Due to the speed in which technology – particularly IT and cloud computing – develops, as well as their tendency to cross international borders and jurisdictions, there is a mounting pressure on the legal systems of the countries concerned to create new policies or modify existing ones in order to adapt to the ever changing IT landscape, particularly with regard to data transfer, data collection, and data privacy, as different countries will have different (and sometimes conflicting) laws and policies, resulting in international data transfers that are otherwise perfectly legal in their originating countries violating laws in different countries where the data transmission passes, or where the data itself ended up stored.
The International collection, transfer, and storage of data and its conflicts with various international laws were already a problem in the early days of the Internet, but the rise of cloud computing has further exacerbated the phenomenon. All the various kinds of cloud applications and services – from cloud storage, to web based email, to cloud-based tools such as office suites – result in data being accessed, transferred, and stored in different countries on a regular basis.
It is therefore important that questions about the legal model that should be responsible for these kinds of transactions be posed, and that the most appropriate models for regulation and processing in cloud computing be the adoption of contractual stipulations aimed at preserving data integrity and privacy, while preventing it from turning into a loophole that cyber criminals or malicious individuals can use as a safe haven or protection from the law.
Personal Data Protection and Privacy
One of the key things about the data protection system in Latin America is that it differs greatly from the European and US models. Unlike Europe, there is no international treaty or supranational regional body of rules that regulates the protection of personal data nor their transfer. Unlike the US, a large number of Latin American countries and legal systems have data protection provisos enshrined in their Constitution. However, the problem with Latin American legal systems is that in spite of having provisions regarding protection of personal data in their constitutions, most of the countries have no legal rules building on said constitutional precepts. At best, the countries in question have had a delayed legislative development.
Argentina on Personal Data Protection
In Argentina, the regulations on personal data protection are developed out of a series of principles established in sections 4 to 12 of Law 25326. Argentina’s more proactive approach to safeguard the personal data through legislation has led to the country being recognized by the European Commission as the only Latin American country with an adequate level of protection, resulting in the country becoming the main recipient of personal data transferred from Spain to other Latin American countries.
In order to protect personal data, Argentina has created various principles of purpose, data quality, proportionality, transparency in processing, safety, modification, access, and opposition as well as restriction of successive transfers to outside countries. The only exclusions to Argentina’s laws regarding personal data are judicial and police collaboration, the fight against terrorism, the exchange of medical information, stock exchange and bank transfers, or transfers agreed within the framework of an international treaty.
Argentina’s laws provide no special provisions or special rules on the right to privacy when it comes to the Internet. The country’s justice courts tend to treat cases regarding privacy on the Internet the same as the ones in other media, such as TV and print. Their laws also lump the Internet and services provide through it in “files, databases, or other technical media for data processing.”
Colombia on Personal Data Protection
In Colombia, while there is a constitutional rule on the right to privacy, honor and good name, as well as legal protection granted to habeas data, there are no legal regulations that help develop the rights issued for more than 17 years. The right to privacy in Colombia was developed mainly on the basis of previous decisions, focusing on Constitutional rulings that started to define their essential core.
Colombia’s model regarding international transfer and data processing is extremely protectionist; any data processing requires previous, express, and informed consent. This is an extremely high standard that can’t even be found in European models.
When it comes to access to personal information via the Internet, Colombia’s draft statutory law contains a prohibition stating that “personal data, except for public information, shall not be available on the Internet.” This odd stipulation treats the Internet only as a means of communication, overlooking the fact that there are numerous services provided through the Internet that would require privacy protection.
The above means that Colombia prohibits the transfer or storage of personal data via Internet and cloud computing systems. In fact, their laws can be stretched and interpreted in a way that prohibits disclosure of private information like biographies or personal information on social networks. The key takeaway is that Colombia’s laws are not meant for a world with Internet, as they are made up of obsolescent rules.
Chile on Personal Data Protection
In Chile, the processing of personal data in registries or databases maintained by public or private bodies is ruled by Law 19628 on the Protection of Private Life or protection of personal data. Law 19628 governs over data processing that consists of personal information collection, processing, transfer and storage, and is applied to processing, collection, and storage of data over the Internet. This is because Chile has not yet created specific rules custom-tailored to the IT sector, and has been using or extending preexisting legislation to deal with cases.
When it comes to transfer of personal data internationally, Chile’s laws do not establish a specific pattern. They consider international transfer of data as included in the concept of processing, and is allowed as long as it complies with the provisions of their law for data processing. However, in the original text submitted before their Chamber of Deputies, which was not approved by the law makers, transfers to countries or third parties are prohibited if they don’t have the same level of protection as those prevailing in Chile.
