new data protection laws and case law trends in central & south america (iapp privacy academy,...

New Data Protection Laws and Case Law Trends in Central & South America

(final version)

Dallas, TX (USA) September 15, 2011

Cédric Laurant Ana Brian Nougrères Renato Opice Blum

© 2011

Presentation available at <http://cedriclaurant.com/wp-content/uploads/2011/09/110916-new_latam_data_prot_laws_case_law_trends-

fv.pdf.zip>

WWW.OPICEBLUM.COM.BR

@opiceblum

Renato Opice Blum [email protected]

Attorney and economist, Digital Law coordinator of GVLaw and of the MBA on Electronic Law at Escola Paulista de Direito; Invited-Professor at USP and Mackenzie Presbyterian University; President of the Council of Information Technology and Communication of the Commerce Federation of São Paulo/SP and of the Technology Law Committee of AMCHAM; Advisor of the Committee of High Technology Crimes of Brazilian Bar Association; International Lectures: Global Privacy Summit 2010, 73rd Conference of the International Law Association; ISSA International Conference 2010; HTCIA International Conference 2010; Inter American Bar Association: Reunión del Consejo y Seminario 2010, Invited Participant at The Sedona Conference 2010 and invited lecturer at the 3rd Annual Sedona Conference 2011; Seton Hall Law – 2011 and ABA annual meeting 2011; Coordinator and co-author of the book “Manual of Electronic Law and Internet” and “Electronic Law: internet and the courts”

New Data Protection Laws and Case Law Trends in Central & South America 2

Dra. Ana Brian Nougreres

Legal Consultant at the Uruguayan Parliament, Senate and Chamber of Representatives and at the Uruguayan College of Attorneys. Teacher at School of Law, Legal Informatics Chair, Universidad de la República Oriental del Uruguay. Chief Consultant at Estudio Jurídico Briann and Associates.

E-mail: abrian [at] netgate [dot] com [dot] uy

3 New Data Protection Laws and Case Law Trends in Central & South America


Cédric Laurant

Principal, Cedric Laurant Consulting (Brussels)

Attorney at law (Washington, DC)

E-mail: c [at] cedriclaurant [dot] com

Website: http://cedriclaurant.com

Blogs: http://cedriclaurant.org http://security-breaches.com

Linkedin: http://www.linkedin.com/in/cedriclaurant


Introduction

A. Brazil

B. Uruguay & Argentina

C. Colombia, Peru, Costa Rica

D. Key take aways

Q & A

Outline


Introduction (Cedric Laurant)

A. Brazil



D. Key take aways

Q & A

Outline


Most important privacy developments in Brazil, Argentina, Uruguay, Colombia, Peru and Costa Rica.

Recent regulatory and case law trends that affect how you do business in Central and South America.

How the most recent Latin American data protection laws are likely to be implemented.

Q & A

Introduction


Introduction

A. Brazil (Renato Opice Blum)



D. Key take aways

Q & A

Outline


Brazil

The children of darkness are always faster

than the children of light.

Lucas chapter 16 verse 8 12 New Data Protection Laws and Case Law Trends in Central & South America

MEDICAL CLINIC database copy / unfair competition

M COMPANY illegal video

BROKER COMPANY database breach / unfair competition

T COMPANY database breach

CHEMICAL INDUSTRY COMPANY database breach

RACE DRIVER image damage

BEVERAGE COMPANY 483 confidential files

BRAZIL – SOME CASES


Article 1. The aim of this project guarantees and protection, in the area personal i n f o r m a t i o n s p e c i a l l y d i g n i t y a n d fundamental rights of the person, specially with regard to his/her freedom, equality and personal privacy in terms of art 5 of Federal Constitution.

Article 2. Everybody has the right to the protection of his/her personal data.

PERSONAL DATA BILL OF LAW


Article 35. The international transfer of personal data is only allowed to countries that provide a level of data protection comparable to the one of this law, unless the following exceptions:

I - when the owner has expressed his own free consent, express and informed to the transfer;

II - when it is necessary for the implementation of obligation under a contract of which the holder is a party;

III - when it is necessary to guarantee a significant public interest specified by law;

IV - when it is necessary for international cooperation among government agencies for intelligence and research, according to international law instruments to which Brazil is bounded;

V - when it is necessary to defend a right in court, if the data are transferred solely for this purpose and for the necessary period of time;

VI - when it is necessary to protect the life or physical safety of the owner or third party, if the holder cannot provide its consent because of physical impossibility, incapacity to act or understand.

PERSONAL DATA BILL OF LAW


CONSTITUTION

Section 5.10 – Intimacy, privacy, honor and image of persons – INVIOLABLE. Section 5.12 – Secrecy of correspondence and Telecom – INVIOLABLE.

CIVIL CODE

Section 20 – Disclosure of writings, the transmission of the word, or publication, display or use of the image of a person. Section 21 – Private life of a person – INVIOLABLE.

EXPECTATION OF PRIVACY SÃO PAULO STATE COURT DECISION

Violation of image rights, privacy, intimacy and honor by being photographed and filmed (in intimacy) on locations – Spanish beach – Injunction to terminate the exhibition of movies and photos on web-sites because of the presumption of lack of consent to the publication. Filling with a daily penalty payment of $ 250,000.00, to inhibit infringement of the command to abstain. The paparazzi are known for aggressively working with the capture of images, which characterizes the illegality of their activities [voyeurism]. Denying injunctive relief would reward the work of these professionals that do not require authorization for their photos and, especially, to legalize the sensationalism and scandal propagated by the media, without permission of those involved.


