Demonstrating Compliance with Data Privacy Legislation

This is an Insight article, written by a selected partner as part of Latin Lawyer's co-published content.

The data protection phenomenon originated in Europe and has swept across Latin America in recent years. Chile was the first country in the region to enact a data protection law, in 1999, and several others followed: Argentina in 2000, Uruguay in 2008, Mexico in 2010, Costa Rica and Peru in 2011, Colombia in 2012, Brazil in 2018 and Panama in 2019, with many now updating their earlier privacy laws.[2] Privacy legislation in Latin America often follows the model of the European Union’s General Data Protection Regulation (GDPR). Costa Rica, for instance, is engaged in a comprehensive reform of its data privacy laws based on the GDPR model. On 28 January 2021, Costa Rica proposed a reform of its existing data protection laws,[3] aiming to restructure the existing data protection agency (PRODHAB) and to accede to the Council of Europe’s Convention 108 on the protection of personal data.[4] The bill remains under discussion in the Costa Rican Congress.

Although Chile was the first country to regulate data privacy in Latin America, its legal framework soon became obsolete and in need of reform, due in large part to the absence of a dedicated data protection authority and the low level of fines.[5] Inspired by the GDPR, Bill No. 11144-07 was introduced in the Chilean National Congress in 2017 to modernise the existing framework and to create a new data protection agency capable of enforcing the legislation. Progress has been slow, but the bill was amended in October 2021 to provide for an Agency for the Protection of Personal Data as the data protection authority. The bill has been approved by the Chilean Senate and is currently under discussion in the Constitution, Legislation and Justice Committee of the Chamber of Deputies; it is expected to be enacted in 2023.[6]

Colombia’s data privacy laws are widely viewed as the most modern in Latin America, and its enforcement record has been noted favourably. For instance, on 26 November 2020, the Colombian data protection authority ordered a videoconference service provider to implement measures to secure the personal data of its users in Colombia in accordance with the existing data protection law.[7] Throughout 2020, several fines were imposed on companies for violations of the data protection rules. More recently, in May 2021, Colombia’s data protection authority ordered WhatsApp to comply with measures meant to protect users’ personal data, finding that the messaging app failed to meet 75 per cent of the applicable data protection requirements.[8] The Colombian government also issued Decree 338 of 2022, which sets out guidelines for public entities to prevent and manage cyber incidents, identify critical public cyber infrastructure and improve cybersecurity governance.[9]

Similarly, Mexico, Brazil and Argentina have taken measures to enhance data privacy protections. In 2010, Mexico adopted the Federal Law on the Protection of Personal Data Held by Private Parties. Since then, the executive branch has issued several further regulations and guidelines setting out additional parameters for that law. In 2017, the General Law for the Protection of Personal Data in Possession of Obligated Subjects entered into force, regulating, among other matters, the processing of personal data held by public entities, including law enforcement agencies.[10] The Mexican data protection laws and regulations apply to personal data that is processed (1) in an establishment located in Mexican territory; (2) anywhere in the world, if the processing is carried out on behalf of a Mexican data controller; (3) regardless of location, if Mexican legislation applies because Mexico is party to an international convention; or (4) by means located in Mexico.

As with other data protection laws in Latin America and elsewhere, the Mexican, Brazilian and Argentinian laws and regulations broadly define personal data as any information pertaining to an identified or identifiable individual, and they impose stiff penalties for violations. For example, violations of privacy laws in Mexico may result in fines and imprisonment, with fines per violation calculated as many multiples of the Mexico City minimum wage (currently €138.9 per month). The law also provides for imprisonment of between three months and five years, depending on the seriousness of the violation.[11] Violations of privacy laws in Brazil may result in warnings and fines of up to 2 per cent of the breaching entity’s annual turnover in Brazil, capped at 50 million reais per infraction.[12] In Argentina, violations of privacy laws may result in both monetary fines and imprisonment.

