BY 4.0 license Open Access Published online by De Gruyter May 26, 2022

Follow the Leader? Comparative Law Study of the EU’s General Data Protection Regulation’s Impact in Latin America

Arturo J Carrillo and Matías Jackson
From the journal ICL Journal

Abstract

In May 2018, the General Data Protection Regulation (GDPR) entered into force in the European Union. As is widely recognized, its impact goes beyond the borders of the old continent, permeating through the regulatory processes of countries all over the world. Nowhere is this more evident than in Latin America, where governments have long emulated European data protection standards. Professor Anu Bradford has famously characterized this phenomenon as a prominent example of ‘the Brussels Effect,’ defined as Europe’s unilateral power to regulate global markets. Other scholars see a more complex dynamic at play. This is especially true in the data privacy context in which the EU has benefited from a highly transplantable legal model and normative innovations that have proved successful in a global marketplace of ideas. This Article joins the debate around the EU’s transnational influence on the regulation of personal data by evaluating the de jure impact that the GDPR has had in Latin America to date. To this end, the Article addresses three main questions. First, what is the panorama of data privacy legislation across Latin America since the 2016 adoption of the GDPR? Second, how have those countries in the region that have moved first to reform or enact data privacy legislation in light of the GDPR’s key innovations done so? And finally, what lessons can be learned from the Latin American experience based on the responses to these questions? In responding, the Article looks first at which countries in the region have introduced or proposed changes to their legislation in the wake of the GDPR’s enactment in 2016. It then evaluates the experience of key jurisdictions in greater detail, namely Brazil, Mexico, Chile and Uruguay, to determine what lessons can be drawn from their efforts. By pursuing these inquiries, the authors shed new light on the debate surrounding the nature of the de jure dimension of ‘the Brussels Effect’ in the region.

1 Introduction

In May 2018, the General Data Protection Regulation (GDPR) came into force in the European Union.[1] As is widely recognized, its impact goes beyond the borders of the old continent, permeating through the regulatory processes of countries all over the world.[2] Among the most notable of its innovations is its extraterritorial reach. Gráinne de Búrca highlighted this feature of the GDPR in an online symposium of the American Journal of International Law:

Describing itself as a measure intended to harmonize data privacy laws across Europe’s single market, the GDPR (…) applies to any organization operating within the EU or offering goods or services to customers or businesses in the EU (…). The key to the way in which the GDPR goes far beyond being a domestic EU-focused legislative measure is in its application to any business or organization anywhere in the world that offers good or services to persons within the EU (…).[3]

But the global impact of the EU’s latest installment to its data protection regime derives not merely from its extra-territorial jurisdiction. The transnational influence of the European Union’s data protection norms dates back at least to the approval of Directive 95/46/EC of 24th October 1995 on the protection of individuals with regard to the processing of personal data and the free movement of such data.[4] Prior to 2016, it was this Directive that set the data privacy standards to follow around the world.[5] Nowhere was this more evident than in Latin America, where governments have long emulated European laws in this arena.[6] Once the GDPR was enacted in April 2016 to replace the Directive, and especially since coming into force two years later in May 2018, it has become the standard bearer of European data privacy law, inter alia, by imposing stricter requirements on businesses and broadening individuals’ rights.[7]

While there is widespread agreement that European legislation in general, and the GDPR in particular, ‘[have] taken an essential role in shaping how the world thinks about data privacy,’[8] there is some disagreement about how and why that is so. As just noted, the GDPR is widely recognized as ‘a significant extension of the global process of policy convergence and the trading-up of international privacy standards.’[9] Moreover, scholars have pointed out that although ‘[m]any difficulties remain to be overcome, (…) the GDPR is rapidly evolving into the transnational gold standard of data protection, applicable to all domestic and cross-border transfers of personally identifiable data.’[10] Naturally, this means that the EU Regulation has garnered a fair share of attention, academic and otherwise.

