Habeas Data and Personal Data Protection in Latin America
"According to recent estimates, in 2022, 2.5 quintillion data are generated daily, and at least 1200 petabytes are saved and exchanged through digital media."
Our daily lives are increasingly influenced by digital data. Its value and potential are widely acknowledged in a variety of industries, due to the enormous benefits they generate every day. Against this background, data privacy is a hot topic on numerous countries’ policy agendas.
Data protection entails not only establishing rules for proper data collection, storage, and analysis, but also considering the right to privacy. Over time, several regions have built their own regulatory approach for protecting privacy and information. In Latin America, this approach is known as habeas data.
What is Habeas Data?
Habeas data is the right of individuals to access, update, rectify, and delete personal data collected by third parties and stored in databases.
When we think of the collection and safeguarding of personal data, we generally consider those subjected to data collection as passive actors who, nevertheless, have legal frameworks designed for the protection and proper treatment of their data. Habeas data grants these subjects agency through the right to access, rectify, and eliminate data stored about them. Data protection is part of habeas data and acts as both a rights-giving mechanism for individuals and an obligation on the part of the State and its institutions. Compliance is directly related to the right to privacy, as well as access to information, which are both enshrined in various international treaties.
What is a Personal Data?
- Personal data consists of any information related to a person, e.g., address, bank details, telephone number, pictures, etc.
- Every day, we share data with third parties both in the digital and offline world. Think about all the occasions when our address is required in banking transactions, when signing to support NGO campaigns, attending medical appointments, participating in sweepstakes, etc.
- Personal data flow takes place offline and online, although today, it is generally stored and processed digitally through multiple platforms and services. The above gives the exercise of habeas data a new dimension.
Source: Industria y Comercio (n.d.)
Practices in Latin America
Habeas Data is considered a constitutional right in Latin America because it is found in practically all Latin American constitutions, where it is recognized either substantively or procedurally (Organization of American States, 2013). According to data from 2011, 65% of Latin American countries have explicit provisions in their constitutions regarding personal data protection, habeas data, and privacy.
The Latin American approach to habeas data emerges from the regional prioritization of the right to privacy, considered a fundamental right, which has a special significance in the region due to the historical struggle against repressive regimes. Although several countries do not have a formal privacy law (for example, in Venezuela), the habeas data principle and articles on privacy protection are enshrined in their constitutions (Villegas, 2012).
The principle allows citizens to access their data through a mechanism of habeas data appeals, which should be simple, without complex administrative procedures, easy to access, low cost, and should not require the applicant to provide an explanation of why they want to access the data. If there are impediments to the exercise of this right, these must comply with the proportionality and necessity principles (for example, if national security is at stake) (Lanza, 2017).
In the region, the Red Iberoamericana de Protección de Datos [Ibero-American Data Protection Network] and the Inter-American Juridical Committee (CJI, for its acronym in Spanish Comité Jurídico Interamericano) of the Organization of American States are in charge of promoting data protection. Specifically, the CJI adopted the Propuesta de Declaración de Principios de Privacidad y Protección de Datos Personales [Proposal for a Statement of Privacy and Personal Data Protection Principles] (Stuart, 2012), which includes the following principles:
- Lawful and Fair Purposes
- Clarity and Consent
- Relevance and Necessary
- Limited Use and Retention
- Duty of Confidentiality
- Protection and Security
- Accuracy of Data
- Access and Correction
- Sensitive Personal Data
- Trans-border Flow of Data and Accountability
- Disclosing Exceptions
(Intern-American Judicial Committee, 2015)
The principles are based on other international documents such as the APEC Privacy Framework, the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, Directive 95/46/EC of the European Parliament and of the Council, among others (Inter-American Judicial Committee, 2015).
At the level of the Organization of American States, habeas data is included in principle 3 of the Declaration of Principles on Freedom of Expression, which states:
“Every person has the right to access to information about himself or herself or his/her assets expeditiously and not onerously, whether it be contained in databases or public or private registries, and if necessary to update it, correct it and/or amend it”
Nonetheless, despite the protection offered by habeas data, special laws on the protection of personal digital data are required to provide straightforward methods for citizens to access their data, promote the adoption of best practices, and prevent and defend citizens against inappropriate data usage. Therefore, the following section focuses on analyzing data protection laws in the region.
