The challenge of data protection: new trends in terms of regulation, investigation and emblematic cases

Tuesday 25 July 2023

Verónica Franco

Ferrere, Asunción

vfranco@ferrere.com

Conference report

Biennial IBA Latin American Regional Forum Conference: Technology, social media and artificial intelligence: challenges for the legal industry in the digital age

22 March 2023

Breakout session 2

Session Co-Chairs

Agustin Mayer Ferrere, Montevideo; Website Officer, IBA Latin American Regional Forum; Vice-Chair, IBA Intellectual Property and Entertainment Law Committee

Lorenzo Villegas CMS Rodriguez Azuero, Bogota

Speakers

Adriana Olarte Jerónimo Martins Colombia SAS, Bogota

Mario Arrua-Leon Equifax, Asuncion

Catherine Collins Falabella, Santiago

Paula Vargas Meta, Buenos Aires

The current state of data privacy regulation in Latin America

Catherine Collins opened the session by explaining that data privacy rules across Latin America are challenging. The main problem is that there is no unique authority to establish uniform principles and enforcement trends across countries.

The European Union standard (the GDPR) is always present as a regulation but does that not necessarily mean there is uniformity. Villegas states that the EU uses the GDPR as a fundamental economic value as well as a fundamental right of the individuals. In Latin America, data privacy regulation is only used for the second of these purposes. That difference has an important impact.

There are different stages and levels of regulation within Latin America. For example, Bolivia or Venezuela only regulate data privacy at a constitutional level. Ecuador or Brazil have just approved GDPR-based regulations. Other countries lack legislation to protect substantive data rights.

Mariana Olarte mentioned that Colombian regulators adopted some principles of GDPR, but a few are missing. She also explained the importance of data privacy enforcement officers and their roles. Colombian law and enforcement is currently more focused on big companies.

In Argentina, the law was recently updated, and there is an established system in place. Other countries such as Chile are enacting data protection for the first time, inspired by GDPR. On the other hand, Brazil has had such a law for two years.

The issues covered by the legislature are the same as in other legislation, but are not regulated in the same way.

Definitions regulated differently, and different levels of enforcement

The matters covered by the legislation are sanctions, fines, users’ rights and extension, type of rights, among others. They may appear the same but in the text of the law but they are regulated in different ways, which leads to the possibility of fragmentation, that is a different standard across the region. Mario Arrúa-Leon stated that there is a clear trend in countries applying the EU standards versus the others.

Catherine Collins discussed how the different level of complexity across Latin America has an impact. As a company operating in the region, it is difficult to settle a compliance programme if we consider such different enforcement mechanisms and levels of complexity.

Mario Arrúa-Leon mentioned how challenging it is to have so many inconsistencies. For example, although all jurisdictions establish that data transfer is permitted provided that certain measures are taken, these measures usually vary from country to country. The law may even be the same, but each country has different enforcement approaches which require rationalising in each country. What should the solution be? A more uniform law and enforcement approach and better and improved cooperation among agencies.

Other key issues relating to data protection

Mario Arrúa-Leon emphasised how cooperation and agreement between different regulators is key for companies operating across Latin America. There is a need for uniformity in matters relating to the transfer of data but also those connected with finance regulators. Clients in the banking sector don’t want to deal with the regulator. It is important for governments to make an effort so that the rules apply across all industries and sectors.

Paula Vargas discussed many issues relating to data policy. In that regard, when speaking about regulation, she mentioned that lawyers must not only consider protecting people’s rights but also accomplishing other policy goals, such as innovation. Innovation needs certainty in terms of how users’ rights are going to be protected. In order to innovate in a global economy, legal harmonisation is key. Regulation should also foster the digital economy.

Paula Vargas also discussed the challenges relating to the identification of privacy risks and helping users improve the use of their rights. Other challenges relate to balancing privacy with other rights, as well as to freedom of speech.

‘Is data the new oil?’ The answer is no. Data creates value but is not a resource. When we think about regulation, we need to understand that different perspectives are needed in considering the ways in which data creates value.

Regarding the importance of sharing personal information. If an individual is allowed to share information about the income and expenses a person with no credit gets, will serve that person to access credit. This will allow individuals who are not part of the system, to be visible and gain access credit and other rights.

The panel concluded the session by discussing the state of the debate in the EU and the US on the impact of artificial intelligence in credit decisions. If AI is the one determinant which decides who has credit, the reasons behind such decisions need to be understood. Companies also need to be accountable for the decisions made because individuals will need to feel that they have been treated fairly.