New Data Protection Laws and Case Law Trends in Central & South America by Cedric Laurant

New Data Protection Laws and Case Law Trends in Central & South America (final version)

Dallas, TX (USA) September 15, 2011

Presentation available at <http://cedriclaurant.com/wp-content/uploads/2011/09/110916-new_latam_data_prot_laws_case_law_trendsfv.pdf.zip>

WWW.OPICEBLUM.COM.BR

Renato Opice Blum @opiceblum

renato@opiceblum.com.br

Attorney and economist, Digital Law coordinator of GVLaw and of the MBA on Electronic Law at Escola Paulista de Direito; InvitedProfessor at USP and Mackenzie Presbyterian University; President of the Council of Information Technology and Communication of the Commerce Federation of São Paulo/SP and of the Technology Law Committee of AMCHAM; Advisor of the Committee of High Technology Crimes of Brazilian Bar Association; International Lectures: Global Privacy Summit 2010, 73rd Conference of the International Law Association; ISSA International Conference 2010; HTCIA International Conference 2010; Inter American Bar Association: Reunión del Consejo y Seminario 2010, Invited Participant at The Sedona Conference 2010 and invited lecturer at the 3rd Annual Sedona Conference 2011; Seton Hall Law – 2011 and ABA annual meeting 2011; Coordinator and co-author of the book “Manual of Electronic Law and Internet” and “Electronic Law: internet and the courts”

New Data Protection Laws and Case Law Trends in Central & South America

Dra. Ana Brian Nougreres Legal Consultant at the Uruguayan Parliament, Senate and Chamber of Representatives and at the Uruguayan College of Attorneys. Teacher at School of Law, Legal Informatics Chair, Universidad de la República Oriental del Uruguay. Chief Consultant at Estudio Jurídico Briann and Associates. E-mail: abrian [at] netgate [dot] com [dot] uy

New Data Protection Laws and Case Law Trends in Central & South America

Cédric Laurant  Principal, Cedric Laurant Consulting (Brussels)  Attorney at law (Washington, DC) E-mail:

c [at] cedriclaurant [dot] com

Website: http://cedriclaurant.com Blogs:

http://cedriclaurant.org http://security-breaches.com

Linkedin: http://www.linkedin.com/in/cedriclaurant

New Data Protection Laws and Case Law Trends in Central & South America

Outline Introduction A. Brazil B. Uruguay & Argentina C. Colombia, Peru, Costa Rica D. Key take aways Q & A

New Data Protection Laws and Case Law Trends in Central & South America

Outline Introduction (Cedric Laurant) A. Brazil B. Uruguay & Argentina C. Colombia, Peru, Costa Rica D. Key take aways Q & A

New Data Protection Laws and Case Law Trends in Central & South America

Introduction Most important privacy developments in Brazil, Argentina, Uruguay, Colombia, Peru and Costa Rica. Recent regulatory and case law trends that affect how you do business in Central and South America. How the most recent Latin American data protection laws are likely to be implemented. Q&A

New Data Protection Laws and Case Law Trends in Central & South America

Outline Introduction

A. Brazil (Renato Opice Blum) B. Uruguay & Argentina C. Colombia, Peru, Costa Rica D. Key take aways Q & A

New Data Protection Laws and Case Law Trends in Central & South America

Brazil

New Data Protection Laws and Case Law Trends in Central & South America

The children of darkness are always faster than the children of light. Lucas chapter 16 verse 8 12

New Data Protection Laws and Case Law Trends in Central & South America

BRAZIL â&#x20AC;&#x201C; SOME CASES MEDICAL CLINIC database copy / unfair competition M COMPANY illegal video BROKER COMPANY database breach / unfair competition T COMPANY database breach CHEMICAL INDUSTRY COMPANY database breach RACE DRIVER image damage BEVERAGE COMPANY 483 confidential files 13

New Data Protection Laws and Case Law Trends in Central & South America

PERSONAL DATA BILL OF LAW

Article 1. The aim of this project guarantees and protection, in the area personal information specially dignity and fundamental rights of the person, specially with regard to his/her freedom, equality and personal privacy in terms of art 5 of Federal Constitution. Article 2. Everybody has the right to the protection of his/her personal data.

New Data Protection Laws and Case Law Trends in Central & South America

PERSONAL DATA BILL OF LAW Article 35. The international transfer of personal data is only allowed to countries that provide a level of data protection comparable to the one of this law, unless the following exceptions: I - when the owner has expressed his own free consent, express and informed to the transfer; II - when it is necessary for the implementation of obligation under a contract of which the holder is a party; III - when it is necessary to guarantee a significant public interest specified by law; IV - when it is necessary for international cooperation among government agencies for intelligence and research, according to international law instruments to which Brazil is bounded; V - when it is necessary to defend a right in court, if the data are transferred solely for this purpose and for the necessary period of time; VI - when it is necessary to protect the life or physical safety of the owner or third party, if the holder cannot provide its consent because of physical impossibility, incapacity to act or understand.

New Data Protection Laws and Case Law Trends in Central & South America

CONSTITUTION Section 5.10 – Intimacy, privacy, honor and image of persons – INVIOLABLE. Section 5.12 – Secrecy of correspondence and Telecom – INVIOLABLE. CIVIL CODE Section 20 – Disclosure of writings, the transmission of the word, or publication, display or use of the image of a person. Section 21 – Private life of a person – INVIOLABLE.

EXPECTATION OF PRIVACY SÃO PAULO STATE COURT DECISION Violation of image rights, privacy, intimacy and honor by being photographed and filmed (in intimacy) on locations – Spanish beach – Injunction to terminate the exhibition of movies and photos on websites because of the presumption of lack of consent to the publication. Filling with a daily penalty payment of $ 250,000.00, to inhibit infringement of the command to abstain. The paparazzi are known for aggressively working with the capture of images, which characterizes the illegality of their activities [voyeurism]. Denying injunctive relief would reward the work of these professionals that do not require authorization for their photos and, especially, to legalize the sensationalism and scandal propagated by the media, without permission of those involved.