Inspired by the GDPR, Brazil enacted its long-awaited data protection law, the LGPD, in 2018. The LGPD sought to unify more than 40 statutes that previously governed the use of personal data in Brazil. It became effective only in September 2020, however, and its sanction provisions did not take effect until August 2021. The LGPD provided for the creation of a federal agency, the Brazilian National Data Protection Authority (ANPD), which was formally established in October 2020 after the Brazilian Senate approved the first members of its decision-making board.[13] On 28 January 2021, the newly formed ANPD published its regulatory strategy for 2021 to 2023 and its work plan for 2021 to 2022. Under these, the agency aims to strengthen the culture of personal data protection, establish an effective regulatory environment for data protection and improve the conditions for legal compliance.[14] The 2021 to 2022 work plan sets priority measures and implementation time frames, the most critical being the ANPD’s internal regulations and strategy plan, rules for small and medium-sized companies and start-ups, and the development of administrative rules on the application of sanctions.[15] During 2021, the ANPD published a number of guidance documents and FAQs on the LGPD. For example, in May 2021 it published the Guidance for Personal Data Processing Agents and Data Protection Officers, which sets out non-binding guidelines for processing agents and explains who may act as a data controller, operator or data protection officer.[16] In April 2022, it published a second version of the same guidance, clarifying several concepts under the LGPD and the earlier guidance and adding practical examples and explanations.[17]

The LGPD applies to any personal data processing operation carried out by a natural person or by a legal person under public or private law, regardless of the means used or the country in which the processor is based or the data is stored, provided that the processing is carried out in Brazilian territory; the processing has the purpose of offering or supplying goods or services to, or processing data of, individuals located in Brazil; or the personal data was collected in Brazil.[18] Notably, anonymised data is not considered personal data unless the anonymisation can be reversed by reasonable means.[19]

Furthermore, in February 2022, the Brazilian Congress enacted a constitutional amendment recognising the protection of personal data as a fundamental right.[20] The amendment also vests in the federal government exclusive authority to legislate on the protection and processing of personal data.[21]

Pursuant to principles set out in the Argentinian Constitution, Argentina has a comprehensive data protection framework established by Law 25.326/2000, as further regulated by Decree 1558/2001. Since 2017, the Agency for Access to Public Information (AAIP) has served as Argentina’s data protection authority, responsible for enforcing the law. Law 25.326/2000 applies throughout Argentina and to any processing of personal data carried out online.[22] In August 2022, the AAIP opened a public consultation to begin reforming Law 25.326/2000.[23] Following that process, a new draft data protection bill was published in November 2022,[24] with many provisions modelled on the GDPR. For example, the draft bill expands the territorial scope of Law 25.326/2000 to organisations outside Argentina that offer goods or services to, or monitor the behaviour of, people located in Argentina.[25] The draft bill also follows the GDPR in introducing new definitions relating to data and data processing, clarifying the rules on cross-border data transfers, adding new data subject rights, and imposing new requirements such as mandatory data protection impact assessments and the mandatory appointment of a data protection officer in specified situations.[26] There is currently no indication of when the bill will be debated in the Argentinian Congress.

Panama and Uruguay also adopted further data protection measures in 2021. In May 2021, the president of Panama approved Executive Decree No. 285, which implements Panama’s Personal Data Protection Law by setting minimum requirements that data controllers must meet when collecting information and the conditions under which data subjects’ consent must be obtained. The decree also introduced an obligation to notify the national data protection regulator and the affected data subjects of a personal data breach within 72 hours of its discovery.[27] In September 2021, the Uruguayan data protection authority adopted Resolution No. 23/021 of 8 June 2021, which notably removed the United States from the list of territories to which personal data may be transferred without prior administrative authorisation.[28]

Introduction to GDPR

On 25 May 2018, the GDPR became applicable. The GDPR applies to an organisation established in the European Union that processes personal data, whether or not that processing takes place in the EU, and to an organisation established outside the EU that offers goods or services to individuals in the EU or monitors the behaviour of individuals in the EU. Many companies based in Latin America trigger this second prong. Compliance with the GDPR, and with the derogations adopted by the various EU Member States, requires implementing a range of technical, administrative and organisational measures.[29]

Conducting a data inventory

Most entities will need to conduct a thorough review of the data they hold, collect or process as a first step towards complying with the GDPR. Through such a review, often called data mapping or a data inventory, an entity gains insight into what personal data is collected and used, where it is stored, what processing takes place and how long data is retained. This information allows the organisation to undertake (and later document) other compliance obligations, including maintaining the record of processing activities required by Article 30 of the GDPR and demonstrating a lawful basis for each processing activity as required by Article 6.

