The General Data Protection Regulation (GDPR) has prompted a series of legislative proposals in Latin American countries to update data protection regulations, many of which reflect the higher standards of the GDPR. With a large number of European and U.S. companies operating in the region, we look at some of the latest developments below.
Argentina was the first Latin American country to implement data protection laws and the first non-European country to be recognised by the European Commission as having adequate levels of data protection. The need to revisit the current legislation is a result of technological advances and the changed international landscape with the introduction of the GDPR since the Argentinian Personal Data Protection Act 2000 came into force.
Argentina's new draft data protection bill proposes further changes to bring the country's data protection law in line with the GDPR. The bill acknowledges the right to be forgotten and the right to data portability. Other changes include stricter provisions in the area of cross-border transfers to countries with inadequate levels of data protection, new legal bases for data processing other than data subject consent, including legitimate interests, and new definitions of biometric and genetic data.
Brazil's data protection law, Lei Geral de Proteção de Dados (LGPD), enters into force in August 2020. Before the LGPD, the data protection legislation in Brazil was sector-based and primarily regulated by the country's civil rights framework for the internet (Internet Act) and Consumer Protection Code. LGPD imposes detailed rules for the collection, use, processing, and storage of personal data. This new regulation replaces more than 40 different regulations that deal with data protection. The final version of LGPD also introduced important revisions to the original version of the law, such as the creation of the National Data Protection Authority that will be responsible for overseeing and enforcing the LGPD.
Chile has a comprehensive data protection regulation, Law No. 19.628 On the Protection of Private Life, as amended in 2018. While Law No. 19.628 requires data subjects to be informed about the purposes of the processing of their personal data and requires data subject consent, it fails to establish mechanisms to supervise compliance...