In Latin America, Brazil is the leader in data protection regulations. In 2018, the legislator adopted the General Data Protection Law (Lei Geral de Proteção de Dados Pessaoais or LGPD), which is very similar to European Union law. It will enter into force in August 2020. Companies should identify and document a legal basis for processing for each of the activities identified in the database and should indicate both the purpose of the processing and the legal basis of when and where the data was collected. If we look back over the past decade when it comes to data protection, we have seen significant legal progress in giving users control over their privacy. Since 2010, sixty-two new countries have enacted data protection laws, resulting in a total of 142 data protection laws worldwide. In Latin America, Chile was the first country to adopt such a law in 1999, followed by Argentina in 2000. Several countries have now followed suit: Uruguay (2008), Mexico (2010), Peru (2011), Colombia (2012), Brazil (2018), Barbados (2019) and Panama (2019). Although there are still different approaches to privacy protection, data protection laws are no longer a purely European phenomenon.
In the United States, various federal laws – including the Health Insurance Portability and Accountability Act of 1996 for health information, the Federal Privacy Act for personal data in government hands, the Federal Trade Commission`s rules regarding consumer privacy and personal information – impose or delegate different security requirements for their respective industries. In addition, most states have adopted state-level laws that provide consumers or authorities with data breach notifications. The principle allows citizens to access their data through a habeas data redress mechanism, which should be simple, without complex administrative procedures, easily accessible, cost-effective and not require the applicant to explain why he or she wishes to access the data. If there are obstacles to the exercise of this right, they must respect the principles of proportionality and necessity (e.g. where national security is at stake) (Lanza, 2017). When we think about the collection and protection of personal data, we generally consider those who are the subject of data collection as passive actors, but who have a legal framework designed to protect and properly process their data. Habeas data grants these persons a right of access, rectification and deletion of the data stored about them. Data protection is part of habeas data and acts both as a mechanism for granting rights to individuals and as an obligation of the state and its institutions.
Compliance is directly related to the right to privacy and access to information, both of which are enshrined in various international treaties. Data protection transparency and information protection can also play a key role in promoting a better understanding of the practices of companies and governments when it comes to requesting and transmitting user communication data. In collaboration with the EFF, many Latin American NGOs have urged internet service providers to publish their enforcement policies and gather information on government data requests. We have made progress over the years, but there is still plenty of room for improvement. As regards public oversight, data protection authorities should have a legal mandate to monitor the processing of personal data by public bodies, including law enforcement authorities. They should be impartial and independent authorities with knowledge of data protection and technology and sufficient resources to carry out the functions entrusted to them. Regional agreements also affect framework conditions, such as the T-MEC (USMCA), a free trade agreement between Mexico, the United States and Canada. The T-MEC contains a special chapter on e-commerce that focuses on cybersecurity, consumer protection and cross-border data flow (Más Seguridad, 2020), thus influencing the data governance regimes of the countries concerned. Future challenges in Latin America include designing laws specifically tailored to the digital context, creating data protection authorities, delineating the rights and obligations of the private sector, introducing clear transparency and accountability mechanisms, and building trust in data exchange at the regional level. Transparency of privacy and information guarantees strengthen a user`s right to be informed when government agencies have requested their data. European courts have argued that this right derives from the protection of privacy and data protection. In the Tele2 Sverige AB and Watson cases, the Court of Justice of the European Union (CJEU) ruled that “national authorities that have had access to the retained data must inform the data subjects.
as soon as such notification could no longer jeopardise the investigations carried out by those authorities. Previously, in Szabó and Vissy v. Hungary, the European Court of Human Rights (ECHR) had stated that the notification of users of surveillance measures was also inextricably linked to the right to an effective remedy against the abuse of surveillance power. Most Latin American constitutions recognize the rights to the protection of personal data. [1] Unlike the European Union, for example, where neighboring and historically connected countries share the GDPR, a single data protection law, Latin American health data and information remain governed by a patchwork of country-specific laws and regulations. This should be seen as an obstacle to the exchange of health data for research, public health and epidemiological science. [2] There is still a need to learn more about these laws. At the level of the Organisation of American States, habeas data is included in Principle 3 of the Declaration of Principles on Freedom of Expression, which states that the GDPR, which was adopted in April 2016 and is due to enter into force in all EU Member States in May 2018, is an improvement over the 1995 Data Protection Directive, both in terms of substantive provisions and harmonised implementation.