Privacy legislation in South American countries goes back to the predecessor of the GDPR, the European Data Protection Directive of 1995. Since that time, and following the introduction of the GDPR, most South American countries have followed suit in updating their own privacy laws to align with the GDPR. This article takes a look at three of the continent’s major economic powers: Brazil, Argentina, and Colombia.
All human beings have three lives: public, private, and secret.
—Gabriel García Márquez
Leading the effort was Brazil with the passage of the Lei Geral de Proteção de Dados (LGPD), legislation based on the GDPR. It reflected the government’s desire to closely align with the European Union and facilitate cross-border transfers between the bloc and Brazil.
Data Protection Laws in South America
Prior to Brazil’s 2018 introduction of its version of the GDPR, the Lei Geral de Proteção de Dados (LGPD), privacy in Brazil was regulated via roughly forty separate laws that were sometimes in conflict with one another. The LGPD, which took effect on August 15, 2020, unified all these laws and aligned the country’s privacy legislation with the GDPR.
The main drivers behind Brazil’s LGPD were the consolidation of the diverse and confusing privacy legislation already in effect and the strong desire for Brazil to ensure free and open cross-border transfers to the European Union.
Brazil: Intent and Major Provisions
As per Article 1 of the legislation:
This Law provides for the processing of personal data, including by digital means, by a natural person or a legal entity of public or private law, with the purpose of protecting the fundamental rights of freedom and privacy and the free development of the personality of the natural person.
The law mirrors the data-processing principles of GDPR in requiring that all processing is done “in good faith, with a specific legitimate purpose, within agreed scope, only as needed, and guaranteeing the data subject’s free access to the data, ensuring the quality and security of the data, and handling the data in a transparent, non-discriminatory, and accountable way.”
In terms of the individual’s rights under the law, the LGPD is fairly clear in Articles 17 and 18:
Article 17. All natural persons (are) assured ownership of (their) personal data, with the fundamental rights of freedom, intimacy and privacy being guaranteed, under the terms of this Law.
Article 18. The personal data subject has the right to obtain the following from the controller, regarding the data subject’s data being processed by the controller, at any time and by means of request:
I – confirmation of the existence of the processing;
II – access to the data;
III – correction of incomplete, inaccurate or out-of-date data;
IV – anonymization, blocking or deletion of unnecessary or excessive data or data processed in noncompliance with the provisions of this Law;
V – portability of the data to another service or product provider, by means of an express request and subject to commercial and industrial secrecy, pursuant to the regulation of the controlling agency;
VI – deletion of personal data processed with the consent of the data subject, except in the situations provided in Art. 16 of this Law;
VII – information about public and private entities with which the controller has shared data;
VIII – information about the possibility of denying consent and the consequences of such denial;
IX – revocation of consent
Finally, as you would expect, the law requires the appointment of a Data Protection Officer to ensure the company’s compliance with the law.
Article 5 of the law defines the following classes of data:
For purposes of this Law, the following definitions apply:
I – personal data: information regarding an identified or identifiable natural person;
II – sensitive personal data: personal data concerning racial or ethnic origin, religious belief, political opinion, trade union or religious, philosophical or political organization membership, data concerning health or sex life, genetic or biometric data, when related to a natural person;
III – anonymized data: data related to a data subject who cannot be identified, considering the use of reasonable and available technical means at the time of the processing
The LGPD applies to any business that processes data of Brazilian residents, irrespective of whether they operate inside Brazil or are simply providing goods or services to Brazilian residents. More specifically, as per LGPD’s Article 3 (edited for length).
Article 4 of the LGPD includes a long list of exclusions, shown (edited) below:
This Law does not apply to the processing of personal data that:
I – is done by a natural person exclusively for private and non-economic purposes;
II – is done exclusively:
a) for journalistic and artistic purposes; or
b) academic purposes…
III – is done exclusively for purposes of:
a) public safety;
b) national defense;
c) state security; or
d) activities of investigation and prosecution of criminal offenses; or
IV – have their origin outside the national territory and are not the object of communication
Originally, the LGPD called for the creation of the Brazilian National Data Protection Authority (Autoridade Nacional de Proteção de Dados [ANPD]) and the creation of a National Council for the Protection of Personal Data (Conselho Nacional de Proteção de Dados Pessoais e da Privacidade) as independent agencies responsible for the enforcement of the LGPD, policy creation, and research.
The new president of Brazil vetoed this provision, and a few others, and instead established the new ANPD as a Brazilian Federal Government agency, reporting to the president. Its powers are essentially the same as originally proposed, and it remains the main enforcement agency for the regulation. ANPD will subsequently propose guidelines for the creation of the National Council for the Protection of Personal Data.
The penalties for violating the LGPD are significant and in alignment with the severity of fines imposed by the GDPR. Penalties can be up to 2% of total revenue (in Brazil) or up to $50M Brazilian Reals (about $11M U.S.).
