The General Data Protection Regulation (GDPR) has prompted a series of legislative proposals in Latin American countries to update data protection regulations, many of which reflect the higher standards of the GDPR. With a large number of European and U.S. companies operating in the region, we look at some of the latest developments below.
Argentina was the first Latin American country to implement data protection laws and the first non-European country to be recognised by the European Commission as having adequate levels of data protection. The need to revisit the current legislation is a result of technological advances and the changed international landscape with the introduction of the GDPR since the Argentinian Personal Data Protection Act 2000 came into force.
Argentina's new draft data protection bill proposes further changes to bring the country's data protection law in line with the GDPR. The bill acknowledges the right to be forgotten and the right to data portability. Other changes include stricter provisions in the area of cross-border transfers to countries with inadequate levels of data protection, new legal bases for data processing other than data subject consent, including legitimate interests, and new definitions of biometric and genetic data.
Brazil's data protection law, Lei Geral de Proteção de Dados (LGPD), enters into force in August 2020. Before the LGPD, the data protection legislation in Brazil was sector-based and primarily regulated by the country's civil rights framework for the internet (Internet Act) and Consumer Protection Code. LGPD imposes detailed rules for the collection, use, processing, and storage of personal data. This new regulation replaces more than 40 different regulations that deal with data protection. The final version of LGPD also introduced important revisions to the original version of the law, such as the creation of the National Data Protection Authority that will be responsible for overseeing and enforcing the LGPD.
Chile has a comprehensive data protection regulation, Law No. 19.628 On the Protection of Private Life, as amended in 2018. While Law No. 19.628 requires data subjects to be informed about the purposes of the processing of their personal data and requires data subject consent, it fails to establish mechanisms to supervise compliance with the laws.
The National Congress of Chile is currently considering a new data protection bill. The new bill includes additional rights for data subjects, introduces provisions on consent and new obligations for data controllers, and amends the definitions of sensitive data to include biometric data.
Data protection laws in Colombia were established through Law No. 1581 of 2012. Law No. 1581 is applicable to all sectors except the financial sector, which instead is regulated by Law No. 1266 of 2008. Law No. 1581 applies to all data processing carried out in Colombia, including any operation carried out on personal data, such as collection, storage, use, deletion, update and transfer of information.
Presently, there is a bill in congress that will supplement the current Law No. 1581. The draft bill will, among other things, allow the local data protection authority to impose fines on data controllers and processors.
The GDPR has provided the necessary momentum for Latin American countries to update their existing laws governing data protection. As data transcends international borders, these developments are relevant to any organisation that does business in the region, particularly as recent trends suggest that data protection authorities are becoming increasingly active in enforcing data protection legislation in Latin America. Organisations that have adopted a GDPR standard across their business should take note of, and update its procedures in relation to, any local requirements that diverge from the GDPR (for example, data subject access request response time) once the final legislation has been released.
We expect further developments in this area. Keep an eye on this blog for updates.