Anu Bradford has famously characterized this phenomenon – the GDPR evolving into a global ‘gold standard’ – as a prominent example of ‘the Brussels Effect,’ defined as ‘Europe’s unilateral power to regulate global markets.’[11] Her idea is that through the use of market mechanisms primarily, Europe has been able to ‘unilaterally’ export its laws and regulations to other jurisdictions resulting in the ‘de facto’ adoption of its regulatory standards by ‘export-oriented’ companies, as well as the ‘de jure’ promulgation of its rules by the similarly motivated legislatures in those other jurisdictions.[12] Other scholars see a more complex dynamic at play, especially in the data privacy context. Paul Schwartz takes issue with Bradford’s (and others’) one-dimensional formulations of Europe’s regulatory influence in this area, affirming that, in addition to market forces, ‘[the] EU employs a broad set of [negotiation and other] strategies that have encouraged the spread of its data protection laws. Beyond these strategies, the EU has benefited both from elaborating a highly transplantable legal model and from developing concepts that have proved successful in a global marketplace of ideas.’[13]

This Article joins the debate around the EU’s transnational influence on data privacy regulation by evaluating the de jure impact that the GDPR has had specifically in Latin America to date. It looks at which countries in the region have introduced or proposed changes to their legislation in the wake of the Regulation’s enactment in 2016. It also explores the experience of key jurisdictions in greater detail, namely Argentina, Brazil, Chile, Mexico and Uruguay, to determine what lessons can be drawn from their efforts. Although international experts recognize that Latin-American countries have taken steps to modify their data privacy law frameworks since the GDPR was enacted,[14] there has yet been no systematic or wider comparative review of said countries’ legislation in this regard; the literature in the field is incomplete and, where it does exist, tends to focus on comparing the Regulation to one country at a time.[15]

In this Article, we begin to close that gap by conducting a comparative law study of the Latin American countries that have contemplated, are contemplating, or have enacted legislative changes to their national legal frameworks for data protection in light of the promulgation and provisions of the GDPR. To this end, the Article addresses three main questions. First, what is the panorama of data privacy legislation across Latin America since the 2016 adoption of the GDPR? Second, how have countries in the region that have moved first to reform or enact data privacy legislation in light of the GDPR done so? And finally, what lessons can be learned, if any, from the Latin American experience based on the initial responses to both prior questions? By addressing these questions, we intend to shed light on the debate surrounding the nature of the de jure dimension of ‘the Brussels Effect’ in the region.

Indeed, there are several virtues to evaluating the Brussels Effect de jure in terms of post-GDPR data protection regulation in Latin America. Keeping a more precise tab on how many countries in the region have reacted to the enactment of the Regulation is one. Another is to better understand the extent to which the GDPR is the model that Latin American countries are following as they promulgate new data protection rules. What aspects of the EU Regulation are most commonly reproduced? Which are not? A third virtue is to learn more about how and why the countries most engaged in revamping their legal regimes have made, or are making, such GDPR-inspired changes. Are they following the European model of enacting comprehensive legislation, known as ‘omnibus’ laws, to promulgate new rules or some other approach? How faithful to the GDPR’s letter and spirit are the changes?

It is our hope to begin to identify best practices, pitfalls, and challenges that can inform, and perhaps even guide, other initiatives in countries undergoing similar reform. All of which contributes to the final insight: elucidating the real-world manifestations in law of the Brussels Effect with respect to data privacy regulation, for one important region of the world.

This Article has four Parts aside from this Introduction. The first provides an overview of the GDPR’s newest and most relevant provisions from a Latin American perspective. The second Part surveys the region to determine which national legislations in Latin America have since 2016 adopted modifications or drafted bills to incorporate GDPR provisions into domestic law. Part III features case studies of four strategic jurisdictions in Latin America identified as ‘first movers’ in terms of GDPR adoption. The four countries are Brazil, Chile, México, and Uruguay. They were chosen, inter alia, because of their governments’ concerted efforts to modify the respective data privacy law regimes to adapt to the GDPR. While some of them have gone as far as to approve new legislation in this regard (Brazil, Mexico and Uruguay), Chile is still debating a bill that would introduce substantive changes in line with the EU Regulation. The same is true for Argentina, also discussed in 4. Finally, Part IV summarizes our preliminary findings and conclusions with respect to the regional comparative analysis of data privacy regimes post-GDPR with an emphasis on the lessons learned from the four case-studies.

A final caveat is in order. Due to the nature of our touchstone inquiries, any responses we provide will necessarily be preliminary: tracking legal reform is by definition a moving target, as countries continue to debate, legislate and promulgate new laws, rules and regulations governing data protection in their domestic spheres.[16] That said, at first blush, it seems that a significant number of countries in Latin America have considered or enacted changes to their legislations since the approval of the GDPR in 2016. In the ensuing five-year period, 12 countries in the region (of the 20 we studied) have at least debated legislative initiatives related to data protection, if not actually reformed their legal regimes in this respect.[17] At the same time, the approaches taken by these legislative changes vary in certain substantive aspects. For instance, as a rule, not all the key new elements of the Regulation are taken on board by the Latin American legislatures enacting reform, and when GDPR-style provisions are introduced, it is often with key omissions, variations or nuances.[18] Across the board, countries in the region have tended to adopt the elements of the GDPR in a more general way, meaning they prefer higher-level norms with fewer details, which they tend to leave to the regulatory process.[19]

