[latam webinar slides] brazil & beyond: privacy trends in latin america
Post on 18-Feb-2017
1 v Privacy Insight Series - truste.com/insightseries v
© TRUSTe Inc., 2016
Brazil & Beyond: Privacy Trends in
Latin America
August 18, 2016

Today’s Speakers
Andrew McDevitt, Senior Privacy Consultant, TRUSTe
Jacobo Esquenazi, Global Privacy Strategist, HP, Inc.
Juan Luis Hernandez Conde, Founding Partner, Novus Concilium

Today’s Agenda
• Welcome & Introductions
• Overview of Latin American Privacy
• Understanding Database Registration Requirements
• Proposed Legal Changes in the region including: Brazil, Chile, Colombia, Mexico
• Accountability and Data Subject Rights
• Q&A
Overview of Latin American Privacy
Andrew McDevitt, Senior Privacy Consultant, TRUSTe

Basic Observations of Privacy in Latin America
• There is no Latin American treaty, omnibus regional law, or specific regional body that assists and guides organizations on data protection, comparable to the EU Data Directive (soon to be GDPR).
• However, data protections have been purposefully incorporated into the constitutions of some Latin American countries.
• Some Latin American countries require all organizations to register with their DPA (Peru), while others don’t require businesses to register with their DPA (Mexico, Nicaragua).

Data Protection in Latin America Falls into Four Groups
• Constitutional/Habeas Data. Nations which utilize a constitutional rights-based model for protecting individuals’ personal data rights.
• General Data Protection Laws. Nations which have enacted comprehensive data protection laws.
• Hybrid Approach. Nations that employ a blend of habeas data and general data protection laws.
• Unsettled or Transitioning Data Protection Rights. Nations that lack a clearly defined constitutional or legislative structure with respect to privacy rights.
Overview of Latin American Privacy Requirements

Understanding Database Registration Requirements
Jacobo Esquenazi, Global Privacy Strategist, HP, Inc.

Database Registration Requirements in LAR
• Database Registration is one of the most burdensome requirements in Data Protection Management. It is very common in LAR.
• Five out of six countries that have Data Protection Laws in the region include a Database Registration Requirement. Mexico is the only notable exception.
• Conditions for registering databases and the content of the registration vary from country to country.
• Three countries require an annual update or renewal of the registration, one country requires an update only when major changes occur, one country requires a monthly update when any changes occur, and one requires that the registry be kept up to date constantly.
• In some countries, fees for registration need to be paid (a source of revenue for the DPA), and there is a cost of compliance in all cases.

Database Registration Requirements by Country
Uruguay
• Article 29 of Data Protection Law creates a Database registry. All Public and Private Databases need to be registered before the DPA.
• Applicable to all persons (natural and legal).
• Registration includes information about the database and exercise of rights; security measures; length of storage.
• Registration needs to be renewed annually.
• Registration can be done online.
Argentina
• Article 21 of Data Protection Law creates a Database registry. All public and private DB must be registered before the DPA.
• Applicable to ALL databases.
• Private DB should be registered before being created.
• Registration needs to be renewed annually.
• Registration can be initiated online.

Data Base Registration Requirements by Country
Peru
• Article 29 of Data Protection Law creates a Data Base registry. All databases that are subject to Data Subject rights (access, correction, etc.) need to be registered.
• DPA can also include as part of the registry (searchable) authorizations, sanctions, injunctions or corrective measures imposed. Registry also includes approved codes of conduct.
• Communications related to transborder flows are also registered.
• Registration must be done on paper.
• Registration is done once unless the DB undergoes changes. All changes to the purpose, content, security measures, etc. must be registered.

Data Base Registration Requirements by Country
Colombia
• Article 29 of Data Protection Law creates a Data Base registry. Only Colombian Data Controllers (registered in the chambers of commerce) need to register DBs.
• Information to be registered: types of data; security measures; data origin; international transfers; international transmissions; national data transfers; requests from data subjects to exercise their rights; and security incidents (breaches).
• Annual registration or within 10 days of any substantial changes.
Costa Rica
• Article 21 of Data Protection Law creates a Data Registry. Databases for distribution, publication or commercialization need to be registered.
• Registration needs to be done by the data owner (notarized) and includes physical placement of the database; uses for the database; types of data; description of security measures; recipients of data transfers; list of contracts for commercialization; creation of a super user for the agency, etc.

