Data protection regulation in Latin America and the impact of the GDPR
The General Data Protection Regulation (GDPR), which is compulsory as from today, is a complex regulation that extends beyond the borders of Europe. The new rules will affect all companies, regardless of their location, that handle data of individuals living in the European Union, even if the company in question has neither a physical nor a legal presence in Europe.
These regulatory changes are likely to give rise to new data protection legislative measures in Latin America, where a large number of European companies operate. This article summarizes the current regulation in Brazil, Chile, Colombia, Mexico and Peru and looks at how the GDPR could influence new legislation in those countries.
- Data protection regulation in Latin America
- Impact of the GDPR
Brazil
1. The venture capital and fintech markets are quite active in Brazil. In the first quarter of 2018, three Brazilian startups achieved unicorn status (a valuation above US$1b), two of which hailed from the finance sector: Nubank and PagSeguro (via IPOs). To boost the sector, the National Monetary Council (Conselho Monetário Nacional, CMN) recently regulated, by means of Resolution No. 4,656, of April 26, 2018, what are known as Direct Credit Companies (Sociedades de Crédito Direto, SCD), financial institutions that provide loans and financing and acquire collection rights, always with own capital, as well as P2P Loan Companies (Sociedades de Empréstimo entre Pessoas, SEP), financial institutions that broker loans and financing between peers. Under the new legislation, SCDs and SEPs must act exclusively via electronic platforms, be incorporated as corporations, and have minimum paid-in capital and net worth of BRL 1 million at all times. SCDs and SEPs may also provide other services, such as credit analysis, loan collection and electronic money issue.
2. The new legislation creates a regulatory sandbox supporting the development of fintechs. Given the tightly concentrated nature of the Brazilian bank market and the resulting high interest rates charged, this would give Brazilian consumers better access to credit and on better terms. Accordingly, licensed direct credit and P2P lending fintechs can now act independently, without having to partner with and be backed by a bank (which was the market practice up to now). However, since the minimum capital and net worth requirement still poses a practical hurdle for some companies, traditional financial institutions and fintechs are still working together and complementing one another in some sectors.
Chile
1. In Chile, personal data protection has been regulated by law since 1999, particularly under Personal Data Protection Law No. 19,628, which establishes general provisions regarding personal data processed by third parties. The main obligation falling to these parties is that they must inform data subjects of the purpose for which their data will be stored and secure their written consent, although the law does not stipulate more specific formal requirements. Weaknesses in the law include the lack of adequate supervisory mechanisms and failure to cover the processing of information through digital media. To remedy these shortfalls, Chilean lawmakers have been working on a reform of the law for several years, proposing the creation of a personal data protection agency to ensure compliance with legal obligations and to penalize any breach thereof. This reform is in an advanced stage of its passage.
2. The design of the new Chilean personal data protection agency, incorporated in the current legislative bill, explicitly takes into account the experience of the Spanish Personal Data Protection Agency. The Spanish agency and European regulations served as models for Chilean lawmakers when determining the key features of the new legal data protection framework for their country. Consequently, the majority opinion in the market is that the Ministry of Economy, the body overseeing passage of the bill, will take the GDPR into account and amend the legislative bill to align it with European provisions.
Colombia
1. In Colombia, Law 1581/2012 and Decree 1377/2013 govern how the rights of data subjects should be safeguarded and the obligations arising for parties gathering and managing data. Prior to these regulations, Law 1266 was approved in 2008, particularly regulating the protection of personal data relating to credit and financial information. In addition to these laws, Decree 886 was issued in 2014, governing the National Database Registry, a public directory of information provided by parties gathering personal data.
2. Certain legislative bills have been put forth to endow Colombia's regulations with the same international scope as the GDPR (Senate Bill 89 of 2017). The GDPR includes obligations that are not regulated under Colombia law, such as the right to be forgotten, the preparation of profiles and the appointment of data protection officers.
Mexico
1. Personal data protection plays an essential role in the advent of new technologies and the web 3.0, and is regulated by a number of different legal systems throughout the world. In Mexico, the federal law on protection of data held by individuals (in force since July 6, 2010) and its implementing regulation (in force since December 22, 2011) are the main sources of law that, together, govern the lawful, supervised and informed processing of personal data, thereby ensuring privacy and the right to informational self-determination.
2. According to the Mexican government's official figures, in 2016 Spain accounted for 13.2% of foreign direct investment, which equals around 5,800 companies in Mexico. In addition, investments by European Union companies accounted for 33.5% of foreign direct investment. Many of these Mexican subsidiaries are over 50% owned or controlled by European companies subject to the new GDPR. Although specific legislative measures have not been established to bring Mexican regulations into line with the GDPR, it is essential that the content of the new regulation be widely distributed in the country so as to ensure it is correctly applied in alignment with the Mexican legal system.
Peru
1. Since 2011, Peru has specific personal data protection regulations in place. Law 29733 and its implementing regulations approved through Supreme Decree 003-2013-JUS establish the regulatory framework for personal data processing rights and obligations, through two main pillars: protection and safeguarding of the appropriate exercise of rights by data subjects and compliance with the obligations falling to companies processing personal data. In September 2017, a legislative reform was approved, setting out a new classification for breaches and infringements of data protection regulations.
2. Compliance with personal data protection legislation is still rather incipient (which is why Peru is reforming the law specifically to include a sanctioning regime). The new rights and obligations established in the GDPR will require specific guarantees and measures that, in many cases, have not yet been seen in Peruvian legislation.