illegal means (Sect. 5, LVI), the corporate e-mail is a Company property, merely transferred to the employee for working purposes, the employer may exert control both on form and material (content) of the messages that travel through his information network.
ARGENTINA – COURT DECISION
E-MAIL MONITORING
E-mail at work. Private use. Importance as a work tool. Privacy. Need for clear policies on its use. Dismissal for cause. Rejection. (CAUSE 15198/2001 S. 36580)
“e-mail has more privacy protection than the classic post, because to operate it, it is required the use of a service provider, a user name and password, no doubt, to prevent others from breaking into the data and content sent/received. (…) according to constitutional perceptions, addition of proofs concerning the alleged emails are violation of the privacy with the consequent harm of his dignity and self-determination.” (C. 35.369 Ins. 18/156)
BRAZIL – SOME CASES
MEDICAL CLINIC: database copy / unfair competition
M COMPANY: illegal video
BROKER COMPANY: database breach / unfair competition
T COMPANY: database breach
CHEMICAL INDUSTRY COMPANY: database breach
RACE DRIVER: image damage
BEVERAGE COMPANY: 483 confidential files
THE ARROWS POINT TO…
GREETINGS
Ambassador Roberto Campos: “the ones that stay in this House have before them a formidable reformist agenda. I wish them the same as theologian Reinhold Niebuhr did: ‘That God give you the serenity to accept things that cannot change, courage to change those things that can change and wisdom to know the difference between them’.”
MEXICO CONSTITUTION
- Since 2007, the Constitution expressly acknowledges the right of personal data protection as a fundamental right.
- “The information pertaining to private life and personal data shall be protected pursuant to the terms and exemptions set forth in the laws.” “Every person, without the need to prove his own legal interest or justify his use, shall have free access to public information, to his own personal data and the correction of such data.”
- In 2009, the Constitution mandates Congress to enact a data protection law for the private sector within 12 months from the publication of the reform. Deadline is April 30, 2010.
MEXICO LEGAL FRAMEWORK AT THE FEDERAL LEVEL
- There is no comprehensive law on personal information protection.
- There are several laws about privacy and data protection in specific fields, such as finance and banking, consumers' rights, credit information, telecommunications and national security.
- The Federal Law of Transparency and Access to the Government Public Information (LFTAIPG) standardizes principles under which the various organs of the State must process citizens' personal data.
- Federal Consumer Protection Law sets forth restrictions on direct marketing and credit reporting agencies.
MEXICO LEGAL FRAMEWORK AT THE STATE LEVEL
- In the Mexican federal system, states have some leeway to adopt a data protection law. In fact, some of them have adopted this kind of regulation. For example:
- In 2003, the State of Colima enacted a Personal Data Protection Law whose purpose is to protect and guarantee the protection of personal data as a fundamental human right.
- In 2005, the State of Jalisco modified the state Civil Code in order to regulate the protection of personal data, including data contained in electronic registries of private entities.
MEXICO LEGAL FRAMEWORK AT THE STATE LEVEL
- In 2006, the state of Guanajuato adopted the Personal Data Protection Law, which includes the creation of the State's Personal Data Protection Register and the Institute of Access to Public Information of Guanajuato, which is the authority in charge of guaranteeing personal data protection.
- In 2009, the state of Tlaxcala passed an Access to Public Information and Personal Data Protection Law, which regulates processing of personal data by the public and the private sector. The law creates the Personal Data Register and the Commission for Access to Public Information and Personal Data Protection of the State of Tlaxcala, the enforcement authority.
MEXICO SELF-REGULATION
- In 2004, Mexico supported the APEC Privacy Framework, and became one of the main actors promoting self-regulation among APEC economy members.
- In 2007, the Mexican Advertising Internet Association (AMIPCI) released its trustmark, “Sello de Confianza AMIPCI.” The trustmark seeks to enhance security on e-commerce transactions and represents an acknowledgement that institutions and businesses adhering to AMIPCI’s trustmark include privacy and information policies based on international privacy guidelines.
- Around 300 organizations have adopted the trustmark.
- Unfortunately, the system does not promote standardization in privacy and information policies among its users. Additionally, some findings have shown inconsistencies: 5% of memberships are expired, 5% of websites do not include the mark, and 17% of websites do not make policies available. Overall, there is 23% non-compliance.
