Spotlight: Personal data protection regulations in Latin America

Editor's note: Corrected to show that Argentine legislation has not yet been updated.

Latin America has tightened its focus on data protection and privacy regulations.

Regional powerhouses Brazil introduced new rules this half.

A regional trailblazer, Argentina presented draft legislation this year to update existing regulations having introduced a law 20 years ago that aligned regulations with the European model.

Elsewhere, neighbor Uruguay issued an associated decree in February, updating a 2017 law. In Chile, a bill remains in congress after being submitted several years ago. National transparency council CPLT chief Gloria de la Fuente has urged progress.

As well as pressure stemming from digital transformation, among the drivers in Latin America is bringing frameworks in line with the EU General Data Protection Regulation of 2016, or GDPR as it is known, to support trade and investment links with the bloc.

GDPR applies not only to organizations within the EU but also to organizations outside of the bloc "offering goods/services (paid or for free) or monitoring the behavior of individuals in the EU," the European Commission, the EU's executive arm, said. The regulation reshapes the way data must be handled in every sector, from banking and insurance through to the likes of healthcare and telecom.

Most countries in the region have a general data protection law in place, according to Peru’s Universidad ESAN. Among the latest to join the club is Panama, which passed legislation last year.

Out of the 16 major economies examined by the higher education institution, only Bolivia, El Salvador and Guatemala have no general data protection laws on the books, although proposals have been made. 

In El Salvador, lawmakers this year consulted the private sector as part of a bill-drafting process and draft legislation should get the green light in 2021, BNamericas has learned. El Salvador does have legislation concerning personal data protection – but this is applicable only to government entities.  

Data privacy and data protection is an area that saw “a lot of activity” in Latin America in 2020, OneSpan, a company that develops digital solutions for identity, security and business productivity, said in a financial regulations report.

“The regulatory environment in the financial sector is ever changing,” the report said.

“While the pandemic has prioritized the move to digital services, the reality is the industry has been migrating to digital for some time. The pandemic, in turn, exposed shortcomings in security and technical infrastructure, particularly in jurisdictions and financial institutions that have been lagging in the migration to digital. As a result, we will continue to see more data privacy and data protection laws enacted throughout the world.”

US-headquartered OneSpan works with financial institutions and other businesses globally – including in Latin America. OneSpan’s Trusted Identity Platform brings together a broad portfolio of security technologies to enable real-time fraud detection through a cloud-based and API platform that helps prevent account takeover, new account fraud and application fraud against financial institutions.  

In terms of regulatory frameworks, the key is in the detail, OneSpan’s director of global regulations and standards, Michael Magrath, told BNamericas.

“Globally, you’re seeing more and more countries enact these very heavyweight data protection laws. Brazil’s just went into effect a couple of months ago,” Magrath said. “GDPR in Europe was kind of the first and that’s led to other countries taking a hard look at how they protect consumers.”

But legislation tends to have shortfalls – and Magrath urged Latin American lawmakers to consider these.

“One of the things that’s really lacking in these laws is that, they are data protection, but they are very open ended regarding how to protect that data,” said Magrath, co-author of the OneSpan report.

“You can write down ‘you can’t do this, this or this’ but it leaves it open-ended as to how an organization is really protecting that data. Are they using static passwords? Or are they hardening that with encryption? Are they using multi-factor authentication to access that data? Are customers using multi-factor authentication to access data and transact online?”

Guidance around how to protect the data itself – and rules regarding how companies obtain consumer consent – is critical, Magrath added.

Against this backdrop, OneSpan has seen an increase in business in the areas of mobile application security and electronic signature solutions, including in Latin America.

General industry trends, Magrath said, include a tighter focus on identity-verification across multiple verticals and segments – such as telemedicine – and the leveraging of government data to strengthen these processes, moves already underway in the US and UK. 

Underlying drivers are the impact of online fraud on economic growth, as well as the rapid global march of digital transformation, turbo-boosted by the pandemic.

Read the OneSpan Global Financial Regulations Report