LATAM Data Privacy Frameworks

South America

Colombia

Law: Statutory Law 1581 of 2012 (October 17) Which Issues General Provisions for the Protection of Personal Data (only available in Spanish here) ('the Data Protection Law') and Decree 1377 of 2013 (June 27) Which Partially Regulates Law 1581 of 2012 (only available in Spanish here) ('the Decree')

Regulator: Colombian data protection authority ('SIC')

Summary: The Data Protection Law provides the core legal framework for data protection within Colombia in combination with additional supplementary decrees and circulars which provide for the interpretation of the Data Protection Law. Articles 15 and 20 of the Colombian Political Constitution (only available in Spanish here) ('the Constitution') explicitly recognize the right to privacy and the right to data rectification. The SIC currently holds the presidency of the International Consumer Protection and Enforcement Network ('ICPEN') and will remain in this position until July 2020.

Ecuador

Ecuador’s new data protection regulation has now become law. The draft Organic Law on the Protection of Personal Data received no objections from the President of the Republic and has been published in the Official Registry, therefore becoming law.

The new law establishes a national data protection authority, regulates cross-border data transfers, and provides citizens with rights including the right to request access to, amend and delete their personal data.

What does Ecuador’s new law look like?

This new regulation is Ecuador’s first dedicated data protection law, and some of the key areas are outlined below:

  • Data protection principles: The draft law recognizes many familiar data protection principles, including transparency, purpose limitation, confidentiality, limited retention, accountability and data accuracy, and processor and controller obligations.
  • Extraterritorial scope: Processors and controllers located outside of Ecuador must comply with the new law if they offer goods and services to Ecuadorian residents. Nevertheless, it does not oblige processors and controllers to have any representative in the country that will comply with the different obligations recognized in the law.
  • Data subject rights: The law brings with it new data subject rights, including the right to access, to rectification, to deletion, to cancellation, to portability, to object, not to be subject to a decision based solely on automated processing, and the right to be forgotten.
  • DPO requirements: Establishes controller and processor obligations for appointing a data protection officer, depending on the data being processed, and requires all public authorities to have a DPO. The DPO will work with the data protection authority and be the point of contact for data subjects.
  • Penalties: The law makes a distinction between minor and major infringements, with sanctions ranging from 3% to 17% of an organization’s annual revenue from the previous year. The DPA will decide on the sanction based on the severity of the infringement and the intention of the relevant party.

Peru

Summary

Law: Law No. 29.733 on the Protection of Personal Data 2011 (only available in Spanish here) ('the Law') and Supreme Decree No. 003-2013-JUS which Approves the Regulation of Law No. 29733 (only available in Spanish here) ('the Regulation')

Regulator: National Authority for the Protection of Personal Data ('ANPD')

Summary: The right to data protection was first presented through the 1993 Political Constitution of Peru (only available in Spanish here), before a comprehensive data protection law, the Law, came into force in 2011. The Law provides for various data subject rights, such as the right to access, rectify, object to processing, or to be informed of any processing. Moreover, the Law requires data controllers to register all personal databases in the National Registry of Personal Data Protection, managed by the APDP, as well as to notify the APDP of any cross-border data transfers. While the Law has not instituted general breach notification requirements in Peru, a 2020 Emergency Decree approving the Framework for Digital Trust and Measures for its Strengthening (only available in Spanish here) provided that bodies which have suffered a breach must notify the National Digital Security Centre and any other authorities that may have an interest.


Bolivia

Summary

Law: There is no general data protection law.

Regulator: There is currently no general data protection authority.

Summary: Currently, Bolivia does not have a comprehensive data protection law regulating privacy and data protection matters. However, there are two draft laws that are in progress. In particular, bill No. 349/2020-2021 for the protection of personal data (only available in Spanish here) was initially introduced to the Legislative Assembly on 19 October 2021. Thereafter, on 3 March 2023, a motion for the reintroduction of the bill (only available in Spanish here) was filed in the Legislative Assembly by National Deputy Renan Cabezas Veizan. Separately, OneTrust DataGuidance Research confirmed, on 25 April 2023, with Ana Valeria Escobar, Partner at PPO Abogados, that the Electronic Government Agency and Information and Communication Technologies ('AGETIC') had presented, on 31 March 2023, to the Bolivian Senate, a new data protection bill (only available in Spanish here). Both drafts would establish the Agency for the Protection of Personal Data ('APP') as the national regulatory authority, but in the meantime, the AGETIC often regulates such matters. Bolivia also has specific provisions ensuring the protection of personal data in the financial, healthcare, and telecommunications sectors.

