CHAPTER 9
South American Regulations

All human beings have three lives: public, private, and secret.

—Gabriel García Márquez, Gabriel García Márquez: A Life

Privacy legislation in South American countries goes back to the predecessor of the GDPR, the European Data Protection Directive of 1995. It was at that time that several countries passed privacy legislation aligning themselves with the EU directive. Since that time, and following the introduction of the GDPR, most South American countries have followed suit in updating their own privacy laws to align with the GDPR.

Leading the effort was Brazil with the passage of the Lei Geral de Proteção de Dados (LGPD), legislation based on the GDPR. It reflected the government's desire to closely align with the European Union and facilitate cross-border transfers between the bloc and Brazil.

We will examine the three largest economies in South America: Brazil, Argentina, and Colombia.

Brazil

Prior to Brazil's introduction in 2018 of its version of the GDPR, the Lei Geral de Proteção de Dados (LGPD), privacy in Brazil was regulated by 40 or more laws that were often at odds with one another. The LGPD, taking effect on August 15, 2020, unifies all these laws and aligns the country's privacy legislation with the GDPR.

Jurisdiction

Brazil.

Background

The main drivers behind Brazil's LGPD were the consolidation of the diverse and confusing privacy legislation already in effect and the strong desire for Brazil to ensure free and open cross-border transfers to the European Union.

Intent and Major Provisions

As per Article 1 of the legislation:

The law mirrors the data-processing principles of GDPR in requiring that all processing is done “in good faith, with a specific legitimate purpose, within agreed scope, only as needed, and guaranteeing the data subject's free access to the data, ensuring the quality and security of the data, and handling the data in a transparent, non-discriminatory, and accountable way.”

In terms of the individual's rights under the law, the LGPD is fairly clear in Articles 17 and 18:

Finally, as you would expect, the law requires the appointment of a Data Protection Officer to ensure the company's compliance with the law.

PII Definition

Article 5 of the law defines the following classes of data:

Inclusion Criteria

The LGPD applies to any business that processes data of Brazilian residents, irrespective of whether it operates inside Brazil or is simply providing goods or services to Brazilian residents. More specifically, as per the LGPD's Article 3:

Exclusions

Article 4 of the LGPD includes a long list of exclusions, shown (edited) below:

Enforcement Agency

Originally, the LGPD called for the creation of the Brazilian National Data Protection Authority (Autoridade Nacional de Proteção de Dados [ANPD]) and the creation of a National Council for the Protection of Personal Data (Conselho Nacional de Proteção de Dados Pessoais e da Privacidade) as independent agencies responsible for the enforcement of the LGPD, policy creation, and research.

The new president of Brazil vetoed this provision, and a few others, and instead established the new ANPD as a Brazilian Federal Government agency, reporting to the president. Its powers are essentially the same as originally proposed, and it remains the main enforcement agency for the regulation. ANPD will subsequently propose guidelines for the creation of the National Council for the Protection of Personal Data.

Penalties

The penalties for violating the LGPD are significant and in alignment with the severity of fines imposed by the GDPR. Penalties can be up to 2% of total revenue (in Brazil) or up to 50,000,000 Brazilian Reals (about $11,000,000).

Complete Text

You can find the complete text in Portuguese here: http://www.planalto.gov.br/ccivil_03/_Ato2015-2018/2018/Lei/L13709.htm and translated in English here: https://iapp.org/media/pdf/resource:center/Brazilian_General_Data_Protection_Law.pdf.

Effect

The effect of the law is certainly regional, but its implementation has a global effect because of the expected effect on South America's stance on privacy and the alignment between Brazilian privacy law and that of the European Union.

Argentina

As of this writing, Argentina is in the process of reviewing a proposed bill (MEN-2018-147-APN-PTE) that would replace the outdated privacy legislation in place since 2000. The bill was proposed in 2017, and when enacted, it will create an Argentinian version of the European GDPR.

The existing legislation that is currently in effect is briefly reviewed below.

Jurisdiction

Argentina.