Which Types of Personal Data Exist?
Personal data is information that can allow determining, identifying, or associating one or more specific natural person(s). Our data can be classified into five categories:
1- Private – of an intimate and reserved nature, relevant only to the owner.
2- Sensitive – they affect the owner’s privacy. Their improper use may result in discrimination, for example, political orientation, racial origin, etc.
3- Public – are defined by law or a country’s constitution.
4- Semi-Private – without public or private nature, they are relevant to a specific sector, group of people, or society in general.
5- Biometric – Physical, biological, or behavioral, for example, fingerprint, retina, voice, or signature.
Source: Sánchez Llano (2019)
The Latin American Landscape for the Protection of Personal Data
Latin America comprises Argentina, Bolivia, Brazil, Chile, Colombia, Costa Rica, Cuba, Dominican Republic, Ecuador, El Salvador, Guatemala, Haiti, Honduras, Mexico, Nicaragua, Panama, Paraguay, Peru, Uruguay, and Venezuela. Of these countries, Bolivia, Cuba, El Salvador, Honduras, Paraguay and Venezuela lack a data protection law (see Table 1). Some other nations, however, are in the process of drafting and approving data protection regulations (Enríquez, 2021).
As seen in the table above, personal data protection laws began to emerge after 2000, except for Chile, which is regarded as a pioneer in the region (Bordachar, 2022). The remaining countries without a specific law rely on constitutional provisions (habeas data) and other regulations to preserve the privacy of individuals. Bolivia, for example, relies on Article 130 of its constitution and the Bill of Personal Data Protection (DLA Piper, 2022c).
Other nations, such as Honduras, have initiated the debate on creating a law. The preliminary draft of the Personal Data Law was developed in 2015, but legislative progress has been slow. As of 2018, just 29 of the 96 provisions comprising the preliminary draft have been approved. In the interim, Honduras also embraces the habeas data principle contained in Article 76 of the national constitution and other laws such as the Law of Transparency and Access to Public Information (Latin Alliance, 2020). In addition to national constitutions and data protection laws, international treaties such as the American Convention on Human Rights (Article 11) and the International Covenant on Civil and Political Rights (Article 17) impose obligations on Latin American nations to respect privacy (Latin Alliance, 2020).
Some Players in the Data Ecosystem
Contributors of raw or unprocessed data – individuals who provide proof of raw or unprocessed data (they can be individuals or companies).
Data processors – those who clean, transform, aggrege, explore, and use data.
Connectors/data orchestrators – provide a space for data exchange and the technical infrastructure for other companies to do so.
Data service providers – are independent businesses that assist clients with managing their data. Their services are also referred to as “data as a service” (DaaS), web-delivered services provided by cloud vendors that conduct various operations on data.
Source: Techopedia, (n.d.), and Lasmaries
Latin America's Prospects for Data Governance
Despite the advantages of habeas data in the region, particular legal frameworks are required to secure personal digital data due to the diversity and scope with which they can be gathered, stored, analyzed, and used today. In recent years, several nations have established laws, primarily influenced by the European Union’s General Data Protection Regulation (GDPR). The foregoing illustrates the Latin American commitment to data governance and protection. However, laws should be adequately designed in accordance with the region’s economic and technical capabilities.
Regional treaties are also influencing the frameworks, such as the T-MEC (USMCA), a free trade agreement between Mexico, the United States, and Canada. The T-MEC includes a particular chapter on e-commerce that focuses on cybersecurity, consumer protection, and cross-border data flow (Más Seguridad, 2020), thereby influencing the data governance regimes of the involved nations. Future challenges in Latin America include the design of laws specifically oriented to the digital context, the creation of Data Protection Authorities, the delimitation of the rights and responsibilities of the private sector, the adoption of clear mechanisms for transparency and accountability, and the development of trust for data exchange at the regional level.
As previously noted, the region has been transitioning away from habeas data to implement the European model aiming to establish an optimal framework that facilitates commercial alliances (Villegas Carrasquilla, 2012). However, a Latin American path is needed to respond efficiently to the region’s social, economic, political, historical, and technological realities. In this regard, regional collaboration is essential for capacity building, boosting the digital economy at the regional level, and reaping its benefits throughout the continent.