Chile

Summary

Law: Law No. 19.628 on the Protection of Private Life 1999 (only available in Spanish here) ('the Law')

Regulator: Currently, oversight is carried out by the Chilean Transparency Council ('CPLT').

Summary: The legal regime regarding privacy and data protection in Chile dates back to 1999, with legal reforms underway to modernize the Law and bring about increased protections for data subjects. Currently, Bill No. 11144-07 Regulating the Processing and Protection of Personal Data and Creating the Personal Data Protection Authority (only available in Spanish here) ('the Bill'), which takes inspiration from the EU's General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), is under discussion in the Chilean Senate.

In particular, the Bill would bring Chile in line with international standards by establishing rights for access, rectification, cancellation, or deletion of personal data, and data portability, as well as introducing new legal bases for data processing, and special categories of personal information. Lastly, Bill No. 14847-06 Establishing a Framework Law on Cybersecurity and Critical Information Infrastructure (only available in Spanish here) ('the Cybersecurity bill') is under discussion in the Chilean Senate. In particular, the Cybersecurity bill would regulate public and private institutions that possess critical information infrastructure and establish requirements associated with responses to cybersecurity incidents.

Argentina

Summary

Law: Personal Data Protection Act, Act No. 25.326 of 2000 (only available in Spanish here) ('the Act') and Decree No. 1558/2001 Regulating Law No. 25.326 (only available in Spanish here) ('the Decree'), amended by Decree No. 1160/10 (only available in Spanish here)

Regulator: Argentinian data protection authority ('AAIP')

Summary: The Act sets forth the main principles and rules for the protection of personal data and has been followed by multiple decrees that detail rules for the implementation of the Act. Three years after the passing of the Act, Argentina was recognized by the European Commission as providing an adequate level of protection for personal data. The AAIP regularly issues resolutions which interpret the Act and guide compliance. These resolutions have, among other things, defined 'security measures' and provided guidance on Binding Corporate Rules ('BCRs') for international data transfers.

More recently, the AAIP published, on 10 November 2022, a draft bill to update the Act (only available in Spanish here), following a public consultation on the Act during September 2022. Furthermore, the AAIP issued Resolution 4/2019 (only available in Spanish here), which specifies mandatory guidelines for the application of the Act, and addresses topics including video surveillance, automated data processing, consent, and biometric data. In addition, the AAIP issued, on 1 December 2022, Resolution 240/2022 amending Provision No. 9 of 19 February 2015 on the National Directorate for the Protection of Personal Data and No. 13 of 10 March 2015 (only available in Spanish here), which establishes the classification of offences under the Act respectively as minor, serious, and very serious, alongside the graduation of sanctions.


Paraguay

Summary

Law: Law No. 1682 Which Regulates Private Information 2001 (only available in Spanish here), as amended by Law No. 1969 of 2002 (only available in Spanish here), and Law No. 5543 of 2015 (only available in Spanish here) ('the Private Information Law')

Regulator: There is no general data protection authority.

Summary: Paraguay combines a constitutional rights-based model of data protection with its Private Information Law. The Private Information Law regulates the collection, storage, distribution, publication, modification, destruction, duration, and overall processing of personal data in files, registers, data banks, or other technical means of processing of public or private data intended to provide reports. Violations of the provisions of the Private Information Law are enforced by the courts and subject to fines.

On 30 April 2021, the Chamber of Deputies announced a Bill on the Protection of Personal Data of the Republic of Paraguay (only available in Spanish here) ('the Bill'). The Bill provides for more comprehensive data protection in Paraguay and proposes, among other things, new data subject rights, security standards and obligations, and new requirements associated with data protection officers. Other key areas of privacy regulation in Paraguay include its legal framework for anti-money laundering and countering the financing of terrorism ('AML/CFT'), which was recently amended on 26 December 2019 with the signing into law of Law No. 6497 (only available in Spanish here).