PARANA STATE COURT 1819/2008

J U D G E O R D E R S GOOGLE TO SET UP A FILTER TO RANDOMIZE RESULTS WITH THE PLAINTIFF’S NAME, ENABLING VARIETY OF NEWS

NEWS ON THE INTERNET CAUSES HARM TO CITIZEN’S HONOR. HE WAS NOT GUILTY, BUT THERE WAS NO NEWS

ABOUT THAT, ONLY ABOUT THE ONGOING LAWSUIT.


The Brazilian National Transit Counsel has postponed to 2012 the obligation to install anti-theft devices in all the cars. According to the department, the change was made due to the complexity of the telecommunications infrastructure that may be needed to develop the Integrated System of Monitoring e Automatic Registry of Vehicles (SINRAV, in Portuguese). The installation of the tracking device is mandatory. The obligation to install this device has been postponed since 2009. The main reason is that this law is seen as harmful to the citizens’ liberty, since anyone can be monitored without consentiment and have their private life invaded.

Brazilian authority postpones to 2012 legislation that obliges tracking devices in new cars.


CONSUMER DEFENSE CODE

Section 43 – Database access.

Section 72 – Block access. Penalty – detention from six months to one year or a fine.

C o n s u m e r D e f e n s e A s s o c i a t i o n c a u s e s damages to consumers disclosing its database to third parties. Association must include a warning about the disclosure and ask for permission.

PRIVACY SANTA CATARINA STATE

COURT DECISION


WIRETAPPING – ACT 9296/1996

Section 1 – Interception of telephone communications – flow of communication.

Section 10 – Intercept communication or break secret of Justice, without judicial authorization – confinement from two to four years and fine.

PRIVACY SÃO PAULO STATE COURT DECISION

Breach of confidentiality of correspondence, telegraphic, data and telephone communications - Nonoccurrence - Seizure of emails in possession and knowledge of the recipient by a court order - strong suspicions that the material might enlighten the criminal infraction – interpretation of art. 5, XII of the Constitution.

THERE IS NO VIOLATION OF THE SECRECY OF CORRESPONDENCE.


APPEAL TO THE SUPERIOR COURT OF JUSTICE BRAZIL Nº 1.193.764 - SP (2010/0084512-0)

APPELLANT : I P DA S B APELLEE : GOOGLE BRASIL INTERNET LTDA

SUMMARY

CIVIL AND CONSUMER LAW. INTERNET. CUSTOMER RELATION. CDC (BRAZILIAN CONSUMER DEFENSE CODE). FREE SERVICE. INDIFFERENCE. CONTENT PROVIDER. PREVIOUS FISCALIZATION ON THE CONTENT OF THE USER POSTED INFORMATIONS ON THE WEBSITE. UNNECESSARY. MESSAGE WITH OFFENSIVE CONTENT. MORAL DAMAGE. INHERENT RISK TO BUSSINESS. INEXISTENCE. ACKNOWLEDGMENT OF THE FORBIDDEN CONTENT. IMMEDIATE REMOVAL OF THE CONTENT. DUTY. PROVIDE MEANS FOR THE IDENTIFICATION OF EACH USER. DUTY. REGISTER THE IP NUMBER. SUFFICIENT.


“(…) As a subscriber of the internet service provider, the company is responsible for its intern use, in accordance to laws. 8. Thus, if the employee eventually use the corporate email for personal reasons, he should be aware that the access to the content of the messages by the employer do not represent major violation of its mails, nor violation of privacy or intimacy, because we are talking about equipment and technology provided by the employer for usage to work and reach the goals of the company. 9. This way, we do not understand that it sets up no defense to the usage of evidence embodied in access to e-mail box, provided by the employer to his employees. Interlocutory appeal devoided.”

S U P E R I O R L A B O R C O U RT – C O R P O R A T E E M A I L A N D RECORDINGS AS VALID PROOF FOR DISMISSION


INTERLOCUTORY APPEAL IN A REVIEW APPEAL. PAIN AND

SUFFERING. GOOD CAUSE.

The sentence from the lower level court registred that it

does not hurt constitutional standard of financial

disclosure and corporate email, especially when the

employer, in advance, warn its employees about the rules

for using the system and the possibility of tracking and

monitoring their email. Interlocutory appeal devoided.

SUPER IOR LABOR COURT – C O R P O R A T E E M A I L A N D RECORDINGS AS VALID PROOF FOR DISMISSION


SECURITY

Law enforcement agencies use social networks in search of incriminating data users


GPS - Monitoring


3rd FEDERAL COURT – LETTERS ROGATORY?


Greetings

Ambassador Roberto Campos: "Those who remain in this house have before them wonderful agenda. I wish them, as in the words of theologist Reinhold Niehbuhr: "May God give the serenity to accept the things they cannot change, courage to change the things they can change and the wisdom to know the difference."


Recommendations and Practices for the Safe Use of Internet to Entire Family

Link: http://www.opiceblum.com.br/download/OABMack_Safety.pdf



Introduction

A. Brazil

B. Uruguay & Argentina (Ana Brian Nougreres)


D. Key take aways

Q & A

Outline

Decision 2003/490/CE November 21, 2003 Declaration of Adequation to the levels of data protection of Directive 95/46/EC of the European Parliament and the Council.