Identifying lawful bases for processing

Processing is lawful under the GDPR only to the extent that one of the bases listed in Article 6 applies to the processing activity. These bases are: consent of the data subject (which can be withdrawn at any time); performance of a contract with the data subject; compliance with a legal obligation; protection of the vital interests of the data subject or another person; performance of a task carried out in the public interest or in the exercise of official authority; and the controller’s or a third party’s legitimate interests (where not overridden by the interests or fundamental rights and freedoms of the data subject). Although Article 6 states that processing is lawful where ‘at least one’ of the bases applies, the Article 29 Working Party’s guidance provides that ‘[a]s a general rule, a processing activity for one specific purpose cannot be based on multiple lawful bases.’ Companies should identify and document a lawful basis for each activity identified in the data inventory, and must inform data subjects of both the purpose of processing and its lawful basis at the time the data is collected.

Understanding the rights of data subjects

In addition to requiring a lawful basis (e.g., consent or performance of a contract) for each processing activity, the GDPR provides the following rights to data subjects:

  • Right to be informed. Data subjects have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the GDPR.
  • Right of access. Data subjects have the right to access and receive a copy of their personal data and other supplementary information.
  • Right to rectification. Data subjects have the right to have inaccurate personal data rectified or completed if it is incomplete.
  • Right to erasure. Data subjects have the right to have personal data erased. This is also known as the ‘right to be forgotten.’ The right is not absolute and only applies in certain circumstances.
  • Right to restrict processing. Data subjects have the right to request the restriction or suppression of their personal data.
  • Right to data portability. Data subjects have the right to obtain and reuse their personal data for their own purposes across services.
  • Right to object. Data subjects have the right to object to the processing of their personal data where it is based on legitimate interests or the performance of a public-interest task, and an absolute right to object to processing for direct marketing purposes, including related profiling; once a data subject objects to direct marketing, that processing must stop.
  • Rights related to automated decision-making. Data subjects have the right not to be subject to a decision that produces legal effects or significantly impacts the data subject based solely on automated processing, including profiling.

Prohibitions on special categories of data

Under Article 9 of the GDPR, the processing of data ‘revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership,’ as well as of ‘genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation,’ is prohibited unless one of the exceptions set out in Article 9(2) applies. The most notable and widely applicable exception is the data subject’s ‘explicit consent’ to the processing for one or more specified purposes. The Working Party guidance treats ‘explicit consent’ as a more stringent requirement than ordinary Article 6 consent; it suggests that a written statement, signed by the data subject where appropriate, is one way of demonstrating it. The explicit consent exception does not apply where European Union or Member State law provides that the prohibition cannot be lifted by the data subject.

Appointing a data protection officer

Businesses with identified, invested stakeholders are more likely to achieve compliance. A successful privacy team is cross-disciplinary, including people with technological expertise as well as people with insight into current and planned business activities. In addition, Article 37 of the GDPR requires a business to appoint a data protection officer (DPO) when:

  • it is a public authority or body;
  • its core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale;
  • its core activities consist of large-scale processing of special categories of data or of personal data relating to criminal convictions and offences; or
  • it is required to do so by Member State law.

A DPO will guide the organisation’s GDPR compliance efforts, while serving as a point of contact for data subjects and working with data protection authorities as necessary. DPOs should remain available to company leadership and the privacy team, while maintaining sufficient independence. If an organisation appoints a DPO even when not required by the GDPR, all the requirements of the GDPR related to DPOs remain applicable. Therefore, appointing a ‘data protection officer’ versus a ‘data privacy officer’ should be considered carefully. If an organisation decides that a DPO should not be appointed, that decision should be documented for later reference.

Contracting with data processors

Article 29 provides that a processor, and anyone acting under the authority of the controller or processor, may process personal data only on the controller’s instructions, unless required to do so by law. Article 28 specifies how these instructions are to be documented in a written agreement. In particular, Article 28 requires controllers to ‘use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of [the GDPR] and ensure the protection of the rights of the data subject.’ Contracts under Article 28 should include:

  • the subject matter, duration, nature and purposes of the processing;
  • the controller’s documented instructions for processing;
  • the categories of personal data to be processed, as well as the categories of impacted data subjects;
  • the controller’s obligations and processor’s promises to assist with the controller’s compliance efforts; and
  • the processor’s obligation to implement technical and organisational security measures, maintain confidentiality, delete or return personal data at the conclusion of the relationship, submit to audits, and bind sub-processors to requirements under the GDPR.

