Latin American Privacy with GDPR as Model
International Privacy + Security Forum

February 26, 2018

Agenda
1. Current State: LatAm
2. LatAm vs. GDPR
3. How GDPR may influence LatAm
4. Leveraging GDPR solutions in LatAm
5. Questions

1 Current State: LatAm vs. GDPR

© 2018 Baker McKenzie

Latin America – Current State of Data Protection*

Mexico:
•  Federal Law on Protection of Personal Data Held by Private Parties
•  Regulations to the LFPDPPP
•  Guidelines regarding Personal Data Security

Colombia:
•  Law No. 1,581
•  Law No. 1,266
•  Decree 1,377/13

Peru:
•  Law No. 29,733 (Data Protection Law)
•  Supreme Decree No. 003-2013-JUS
•  Law No. 30,096 (Cybercrime Law)

Chile:
•  Computing Crimes Act (Act No. 19,223)
•  Personal Data Protection Act (Act No. 19,628)

Brazil:
•  Brazilian Consumer Protection Code (Law No. 8,078)
•  Internet Legal Framework (Law No. 12,737)
•  Brazilian Criminal Code (as amended by Law No. 12,737/12)

Argentina:
•  Personal Data Protection Act No. 25,326
•  Personal Data Protection Decree No. 1558/2001
•  Disposition No. 11/2006 (Security Measures)
•  Law No. 24,766 (Confidential Information)
•  Law No. 26,388 (Criminal penalties for unauthorized access to information)

* Select countries described. Additional countries with specific data protection laws include Nicaragua, Costa Rica, Panama, Uruguay, and Paraguay.

2 LatAm vs. GDPR

GDPR – 13 Key Areas of Compliance

1. Data Mapping

2. Data Breach Reporting

3. Cross-border Data Transfer

4. Consent

5. Data Protection Officers (DPOs)

6. Rights for Data Subjects

7. Enforcement and Sanctions

8. Data Processor Obligations

9. Data Protection by Design & by Default

10. Data Protection Impact Assessments

11. The Accountability Principle

12. Profiling and the GDPR

13. One-Stop-Shop

Compared to GDPR - Argentina

Extraterritorial Application: No
Registration Requirement: Yes
Notice/Consent: Mandatory notice requirements; consent is the sole standard for lawful processing (express, informed, voluntary and in writing, or any comparable means)
Data subject rights: Rights of information, access, correction, and deletion
Cross-border data transfer restriction: Yes
Appropriate security: Yes, appropriate security
Breach notification: No specific mandatory obligation

Compared to GDPR - Brazil

Brazil (no specific data protection law)

Extraterritorial Application: Yes, to some extent based on case law (consumer protection)
Registration Requirement: No
Notice/Consent: Yes, generally must obtain consent for processing (express, informed, voluntary and in writing, or any comparable means)
Data subject rights: In certain cases, there may be rights of information, access, correction, and deletion
Cross-border data transfer restriction: No specific rules, but consent generally used
Appropriate security: No specific rules, but generally appropriate security
Breach notification: No specific rules addressing data security breaches (however, Data Controllers are generally liable for any data security breach)

Compared to GDPR - Chile

Extraterritorial Application: No
Registration Requirement: No
Notice/Consent: Must be voluntary, informed, and unambiguous, and must be in writing
Data subject rights: Rights of information, access, correction, and deletion
Cross-border data transfer restriction: None
Appropriate security: No specific requirements
Breach notification: No specific requirements

Compared to GDPR - Colombia

Extraterritorial Application: Yes, to some extent
Registration Requirement: Yes
Notice/Consent: Prior express, informed consent required for processing
Data subject rights: Rights of information, access, correction, and deletion
Cross-border data transfer restriction: Yes
Appropriate security: Yes, appropriate security
Breach notification: Yes, to the DPA, not to Data Subjects

Compared to GDPR - Mexico

Extraterritorial Application: Yes, to some extent
Registration Requirement: No
Notice/Consent: Yes, consent generally required, which must be voluntary, informed, explicit and unambiguous
Data subject rights: Rights of information, access, correction, and deletion
Cross-border data transfer restriction: Yes, but flexible when transfers are to processors and affiliates under contract or internal policy
Appropriate security: Yes, appropriate security
Breach notification: Yes, mandatory data breach notification requirements to data subjects

Compared to GDPR - Peru

Extraterritorial Application: Yes, to some extent
Registration Requirement: Yes
Notice/Consent: Processing of Personal Data generally requires prior, informed, express and unequivocal consent
Data subject rights: Rights of information, access, correction, and deletion
Cross-border data transfer restriction: Yes; requires consent and must be documented in a contract
Appropriate security: Yes, appropriate security
Breach notification: Arguably, yes, as the security rule is interpreted as requiring that any data breach be notified to the Data Subjects