MEXICO OBSTACLES TO OVERCOME
1. Proliferation of federal regulation and absence of a general legal framework for the whole country.
2. Differences between state regulations.
3. Lack of provisions about transborder data flows.
4. Absence of a national public authority in charge of supervising compliance, providing assistance, and coordinating internationally.
RELEVANT INTERNATIONAL INSTRUMENTS
OECD Recommendations on Privacy. Mexico is an OECD member since 1994.
APEC Privacy Framework, 2004.
Economic Partnership, Political Coordination and Cooperation Agreement between the European Community and its Member States, and the United Mexican States, 2000.
MEXICO BILLS ON PERSONAL DATA PROTECTION
- Since 2001, there have been six data and privacy bills, which are modeled loosely on international data protection standards such as those found in the EU Data Protection Directive, the Spanish Data Protection Law, the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, and the APEC Privacy Framework.
- In 2007, the Federal Institute of Access to Public Information signed a MOU with the Spanish data protection authority, in order to promote the protection of personal information and improve the collaboration among them.
- In 2007, Commissioners of the Federal Institute of Access to Public Information unanimously approved the creation of a working group to develop a data protection bill.
- In 2009, the Constitution obliged the Congress to enact a data protection law for the private sector within 12 months from the publication of the reform. The deadline is April 30, 2010.
CHILE CONSTITUTION
Article 19 – Secures for all persons, the respect and protection of private life, the honor of an individual and his family, as well as the inviolability of the home and of all forms of private communications. The home may be invaded and private communications and documents intercepted, opened, or inspected only in cases and manners determined by law. Article 20 – Judicial Remedy (Action of Protection) 2008: a Bill modifies the Constitution and introduces the right to control the information about oneself.
CHILE GENERAL LAW
Law 19.628 on the Protection of Private Life (1999) – A comprehensive law that covers the processing and use of personal data in the public and private sectors, and the rights of individuals (of access, correction, and judicial control). The law contains a chapter dedicated to the use of financial, commercial and banking data, and specific rules addressing the use of information by government agencies. It also includes fines and damages for the unlawful denial of access and correction rights.
Several bills intend to modify the law in order to improve the protection of consumers' personal data, introduce competitiveness in the market of credit reports, and adopt provisions about cross-border personal data transfer.
CHILE SPECIAL LAWS
LABOR CODE (LAW 19.759, 2001)
Employers cannot condition the hiring of an employee on the lack of personal or economic debts. Employers cannot violate the privacy of an employee in the workplace.
LABOR DECISION: CONTROLLING E-MAIL AT THE WORKPLACE
According to the law, in managing his company an employer can regulate the use of e-mail within the company, but in no case may he access the private electronic communications sent or received by workers. (Opinion No. 260-19, Labor Office (Dirección del Trabajo), Jan. 24, 2002)
CHILE SPECIAL LAWS
CREDIT REPORT
Supreme Decree (executive decision) 950, 1928, guarantees a virtual monopoly to the Chamber of Commerce of Santiago (CCS) for processing personal data related to credit reports. However, by the ‘90s, there are three other main companies providing credit reports in the country, two of them American. Law 19.628 also regulates the kind of information that can be included in such reports, and sets forth some requirements for its processing.
MODIFICATION ON CREDIT REPORTS
Starting in January 2010, a new law guarantees the right of personal data subjects to modify and delete non-updated and/or wrong personal information, for free. (Supreme Decree 998, 2006, Minister of Economy and Minister of Treasury)
CHILE SPECIAL LAWS: SPAM REGULATION
LAW 19.955, 2004
Law 19.955, by modifying the Consumer Protection Law, regulates unsolicited commercial communications (spam).
1. Opt-out system.
2. Formal requirement for electronic commercial mail.
3. Fines in case of new communication after opt-out.
ECONOMIC SANCTION AGAINST SPAMMERS
In December 2007, the National Service of Consumers took a decision against a company that continued sending unsolicited commercial mail, even after the plaintiffs requested removal from the list. The decision imposed a fine of approximately $2,000. (Court of Appeals of Santiago, December 17, 2007)
CHILE OBSTACLES TO OVERCOME 1. Some ambiguities exist in the applicable law, such as “public access source”, “purpose of data processing”, “requirement of consent” (by data subject), and scope of data processing by the public sector. 2. Lack of provisions about transborder data flows. 3. Absence of a data protection authority in charge of supervising compliance, providing assistance, and coordinating internationally.