Choosing a data transfer mechanism

The GDPR also regulates the processing of data within the European Economic Area (EEA), as well as transfers of personal data outside of the EEA. Under the GDPR, there are three scenarios in which an entity legitimately can transfer personal data to a receiver outside the EEA: (1) the receiver is located within an area covered by an adequacy decision; (2) appropriate safeguards have been established to protect individuals’ rights to their personal data; or (3) an exception, such as explicit consent, covers the transfer.

Adequacy decisions are made by the European Commission (the Commission) and establish that a given country provides an adequate level of data protection. The countries and territories currently covered by adequacy decisions are Andorra, Argentina, Canada (commercial organisations only), the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, the Republic of Korea, Switzerland, the United Kingdom and Uruguay. In 2016, the Commission issued a partial adequacy decision for the United States, finding that only transfers covered by the EU–US Privacy Shield (the Privacy Shield) were adequately protected. On 16 July 2020, however, the Court of Justice of the European Union (CJEU) handed down its judgment in case C-311/18, better known as Schrems II, upholding the use of standard contractual clauses but invalidating the Privacy Shield. This was the second time in five years that the CJEU had found an EU–US safe harbour programme inadequate.

In March 2022, the European Commission and the United States announced an agreement in principle on a new Trans-Atlantic Data Privacy Framework to replace the Privacy Shield, intended to provide a durable basis for trans-Atlantic data flows. Under the new Framework, the United States committed to put safeguards in place to ensure that signals intelligence activities are necessary and proportionate in the pursuit of defined national security objectives, and to establish an independent redress mechanism. Although the Framework is still a work in progress, US President Joseph Biden issued Executive Order 14086 in October 2022 to implement the United States’ surveillance-related commitments.[30]

For transfers that do not fall within the scope of an adequacy decision, ‘appropriate safeguards’ must be established. While the GDPR lists several kinds of appropriate safeguards, one of the most common is the use of standard contractual clauses (SCCs). SCCs are template clauses pre-approved by the Commission that companies can incorporate into their contracts to ensure sufficient data protection and GDPR compliance. In June 2021, the Commission published new SCCs that place more responsibilities on data importers, such as additional representations and warranties, new sensitive data and accuracy obligations, expanded security and data breach requirements, and more direct liability to individuals and authorities in Europe.[31] Companies were required to migrate all international data transfer agreements entered into under the old SCCs before 27 September 2021 to the new SCCs by 27 December 2022, so the old SCC forms no longer provide a valid transfer mechanism. The United Kingdom is a special case. It has not adopted the Commission’s new SCCs, but it received an adequacy decision from the Commission, so SCCs are currently not required for transfers of personal data from the European Union to the United Kingdom. However, the UK adequacy decision carries a ‘sunset’ clause under which it will automatically expire on 27 June 2025 unless renewed.

Other compliance obligations

The GDPR’s requirements are numerous and multifaceted. Companies beginning to work toward compliance should seek the advice of counsel. For additional information on the specific compliance and documentation requirements contained in the GDPR, please reference the table below.

Requirement/definition | Reference
Lawful bases for processing | Article 6
Access | Article 15
Disclosure of purpose of collection, source, use and third-party sharing | Articles 13, 14, 15
Erasure (deletion) | Article 17
Portability | Article 20
Opt out/object | Article 21(2)–(3) (for direct marketing purposes)
Data protection agreements | Article 28
Data protection impact assessments | Article 35
Personal data | Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data or an online identifier, or to one or more factors specific to that person’s physical, physiological, genetic, mental, economic, cultural or social identity (Article 4(1))
Data subject | A natural person whose personal data is processed by a controller or processor (Article 4(1))

Jurisdictional differences in privacy regimes

Data protection regimes can vary dramatically from nation to nation and even from state to state within the United States. What qualifies as sensitive personal information in one nation, requiring more stringent consent and processing requirements, may receive less protection in another nation. Some nations require specific data protection programme elements that can be more onerous on a company, such as the GDPR’s ‘privacy by design’ control environment requirements, registration of processing databases with national supervisory authorities, or the appointment of a specific data protection officer to oversee privacy issues.

Companies may find it beneficial to target investment in or shift operations to jurisdictions with fewer data protection requirements. Depending on the type of data on which the company relies, and its degree of global integration, there are significant potential compliance cost savings even among countries in Latin America that have recently heightened their data oversight. But in an increasingly global economy that relies on cross-border marketing, internet traffic and business partners, those benefits may be limited. Before starting to forum shop, companies must consider not only where their data will be stored or processed, but from whom the data will be collected and where it will be transferred. Data privacy laws often reach beyond national borders when their residents’ data is at issue.

