Brazil & Beyond: Privacy Trends in Latin America
August 18, 2016

Privacy Insight Series - truste.com/insightseries
TRUSTe Inc., 2016

Today's Speakers

Jacobo Esquenazi
Global Privacy Strategist,
HP, Inc.

Juan Luis Hernandez Conde
Founding Partner
Novus Concilium

Andrew McDevitt
Senior Privacy Consultant
TRUSTe

Today's Agenda
Welcome & Introductions
Overview of Latin American Privacy
Understanding Database Registration Requirements
Proposed Legal Changes in the region, including: Brazil, Chile, Colombia, Mexico
Accountability and Data Subject Rights
Q&A

Overview of Latin American Privacy


Andrew McDevitt, Senior Privacy Consultant, TRUSTe

Basic Observations of Privacy in Latin America

There is no Latin American treaty, omnibus regional law, or specific regional body that assists and guides organizations on data protection, comparable to the EU Data Directive (soon to be GDPR).
However, data protections have been purposefully incorporated into the constitutions of some Latin American countries.
Some Latin American countries require all organizations to register with their DPA (Peru), while others don't require businesses to register with their DPA (Mexico, Nicaragua).

Data Protection in Latin America Falls into Four Groups

Constitutional/Habeas Data. Nations which utilize a constitutional rights-based model for protecting individuals' personal data rights.
General Data Protection Laws. Nations which have enacted comprehensive data protection laws.
Hybrid Approach. Nations that employ a blend of habeas data and general data protection laws.
Unsettled or Transitioning Data Protection Rights. Nations that lack a clearly defined constitutional or legislative structure with respect to privacy rights.

Overview of Latin American Privacy Requirements

Understanding Database Registration Requirements
Jacobo Esquenazi, Global Privacy Strategist, HP, Inc.

Database Registration Requirements in LAR

Database registration is one of the most burdensome requirements in data protection management. It is very common in LAR.
Five out of six countries that have data protection laws in the region include a database registration requirement. Mexico is the only notable exception.
Conditions for registering databases and the content of the registration vary from country to country.
Three countries require an annual update or renewal of the registration, one country requires an update only when major changes occur, one country requires a monthly update when any changes occur, and one requires that the registry be kept up to date constantly.
In some countries, registration fees need to be paid (a source of revenue for the DPA), and there is a cost of compliance in all cases.

Database Registration Requirements by Country

Uruguay
Article 29 of the Data Protection Law creates a database registry. All public and private databases need to be registered before the DPA.
Applicable to all persons (natural and legal).
Registration includes information about the database and exercise of rights; security measures; length of storage.
Registration needs to be renewed annually.
Registration can be done online.

Argentina
Article 21 of the Data Protection Law creates a database registry. All public and private databases must be registered before the DPA.
Applicable to ALL databases.
Private databases should be registered before being created.
Registration needs to be renewed annually.
Registration can be initiated online.

Database Registration Requirements by Country

Peru
Article 29 of the Data Protection Law creates a database registry. All databases that are subject to Data Subject rights (access, correction, etc.) need to be registered.
The DPA can also include as part of the (searchable) registry authorizations, sanctions, injunctions or corrective measures imposed. The registry also includes approved codes of conduct.
Communications related to transborder flows are also registered.
Registration must be done on paper.
Registration is done once unless the database undergoes changes. All changes to the purpose, content, security measures, etc. must be registered.

Database Registration Requirements by Country

Colombia
Article 29 of the Data Protection Law creates a database registry. Only Colombian Data Controllers (registered in the chambers of commerce) need to register databases.
Information to be registered: types of data; security measures; data origin; international transfers; international transmissions; national data transfers; requests from data subjects to exercise their rights; and security incidents (breaches).
Annual registration, or within 10 days of any substantial changes.

Costa Rica
Article 21 of the Data Protection Law creates a Data Registry. Databases for distribution, publication or commercialization need to be registered.
Registration needs to be done by the data owner (notarized) and includes physical placement of the database; uses for the database; types of data; description of security measures; recipients of data transfers; list of contracts for commercialization; creation of a super user for the agency, etc.