New Data Protection Laws and Case Law Trends in Central & South America

NEWS ON THE INTERNET CAUSES HARM TO CITIZEN’S HONOR. HE WAS NOT GUILTY, BUT THERE WAS NO NEWS ABOUT THAT, ONLY ABOUT THE ONGOING LAWSUIT.

JUDGE ORDERS GOOGLE TO SET UP A FILTER TO RANDOMIZE RESULTS WITH THE PLAINTIFF’S NAME, ENABLING VARIETY OF NEWS

PARANA STATE COURT 1819/2008

New Data Protection Laws and Case Law Trends in Central & South America

Brazilian authority postpones to 2012 legislation that obliges tracking devices in new cars.

The Brazilian National Transit Counsel has postponed to 2012 the obligation to install anti-theft devices in all the cars. According to the department, the change was made due to the complexity of the telecommunications infrastructure that may be needed to develop the Integrated System of Monitoring e Automatic Registry of Vehicles (SINRAV, in Portuguese). The installation of the tracking device is mandatory. The obligation to install this device has been postponed since 2009. The main reason is that this law is seen as harmful to the citizensâ&#x20AC;&#x2122; liberty, since anyone can be monitored without consentiment and have their private life invaded.

New Data Protection Laws and Case Law Trends in Central & South America

CONSUMER DEFENSE CODE Section 43 – Database access. Section 72 – Block access. Penalty – detention from six months to one year or a fine. PRIVACY SANTA CATARINA STATE COURT DECISION

Consumer Defense Association causes damages to consumers disclosing its database to third parties. Association must include a warning about the disclosure and ask for permission. New Data Protection Laws and Case Law Trends in Central & South America

WIRETAPPING – ACT 9296/1996 Section 1 – Interception of telephone communications – flow of communication. Section 10 – Intercept communication or break secret of Justice, without judicial authorization – confinement from two to four years and fine.

PRIVACY SÃO PAULO STATE COURT DECISION Breach of confidentiality of correspondence, telegraphic, data and telephone communications - Nonoccurrence Seizure of emails in possession and knowledge of the recipient by a court order - strong suspicions that the material might enlighten the criminal infraction – interpretation of art. 5, XII of the Constitution. T H E R E I S N O V I O L AT I O N O F T H E S E C R E C Y O F CORRESPONDENCE. 20

New Data Protection Laws and Case Law Trends in Central & South America

APPEAL TO THE SUPERIOR COURT OF JUSTICE BRAZIL Nยบ 1.193.764 - SP (2010/0084512-0) APPELLANT : I P DA S B APELLEE : GOOGLE BRASIL INTERNET LTDA

SUMMARY CIVIL AND CONSUMER LAW. INTERNET. CUSTOMER RELATION. CDC (BRAZILIAN CONSUMER DEFENSE CODE). FREE SERVICE. INDIFFERENCE. CONTENT PROVIDER. PREVIOUS FISCALIZATION ON THE CONTENT OF THE USER POSTED INFORMATIONS ON THE WEBSITE. UNNECESSARY. MESSAGE WITH OFFENSIVE CONTENT. MORAL DAMAGE. INHERENT RISK TO BUSSINESS. INEXISTENCE. ACKNOWLEDGMENT OF THE FORBIDDEN CONTENT. IMMEDIATE REMOVAL OF THE CONTENT. DUTY. PROVIDE MEANS FOR THE IDENTIFICATION OF EACH USER. DUTY. REGISTER THE IP NUMBER. SUFFICIENT.

New Data Protection Laws and Case Law Trends in Central & South America

SUPERIOR LABOR COURT – CORPORATE EMAIL AND RECORDINGS AS VALID PROOF FOR DISMISSION “(…) As a subscriber of the internet service provider, the company is responsible for its intern use, in accordance to laws. 8. Thus, if the employee eventually use the corporate email for personal reasons, he should be aware that the access to the content of the messages by the employer do not represent major violation of its mails, nor violation of privacy or intimacy, because we are talking about equipment and technology provided by the employer for usage to work and reach the goals of the company. 9. This way, we do not understand that it sets up no defense to the usage of evidence embodied in access to e-mail box, provided by the employer to his employees. Interlocutory appeal devoided.” 22

New Data Protection Laws and Case Law Trends in Central & South America

SUPERIOR LABOR COURT â&#x20AC;&#x201C; CORPORATE EMAIL AND RECORDINGS AS VALID PROOF FOR DISMISSION INTERLOCUTORY APPEAL IN A REVIEW APPEAL. PAIN AND SUFFERING. GOOD CAUSE. The sentence from the lower level court registred that it does not hurt constitutional standard of financial disclosure and corporate email, especially when the employer, in advance, warn its employees about the rules for using the system and the possibility of tracking and monitoring their email. Interlocutory appeal devoided. 23

New Data Protection Laws and Case Law Trends in Central & South America

SECURITY Law enforcement agencies use social networks in search of incriminating data users

New Data Protection Laws and Case Law Trends in Central & South America

GPS - Monitoring

New Data Protection Laws and Case Law Trends in Central & South America

3rd FEDERAL COURT – LETTERS ROGATORY?

New Data Protection Laws and Case Law Trends in Central & South America

Greetings Ambassador Roberto Campos: "Those who remain in this house have before them wonderful agenda. I wish them, as in the words of theologist Reinhold Niehbuhr: "May God give the serenity to accept the things they cannot change, courage to change the things they can change and the wisdom to know the difference."

New Data Protection Laws and Case Law Trends in Central & South America

Recommendations and Practices for the Safe Use of Internet to Entire Family

Link: http://www.opiceblum.com.br/download/OABMack_Safety.pdf

New Data Protection Laws and Case Law Trends in Central & South America

Outline Introduction A. Brazil

B. Uruguay & Argentina (Ana Brian Nougreres) C. Colombia, Peru, Costa Rica D. Key take aways Q & A 29

New Data Protection Laws and Case Law Trends in Central & South America

Argentina 2003 Decision 2003/490/CE November 21, 2003 Declaration of Adequation to the levels of data protection of Directive 95/46/EC of the European Parliament and the Council.

