Human Rights Council creates Special Rapporteur on Privacy

Today the UN Human Rights Council adopted by consensus a resolution that establishes a UN Special Rapporteur on the right to privacy. We couldn’t write to you earlier as negotiations have been ongoing till now and we did not know the timing or outcome.

This is a great achievement and I would like to thank all of you for your support. I know that the proponents of the text (Brazil and Germany in particular) were very grateful by the widespread support to this initiative from civil society around the world.

The Special Rapporteur will provide much-needed leadership and guidance on developing an understanding of the scope and content on the right to privacy, as well as strengthening the monitoring of states and companies’ compliance with their responsibility to respect and protect the right to privacy in their laws, policies and practices.

Link to PI’s press release welcoming this development:

The following were the original co-sponsors of the resolution: Angola, Argentina, Austria, Belgium,Bosnia and Herzegovina, Brazil, Bulgaria, Croatia, Cyprus, Chile, Denmark, Djibouti, El Salvador, Georgia, Germany, Greece, Haiti, Honduras, Hungary, Iceland, Indonesia, Ireland, Italy, Liechtenstein, Luxembourg, Mexico, Montenegro, Netherlands, Nicaragua, Norway, Panama, Paraguay, Peru, Poland, Portugal, Serbia, Slovakia, Slovenia, Spain, State of Palestine, Switzerland, Tajikistan, Timor-Leste, Uganda, Uruguay, Zambia.

Peru – education by the DPA of Peru

The data protection agency of Peru has started an informative campaign, similar to the ones already done by Argentina or Uruguay. The dpa of Peru has also created two videos available on Youtube, one for kids and another one explaining the functions of the dpa.

I think education campaigns are very important in Latin America, specially in children so they became aware of their rights and the consequences of the sometime incorrect use of new technologies.

The future of EU adequacy decisions for Latin American countries

Within Latin America, only Argentina and Uruguay has been declared adequate countries by the EU Commission.

Other countries since then that have approved data protection laws and merit consideration: Colombia, Peru, and Mexico are good examples. Mexico, for example is the only data protection authority that may be considered independent. Brazil and Chile may be the next candidates, if they manage to approve their data protection bills introduced in 2015 and 2014 respectively.

But EU next regulation is changing a bit the game. As Peter Blume’s recent article in IDPL  points out, the proposed EU Regulation changes an important part of the rules on data transfer. Today the Commission can endorse a third country as having an adequate level of protection. In the future also a territory within a third country, international organisations and processing sectors may be endorsed. My view is that this may open the view to approve certain sector in a country and obtain faster adequacy determinations.

Blume conclusion is that this proposal illustrates that internationalisation makes it difficult to uphold strict rules on data transfer.

It is true also that adequacy has been the “carrot” that the EU has been using to get Latin American countries in line to approve data protection laws. The promise of more business (call centers) was present in the Argetine approval of the data protection law and it can be read also in the legislative history of the Data Protection Act of Uruguay. Another influence is the work of the Red Iberoamericana de proteccion de datos.


Argentina – New data protection regulations

The DPA of Argentina has enacted two (2) new regulations: the first one is related to sanctions and the recent do not call registry law, the second one is about CCTV.

The new Sanctions Regulation (Disp. 9/2015) was enacted to implement new fines for the recently approved national Do Not Call Registry law (see report here).

The regulations provides a new scale of fines (very serious fines up top U$ 12,000, serious fines from U$ 3000 to U$S 10,000).

The following are considered serious breaches:

– Failure to renew the annual registration of a personal database at the DPA,

– Processing personal data without the DPA registration,

– Breach of the Do not call regulation in marketing campaigns (even if the caller is located abroad).

The following are considered very serious breaches:

– Do not comply with an order of the DPA to amend personal data,

– International transfers in breach of the Data Protection Act and its Regulations,

– Breach of the confidentiality regulation.

The new CCTV Regulation (Disp. 10/2015) address the use of video cameras used for purposes of video surveillance. The Regulation applies to public and private sector.

It requires to apply -if possible- notice and consent provisions to CCTV situations. It also creates a new sign to be included for the purpose of informing the data subject the name of the data controller and its domicile and where to exercise the data protection rights.

According to this new regulation, the collection of personal data by CCTV means cannot be disproportionate.

Some CCTV processing is exempted from consent (e.g. public databases by the Government, processing within private property for private purposes, e.g. the recent ECJ Ryneš case may seem to apply here, but there may be differences between EU law and Argentine law).

It also provides that the personal data collected shall not be used for any purpose or purposes which are different from or incompatible with those giving rise to their collection.

Confidentiality and security measures should be applied to the CCTV database and it has to be registered in the DPA (the DPA of Argentina has been requesting registration of CCTV databases several years ago in every audit). Finally this registration would require also to have in place a security manual.

Continue reading Argentina – New data protection regulations

April – May 2015 – Important meetings for data protection in Latin America

The Peruvian data protection authority is organizing the next meeting for the Iberoamerican Network of Data Protection. The meeting will take place on May 6, 7 and 8, 2015 in Lima and it has already a very interesting agenda of topics and speakers. These meetings end up with a declaration of principles (see past Cartagena Declaration &  Mexico Declaration).

Official website of Red Iberoamericana


The data protection agency of Colombia is organizing a meeting for May 2015 in the City of Medellin. The meeting will convene international speakers. On February 2015 the dpa of Colombia also organized a meeting about accountability.


IAF’s Martin Abrams has been invited to be the keynote speaker at a seminar on compliance privacy and personal data protection during 9 April in Sao Paulo, Brazil. The event will cover Brazil’s proposed data protection law (Marco Civil). Other speakers include Marcel Leonardi from Google,  Danilo Doneda (advisor to the Ministry of Justice on the draft dp bill) and Denis Antoniali (from Internet Labs).

FOI law seminar in Argentina

With focus in Latin America, next week the lower chamber of Congress is organizing together with the OAS and Canada, a seminar about FOI law with regional experts.

Argentina is still one of the only countries in Latin America with a legal FOIA (there is a decree but it only covers the Executive Power).

See AGENDA of the seminar.

Paraguayans resist Mandatory Data Retention Bill

From the EFF blog an interesting note from Katitza Rodriguez (EFF International Rights Director) about Paraguay new data retention bill.

Paraguay should learn from the experience of Argentina where the Supreme Court declared unconstitutional the data retention law (Law 25,873) in the Halabi v Estado Nacional case. The issue was also debated last year in Brazil but finally the Marco Civil law settled this issue. For a Latin American perspective see this EFF blog post.

Brazil new data protection bill

On the international data protection day, the Government of Brazil open a consultation and created a specific website about the new Data Protection Bill. The text of the new bill has been carefully re-drafted from the original bill several years ago.

Currently, Brazil does not have a data protection general law, but it has numerous statutes regulating privacy (see here Luiz Costa´s paper on the matter from June 2012). Last year, in the aftermath of the Snowden affair, Brazil approved a general framework for Internet regulation of certain aspects of privacy. Dilma Rousseff, Brazil’s President, has been a vocal critic of U.S. surveillance practices and was actively pressing for data protection reform in the last few months of 2013.

The Marco Civil however wass not a full fledge data protection law but a statute specifically addressing some privacy online issues and others matters like net neutrality. It has been called an Internet Bill of Rights and enacted on Net Mundial. Brazil has also been pushing for the UN Resolution and a Special Rapporteur for Privacy at the United Nations.

It is likely that there is going to be several exciting developments in Latin America this year including laws and bills in Chile, Ecuador, Mexico and Brazil.


New Brazilian Data Protection Bill (in Portuguese)

Brazilian  Draft Law PDF (in English)