Data privacy is a real concern across the globe, causing Latin American countries to look for ways to implement new laws to tackle the problem.
Legislation around the world, such as the European Union's General Data Protection Regulation (GDPR), has highlighted the need for countries to create and update their current data privacy frameworks and regulations to fit today's business environment.
Brazil is leading the way in Latin America with its new data privacy laws that will consolidate the more than 40 different regulations currently in effect in the country. The Lei Geral de Proteção de Dados (LGPD), which will come into effect in August 2020, includes some parts of GDPR but also puts significant compliance obligations on companies that process data or offer services to individuals in Brazil. "The law is about the protection of all personal data, similar to the GDPR, affecting all companies that deal with data," says Vanessa Mello, director of client legal compliance operations at TMF Brazil. The new law covers names, signatures, addresses, IP addresses and tax IDs, in addition to other personal data that it collected before.
The LGPD applies to all legal entities that process personal data, whether public or private, that operate in Brazil or supply goods or services to individuals located in Brazil. Companies must expressly seek consent from the owner of the data, informing them exactly what data is being collected, why, and for how long it will be stored. In addition, the data must be destroyed when the company no longer has any need for it.
While companies have 17 months to adapt, they must make sure all their data collection systems and technology are compliant. A data protection breach carries a penalty of 2% of annual revenue.
Colombia has the most developed data protection legislation in Latin America, with laws that have been on the books since 2012. The laws have been updated and now contain information about how to store personal data, how it is treated, and how it is used, amended or deleted, as well as different measures depending on the type and size of the business. Permission is needed from users when using the data.
Data privacy legislation is always changing, and there is currently a bill in congress that will complement the current legislation and introduce new concepts such as privacy by design, with separate laws for companies and financial institutions. For companies, the focus would be on personal data, while financial institutions would focus on protecting financial data such as credit.
Estefania Arteaga, legal supervisor at TMF Colombia, explains, "It is very important to comply with the regulations even though they are not new. Every year the SIC (Superintendence of Industry and Commerce), which regulates the data privacy laws, conducts audits to make sure companies are following the laws. Companies in Colombia must have a data policy, a data privacy officer and register their databases with the National Database Registry (RNBD). The policy must be available to the public so they can see how the data is being used and stored."
Mexico does have data privacy legislation that has been around for a few years longer than GDPR, but it's not well defined, which makes it unenforceable. Compared with GDPR, which has a very clear penalty of 4% of a business's annual revenue as a fine for non-compliance, Mexico lacks a true way to enforce the laws with consequences. There are also no laws specific to data inventory, which would require companies to properly maintain the data.
Paola Fonseca, regional legal counsel for the Americas at TMF Group, explains, "Another gap in the current law is legitimate interest. In order for you to have the data, there has to be a reason. You can't just collect data. But there is no definition of legitimate interest. The current law allows almost anyone to collect data, meaning there are no provisions about how the data is transferred to anyone else."
There are no real plans to change the federal laws to make them more enforceable. This task falls on the states to create laws to protect data. Mexico City has been a positive example with some new laws but the country is still waiting to see how the federal government decides to regulate data privacy accountability.
Argentina's congress continues to review a new data privacy bill that would replace the outdated legislation in effect since 2000. The proposed changes are closely aligned with GDPR and address new risks from technological advances. The bill includes new concepts such as genetic data and biometric data. Legal entities are excluded from the bill, meaning that only human persons can be classified as data holders. The bill also eliminates the requirement for data controllers and processors to register databases and establishes an autonomous data protection body (DPA) to enforce the law.
Luciana Calia, legal and compliance manager at TMF Argentina, explains, "For local companies the new regulations will represent a big challenge for them to improve their data privacy monitoring as well as an increase in their budgets for IT tools and compliance. Companies may have to appoint a data protection officer (DPO) who will be in charge of advising on the treatment of data and also training employees on their obligations to stay compliant with the regulations."
While there are still questions about what the final bill will include, these changes will move Argentina into a position as a leader on data protection in Latin America.
We can help
Compliance and data privacy are huge trends affecting many countries in Latin America as well as around the world. Companies must stay ahead and put more time and money towards protecting their users' data. TMF Group has local offices in Brazil, Colombia, Mexico and Argentina with experts who can help your company. We can provide full data protection health checks for companies that wish to assess their current processes and determine what changes need to be made to comply with new rules. We can also act as a compliance officer to allow companies to focus on their core business. Talk to us about how we can help with data privacy compliance.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.