Argentina 2003


Argentina 2011

Transfers to other countries only permitted if the country of destination ensures an adequate level of protection.

Exceptions to this principle only in special cases: explicit and unambiguous consent, execution of certain contracts, safeguard of public interests or individual vital interests, information of public registers.


Articles 25 and 26, Directive 95/46/CE European Economic Space

DATA TRANSFERS AEPD March 31, 2011


INTERNATIONAL DATA TRANSFERS WITH COUNTRIES WITH NO ADEQUATION AEPD March 31, 2011


AEPD March 31, 2011


AEPD March 31, 2011 35 New Data Protection Laws and Case Law Trends in Central & South America

Law 18331 - August 18, 2008 Decree 664/2008 Decree 437/2009 Decree 414/2009 Law 18719 - December 27, 2010 Law 18778 – July 15, 2011

Uruguay - Dispositions


Scope of application of the legislation Data protection principles Rights of the data holders Liability Enforcement mechanisms Control Sanctions

Uruguayan Data Protection System


The regime is applied to all personal data recorded in any kind of medium that makes them likely to be processed, and any kind of subsequent use of these data within public or private domains.

Scope


Purpose limitation principle Data quality and proportionality principle Principle of transparency Security principle

Principles


Access Rectification Opposition

Rights of the data holders


Countries that provide adequate levels of protection.

Transfers authorized by the control authority in cases that offer contractual clauses regarding privacy, rights, freedoms of individuals and the exercise of their rights.

Consent, contract, public interest, individual’s vital interest, public registry.

International data transfers restricted:


Definition as personal data revealing racial or ethnic origin, political preferences, religious or moral beliefs, trade union membership or information concerning health or sex life.

Explicit consent required for data processing.

Nobody can be compelled to provide sensitive data.

Sensitive data (9% of the data universe in Uruguay)


The data used for this purpose are home addresses, distribution of documents, advertising, sale or similar activities. In case this data is suitable for promotional profiling, commercial or advertising purposes, it should appear in documents accessible to the public or must have been supplied or consented by the affected individual. Right to access, remove and block data can be applied at any times.

Direct marketing


Decisions based on the processing of data should not affect people or their performance (employment, credit, reliability, behavior, etc.).

The affected person has the right to obtain information from the controller, both regarding the assessment criteria and the program used for the processing.

Automatic individual decision


URCDP : autonomous entity with technical autonomy Management: Executive Council of three members (Executive Director of AGESIC and the other two appointed by the Executive Power).

Assistance: Advisory Council of five members (Members appointed by Legislative and Judicial Power, Public Ministry, academy and private sector).

Supervisory Data Protection Authority


URCDP provides assistance, advice, regulations, registries of databases, monitors compliance with regulations, guarantees security and confidentiality of data provided, issues opinions. Investigation, Inspection and Sanctions are in charge of the URCDP Habeas data action, legal quick action.

Procedural and enforcement mechanisms


Warning (83 %) Fines (17 %) Suspension of database.

Sanctions


CONCLUDES that Uruguay ensures an adequate Level of protection within the meaning of Article 25 (6) of Directive 95/46/CE.

Opinion 6/2010 of the WP29 on the level of personal data protection in Uruguay, adopted October 12, 2010.


For the consumers, because they can control their own data and the information disseminated about them. For the enterprises, because then can prevent risks of vulnerability of the information they manage from their clients. For the countries, because then can attract investors, improve their positions and compliment international standards.

Why data protection systems work as a win-win process



Introduction

A. Brazil


C. Colombia, Peru, Costa Rica (Cedric Laurant)

D. Key take aways

Q & A

Outline


1. Colombia: case studies, problem-solving in real world situations

2. Peru: overview of the data protection law

3. Costa Rica: overview of the data protection law

See references at end of slide deck

Colombia, Peru & Costa Rica: Outline


7 real cases: How they might be solved with the upcoming

data protection law. Why are those cases relevant to you and for

your job?

Cases range from private to public and governmental aspects of data protection, not only for private businesses but also for public/government authorities.

Colombia


Trust


Case study: why do books always come wrapped in Colombian bookstores? Lack of trust towards customers? High price? Attitude towards books as sacred objects? Piracy?

Problem: lack of trust by businesses towards consumers.

Significance: lack of trust by businesses breeds lack of trust by consumers towards businesses.

Business context: B2C transactions between foreign companies and Colombian consumers.

Relevance for US/EU companies: foreign companies must be aware of, and understand, this essential feature of the commercial context in which personal information is

being processed in Colombia.

Trust


Resolution: Should bookstores unwrap all books to make better

sales? Will it demonstrate more trust by the shopkeeper towards its customers? Will it have a positive or negative impact on sales?

How is trust related to complying with new data protection legal requirements? Does it mean that for a company to be successful, it should be more transparent about how it processes its customers’ personal data?

How would the upcoming Colombian data protection law apply? What would have to change in current data management practices? (Take local commercial traditions and way of doing business into account.)

How could this have an impact on the level of enforcement of the new law?

Take away

Trust


Trust


Credit reporting system


Case study: Colombian real estate franchise of a US company (“Century 21 Luque Medina”).