PERSONAL DATA PROTECTION COOPERATION
Chile entered into a bilateral association agreement with the EU by which the two parties agree to cooperate on increasing the level of data protection in their jurisdictions. (Article 30 of the European Union-Chile Association Agreement, 2003)
CHILE PRIVATE SECTOR SELF-REGULATION INITIATIVES
- Chile is part of the APEC Privacy Framework, 2004.
- E-Trust Initiatives: There have been some initiatives of self-regulation and self-control, but none of them proved successful.
  - Confiare, an e-trust service that provided protection in processing children’s personal data, by the National Chamber of Commerce, 2003.
  - Code of Best Practices for e-Commerce of the Chamber of Commerce of Santiago, 2005.
PUBLIC ENFORCEMENT OF DATA PRIVACY LAWS
Starting in 2009, the Law of Public Transparency and Access to Public Information provides that the “Transparency Council” shall supervise the implementation of the personal data protection law, but only in the public sector. Applies to government contractors. (Law 20.285, August 20, 2008, about access to public information)
CHILE RECENT DEVELOPMENTS: ENFORCING THE LAW IN THE PRIVATE SECTOR
- European Union-Chile Association Agreement, 2003.
- Agreement between the Chilean Government and the Spanish Data Protection Authority, March 2008.
- Executive Branch introduces bill in Congress that modifies the Data Protection Law, Nov. 2008.
- The proposal is still under discussion in Congress.
PURPOSE OF THE BILL
- Provides an “adequate level of protection” for personal data.
- What does it mean?
1. Transparency Council will have competence over the private sector, in order to supervise compliance.
2. Adoption of provisions on transborder data flows.
3. Satisfies OECD and EU standards.
CENTRAL AMERICA
COSTA RICA
EL SALVADOR
GUATEMALA
HONDURAS
NICARAGUA
PANAMA
CENTRAL AMERICA
PROTECTION AT THE CONSTITUTIONAL LEVEL
- No Central American country has an express recognition of the right to data protection.
- However, most countries provide constitutional protection for the “right to privacy”, except Panama and Guatemala.
- Countries do not have “habeas data” at the constitutional level, but some of them have a general constitutional remedy.
PROTECTION IN THE LAW
- No Central American country has a comprehensive personal data protection law.
- Most countries have legal provisions that protect personal data in their laws on access to information and public transparency (Panama, 2002; Honduras, 2006; Nicaragua, 2007; and Guatemala, 2008).
- There are telecommunication laws and credit reporting laws.
CENTRAL AMERICA INTERNATIONAL INSTRUMENTS
- Political Dialogue and Cooperation Agreement between the EU and Central America, 2003, parties agree to cooperate on the protection in the processing of personal data.
BILL ON PERSONAL DATA PROTECTION
- At least two Central American countries have legislative discussion on bills that would regulate data protection: Nicaragua and Costa Rica. One of the proposals discussed in Costa Rica intends to adopt a comprehensive regulation similar to the European one.
BOLIVIA
CREATION OF A GOVERNMENTAL REGISTRY OF ALL MOBILE PHONE USERS
to prevent, reduce and detect theft of mobile phones or their loss; in order to control their second hand sale or use for criminal activities.
COLOMBIA NEW HABEAS DATA LAW (2008)
Regulates the constitutional right of habeas data (the right of data subjects to know the data held about them in public or private databases, and to update or correct it if necessary).
Focuses on the protection of credit reports and financial personal information.
Lacks teeth to address international data transfer issues: scope too limited to provide enough protections for information processed by European companies’ subsidiary call centers based in Colombia.
Adequate protection? No. European Commission’s opinion: adequate to regulate the financial sector, but not medical, religious, ethnic, and other types of personal data.
Does not solve most of the issues. Quick and limited fix for now. Effectiveness of enforcement will depend on how supervisory authorities will exercise their mission.
COLOMBIA NO-SPAM REGISTRY FOR MOBILE PHONE USERS
National telecoms regulatory authority proposed to create a national registry where users could subscribe their mobile phone number and request to be excluded from receiving unwanted SMS messages. Purpose: decrease the number of unsolicited text messages on mobile phones.
ICT ACT 1341 OF 30 JULY 2009
Main objectives: protect users’ rights and regulate the sector through the Superintendency of Industry and Commerce, the National Radio Spectrum Agency and the telecoms regulatory authority (CRT).
