Brazil & Beyond: Privacy Trends in Latin America August 18, 2016
Privacy Insight Series - truste.com/insightseries v
1 © TRUSTe Inc., 2016
Today’s Speakers
• Jacobo Esquenazi, Global Privacy Strategist, HP, Inc.
• Juan Luis Hernandez Conde, Founding Partner, Novus Concilium
• Andrew McDevitt, Senior Privacy Consultant, TRUSTe
Today’s Agenda
• Welcome & Introductions
• Overview of Latin American Privacy
• Understanding Database Registration Requirements
• Proposed Legal Changes in the region, including: Brazil, Chile, Colombia, Mexico
• Accountability and Data Subject Rights
• Q&A
Overview of Latin American Privacy (Andrew McDevitt, Senior Privacy Consultant, TRUSTe)
Basic Observations of Privacy in Latin America
• There is no Latin American treaty, omnibus regional law, or specific regional body that assists and guides organizations on data protection, such as the EU Data Protection Directive (soon to be the GDPR).
• However, data protections have been purposefully incorporated into the constitutions of some Latin American countries.
• Some Latin American countries require all organizations to register with their DPA (Peru), while others do not require businesses to register with their DPA (Mexico, Nicaragua).
Data Protection in Latin America Falls into Four Groups
• Constitutional/Habeas Data. Nations which utilize a constitutional rights-based model for protecting individuals’ personal data rights.
• General Data Protection Laws. Nations which have enacted comprehensive data protection laws.
• Hybrid Approach. Nations that employ a blend of habeas data and general data protection laws.
• Unsettled or Transitioning Data Protection Rights. Nations that lack a clearly defined constitutional or legislative structure with respect to privacy rights.
Overview of Latin American Privacy Requirements
Understanding Database Registration Requirements (Jacobo Esquenazi, Global Privacy Strategist, HP, Inc.)
Database Registration Requirements in LAR
• Database registration is one of the most burdensome requirements in data protection management. It is very common in LAR.
• Five out of six countries that have data protection laws in the region include a database registration requirement. Mexico is the only notable exception.
• Conditions for registering databases, and the content of the registration, vary from country to country.
• Three countries require an annual update or renewal of the registration, one country requires an update only when major changes occur, one country requires a monthly update when any changes occur, and one requires that the registry be kept up to date constantly.
• In some countries, fees for registration need to be paid (a source of revenue for the DPA), and there is a cost of compliance in all cases.
Database Registration Requirements by Country

Uruguay
• Article 29 of the Data Protection Law creates a database registry. All public and private databases need to be registered before the DPA.
• Applicable to all persons (natural and legal).
• Registration includes information about the database and the exercise of rights; security measures; length of storage.
• Registration needs to be renewed annually.
• Registration can be done online.

Argentina
• Article 21 of the Data Protection Law creates a database registry. All public and private databases must be registered before the DPA.
• Applicable to ALL databases.
• Private databases should be registered before being created.
• Registration needs to be renewed annually.
• Registration can be initiated online.
Database Registration Requirements by Country

Peru
• Article 29 of the Data Protection Law creates a database registry. All databases that are subject to data subject rights (access, correction, etc.) need to be registered.
• The DPA can also include as part of the (searchable) registry authorizations, sanctions, injunctions or corrective measures imposed. The registry also includes approved codes of conduct.
• Communications related to transborder flows are also registered.
• Registration must be done on paper.
• Registration is done once unless the database undergoes changes. All changes to the purpose, content, security measures, etc. must be registered.
Database Registration Requirements by Country

Colombia
• Article 29 of the Data Protection Law creates a database registry. Only Colombian data controllers (registered in the chambers of commerce) need to register databases.
• Information to be registered: types of data; security measures; data origin; international transfers; international transmissions; national data transfers; requests from data subjects to exercise their rights; and security incidents (breaches).
• Annual registration, or within 10 days of any substantial changes.

