Privacy – Personal Data Protection news in LATAM
In this article, we comment on some of the most important developments in personal data protection that took place in Latin America over the last few months.
(i) Ibero-American Network
– On September 27, the Ibero-American Data Protection Network published the “Guide for the implementation of standard contractual clauses that can be used to validate international data transfers” (“Guide”). The Guide seeks to establish the main aspects to be taken into account when international data transfers are carried out using standard contractual clauses. For this purpose, two standard contractual clauses were drafted; the first one to be used in case of transfers to controllers; the second one for transfers to processors.
– Data protection bill
On November 10, the Agency for Access to Public Information (“Agency”) published a new version of the Personal Data Protection draft bill as reported in a previous edition of the BeNews (see here).
For this new version, the Agency considered some of the comments received during the public consultation process that began on September 12 and ended on October 11.
As previously mentioned, the bill is aligned with the EU General Data Protection Regulation. We list below some of the most important aspects of the bill:
- Adjustments in the definitions of certain terms included in the law, such as sensitive data;
- The territorial scope of application is extended to those data processing operations carried out by data controllers or processors that are not established in the Argentine territory;
- Certain principles, such as data minimization, accountability, technological neutrality and prevalence, are added;
- New legal bases, such as legitimate interest, are recognized;
- A data breach notification obligation is included;
- New data subject rights are recognized, such as the right to portability, the right not to be subject to a decision based solely or partially on the automated processing of data, and the right to be informed of the criteria used for automated processing of data, among others;
- A data controller will have to conduct a data protection impact assessment in certain cases;
- In certain situations, a Data Protection Officer must be appointed;
- A representative must be appointed when the controller or processor is not established in Argentina;
- The value of fines is increased and will be updated annually.
– Convention 108+
On November 9, the Argentine Congress approved Argentina’s accession to Convention 108+. Among the new guidelines incorporated by this Protocol to Convention 108, to which Argentina acceded in 2019, the following stand out:
- The recognition of certain general principles on data processing, such as the principle of proportionality and data minimization;
- The definition of sensitive personal data is broadened. Genetic data, ethnic origin, union membership and biometric data are included;
- Certain data breaches must be reported to the data protection authority;
- Recognition of new rights for data subjects;
- Greater involvement of the principle of accountability for data controllers;
- Update of the international data transfer regime;
- New powers for the control authorities and extension of the legal bases for international cooperation.
– Registration of databases of foreign data controllers
On November 29, the Agency, the controlling authority for Argentine Personal Data Protection Law No. 25,326, released a web form to be used by foreign individuals or legal entities that process personal data of Argentine data subjects to comply with the obligation to register databases.
According to the current legislation, data controllers must report their data processing activities to the National Registry of Databases of the Agency.
Before the implementation of this new form, the National Registry was only available to Argentina-based data controllers.
– Amendments to regulations concerning sanctions
On December 5, 2022, Resolution 240/2022 of the Agency was published in the Official Gazette. The Resolution introduces some modifications to the sanction regime regarding the protection of personal data established in Provision No. 7/2005 of the former National Directorate for Personal Data Protection.
Resolution 240/2022 provides for two annexes that formulate a new sanctions regime and establish new parameters for infringements of the Data Protection Law and the Do Not Call Law.
Annex I of Resolution 240/2022 introduced several modifications to the conduct classified as minor, serious and very serious infringements of the data protection regime.
Annex II of Resolution 240/2022 modified the amount of fines as follows:
- Minor infringements: fines ranging from Argentine Pesos 1,000 to 80,000 (between USD 5.6 and 450.70 at the official exchange rate of December 12, 2022);
- Serious infringements: fines ranging from Argentine Pesos 80,000 to 90,000 (between USD 450.70 and 507);
- Very serious infringements: fines ranging from Argentine Pesos 90,000 to 100,000 (between USD 507 and 563).
On the other hand, Resolution 244/2022 of the Agency, published in the Official Gazette on December 6, 2022, amended the maximum amount of fines that can be imposed in case of infringements.
When an infringement includes more than one pecuniary sanction for identical conduct that constitutes a violation within the same classification of infringement set forth in Resolution 240/2022 (minor, serious or very serious), the following rules will apply:
- Minor infringements: fines ranging up to Argentine Pesos 3,000,000 (USD 16,901 at the official exchange rate of December 12, 2022);
- Serious infringements: fines ranging up to Argentine Pesos 10,000,000 (USD 56,338);
- Very serious infringements: fines ranging up to Argentine Pesos 15,000,000 (USD 84,507).
– On November 8, the Brazilian Data Protection Authority published its Regulatory Agenda 2023-2024 (“Agenda”). The Agenda sets out the high-priority topics for the next two years. The Agenda’s initiatives are divided into phases pursuant to certain priorities of different topics.
– The House of Representatives is still discussing the personal data bill which seeks to replace Law 19.628 on Personal Data Protection.
– The Executive Branch pointed out certain aspects to be taken into account in the forthcoming debates. The main aspect to be considered will be the liability of infringers, whose sanctions could be classified as minor, serious and very serious.
– Other aspects such as the right of portability, what information must be provided to the data subject, the duty to adopt security measures, among others, will also be discussed.
– On October 25, the National Authority for the Protection of Personal Data approved the Guide of the Ibero-American Data Protection Network. As a result, companies will be able to use the contractual clauses approved by the Network when transferring personal data to other countries.
– On October 20, the Law on Accountability and Budget Balance for the fiscal year 2021 was passed. This statute modified the Uruguayan Law on Personal Data Protection. The main changes refer to the right to information of data subjects and the actions to be taken by the supervisory authority.
For further information please contact: email@example.com and/or firstname.lastname@example.org