Problem: illustrates the current serious problem with the credit reporting system in Colombia: abusive use is detrimental to consumers, tenants and sureties; does not encourage accountability and business ethics by real estate companies.

Significance: lack of trust by Colombian tenants, landlords and sureties towards Colombian subsidiaries or franchises of foreign businesses.

Business context: B2C/B2B transactions between, on the one hand, foreign companies or Colombian subsidiaries or franchises of foreign companies, and, on the other hand, Colombian consumers.

Relevance for US/EU companies: negative impact on US/EU companies’ reputation.



The Colombian “FCRA”.

Applies in addition to the upcoming data protection law by focussing only on the protection of credit reports and the processing of financial personal information.

Lacks teeth to address international data transfer issues: scope too limited to provide enough protections for information processed by European companies’ subsidiary call centers based in Colombia.

No “adequate protection”. European Commission’s opinion: adequate to regulate the financial sector, but not medical, religious, ethnic, and other type of personal data.

Enforcement has started by supervisory authorities.

Law No. 1266 of 2008


Resolution: How does the Law No. 1266 of 2008 apply to this case?

Was it violated? No but did in fact unfairly treat the data subject.

What would have to change in current data management practices?

How has that law applied so far? Enforcement case by the Superintendencia de Industria y Comercio.

How will the upcoming data protection law have any impact? Purpose specification principle.

Take away: Doing business in a fair way will give the advantage to

foreign companies. Go beyond strict compliance of the letter of the law in

implementing it.



Authentication for private transactions


Case study: fingerprints required as means of authentication for all sorts of contracts between individuals and businesses (rental agreements, online password releases for online banking accounts, exchange of currencies, “pospago” contracts with mobile phone providers, shipment of packages abroad,…

Problem: need for a reliable way to authenticate individuals; signature not sufficient for authentication purposes. Main reason: high level of fraud.

Significance: processing of sensitive personal information (biometrics) by businesses.

Business context: B2C/B2B transactions between foreign companies and Colombian customers/clients or companies.



Relevance for US/EU companies: authentication procedures may prove very burdensome, bureaucratic and onerous; on the other hand, motivated by good reasons: to prevent fraud (cfr fraud statistics in Colombia) and money laundering.

Questions/Resolution: How will the upcoming Colombian data protection law

apply? (transparency, right of access, adequate security measures, …)

How will the new law impact those authentication practices? (proportionality and security measures)

How will current data management practices have to change? (more transparency, subject access and security)

Take away



Collection of biometrics for security purposes


Case study: digital biometric fingerprint scanner used as a security measure at the entrance of office buildings; required from everyone to get access to the premises.

Significance: higher risk of data breaches because of databases storing very sensitive personal information (biometrics) and higher risk for data subjects concerned.

Business context: B2C transactions between foreign companies and data subjects (Colombians or foreigners, individuals or clients).

Relevance for US/EU companies: higher risk for hacking and data breaches exists as sensitive personal information is being stored.

Problem: use of biometrics and other authentication and identification measures by private actors in a wide range of situations where collection, use and secondary use of personal information is not necessarily legitimate, transparent or proportionate (e.g., building access).



Questions: Why is a digital fingerprint required as opposed to a less

intrusive and less risky means of access security measure? Is it proportionate?

What happens with this data? With whom is it shared? Where is there any type of privacy policy explaining what

happens with the information collected? What happens if I am being denied access to the building?

Where can I complain? (transparency issue)

Resolution: How does the upcoming Colombian data protection law

apply? Proportionality; prior and express consent;

transparency;… What would have to change in current data management

practices to make this processing compliant with the law? What are the exemptions for law enforcement authorities?

Take away



Phone no. and ID for every purchase


Case study: Phone no. and ID no. are requested for every purchase made with an electronic means of payment. No explanation of reason why or what the information is ultimately used for; no privacy policy.

Significance: possibility to match all purchases made by individuals with their ID no. Link it with governmental databases? Relationships between those purchases and the stores’ discount grocery shopping cards?

Business context: B2C transactions between, on the one hand, foreign companies or their Colombian subsidiaries or franchises of foreign companies and, on the other, Colombian consumers.

Relevance for US/EU companies: Do US/EU businesses’ subsidiaries in Colombia using such information collect it legitimately and for valid reasons?



Problem: low level of trust in customer-business relationships, very low level of consumer protection and customer service; presumption of bad faith.

Questions/Resolution: How will the upcoming Colombian data protection law

apply? What would have to change in current data management

practices?

Take away: more transparency required from businesses towards their customers with respect to the processing of their personal information. Consumer protection mechanisms must be established that much better ensure a higher level of consumer protection and consumer privacy.



RFID transportation card


Case study: Medellin metro card is delivered upon identification and tracks all itineraries of travelers. Lack of information about availability of an anonymous card and its benefits (only drawbacks are mentioned to encourage adoption of individualized card).

Significance: use of customers’ personal location information by public and private entitie; is covered by the upcoming data protection law.

Business context: procurement contracts between Colombian government authorities and foreign companies.

Relevance for US/EU companies: Potential sale of data processing services to local governmental entities. Interest for foreign companies to understand how the upcoming data protection law applies to geo-location location personal information.



Problem: Data protection issues: transparency, access rights, potential secondary uses of travelers’ personal information. Concerns: no privacy policy; no information about the type of information being collected by the system; about the uses of the itinerary information now and later in time; about the current or considered secondary uses; and about the possibility to ask for an anonymous card. Use of data by private and public actors.