Costa Rica
• Article 21 of the Data Protection Law creates a data registry. Databases for distribution, publication or commercialization need to be registered.
• Registration needs to be done by the data owner (notarized) and includes the physical placement of the database; uses of the database; types of data; description of security measures; recipients of data transfers; list of contracts for commercialization; creation of a super user for the agency, etc.
Proposed Legal Changes in the Region (Juan Luis Hernandez Conde, Founding Partner, Novus Concilium)
From Habeas Data to Omnibus Protection
What is Habeas Data?
A constitutionally or judicially protected right to access, rectification and/or erasure of personal information.
Omnibus legislation
A legal regime imposing specific obligations and requirements on data controllers and data processors.
Privacy evolution timetable (figure): countries shown are Costa Rica, Argentina, Colombia, Mexico, Peru and Uruguay; years shown on the timeline are 2000, 2008, 2010, 2011 and 2014.
Laws being discussed right now
• Brazil
• Ecuador
• Chile
• Panama
From Habeas Data to Omnibus Protection
Accountability and Data Subject Rights (Jacobo Esquenazi, Global Privacy Strategist, HP, Inc.)
Data Subject Rights in LAR
• All data protection laws in LAR are based (in whole or in part) on EU data protection concepts, and more specifically on the first Spanish implementation of the Privacy Directive.
• All laws in LAR provide data subjects with the following rights:
– Access: the right to know what information a controller holds about the data subject.
– Correction: the right to correct inaccurate information that a data controller holds about a data subject.
– Deletion: a data subject has the right to request that a data controller delete information related to him/her (with some limitations).
• Some data protection laws allow an intermediate phase before deletion (opposition), which is the equivalent of the right of restriction of processing under the GDPR.
• All rights have a compliance period. After that period, data subjects who feel their requests have not been honored have a right of recourse before the DPA and eventually before a court of law.
Infringement of Data Subject Rights
• The infringement of data subject rights can be penalized by administrative sanctions (including monetary ones) applied by the DPA.
• DPAs in LAR have increased their enforcement activity, imposing substantial fines for non-compliance; activity has increased in particular where data subject complaints are involved. DPAs do not have prosecutorial discretion, therefore all complaints must be investigated.
• All laws include the right to compensation if the infringement of data subject rights results in harm. The process is carried out before the courts.
Accountability
• Mexico and Colombia have included the concept of accountability in their data protection legislation. This is similar to the concept incorporated in the GDPR.
• Having an accountability-based data protection program is not mandatory, but companies that can demonstrate an accountability-based data protection program obtain benefits such as reduced fines or easier transborder flows.
• Demonstrating accountability has some requirements that need to be met (sometimes through codes of conduct).
• Although Peruvian regulation does not include the accountability concept, it does recognize some benefits for participating in voluntary codes of conduct.
Key Takeaways for Companies
• Latin America is as diverse in its privacy regimes as it is in its geographies.
• Habeas data is a constitutionally-based remedy of legal action that may be initiated by a citizen to discover what data is held about that person, in order to facilitate correction or deletion of the information.
Key Takeaways for Companies
• More incentives than ever exist for Latin American governments to modernize their data privacy laws in light of APEC membership, global commerce and trade, and international adequacy/interoperability opportunities.
• With Chile, Mexico and Peru already APEC members, companies should consider APEC CBPR certification as a route to demonstrate compliance in the region.
• Companies should be aware of the data privacy quirks that exist in Latin America but are not widespread elsewhere:
– Costa Rica’s “super user” database access for the government
– The “right to be forgotten” in Nicaragua
– Mexico’s detailed privacy notice rules but lack of a registration requirement
Questions?
Contacts
• Jacobo Esquenazi: jacobo.esquenazi@hp.com, @jesquenaziMX
• Juan Luis Hernandez Conde: hcount@nclaw.mx, @TheRealHCount
• Andrew McDevitt: amcdevitt@truste.com, @AndrewJMcDevitt
Thank You!
Details of our 2016 Summer/Fall Webinar Series are now available. Register now for our next webinar on September 22, “Changing Role of the CPO in Today’s Privacy Ecosystem”. See http://www.truste.com/insightseries for the 2016 Privacy Insight Series and past webinar recordings.