UNDERSTANDING DATA PRIVACY IN LATIN AMERICA
How are LATAM countries protecting user data privacy?
23 March 2023
Enshrined as a human right in most countries in the world, privacy in the digital age is hugely important both legally and ethically.
The European Union leads the world in data privacy protection with its GDPR and the United States is currently experiencing a wave of new privacy legislation – so what’s the status of data privacy in Latin America?
There isn’t a simple answer. Some countries are making large strides and some are lagging behind with outdated, insufficient, or confusing protection.
Here’s a summary of the most noteworthy legislation in Brazil, Chile, Peru, Argentina, Mexico, and Colombia.
Brazil has strong, comprehensive data privacy legislation.
Passed in September 2020 and backdated to come into effect in August the same year, the General Data Protection Law (LGPD) unifies 40 already existing laws into one comprehensive legislation.
The law is heavily inspired by the EU’s GDPR. For example, it enforces ‘opt-in’ clauses, meaning user consent cannot be assumed but must be explicitly given.
The LGPD also explicitly states the ten particular circumstances where personal data can be processed, which echoes the GDPR’s six.
Rounding off the comparisons, the requirements and responsibilities for data transfer are also similar to the GDPR’s.
Brazil also boasts the highest potential fines in the LATAM region, with a maximum potential fine of 50 million reals, equivalent to over 8,600,000 euros.
Overall, the LGPD sets a standard for user privacy protection in the Latin American region.
Chile has one of the first data protection laws in the region – Law no. 19.628, On the Protection of Public Life, was passed in 1999 – but as the technological landscape has changed massively in the 24 years since then, it’s needed modernization.
Similarly to Brazil, Chile has taken inspiration from the GDPR. Currently making its way through the Chilean government is Bill No. 11144-07, Regulating the Processing and Protection of Personal Data and Creating the Personal Data Protection Authority.
The bill is set to bring Chilean law in line with the regulations necessary to protect privacy in the modern technological era, putting the country’s protection law on a similar footing to Brazil’s.
Also making its way through the government is the creation of a Data Protection Agency with the power to investigate, regulate, supervise, and sanction public and private entities.
Peru’s data protection law goes back to 2011 (before the GDPR) and was majorly amended in 2017 (a year after the GDPR), and remains a mixed bag.
The Personal Data Protection Law specifies limited obligations to data controllers and processors, especially when compared to the EU’s GDPR and Brazil’s LGPD – as an example, there are no mandatory legal requirements for entities to appoint data protection officers.
Furthermore, while Peru’s law does specify strict penalties for violations, they’re capped at 100 tax units – roughly 120,000€. In contrast, the GDPR’s largest fine to date has been 746 million € (levied against Amazon in 2021).
While Peru’s economy cannot be compared 1:1 with the European Union’s, it is questionable whether Peru’s data protection penalties are sufficient for regulating the largest corporations.
The country’s Personal Data Protection Law was passed in the year 2000 and hasn’t had substantial changes in the years since.
A major reform was presented on August 30, 2022, and is currently making its way through Congress.
The reform is set to update the law for the modern day with new terms like ‘anonymization’, ‘genetic data’, ‘international data transfer, and ‘profiling’, among many others. While the bill as it stands in its largely unchanged 2000s form protects privacy, the reforms will bring it up to speed with today’s technologies.
The Federal Law on the Protection of Personal Data Held by Private Parties (the LFPDPPP) is a robust law that was passed in 2010 and updated several times up until 2017.
By and large, the law and its updates are keeping Mexico in lockstep with the GDPR with two notable differences: legitimate interest and tacit consent.
‘Legitimate interest’ is a clause in the GDPR which outlines one of the six lawful bases for processing user data, and in principle it’s as simple as it sounds: companies must have a legitimate reason for wanting to process data. Mexican law holds no such clause.
On the other hand, and unlike the GDPR, the LFPDPPP does specifically allow for ‘tacit consent’, meaning consent that is implied rather than explicitly given. Despite not allowing for that in cases of sensitive personal information such as racial, religious, or financial data, it’s arguably not as protective of user privacy as the GDPR’s more explicit consent clauses are.
With an upper limit of 27 million pesos, equivalent to over 1.3 million euros, Mexico’s fines are among the highest in the region.
Law 1581, which regulates data privacy, was implemented in 2012 – making Colombia the fourth in the region to pass robust data privacy legislation.
The law set up an independent regulating authority and, unlike Mexico which allows for tacit consent, specifically calls for express consent. The law also protects individual control over their personal data, overall making it similar to the GDPR.
The law allows for fines of up to 850 million Colombian pesos – roughly 356,000 euros.
Law 1581 is still being actively updated today. In July 2022, Bill 066 was filed in the Senate which aims to strengthen citizens against unconsented advertising messages through text, web messages, and emails. The bill also seeks to create a registry that will provide a streamlined way for users to exclude themselves from companies’ databases.
When looking at the data privacy legislation for countries throughout the LATAM region, one thing becomes substantially clear: data privacy laws must be continuously updated.
As new technologies emerge, new challenges for user privacy abound.
Many of these technologies can invade privacy through methods that current legislation simply may not have the language for, as has happened with Argentina’s privacy legislation before its current reform.
The GDPR may be the world’s gold standard, but it, too, must be reformed eventually – LATAM countries that are following in the EU’s footsteps should aim to be proactive and ahead of the curve or risk being unprepared for protecting citizen privacy as technology evolves.
Protecting privacy in Latin America and elsewhere isn’t only a legal obligation, it’s an ethical one as well – that’s why ShowHeroes Group pledges to protect it as part of our Data Ethics pillar in our Better Media framework.
ShowHeroes utilizes cookieless technology such as SemanticHero to deliver highly relevant advertising without any data harvesting – that means no user profiling or remarketing tactics at any step.
Furthermore, viewability, brand safety, ad quality, and verification are measured and ensured through long-term relationships with MOAT, IAS, DoubleVerify, and Adalyser.
Learn more about how we protect user privacy: