Due to its key geographic location, Panama's economy has leaned toward a well-developed service sector that has traditionally been attractive to both local and international companies. As such, it came as something of a surprise to many that, unlike other jurisdictions, Panama did not provide a general legal framework regulating data protection. There are some general concepts providing for the protection of personal data and privacy included in the Constitution and in the Criminal Code. The issue has been regulated in more detail in certain sector-specific legislation, such as that covering credit reporting, patients' history, and the banking and insurance sectors, amongst others. However, the rules provided therein are not applicable to other sectors in general.

The lack of a general regulation posed certain challenges, particularly when providing legal opinions to our multinational clients in connection with their efforts to align their own internal data privacy policies with local legislation and requirements.

After many years of numerous discussions and failed attempts, a comprehensive new data privacy law is expected to be enacted by the Government in the short term. Bill No. 665 concerning the protection of personal data was recently approved by the National Assembly on October 24th, 2018. As of the date this article was prepared, the approval of the Executive is still pending, but is expected. Upon publication of the bill in the Official Gazette, it will become law; however, the law will enter into force on the second anniversary of its publication in the gazette.

The new law regulates much-needed aspects such as electronic consent, and provides guidance in connection with the geographic location of servers and the international transfer of data. Unfortunately, it does not address the opt-in / opt-out conundrum. Other aspects regulated by the new law are the obligation to maintain a data collection register available for inspection by the local regulator (known as the Autoridad Nacional de Transparencia y Acceso a la Información), the rights of data holders to have information deleted or rectified (which the law requires to occur within 10 business days), privacy policy disclosure requirements and certain carve-outs regarding medical and criminal record data. Automated decision processes based on personal data are also regulated, as is the joint liability of the "responsible entity for data management" (which may be a legal or natural entity) with the entity actually utilizing the data.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.