New Data Protection Laws and Case Law Trends in Central & South America

Argentina 2011 Transfers to other countries only permitted if the country of destination ensures an adequate level of protection. Exceptions to this principle only in special cases: explicit and unambiguous consent, execution of certain contracts, safeguard of public interests or individual vital interests, information of public registers. 31

New Data Protection Laws and Case Law Trends in Central & South America

Articles 25 and 26, Directive 95/46/CE European Economic Space

DATA TRANSFERS AEPD March 31, 2011 32

New Data Protection Laws and Case Law Trends in Central & South America

INTERNATIONAL DATA TRANSFERS WITH COUNTRIES WITH NO ADEQUATION AEPD March 31, 2011 33

New Data Protection Laws and Case Law Trends in Central & South America

AEPD March 31, 2011 34

New Data Protection Laws and Case Law Trends in Central & South America

AEPD March 31, 2011 35

New Data Protection Laws and Case Law Trends in Central & South America

Uruguay - Dispositions Law 18331 - August 18, 2008 Decree 664/2008 Decree 437/2009 Decree 414/2009 Law 18719 - December 27, 2010 Law 18778 â&#x20AC;&#x201C; July 15, 2011 36

New Data Protection Laws and Case Law Trends in Central & South America

Uruguayan Data Protection System Scope of application of the legislation Data protection principles Rights of the data holders Liability Enforcement mechanisms Control Sanctions 37

New Data Protection Laws and Case Law Trends in Central & South America

Scope The regime is applied to all personal data recorded in any kind of medium that makes them likely to be processed, and any kind of subsequent use of these data within public or private domains.

New Data Protection Laws and Case Law Trends in Central & South America

Principles Purpose limitation principle Data quality and proportionality principle Principle of transparency Security principle

New Data Protection Laws and Case Law Trends in Central & South America

Rights of the data holders Access Rectification Opposition

New Data Protection Laws and Case Law Trends in Central & South America

International data transfers restricted: Countries that provide adequate levels of protection. Transfers authorized by the control authority in cases that offer contractual clauses regarding privacy, rights, freedoms of individuals and the exercise of their rights. Consent, contract, public interest, individualâ&#x20AC;&#x2122;s vital interest, public registry. 41

New Data Protection Laws and Case Law Trends in Central & South America

Sensitive data

(9% of the data universe in Uruguay) Definition as personal data revealing racial or ethnic origin, political preferences, religious or moral beliefs, trade union membership or information concerning health or sex life. Explicit consent required for data processing. Nobody can be compelled to provide sensitive data. 42

New Data Protection Laws and Case Law Trends in Central & South America

Direct marketing The data used for this purpose are home addresses, distribution of documents, advertising, sale or similar activities. In case this data is suitable for promotional profiling, commercial or advertising purposes, it should appear in documents accessible to the public or must have been supplied or consented by the affected individual. Right to access, remove and block data can be applied at any times. 43

New Data Protection Laws and Case Law Trends in Central & South America

Automatic individual decision Decisions based on the processing of data should not affect people or their performance (employment, credit, reliability, behavior, etc.). The affected person has the right to obtain information from the controller, both regarding the assessment criteria and the program used for the processing. 44

New Data Protection Laws and Case Law Trends in Central & South America

Supervisory Data Protection Authority URCDP : autonomous entity with technical autonomy Management: Executive Council of three members (Executive Director of AGESIC and the other two appointed by the Executive Power). Assistance: Advisory Council of five members (Members appointed by Legislative and Judicial Power, Public Ministry, academy and private sector). 45

New Data Protection Laws and Case Law Trends in Central & South America

Procedural and enforcement mechanisms URCDP provides assistance, advice, regulations, registries of databases, monitors compliance with regulations, guarantees security and confidentiality of data provided, issues opinions. Investigation, Inspection and Sanctions are in charge of the URCDP Habeas data action, legal quick action. 46

New Data Protection Laws and Case Law Trends in Central & South America

Sanctions Warning (83 %) Fines (17 %) Suspension of database.

New Data Protection Laws and Case Law Trends in Central & South America

Opinion 6/2010 of the WP29 on the level of personal data protection in Uruguay, adopted October 12, 2010. CONCLUDES that Uruguay ensures an adequate Level of protection within the meaning of Article 25 (6) of Directive 95/46/CE. 48

New Data Protection Laws and Case Law Trends in Central & South America

Why data protection systems work as a win-win process For the consumers, because they can control their own data and the information disseminated about them. For the enterprises, because then can prevent risks of vulnerability of the information they manage from their clients. For the countries, because then can attract investors, improve their positions and compliment international standards. 49

New Data Protection Laws and Case Law Trends in Central & South America

Outline Introduction A. Brazil B. Uruguay & Argentina

C. Colombia, Peru, Costa Rica (Cedric Laurant) D. Key take aways Q & A 50

New Data Protection Laws and Case Law Trends in Central & South America

Colombia, Peru & Costa Rica: Outline 1. Colombia: case studies, problem-solving in real world situations 2. Peru: overview of the data protection law 3. Costa Rica: overview of the data protection law See references at end of slide deck

New Data Protection Laws and Case Law Trends in Central & South America

Colombia 7 real cases:

How they might be solved with the upcoming data protection law. Why are those cases relevant to you and for your job?

Cases range from private to public and governmental aspects of data protection, not only for private businesses but also for public/government authorities.

New Data Protection Laws and Case Law Trends in Central & South America

Trust

New Data Protection Laws and Case Law Trends in Central & South America

Trust Case study: why do books always come wrapped in Colombian bookstores? Lack of trust towards customers? High price? Attitude towards books as sacred objects? Piracy? Problem: lack of trust by businesses towards consumers. Significance: lack of trust by businesses breeds lack of trust by consumers towards businesses. Business context: B2C transactions between foreign companies and Colombian consumers. Relevance for US/EU companies: foreign companies must be aware of, and understand, this essential feature of the commercial context in which personal information is being processed in Colombia.

