Data Privacy Laws Across Latin America

Data privacy is a real concern across the globe causing Latin American countries to look for ways to implement new laws to tackle the problem.

Legislation around the world, such as the European Union's General Data Protection Regulation (GDPR), have highlighted the need for countries to create and update their current data privacy frameworks and regulations to fit today's business environment.

Brazil

Brazil is leading the way in Latin America with its new data privacy laws that will consolidate the over 40 different regulations currently in effect in the country. Lei Geral de Proteção de Dados (LGPD), which will come into effect in August 2020, includes some parts of GDPR but also puts significant compliance obligations on companies that process data or offer services to individuals in Brazil. "The law is about the protection of all personal data, similar to the GDPR, affecting all companies that deal with data," says Vanessa Mello, director of client legal compliance operations at TMF Brazil. The new law covers names, signatures, addresses, IP address, tax ID in addition to other personal data that it collected before.

The LGPD applies to all legal entities that process personal data, whether public or private, operating in Brazil or that supply goods or services to individuals located in Brazil. Companies must expressly seek consent from the owner of the data, informing them exactly what data is being collected, why, and for how long it will be stored. In addition, the data must be destroyed when the company no longer has any need for it.

While companies have 17 months to adapt, they must make sure all their data collection systems and technology are compliant. There are 2% annual revenue penalties as a consequence for a data protection breach.

Colombia

Colombia has the most developed data protection legislation in Latin America with laws that have been on the books since 2012. The laws have been updated and now contain information about how to store the personal data, treatment of it, how it used, amended or deleted as well as different measures depending on type and size of businesses. Permission is needed from users when using the data.

The data privacy legislation is always changing and currently there is a bill in congress that will complement the current legislation and will introduce new concepts like, privacy by design with separate laws for companies and financial institutions. For companies, the focus would be on personal...