About the author: Berenice Fernandez Nieto is a Researcher with Data-Pop Alliance’s Data Feminism Program. She is from Mexico and currently lives in the UK.
- Bordachar, M. (2022). ¿Cómo y quiénes cuidan nuestros datos? Legislaciones vigentes en países Latinoamericanos. Derechos Digitales. https://www.derechosdigitales.org/17759/dia-de-la-proteccion-de-los-datos-personales/
- DLA PIPER. (2022a). DLA Piper Global Data Protection Laws of the World – World Map. https://www.dlapiperdataprotection.com/
- DLA Piper. (2022b). Law in El Salvador – DLA Piper Global Data Protection Laws of the World. https://www.dlapiperdataprotection.com/index.html?t=law&c=SV
- DLA Piper. (2022c). Law in Bolivia – DLA Piper Global Data Protection Laws of the World. https://www.dlapiperdataprotection.com/index.html?t=law&c=BO
- Enríquez, L. (2021). La protección de datos en América latina: influencia del RGPD. Observatorio Ciberderechos y Tecnosociedad. https://www.uasb.edu.ec/ciberderechos/2021/06/15/la-proteccion-de-datos-en-america-latina-influencia-del-rgpd/
- Industria y Comercio. (n.d.). Protección de datos Personales: Aspectos Prácticos sobre el derecho de Hábeas Data. Gobierno de Colombia. https://www.sic.gov.co/sites/default/files/files/Nuestra_Entidad/Publicaciones/Aspectos_Derecho_de_Habeas_Data.pdf
- Inter-american Juridical Committee. (2015). Privacy and Data Protection. OAS. https://www.oas.org/en/sla/dil/docs/CJI-doc_474-15_rev2.pdf
- Lasmaries, E. (2022). Data Ecosystem Players. Visions. https://visionspol.eu/en/2022/02/17/data-ecosystem-players/
- Latin Alliance. (2020). La Protección de Datos. https://latinalliance.co/wp-content/uploads/2020/08/Proteccion-de-Datos-Honduras.pdf
- Lanza, E. (2017). Standards for a Free, Open and Inclusive Internet. Organization of American States. http://www.oas.org/en/iachr/expression/docs/publications/internet_2016_eng.pdf
- Más Seguridad. (2020). T-MEC y el libre flujo transfronterizo de datos entre el usuario. https://www.revistamasseguridad.com.mx/t-mec-y-el-libre-flujo-transfronterizo-de-datos/
- Organization of American States. (2000). Declaration of Principles on Freedom of Expression. https://www.oas.org/en/iachr/mandate/basics/declaration-principles-freedom-expression.pdf
- Organization of American States. (2013). Freedom of expression and the Internet. Office of the Special Rapporteur for Freedom of Expression. http://www.oas.org/en/iachr/expression/docs/reports/2014_04_08_internet_eng%20_web.pdf
- Sánchez Llano, I. (2019). Tipos de datos personales que maneja la Universidad del Valle. NotiRed. https://notired.univalle.edu.co/tipos-de-datos-personales-que-maneja-la-universidad-del-valle/
- Stewart, D. P. (2012). Propuesta de declaración de Principios de Privacidad y Protección de Datos Personales en las Américas. http://www.oas.org/es/sla/ddi/docs/CJI-RES_186_LXXX-O-12.pdf
- Techopedia. (n.d.). What are Data Services? – Definition from Techopedia. Techopedia.Com. Retrieved August 12, 2022, from http://www.techopedia.com/definition/1005/data-services
- Villegas Carrasquilla, L. (2012). Personal data protection in Latin America: retention and processing of personal data in the Internet sphere. In Hacia una Internet libre de censura Propuestas para América Latina. https://www.palermo.edu/cele/pdf/english/Internet-Free-of-Censorship/05-Personal_data_protection_Latin_America_Villegas_Carrasquilla.pdf
- Wilse, J. (2022). How Much Data Is Created Every Day in 2022? [NEW Stats]. Earthweb. https://earthweb.com/how-much-data-is-created-every-day/