Category Archives: Latin America

Latin American Data Export Governance

Data flows are global, but privacy laws are local. I first uttered that statement in the last century during initial discussions on whether the United States had adequate privacy protection as defined by the 1995 European Union Data Protection Directive. At the time, I argued that privacy protections in the United States were a mosaic of federal and state laws, media attention, and private litigation that made the U.S. system effective — and effective is adequate. I also argued that the change in the wording of the Directive from equivalent to adequate was significant.  Alas, the U.S. was not among the handful of countries found adequate.

That was a simpler time before terrorism made government use of private sector data more globally pervasive, the use of observational data had accelerated, big data had become part of our vocabulary, and cars were not part of the internet of things. So, the question of adequate countries has become much more complex. Comparing country laws and systems to other country laws and systems has become more problematic. If anything, it has made governance alternatives to adequacy more and more appealing. The simplicity of the Canadian accountability requirements for data export has become more and more attractive.

Latin America has now entered this complex adequacy equation. Personal data must flow from Latin American countries to the rest of the world for Latin Americans to be part of the global society of connected individuals. Latin American data protection authorities have an obligation to make sure their national citizens are protected when data goes beyond borders.  Latin American interests mirror those that we see in Europe and Asia. As Brazil contemplates new legislation and the Ibero-American Data Protection Network Standards foretell revised legislation in other jurisdictions, it is useful to contemplate how policy makers might achieve protection and the free flow of data in highly complex ecosystems.

The comment period just closed on a draft decree from Colombia’s Superintendent of Industry and Commerce (“SIC”) on data transfers.  Colombian law and secondary regulations require data only be transferred to countries with adequate privacy protections unless there is an exception. However, Colombia’s concept of transfers is very different than what one would find in European law. Colombia’s secondary regulations differentiate between a transfer, where data is exported to another controller, and transmissions, where data is shared with foreign processors. It is likely that most of the data that leaves Colombia is going to a processor, which means it is a transmission. Both transmissions and transfers are subject to a 2015 SIC decree on accountability. That means that controllers are always responsible for the data they share with others, and most controllers identify and mitigate the risks related to data movement. I filed comments on this latest draft decree.

The draft SIC decree lists countries that have been determined to be adequate. That list includes countries that are members of the European Union, most of those determined to be adequate by the EU Commission, and the U.S.A.  I believe the U.S. was found to be adequate, not because privacy law and enforcement were found to be similar to Colombia’s, but rather because the U.S. is effective in protecting against careless and harmful data processing. Determining the adequacy of another country’s data protection and privacy protections is always difficult and complex. After 20 years, it is gratifying that the effective argument has some standing. But in the end, it is the accountability decree that is of most importance. Whether it is a transfer or a transmission, a data exporter owns the risks to others associated with all data processing phases, including movements across borders.

Most new and proposed general data protection laws contain accountability provisions. Linking accountability to responsible data movement is an effective means for signaling companies that they have ongoing obligations when data is moved. The due diligence they take to mitigate risk when moving data is what is ultimately important. For example, U.S. financial institutions do not have adequacy requirements, but they do have data safe guarding requirements that require high levels of assurance that the organization stands accountable when processing outside the United States.

My Colombia comments place an emphasis not on blanket requirements but rather on requiring organizations to understand the risk to people associated with a data export, and require contract provisions related to those risks. It is my view that tailored provisions protect against reticence risk as well as the other risks associated with processing.

The bottom-line for Latin American regulators, and those in Asia as well, is that protection of individuals will come more from accountability requirements than all the hours spent assessing whether other legal systems meet an adequacy test. And for companies, adequacy is not a get-out-of-jail free card. Companies will still have to have policies and procedures to protect individuals when data moves.

The IAF has an Americas Discussion Group. If you have an interest please contact Marty at

Europe Sets the Standard – Other Regions Follow

Europe Sets the Standard – Other Regions Follow The Ibero-American Data Protection Network (“network”) adopted “Standards for Personal Data Protection for Ibero-American States“ (“SPDP”) on June 20, 2017 at its meeting in Santiago, Chile, with the official English translation now available. Most data protection experts have predicted that the adequacy provisions of the European General… Continue Reading

The Colombia Congress Matters

There seems to be a privacy conference every week in the United States or Europe. However, privacy training and policy development in Latin America is not nearly as well developed as that in the United States and Europe. Latin America has one annual conference that is clearly considered the conference of conferences. It is organized… Continue Reading

IAF Policy Call

The ePrivacy Regulation may swallow any flexibility built into the GDPR.  What does mean for effective data protection governance and the ability for companies to build value by thinking with data?  Does the adequacy drive from Latin America cause additional disruption?  Will the International conference in Hong Kong bring balance back to global discussions?  Join… Continue Reading

IAF Announces International Advisory Board

The Information Accountability Foundation is truly international in its focus. As such, it relies heavily on non-U.S. supporters who provide insight and in-kind services that make its international programs so successful. To that end, the IAF has created an International Advisory Board comprised of members of its family that go well beyond just financial support.… Continue Reading

Look North

Canada, from a data protection perspective, has often been the bridge between U.S. harms-based approaches to privacy and European rights-based approaches to data protection. Canada is again showing its leadership, and this time has done so in the discussion and consultation paper released by the Office of the Privacy Commissioner on 11 May  2016. The title… Continue Reading

Information Impact Assessments Key to Protection with Innovation

Data must be used to improve global healthcare, economic opportunity, freedom of choice and expression, and functionality of markets. Data must be governed to assure the full range of interests and rights that are the basis of free democracies in the 21st century. Among those interests is the freedom from digital predestination–where probability alone determines… Continue Reading

Year-End Policy Call

2015 has been a most remarkable year for data protection, and 2016 will be full of challenges. To provide food for thought over the holiday break, the team at the Information Accountability Foundation will provide insights on accountability-based challenges for 2016. The discussion will touch on recent and upcoming policy as well as regulatory developments… Continue Reading

The Sophisticated Discussions Take Place in South America

Do you want to attend a cutting edge privacy conference? You need to book your reservations for Colombia in 2016. The Third International Data Protection Congress in Colombia took place in Medellín, Colombia, last week. The conference is put on by the country’s Office of the Superintendency of Industry and Commerce (SIC) and sponsored by… Continue Reading

IAF to Co-host International Conference on Data Protection

The Foundation and the Superintendencia de Industria y Comercio of Colombia will host the “The Third International Conference on Data Protection” in Medellin during 28-29 May 2015. The meeting will convene policy, regulatory, business, and civil society leaders from across the Americas. For more information about the event, contact us at Continue Reading