A year ago, the Governor of California signed the California Consumer Privacy Act of 2018 into law. Known as the first comprehensive privacy regime in the United States, the Act imposes significant privacy obligations on businesses, creates a number of privacy rights, and provides for enforcement both through a private right of action and by the regulator.
Just a few weeks earlier, on 25 May 2018, the European Union’s General Data Protection Regulation (GDPR) became enforceable. Under the GDPR, which aims to give European citizens and residents control over their personal data and to simplify the regulatory environment, a controller of personal data must, amongst other obligations, clearly disclose any data collection, declare the lawful basis and purpose for the processing, state how long the data is retained, and state whether it is shared with any third parties or transferred outside the EU.
These landmark pieces of legislation are indicative of a growing concern, around the world, for one’s personal information, who has access to it, and how it is protected. The widespread outrage at recent data protection scandals such as Cambridge Analytica, which compromised the data of millions of Facebook users in the US, Europe, and the UK, further punctuates this concern.
This preoccupation with personal data security has extended to Latin America, where legislation is emerging to address these concerns. In 2016, the Inter-American Development Bank issued a report putting the cost of cybercrime in Latin America at approximately US$90 billion per year. The report also found that the region in general suffers from a low level of public awareness of cybercrime and data security; furthermore, many jurisdictions have no legislation in place to compel private firms to disclose that they have been the victims of cyber-attacks.
The purpose of this article is to provide an overview of the current legislative framework in the region, focusing on the region’s biggest jurisdictions. We will focus on the following key questions:
1 Who are the data protection authorities?
2 Is data breach a defined, legal term?
3 What are the data breach notification requirements, if any?
Argentina
Per the Ley de Protección de Datos Personales (Ley 25.326/2000), the relevant data protection authority in Argentina is the Dirección Nacional de Protección de Datos Personales.
Argentinian legislation does not define data breach as such. What the law does detail and regulate are infringements of its own provisions, which are graded as light, serious, and very serious; these are breaches of the law rather than definitions of a security incident.
In terms of notification requirements, there is no obligation to notify the data owner of a personal data breach. However, a bill currently under consideration would make it mandatory to notify both the Dirección Nacional de Protección de Datos Personales and the owner of the compromised data.
Brazil
On 14 August 2018, Brazil’s general data protection law, Law 13.709, was approved, following passage of the corresponding bill by the Brazilian Congress. The law becomes enforceable 18 months after its approval, in February 2020.
Taking lessons from the GDPR, the law defines personal data, sensitive personal data, anonymised data, database, data subject (owner of the data), controller, and operator (processor), among other terms. However, some provisions must be supplemented by additional laws and regulations that are still at an early stage. For example, the form and channel of breach notification and the methodology for administrative sanctions remain to be regulated.
Regarding the relevant data protection authority, the original text of the bill provided for the creation of a dedicated authority reporting to the Ministry of Justice. However, the Brazilian President removed this provision from the final wording of the law. Until it is determined whether a dedicated regulatory agency or administrative body will be created, the Brazilian Public Prosecutor, the Ministry of Justice and the consumer protection authorities are the entities responsible for initiating and conducting any proceedings concerning a breach of Law 13.709.
While Law 13.709 does not specifically define personal data breach, it defines personal data as information relating to an identified or identifiable natural person, and sensitive personal data as information relating to a person’s racial or ethnic origin, religious convictions, political opinions, health or sexual life, and genetic or biometric data.
Finally, in the case of a data breach that may cause significant risk or harm to data subjects, the data controller must report the incident to both the relevant authorities and the affected individuals. The communication must be made within a reasonable time and must at least set out: i) the personal data affected by the breach; ii) a description of the technical and security measures used to protect the personal data; iii) the risks arising from the breach; and iv) the steps taken to mitigate the breach.
Chile
Chile’s Law 19.628 (enacted in 1999 and since amended) establishes some data privacy rules covering both public bodies and private parties; however, supervision exists only for the public sector. While the Council for Transparency handles compliance with Law 19.628 by public entities, there is no regulatory authority that monitors compliance with data privacy laws by the private sector.
Law 19.628 does not define data breach; however, it defines personal data as information relating to an identified or identifiable natural person. It further defines sensitive data as personal data referring to a natural person’s physical or moral characteristics, or to facts or circumstances of their private or intimate life, such as personal habits, racial origin, ideologies, political opinions, religious beliefs, physical and mental health, and sexual life.
In terms of notification requirements, there is no requirement to notify the data owner of a personal data breach.
Colombia
Per Colombia’s Law 1581/2012, the Superintendencia de Industria y Comercio is the relevant data protection authority. However, with respect to financial data and financial entities, the relevant authority is the Superintendencia Financiera.
While Law 1581/2012 does not establish a legal definition of data breach as such, it does set out principles and obligations that must be followed in order to avoid allegations of non-compliance with the law.
Notification of a data breach must be addressed to the Superintendencia de Industria y Comercio, but there is no obligation to notify the data owner.
Mexico
Mexico’s Ley Federal de Protección de Datos Personales en Posesión de Particulares (LFPDPPP), passed in 2010, establishes the Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales as Mexico’s data protection authority.
Mexico is one of the few countries in Latin America with a specific legal definition of data breach: “any damage, theft, loss, alteration, modification, destruction or unauthorised use, copy, access or processing of personal data” (Article 63 of the Regulations to the LFPDPPP).
Mexico is also one of the few countries that require the owners of compromised data to be notified. The LFPDPPP provides that “any breach that significantly damages pecuniary or non-pecuniary rights must be notified to the owners of the data immediately, once the data holder/controller confirms the breach and takes actions to begin an exhaustive investigation process to determine the breach’s magnitude, so that the data owners can take measures accordingly” (Article 20 of the LFPDPPP). The notification must set out: i) the nature of the breach; ii) the compromised personal data; iii) recommended measures to protect the data owner’s interests; iv) the corrective measures taken immediately; and v) the means by which the owner of the data can obtain more information on the breach (Article 65 of the Regulations to the LFPDPPP).
Peru
We conclude our journey through the region’s legislative framework in Peru. Law 29733 (2011), implemented by regulations issued in 2013, establishes the Autoridad Nacional de Protección de Datos Personales, part of the Ministry of Justice, as the data protection regulator.
Law 29733 does not define data breach; however, non-compliance with the principles and obligations established under Law 29733 is considered a breach per se.
In terms of notification requirements, there is no requirement to notify the data owner of a personal data breach.
Conclusion
As can be seen from our legislative overview, while cybersecurity and data privacy legislation is still nascent in Latin America, concern and interest are growing. As has usually been the case in the past, and as Brazil demonstrates, we believe that those jurisdictions whose current legislation is lacking will quickly take their cues from the GDPR, from cybersecurity legislation in the United States, and from the more sophisticated jurisdictions in Latin America. Development will be quick, and with development comes risk that will have to be properly addressed by (re)insurance carriers throughout the region.
Authors: Alex Guillamont, Head of Latin America and Caribbean at Kennedys and Javier Vijil, Associate at Kennedys’ regional hub in Miami.