For example, if a company collects personal information from citizens and residents in the European Union, even if it hosts its website or processes the data in Panama, the data is still subject to the GDPR requirements. Segregating data into separate databases with more stringent protections based on the country of origin is possible, but requires additional administrative overhead. If a company intends to establish operations in Brazil or Ecuador that would rely on international data transfers from other countries, it will be required (either by contract or by law) to follow the data protection rules of the origin country. And some countries prohibit the transfer of data internationally unless the destination country has data protection laws that are at least as robust as their own. As discussed in the previous section, the European Union’s GDPR mandates strict international transfer standards. The privacy regimes of Argentina, Brazil and Colombia also incorporate this type of comparative protection. So by setting up shop in a jurisdiction with few data protection laws, a company may restrict the ability to efficiently interact with companies or even internal divisions of the same company in other parts of the world.

Even if a company’s aim is not to engage in regulatory arbitrage, but more simply to evaluate opportunities for international expansion, it is critical to understand the differences in data protection laws among neighbouring countries. These differences may require significant modifications to data processing policies, procedures and security that could result in major capital expenses for the company, or even subject it to liability for noncompliance. Below are some examples of factors that are treated differently under the laws of various jurisdictions discussed elsewhere in this chapter.

Definition of sensitive personal information

Most privacy regimes recognise that certain types of personal information are more intimate or sensitive, requiring enhanced protection or consent procedures when companies collect and use the data. This usually does not include directory-type information (names, addresses, phone numbers, emails) or transactional data (purchase history, etc.), which would qualify as personally identifiable information subject to some protections, but not sensitive information requiring enhanced protection.

In many Latin American countries, enhanced protections are provided for information more intimately linked to an individual’s personal, physical or moral characteristics, such as racial and ethnic origin; religious, political or philosophical beliefs and affiliations; membership of labour unions; and information about an individual’s health and sex life. Many jurisdictions, including Colombia, Costa Rica, Mexico, Brazil, the European Union and some US states, offer enhanced protection for biometric data (fingerprints, retina scans, facial recognition data, etc.). Genetic information is also afforded specific protection in Costa Rica, the United States, Mexico, Brazil and EU Member States. Notably, though, Chile’s current law does not single out biometric or genetic data for special treatment. In Argentina, biometric data is considered sensitive only if it can reveal additional information whose use could result in discrimination against the data subject.[32]

Mexico’s data privacy regime includes a more expansive definition of sensitive personal information than many other jurisdictions, specifically covering pictures, videos, geolocation and the data subject’s signature. It is also one of the few regimes in the region to include banking information as a sensitive category.[33]

Consent-conscious jurisdictions

The definition of sensitive information is commonly accompanied by restrictions on use that are predicated on specific notice to, or consent from, the data subject. Informed consent is often required before processing sensitive data, and almost always before selling or disclosing that information to any third parties. In some jurisdictions, though, consent is required before a company can collect or process even non-sensitive personal information. A company that has built its data protection policies on the rules of one nation may open itself up to liability by applying those policies in a jurisdiction that demands a greater degree of control for data subjects.

For example, Costa Rica’s Law on the Protection of Persons Regarding the Processing of their Personal Data makes it mandatory to obtain informed and express consent from data subjects to process any personal data. That consent must specify (among other things) the purpose for collecting the data, how the data will be processed, and all recipients and parties with access to the data. Additional consents are required before a company can transfer that data to a third party.

Similarly, Argentina’s Personal Data Protection Act states that data processing is only legal with prior, express and informed consent of the data subject. But a number of exceptions apply that broadly carve out categories of personal information companies typically collect. No consent is required to process directory-type information, including name, address, date of birth or even taxpayer identification numbers. Nor is consent required when the data arises from a contractual or professional relationship with a data subject. Use of data for marketing, provision of credit services or by third-party service providers, is also allowed without consent (though is limited by other rules). Sensitive data, however, may only be collected and processed where necessary and with consent.

Mexico requires some level of consent for all processing of personal data, but allows implicit consent (where the data subject is given notice of the use and an opportunity to opt-out) for processing personal information, generally. Heightened thresholds for consent are required for processing more sensitive data. Express consent (opt-in) is required to process financial or asset data, and express written consent is necessary to process sensitive personal information.

