Daily Business Review: Latin American laws pose challenges for U.S. firms

January 29, 2014 Posted in Firm News

By: Luis Salazar

These days, you can be sitting sipping your cafecito in Miami, while running an e-commerce site that sells into Latin America, or logging into an Orkut account, or receiving business information via email from your business partner in Chile. The internet and mobile devices are making the “border” between the United States and Latin America – meaning Mexico, Central America, the Caribbean, and South America – seem virtually non-existent.

But just the opposite is true. Collection of personal information in Latin America is subject to cultural and legal standards that are often profoundly different from those in the United States. In fact, data privacy and cybersecurity awareness has grown almost exponentially in the last few years, with Mexico, Costa Rica, Colombia, Peru, and Trinidad passing new privacy laws in just the last two years, and other countries, including the economic powerhouse Brazil, expected to follow. Cross-border commerce with Latin America that involves personal data presents significant land-mines for United States businesses, as each country has different, often multiple, privacy-law regimes. Nonetheless, there are common elements that can be understood.

Habeas Data
Perhaps no single concept is more fundamental to understanding Latin American data privacy law than Habeas Data. Habeas Data, literally translated as “you should have the data,” is a constitutional right granted to individuals in many Latin American countries and is the predominant force in the region's data privacy laws. Although its details vary by country, Habeas Data is generally the right of an individual to petition a court to help it protect his or her privacy, including his or her image, privacy, honor and freedom of information. The action can be brought against anyone holding information, and it empowers the complaining party to request a correction or even destruction of personal data held by a third party.

Brazil became the first country to officially enact a Habeas Data law in 1988, when it passed a new constitution and gave Habeas Data full constitutional authority. Thereafter, Columbia adopted the Habeas Data right in its new constitution in 1991; Paraguay in 1992; Peru in 1993; Argentina in 1994; Ecuador in 1996; and Bolivia in 2004. With each subsequent enactment, Habeas Data rights became clearer.

Traditionally, Habeas Data has been seen as an individual right that can only be brought and asserted by the affected individuals. But more recently, Latin American courts have begun to take a broader view, leading many to believe that Habeas Data will eventually become one way to seek privacy remedies for groups or classes of individuals.

EU Adequacy
As it happens, Habeas Data concepts tie well with European Union privacy laws. In particular, the EU Privacy Directive permits the cross-border transfer of personal data to other countries, but only if their privacy laws are deemed “adequate.” In order to attract additional trade and commerce with the EU, the trend in recent privacy legislation and in proposed legislation throughout the region is to adopt an EU-based model, in the hopes of obtaining that adequacy designation. Thus far, only Argentina has managed this feat. And it is worth noting that the United States privacy laws are not considered adequate.

Consent
Latin American privacy laws also rely heavily on consent. And, while implied consent can often be sufficient in the U.S., Latin American data privacy laws most often require express and verifiable consent before data from any person is gathered. For example, Colombia’s Law 1581, passed in October 2012, requires that each such person be notified of (i) the purpose of the data collection or processing; (ii) the intended use of the personal data; (iii) the data owner’s privacy rights; and (iv) how the data owner can access the responsible party’s policies regulating the processing of personal data. Parties collecting personal data must obtain verifiable written consent and retain that consent.

Lack of Uniformity
While the EU has adopted a uniform privacy standard and the U.S. has preemptive Federal privacy standards, Latin America data privacy lacks a common standard. To the contrary, each country has its own privacy laws, and often their political subdivisions have their own laws too. Mexico, for example, has its own national data privacy law but the states of Colima, Guanajuato, and the Federal District of Mexico City also have their own. There is simply a tremendous variety of laws to track.

Best Practices
In the face of this challenging data privacy landscape, there are certain best practices that businesses can follow to avoid legal or enforcement action. First, businesses should be transparent about their privacy practices. That is, be clear about why information is being collected, how it will be used, and how it can be accessed. Second, stay clear of sensitive privacy issues, like religion and health. They required heightened collection standard. Third, if your business is heavily dependent on the collection and transfer of personal information, it pays to build relationships with regulators ahead of time. Many Latin American countries have “Data Protection Authority” that focuses on privacy enforcement.

Finally, have a program in place. Businesses should have policies and procedures that establish internal requirements for data security and management. And critically, these programs should have established procedures to capture and respond to consumer privacy requests and complaints, to avoid their escalating to the attention of data protection authorities.

Reprinted with permission from the January 29, 2014 edition of the Daily Business Review© 2014 ALM Media Properties, LLC. All rights reserved. Further duplication without permission is prohibited. For information, contact 877-257-3382, reprints@alm.com or visit www.almreprints.com”