Uruguay

Summary

Law: Law No. 18.331 on the Protection of Personal Data and the Habeas Data Action 2008 (only available in Spanish here) ('the Law'), Decree No. 414/009 Regulating Law 18.331 Relating to the Protection of Personal Data (only available in Spanish here) ('the Decree'), and Decree No. 64/020 on the Regulation of Articles 37-40 of Law No. 19.670 of 15 October 2018 (only available in Spanish here) ('the 2020 Decree')

Regulator: The Uruguayan data protection authority ('URCDP')

Summary: Uruguay has often been near the forefront of data protection developments in Latin America and in 2012 became the second jurisdiction in the region, after Argentina, to obtain an adequacy decision from the EU. While the Law and the Decree established an essential data protection framework that enabled this adequacy finding, several further laws and decrees have since been issued which have brought Uruguay into closer alignment with the EU's General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR').

Furthermore, the 2020 Decree established new obligations relating to, among other things, breach notifications, Privacy by Design, data protection officer appointments, Data Protection Impact Assessments, and security measures. Law No. 20075 of 20 October 2022 (only available in Spanish here) ('Law No. 20075') entered into force on 1 January 2023 and amends the Uruguayan data protection system. Specifically, Law No. 20075 introduced amendments including disclosure to data subjects, as well as the powers of the URCDP.

Brazil

Summary

Law: Law No. 13.709 of 14 August 2018, General Personal Data Protection Law (as amended by Law No. 13.853 of 8 July 2019) ('LGPD')

Regulator: The structure of the Brazilian data protection authority ('ANPD') was created by Presidential Decree No. 10,474 of 26 August 2020 (only available in Portuguese here) ('the Decree'). The Decree will come into force on the date of publication of the appointment of the ANPD's executive director in the Federal Official Gazette.

Summary: The LGPD was passed in 2018 and entered into effect on 18 September 2020, although its enforcement provisions will not come into effect until 1 August 2021. The LGPD is a comprehensive data protection law which covers the activities of data controllers and processors and creates novel requirements on the processing of information of data subjects. It includes provisions on a variety of issues such as data protection officer appointments, Data Protection Impact Assessments, data transfers, and data breaches. It will be enforced by the ANPD which, when established, is expected to provide important guidance and clarity on the provisions of the LGPD. In addition, Law No. 12.965 of 23 April 2014 (only available in Portuguese here) ('Marco Civil da Internet') has been in force since June 2014 and establishes principles, guarantees, rights and duties relating to the use of the internet in Brazil. So far, and before the establishment of the ANPD, the Public Ministry of Federal Districts and Territories has taken various enforcement actions in relation to privacy based on the provisions of Marco Civil da Internet.

Guyana

Summary

Law: The Data Protection Act No. 18 of 2023

Regulator: The Data Protection Office is not yet established.

Summary: On August 16, 2023, the Act received Presidential assent and will come into effect on the day the Minister responsible for data protection may, by order, appoint. The Act regulates the collection, keeping, processing, use, and dissemination of personal data and establishes data protection principles as well as legal bases for the processing of personal data.

The Act also introduces specific requirements for data controllers and processors including conducting Data Protection Impact Assessments, appointing a data protection officer, registering with the Data Protection Office, and maintaining records of processing. Furthermore, the Act creates specific restrictions on the transfer of personal data outside of Guyana and provides data subjects with rights including rectification, access, erasure, data portability, among others.


Suriname

Summary

Law: Bill for the Privacy Protection Act and Personal Data (only available in Dutch here) ('the Bill')

Regulator: Not applicable

Summary: The Bill was presented to the Suriname National Assembly in 2018 and considered by the Committee of Rapporteurs on 21 January 2021. The Committee had several questions and sought feedback on the Bill. However, there has been no further progress since this time, and the Bill is still under consideration in the National Assembly.


Mexico

Summary

Law: Federal Law on Protection of Personal Data Held by Private Parties ('FLPPDPP'), Regulations to the Federal Law on Protection of Personal Data Held by Private Parties ('the Regulations')

Regulator: National Institute for Access to Information and Protection of Personal Data ('INAI')

Summary: The FLPPDPP, the Regulations, and the Guidelines on Privacy Notices ('the Guidelines') (only available in Spanish here) establish the principles and minimum standards for processing personal data and form the bases of the regulatory framework for the protection of personal data in Mexico's private sector. There are also sector-specific laws in the financial services and health and pharmaceutical sectors. Notably, under the current legislative framework there is no requirement to inform the INAI or any other state authority when a data breach occurs.


Guatemala

Summary

Law: There is no general data protection law.

Regulator: There is no general data protection authority.