Again, segregating data by degree of sensitivity and place of origin is possible. It is even recommended in some circumstances; for example, more sensitive data may be protected with additional encryption or subject to tighter access restrictions to reduce the potential harm of a data breach. But it may be particularly onerous to maintain different standards and protocols for different employees, customers and business partners in different locations. And if a company’s use of the data (analytics, marketing, etc.) would be diminished by segregating it along jurisdictional lines, the value of collecting the data in the first place could be reduced.

Breach notification requirements

Possibly the most notorious and feared event in the world of data processing is the breach. Whether the result of hacking, phishing, insider misappropriation, or stolen device, a data breach that compromises the security of a data subject’s information (sensitive or otherwise) can cause substantial harm to a company’s customers. For that reason, many jurisdictions require that breaches be disclosed to data subjects, government authorities, and sometimes even the media. And while some of the world’s largest companies have publicly fallen victim to significant data breaches, breach notification rules can still subject a company to substantial reputational harm and business disruptions.

Several Latin American countries require strict and robust disclosures:

  • Colombia’s Statutory Law 1581[34] requires both the data controller (the entity that collects the data and decides how it is used) and the data processor (the entity that carries out processing on the controller’s instructions) to notify the Superintendence of Industry and Commerce (SIC) of a security breach, or even of a known risk of a breach, within 15 days;
  • Costa Rica’s Executive Decree No. 37554-JP[35] requires notification to data subjects and to the national data protection authority (PRODHAB) within five business days. Companies must also complete a thorough review of the breach and its impact during that short time period, and incorporate details of the breach and remediations in their notification; and
  • Mexico and Brazil require breach notifications, but only under certain circumstances where the breach is likely to materially affect the property or moral rights of the data subject (Mexico) or likely to result in a risk of harm to the data subjects (Brazil).

While there are currently no breach notification requirements in Chile or Argentina, as a best practice, companies should follow the guidelines recommended by their data protection authority. For example, while Argentina’s Personal Data Protection Law does not require breach notification, the Agency for Access to Public Information (AAIP) has published Recommended Security Measures calling for data controllers to notify the AAIP about the details of the breach and the measures the data controller has taken to mitigate and prevent data breaches.[36] Argentina’s new draft data protection bill would impose an obligation to notify the AAIP of a data breach without undue delay and within 48 hours if the breach is likely to result in a risk to data subjects’ rights.[37] In Chile, the Commission for the Financial Market (CMF) requires banks and financial institutions to notify the CMF of data breaches within 30 minutes of acknowledgement of the breach.[38]

It is critical to remember that data protection laws are often drafted to protect the residents of that jurisdiction, wherever their data is processed. A breach that results in the disclosure of unencrypted personal information of Californians or Belgians will require notification pursuant to those jurisdictions’ privacy rules, even if the hacked server was located in Chile, for example. The common rule for evaluating any jurisdictional nuance is to understand the source and use of the data at issue.

Registration requirements

One consideration that is perhaps more straightforward is whether the jurisdiction in which the company plans to process data requires registration of data processing activities with the national authority. This type of registration is not required in most US states (with some specific exceptions for data brokers and telemarketers). But it is required in numerous Latin American jurisdictions and can be a significant administrative burden. For example, Costa Rica’s Law on the Protection of Persons Regarding the Processing of their Personal Data No. 8968,[39] requires any entity that manages a database containing personal information, and that distributes, discloses or commercialises such personal information in any manner, to register with PRODHAB. Some exceptions and exemptions exist, including for entities that manage databases for entirely internal purposes and for financial institutions governed by other specific bank secrecy regulations. But for those entities that must register, a substantial submission is required, including details about the data owner, an appointed employee responsible for the databases, a list of all processors and transfer recipients, the type of data to be stored, the purposes and foreseen uses, collection procedures, technical safeguards and risk assessments, and a certified copy of minimum security protocols that details all processes followed by the company to manage the data.

Similarly, Colombia’s Statutory Law 1581, in addition to the breach notification rules described above, created the National Register of Databases and requires mandatory registration of databases that store and process personal data by any data controller entity that has total assets above 100,000 tax value units (approximately 3.63 billion Colombian pesos or US$1.07 million). Argentina’s Data Protection Authority (AAIP) also maintains a National Registry of Personal Databases.[40] To be deemed a lawful database, all archives, registries, databases and data banks – whether public or private – must be registered. The registration does not require disclosure of the contents of the database, but rather a more general description of the database, its creation and maintenance, and details of compliance with various aspects of Argentina’s data protection laws. In contrast, there are no registration requirements in Brazil or Mexico, and only public databases must be registered with Chile’s Civil Registry and Identification Service.

