Data Protection Committee Conducts Survey on Security Incidents and Cookies in Latin America

Over the past few years, numerous jurisdictions have enacted laws to regulate businesses’ use of personal data. However, in Latin America, a significant number of jurisdictions still lack specific regulations, raising concerns for multinational companies creating international data protection policies.

To map the legislative status of personal data protection in Latin American jurisdictions, the Data Protection Committee collected information from local experts on two hot topics in data protection governance: security incidents and cookies. The results of this research are published in a new report titled, Security Incidents and Cookies in Latin American Countries.

The term “security incident” may have different meanings depending on the jurisdiction. The report refers to “security incidents” as any confirmed or suspected adverse event involving a data breach such as unauthorized, accidental, or unlawful access that results in destruction, loss, alteration, or leakage of data, as well as any form of inappropriate or unlawful data processing that could put the rights and freedoms of data subjects at risk, and, as such, requires notification.

The survey covers Argentina, Bolivia. Brazil, Chile, Costa Rica, the Dominican Republic, Ecuador, El Salvador, Guatemala, Jamaica, Mexico, Panama, Paraguay, Peru, Uruguay, and Venezuela. A significant number of these jurisdictions have yet to establish specific regulations concerning both personal data security and general personal data protection. Nonetheless, in certain instances, existing constitutional and civil laws might offer a legal framework, providing a basis for setting expectations across different jurisdictions.

Indeed, most of the respondents reported that security incidents involving personal data are somehow regulated in their jurisdictions. The obligation to report security incidents to local authorities varies among the surveyed jurisdictions. Likewise, the procedure, timeframe, content, and circumstances for reporting security incidents also observe different rules.

In seven jurisdictions, including Brazil and Mexico, failure to report a security incident is deemed a legal violation. The consequences vary based on administrative proceedings and can range from fines and suspension of operation to administrative sanctions.

The survey also delved into “cookie consent requirements.” It revealed that a majority of the jurisdictions surveyed lack explicit laws or administrative directives on this matter. In several jurisdictions, guidelines or statements from local data protection authorities or other governmental entities act as the de facto standards in the absence of formal regulations.

Unlike practices in Europe and the United States, the obligation to display cookie banners on websites is not widespread across the surveyed jurisdictions. However, in order to be compliant with general principles of transparency and consumer protection, implementing such banners is still deemed best practice. In the jurisdictions that do mandate cookie banners, failing to obtain explicit consent for cookie installation may lead to penalties such as fines, database suspension, and other corrective actions. Interestingly, in those jurisdictions lacking specific cookie policy regulations or enforcing authorities, consenting to cookie policies essentially equates to agreeing to a binding contract, largely due to prevailing civil law practices.

The survey ultimately highlights a lack of uniformity in data protection regulation across Latin America. Despite security incidents and cookies representing only a fraction of the broader personal data protection compliance and governance spectrum, the survey offers valuable insights into the current legislative landscape and best practices within Latin America. Law firms and in-house legal teams seeking a comprehensive understanding of privacy laws across these jurisdictions will no doubt find the report both informative and beneficial.

Read the Security Incidents and Cookies in Latin American Countries report.

Although every effort has been made to verify the accuracy of this article, readers are urged to check independently on matters of specific concern or interest. 

© 2024 International Trademark Association