Habeas Data and Personal Data Protection in Latin America

Berenice Fernandez Nieto Aug 25 2022 Blog

DISCUSSION PIECE


"According to recent estimates, in 2022, 2.5 quintillion data are generated daily, and at least 1200 petabytes are saved and exchanged through digital media." 

Wilse, 2022

Our daily lives are increasingly influenced by digital data. Its value and potential are widely acknowledged in a variety of industries, due to the enormous benefits it generates every day. Against this background, data privacy is a hot topic on numerous countries’ policy agendas.

Data protection entails not only establishing rules for proper data collection, storage, and analysis, but also considering the right to privacy. Over time, several regions have built their own regulatory approach for protecting privacy and information. In Latin America, this approach is known as habeas data.

What is Habeas Data?

Habeas data is the right of individuals to access, update, rectify, and delete personal data collected by third parties and stored in databases.

When we think of the collection and safeguarding of personal data, we generally consider those subjected to data collection as passive actors who, nevertheless, have legal frameworks designed for the protection and proper treatment of their data. Habeas data grants these subjects agency through the right to access, rectify, and eliminate data stored about them. Data protection is part of habeas data and acts as both a rights-giving mechanism for individuals and an obligation on the part of the State and its institutions. Compliance is directly related to the right to privacy, as well as access to information, which are both enshrined in various international treaties.

What is Personal Data?
  • Personal data consists of any information related to a person, e.g., address, bank details, telephone number, pictures, etc. 
  • Every day, we share data with third parties both in the digital and offline world. Think about all the occasions when our address is required in banking transactions, when signing to support NGO campaigns, attending medical appointments, participating in sweepstakes, etc.
  • Personal data flow takes place offline and online, although today, it is generally stored and processed digitally through multiple platforms and services. The above gives the exercise of habeas data a new dimension. 

Source: Industria y Comercio (n.d.)

Practices in Latin America

Habeas Data is considered a constitutional right in Latin America because it is found in practically all Latin American constitutions, where it is recognized either substantively or procedurally (Organization of American States, 2013). According to data from 2011, 65% of Latin American countries have explicit provisions in their constitutions regarding personal data protection, habeas data, and privacy.

The Latin American approach to habeas data emerges from the regional prioritization of the right to privacy, considered a fundamental right, which has a special significance in the region due to the historical struggle against repressive regimes. Although several countries do not have a formal privacy law (for example, Venezuela), the habeas data principle and articles on privacy protection are enshrined in their constitutions (Villegas, 2012).

The principle allows citizens to access their data through a mechanism of habeas data appeals, which should be simple, without complex administrative procedures, easy to access, low cost, and should not require the applicant to provide an explanation of why they want to access the data. If there are impediments to the exercise of this right, these must comply with the proportionality and necessity principles (for example, if national security is at stake) (Lanza, 2017). 

In the region, the Red Iberoamericana de Protección de Datos [Ibero-American Data Protection Network] and the Inter-American Juridical Committee (CJI, for its Spanish acronym, Comité Jurídico Interamericano) of the Organization of American States are in charge of promoting data protection. Specifically, the CJI adopted the Propuesta de Declaración de Principios de Privacidad y Protección de Datos Personales [Proposal for a Statement of Privacy and Personal Data Protection Principles] (Stuart, 2012), which includes the following principles:

  • Lawful and Fair Purposes
  • Clarity and Consent
  • Relevance and Necessity
  • Limited Use and Retention
  • Duty of Confidentiality
  • Protection and Security 
  • Accuracy of Data
  • Access and Correction
  • Sensitive Personal Data
  • Accountability 
  • Trans-border Flow of Data and Accountability
  • Disclosing Exceptions

(Inter-American Judicial Committee, 2015)

The principles are based on other international documents such as the APEC Privacy Framework, the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, Directive 95/46/EC of the European Parliament and of the Council, among others (Inter-American Judicial Committee, 2015). 

At the level of the Organization of American States, habeas data is included in principle 3 of the Declaration of Principles on Freedom of Expression, which states:

“Every person has the right to access to information about himself or herself or his/her assets expeditiously and not onerously, whether it be contained in databases or public or private registries, and if necessary to update it, correct it and/or amend it” 

Organization of American States, 2000

Nonetheless, despite the protection offered by habeas data, special laws on the protection of personal digital data are required to provide straightforward methods for citizens to access their data, promote the adoption of best practices, and prevent and defend citizens against inappropriate data usage. Therefore, the following section focuses on analyzing data protection laws in the region.