Summary: At present, Guatemala does not operate a comprehensive legal framework for data protection. However, there is currently a draft data protection law under consideration, Bill No. 6105 of 23 June 2022 for the Approval of the Personal Data Protection Law (only available in Spanish here) ('the Bill'). In the absence of a comprehensive data protection legislative regime, the Constitutional Court of Guatemala has recognized the existence of data privacy as a human right, as well as minimum guarantees and procedures that must be observed when processing personal data.

In addition, Article 31 of the Political Constitution of the Republic of Guatemala 1985 (only available in Spanish here) ('the Constitution') provides that each individual has the right to access, know the purposes of, and correct personal data held within public files, records or government registries, while Article 24 of the Constitution guarantees the protection of correspondence, documents and books. Other relevant privacy legislation includes Decree No. 57-2008 on the Law of Access to Public Information (only available in Spanish here), which provides for the regulation of access to information by public bodies.

Honduras

Summary

Law: Draft Law on the Protection of Personal Data (only available in Spanish here) ('the Draft Law')

Regulator: There is no general data protection regulator.

Summary: Honduras does not operate a comprehensive legal framework for data protection as, at present, the Draft Law has not been enacted and a large portion of its provisions remains to be approved by the Honduras Congress. Discussions of the Draft Law reached a peak in 2018 as several articles were approved by Congress, and it was expected that the Draft Law may come into effect in 2019. However, progress of the Draft Law has since stalled and it remains to be seen when, and if, it will come into force.

Currently, Article 182 of the Political Constitution of 1982 (only available in Spanish here) establishes the existence of data privacy as a human right by regulating access to personal data. Other relevant privacy legislation includes the Law of Transparency and Access to Public Information (only available in Spanish here). In general terms, the constitutional provisions and other legislation provide that consent should be obtained prior to personal data processing activities.

Nicaragua

Summary

Law: Law on Personal Data Protection No. 787 of 21 March 2012 (only available in Spanish here) ('the Law') and Regulation of Law No. 787, Decree No. 36-2012 of 17 October 2012 (only available in Spanish here) ('the Regulation')

Regulator: The Nicaraguan data protection authority ('DIPRODAP') (not yet established)

Summary: The Nicaraguan Constitution recognises explicitly the right to privacy under Article 26. The purpose of the Law and the Regulation is to protect the personal information of natural and legal persons and to guarantee the right to privacy. In addition, they establish obligations for data controllers and processors and provide various rights to data subjects. However, since the DIPRODAP has not yet been established, the Law and the Regulation are not yet practically enforceable. In addition to the Law and the Regulation, there are specific laws for the financial sector which create further obligations regarding processing and security of certain categories of information.

Belize

Summary

Law: Data Protection Act, 2021

Regulator: Data Protection Commissioner not yet established.

Summary: In 2021, the National Assembly in Belize adopted the Data Protection Act, 2021 ('the Act') which will enter into force on a day to be appointed by the Minister by Order published in the Gazette. The Act regulates the collection, keeping, use, and dissemination of personal data and establishes data protection principles as well as legal bases for the processing of personal data.

The Act also introduces specific requirements for data controllers and processors including conducting Data Protection Impact Assessments, appointing a data privacy officer, and maintaining records of processing. Furthermore, the Act creates specific restrictions on the transfer of personal data outside of Belize and provides data subjects with rights including rectification, access, erasure, data portability, among others. Importantly, the Act introduces fines of up to BZ 500,000 (approx. $248,240) for violations of its provisions.


Costa Rica

Summary

Law: Law on the Protection of Persons Regarding the Processing of their Personal Data No. 8968 of 2011 (only available in Spanish here) ('the Law'), and Executive Decree No. 37554-JP of 30 October 2012 Regulating Law No. 8968 (only available in Spanish here)

Regulator: Costa Rican data protection authority ('PRODHAB')

Summary: The right to privacy has been recognised and protected since the mid-1990s in Costa Rica through the Constitution. The Law then introduced additional data subject rights, including the right to access, rectify, or delete personal data, and established express consent of the data subject as a central principle. The Law further requires that databases must be registered with PRODHAB and that data controllers and processors ensure that adequate security safeguards are in place to protect data. Please note that Bill No. 22.388 (only available in Spanish here), aiming to reform the Law, was published on 12 February 2021 in the Official Gazette.