In sum, substantial differences exist in the substantive and administrative application of data protection laws from nation to nation. Depending on how a company’s current data compliance programme is constructed, those differences can present either an opportunity or a potential liability pitfall when considering entering a new market. And operating within a global economy often requires attention to multiple regimes at once. There is no secret safe harbour where companies can seek shelter from oversight. There is also no easy one-size-fits-all global compliance solution, and the rate of legislative change occurring in Latin America over the last several years is evidence that companies will need to continue to stay abreast of the applicable privacy rules and to adapt accordingly.

Data compliance programmes

While developing a programme that addresses the significant requirements governing the use, collection and treatment of individuals’ personal information in our increasingly globalised world may appear to be a substantial challenge, resources exist to help meet the challenge and to avoid the liabilities that derive from failing to mitigate these risks. When embarking on developing or updating a data compliance programme, companies can be guided by the fair information practice principles (FIPPs), which underpin all data privacy laws. Those principles include awareness, consent, participation, security and enforcement. The key questions when developing or updating such a programme, as outlined above, can generally be traced back to these FIPPs, including the initial requirement of data mapping and inventory, asking what data is held, how it is used, and what the lawful bases are for processing it; determining what data subject rights pertain to the data; and assessing whether prohibitions on special categories of data apply. Appointing a DPO who is responsible for these questions and staying abreast of the applicable regulations is crucial to the success of the programme. Moreover, having a well-designed data compliance programme in place, implemented, tested, and continuously updated, will not only help prevent violations of data privacy laws, including serious data security breaches, it will help the company defend itself from potential lawsuits and regulatory investigations should incidents occur.

Emerging litigation trends in data privacy and data protection

Privacy-related litigation has been on the uptick in the United States, including large-scale class action cases brought on behalf of hundreds and sometimes tens of thousands of plaintiffs that can generate damages in the hundreds of millions of dollars. These emerging litigation trends are important to note for Latin American companies doing business in or serving customers and website visitors located in the United States.

Biometric privacy laws

For several years now, plaintiffs’ firms have been bringing claims concerning the use of individuals’ biometric identifiers, such as fingerprints, retinal scans and facial recognition. As at 1 March 2023, three states have implemented legislation regulating the use of biometrics: Texas, Illinois and Washington. Several additional states are considering similar legislation.

Illinois’ Biometric Information Privacy Act (BIPA) has drawn some of the most attention due to the number and size of cases that have been brought. For example, in Cothron v. White Castle, the Illinois Supreme Court held that each use of a fingerprint system to authenticate employees entailed a separate violation of the BIPA. If the claims are upheld, White Castle estimates that its damages could exceed US$17 billion and involve a class of as many as 9,500 current and former employees. In Texas, the state government has pursued privacy violations against Facebook and Google related to biometric information harvested from uploaded images, videos and voice data. Companies that employ this kind of technology, either for internal uses or as customer-facing services, should monitor this space closely.

Wiretapping claims

There has been a recent emergence of wiretapping-type claims brought under the California Invasion of Privacy Act (CIPA), which prohibits any person from using electronic means to ‘learn the contents or meaning’ of any communication ‘without consent’ or in an ‘unauthorized manner’.[41] The new wave targets online tracking tools that collect data about internet visitors’ interactions with websites. Websites that use third-party vendors to process user forms or online chat functions, or that use ‘session replay’ software – a programme that records a website visitor’s keystrokes and mouse movements to create a replay of the user’s interactions with the website – have been frequent targets for this type of litigation. The wiretapping statutes contain a ‘party exception’ for the website operator itself, because the operator is considered the intended recipient of the communication and cannot eavesdrop on its own conversations.[42] And that exception may extend to the operator’s third-party vendors as long as the information collected is used exclusively for the operator’s internal purposes.[43] CIPA liability is also limited to interceptions of a communication’s ‘content’ rather than more basic ‘record information’. Data collection that is limited to details such as the date and time of visit, IP address, location and browser type would not violate the statute.[44]

