Data Privacy in Central America
The digitalization of services and markets is the phenomenon that has defined the direction of commercial and social relations between people. Especially in the Western world, it has had and has a significant socioeconomic impact on the lives of inhabitants, corporations and even public entities of any kind.
Consequently, new responsibilities arise, to which the law and the different legal systems must adapt. The protection of personal data is therefore a fundamental element in the economic and social environment; as the new forms of business that incorporate companies, governments and people evolve into the digital era. These elements all demand from the authorities efforts in the protection of the personal information to guarantee the privacy and intimacy of each individual.
Currently, in places such as the United States and Europe, Data Privacy is widely developed and effectively applied in practically all business relationships; nonetheless, when we look at the Central American region, the differences are evident. Therefore, it has been considered necessary to promote initiatives that recognize the importance of the matter and its proper regulation.
Are the inhabitants then unprotected?
It is important to emphasize that, although countries such as Honduras, El Salvador and Guatemala currently lack explicit regulations regarding how Personal Data should be processed, stored, collected and distributed; this does not mean that people are helpless in the event of abuses or unlawful practices against their rights.
Principles such as informational self-determination and the right to privacy are recognized and guaranteed jurisprudentially or through the analogical application of alternative and preexisting norms in these countries.
Honduras, for example, in 2014 approved the Electronic Commerce Law, which addresses ecommerce relationships. By the end of 2013, they had approved and incorporated the Law on Electronic Signatures, which helped regulations regarding the development of new models of contracts, responding to the market and its needs.
Currently, a preliminary draft on the Protection of Personal Data Law covers sensitive data that affects the privacy of individuals. This law will essentially propose the establishment of a procedural scheme towards the elaboration of both a Law and a Data Protection Agency (Prodatos), part of the Institute of Access to Public Information (IAIP), an entity that would monitor compliance with said law.
While Guatemala has the Public Information Access Law, which regulates access to information by Public Institutions and provides certain tools to protect its inhabitants against abuses on behalf of the government institutions.
The situation is no different in El Salvador, where no specific Data Privacy Law is recognized; the only know regulation limits and protect solely credit information. To this day this is the closest they get towards a specific law created to protect the people’s right to privacy and informational self-determination.
As an exception, Costa Rica was until recently, the only country that had a clear and concise Legislation that protects the Personal Data and Information of its Inhabitants since 2011, at which time a Data Protection Agency was created with the purpose of monitor, register and sanction people or undertakings that gather, use or distribute data without the knowledge or consent of their users.
Costa Rican law binds every person or enterprise to apply proper data privacy policies on every relationship that takes place in the country. Specially addressed to companies that gather and collect personal data with business purposes; they are now compelled by law to inform the costumer why is this information being asked, for what purposes and how they can unsubscribe from their data bases.
Changes also include the necessity of intensifying cyber-security practices directed to protect their data bases according to the nature of the information stored and gathered by the companies.
Sanctions are in order to anyone that decides not to comply with the Data Privacy Law, both administrative, and judicial procedures can be pursued against the person or company responsible. They way to follow, will be determined by the severity of the infringement or the following consequences.
Nowadays, just like Costa Rica; Nicaragua issued their Personal Data Protection Law, number 787, which stablishes as main regulations, the following principles:
- Notice: data subjects should be given notice when their data is being collected;
- Purpose: data should only be used for the purpose stated and not for any other purposes;
- Consent: data should not be disclosed without the data subject’s consent;
- Security: collected data should be kept secure from any potential abuses;
- Disclosure: data subjects should be informed as to who is collecting their data;
- Access: data subjects should be allowed to access their data and make corrections to any inaccurate data; and
- Accountability: data subjects should have a method available to them to hold data collectors accountable for following the above principles.
Is this good for business?
The current absence of clear regulation, and what appears to be an imminent creation of new laws in Central America, will unavoidably affect the way business relationships are handled.
There are at least two sides to be considered, the personal and the business end of the equation.
For the citizens, a tool that protects them against an unlawful use of their data is clearly a privilege that benefits them all equally. With time and education, more and more people will raise awareness on their rights, and fewer problems will arise.
On the other hand, every company, business, undertake, government institution among others, will be forced to comply with Data Privacy policies. This means that investments will be necessary, in many areas to insure that the rules are followed as a way to void two main scenarios:
- Reputation scandals.
From a business point of view, investing in a proper internal data privacy policies will guarantee that no penalties will be suffered and more important, scandal against their business are less likely.
Gathering, selling and using personal information unlawfully obtained will be a condemned practice, not only by the data privacy agencies, but by the public eye too; even more so security breaches on their data bases.
From this point of view, the implementation of these laws and regulations will definitively imply an investment on bylaws, cybersecurity and data base security, especially for big enterprises. But it could be considered as an investment and a “good publicity” strategy to comply with these regulations, insuring the consumers that their information is gathered safely and for specific purposes.
Unavoidably the change is coming, the best we can do is to adapt and turn it as a favorable weapon from a business point of view.
Jaime has more than 7 years of experience in the field of Law, and currently stands out for being an expert on intellectual property issues.
He has developed his practice in the area of intellectual property, mainly in matters related to trademarks, patents, and copyright, thus he has been able to combine his knowledge and experience to provide commercial advice to important clients and companies.
He recently completed a Master's Degree in Information Technology and Communication, Social Networks and Intellectual Property Law at the prestigious ESADE University of Barcelona; Recognized as the best masters in the area at European level. This has allowed him to focus and direct his practice towards the digital and corporate world.
At the moment Jaime is one of the few professionals specialized in Law of the TIC in Costa Rica.
Jaime has more than 2 years of experience as a Public Prosecutor, which has allowed him to develop skills in litigation that proved to be of great value since his arrival at the firm, especially for compliance and anti-piracy issues.
Its multidisciplinary profile indicates that it is able to advise its clients and solve problems effectively.