Central American Data Privacy Updates
1. Costa Rica
On March 5, 2013, Costa Rica's data protection law, originally passed in 2011, came into force. The law, the Ley Protección de la Persona frente al tratamiento de sus datos personales, Law 8968, requires explicit data subject consent for any processing of data. Under the March 5 regulations implementing the law, companies must notify data subjects within five days of any "irregularity in the processing or storage of their data," such as a data breach or theft. Companies must also notify the Costa Rican data protection authority, the Agencia de Protección de Datos de los habitantes ("Prodhab"), of any data breach.
South American Data Privacy Updates
On April 18, 2013, Colombia's data protection law, Ley 1581 del 17 de Octubre de 2012 por el cual se Dictan Disposiciones Generales para la Protección de Datos Personales, took effect. In late June 2013, implementing regulations for the law were published by the Colombian government. The law was initially passed on October 17, 2012 with a six-month grace period for companies to come into compliance. Among its chief provisions, the law requires that data subjects give prior, informed consent before any collection occurs. The law also restricts processing of sensitive data without consent to just a few limited circumstances, such as those situations when processing is required by law. The implementing regulations impose fines of more than $600,000 for non-compliance.
On March 22, 2013, Peru's Personal Data Protection Law took effect - 30 days after the Peruvian government published implementing regulations for the law. While Peru's law does not require notification to any central authority or data subject in the event of a breach, the law generally requires data subject consent to process data. Further, the law provides individuals with various rights to access, update, or eliminate personal data held on them by a company. The implementing regulations clarified several aspects of the legislation, including registration of databases with the National Register of Personal Data Protection and enforcement.
On April 12, 2013, Uruguay acceded to the European Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (Convention 108)...