Assessing the Current and Future Privacy Landscape in the Americas

The explosion of new data privacy laws in the Americas over the past decade has transformed this region, requiring companies to expand and refine their privacy compliance programs to account for these new laws. Heading into 2021 and beyond, we expect enforcement in the region to grow as these privacy regimes mature, and some will also undergo further changes, largely in response to the new European data privacy rules.

Prior to 2010, only four jurisdictions in the Americas had comprehensive data privacy laws: Argentina; Barbados; Canada; and Chile. Between 2010 and 2020, 21 more jurisdictions enacted new data privacy laws and four amended their existing laws (one of the four of jurisdictions, Uruguay, amended its law twice during this 10-year period). The scope of laws in Barbados, Brazil, and Uruguay are the most similar to the EU’s General Data Protection Regulation (GDPR).

Starting in 2021, the data protection authorities in Panama and Brazil will begin enforcement of their new laws in March and August respectively and may issue detailed regulations and/or guidance that might require adjustments to existing compliance programs. The laws in Barbados, Bermuda, and Jamaica are likely to enter into effect this year and, in the next few years, we may see significant changes to existing laws in Argentina, Canada, and Chile.

While they share the same core data protection elements, the laws in the region each have their own specific rules that differ from each other and from those in other regions. Given the diversity among the legal systems and cultural/historical differences among the countries in the Americas, there is little consistency among the laws. It is important to take these differences into account when developing global or regional privacy compliance programs. This alert discusses some of the commonalities and differences among the privacy regimes in the region and identifies the jurisdictions that are likely to enact new or amended laws in the next couple of years.

Characteristics of the Current Regional Landscape: Commonalities and Differences

Twenty-five jurisdictions in the region now have comprehensive privacy laws.[1] The laws in Barbados, Bermuda, Brazil, Cayman Islands, Jamaica, and Panama are the most recent additions. Canada, Costa Rica, Peru, and Uruguay were amended within the last five years. While they share the same core data protection elements, all of these laws have specific rules that are different from each other and from those in other regions.

Scope. Three-quarters of the laws in this region apply to processing in-country only. However, six have extraterritorial provisions, two of which (Jamaica’s and Uruguay’s), like the GDPR, apply to the monitoring the behavior of individuals within their jurisdictions.

Cross-border Data Transfers. Two-thirds of the laws (17) restrict cross-border transfers of personal data. However, the similarities end there, because the legal bases for transfers vary from adequacy, consent, contracts, binding corporate rules (BCRs), or processing that is necessary to complete the contract (“contractual necessity”). Only one-quarter of the jurisdictions (Argentina, BES Islands, Cayman Islands, Colombia, Curaçao, and Uruguay) have issued a list of adequate countries and/or specified what must be contained in contracts or internal rules. Moreover, the laws of Argentina and Uruguay are the only ones in region to be found adequate by the EU.

The laws in Antigua & Barbuda, the Bahamas, Canada, Chile, Costa Rica, Mexico, St. Kitts & Nevis, and St. Lucia do not impose any restrictions on  cross-border transfers of personal data.

Breach notification. Almost half (12) require notification in the event of a data breach. While a number of laws only require that notice be provided to individuals and/or to the data protection authority “promptly” or “without delay,” others require notification within 72 hours (Barbados and Jamaica), within five days (Cayman Islands and Costa Rica), or within 15 days (Colombia).

Legal bases for processing. Almost three-quarters of the laws (18) do not permit processing on the basis of legitimate interests. Instead, the laws rely on other legal bases such as consent, contractual necessity, or legal requirements. The range of available legal bases varies widely from one jurisdiction to another. For example, in six of the jurisdictions, contractual necessity is not an available legal basis for processing (in contrast to almost half the laws in Asia).  Consequently, consent is the primary basis for processing in the region.

Individual Rights. Access and correction rights must be provided in all countries. Two-thirds (17) provide for some form of erasure rights and, like the laws in Asia, only a handful of countries provide data portability rights (Barbados, Brazil, Jamaica, and Panama).

The laws in the region provide for much shorter response times for Individual Rights requests, compared to Europe and Asia. One-third (9) require responses to rights requests in 10 days or less; two within 15–20 days; and 11 within 30 days or more days. Three do not specify any specific time period.

Data Protection Officer (DPO). The laws in one-quarter of the countries (6) require the appointment of a DPO: Barbados; Bermuda; Brazil; Canada; Colombia; and Uruguay.