Questions: How will the upcoming Colombian data protection law apply? What would have to change in current data management practices?

Resolution: comply in advance and better than local companies.



RFID transportation card (comparison with Uruguayan case)


General obligation of all government entities that use electronic resources to manage the information of citizens in a manner respectful to their privacy.

Decree No. 1151 of 2008 establishes general principles to follow in how online services are provided by the government.

Protection of privacy is further regulated by the Ministry of Communications’ “e-Government Policy Manual,” applicable throughout all governmental entities.

Privacy in e-government services

74


1. Get an edge over your competitors: be transparent, explain, clarify how your company/affiliate will use individuals/customers’ personal information.

2. Don’t wait for the Colombian companies to comply with the law: being seen as an early adopter will be good for business and reputation.

3. Trust your consumers; trust will breed reciprocal trust in your products, services, reputation and brand.

Colombia: take aways


4. Follow all consumer protection regulations, and go beyond strict compliance. Do better than Colombian companies. Mandate your franchisees to be consumer protection-friendly, like in the United States, not like in Colombia.

5. Develop a reputation for being fully reliable for your customers.

6. Get advice both from a local counsel (to conceive the most adequate data protection solution to fit in the cultural context) and from a global data protection counsel. Both professionals will be necessary to design how your company will comply with the local data protection rules.

Colombia: take aways


CENTRAL AMERICA

GUATEMALA

EL SALVADOR

COSTA RICA

HONDURAS

NICARAGUA

PANAMA

77


PROTECTION AT THE CONSTITUTIONAL LEVEL

- No Central American country has an express recognition for the right to data protection. - However, most countries provide constitutional protection for the “right to privacy”, except Panama and Guatemala. - Countries do not have “habeas data” at the constitutional level, but some of them have a general constitutional remedy.

PROTECTION IN THE LAW

- No Central American country has a comprehensive personal data protection law. - Most countries have legal provisions that protect personal data in their laws on access to information and public transparency (Panama, 2002; Honduras, 2006; Nicaragua, 2007; and Guatemala, 2008). - There are telecommunication laws and credit reporting laws.

CENTRAL AMERICA

78


INTERNATIONAL INSTRUMENTS - Political Dialogue and Cooperation Agreement between the EU and Central America (2003): parties agreed to cooperate on the protection in the processing of personal data.

BILLS ON PERSONAL DATA PROTECTION

- At least two Central American countries have had legislative discussion on bills that would regulate data protection: Costa Rica and Nicaragua. Costa Rica has a new data protection law since Sept. 7, 2011.

79

CENTRAL AMERICA


Sept. 7, 2011: new Personal Data Protection Law No. 8968 enters into force.

Regulates the processing of personal data carried out by public and private entities: all databases distributing or selling information. (Personal or corporate databases not covered by the law.)

Law modeled after the EU Data Protection Directive. Regulates almost all processing of all types of personal data.

Requires express written consent for many data processing activities.

Costa Rica


4 main categories of personal data: 1. sensitive data: include socioeconomic

level, and medical and genetic conditions. 2. restricted access data: data included in

a public database but with restricted access because only concerns person or public entity involved. Individual must give written consent for his personal data to be disclosed.

3. special restricted access data: data contained in public databases created by law.

4. credit records: data that allows financial institutions to evaluate an individual’s creditworthiness based on the general principles laid out in the new data

protection law.

Costa Rica


New data protection authority created within the Ministry of Justice (“Prodhab”) to implement the legislation, inspect registered databases and issue sanctions for legal violations.

Commercial databases must be registered before Prodhab and will be subject to an annual fee for their administration.

Data controller must pay a fee (“canon”) to Prodhab for sales made using commercial databases. Fee based on no. of data sold or contract value. Regulation to be implemented.

Costa Rica


July 2011: Peru has its first data protection law (“Ley N° 29733 de Protección de Datos Personales”).

Data protection authority will be part of the Ministry of Justice (independence?) and in charge of a National Registry of Personal Data; may levy fines for violations of the law.

Decree must now be drafted. Problem with the regulation of credit-

reporting databases: eludes crucial issue.

Peru


National Register of Personal Data Protection can record: 1) publicly or privately administered

personal databases; 2) authorizations issued pursuant to the

law; 3) sanctions imposed by the National

Authority; and 4) codes of conduct of the entities

representing the privately administered personal database controllers or processors.

Peru


Political willingness: Free trade agreements: Peru signed

them in Nov. 2008 with the US and Canada. Bilateral negociations under way with the EU, South Korea and China.

Call centers. Transborder data flows:

Destination country must have a sufficient level of protection for the personal data to be processed, or at least comparable to that provided by the law.

Peru

1.- Agencia Española de Protección de Datos, cuatro gráficas aportadas a la fecha 31032011. Anales del Seminario “El impacto de las transferencias internacionales de datos en América Latina. Las políticas preventivas y la autorregulación en la implantación de la normativa de protección de datos”, Cartagena de Indias, Colombia. Junio de 2011 <http://www.redipd.org/reuniones/seminario_2011_Cartagena/common/Ponencias/JesusRubiNavarreteMartes.pdf>.

2.- José Luis Piñar Mañas. Protección de datos de carácter personal en Iberoamérica, Red Iberoamericana de Protección de Datos, Agencia Española de Protección de Datos, Ed. Tirant Lo Blanch Libros, Valencia, España. 2005.

