Personal data protection and cyber security in Latin America
February 2020 | SPOTLIGHT | DATA PRIVACY
Financier Worldwide Magazine
February 2020 Issue
Data protection and cyber security are huge concerns today as reliance on technology and digital infrastructure increases. Not only are businesses becoming more dependent on data in order to exploit the digital economy, countries are also relying on it more to govern.
As dependence on technology grows, cyber security threats and data protection concerns also grow. Countries are becoming more aware of the need to guarantee safety in cyber space and protect citizens’ personal and sensitive data.
The European Union (EU) pioneered a regulatory approach to data protection, which Latin American countries have watched with interest. Even the US has moved towards data protection, enacting rules on people’s right to privacy, similar to the EU’s General Data Protection Regulation (GDPR).
The California Consumer Privacy Act (CCPA) is the first of its kind in America. Its introduction has sparked debate on a possible federal law to regulate data protection across the country.
Regulatory changes, increasing connectivity and internet dependence, and a flourishing digital economy have impacted Latin American countries’ perspective on data protection. Although the region has not yet moved completely to the GDPR approach, privacy reforms adopting some GDPR rules have gained traction. Countries such as Brazil, Chile, Argentina and Colombia have announced or passed regulatory reforms on data protection, including cyber security.
For instance, Brazil introduced a general data protection law in which some of the GDPR rules were adopted; previously, data protection rules were spread across the legal framework and were sector focused. Its strict approach will come into force by August 2020. Brazil’s regulation, like the GDPR, is extraterritorial in scope.
Argentina also proposed amendments to its personal data protection rules, including categories such as biometric data and provisions regarding cloud computing not included within the existing law. Also, the right to data portability announced in a draft bill is one of the main steps toward an adequate level of protection as defined by the GDPR.
In Chile, reform has been more profound; personal data protection is now a constitutional right. Along with Argentina, Chile also added biometric data to its categories of sensitive data.
Colombia is also moving toward data protection reform. The government has announced through several public documents the urgent need to update data protection standards. It is anticipated that the country’s data protection system will be reformed to reduce multiple regulatory barriers holding back the digital economy, while guaranteeing an adequate level of protection for citizens. Colombia has a complex data protection system with certain rules that have been disassembled in the EU, such as the Data Base Registry. Also, the complex system governing transfer and transmission of data is distinct from other countries. Regulatory changes are likely to balance this system, and also introduce additional citizens’ rights.
At the time of writing, Advocate General Saugmandsgaard Øe had delivered an opinion to the European Court of Justice (ECJ) regarding standard contractual clauses for the transfer of personal data to processors established in third countries. This opinion is relevant as it finally addresses the validity of standard contractual clauses. The opinion sets forth that: “If the third country doesn’t have an adequate level of protection of the data, the data controller may nevertheless proceed with the transfer if it is accompanied by appropriate safeguards”. Such an opinion may be relevant for Latin American countries to rely more effectively on model clauses for transfers.
Not just data
Besides data protection, countries are also more concerned than ever about critical infrastructure. After the attack in Estonia, which shut down digital access for almost all of April 2007, states are aware of current threats to their digital critical infrastructure. Cyber security, cyber defence and risk management measures are at the core of the national defence agenda in almost every country.
According to the ‘2016 Cybersecurity Report for Latin America and the Caribbean’ issued by the Organization of American States (OAS), Mexico, Brazil, Argentina, Chile and Colombia achieved an intermediate score in the cyber security ranking, but their response to breaches is still limited.
In 2017, Chile and Mexico released cyber security policies covering civil rights, national security, cooperation, the economy, innovation and infrastructure. Despite this, Mexico, Brazil and Chile suffered significant cyber attacks in 2018. Argentina, on the other hand, has focused on a programme to protect critical national infrastructure as a major part of its cyber security policy.
Colombia is also expanding its legal framework in this area. In 2016, the country released its public policy on cyber security primarily for public institutions, creating digital security risk management and enabling the deployment of a system for different levels of incident reporting. Despite this, the existing framework has been inadequate. Earlier this month, the country announced a new policy which will involve digital literacy and cyber security awareness, cooperation between the public and private sectors, a centralised authority for cyber security and incident reporting, and a registry of critical infrastructure. Changes to data protection rules and compliance were also announced.
The adoption of these measures to guarantee cyber security and national defence in Latin America will put businesses’ compliance under greater scrutiny. The main goal is to reduce cyber security vulnerabilities, foster cooperation and the use of new technologies, and balance new technologies with civil rights. This might be an opportunity for enterprises that offer cyber security services and talent training. It may also move us closer to tightening the regulatory framework around the world to protect the internet.
Cyber security for the financial sector
Following various cyber attacks on major banks in Mexico, Brazil and Chile in 2018, rules to protect the financial sector have been introduced.
Colombia has created a solid legal framework to guarantee cyber security for financial institutions. For instance, early in 2019, the Financial Superintendence of Colombia (SFC) issued ‘Circular 005’ regarding cloud computing services for financial institutions. The Ministry of Information and Communication Technology also released guidelines on cloud computing services and security in the cloud, which require controls and specific technologies.
Furthermore, in 2018, the SFC released ‘External Circular 007’, which outlined minimum requirements for cyber security risk management. The Circular introduced principles and guidelines regarding information processing and cyber security risks and responsibilities, cyber security policy and procedures. More recently, the SFC issued new amendments regarding biometric data and QR codes to guarantee cyber security. Mexico, Brazil and Chile have also focused on cyber security provisions for the financial sector, addressing cloud computing rules and cyber security standards.
Lorenzo Villegas-Carrasquilla is a partner at CMS Colombia. He can be contacted on +57 (1) 321 8910 or by email: lorenzo.villegas@cms-ra.com.
© Financier Worldwide
By Lorenzo Villegas-Carrasquilla, CMS Colombia