New Data Protection Laws and Case Law Trends in Central & South America

Trust Resolution: Should bookstores unwrap all books to make better sales? Will it demonstrate more trust by the shopkeeper towards its customers? Will it have a positive or negative impact on sales? How is trust related to complying with new data protection legal requirements? Does it mean that for a company to be successful, it should be more transparent about how it processes its customers’ personal data? How would the upcoming Colombian data protection law apply? What would have to change in current data management practices? (Take local commercial traditions and way of doing business into account.) How could this have an impact on the level of enforcement of the new law? Take away

New Data Protection Laws and Case Law Trends in Central & South America

Trust

New Data Protection Laws and Case Law Trends in Central & South America

Credit reporting system

New Data Protection Laws and Case Law Trends in Central & South America

Credit reporting system Case study: Colombian real estate franchise of a US company (“Century 21 Luque Medina”). Problem: illustrates the current serious problem with the credit reporting system in Colombia: abusive use is detrimental to consumers, tenants and sureties; does not encourage accountability and business ethics by real estate companies. Significance: lack of trust by Colombian tenants, landlords and sureties towards Colombian subsidiaries or franchises of foreign businesses. Business context: B2C/B2B transactions between, on the one hand, foreign companies or Colombian subsidiaries or franchises of foreign companies, and, on the other hand, Colombian consumers. Relevance for US/EU companies: negative impact on US/ EU companies’ reputation.

New Data Protection Laws and Case Law Trends in Central & South America

Law No. 1266 of 2008 The Colombian “FCRA”. Applies in addition to the upcoming data protection law by focussing only on the protection of credit reports and the processing of financial personal information. Lacks teeth to address international data transfer issues: scope too limited to provide enough protections for information processed by European companies’ subsidiary call centers based in Colombia. No “adequate protection”. European Commission’s opinion: adequate to regulate the financial sector, but not medical, religious, ethnic, and other type of personal data. Enforcement has started by supervisory authorities.

New Data Protection Laws and Case Law Trends in Central & South America

Credit reporting system Resolution: How does the Law No. 1266 of 2008 apply to this case? Was it violated? No but did in fact unfairly treat the data subject. What would have to change in current data management practices? How has that law applied so far? Enforcement case by the Superintendencia de Industria y Comercio. How will the upcoming data protection law have any impact? Purpose specification principle. Take away: Doing business in a fair way will give the advantage to foreign companies. Go beyond strict compliance of the letter of the law in implementing it.

New Data Protection Laws and Case Law Trends in Central & South America

Authentication for private transactions

New Data Protection Laws and Case Law Trends in Central & South America

Authentication for private transactions Case study: fingerprints required as means of authentication for all sorts of contracts between individuals and businesses (rental agreements, online password releases for online banking accounts, exchange of currencies, “pospago” contracts with mobile phone providers, shipment of packages abroad,… Problem: need for a reliable way to authenticate individuals; signature not sufficient for authentication purposes. Main reason: high level of fraud. Significance: processing of sensitive personal information (biometrics) by businesses. Business context: B2C/B2B transactions between foreign companies and Colombian customers/clients or companies.

New Data Protection Laws and Case Law Trends in Central & South America

Authentication for private transactions Relevance for US/EU companies: authentication procedures may prove very burdensome, bureaucratic and onerous; on the other hand, motivated by good reasons: to prevent fraud (cfr fraud statistics in Colombia) and money laundering. Questions/Resolution: How will the upcoming Colombian data protection law apply? (transparency, right of access, adequate security measures, …) How will the new law impact those authentication practices? (proportionality and security measures) How will current data management practices have to change? (more transparency, subject access and security) Take away

New Data Protection Laws and Case Law Trends in Central & South America

Collection of biometrics for security purposes

New Data Protection Laws and Case Law Trends in Central & South America

Collection of biometrics for security purposes Case study: digital biometric fingerprint scanner used as a security measure at the entrance of office buildings; required from everyone to get access to the premises. Significance: higher risk of data breaches because of databases storing very sensitive personal information (biometrics) and higher risk for data subjects concerned. Business context: B2C transactions between foreign companies and data subjects (Colombians or foreigners, individuals or clients). Relevance for US/EU companies: higher risk for hacking and data breaches exists as sensitive personal information is being stored. Problem: use of biometrics and other authentication and identification measures by private actors in a wide range of situations where collection, use and secondary use of personal information is not necessarily legitimate, transparent or proportionate (e.g., building access).

New Data Protection Laws and Case Law Trends in Central & South America

Collection of biometrics for security purposes Questions: Why is a digital fingerprint required as opposed to a less intrusive and less risky means of access security measure? Is it proportionate? What happens with this data? With whom is it shared? Where is there any type of privacy policy explaining what happens with the information collected? What happens if I am being denied access to the building? Where can I complain? (transparency issue)

Resolution: How does the upcoming Colombian data protection law apply? Proportionality; prior and express consent; transparency;… What would have to change in current data management practices to make this processing compliant with the law? What are the exemptions for law enforcement authorities?

Take away

New Data Protection Laws and Case Law Trends in Central & South America

Phone no. and ID for every purchase

New Data Protection Laws and Case Law Trends in Central & South America

Phone no. and ID for every purchase Case study: Phone no. and ID no. are requested for every purchase made with an electronic means of payment. No explanation of reason why or what the information is ultimately used for; no privacy policy. Significance: possibility to match all purchases made by individuals with their ID no. Link it with governmental databases? Relationships between those purchases and the stores’ discount grocery shopping cards? Business context: B2C transactions between, on the one hand, foreign companies or their Colombian subsidiaries or franchises of foreign companies and, on the other, Colombian consumers. Relevance for US/EU companies: Do US/EU businesses’ subsidiaries in Colombia using such information collect it legitimately and for valid reasons?

New Data Protection Laws and Case Law Trends in Central & South America

Phone no. and ID for every purchase Problem: low level of trust in customer-business relationships, very low level of consumer protection and customer service; presumption of bad faith. Questions/Resolution: How will the upcoming Colombian data protection law apply? What would have to change in current data management practices? Take away: more transparency required from businesses towards their customers with respect to the processing of their personal information. Consumer protection mechanisms must be established that much better ensure a higher level of consumer protection and consumer privacy.