Here is the LGPD’s complete text in English.
The law’s direct effect is regional, but its implementation has global significance because of its expected influence on South America’s stance on privacy and the alignment between Brazilian privacy law and that of the European Union.
As of this writing, data within the borders of Argentina is regulated by the Personal Data Protection Act (PDPA), which has been in place since 2000. An additional regulation, Provision 60-E/2016, was issued in 2016 to cover cross-border transfers and bring the legislation into accord with the European Union model.
Privacy and protection of personal data were incorporated into the Argentine constitution in 1994. In 2000, the PDPA was enacted to regulate the principles outlined in the constitution under Section 43. In 2022, Beatriz de Anchorena was appointed the new head of the country’s Data Protection Agency, and she announced plans to update Argentina’s regulations.
Intent and Major Provisions
Given its age, the PDPA is an excellent attempt to protect individual data, making Argentina one of the first countries in South America to implement such legislation. Under the law, the data processor must provide the data subject with clear notifications explaining the purpose of the data collection, who will process the data and where, the options for refusing such processing, and who will have access to the data, as well as clear guidelines on how the data subject can access, suppress or correct the data. There are additional restrictions on how the data may be used and where it can be disclosed, including a requirement for data destruction once the purpose for data use has been satisfied.
The law also requires that appropriate data security and confidentiality measures are in place, although it does not require the appointment of a data protection officer.
The PDPA defines personal data as “information of any kind referring to certain or ascertainable physical persons or legal entities.”
Any business that processes Argentinians’ personal data is impacted by the law.
There are no exclusions in the current PDPA.
The agency responsible for enforcement is the Data Protection Agency.
A variety of penalties can be proposed for violation of the rules. Monetary penalties can range up to $5M Argentinian pesos (about $28K U.S.).
Here is an English translation of the PDPA.
The effect of the PDPA is limited to Argentina.
Colombia has a mature and sophisticated legislative privacy framework, in place since 2012. This framework, which aligns with the European GDPR in many areas, continues to be updated frequently, for example through the introduction of privacy-by-design and industry-specific privacy legislation. A brief overview of the applicable laws follows.
The Colombian constitution has an explicit right to privacy in Article 15:
All individuals have the right to personal and family privacy and to their good reputation, and the State has to respect them and to make others respect them. Similarly, individuals have the right to know, update, and rectify information collected about them in data banks and in the records of public and private entities.
Freedom and the other guarantees approved in the Constitution shall be respected in the collection, processing, and circulation of data.
Correspondence and other forms of private communication may not be violated. They may only be intercepted or recorded on the basis of a court order in cases and following the formalities established by statute.
For tax or legal purposes and for cases of inspection, the oversight and intervention of the State may demand making available accounting records and other private documents within the limits provided by statute.
In support of the constitutional right to privacy, in 1973 Colombia enacted the Regulation of Data Protection Act (Decree 1377), which was supplemented by the Data Protection Act of 2012 (Law 1581).
Intent and Major Provisions
Looking at the framework as a whole, the intent is to protect personal data processing and grant certain rights to individuals with regard to both consent and access to their data. Specifically, the laws prescribe the need for explicit notice on purpose, use, and the owner’s privacy rights, and an explicit pathway for the data owner’s access to their own data. Additionally, there are specific consent requirements, including the need for preservation of the consent while processing private data. The laws provide for the right of consent revocation at any time, with the obvious exceptions of legal or contractual obligations.
The laws also limit the time that data can be held for processing. There is also a requirement that data only be processed for a specific, intended purpose, following which, the data is to be suppressed or deleted.
The different laws and decrees vary in their definition of personal data. The most pertinent one is the definition of sensitive personal data under the original Data Protection Act of 2012 (Law 1581), which defines sensitive personal data as any data that can affect the owner’s intimacy or that, if improperly used, can result in discrimination. It included data that reveals ethnic or racial origin, political affiliation, religious affiliation, membership data, health and sexual orientation data, and the recently added biometrics data.
Anyone who processes personal data in Colombia is affected by the law.
The current legislation excludes personal data collected by individuals for personal use, as well as personal data gathered by the government for national defense. Data used for security, intelligence, and counterterrorism purposes, and valid use of personal data by journalists, are also excluded.
The enforcement agency is the Superintendence of Industry and Commerce (SIC). For financial institutions, the enforcement agency is the Superintendence of Finance (SOF).
The penalties for violating the Colombian privacy law can be severe, including suspension and termination of business activities and fines up to $500K U.S.
Here is the original text of the Data Protection Act of 2012 (Law 1581) (in Spanish). And here is a detailed English-language analysis of the multiple regulations in Colombia’s framework.
The impact of the law is regional, focused on Colombia and businesses that process data there.