Panama

Summary

Law: Law No. 81 on Personal Data Protection 2019 (only available in Spanish here) ('the Law'), and Executive Decree No. 285 of 18 May 2021 that regulates Law No. 81 on Personal Data Protection (only available in Spanish here) ('the Decree')

Regulator: National Authority for Transparency and Access to Information ('ANTAI')

Summary: The Law entered into force on 29 March 2021. The Law, which is further regulated by the Decree, governs the principles, rights, obligations, and procedures in relation to the protection of personal data in Panama. More specifically, the law provides for, among other things, consent procedures for the processing of personal data, obligations for the cross-border processing of personal data originating in Panama, and a Personal Data Protection Council with advising power and functions.

In addition, there are several other laws, such as the National Constitution of the Republic of Panama, which regulate personal data protection. The Constitution outlines the right to privacy of personal communications and documents, the right to access information contained in databases held by public bodies or by private persons providing public services, as well as to request the correction, rectification, or deletion of such information.


Cuba

Summary

Law: Law 149/2022 on Personal Data Protection (only available in Spanish here) ('the Law')

Regulator: Ministry of Justice ('MINJUS')

Summary: In Cuba, the Law regulates the protection of personal data, consolidating the right to privacy provided under Article 97 of the Constitution of the Republic of Cuba. The Law applies to public and private bodies, introduces the concepts of data owners, with specific rights, as well as responsible persons, and designated persons. Processing of personal data in Cuba is underpinned by 12 personal data protection principles which must be complied with in any such activities. Interestingly, the Law details an extensive definition for personal data and requires the establishment of a data retention regime and even specifies a statutory retention period of five years, if it is not otherwise stated by law for a category of record.

Although the Law does not establish a new data protection authority, the MINJUS is tasked with ensuring compliance and various public bodies are permitted to authorise cross-border transfers of personal data. To support the Law, the Regulation for Safety and Protection of Personal Data in an Electronic Format governs the processing of personal data by public telecommunications and ICT services providers. Having been published on 25 August 2022 in the Official Gazette, both the Law and the Regulation will enter into force 180 days from this date i.e. 21 February 2023.


Dominican Republic

Summary

Law: Law No. 172-13 on the Comprehensive Protection of Personal Data Contained in Archives, Public Registries, Databases or Other Technical Means of Data Processing Used for Reporting, Whether Public or Private 2013 (only available in Spanish here) ('the Law')

Regulator: There is no general data protection authority.

Summary: The Dominican Constitution (only available in Spanish here) provides for the right to the protection of personal data in public or private records under Article 44(2). In addition, the Law provides that data controllers and processors must comply with certain principles, including data security, professional secrecy, data quality and data loyalty. The Law does not require the notification or registration of databases; however, it establishes data subject rights and sanctions for violations of its provisions. Although there is no general data breach notification requirement under the Law, the Dominican Telecommunications Institute ('INDOTEL') requires the adoption of security measures, classified as basic, medium, or high depending on the type of information, and the notification of data breaches if they occur. Under the Law, the Banking Authority is responsible for supervising the data processing activities of credit information companies.

Lastly, Bill 00636-2021 On Cybersecurity Management in the Dominican Republic (only available in Spanish here) is currently under discussion in the Senate of the Dominican Republic, and would regulate the prevention, management, and responses to threats and cybersecurity incidents as well as other aspects related to cybersecurity of critical infrastructure, and would establish the National Cybersecurity Center.


About Usercentrics

Usercentrics provides useful insights and market updates and can support your organization to gain compliance in accordance with new data protection laws and regulations.

  • Consent Management Platform: Operationalize and introduce automation to your country’s compliance requirements including opt-outs, consumer rights, and privacy governance operations.
  • Regulatory Research: Usercentrics regional research team updates our website with in-depth and up to date regulatory research to make sure you stay on top of the latest developments.
  • Professional Services: Get support with planning and implementing your compliance program with our implementation and validation services.

Please contact me for more information.

Nicholas CM Consultant & GDPR Data Protection Practitioner

[email protected] - www.usercentrics.com

Raul Ruiz Marquinez

Enterprise Account Executive @ Usercentrics | Transforming Data Privacy with Innovative Consent Management Solutions | Leading the Way in User-Centric Privacy Practices

5 months

Fantastic job on this article Nicholas!! Wonderful job keeping us informed and updated about the latest regulations in the region