New Data Protection Laws and Case Law Trends in Central & South America

RFID transportation card

New Data Protection Laws and Case Law Trends in Central & South America

RFID transportation card Case study: Medellin metro card is delivered upon identification and tracks all itineraries of travelers. Lack of information about availability of an anonymous card and its benefits (only drawbacks are mentioned to encourage adoption of individualized card). Significance: use of customers’ personal location information by public and private entitie; is covered by the upcoming data protection law. Business context: procurement contracts between Colombian government authorities and foreign companies. Relevance for US/EU companies: Potential sale of data processing services to local governmental entities. Interest for foreign companies to understand how the upcoming data protection law applies to geo-location location personal information.

New Data Protection Laws and Case Law Trends in Central & South America

RFID transportation card Problem: Data protection issues: transparency, access rights, potential secondary uses of travelers’ personal information. Concerns: no privacy policy; no information about the type of information being collected by the system; about the uses of the itinerary information now and later in time; about the current or considered secondary uses; and about the possibility to ask for an anonymous card. Use of data by private and public actors. Questions: How will the upcoming Colombian data protection law apply? What would have to change in current data management practices? Resolution: comply in advance and better than local companies.

New Data Protection Laws and Case Law Trends in Central & South America

RFID transportation card (comparison with Uruguayan case)

New Data Protection Laws and Case Law Trends in Central & South America

Privacy in e-government services General obligation of all government entities that use electronic resources to manage the information of citizens in a manner respectful to their privacy. Decree No. 1151 of 2008 establishes general principles to follow in how online services are provided by the government. Protection of privacy is further regulated by the Ministry of Communications’ “eGovernment Policy Manual,” applicable throughout all governmental entities.

New Data Protection Laws and Case Law Trends in Central & South America

Colombia: take aways 1. Get an edge over your competitors: be transparent, explain, clarify how your company/ affiliate will use individuals/customers’ personal information. 2. Don’t wait for the Colombian companies to comply with the law: being seen as an early adopter will be good for business and reputation. 3. Trust your consumers; trust will breed reciprocal trust in your products, services, reputation and brand.

New Data Protection Laws and Case Law Trends in Central & South America

Colombia: take aways â&#x20AC;&#x2C6; 4. Follow all consumer protection regulations, and go beyond strict compliance. Do better than Colombian companies. Mandate your franchisees to be consumer protection-friendly, like in the United States, not like in Colombia. â&#x20AC;&#x2C6; 5. Develop a reputation for being fully reliable for your customers. â&#x20AC;&#x2C6; 6. Get advice both from a local counsel (to conceive the most adequate data protection solution to fit in the cultural context) and from a global data protection counsel. Both professionals will be necessary to design how your company will comply with the local data protection rules.

New Data Protection Laws and Case Law Trends in Central & South America

CENTRAL AMERICA COSTA RICA EL SALVADOR GUATEMALA HONDURAS NICARAGUA PANAMA

New Data Protection Laws and Case Law Trends in Central & South America

CENTRAL AMERICA PROTECTION AT THE CONSTITUTIONAL LEVEL - No Central American country has an express recognition for the right to data protection. - However, most countries provide constitutional protection for the “right to privacy”, except Panama and Guatemala. - Countries do not have “habeas data” at the constitutional level, but some of them have a general constitutional remedy.

PROTECTION IN THE LAW - No Central American country has a comprehensive personal data protection law. - Most countries have legal provisions that protect personal data in their laws on access to information and public transparency (Panama, 2002; Honduras, 2006; Nicaragua, 2007; and Guatemala, 2008). - There are telecommunication laws and credit reporting laws.

New Data Protection Laws and Case Law Trends in Central & South America

CENTRAL AMERICA INTERNATIONAL INSTRUMENTS - Political Dialogue and Cooperation Agreement between the EU and Central America (2003): parties agreed to cooperate on the protection in the processing of personal data. BILLS ON PERSONAL DATA PROTECTION - At least two Central American countries have had legislative discussion on bills that would regulate data protection: Costa Rica and Nicaragua. Costa Rica has a new data protection law since Sept. 7, 2011. 79

New Data Protection Laws and Case Law Trends in Central & South America

Costa Rica Sept. 7, 2011: new Personal Data Protection Law No. 8968 enters into force. Regulates the processing of personal data carried out by public and private entities: all databases distributing or selling information. (Personal or corporate databases not covered by the law.) Law modeled after the EU Data Protection Directive. Regulates almost all processing of all types of personal data. Requires express written consent for many data processing activities.

New Data Protection Laws and Case Law Trends in Central & South America

Costa Rica 4 main categories of personal data:

1. sensitive data: include socioeconomic level, and medical and genetic conditions. 2. restricted access data: data included in a public database but with restricted access because only concerns person or public entity involved. Individual must give written consent for his personal data to be disclosed. 3. special restricted access data: data contained in public databases created by law. 4. credit records: data that allows financial institutions to evaluate an individual’s creditworthiness based on the general principles laid out in the new data protection law.

New Data Protection Laws and Case Law Trends in Central & South America

Costa Rica New data protection authority created within the Ministry of Justice (“Prodhab”) to implement the legislation, inspect registered databases and issue sanctions for legal violations. Commercial databases must be registered before Prodhab and will be subject to an annual fee for their administration. Data controller must pay a fee (“canon”) to Prodhab for sales made using commercial databases. Fee based on no. of data sold or contract value. Regulation to be implemented. 82

New Data Protection Laws and Case Law Trends in Central & South America

Peru July 2011: Peru has its first data protection law (“Ley N° 29733 de Protección de Datos Personales”). Data protection authority will be part of the Ministry of Justice (independence?) and in charge of a National Registry of Personal Data; may levy fines for violations of the law. Decree must now be drafted. Problem with the regulation of creditreporting databases: eludes crucial issue.

New Data Protection Laws and Case Law Trends in Central & South America

Peru National Register of Personal Data Protection can record:

1) publicly or privately administered personal databases; 2) authorizations issued pursuant to the law; 3) sanctions imposed by the National Authority; and 4) codes of conduct of the entities representing the privately administered personal database controllers or processors.