COLOMBIA WORKPLACE PRIVACY CASE
A company manager filmed a female co-worker with a remote webcam linked to his laptop. He was sentenced to a fine and the payment of moral damages worth about $18,000. (Supreme Court, Ruling No. 26157 of July 29, 2008.) The court held that the filming and photographing of workers’ intimacy without the workers’ consent, constitutes a violation of privacy. The Criminal Code establishes penalties for the violation of communications, the offer, sale or purchase of instruments to intercept private communications, and the violation of privacy and intimacy in the workplace.
COLOMBIA NEW CYBERCRIME LAW 1273 OF 2009
Criminalizes the illegal acquisition and sale of personal data, phishing, hacking, use of malware and viruses, computer theft.
PRIVACY IN E-GOVERNMENT SERVICES
General obligation of all government entities that use electronic resources to manage the information of citizens in a manner respectful to their privacy. Decree No. 1151 of 2008 establishes general principles to follow in how online services are provided by the government. Protection of privacy is further regulated by the Ministry of Communications’ “e-Government Policy Manual,” applicable throughout all governmental entities.
PERU NO DATA PROTECTION LAW. NO DATA PROTECTION AUTHORITY BILL STILL UNDER DISCUSSION
In the Council of Ministers; not introduced yet in the Parliament. Draft bill contains provisions on data subjects' rights, data controllers' obligations, the supervisory authority (assigned to the National Office of e-Government and Informatics (ONGEI)) as well as sanctions. If the bill is passed, existing data protection regulations (including bank, credit card and medical information regulations) would have to be adapted.
PERU CREATION OF NEW PUBLIC AND PRIVATE DATABASES ON THE RISE NEW REGULATION ON ELECTRONIC SIGNATURES
All governmental agencies’ procedures, as well as all personal data stored in databases, must follow the Legal Privacy Guidelines.
PERU NEW ELECTRONIC ID
Purposes: provide more security and reduce forgery. May be used as a means of payment to file documents through e-government portals (e.g., tax filing), for e-voting, and to hold various types of information such as medical information. May also be used later in cybercafes.
ANTI-SPAM LAW
Was modified to clarify the complaint procedure and increase applicable fines. In Sept. 2009, the Consumer Protection Commission (INDECOPI) passed a resolution sanctioning a Peruvian company for sending spam.
PERU FREE TRADE AGREEMENTS
Peru signed them in Nov. 2008 with the US and Canada. Bilateral negotiations under way with the EU, South Korea and China. The e-commerce chapter of the Peru-Canada free trade agreement includes a data protection clause: Article 1507: Protection of Personal Information: the Parties recognize the importance of the protection of personal information in the online environment. To this end, each Party should “adopt or maintain legal, regulatory and administrative measures for the protection of personal information of users engaged in electronic commerce; and exchange information and experiences regarding their domestic regimes on the protection of personal information.”
PERU ELAC REGIONAL INITIATIVE
Considers ICTs as instruments for economic development and social inclusion. Long-term vision (until 2015) in line with the Millennium Development Goals and those of the World Summit on the Information Society.
“SAN SALVADOR COMMITMENT” (2008)
2nd Ministerial Conference on the Information Society in Latin America and the Caribbean. Mandates the Working Group on the Information Society’s Legal Framework to “facilitate dialogue and coordination of various regulatory initiatives at the regional and local levels that may contribute to the region’s regulatory harmonization, especially on the topics of privacy and data protection”; “invites countries to consider the possibility of ratifying or acceding to the Council of Europe Cybercrime Convention as an instrument to facilitate [the] integration and regulatory adaptation in this area within the framework of principles of protection of the right to privacy.”
PERU MAJOR CORRUPTION AND POLITICAL AND CORPORATE ESPIONAGE CASE (2008-2009)
Prompted the Ministry of Transport and Communications to enact a Ministerial Resolution to safeguard the right to the inviolability of communications and data protection, and to regulate the supervisory and control activities of franchisee companies. Among the new obligations, the operators must submit an annual report on measures and procedures established to protect the secrecy of telecommunications and the protection of personal data of their subscribers to the General Directorate for Control of the MTC.
The case: illegally obtained wiretapped conversations revealed the corruption of the Director of Petro-Peru (the government body responsible for promoting oil investment) and a former Peruvian Minister by a Norwegian oil company that was bidding for oil lots in its favor. The disclosure of the audio recordings on national TV caused the resignation of the entire cabinet and the Peruvian government suspended all contracts with the Norwegian company. A company, Business Track, was allegedly hired to intercept telephone communications for an oil company that competed with the Norwegian company. In Jan. 2009, the Prosecutor convicted five marines and three civilians involved in the illegal wiretapping.
