ISPF 2019 – Privacy in Latin America: Where is it headed? (PowerPoint PPT Presentation)

  1. ISPF 2019 Privacy in Latin America – Where is it headed?
     Moderator – Javier Fernández-Samaniego, Partner, Samaniego Law (Spain & USA)
     Isabel Davara, Partner, Davara Abogados (Mexico)
     José Alejandro Bermúdez, Former Colombian Data Protection Superintendent; Partner, Bermudez Durana (Colombia)
     Laura Juanes Micas, Global Director, Privacy Policy Engagement, Facebook

  2. Global View

  3. Regional Snapshot

  4. Origins
     Habeas Data: right to access, rectification, cancellation – enforced by the judiciary
     • Argentina
     • Brazil
     • Bolivia
     • Chile
     • Colombia
     • Costa Rica
     • Dominican Republic
     • Honduras
     • Mexico
     • Panama
     • Paraguay
     • Uruguay
     • Venezuela

  5. 1st Generation Comprehensive Laws
     Enacted:
     • Argentina
     • Aruba
     • Bahamas
     • Chile
     • Colombia
     • Costa Rica
     • Curaçao
     • Dominican Republic
     • Mexico
     • Nicaragua
     • Panamá
     • Peru
     • St. Lucia
     • Trinidad & Tobago
     • Uruguay
     Work in progress:
     • Brazil
     • Ecuador
     • Guatemala
     • Honduras
     • Jamaica
     2nd generation:
     • Argentina

  6. Highlights

  7. New wave: GDPR-inspired… … with a twist

  8. Need to keep in mind
     • EU-inspired norms (searching for adequacy)
     • Adequacy based (significant restrictions on foreign data transfers – but few whitelists)
     • Abundant registration obligations
     • Heavily consent based (opt-in) (with exceptions)
     • Extensive and formalistic individual rights (access, correction, rectification…)
     • Rare incentives for accountability (with exceptions)
     • Criminal liability
     • Limited precedent and case law
     • Varied degree of enforcement

  9. Iberoamerican Network Standards
     • Drafting led by the Mexican DPA
     • Heavily GDPR-inspired
     • Not binding – yet influential
     • Aspirations of harmonization
     http://www.redipd.es/documentacion/common/Estandares_eng_Con_logo_RIPD.pdf

  10. The IAN standards in a nutshell
     • Extraterritorial application
     • Heightened standard for consent
     • Ample legal basis to collect & process, incl. legitimate interests
     • Strict limitations to secondary uses
     • Data breach notification obligations
     • Right to object to profiling
     • Right to portability
     • Rights of the deceased
     • PRAs
     • DPO
     • Independent DPAs, only subject to judicial review

  11. Global data flows
     • Argentina and Uruguay are the only countries deemed ‘adequate’ by the European Commission
     • Both countries’ adequacy findings are up for revision post-GDPR
     • Both countries are signatories of Convention 108+
     • Convention 108+ of the Council of Europe has been gaining traction and is de facto considered a stepping stone for EU adequacy
     • Mexico has recently adhered to C 108+
     • USMCA contemplates CBPRs as a possible mechanism (but not yet fully implemented in Mexico nor Canada)

  12. Global data flows: possible instruments
     • Adequacy (‘white lists’)
     • Consent
     • Model Contracts
     • Individual authorizations
     • Intra-group transfers
     • Combos (white lists + accountability)
     • Exceptional circumstances (e.g. natural disasters, medical emergencies)
     • Multilateral instruments / agreements (CBPRs, USMCA, PA)

  13. Data breaches
     • Iberoamerican Standards call for breaches to be notified without delay but, applying an accountability approach, not when the risk to data subjects is unlikely.
     • Different standards apply throughout LatAm: notification to data subjects is voluntary in some jurisdictions (Colombia, Peru), mandatory in some (Mexico and Brazil) and N/A in others (i.e. Argentina). Notifications to the DPA are mandatory in Colombia and Brazil and voluntary in other jurisdictions.
     • Argentina’s new draft bill has a 72-hour notification requirement unless it is unlikely that the breach implies a risk to data subjects, and data subjects should only be informed if the risk is high. In contrast, Colombia has moved towards a strict interpretation of breaches, with no guideline as to what makes up a breach and how it should be notified.