New Data Protection Laws and Case Law Trends in Central & South America

Peru Political willingness:

Free trade agreements: Peru signed them in Nov. 2008 with the US and Canada. Bilateral negociations under way with the EU, South Korea and China. Call centers.

Transborder data flows: Destination country must have a sufficient level of protection for the personal data to be processed, or at least comparable to that provided by the law.

New Data Protection Laws and Case Law Trends in Central & South America

General references 1.- Agencia Española de Protección de Datos, cuatro gráficas aportadas a la fecha 31032011. Anales del Seminario “El impacto de las transferencias internacionales de datos en América Latina. Las políticas preventivas y la autorregulación en la implantación de la normativa de protección de datos”, Cartagena de Indias, Colombia. Junio de 2011 <http:// www.redipd.org/reuniones/seminario_2011_Cartagena/common/Ponencias/ JesusRubiNavarreteMartes.pdf>. 2.- José Luis Piñar Mañas. Protección de datos de carácter personal en Iberoamérica, Red Iberoamericana de Protección de Datos, Agencia Española de Protección de Datos, Ed. Tirant Lo Blanch Libros, Valencia, España. 2005. 3.- José Luis Piñar Mañas, La Red Iberoamericana de Protección de Datos, Declaraciones y documentos. Ed. Tirant Lo Blanch. Valencia, 2006. 4.- Oscar Puccinelli, El habeas data en Indoiberoamerica. Ed. Temis, Bogota, Colombia. 1999. 5.- Ana Brian Nougreres. De la protección de datos personales y la cooperación internacional. Anuario de Derecho Informático, Instituto de Derecho Informático, Facultad de Derecho, Universidad de la República. FCU. 2005.

New Data Protection Laws and Case Law Trends in Central & South America

General references 6.- Cédric Laurant, “Emerging Data Protection Laws in Latin America and Doing Business in the EU”, Cedric’s Privacy Blog, Sept. 15, 2011 <http://blog.cedriclaurant.org/2011/09/15/ emerging_data_protection_laws_in_latin_america_doing_business_in_eu/>. 7.- Alberto Cerda, Cédric Laurant & Renato Opice Blum, “Recent Privacy and Data Protection Developments in Latin America and Their Impact on North American and European Multinational Companies”, IAPP Global Privacy Summit (Washington, DC – April 21, 2010) <http://www.slideshare.net/cedriclaurant/quotrecent-privacy-and-dataprotection-developments-in-latin-america-and-their-impact-on-north-american-andeuropean-multinational-companiesquot>. 8.- Marcos Normativos en materia de Protección de Datos Personales. Actas del Seminario. Antigua, Guatemala, 2003.

New Data Protection Laws and Case Law Trends in Central & South America

References (Argentina) 1.- Declaration regarding Argentina’s Adequation to the levels of data protection of the Directive 95/46/EC of the European Parliament and the Council, November 21, 2003 <http://ec.europa.eu/justice/policies/privacy/docs/ adequacy/decision-c2003-1731/decision-argentine_en.pdf>. 2.- Carlos E. Delpiazzo, Protección de datos en Uruguay y el Mercosur, Fundación de Cultura Universitaria. Montevideo, Uruguay, 2005. 3.- “Argentina” country report in Privacy & Human Rights 2006, Electronic Privacy Information Center & Privacy International, December 18, 2007 <https://www.privacyinternational.org/article/phr2006-argentine-republic>.

New Data Protection Laws and Case Law Trends in Central & South America

References (Brazil) 1.- Brazilian Constitution, Title 2, Chapter 1, Article 5, X. http://www.planalto.gov.br/ccivil_03/constituicao/constitui%C3%A7ao.htm 2.- Brazilian Constitution, Title 2, Chapter 1, Article 5, XI. http://www.planalto.gov.br/ccivil_03/constituicao/constitui%C3%A7ao.htm 3.- Brazilian Constitution, Title 2, Chapter 1, Article 5, XII. http://www.planalto.gov.br/ccivil_03/constituicao/constitui%C3%A7ao.htm 4.- Brazilian Constitution, Title 2, Chapter 1, Article 5, XIV. http://www.planalto.gov.br/ccivil_03/constituicao/constitui%C3%A7ao.htm 5.- Brazilian Constitution, Title 2, Chapter 1, Article 5, LXXII. http://www.planalto.gov.br/ccivil_03/constituicao/constitui%C3%A7ao.htm 6.- Federal Law No. 9.507/1997 (Habeas Data). http://www.planalto.gov.br/ccivil_03/leis/l9507.htm 7.- Federal Law No. 9.507/1997, Article 4 ยง 1. http://www.planalto.gov.br/ccivil_03/leis/l9507.htm

New Data Protection Laws and Case Law Trends in Central & South America

References (Brazil) 8.- Federal Law No. 9.507/1997, Article 4 § 2. http://www.planalto.gov.br/ccivil_03/leis/l9507.htm 9.- Federal Law No. 10.406, January 12, 2002 (Civil Code). http://www.planalto.gov.br/ccivil_03/leis/2002/L10406.htm 10.- Federal Law No. 7.232, October 29, 1984 (National Computer Policy). http://www.planalto.gov.br/ccivil_03/leis/L7232.htm 11.- Federal Law No. 9.472, July 16, 1997, Book 1, Art. 3, IX. (Telecommunications Act). http://www.consumidorbrasil.com.br/consumidorbrasil/textos/legislacao/l9472.htm 12.- Federal Law No. 9.454, April 7, 1997 (National Identity Registration). http://www.planalto.gov.br/ccivil_03/Leis/L9454.htm 13.- Federal Law No. 8.078, Article 43, September 11, 1990 (Consumer´s Code). http://www.planalto.gov.br/ccivil_03/leis/L8078.htm 14.- Document nº 05/2002, of the Economic Law Secretariat, Ministry of Justice (Secretaria de Direito Econômico (SDE) do Ministério da Justiça).