Which Types of Personal Data Exist?

Personal data is information that can allow determining, identifying, or associating one or more specific natural person(s). Our data can be classified into five categories:

1- Private – of an intimate and reserved nature, relevant only to the owner. 

2- Sensitive – they affect the owner’s privacy. Their improper use may result in discrimination, for example, political orientation, racial origin, etc.

3- Public – are defined by law or a country’s constitution.

4- Semi-Private – without public or private nature, they are relevant to a specific sector, group of people, or society in general. 

5- Biometric – Physical, biological, or behavioral, for example, fingerprint, retina, voice, or signature.

Source: Sánchez Llano (2019)

The Latin American Landscape for the Protection of Personal Data

Latin America comprises Argentina, Bolivia, Brazil, Chile, Colombia, Costa Rica, Cuba, Dominican Republic, Ecuador, El Salvador, Guatemala, Haiti, Honduras, Mexico, Nicaragua, Panama, Paraguay, Peru, Uruguay, and Venezuela. Of these countries, Bolivia, Cuba, El Salvador, Honduras, Paraguay and Venezuela lack a data protection law (see Table 1). Some other nations, however, are in the process of drafting and approving data protection regulations (Enríquez, 2021). 

Source: Author's elaboration with data from DLA Piper (2022a)

As seen in the table above, personal data protection laws began to emerge after 2000, except for Chile, which is regarded as a pioneer in the region (Bordachar, 2022). The remaining countries without a specific law rely on constitutional provisions (habeas data) and other regulations to preserve the privacy of individuals. Bolivia, for example, relies on Article 130 of its constitution and the Bill of Personal Data Protection (DLA Piper, 2022c).

Other nations, such as Honduras, have initiated the debate on creating a law. The preliminary draft of the Personal Data Law was developed in 2015, but legislative progress has been slow. As of 2018, just 29 of the 96 provisions comprising the preliminary draft had been approved. In the interim, Honduras also embraces the habeas data principle contained in Article 76 of the national constitution and other laws such as the Law of Transparency and Access to Public Information (Latin Alliance, 2020). In addition to national constitutions and data protection laws, international treaties such as the American Convention on Human Rights (Article 11) and the International Covenant on Civil and Political Rights (Article 17) impose obligations on Latin American nations to respect privacy (Latin Alliance, 2020).

Some Players in the Data Ecosystem

Contributors of raw or unprocessed data – individuals who provide proof of raw or unprocessed data (they can be individuals or companies).

Data processors – those who clean, transform, aggregate, explore, and use data.

Connectors/data orchestrators – provide a space for data exchange and the technical infrastructure for other companies to do so.

Data service providers – are independent businesses that assist clients with managing their data. Their services are also referred to as “data as a service” (DaaS), web-delivered services provided by cloud vendors that conduct various operations on data.

Source: Techopedia (n.d.) and Lasmaries

Latin America's Prospects for Data Governance

Despite the advantages of habeas data in the region, particular legal frameworks are required to secure personal digital data due to the diversity and scope with which they can be gathered, stored, analyzed, and used today. In recent years, several nations have established laws, primarily influenced by the European Union’s General Data Protection Regulation (GDPR). The foregoing illustrates the Latin American commitment to data governance and protection. However, laws should be adequately designed in accordance with the region’s economic and technical capabilities.

Regional treaties are also influencing the frameworks, such as the T-MEC (USMCA), a free trade agreement between Mexico, the United States, and Canada. The T-MEC includes a particular chapter on e-commerce that focuses on cybersecurity, consumer protection, and cross-border data flow (Más Seguridad, 2020), thereby influencing the data governance regimes of the involved nations. Future challenges in Latin America include the design of laws specifically oriented to the digital context, the creation of Data Protection Authorities, the delimitation of the rights and responsibilities of the private sector, the adoption of clear mechanisms for transparency and accountability, and the development of trust for data exchange at the regional level.

As previously noted, the region has been transitioning away from habeas data to implement the European model aiming to establish an optimal framework that facilitates commercial alliances (Villegas Carrasquilla, 2012). However, a Latin American path is needed to respond efficiently to the region’s social, economic, political, historical, and technological realities. In this regard, regional collaboration is essential for capacity building, boosting the digital economy at the regional level, and reaping its benefits throughout the continent.

About the author: Berenice Fernandez Nieto is a Researcher with Data-Pop Alliance’s Data Feminism Program. She is from Mexico and currently lives in the UK.

References