Agenda
1. Current State: LatAm
2. LatAm vs. GDPR
3. How GDPR may influence LatAm
4. Leveraging GDPR solutions in LatAm
5. Questions
© 2018 Baker McKenzie
Latin America – Current State of Data Protection*
Mexico:
• Federal Law on Protection of Personal Data Held by Private Parties (LFPDPPP)
• Regulations to the LFPDPPP
• Guidelines regarding Personal Data Security

Colombia:
• Law No. 1,581
• Law No. 1,266
• Decree 1,377/13

Peru:
• Law No. 29,733 (Data Protection Law)
• Supreme Decree No. 003-2013-JUS
• Law No. 30,096 (Cybercrime Law)

Chile:
• Computing Crimes Act (Act No. 19,223)
• Personal Data Protection Act (Act No. 19,628)

Brazil:
• Brazilian Consumer Protection Code (Law No. 8,078)
• Internet Legal Framework (Marco Civil da Internet, Law No. 12,965/2014)
• Brazilian Criminal Code (as amended by Law No. 12,737/12)

Argentina:
• Personal Data Protection Act No. 25,326
• Personal Data Protection Decree No. 1558/2001
• Disposition No. 11/2006 (Security Measures)
• Law No. 24,766 (Confidential Information)
• Law No. 26,388 (Criminal penalties for unauthorized access to information)
* Select countries described. Additional countries with specific data protection laws include Nicaragua, Costa Rica, Panama, Uruguay, and Paraguay
GDPR – 13 Key Areas of Compliance
1. Data Mapping
2. Data Breach Reporting
3. Cross-border Data Transfer
4. Consent
5. Data Protection Officers (DPOs)
6. Rights for Data Subjects
7. Enforcement and Sanctions
8. Data Processor Obligations
9. Data Protection by Design & by Default
10. Data Protection Impact Assessments
11. The Accountability Principle
12. Profiling and the GDPR
13. One-Stop-Shop
Compared to GDPR - Argentina

GDPR compliance area: Argentina
Extraterritorial application: No
Registration requirement: Yes
Notice/consent: Mandatory notice requirements; consent is the sole standard for lawful processing (express, informed, voluntary and in writing, or by any comparable means)
Data subject rights: Rights of information, access, correction, and deletion
Cross-border data transfer restriction: Yes
Appropriate security: Yes, appropriate security required
Breach notification: No specific mandatory obligation
Compared to GDPR - Brazil

GDPR compliance area: Brazil (no specific data protection law)
Extraterritorial application: Yes, to some extent, based on case law (consumer protection)
Registration requirement: No
Notice/consent: Yes, consent must generally be obtained for processing (express, informed, voluntary and in writing, or by any comparable means)
Data subject rights: In certain cases there may be rights of information, access, correction, and deletion
Cross-border data transfer restriction: No specific rules, but consent is generally used
Appropriate security: No specific rules, but appropriate security is generally expected
Breach notification: No specific rules addressing data security breaches (however, data controllers are generally liable for any data security breach)
Compared to GDPR - Chile

GDPR compliance area: Chile
Extraterritorial application: No
Registration requirement: No
Notice/consent: Consent must be voluntary, informed, and unambiguous, and must be in writing
Data subject rights: Rights of information, access, correction, and deletion
Cross-border data transfer restriction: None
Appropriate security: No specific requirements
Breach notification: No specific requirements
Compared to GDPR - Colombia

GDPR compliance area: Colombia
Extraterritorial application: Yes, to some extent
Registration requirement: Yes
Notice/consent: Prior express, informed consent required for processing
Data subject rights: Rights of information, access, correction, and deletion
Cross-border data transfer restriction: Yes
Appropriate security: Yes, appropriate security required
Breach notification: Yes, to the DPA; not to data subjects
Compared to GDPR - Mexico

GDPR compliance area: Mexico
Extraterritorial application: Yes, to some extent
Registration requirement: No
Notice/consent: Yes, consent is generally required and must be voluntary, informed, explicit and unambiguous
Data subject rights: Rights of information, access, correction, and deletion
Cross-border data transfer restriction: Yes, but flexible when transfers are to processors and affiliates under contract or internal policy
Appropriate security: Yes, appropriate security required
Breach notification: Yes, mandatory data breach notification to data subjects
Compared to GDPR - Peru