B. How new developments in the E.U. and the U.S. are influencing the public policy debate about privacy in Latin America
- US bilateral free trade agreements
- APEC Privacy Framework
- EU “adequate protection”
- Data protection authorities’ work and best practices
C. Impact of new developments on multinational companies doing business in the LAC region
STATE OF THE ART
Legal mosaic
Fragmentary approach to the regulation of personal data protection:
- each country adopts its own regulation
- no serious multilateral initiative on the matter.
- OAS’s initiative did not work.
- Nothing done by MERCOSUR, Andean Commission, and CARICOM (Caribbean Community).
International standardization not successful in Latin America
In spite of the efforts of the EU, the OECD, and APEC, there is no harmonization among member economies. Lack of political commitment on the matter. In general, quite difficult to find political or technical counterparts in Latin American countries.
Too much is going on in Latin America. But, in general, it is possible to identify at least two clear tendencies: 1) Harmonization around EU standards; and 2) Inclusion of privacy in public transparency and access to information laws.
DOING BUSINESS: IF YOU NEED AN ADEQUATE LEVEL OF PROTECTION
“Adequate level of protection” is the standard adopted by the European Union for recognizing third countries when a data controller exports data from the EU to one of those countries.
Argentina is the only country that complies with EU adequacy standards. In 2003, the EU certified the Argentinean economy as one that provides an adequate level of protection.
1st “B PLAN”: Business initiatives in other LATAM countries require authorization by European authorities. This has been the preferred solution adopted in Colombia and Chile. Keep in mind the cost of getting the European authorization (money, time, and expertise).
2nd “B Plan”: Adopting Binding Corporate Rules. These are binding rules adopted by companies and approved by the European Union that allow them to process personal data in global initiatives. Also keep in mind the cost of getting the European homologation (money, time, and expertise); in fact, those rules better fit the requirements of multinational initiatives.
The legislative landscape is changing. Because of the comparative advantages of being a country that provides an adequate level of protection, Latin American countries are moving in that direction. Uruguay should soon qualify as an “adequate” country for the EU. Chile, Colombia and Mexico are legislating on the subject.
DOING BUSINESS: IF YOU DO NOT NEED TO COMPLY WITH THE EUROPEAN ‘ADEQUACY’ STANDARD
Do not confuse lack of “adequate level of protection” with no protection at all. The fact that most countries do not have a comprehensive data protection law does not mean that those countries do not have any protection at all. It ain’t the ‘Wild West’.
Almost every Latin American country has constitutional protection and general provisions about privacy in civil and criminal laws. Sometimes that level of protection can be enforced against the private sector.
=> Even without a privacy law, a company can be sued under most LAC countries’ constitutions.
Several countries have fragmentary regulation. This is particularly true in fields such as telecommunications, public transparency and access to information, consumer protection, credit reports, and spam regulation.
=> Compliance requires hiring local counsel.
HOW LIKELY ARE LAC COUNTRIES TO ADOPT NEW DATA PROTECTION LAWS?
TRANSBORDER DATA FLOWS AND CALL CENTERS
DIFFERENCE BETWEEN US AND EU COMPANIES
a) Brazil
b) Chile
c) Colombia
The BPO sector and call centers intend to get a broader Habeas Data law in order to obtain the acknowledgment of adequate protection pursuant to the EU DP Directive and establish call centers that are subsidiaries of EU companies. Adequacy examination started in March 2010 and may last until 2012. Colombia is losing ground against competition (Argentina and other countries) for a sector that could add up to 100,000 new employees in Colombia in 2010.
CONSUMER PROTECTION, CONSUMER TRUST AND DATA PROTECTION
Lower in LAC countries; no strong consumer protection agency and poor enforcement of consumer protection laws. Ratio legis of data protection laws: promotion of consumer trust and cross-border flows of personal data. What business stance to adopt in Latin America?
Q&A
Alberto Cerda, Law Professor, University of Chile Law School; LL.M. Student (Georgetown University) acerda [at] uchile [dot] cl
Cédric Laurant, Independent Privacy Consultant http://blog.cedriclaurant.org - cedric [at] laurant [dot] org
Renato Opice Blum, CEO and Partner, Opice Blum Advogados Associados (Brazil) http://www.opiceblum.com.br - renato [at] opiceblum [dot] com [dot] br