3 LatAm Regulation in the GDPR Age

LatAm Regulation in the GDPR Age

•  EU traditionally sets the bar for data protection regulations globally
•  Extraterritorial application of GDPR imposes its obligations to some extent on operations located in non-EU countries
•  Adequacy findings by EU authorities:
   •  The Commission, after assessing the adequacy of the level of protection, may decide, by means of implementing act, that a third country, a territory or one or more specified sectors within a third country, or an international organization ensures an adequate level of protection within the meaning of [the GDPR].
•  Non-EU countries may have a financial motivation to impose GDPR-level data protection obligations in order to reap potential benefits of being found “adequate” for data transfers from the EU

LatAm Regulation in the GDPR Age

Movement to GDPR-level Regulations has already begun in Argentina

Proposed draft bill:

•  Scope: limits the scope of Data Subjects to natural persons, excluding legal entities, and adopts a more comprehensive approach for protection of Personal Data (whether or not such data is stored in a database);
•  New Concepts: incorporates new concepts such as genetic data, biometric data and cloud computing;
•  Accountability: includes accountability obligations and eliminates the registration requirement for databases;
•  Breach Notification: provides for the obligation to notify both the supervisory authority and Data Subjects of a data security breach of their Personal Data, providing for specific terms and information requirements in each case;
•  Data Protection Officer: imposes the obligation on governmental agencies/bodies and companies processing sensitive and large-scale data (big data) to appoint a Data Protection Officer, specifying duties, tasks and technical requirements applicable to that role;
•  Legal Bases for Processing: standards for the lawfulness of data processing (in addition to consent);
•  Information Requirements: information requirements to be provided to Data Subjects when collecting their Personal Data;
•  Cross-Border Solutions: safeguards recognized as legitimate cross-border data transfer tools, such as Binding Corporate Rules, approved codes of conduct and certification mechanisms;
•  Additional Data Subject Rights: expressly recognizes the right to object to processing (including processing for marketing purposes) and the right to restrict processing and data portability.

New regulations in connection with cloud computing (admitted as a data processing tool), sensitive data, minors’ consent, impact analysis and data protection by design and default are also addressed.

LatAm Regulation in the GDPR Age

Where do we see the rest of LatAm going?

Mexico:
•  Mexican BCR’s Registry is fully operative
•  New Government Data Protection Law mirrors Private Law
•  No expected reforms for Private sector in the next year

Colombia:
•  Recently created an “adequacy” list for cross border transfers

Chile:
•  New draft bill to replace the Personal Data Protection Act
•  Creates new Data Protection Council to enforce law and impose fines
•  Introduction of higher fines (expected to be up to US$700,000)

Argentina:
•  Draft bill for the Protection of Personal Data which aligns more fully with GDPR

Peru:
•  Recent updates to expand legal bases for processing beyond consent (e.g., execution of contract with data subject)

Brazil:
•  On 13 May 2016, the draft was sent to Congress under No. 5,276/2016 (the “Bill of Law”) that would heavily regulate the processing and protection of Personal Data in Brazil.

4 Leveraging GDPR Solutions for LatAm

Leveraging GDPR Solutions for LatAm

Benefits
•  Leverages existing (or soon to be existing) documentation, policies, procedures and solutions
•  Could enhance your LatAm compliance under current requirements (e.g., data protection officer requirements in LatAm, data protection impact assessments, information on processing)
•  Ensures a level of consistency in the organization’s global data protection compliance program

Leveraging GDPR Solutions for LatAm

Risks
•  May not be fully aligned with local requirements, for example:
   •  Argentina does not currently recognize BCRs
   •  Mexico does not use the same terminology as GDPR and does not have the same level of data transfer restrictions
   •  Colombia is not fully aligned with the EU on its “adequacy” findings (e.g., the US is considered to provide “adequate” protection by Colombia)
•  May impose greater restrictions on operations and data flows than may be necessary for the business
•  May not want to provide additional rights to data subjects (e.g., employees) that are not provided under local law

Leveraging GDPR Solutions for LatAm

Best Practices
1. Determine your privacy approach for the region
2. Leverage GDPR documentation, but ensure notices and other data subject-facing documents are compliant with the laws of the applicable Latin American countries
3. Identify gaps between the GDPR solution and local requirements (e.g., database registration requirements in LatAm)

5 Questions?

Thank you

Michael Egan, Partner, Baker McKenzie, Washington, D.C., [email protected]

Carlos Vela, Partner, Baker McKenzie, Mexico City, [email protected]