Proposed Legal Changes in the Region
Juan Luis Hernandez Conde, Founding Partner, Novus Concilium
From Habeas Data to Omnibus Protection

What is Habeas Data?
Constitutionally / judicially protected right to access, rectification and/or erasure of personal information.

Omnibus legislation
Legal regime imposing specific obligations and requirements on Data Controllers and Data Processors.

Privacy evolution timetable
[Timeline figure. Years shown: 2000, 2008, 2010, 2011, 2014. Countries shown: Argentina, Uruguay, Mexico, Costa Rica, Peru, Colombia.]

Laws being discussed right now
• Brazil
• Ecuador
• Chile
• Panama

Accountability and Data Subject Rights
Jacobo Esquenazi, Global Privacy Strategist, HP, Inc.

Data Subject Rights in LAR
• All Data Protection Laws in LAR are based (in whole or in part) on EU data protection concepts and, more specifically, on the first Spanish implementation of the Privacy Directive.
• All laws in LAR provide data subjects with the following rights:
– Access: The right to know what information a Controller holds about the Data Subject.
– Correction: The right to correct inaccurate information that a Data Controller holds about a Data Subject.
– Deletion: A Data Subject has the right to request that a Data Controller delete information related to him/her (with some limitations).
• Some data protection laws allow an intermediate phase before deletion (opposition), which is the equivalent of the Right of Restriction of Processing under the GDPR.
• All rights have a compliance period. After that period, Data Subjects who feel their requests have not been honored have a right of recourse before the DPA and eventually before a court of law.

Infringement of Data Subject Rights
• The infringement of Data Subject Rights can be penalized by administrative sanctions (including monetary ones), applied by the DPA.
• DPAs in LAR have increased their enforcement activity, imposing substantial fines for non-compliance. Activity has increased in particular where Data Subject complaints are involved. DPAs do not have prosecutorial discretion, therefore all complaints must be investigated.
• All laws include the right of compensation if the infringement of Data Subject rights results in harm. The process is carried out before the courts.

Accountability
• Mexico and Colombia included the concept of accountability in their data protection legislation. The concept is similar to the one incorporated in the GDPR.
• Having an accountability-based data protection program is not mandatory, but companies that can demonstrate an accountability-based data protection program get benefits such as lessening of fines or ease in transborder flows.
• Demonstrating accountability has some requirements that need to be met (sometimes through codes of conduct).
• Although Peruvian regulation does not include the accountability concept, it does recognize some benefits from participating in voluntary codes of conduct.

Key Takeaways For Companies
• Latin America is as diverse in its privacy regimes as it is in its geographies.
• Habeas data is a constitutionally-based remedy of legal action that may be initiated by a citizen to discover what data is held about that person, in order to facilitate correction or deletion of the information.

Key Takeaways For Companies
• More incentives than ever exist for Latin American governments to modernize their data privacy laws in light of APEC membership, global commerce and trade, and international adequacy/interoperability opportunities.
• With Chile, Mexico and Peru already APEC members, companies should consider APEC CBPR Certification as a route to demonstrate compliance in the region.
• Companies should be aware of the data privacy quirks that exist in Latin America but are not widespread elsewhere, such as:
– Costa Rica’s “super user” database access for the government
– The “right to be forgotten” in Nicaragua
– Mexico’s detailed privacy notice rules but lack of a registration requirement

Contacts
Jacobo Esquenazi, jacobo.esquenazi@hp.com, @jesquenaziMX
Juan Luis Hernandez Conde, hcount@nclaw.mx, @TheRealHCount
Andrew McDevitt, amcdevitt@truste.com, @AndrewJMcDevitt

Thank You!
Details of our 2016 Summer/Fall Webinar Series are now available. Register now for our next webinar on September 22, “Changing Role of the CPO in Today’s Privacy Ecosystem”.
See http://www.truste.com/insightseries for the 2016 Privacy Insight Series and past webinar recordings.