New Data Protection Laws and Case Law Trends in Central & South America

References (Brazil) 15.- Personal Data Bill: regulates the protection of personal data, privacy and other matters <http://www.cgu.gov.br/acessoainformacao/arquivos/ anteprojeto-lei-protecao-dados-pessoais.pdf>. 16.- Renato Leite Monteiro & Caio César Carvalho Lima, Comentários ao Anteprojeto de Lei Brasileiro sobre Proteção de Dados Pessoais, Information Security Breaches & The Law Blog, May 2011 <http:// securitybreaches.files.wordpress.com/2011/05/anteprojeto-de-lei-brasileirosobre-protecao-de-dados-pessoais.pdf>. 17.- Renato Leite Monteiro & Cédric Laurant, “New Brazilian Data Protection Bill Adopts Data Breach Notification Regime”, Information Security Breaches & The Law Blog, May 9, 2011 <http://blog.security-breaches.com/2011/05/09/ new_brazilian_data_protection_bill_adopts_data_breach_notification_regime/>. 18. Renato Leite Monteiro , “Comentários ao Anteprojeto de Lei Brasileiro sobre Proteção de Dados Pessoais”, Information Security Breaches & The Law Blog, May 1, 2011 <http://blog.security-breaches.com/2011/05/01/comentarios-aoanteprojeto-de-lei-brasileiro-sobre-protecao-de-dados-pessoais/>.

New Data Protection Laws and Case Law Trends in Central & South America

References (Brazil) 19.- “Brazil” country report in Privacy & Human Rights 2006, Electronic Privacy Information Center & Privacy International, December 18, 2007 <https:// www.privacyinternational.org/article/phr2006-federative-republic-brazil>. 20.- Danilo Doneda, Da privacidade a proteção de dados pessoais, Ed. Renovar. Rio de Janeiro, Brasil, 2006. 21.- Stefano Rodota. A vida na sociedade da vigilancia, a privacidade hoje, Ed. Renovar, trad. Maria Celina Bodin de Moraes, Rio de Janeiro, 2008. 22.- Temis Limberger. O direito a intimidade na era da informática. Ed. Livraria do Avogado, Brasil, 2007.

New Data Protection Laws and Case Law Trends in Central & South America

References (Colombia) 1.- Informe de conciliación al Proyecto de Ley Número 046 de 2010 Cámara, 184 de 2010 Senado (upcoming Colombian data protection law) <http:// www.habeasdata.org.co/wp-content/uploads/2010/12/InformeConciliación1.pdf>. 2.- Fernando Triana and Carolina Díaz (Triana, Uribe & Michelsen), “Data Protection: Colombia”, April 1, 2010 <http://ipandit.practicallaw.com/ 7-502-5167?source=relatedcontent>. 3.- Observatorio de la protección de datos personales en Colombia <http:// www.habeasdata.org.co/>. 4.- Nelson Remolina-Angarita, “¿Tiene Colombia un nivel adecuado de protección de datos personales a la luz del estándar europeo?, 16 International Law, Revista Colombiana de Derecho Internacional, 489-524 (2010) <http:// www.habeasdata.org.co/wp-content/uploads/2010/08/colombia-y-niveladecuado-de-proteccion-de-datos-nelson-remolina-il-julio-de-2010.pdf>. 5.- Nelson Remolina-Angarita, “Propuestas para mejorar y aprobar el proyecto de ley estatutaria sobre el derecho fundamental del habeas data y la protección de los datos personales”, Documento GECTI No 11, Noviembre 24 de 2010 <http://www.habeasdata.org.co/wp-content/uploads/2010/12/documentogecti-11-de-2010.pdf>.

New Data Protection Laws and Case Law Trends in Central & South America

References (Colombia) 6.- Cédric Laurant, Summer course of continuing legal education: “Data Protection & Privacy around the World”, School of Law, Universidad de los Andes (Bogota, Colombia – June 17 - July 7, 2008). 7.- Spanish Data Protection Agency, “Report on International Data Transfers – Ex Officio Sectorial Inspection of Spain-Colombia at Call Centres”, July 2007 <http://www.agpd.es/portalwebAGPD/jornadas/ transferencias_internacionales_datos/common/pdfs/ report_Inter_data_transfers_colombia_en.pdf>. 8.- “Colombia” country report in Privacy & Human Rights 2006, Electronic Privacy Information Center & Privacy International, December 18, 2007 <https://www.privacyinternational.org/article/phr2006-colombia>.

New Data Protection Laws and Case Law Trends in Central & South America

References (Costa Rica) 1.- Personal Data Protection Law No. 8968 of Sept. 7, 2011 (Ley de “Protección de la Persona frente al tratamiento de sus datos personales”) <http://www.pgr.go.cr/scij/Busqueda/Normativa/Normas/nrm_repartidor.asp? param1=NRTC&nValor1=1&nValor2=70975&nValor3=85989&strTipM=TC>. 2.- “Protection of the Person in the Processing of His Personal Data” (Data protection bill, “Ley de protección de la persona frente al tratamiento de sus datos personales”) <http://www.elderechoinformatico.com/index.php? option=com_content&view=article&id=508:ley-proteccion-de-datospersonales-costa-rica&catid=1:datos-personales&Itemid=54>. 3.- Roberto Lemaitre, “Proyecto de Ley - Expte. 16.679 “Protección de la Persona frente al tratamiento de Datos Personales”, 11 de Junio de 2011 <http://www.elderechoinformatico.com/index.php? option=com_content&view=article&id=583:proyecto-de-leyexpediente-16679-proteccion-de-la-persona-frente-al-tratamiento-datospersonales&catid=118:elderechoinformatico-costa-rica&Itemid=122>. 4.- Costa Rica country report in Privacy & Human Rights 2006, Electronic Privacy Information Center & Privacy International, December 18, 2007 <https://www.privacyinternational.org/article/phr2006-costa-rica>.

