Privacy and Cybersecurity Developments in Latin America

The Situation: Latin American governments, business leaders, and legal advisors continue to address privacy and cybersecurity concerns.

The Result: The development and implementation of privacy-focused regulations is a priority throughout the region.

Looking Ahead: Latin America appears to be on track for the implementation of EU-influenced comprehensive data protection regimes.

As is the case in most of the world's industrialized regions, Latin America's policymakers, industry leaders, and legal practitioners are giving significant attention to privacy, data breach, and cybersecurity matters. The ever-increasing acceleration in the introduction of new technologies, and the potential problems and liability related to compromised information, has raised these concerns to an even greater level. This Jones Day Commentary outlines recent developments in Latin America's privacy and cybersecurity landscape.

Danger Ahead?

Industry players see dangers in the unrestricted use of data and in possible cybersecurity breaches related to new technologies. Cybersecurity and related technologies, along with technological developments in areas like blockchain and digital currencies, artificial intelligence, autonomous vehicles, robotics, and the cloud, are under careful analysis by regulators and companies in the region, and they are expected to drive the legal industry in the coming years.

Cyberattacks Remain a Serious Concern

Banco de Mexico issued a statement that three banks experienced "incidents" with the Interbank Electronic Payment System known as SPEI, requiring them to connect under contingency schemes. The incidents caused significant interruption and delays in banking transfers, although the system infrastructure and client deposits apparently were not affected.

Although the cyberattack was not successful, it came just a few months after hackers attempted to steal funds from Bancomex, the export-import bank of the Mexican government. In addition, the Colombian Industrial Cybersecurity Center recently published a study detailing the increase of data breach incidents. All this came as a reminder that these issues are very real in the region, and they indicate that many individual companies, and the financial services industry, remain unprepared.

New Fintech Law

Mexico and Brazil lead the development of financial technology institutions ("Fintech") in the region.

Mexico's new Fintech law illustrates the importance new technologies are acquiring in the region and is likely to become a model precedent for neighboring countries cognizant of technological changes and their applications. According to the Comisión Nacional Bancaria y de Valores ("CNBV"), Mexico's banking and securities regulator, this is the first law of this kind in the Americas and is based, among others, on the principles of financial inclusion and innovation.

Brazil maintains a strong, innovation-driven Fintech sector. The new regulation on Cybersecurity Policies and Requirements for Data Processing and Storage issued by Brazil's National Monetary Council will bring more certainty, but also heavy obligations, to financial institutions.

Harmonizing with the European Union

Latin American countries appear to be developing privacy and data protection regulations in concert with European Union directives, as evidenced by:

  • Argentina, Costa Rica, and Chile recently adhering to the Budapest Convention on cybercrime, and additional countries, such as Mexico, Colombia, and Paraguay, considering observance.
  • The publication of the Standards for Data Protection for the Ibero-American States by the Red Iberoamericana in June 2017, which used the European Union's General Data Protection Regulation ("GDPR") as a guideline.
  • The enforcement of laws based on EU Directive 95/46/CE, and the use of EU mandates in developing Latin America's cybersecurity regulations.

Leaning Toward a "Notification to Authority" Model

Latin American countries appear to lean toward a data incident "notification to the authority" model, following the already established obligations in the United States and the European Union.

Some Latin American countries, such as Mexico and Peru, have laws requiring notification to the data subjects, but not to the authority. However, Mexico recently issued a proposal where notification to the authority would also be required. Other countries, including Colombia, already have authority notification requirements.

Jones Day partnered with professionals in the privacy and cybersecurity industry to host the Third Annual Latin American Privacy and Cybersecurity Symposium in Mexico City and discuss new legal obligations and trends in cybersecurity and data privacy in the region.

Five Key Takeaways

  1. Interest in cybersecurity and technology is increasing in Latin America.
  2. Cyberattacks are a serious problem in the region.
  3. Mexico and Brazil lead the development of Fintech in Latin America.
  4. Latin American countries are developing privacy and data protection laws in harmony with EU regulations.
  5. Latin American countries lean toward a "notification to the authority" model, following the already established obligations in the United States and the European Union.

Lawyer Contacts

For further information, please contact your principal Firm representative or the lawyers listed below. General email messages may be sent using our "Contact Us" form, which can be found at

Guillermo E. Larrea
Mexico City

Mauricio F. Paez
New York

Todd S. McClelland

Richard M. Martinez

Sergio Alvarez-Mena

Mark W. Rasmussen

Javier A. Cortés
Mexico City

Olivier Haas

Marina E. Moreno

Jones Day publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our "Contact Us" form, which can be found on our website at The mailing of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.