Latin-America remains on the forefront of data protection legislation. In this final instalment of data protection laws around world, we look at the latest developments within this region. Several countries adopted new laws, while Uruguay is strengthening its existing data protection framework.
Cayman Islands
In 2017, a new comprehensive data protection law was adopted, which will come into force by September 2019. The new law takes many aspects from internationally-recognised principles, such as requiring data minimisation and purpose limitation. It grants individuals the rights to access the data that an organisation is processing, and to request that any inaccurate data is corrected or deleted. The Office of the Ombudsman will be made responsible to enforce the law.
Brazil
One of the major new data protection laws is Brazil’s General Data Protection Law. The law draws heavily from the EU’s GDPR, with similar requirements for data exports limited by adequacy requirements of the destination, data protection impact assessments, data protection officers, data breach notifications to the DPA and the data subject, and limits on automated processing.
It also includes well-known rights, including the right to access, to rectify and delete data; the right to be informed about data processing; and the right to data portability. The law will be enforced by a the newly established Data Protection Authority and administrative fines can be given up to 2% of a company’s previous year’s revenue in Brazil.
Panama
In October 2018 the Panamanian Parliament passed the Data Protection Law, and will take effect in 2021, i.e. two years after publication in the Official Gazette. With this law, Panama follows the regional trend of adopting comprehensive data protection legislation. The law makes the National Authority for Transparency and Access to Information responsible for its enforcement, which can hand out sanctions between US$1,000 and US$10,000. It provides for similar rights to individuals as most modern privacy laws, i.e. access, rectification, cancellation, opposition and portability.
St Kitts & Nevis
The Data Protection Act 2018 was enacted on May 4, 2018. The Act is largely derived from an Organization of Eastern Caribbean States (OECS) model, drawing upon EU sources as well as the OECD. It covers both the public sector and the private sector in respect to commercial transactions, and goes beyond minimal principles by including requirements in relation to sensitive data, and limits on data retention. The Information Commissioner is empowered to issue enforcement notices. Data subjects can take civil actions to seek compensation for breaches of the Act, and there are a range of criminal penalties.
Uruguay
Uruguay was one of the first countries is LATAM to adopt a comprehensive data protection law. In order to ensure its legal framework remains compatible with the new GDPR, so it can continue to enjoin the EU’s adequacy decision, it has updated its privacy law. The updated legislation strengthens the extra-territorial scope, data breach notification, accountability (requiring controllers to implement other GDPR elements), and data protection officers.
As we have seen in this and previous instalments of this series, there is currently a lot of movement in the data protection sphere globally, with many countries updating or introducing new laws. If you want to learn more about these developments and more make sure you subscribe to our ESOMAR Plus service.