New Data Protection Laws and Case Law Trends in Central & South America

References (Peru) 1.- Ley de Protección de Datos personales, 3 de julio de 2011 <http:// securitybreaches.files.wordpress.com/2011/07/110703-ley_peruana-pdpno29733.pdf>. 2.- Department of Commerce, English translation of Peru’s Law for Personal Data Protection (Ley de Protección de Datos Personales) <http:// www.huntonprivacyblog.com/uploads/file/Peru%20Data%20Protection%20Law %20July%2028_EN%20_2_.pdf>. 3.- Iriarte & Asociados, Handbook IA N° 6 - Protección de Datos PersonalesEntidades Privadas, v. 1.0, julio de 2011 <http://www.iriartelaw.com/apc-aairiartelaw/img_upload/80fbc41a7158c9c9b59314f28f167fb1/ Handbook_IA_N__6_ley_de_Protecci_n_de_Datos_Personales.pdf>. 4.- Carlos Ferreyros Soto, “Los desafios digitales del Ministerio de Justicia: El Sistema Peruano de Información Judicial, SPIJ y la Ley de Datos Personales”, 30 June 2011, <http://derecho-ntic.blogspot.com/2011/06/los-desafios-digitales-delministerio.html>. 5.- José Miguel Silva, “Ley de protección de datos personales: Todo lo que usted debe saber”, LaRepublica.pe, 23 June 2011 <http://www.larepublica.pe/ 23-06-2011/ley-de-proteccion-de-datos-personales-todo-lo-que-usted-debesaber>.

New Data Protection Laws and Case Law Trends in Central & South America

References (Peru) 6.- Cédric Laurant, “Perspectivas europeas sobre la protección de los consumidores y usuarios peruanos del Internet. Interpretando el nuevo Código peruano de Protección y Defensa del Consumidor (Ley No. 29571)” (Conferencia internacional: “Implicancias del Nuevo Codigo de Proteccion y Defense del Consumidor: Nuevos Retos”), Asociación Nacional de Defensa del Consumidor, Universidad Nacional Jorge Basadre Grohmann, Tacna, Peru – December 21, 2010) <http://www.slideshare.net/cedriclaurant/perspectivas-europeas-sobre-laproteccin-de-los-consumidores-y-usuarios-peruanos-del-internetinterpretando-elnuevo-cdigo-peruano-de-protecciny-defensa-del-consumidor-ley-no-29571>. 7.- “Peru” country report in Privacy & Human Rights 2006, Electronic Privacy Information Center & Privacy International, December 18, 2007 <https://www.privacyinternational.org/article/phr2006-republic-peru>.

New Data Protection Laws and Case Law Trends in Central & South America

References (Uruguay) 1.- The Uruguayan laws can be consulted at <http://www.parlamento.gub.uy>. 2.- Text of the Uruguayan decrees can be consulted at <http:// www.presidencia.gub.uy>. 3.- Ana Brian Nougreres, “El sistema legal uruguayo en protección de datos personales y acceso a la información pública,” Universidad de Los Andes, Bogotá, Colombia, 2010. 4.- Opinion 6/2010 on the level of protection of personal data in the Eastern Republic of Uruguay, adopted October 12, 2010, 0475/10/EN WP 117 <http:// ec.europa.eu/justice/policies/privacy/docs/wpdocs/2010/wp177_en.pdf>. 5.- Ana Brian Nougreres. Taller sobre Protección de Datos Personales, Colegio de Abogados del Uruguay, Montevideo, 2010. 6.- Augusto Duran Martinez, Derecho a la Protección de Datos personales y al acceso a la información pública, Ed. Amalio Fernández, Montevideo, Uruguay,, 2009.

New Data Protection Laws and Case Law Trends in Central & South America

References (Uruguay) 7.- Carlos E. Delpiazzo, Protección de datos en Uruguay y el Mercosur, Fundación de Cultura Universitaria. Montevideo, Uruguay, 2005. 8.- Ana Brian Nougreres, “Integración Iberoamericana en materia de protección de Datos Personales”, Anuario de Derecho Informático, Montevideo, Uruguay, 2007. 9.- Ana Brian Nougreres. Protección de datos personales en Uruguay. Imp. Teijeiro. Montevideo, Uruguay, 2009. 10.- “Uruguay” country report in Privacy & Human Rights 2006, Electronic Privacy Information Center & Privacy International, December 18, 2007 <https:// www.privacyinternational.org/article/phr2006-republic-uruguay>. 12.- Ana Brian Nougreres, “El sistema de transporte metropolitano y la protección de datos personales de los uruguayos”, Anuario de Derecho Informatico, Instituto de Derecho Informático, Facultad de Derecho, Universidad de la República, FCU, 2007.

New Data Protection Laws and Case Law Trends in Central & South America

Outline Introduction A. Brazil B. Uruguay & Argentina C. Colombia, Peru, Costa Rica

D. Key take aways (Cedric Laurant) Q & A

100

New Data Protection Laws and Case Law Trends in Central & South America

Key take aways • 1. Get an edge over your competitors: be transparent, explain, clarify how your company/affiliate will use individuals/customers’ personal information. • 2. Being seen as an early adopter will be good for business and reputation. • 3. Trust your consumers (trust breeds trust, in your products, services, reputation, brand). 101

New Data Protection Laws and Case Law Trends in Central & South America

Key take aways • 4. Follow all consumer protection regulations and go beyond strict compliance. • 5. Build your company’s reputation as being fully reliable for your customers. • 6. Get advice not only from local counsel, but also from global ones.

102

New Data Protection Laws and Case Law Trends in Central & South America

Outline Introduction A. Brazil B. Uruguay & Argentina C. Colombia, Peru, Costa Rica D. Key take aways

Q & A

103

New Data Protection Laws and Case Law Trends in Central & South America

Panelists: contact info Cedric Laurant, Esq., LL.M.

Principal, Cedric Laurant Consulting (Belgium) http://cedriclaurant.com – Twitter: @cedric_laurant c [at] cedriclaurant [dot] com

Dra. Ana Brian Nougreres

Law Professor, Universidad de la República Oriental del Uruguay; Chief Consultant, Estudio Jurídico Briann & Associates (Uruguay) abrian [at] netgate [dot] com [dot] uy

Renato Opice Blum

CEO and Partner, Opice Blum Advogados Associados (Brazil)

http://www.opiceblum.com.br – Twitter: @opiceblum renato [at] opiceblum [dot] com [dot] br

104

New Data Protection Laws and Case Law Trends in Central & South America