Background

Privacy and protection of personal data were incorporated into the Argentinian constitution in 1994. In 2000, the Personal Data Protection Act (25,326) was enacted to regulate the principles outlined in the constitution under Section 43. The law, along with the associated decrees and regulations, is known as the PDPA or DPA.

Intent and Major Provisions

Given its age, the PDPA is an excellent attempt to protect individual data, making Argentina one of the first countries in South America to implement such legislation. Under the law, the data processor must provide the data subject with clear notifications explaining the purpose of the data collection, who will process the data and where, what the options are for refusing such processing, and who will have access to the data, as well as clear guidelines on how the data subject can access, suppress, or correct the data. There are additional restrictions on how the data may be used and where it can be disclosed, including a requirement for data destruction once the purpose for data use has been satisfied.

The law also requires that appropriate data security and confidentiality measures are in place, although it does not require the appointment of a data protection officer.

PII Definition

The PDPA defines personal data as “information of any kind referring to certain or ascertainable physical persons or legal entities.”

Inclusion Criteria

Any business that processes an Argentinian's personal data is impacted by the law.

Exclusions

There are no exclusions in the current PDPA.

Enforcement Agency

The agency responsible for enforcement is the “Agency for Access to Public Information.”

Penalties

The Agency for Access to Public Information can impose a variety of penalties, proportional to the violation. Monetary penalties can range up to 5,000,000 Argentinian pesos (about $81,000).

Complete Text

The English version of the regulation can be found at: http://www.jus.gob.ar/datos-personales/english-version/regulation.aspx.

Effect

The effect of the law is limited to Argentina.

Colombia

Colombia has a mature and sophisticated legislative privacy framework, in place since 2012. This framework, which aligns with the European GDPR in many areas, continues to be updated frequently, most recently with pending legislation that will introduce privacy-by-design and industry-specific privacy legislation. A brief overview of the applicable laws follows below.

Jurisdiction

Colombia.

Background

The Colombian constitution has an explicit right to privacy in Article 15:

In support of the constitutional right to privacy, Colombia, in 1973, enacted the Regulation of Data Protection Act (Decree 1377), which supplemented the original Data Protection Act of 2012 (Law 1581).

Intent and Major Provisions

Looking at the framework as a whole, the intent is to protect personal data processing and grant certain rights to individuals with regard to both consent and access to their data. Specifically, the laws prescribe the need for explicit notice on purpose, use, and the owner's privacy rights, and an explicit pathway for the data owner's access to their own data. Additionally, there are specific consent requirements, including the need for preservation of the consent while processing private data. The laws provide for the right of consent revocation at any time, with the obvious exceptions of legal or contractual obligations.

The laws also limit the time that data can be held for processing. There is also a requirement that data be processed only for a specific, intended purpose, after which the data is to be suppressed or deleted.

PII Definition

The different laws and decrees vary in their definition of personal data. The most pertinent one is the definition of sensitive personal data under the original Data Protection Act of 2012 (Law 1581), which defines sensitive personal data as any data that can affect the owner's intimacy or that, if improperly used, can result in discrimination. It includes data that reveals ethnic or racial origin, political affiliation, religious affiliation, membership data, health and sexual orientation data, and the recently added biometrics data.

Inclusion Criteria

Anyone who processes personal data in Colombia is affected by the law.

Exclusions

The current legislation excludes personal data collected by individuals for personal use, as well as personal data gathered by the government for national defense. Data used for security, intelligence, and counterterrorism purposes, as well as the valid use of personal data by journalists, is also excluded.

Enforcement Agency

The enforcement agency is the Superintendence of Industry and Commerce (SIC). For financial institutions, the enforcement agency is the Superintendence of Finance (SOF).

Penalties

The penalties for violating the Colombian privacy law can be severe, including suspension and termination of business activities and fines up to $500,000.

Complete Text

You can find the original text (in Spanish) at https://www.sisben.gov.co/Documents/Informaci%C3%B3n/Leyes/LEY%20TRATAMIENTO%20DE%20DATOS%20-%20LEY%201581%20DE%202012.pdf and http://www.lasallecucuta.edu.co/infopdf/decreto1377.pdf.

Effect

The impact of the law is regional, focused on Colombia and businesses that process data there.