3.- José Luis Piñar Mañas, La Red Iberoamericana de Protección de Datos, Declaraciones y documentos. Ed. Tirant Lo Blanch. Valencia, 2006.

4.- Oscar Puccinelli, El habeas data en Indoiberoamerica. Ed. Temis, Bogota, Colombia. 1999.

5.- Ana Brian Nougreres. De la protección de datos personales y la cooperación internacional. Anuario de Derecho Informático, Instituto de Derecho Informático, Facultad de Derecho, Universidad de la República. FCU. 2005.

General references


6.- Cédric Laurant, “Emerging Data Protection Laws in Latin America and Doing Business in the EU”, Cedric’s Privacy Blog, Sept. 15, 2011 <http://blog.cedriclaurant.org/2011/09/15/emerging_data_protection_laws_in_latin_america_doing_business_in_eu/>.

7.- Alberto Cerda, Cédric Laurant & Renato Opice Blum, “Recent Privacy and Data Protection Developments in Latin America and Their Impact on North American and European Multinational Companies”, IAPP Global Privacy Summit (Washington, DC – April 21, 2010) <http://www.slideshare.net/cedriclaurant/quotrecent-privacy-and-data-protection-developments-in-latin-america-and-their-impact-on-north-american-and-european-multinational-companiesquot>.

8.- Marcos Normativos en materia de Protección de Datos Personales. Actas del Seminario. Antigua, Guatemala, 2003.

General references


1.- Declaration regarding Argentina’s Adequation to the levels of data protection of the Directive 95/46/EC of the European Parliament and the Council, November 21, 2003 <http://ec.europa.eu/justice/policies/privacy/docs/adequacy/decision-c2003-1731/decision-argentine_en.pdf>.

2.- Carlos E. Delpiazzo, Protección de datos en Uruguay y el Mercosur, Fundación de Cultura Universitaria. Montevideo, Uruguay, 2005.

3.- “Argentina” country report in Privacy & Human Rights 2006, Electronic Privacy Information Center & Privacy International, December 18, 2007 <https://www.privacyinternational.org/article/phr2006-argentine-republic>.

References (Argentina)


1.- Brazilian Constitution, Title 2, Chapter 1, Article 5, X. http://www.planalto.gov.br/ccivil_03/constituicao/constitui%C3%A7ao.htm

2.- Brazilian Constitution, Title 2, Chapter 1, Article 5, XI. http://www.planalto.gov.br/ccivil_03/constituicao/constitui%C3%A7ao.htm

3.- Brazilian Constitution, Title 2, Chapter 1, Article 5, XII. http://www.planalto.gov.br/ccivil_03/constituicao/constitui%C3%A7ao.htm

4.- Brazilian Constitution, Title 2, Chapter 1, Article 5, XIV. http://www.planalto.gov.br/ccivil_03/constituicao/constitui%C3%A7ao.htm

5.- Brazilian Constitution, Title 2, Chapter 1, Article 5, LXXII. http://www.planalto.gov.br/ccivil_03/constituicao/constitui%C3%A7ao.htm

6.- Federal Law No. 9.507/1997 (Habeas Data). http://www.planalto.gov.br/ccivil_03/leis/l9507.htm

7.- Federal Law No. 9.507/1997, Article 4 § 1. http://www.planalto.gov.br/ccivil_03/leis/l9507.htm

References (Brazil)


8.- Federal Law No. 9.507/1997, Article 4 § 2. http://www.planalto.gov.br/ccivil_03/leis/l9507.htm

9.- Federal Law No. 10.406, January 12, 2002 (Civil Code). http://www.planalto.gov.br/ccivil_03/leis/2002/L10406.htm

10.- Federal Law No. 7.232, October 29, 1984 (National Computer Policy). http://www.planalto.gov.br/ccivil_03/leis/L7232.htm

11.- Federal Law No. 9.472, July 16, 1997, Book 1, Art. 3, IX. (Telecommunications Act). http://www.consumidorbrasil.com.br/consumidorbrasil/textos/legislacao/l9472.htm

12.- Federal Law No. 9.454, April 7, 1997 (National Identity Registration). http://www.planalto.gov.br/ccivil_03/Leis/L9454.htm

13.- Federal Law No. 8.078, Article 43, September 11, 1990 (Consumer´s Code). http://www.planalto.gov.br/ccivil_03/leis/L8078.htm

14.- Document nº 05/2002, of the Economic Law Secretariat, Ministry of Justice (Secretaria de Direito Econômico (SDE) do Ministério da Justiça).


References (Brazil)

15.- Personal Data Bill: regulates the protection of personal data, privacy and other matters <http://www.cgu.gov.br/acessoainformacao/arquivos/anteprojeto-lei-protecao-dados-pessoais.pdf>.

16.- Renato Leite Monteiro & Caio César Carvalho Lima, Comentários ao Anteprojeto de Lei Brasileiro sobre Proteção de Dados Pessoais, Information Security Breaches & The Law Blog, May 2011 <http://securitybreaches.files.wordpress.com/2011/05/anteprojeto-de-lei-brasileiro-sobre-protecao-de-dados-pessoais.pdf>.