  14. USMCA
     • Chapter 19 is about Digital Trade and includes specific provisions regarding protection of personal data.
     • Article 19.8 foresees that the parties:
       • Recognize the economic and social benefits of protecting the personal information of users of digital trade.
       • Shall adopt or maintain a legal framework to protect personal data, taking into account principles and guidelines of relevant international bodies, such as the APEC Privacy Framework and the OECD Recommendation of the Council concerning Guidelines governing the Protection of Privacy and Transborder Flows of Personal Data (2013).
       • Recognize the key principles of protection of personal data.

  15. Mexico Fintech Law

  16. Background
     • The Mexican Fintech Law (MFL) is an innovative and unique legal framework in the world.
     • Several provisions of the Fintech Law require further development through secondary regulations. Currently the competent authorities have issued a broad set of regulations to implement the MFL.
     • The MFL was published on March 9th 2018 in the Federal Official Gazette.
     • The law regulates the services provided by the Financial Technology Institutions (“FTIs”), including their organization and operation.
     • FTIs include Crowdfunding entities and E-payment entities.

  17. Need to Know
     • The Fintech Law requires Financial Entities and FTIs, among others, to establish application programming interfaces (“APIs”) to allow connectivity and access to interfaces developed or managed by other Financial Entities and FTIs (with the prior consent of users).
     • The purpose of the APIs is to share users’ open financial, aggregate and transactional data.
     • The information mentioned in article 76 of the Law can only be used for the purposes strictly authorized by the client.
     • As private entities, FTIs are subject to the Federal Law on Protection of Personal Data Held by Private Parties.

  18. Questions?

  19. Addendum. Country Profiles

  20. Chile
     - Body of law: Constitution (recently amended) + Law 19628 (1999)
     - Supervision and enforcement by the civil courts (no DPA)
     - Comprehensive bill currently under discussion in Congress
     - Chile will be the next APEC host in 2019
     - Little to no enforcement so far (but criminal liability)
     - Proposed bill based on OECD Principles with GDPR influence (e.g. right to portability, strengthened consent, references to biometrics, profiling, automated decision making…)
     - Proposed bill will also create an independent DPA and a public registry of offenders

  21. Peru
     - Body of law: Constitution + Comprehensive Law n.29733 (2011), amended in 2017 + Developing Regulation
     - Supervision and enforcement under DGTAIPD (Transparency & Data Protection Agency under the Ministry of Justice)
     - Database registration is required
     - Multiple mechanisms for data transfers available (not CBPRs)
     - DPO is required
     - Data breach notification obligations imposed by the DPA
     - Fines up to 150k USD + criminal liability
     - Recent decision re. processing of information under FATCA

  22. Mexico
     - Body of law: Constitution + Comprehensive Law ‘LFPDPP’ (2010) + Developing Regulation (2012) + State Laws
     - Supervision and enforcement under INAI (Independent Transparency & Data Protection Agency) + State Agencies
     - Only LatAm country adhered to CBPRs (but no agent)
     - Strict formalities around privacy notices (long / short forms)
     - Implicit consent as default
     - Explicit incentives for binding self-regulation
     - Intra-group data transfers are authorized
     - Recent guidance issued on Biometrics
     - Fines up to 3m USD + criminal liability

  23. Colombia
     - Body of law: Constitution + Law 1581 of 2012
     - Supervision and enforcement under SIC, a technical supervisory body also charged with Competition, IP registration and Consumers
     - Strict controller obligations, with only consent as a basis to process (with legal exceptions)
     - Active DPA with relatively large fining power (in excess of USD$500.000)
     - Published Accountability Guidelines in 2015 as a consequence of Colombia’s OECD accession process
     - Stringent DB registration and data breach notification obligations
     - Published a Data Transfer adequacy “white list” in 2018, with intense debate over the decision to include the US as adequate

  24. Argentina
     - Body of law: Section 43 of the Argentine National Constitution, regulated in Law 25,326 (PDPL), the Regulatory Decree 1558/2001 (DP Decree) and provisions issued by the DPA
     - Supervision and enforcement under AAIP (Independent Transparency & Data Protection Agency)
     - Database registration is required
     - There is no specific requirement to appoint a DPO
     - Cross-border transfer of personal data is prohibited to countries or international or supranational organizations which do not provide adequate protection to such data
     - Personal data may only be transferred for legitimate purposes of the transferor and the transferee, and generally with the prior consent of the data subject, who must be informed of the transfer’s purpose and of the transferee’s identity
     - Data breach notification is not specifically required
     - The Argentine President submitted to the National Congress Bill No. MEN-2018-147-APN-PTE, aiming to replace in its entirety the Personal Data Protection Law No. 25,326

  25. Thank You