GDPR compliance area: Peru
Extraterritorial application: Yes, to some extent
Registration requirement: Yes
Notice/consent: Processing of personal data generally requires prior, informed, express and unequivocal consent
Data subject rights: Rights of information, access, correction, and deletion
Cross-border data transfer restriction: Yes; requires consent and must be documented in a contract
Appropriate security: Yes, appropriate security required
Breach notification: Arguably yes, as the security rule is interpreted as requiring that any data breach be notified to the data subjects
LatAm Regulation in the GDPR Age

• The EU has traditionally set the bar for data protection regulation globally
• The extraterritorial application of the GDPR imposes its obligations, to some extent, on operations located in non-EU countries
• Adequacy findings by EU authorities (GDPR Article 45(1)): "The Commission, after assessing the adequacy of the level of protection, may decide, by means of implementing act, that a third country, a territory or one or more specified sectors within a third country, or an international organization ensures an adequate level of protection within the meaning of [the GDPR]."
• Non-EU countries may have a financial motivation to impose GDPR-level data protection obligations in order to reap the potential benefits of being found "adequate" for data transfers from the EU
LatAm Regulation in the GDPR Age

Movement to GDPR-level regulation has already begun in Argentina. Proposed draft bill:
• Scope: limits the scope of data subjects to natural persons, excluding legal entities, and adopts a more comprehensive approach to the protection of personal data (whether or not such data is stored in a database)
• New concepts: incorporates new concepts such as genetic data, biometric data and cloud computing
• Accountability: includes accountability obligations and eliminates the registration requirement for databases
• Breach notification: provides for the obligation to notify both the supervisory authority and data subjects of a data security breach involving their personal data, with specific terms and information requirements in each case
• Data Protection Officer: imposes the obligation on governmental agencies/bodies and on companies processing sensitive and large-scale data (big data) to appoint a Data Protection Officer, specifying the duties, tasks and technical requirements applicable to that role
• Legal bases for processing: standards for the lawfulness of data processing (in addition to consent)
• Information requirements: information to be provided to data subjects when collecting their personal data
• Cross-border solutions: safeguards recognized as legitimate cross-border data transfer tools, such as Binding Corporate Rules, approved codes of conduct and certification mechanisms
• Additional data subject rights: expressly recognizes the right to object to processing (including processing for marketing purposes), the right to restrict processing, and data portability

New rules on cloud computing (admitted as a data processing tool), sensitive data, minors' consent, impact analysis, and data protection by design and by default are also addressed.
LatAm Regulation in the GDPR Age

Mexico:
• The Mexican BCRs Registry is fully operative
• The new Government Data Protection Law mirrors the private-sector law
• No reforms expected for the private sector in the next year

Colombia:
• Recently created an "adequacy" list for cross-border transfers

Chile:
• New draft bill to replace the Personal Data Protection Act
• Creates a new Data Protection Council to enforce the law and impose fines
• Introduces higher fines (expected to be up to US$700,000)

Argentina:
• Draft bill for the Protection of Personal Data which aligns more fully with the GDPR

Where do we see the rest of LatAm going?

Peru:
• Recent updates expand the legal bases for processing beyond consent (e.g., execution of a contract with the data subject)

Brazil:
• On 13 May 2016, a draft was sent to Congress as Bill No. 5,276/2016 (the "Bill of Law"), which would heavily regulate the processing and protection of personal data in Brazil
Leveraging GDPR Solutions for LatAm

Benefits
• Leverages existing (or soon-to-exist) documentation, policies, procedures and solutions
• Could enhance your LatAm compliance under current requirements (e.g., data protection officer requirements in LatAm, data protection impact assessments, information on processing)
• Ensures a level of consistency in the organization's global data protection compliance program
Leveraging GDPR Solutions for LatAm

Risks
• May not be fully aligned with local requirements, for example:
  • Argentina does not currently recognize BCRs
  • Mexico does not use the same terminology as the GDPR and does not have the same level of data transfer restrictions
  • Colombia is not fully aligned with the EU on its "adequacy" findings (e.g., Colombia considers the US to provide "adequate" protection)
• May impose greater restrictions on operations and data flows than the business actually needs
• The organization may not want to grant data subjects (e.g., employees) additional rights that are not provided under local law
Leveraging GDPR Solutions for LatAm

Best Practices
1. Determine your privacy approach for the region
2. Leverage GDPR documentation, but ensure notices and other data-subject-facing documents comply with the laws of the applicable Latin American countries
3. Identify gaps between the GDPR solution and local requirements (e.g., database registration requirements in LatAm)
Thank you

Michael Egan, Partner, Baker McKenzie, Washington, D.C.
Carlos Vela, Partner, Baker McKenzie, Mexico City