17.- Renato Leite Monteiro & Cédric Laurant, “New Brazilian Data Protection Bill Adopts Data Breach Notification Regime”, Information Security Breaches & The Law Blog, May 9, 2011 <http://blog.security-breaches.com/2011/05/09/new_brazilian_data_protection_bill_adopts_data_breach_notification_regime/>.

18. Renato Leite Monteiro , “Comentários ao Anteprojeto de Lei Brasileiro sobre Proteção de Dados Pessoais”, Information Security Breaches & The Law Blog, May 1, 2011 <http://blog.security-breaches.com/2011/05/01/comentarios-ao-anteprojeto-de-lei-brasileiro-sobre-protecao-de-dados-pessoais/>.

References (Brazil)


19.- “Brazil” country report in Privacy & Human Rights 2006, Electronic Privacy Information Center & Privacy International, December 18, 2007 <https://www.privacyinternational.org/article/phr2006-federative-republic-brazil>.

20.- Danilo Doneda, Da privacidade a proteção de dados pessoais, Ed. Renovar. Rio de Janeiro, Brasil, 2006.

21.- Stefano Rodota. A vida na sociedade da vigilancia, a privacidade hoje, Ed. Renovar, trad. Maria Celina Bodin de Moraes, Rio de Janeiro, 2008.

22.- Temis Limberger. O direito a intimidade na era da informática. Ed. Livraria do Avogado, Brasil, 2007.

References (Brazil)


1.- Informe de conciliación al Proyecto de Ley Número 046 de 2010 Cámara, 184 de 2010 Senado (upcoming Colombian data protection law) <http://www.habeasdata.org.co/wp-content/uploads/2010/12/Informe-Conciliación1.pdf>.

2.- Fernando Triana and Carolina Díaz (Triana, Uribe & Michelsen), “Data Protection: Colombia”, April 1, 2010 <http://ipandit.practicallaw.com/7-502-5167?source=relatedcontent>.

3.- Observatorio de la protección de datos personales en Colombia <http://www.habeasdata.org.co/>.

4.- Nelson Remolina-Angarita, “¿Tiene Colombia un nivel adecuado de protección de datos personales a la luz del estándar europeo?, 16 International Law, Revista Colombiana de Derecho Internacional, 489-524 (2010) <http://www.habeasdata.org.co/wp-content/uploads/2010/08/colombia-y-nivel-adecuado-de-proteccion-de-datos-nelson-remolina-il-julio-de-2010.pdf>.

5.- Nelson Remolina-Angarita, “Propuestas para mejorar y aprobar el proyecto de ley estatutaria sobre el derecho fundamental del habeas data y la protección de los datos personales”, Documento GECTI No 11, Noviembre 24 de 2010 <http://www.habeasdata.org.co/wp-content/uploads/2010/12/documento-gecti-11-de-2010.pdf>.

References (Colombia)


6.- Cédric Laurant, Summer course of continuing legal education: “Data Protection & Privacy around the World”, School of Law, Universidad de los Andes (Bogota, Colombia – June 17 - July 7, 2008).

7.- Spanish Data Protection Agency, “Report on International Data Transfers – Ex Officio Sectorial Inspection of Spain-Colombia at Call Centres”, July 2007 <http://www.agpd.es/portalwebAGPD/jornadas/transferencias_internacionales_datos/common/pdfs/report_Inter_data_transfers_colombia_en.pdf>.

8.- “Colombia” country report in Privacy & Human Rights 2006, Electronic Privacy Information Center & Privacy International, December 18, 2007 <https://www.privacyinternational.org/article/phr2006-colombia>.

References (Colombia)


1.- Personal Data Protection Law No. 8968 of Sept. 7, 2011 (Ley de “Protección de la Persona frente al tratamiento de sus datos personales”) <http://www.pgr.go.cr/scij/Busqueda/Normativa/Normas/nrm_repartidor.asp?param1=NRTC&nValor1=1&nValor2=70975&nValor3=85989&strTipM=TC>.

2.- “Protection of the Person in the Processing of His Personal Data” (Data protection bill, “Ley de protección de la persona frente al tratamiento de sus datos personales”) <http://www.elderechoinformatico.com/index.php?option=com_content&view=article&id=508:ley-proteccion-de-datos-personales-costa-rica&catid=1:datos-personales&Itemid=54>.

3.- Roberto Lemaitre, “Proyecto de Ley - Expte. 16.679 “Protección de la Persona frente al tratamiento de Datos Personales”, 11 de Junio de 2011 <http://www.elderechoinformatico.com/index.php?option=com_content&view=article&id=583:proyecto-de-ley-expediente-16679-proteccion-de-la-persona-frente-al-tratamiento-datos-personales&catid=118:elderechoinformatico-costa-rica&Itemid=122>.

4.- Costa Rica country report in Privacy & Human Rights 2006, Electronic Privacy Information Center & Privacy International, December 18, 2007 <https://www.privacyinternational.org/article/phr2006-costa-rica>.

References (Costa Rica)


1.- Ley de Protección de Datos personales, 3 de julio de 2011 <http://securitybreaches.files.wordpress.com/2011/07/110703-ley_peruana-pdp-no29733.pdf>.

2.- Department of Commerce, English translation of Peru’s Law for Personal Data Protection (Ley de Protección de Datos Personales) <http://www.huntonprivacyblog.com/uploads/file/Peru%20Data%20Protection%20Law%20July%2028_EN%20_2_.pdf>.