Artificial intelligence

As the uses of artificial intelligence (AI) have multiplied, multiple jurisdictions have taken steps to respond to the privacy implications. For example, a class action case is pending in California regarding Google’s AI assistant, alleging that users may have had their reasonable expectation of privacy violated when Google Assistant recorded their conversations.[45] Additionally, in September 2022, the European Commission released the proposed AI Liability Directive, which would require national courts to compel providers of ‘high-risk’ AI systems, as defined by the European Union’s AI Act, to disclose relevant evidence to potential claimants.[46] Examples of high-risk AI systems include biometric identification systems, AI systems used in education, employment, or worker management, and AI systems used to evaluate individuals’ creditworthiness.[47] If passed, the Directive would create a rebuttable ‘presumption of causality’ linking non-compliance with the damage caused by the AI system. This presumption would be applied by default to high-risk AI systems and difficult to overcome.[48]

Video Privacy Protection Act

The Video Privacy Protection Act, or VPPA, is a US data privacy statute enacted in 1988 that prohibits ‘video tape service provider[s]’ from disclosing the video viewing histories of their subscribers. 18 U.S.C. § 2710(b)(1). The impetus for the legislation was US Supreme Court nominee Robert Bork’s contentious confirmation process, during which Judge Bork’s video rental history was published by the press. Though the VPPA was originally understood to apply in the context of tangible materials like cassette tapes, that began to change in the early 2000s with the rise of video streaming on the internet. Frequently, companies use third-party advertising or analytics tracking in conjunction with their streaming video content. Dozens of class action lawsuits have been brought in the last two years under the VPPA against companies in a variety of industries because of their use of these third-party tracking tools. The viability and scope of these types of claims will be heavily shaped in the next few years.

Footnotes

[1] Palmina M Fava, Gabriel Silva and Christopher James are partners at Vinson & Elkins LLP. The authors would like to thank associates Gabriela Astolphi, Briana Falcon, Lillian Sun, and Meghan Natenson for their assistance in the preparation of this chapter.

[14] https://www.gov.br/anpd/pt-br/assuntos/noticias/anpd-publica-planejamento-estrategico-para-2021-2023?mkt_tok=eyJpIjoiT1RjMk56ZzBNbU00WlRKaSIsInQiOiI4WE5KXC9kUmRPV25LWWJXUGhEUWxcL1RVWDI3K2xPaHpNXC9ub1p1b2F0V2tmb2xwU3B5NnNBeVA5azJWbVwvSzZaMGNDVzRMNE9GcnJMVkducWJWZDZDbFhVeTFqdm4xS2hFQWZVS2tIT01maEZHcFk2ZnZJYVwvNzRhdlVCaGx0YzlVIn0%3D.

[22] https://www.linklaters.com/en/insights/data-protected/data-protected---argentina#:~:text=No%20person%20can%20be%20compelled,be%20identified%20from%20that%20information.

[27] Article 37.

[29] As of 31 January 2021, the United Kingdom left the European Union. As part of that exit, the United Kingdom adopted a General Data Protection Regulation (UK GDPR) that is largely equivalent to the GDPR. Except as noted, guidance in this section also can be applied to the UK GDPR.

[32] AAIP Resolution 4/2019, available at http://servicios.infoleg.gob.ar/infolegInternet/anexos/315000-319999/318874/norma.htm.

[33] The United States also requires additional safeguards when dealing with data provided to financial institutions or credit agencies.

[34] Sections 17 and 18.

[35] Articles 38 and 39.

[36] AAIP Resolution 47/2018, Annex I, G.1.2 and G.1.3, and Annex II, E.1.2 and E.1.3, available at http://servicios.infoleg.gob.ar/infolegInternet/anexos/310000-314999/312662/norma.htm.

[38] Updated Compilation of Rules issued by the Chilean Commission for the Financial Market, Chapter 20-8.

[39] Article 21, with definition guidance from Article 2(j) of Executive Decree No. 37554-JP, and Article 1(j) of Decree No. 40008-JP.

[40] Sections 3 and 21 of the Personal Data Protection Act.

[41] Cal. Penal Code § 631(a).

[42] See In re Facebook Internet Tracking Litig., 956 F.3d 589, 607 (9th Cir. 2020) (citing Warden v. Kahn, 160 Cal. Rptr. 471, 475 (1979)).

[43] Graham v. Noom, Inc., 533 F. Supp. 3d 823 (N.D. Cal. 2021); Williams v. What If Holdings, LLC, No. C 22-03780 WHA, 2022 WL 17869275 (N.D. Cal. Dec. 22, 2022).

[44] Yoon v. Lululemon USA, Inc., 549 F. Supp. 3d 1073 (C.D. Cal. 2021).
