¡Viva La Privacidad!
Luis Salazar, CIPP
With so much data privacy activity focused on the United States, the European Union (EU) and Asia, it's easy to overlook our neighbors to the south — Latin America. Ironically, the region has some of the most unique and diverse privacy laws in the world, along with a growing need for more.
With more than half a billion inhabitants, trade between the U.S. and Latin America surpassed $500 billion in 2006, while trade between the EU and the region surpassed $177 billion Euros. U.S. businesses invest more than $350 billion annually in Latin America, and EU companies nearly $100 million Euros and many, if not most, major U.S. corporations and financial institutions have subsidiaries, back-office, or other direct operations in one or more Latin American countries.
Although Latin America still struggles with challenging economic issues, it expects to have more than 100 million Internet users by the end of 2007, not to mention a thriving e-commerce sector. In Mexico alone, e-commerce exceeded $38 billion last year, with estimates for the entire region to reach more than $100 billion by 2007. In fact, expectations are that a "youth boom" will continue to push this tech savvy growth for the foreseeable future.
For the data privacy professionals, Latin America's biggest challenge is its balkanization and effectively managing data flows through 28 countries, with 28 different privacy schemes. At the upcoming IAPP Privacy Academy 2007, I have the great pleasure of participating in and moderating a panel with Jose-Luis PiÃ±ar MiÃ±as, the former Spanish Data Protection Commissioner, and Zoe Strickland, CIPP, the Vice President and Chief Privacy Officer of Wal-Mart, on this issue — Managing Data Privacy in Latin America. Until then, this article will cover some of the larger issues in Latin American data privacy law.
Perhaps no single concept is more fundamental to understanding Latin American data privacy law than Habeas Data. Habeas Data, literally translated as â€˜you should have the data,' is a constitutional right granted individuals in many Latin American countries and is the predominant force in the region's data privacy law.
The right of Habeas Data appears to have its origin in certain decisions of the German Constitutional Tribunal involving an individual's data stored third-party in databases. Although its details vary by country, Habeas Data is generally the right of an individual to petition a court to help it protect his or her privacy, including his or her image, privacy, honor and freedom of information. The action can be brought against anyone holding information, and it empowers the complaining party to request a correction or even destruction of personal data held by a third party.
Brazil became the first country to officially enact a Habeas Data law in 1988, when it passed a new constitution and gave Habeas Data full constitutional authority. Thereafter, Columbia adopted the Habeas Data right in its new constitution in 1991; Paraguay in 1992; Peru in 1993; Argentina in 1994; Ecuador in 1996; and Bolivia in 2004. With each subsequent enactment, Habeas Data rights became clearer.
In Brazil, the power of Habeas Data is limited to the right of an individual to access and correct data, but not to update or destroy it. A subsequently enacted Habeas Data-enabling law granted individuals the additional power to add an annotation to their data stored in a database to note that it is under legal dispute. Enforcement of the Habeas Data right in Brazil, however, can be a challenge, because venue for the action changes depending on the defendant.
When Paraguay passed its version of Habeas Data, it enhanced the definition and simplified the procedural elements. Its Habeas Data constitutional provisions not only allow an individual to access information and data available on him or herself, but also to know how the information is used and for what purpose. A petitioner can request that a court of competent jurisdiction update, correct or destroy entities if they are wrong or if they are illegally affecting his or her rights. Paraguay allows only one court — the constitutional chamber of the Supreme Court — to hear and decide all Habeas Data cases.
The Peruvian Habeas Data provisions are similar to the Paraguayan ones, but do not allow for the correction or removal of erroneous data stored in a database. It does, however, forbid the broadcast, copy, transfer or distribution of that erroneous data.
The Argentinean Habeas Data provisions further refined Habeas Data rights. Actually referred to as an "amparo," the traditional label for certain constitutional guarantees in the Latin American civil system, the provisions include most of the previously mentioned Habeas Data enactments, including the right to access data, correct it, update it or destroy it. It also forbids the broadcast or transmission of incorrect or false information, but explicitly excludes the press from such actions.
Traditionally, Habeas Data has been seen as an individual right that can only be brought and asserted by the affected individuals. More recently, Latin American courts have begun to take a broader view. For example, the Supreme Court of Argentina ruled in Urteaga v. Estado Nacional (1999), that an individual had standing to assert a Habeas Data claim for information about his brother, who was killed during Argentina's "dirty war." In subsequent cases, the court has reinforced this trend. It may be possible, then, that Habeas Data will eventually become one way to seek privacy remedies for groups or classes of individuals.