Registration. More than one-third of the countries (9) require organizations to register processing activities with the data protection authority: Argentina; Barbados; Colombia; Costa Rica; Jamaica; Nicaragua; Peru; St. Lucia; and Uruguay.  Barbados requires both controllers and processors to register. In addition, Barbados, Brazil, and Panama require organizations to maintain internal records of the processing activities, which need to be made available to the DPA upon request.

Security. Unlike the GDPR or most of data protection laws in the countries in Asia, half of the laws (13) have detailed security provisions.

Data Protection Impact Assessments (DPIAs). Most laws in the region do not require organizations to carry out DPIAs.  DPIAs are required only in Barbados, Brazil, Jamaica, and Uruguay.

Enforcement. Law violations can result in significant criminal and civil and/or administrative penalties; however, the level of enforcement within the region has been relatively low, in part because it has taken time for some of the authorities to establish themselves. The DPAs in Colombia, Mexico, and Peru have been the most active in issuing fines, some of which have been quite high. Although the sanction provisions of Brazil’s law are not yet in force, the country has a long history of actively protecting privacy rights via the courts.

New Laws Expected in 2021 and Beyond

Anticipated Amendments to Existing Laws

Argentina. Amendments to Argentina’s current law have been in the works for a few years. However, because of a change in the political party controlling the government in December 2019, the reform bill, prepared by the prior administration, stalled after it was introduced into the legislature last spring. New reform bills (Senate bill and House bill) were introduced by both parties in November and December 2020 so it is unclear if and when reforms will be enacted.

Canada. In November 2020, Canada’s Minister of Information Science and Economic Development released Bill C-11, the Digital Charter Implementation Act, 2020 (DCIA), which, if enacted, would significantly amend Canada’s federal privacy law regime. Among other things, the proposed law would impose additional consent requirements, provide new Individual Rights with respect to deletion and data portability, increase the enforcement powers of the Office of the Privacy Commissioner (OPC), and authorize fines of up to C$25 million or 5% of an organization’s gross global revenue for violations. The bill does not specify an effective date and it is widely expected that the Canadian government will open a consultation so that interested stakeholders may weigh in on the draft bill. (See Morrison & Foerster’s alert).

Chile. Similarly, Chile has been working on reform legislation for several years.  Legislation was introduced in 2017 and is slowly working its way through a lengthy legislative process. If approved, the legislation would create for the first time a data protection authority and establish new requirements for consent, use of sensitive data, international data transfers, security, and data breach notification. In May 2018, the Chilean Congress approved an amendment to Article 19(4) of the Chilean Constitution, adding a new right that provides an explicit right to the protection of an individual’s personal data.  Prior to this amendment, there was only a general right to the respect and protection of private life, and the honor of the person and their family.

Developments in Countries with No Privacy Laws

Ecuador. Draft privacy legislation has been pending in the National Assembly since September 2019, when the President of the Republic submitted his government’s proposed bill. In May 2020, the bill was under review by the National Assembly’s Commission on Sovereignty and International Relations and, in November 2020, the National Assembly’s Commission on International Relations approved the report for the first debate of the bill. The bill is expected to be sent to the Presidency of the National Assembly for debate. Two key controversies with the bill are the proposed financial penalties (fines up to 17% of a business’s income from the prior year) and the degree of regulatory independence for the entity responsible for oversight.

Suriname. There is a draft Privacy and Data Protection (SPDP) Law that has been pending in Parliament since 2018; however, there is no indication if or when the legislation might be enacted.

Bolivia, El Salvador, Honduras, Guatemala, and Paraguay. Discussions about the need for data privacy laws have been underway for a while in these countries and while various civil society groups have put forward suggested texts, there is no evidence that any bills have been introduced into their respective legislatures. In November 2019, a legislative commission in El Salvador initiated a study on a draft Law on Data Protection and Habeas Data but no bill has been introduced yet.

[1] These jurisdictions are Antigua & Barbuda, Argentina, Aruba, Bahamas, Barbados, Bermuda, BES Islands, Brazil, Canada, Cayman Islands, Chile, Colombia, Costa Rica, Curaçao, Dominican Republic, Jamaica, Mexico, Nicaragua, Panama, Peru, St. Kitts & Nevis, St. Lucia, St. Maarten, Trinidad & Tobago, and Uruguay.  The laws in Barbados, Bermuda, Jamaica, St. Kitts & Nevis, St. Lucia, and Trinidad & Tobago are not yet in force.