Latin American DPAs Dialing Up Guidance, Enforcement
Companies operating in Latin America should be aware that data protection authorities (DPAs) there are increasing guidance and enforcement, said panelists during a webinar Tuesday sponsored by TrustArc, a privacy compliance vendor.
Sign up for a free preview to unlock the rest of this article
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
Latin America is "maturing a lot more beyond simply enacting data-protection laws or updating" them, said Maria Badillo, policy counsel for global privacy at the Future of Privacy Forum (FPF). Regional authorities are "becoming more and more active through regulatory efforts" and enforcement, she said. In addition, Latin countries are increasingly "issuing guidance" and information about "levels of responsibility across organizations, and even what happens in [the] case of data protection violations.”
Though strategies and priorities among Latin DPAs are "very broad," Badillo mentioned "clarifying governance roles within organizations and issuing guidance on cross-border data transfers" as significant area trends.
A rise in enforcement is “focused on unlawful data-collection practices, specifically for biometric data,” where authorities are “performing a lot of interpretation of what is truly informed consent or valid consent," she said. Children’s data is also a hot issue, especially “related to the processing of children's data."
And this is only the beginning, Badillo said, as she anticipates more regulation and guidance, "especially with the rise of AI and [its] global and widespread adoption." FPF generated a list of key topics it expects DPAs will focus on, including issuing guidance on “how to better exercise or safeguard rights of data subjects” and “how to perform data protection impact assessments.”
TrustArc's Daniela Sanchez, TrustArc privacy knowledge lead, agreed. She cited El Salvador's recent AI law and bills for comprehensive AI legislation in Brazil, Chile, Argentina and Colombia.
Most Latin countries "have implemented GDPR-like laws,” Sanchez noted, while others, such as “Colombia, Argentina and Guatemala [have] active bills to implement" them.
Sanchez said that neurotechnology is another hot topic in the area and there will likely be guidance and regulations issued in the coming years. “We have a lot of countries trying to cover that front before those types of technologies are actually implemented in the region,” she said. This is an example of "forward-thinking," characteristic of privacy professionals in the region, added Joanne Furtsch, a TrustArc vice president.
Panelists agreed compliance can be complicated considering each country in the region has its own regulatory and enforcement regime. Accordingly, adopting "the most privacy-friendly approach" and one based on GDPR-like regulation is a prudent strategy for regional businesses, Sanchez said. In addition, “constantly monitor[ing] the legal developments and the enforcement to make sure you know the focus of the authorities.”