Concerns about data privacy and protection have amplified over the past 20 years. In response, many countries worldwide have enacted data protection laws. Europe’s GDPR, which went into effect in 2018 and is now six years old, has served as a blueprint for many of these.
However, many countries and regions are also implementing legislation specifically suited to local circumstances. We’ve discussed a little about how these are both similar to and differ from GDPR in the case of:
- China’s Personal Information Protection Law (PIPL), which came into force in 2021.
- India’s Digital Personal Data Protection Act (DPDPA), which came into force this year (2024).
For three decades, we’ve offered our expertise as records and information managers, ensuring our clients and stakeholders can stay aware of all these changes. Avoiding the financial risks of non-compliance is all-important, given that major breaches can now cost billions in fines.
This article will explore some of the major data protection laws currently in force or under discussion in Latin America, focusing on key features that businesses operating in the region need to be aware of. This will be a brief overview of a complicated regulatory environment, albeit one that is fast becoming more harmonized with GDPR standards increasingly predominating. For more specific information, feel free to research further.
Remember, compliance when operating in these countries is mandatory.
Chile: Law on the Protection of Private Life (LPPL) – 1999 and Regulating the Processing and Protection of Personal Data (RPPPD) – 2017
Chile was the first country in Latin America to enact a data protection law back in 1999: the LPPL. Much like the other GDPR-predecessor laws discussed in this article, its scope and enforcement are very limited compared to GDPR itself. One of the key limitations of the LPPL is the lack of any official data-privacy authority.
The law proposed in 2017, the RPPPD, has been mired in legislative stagnation for many years. It aims to bring Chile in line with the international standards already discussed here: Extraterritoriality, Data Portability, Rectification/Deletion of Personal Data and more. However, despite being placed by the Government in an “urgent” legislative category as of 2021, it has still not gained the force of law.
Mexico: The Federal Law on Protection of Personal Data (FLPPD) – 2010 and the General Law for the Protection of Personal Data in Possession of Obligated Subjects (GLPPDPOS) – 2017
Mexico has two concurrent laws dealing with personal data. The FLPPD governs data held by private organizations and businesses while the GLPPDPOS governs data held by public institutions, for example, the courts, civil service etc. This sort of “split” is fairly unusual by international standards.
FLPPD is, like other laws that predate GDPR, more limited in its scope. It does not have an extraterritorial mandate, for example. It requires consent from the user to use their data, but does not offer as many redress options (e.g. the opportunity for a user to “rectify” their data after consent has been given). Fines in Mexico are more limited (US $1.5m maximum, as opposed to GDPR’s “4% of turnover”), but there is the interesting inclusion of potential criminal liabilities for breaches, something the GDPR does not mandate.
Brazil: The General Data Protection Law (LGPD) – 2020
Brazil is the largest economy, and arguably the most influential country, in Latin America. The General Data Protection Law (LGPD) is one of the most comprehensive data protection laws in Latin America, though it is not its first (that accolade belongs to Chile). The LGPD, unlike state-level laws in North America, applies to all businesses, not just those of a certain size or revenue.
It grants individuals significant rights, including the right to access, rectify, and delete their personal data. For businesses, the LGPD imposes strict obligations, such as conducting data protection impact assessments and appointing a data protection officer.
The LGPD has extraterritorial application – which is increasingly becoming a standard procedure in data protection law since GDPR. This means it applies to any processing of personal data of Brazilian residents, regardless of where the processing occurs. One very minor difference is that the LGPD also enshrines the rights of deceased citizens.
Argentina: The Personal Data Protection Act (PDPA) – 2000 and the proposed Draft Law on Personal Data 2023
Argentina’s Personal Data Protection Law is a relatively older piece of legislation (2000). However, it still provides a solid foundation for data protection in the country and has been amended since, for example in 2019 in order to include new forms of data such as video surveillance and other digital streams. Argentina is notable as the first country in Latin America to achieve “Adequacy” qualification for data transfers to the EU, for example.
The basics of the law establish principles for the processing of personal data, including legality, consent, and purpose limitation. It also grants individuals various rights, such as the right to access, rectify, and delete their personal data. However, its scope for what constitutes sensitive information is much more limited than GDPR and other more modern GDPR-like laws (e.g. not including gender).
As of 2023, the Argentinian Government has introduced a new draft law, titled “Draft Law on the Protection of Data” to replace the 2000 law in its entirety. This will include a broader scope of what is considered personal data as well as expanding the law to include extraterritoriality.
Conclusion
Latin America is an example of how the impetus set by GDPR in establishing certain gold standards around data protection in the digital age is not limited to developed economies. A majority of countries in this region either have in-force laws, amendments or draft laws that establish harmonized principles: Data Portability, a broad definition of “sensitive” data, user control over their data even after consent is given, and much more.
Our guidance for businesses operating or wanting to operate in Latin America is to adhere to international standards. Make sure your physical and digital records are regularly audited, that you have an up-to-date Information Governance Policy and that you are deleting lapsed information, physical or digital.
If you are already adhering to GDPR standards around the world, then you will likely not have issues in Latin America. However, as discussed, there are always idiosyncrasies at a national level to be mindful of; consider, for example, the criminal liability attached to Mexico’s data-protection laws.
If you’d like to discuss data protection, feel free to reach out to one of our experts.