It is worth noting that Mexico, which does have fairly broad constitutional privacy rights, does not have Habeas Data.
Data Protection Laws
Despite this rich and unusual Habeas Data tradition, several Latin American states also have adopted data protection laws, some based on the European model. In November 2000, for example, Argentina passed The Law for the Protection of Personal Data (the LPDP), which is based on the EU Data Protection Directive and the Spanish Data Protection Acts of 1992 and 1999. The LPDP contains data privacy legal provisions most privacy professionals are used to — general data protection principles, obligations of data controllers, supervisory authority, sanctions and more. But perhaps most importantly, it bars transfer of personal information to countries without legal systems that "adequately protect" that data. In fact, the EU has determined that Argentina meets the requirement of the EU directive and provides an adequate level of personal data protection. A bill proposing a similar data protection scheme has been proposed and has been pending in Brazil for several years.
More EU-type data laws may be coming, as El Salvador and other Central American countries signed a Political Dialog and Cooperation Agreement with the EU and several member states. That agreement provides that the parties will work to cooperate and protect the processing of personal data and will work toward the free movement of personal data among their jurisdictions. On the other hand, Mexico has 27 different statutes that address data privacy, but no comprehensive data protection plan, nor immediate plans to enact one.
Chile, which never enacted Habeas Data, was the first Latin American country to enact a data protection statute — The Law for the Protection of Private Life, passed on October 28, 1999. That law covers the intake and use of personal data in both personal and private sectors, as well as the rights of individuals to access, correct and control that data. The law covers the use of financial, commercial and banking data, and addresses governmental use of private data.
All in all, as data privacy issues become more complex and numerous, Latin American countries appear ready to respond with more comprehensive data protection laws.
Spam and Internet Regulations
Just like the rest of the world, "El Spam" drives Latin American Internet users crazy. A number of Latin American countries have passed laws to respond to the spam challenge, with perhaps the most well-known of these being Section 27 of the 2000 Argentinean Data Protection Law. Among other things, that law gives recipients the right to opt out of spam. In a recent case, plaintiffs successfully sued a spammer who did not comply with the law and continued to send unsolicited emails. The court enjoined the spammer and awarded damages.
Peru enacted a "Ley AntiSpam" which was recently the subject of what most likely will be a precedent-setting decision fining a Peruvian spammer $5,458 for repeated violations. Notably, this successful effort was made possible by the dedication and persistence of the author of the "Peru Sin Spam" (Peru Without Spam) blog.
Likewise, spyware is no less a problem in the region than in the U.S. or the EU. In Argentina, the LPDP makes spyware illegal because it bars the surreptitious collection of data. Enforcement of these restrictions, however, would likely be by means of an individual bringing a Habeas Data action against a spyware user — probably a fruitless effort. In Chile, spyware likely would be covered by The Ley Contra Delitos InformÃ¡ticos (The Law Against Information Crimes), which makes the destruction of a computer or unlawful access to its contents, a crime punishable by 1- to 5-year prison term.
There are a number of entities actively shaping the future of data privacy in Latin America. The Ibero American Data Protection Network (IDPN), in particular, appears to have the broadest impact across the region. Founded by the Spanish Data Protection Agency, and formerly headed by our panelist Dr. PiÃ±ar MaÃ±as, it conducts various outreach efforts to promote data protection laws similar to the EU Directive. Its efforts are credited with leading to the passage of Argentina's LPDP and qualifications as an acceptable country under the EU Directive.
The LPDP's passage also created another influential body — the Argentinean Data Protection Agency. It is charged with enforcement of the law and is generally thought to have the potential to take precedent-setting actions with potentially region-wide repercussions.
Chambers of commerce and other business associations also have actively promoted good privacy principles. In Mexico, for example, the Mexican Internet Association (AMIPCI), along with the Ministry of the Economy and the Office of the Federal Attorney for Consumer Protection, introduced the "AMIPCO" trusted site seal, designed to identify sites that comply with data privacy regulations, properly use personal data and reduce bad Internet practices.
Finally, there are a number of private commentators and critics who champion data privacy, and closely monitor the many twists and turns of its development. Perhaps the best known of these is habeasdata.org and its related state-specific habeas data blogs. These sites deserve credit for raising the profile of data privacy throughout the region.
The overview in this article is only "La punta del iceberg." Data privacy impacts so many other areas of the Latin American economy — money wiring, mobile phone use and marketing, travel requirements, bank secrecy laws, labor, and much more. A more in-depth discussion will be provided on privacy in Latin America at the Academy, which will feature more than 120 speakers during the 3-day event, Oct. 22-24, at The Westin St. Francis in San Francisco.