On January 28th, 1981, in France, the “Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data” (Convention 108) was signed, followed on November 8th, 2001, by the additional protocol on supervisory authorities and transborder data flows.
Although this international instrument was developed by the Council of Europe (an international organization for regional cooperation composed of 47 European States), it was determined that once it entered into force, any non-member State of the Council of Europe could be invited to accede to the Convention. In Latin America, only Argentina, Mexico and Uruguay are officially party to Convention 108.
However, even if we owe the international data protection day to Convention 108, it was not the Council of Europe that set the Latin American standard for personal data, but the Council of the European Union (EU) with its 1995 “Data Protection Directive” (Directive 95/46/EC). According to its guidelines, its member countries could only transfer personal data to countries outside the EU that guaranteed an “adequate level of protection”. This restriction obliged the countries of our region to seek to achieve this level through the formulation of personal data laws and thus avoid being hindered in their commercial exchanges.
Nowadays, Directive 95/46/EC has been overtaken by the “General Data Protection Regulation of the European Union” (GDPR), a new and more demanding guideline in the field of personal data. And in Latin America, what is the current scenario in terms of personal data?
Chile was a pioneer in the region by being the first Latin American country to enact a personal data protection law: Law 19628 on the protection of private life in 1999. More than 20 years have passed since then, and although the reality is very different from that time, the same law is still being applied in the country, unable to meet the current needs arising from technological advances and the ability to process large volumes of data in an automated way. However, this situation could change soon if the bill on personal data protection, currently under discussion in the legislature, is approved. Last January 25th, after four years in the Senate, the bill was sent to the Chamber of Deputies, passing to its second constitutional stage. It is a bill strongly inspired by the GDPR, although with some modifications that, far from being adaptations to the local reality, show the lack of knowledge of Congress on the matter. An example of the above is the elimination of the principle of loyalty, one of the essential principles of the European regulation that is sought to be imitated.
At the constitutional level, in 2018 the right to the protection of personal data was incorporated into the Chilean Constitution as an autonomous right, independent from the right to privacy. Furthermore, in the context of the constituent process that Chile is currently undergoing, several initiatives on the matter have been presented, among which we highlight the proposal of the Center for Information Technology Law Studies (CEDI).
In 2000, Argentina took the lead in data protection by enacting its Personal Data Protection Act 25.326 (PDPA), and three years later, it became the first Latin American country to obtain an adequacy decision from the European Commission. This means, in summary, that Argentina is a country eligible for the international transfer of personal data from European Union countries, without the need to comply with further requirements. In addition to the PDPA Law, the Argentine legal framework on the matter is composed of rules contained in its Constitution, and by the Regulatory Decree 1558/2001.
However, many years have passed since then, and today Argentina’s regulations are not only outdated, but it is also possible to observe a significant deterioration in its personal data protection system. Recently, it has been denounced that the Argentinian public sector would be the biggest violator of the PDPA, and last year the authority on the matter resigned after the scandal of the leakage of the information of national identity documents from the National Registry of Persons (RENAPER), without a replacement having been appointed to date. In addition, the government announced that the census for the year 2022, as a novelty, will include univocal identification information such as the national identity number (DNI), an issue incompatible with the guarantee of anonymity necessary to protect sensitive information.
In Peru, the main pillar of personal data protection is provided by the Personal Data Protection Law (29733) of 2011, and its regulations of 2013. Among the aspects to be highlighted, we find the obligation to register data banks in the National Registry of Personal Data Protection, so that citizens can know which personal data categories are collected by a given entity and for what purpose. Another significant point is the existence and activity of the National Authority for the Protection of Personal Data, which through various activities, such as campaigns and presentations, seeks to promote the culture of protection of personal data.
In 2012 Uruguay became the second and last Latin American country approved by the European Commission as a country providing “adequate protection” for personal data within the meaning of the Data Protection Directive. Among the considerations for its adequacy decision, the EU highlighted that, although the Uruguayan Constitution of 1967 does not expressly recognize the right to privacy and the protection of personal data, it does recognize that its catalog of fundamental rights is not a closed list. Besides that there were the fact that the Uruguayan law 18. 331 on the Protection of personal data and habeas data action, of 2008, expressly states that “The right to the protection of personal data is inherent to the human person, and is therefore included in Article 72 of the Constitution of the Republic”; and that it was largely based on Directive 95/46/EC. The Uruguayan law is complemented by Decree 414/009 of 2009, which clarified certain aspects of the law and regulated in detail the organization, faculties and functions of the data protection authority.
Just as Chile was a pioneer in enacting its data protection law based on European regulations in 1999, Brazil was the first country in the region to enact a personal data protection law directly inspired by the European model of the 2016 GDPR: the General Data Protection Law, LGPD (13.709/2018).
Brazil has a National Data Protection Authority (ANPD), which recently launched the “Orientation Guide — Application of the General Personal Data Protection Law” for data processing agents, in the context of the upcoming elections in October 2022. The ANPD had previously published an information security guide aimed at small processing agents, in addition to other publications of tools and templates in fulfillment of its guiding role, to support the various organizations in complying with the LGPD.
On May 26th, 2021, Ecuador’s long-awaited Organic Law on Personal Data Protection (LOPD) was finally enacted. However, it was only last January 26th that the draft regulation to the Personal Data Protection Law, a 107-article document inspired by the GDPR, was submitted to the Executive. Access Now, the Association for Progressive Communications (APC) and Derechos Digitales collaborated in this legislative process from the beginning, sending suggestions on the basic assumptions for the development of the law, as well as comments to improve the project that are now law.
Bolivia is one of the few countries in the world that does not have a specific law for the protection of personal data, despite the fact that its Political Constitution contemplates the right to privacy, intimacy, honor, self-image (article 21), and the right to informational self-determination (article 130).
However, Bolivia has been undergoing a digital transformation process for some years now. This process includes, among other things, data interoperability between public agencies, some advances in digital citizenship, digital economy and e-government. All these processes involve the collection and treatment of large volumes of data, so it is urgent for Bolivia to have a law that comprehensively regulates the protection of personal data, establishing clear obligations for those who deal with personal data, and rights in favor of the data owners.
Venezuela is another country that does not have a personal data protection law, nor structural policies to protect this right. This situation takes place despite the fact that its Constitution recognizes the right to privacy and the right of individuals to “access information and data about themselves or their property contained in official or private records”.
The case of Venezuela is particularly worrisome, since there are indications of improper access to personal data, involving public resources, as well as the direct involvement of public entities in information theft practices. Last January 28th, the report “Privacy and personal data in Venezuela: an approach to current legislation and practice” was presented, based on a compilation of laws, regulations and cases that portray structural patterns of violation of freedom of expression and information, in connection with data protection and privacy.
The disparity between different countries in the region makes our work towards identifying trends and risks to personal data more important than ever. We expect to keep advocating for the protection of all fundamental rights, including those that involve the use and defense of personal information.