3.- Iriarte & Asociados, Handbook IA N° 6 - Protección de Datos Personales- Entidades Privadas, v. 1.0, julio de 2011 <http://www.iriartelaw.com/apc-aa-iriartelaw/img_upload/80fbc41a7158c9c9b59314f28f167fb1/Handbook_IA_N__6_ley_de_Protecci_n_de_Datos_Personales.pdf>.

4.- Carlos Ferreyros Soto, “Los desafios digitales del Ministerio de Justicia: El Sistema Peruano de Información Judicial, SPIJ y la Ley de Datos Personales”, 30 June 2011, <http://derecho-ntic.blogspot.com/2011/06/los-desafios-digitales-del-ministerio.html>.

5.- José Miguel Silva, “Ley de protección de datos personales: Todo lo que usted debe saber”, LaRepublica.pe, 23 June 2011 <http://www.larepublica.pe/23-06-2011/ley-de-proteccion-de-datos-personales-todo-lo-que-usted-debe-saber>.

References (Peru)


6.- Cédric Laurant, “Perspectivas europeas sobre la protección de los consumidores y usuarios peruanos del Internet. Interpretando el nuevo Código peruano de Protección y Defensa del Consumidor (Ley No. 29571)” (Conferencia internacional: “Implicancias del Nuevo Codigo de Proteccion y Defense del Consumidor: Nuevos Retos”), Asociación Nacional de Defensa del Consumidor, Universidad Nacional Jorge Basadre Grohmann, Tacna, Peru – December 21, 2010) <http://www.slideshare.net/cedriclaurant/perspectivas-europeas-sobre-la-proteccin-de-los-consumidores-y-usuarios-peruanos-del-internetinterpretando-el-nuevo-cdigo-peruano-de-protecciny-defensa-del-consumidor-ley-no-29571>.

7.- “Peru” country report in Privacy & Human Rights 2006, Electronic Privacy Information Center & Privacy International, December 18, 2007 <https://www.privacyinternational.org/article/phr2006-republic-peru>.

References (Peru)


1.- The Uruguayan laws can be consulted at <http://www.parlamento.gub.uy>.

2.- Text of the Uruguayan decrees can be consulted at <http://www.presidencia.gub.uy>.

3.- Ana Brian Nougreres, “El sistema legal uruguayo en protección de datos personales y acceso a la información pública,” Universidad de Los Andes, Bogotá, Colombia, 2010.

4.- Opinion 6/2010 on the level of protection of personal data in the Eastern Republic of Uruguay, adopted October 12, 2010, 0475/10/EN WP 117 <http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2010/wp177_en.pdf>.

5.- Ana Brian Nougreres. Taller sobre Protección de Datos Personales, Colegio de Abogados del Uruguay, Montevideo, 2010.

6.- Augusto Duran Martinez, Derecho a la Protección de Datos personales y al acceso a la información pública, Ed. Amalio Fernández, Montevideo, Uruguay,, 2009.

References (Uruguay)


7.- Carlos E. Delpiazzo, Protección de datos en Uruguay y el Mercosur, Fundación de Cultura Universitaria. Montevideo, Uruguay, 2005.

8.- Ana Brian Nougreres, “Integración Iberoamericana en materia de protección de Datos Personales”, Anuario de Derecho Informático, Montevideo, Uruguay, 2007.

9.- Ana Brian Nougreres. Protección de datos personales en Uruguay. Imp. Teijeiro. Montevideo, Uruguay, 2009.

10.- “Uruguay” country report in Privacy & Human Rights 2006, Electronic Privacy Information Center & Privacy International, December 18, 2007 <https://www.privacyinternational.org/article/phr2006-republic-uruguay>.

12.- Ana Brian Nougreres, “El sistema de transporte metropolitano y la protección de datos personales de los uruguayos”, Anuario de Derecho Informatico, Instituto de Derecho Informático, Facultad de Derecho, Universidad de la República, FCU, 2007.

References (Uruguay)



Introduction

A. Brazil



D. Key take aways (Cedric Laurant)

Q & A

Outline


• 1. Get an edge over your competitors: be transparent, explain, clarify how your company/affiliate will use individuals/customers’ personal information.

• 2. Being seen as an early adopter will be good for business and reputation.

• 3. Trust your consumers (trust breeds trust, in your products, services, reputation, brand).

Key take aways


• 4. Follow all consumer protection regulations and go beyond strict compliance.

• 5. Build your company’s reputation as being fully reliable for your customers.

• 6. Get advice not only from local counsel, but also from global ones.

Key take aways


Introduction

A. Brazil



D. Key take aways

Q & A

Outline


Panelists: contact info Cedric Laurant, Esq., LL.M. Principal, Cedric Laurant Consulting (Belgium) http://cedriclaurant.com – Twitter: @cedric_laurant c [at] cedriclaurant [dot] com

Dra. Ana Brian Nougreres Law Professor, Universidad de la República Oriental del Uruguay; Chief Consultant, Estudio Jurídico Briann & Associates (Uruguay) abrian [at] netgate [dot] com [dot] uy

Renato Opice Blum CEO and Partner, Opice Blum Advogados Associados (Brazil) http://www.opiceblum.com.br – Twitter: @opiceblum renato [at] opiceblum [dot] com [dot] br

new data protection laws and case law trends in central & south america (iapp privacy academy,...

Documents