Chile’s law is the subject of controversy and criticism due to its lack of principle of purpose with regard to personal data processing, which means it lacks legal effect. Currently, their legislative branch is working on a bill that will incorporate the principle of purpose in Law 19628, which is a step in the right direction but not enough, as the law in question uses broad strokes and can still be subject to loopholes, especially due to the rapidly-developing nature of cloud computing technology.
Mexico on Personal Data Protection
Mexico is fairly late when it comes to crafting laws on personal data protection, having passed one only last 2010. Like with other countries, Mexico’s laws on personal data hinges on principles of purpose and consent, establishing that any processing of personal data is subject to the owner’s consent, with the stipulation that there are different ways of expressing consent, and that there are specific cases where consent may be bypassed, such as anything that concerns national security.
Due to its relatively young age, having been made when the cloud and IT industry is already in full swing, Mexico’s rules regarding personal data processing are much more suited to personal data processing over the Internet and over the cloud. For instance, provided that the data transfer happened and includes a privacy notice, the cybernaut’s behavior implies that they have accepted the conditions set forth by such notice (re: implicit consent). This opt-out system is conducive to smooth data transfers over the Internet and in the cloud.
The same amount of protection is afforded to international data transfers. For instance, Section 36 gives authorization to international data transfers as long as they are carried out in accordance with the privacy notice. Their laws also anticipate scenarios in which international data transfers are authorized even if the owner of the information has not given their consent, either intentionally or due to lack of foreknowledge. The events in question tend to cover a broader scope than those covered by the legislations of other countries in the region. In cases like this, Mexican law seems flexible enough and capable of adapting to the changes in IT trends in a reasonable speed and manner.
Data Retention: Conflicts Regarding the Right to Privacy
Personal Data Retention means the storage of personal information, from telephone call records and Internet traffic logs, and communication content – by public entities or business companies. Many rules regarding personal data retention consider the protection of personal information as another form of data processing.
Majority of legal systems do not allow communication violations, under the principle associated to the very origins of the liberal state in the 18th century. However, a series of recent events have set precedents for nations to create restrictions on said principle, allowing communication violations and rights to privacy to be withheld in the interest of national security or criminal prosecution. One of the main reasons for the shift is the terrorist attacks that hit New York on September 11, 2001. Another would be those that took place in Madrid on March 11, 2004, as well as those that occurred in London on July 7, 2005. The attacks led the European and US authorities to consider data retention as an effective means of predicting, anticipating, and preventing terrorist attacks, as well as help greatly in the fight against organized crime.
The legal developments concerning the above were not meant with praise, though, as the measures were deemed exaggerated and a danger to the rights to privacy. They are also criticized for being disproportionate, as the effectiveness of the measures do not compensate for the damages and limitations sustained by the rights to privacy: the results achieved by the measures are not considered enough justification for the extremely high levels of privacy limitation and intrusion. Thus, modifications to the scope of said measures have been proposed in order to meet halfway and achieve a more balanced scenario.
Latin America on Retention of Personal Information
Latin America currently doesn’t have any rules that can be assimilated to the European directive on personal data conservation or retention. It is worth noting that Latin American legislators usually have legal frameworks regulating the intervention in communications (particularly telecommunications) when there is a previous judicial order.
However, different countries tend to have different rules when it comes to imposing a series of obligations in terms of information retention, especially when it comes to credit and financial information and regarding obligations of the data banks that store this kind of information and their reports. This is attributed by pundits to the fact that majority of Latin American countries have not had to deal with any attack from outside forces that could have motivated the government to redesign its communication laws and internet traffic information, in an effort to help police authorities access pertinent information.
Conclusions and Recommendations
Due to Europe’s strong influence on Latin American legislation with regard to rules on personal data protection, Latin America has laws, policies, and rules regarding personal data protection on the cloud that are up to par with European standards. While they’re not excellent by any means and still have room for improvement, they can be considered as capable of providing adequate protection. This is why the last 11 years sees a lot of Latin American countries undergoing a transition from the habeas data model to general legislations with stringent and specific data protections.
Generaly, Latin American legislations tend to be stringent and based on their European counterparts, but it is fortunate that many of their laws are flexible and capable of acknowledging changes and developments in the IT and cloud computing industry. This ensures that there is a balanced scenario; privacy and personal data protection on the cloud is a fundamental right that must be protected, but the protection should be done in a reasonable, flexible, and proportionate manner. At the end of the day, Latin American countries would all benefit from working together on a joint policy to establish reasonable and balanced protection standards appropriate to contemporary privacy issues, which will ensure the adoption of a fair and adaptable regulatory framework designed to respond to the challenges posed by the Internet and the cloud.