Proposed Legal Changes in the Region
Juan Luis Hernandez Conde, Founding Partner, Novus Concilium

From Habeas Data to Omnibus Protection

What is Habeas Data?

Constitutionally / Judicially protected right to access, rectification and/or erasure of personal information.

Omnibus legislation

Legal regime imposing specific obligations and requirements on Data Controllers and Data Processors.

Privacy evolution timetable

[Timeline figure. Countries: Costa Rica, Argentina, Colombia, Mexico, Peru, Uruguay. Years marked: 2000, 2008, 2010, 2011, 2014.]

Laws being discussed right now

Brazil, Ecuador, Chile, Panama

From Habeas Data to Omnibus Protection

Accountability and Data Subject Rights
Jacobo Esquenazi, Global Privacy Strategist, HP, Inc.

Data Subject Rights in LAR

All data protection laws in LAR are based (in whole or in part) on EU data protection concepts, and more specifically on the first Spanish implementation of the Privacy Directive.
All laws in LAR provide data subjects with the following rights:
Access: The right to know what information a Data Controller holds about the Data Subject.
Correction: The right to correct inaccurate information that a Data Controller holds about a Data Subject.
Deletion: A Data Subject has the right to request that a Data Controller delete information related to him/her (with some limitations).
Some data protection laws allow an intermediate phase before deletion (opposition), which is the equivalent of the Right of Restriction of Processing under the GDPR.
All rights have a compliance period. After that period, Data Subjects who feel their requests have not been honored have a right of recourse before the DPA and eventually before a court of law.

Infringement of Data Subject Rights

The infringement of Data Subject rights can be penalized by administrative sanctions (including monetary ones), applied by the DPA.
DPAs in LAR have increased their enforcement activity, imposing substantial fines for non-compliance. Activity has increased in particular where Data Subject complaints are involved. DPAs do not have prosecutorial discretion; therefore all complaints must be investigated.
All laws include the right of compensation if the infringement of Data Subject rights results in harm. The process is carried out before the courts.

Accountability

Mexico and Colombia included the concept of accountability in their data protection legislation. The concept is similar to the one incorporated in the GDPR.
Having an accountability-based data protection program is not mandatory, but companies that can demonstrate one get benefits such as reduced fines or easier transborder flows.
Demonstrating accountability has some requirements that need to be met (sometimes through codes of conduct).
Although Peruvian regulation does not include the accountability concept, it does recognize some benefits for participating in voluntary codes of conduct.

Key Takeaways For Companies


Latin America is as diverse in its privacy regimes as it is in its
geographies.
Habeas data is a constitutionally-based remedy of legal action that may
be initiated by a citizen to discover what data is held about that person,
in order to facilitate correction or deletion of the information.

Key Takeaways For Companies

More incentives than ever exist for Latin American governments to modernize their data privacy laws in light of APEC membership, global commerce and trade, and international adequacy/interoperability opportunities.
With Chile, Mexico and Peru already APEC members, companies should consider APEC CBPR Certification as a route to demonstrate compliance in the region.
Companies should be aware of the data privacy quirks that exist in Latin America but are not widespread elsewhere, such as:
Costa Rica's super user database access for the government
The right to be forgotten in Nicaragua
Mexico's detailed privacy notice rules but lack of a registration requirement

Questions?

Contacts
Jacobo Esquenazi

jacobo.esquenazi@hp.com
@jesquenaziMX

Juan Luis Hernandez Conde

hcount@nclaw.mx
@TheRealHCount

Andrew McDevitt

amcdevitt@truste.com
@AndrewJMcDevitt

Thank You!
Details of our 2016 Summer/Fall Webinar Series are now available. Register now for our next webinar on September 22, "Changing Role of the CPO in today's Privacy Ecosystem".
See http://www.truste.com/insightseries for the 2016 Privacy Insight Series and past webinar recordings.