New Ibero-American Standards to Provide Consistency in the Protection of Personal Data
The Situation: On June 20, 2017, the Ibero-American Network for Data Protection approved the Standards for Data Protection for the Ibero-American States.
The Result: For the first time, the Ibero-American countries (the Spanish-speaking countries in North, Central, and South America, plus Portuguese-speaking Brazil) have a legal basis for creating a common framework in those regions for the protection of personal data.
Looking Ahead: The Standards constitute an essential tool for development of new regulations for the protection of data, based on a unified set of principles.
The Ibero-American Network for the Protection of Data has approved the Standards for Data Protection for the Ibero-American States.
The principal objective of the Standards is to establish a common framework of principles and rights for the protection of data in the different national legislations of the Ibero-American states. The Standards are intended to guarantee homogeneous guardianship of the right to the protection of personal data in all of the Ibero-American states and will facilitate the flow of personal data among them and beyond their borders.
The Standards have taken as their reference the new Regulation (EU) 2016/679 (the General Data Protection Regulation, or "GDPR") and include measures and provisions that are very similar to those presented in the GDPR.
Scope of Application. The Standards will be applicable to the processing of personal data of physical persons, although each state's local legislation may also cover legal persons. With regard to territorial scope, they will be applicable to data processing conducted within the territory of the Ibero-American states and, in specific cases, to responsible parties located outside of the Ibero-American states.
General Principles for the Protection of Data. The Standards identify certain basic principles that must govern the processing of personal data, including its legitimacy, legality, fairness, transparency, purposes, proportionality, quality, liability, security, and confidentiality. The processing of personal data must be conducted on a strictly legal basis, in accordance with, among other things, the unequivocal, informed consent of the holder.
Rights of the Holders of Personal Data. The Standards expressly acknowledge the rights to access, rectification, cancellation, and opposition, as well as other, new rights, such as the right to not be subject to individual, automated decisions (except in specific cases); the right to limitation of processing; and the right to portability. They also expressly acknowledge the right of the holders to submit a claim before the supervisory authority in the case of violation of their rights, as well as the right to indemnification.
Proactive Responsibility. Responsible parties must implement the necessary mechanisms to certify compliance with the principles and obligations included in the Standards. Means for proactive responsibility are included in the Standards, such as the adoption of privacy measures by design and by default, the obligation to conduct impact assessments in selected circumstances, and the obligation, in specific cases, to designate a personal data protection official.
Data Processor. The Standards expressly define a "data processor" as the entity that processes personal data "without decision-making power over processing" and according to the terms set by the data controller. The relationship between the data processor and the data controller must be formalized in a contract that must include certain basic content.
Security Breaches. Data controllers must immediately notify both the Supervisory Authority and the affected parties of security breaches, unless the unlikeliness of a security violation can be demonstrated.
International Transfers. As a general rule, international transfers to certain recipients (territory, sector, business, or international organizations) will be permitted, as long as they have been recognized as having a sufficient level of protection by the transferring country. Such transfers will also be permitted if the data exporter offers sufficient guarantees (and has been accredited for doing so) to complete the processing in the recipient country. The validity of the standard contract clauses, the Binding Cooperative Standards, or certification mechanisms is recognized.
The Standards constitute a flexible model that responds to national and international needs and requirements and that guarantees an adequate level of protection of personal data, without establishing barriers to the free movement of information and commercial activities in the region. It will be the responsibility of the Ibero-American states to establish local standards and measures to promote compliance with the data protection legislation, including each Ibero-American state's obligation to establish one or more fully autonomous supervisory authorities, to ensure the protection of personal data.
Two Key Takeaways
- The Standards are a unifying step in the processing of personal data of the Ibero-American states, which, to date, have different data protection regulations.
- The Standards envisage the development of new local data protection standards that will oblige companies to review their procedures and programs on personal data.
For further information, please contact your principal Firm representative or one of the other lawyers listed below. General email messages may be sent using our "Contact Us" form, which can be found at www.jonesday.com/contactus/.
Daniel J. McLoon
Mauricio F. Paez
Guillermo E. Larrea