2 Overview of GDPR and Key Elements

In this Part, we provide an overview of the EU’s General Data Protection Regulation (GDPR) that focuses on its novel characteristics as well as several of the new provisions it brings to European data privacy law. Doing so allows us to fashion a framework of ‘key elements’ to use in subsequent Parts to analyze in a more nuanced fashion the extent to which Latin American countries implementing GDPR-style legal reforms have ‘followed the leader,’ that is, adhered to the Regulation’s parameters in carrying out those reforms.

Building as it does on Data Protection Directive 95/46/EC, the GDPR retains much of the basic configuration and content of its predecessor.[20] At the same time, however, the Regulation was enacted because ‘[p]rivacy issues arising from an exponential growth in consumer and mobile technologies, an increasingly connected planet[,] and mass cross-border data flows (…) pushed the EU to entirely rethink its data protection legislation to ensure that (…) fundamental rights are fully protected in today’s digital economy.’[21] It thus expands, deepens, and strengthens numerous aspects of the legal regime created by the Data Protection Directive.[22] This was necessary because, while influential globally, the Directive generated conflicting domestic legal interpretations within the EU, leading to the ‘fragmentation’ of national data privacy laws.[23]

The GDPR was enacted to harmonize EU law on data privacy and transfers while reinforcing protections for the fundamental rights enshrined in Articles 7 and 8 of the Charter of Fundamental Rights.[24] As such, it introduces a host of new elements that have transformed it into the most powerful data protection framework in the world.[25] This Part homes in on several of the most innovative aspects of the GDPR, identifying them in the sections below and accompanying Table A as ‘key elements.’ By compiling a roster of new elements from the GDPR deemed ‘key’ in this way, we can in the remaining Parts proceed to canvass and compare the data privacy regimes in Latin America with reference to a specialized framework of European legal norms as indicators.

2.1 Key Elements of the GDPR

The GDPR is a piece of legislation that has received a great deal of attention in recent years, especially among those who work on data privacy issues in most any context. Much of the commentary has been centered on the Regulation’s two-year anniversary, and the widely held view that it has – and is – transforming data privacy regulation worldwide, mostly for the better.[26] For example, the consensus view of a panel of privacy and international law experts at the American Society of International Law’s Annual Meeting, held virtually in June of 2020, was that ‘the rising tide’ of the GDPR’s broad impact on countries outside the EU was ‘lifting all boats,’ in the sense that it was influencing a trend worldwide towards not just more, but also better, data privacy laws.[27] This is apparently the case to an even greater degree than was true for the Directive, which did not possess the same degree of legal weight, far-reaching data privacy safeguards, or enforceability.[28]

In this section, we compile a roster of several of the GDPR’s innovative provisions: select features that the Regulation introduces to European data privacy law (and the world). These ‘key elements,’ as we will call them, are listed below and presented in Table A. Though not an exhaustive list of all the innovations enacted by the Regulation, our roster of key elements includes several that we believe characterize the strengthened European approach to protecting data privacy. In addition to being novel and representative of the GDPR, these elements also tend to be easily verifiable; generally speaking, their implementation can be readily ascertained by establishing whether a specific obligation to do ‘X’ is reproduced or not in the Latin American domestic legal norms surveyed. It is for these reasons that they were chosen.[29] Moving forward, this list of select elements will serve as the normative framework of benchmarks we will use in subsequent Parts to determine the extent to which the GDPR has been internalized (or not) by Latin American legal systems.

By tracking whether and how the selected key elements from the GDPR are incorporated into Latin American data privacy regimes, we will be able to establish a correlation between the two. Whether or not that correlation also reflects elements of causation is a question to be addressed in 4 and 5. Accordingly, our key elements moving forward, organized under the general headings of the GDPR, are these:

  • General Provisions

    • Expanded Scope of Territorial Application

  • Rights of the Data Subject

    • Right to be forgotten

    • Right to data portability

  • Controller and Processor

    • Heightened standard for processing consent: the ease of withdrawal must match that for giving consent

    • Notification of data breaches

    • Data protection impact assessments (DPIAs)

    • Designation of the Data Protection Officer (DPO)

  • Governance and Accountability

    • Remedies and Liability

    • Penalties

Table A graphically organizes this outline structure across the horizontal axis. The vertical axis is comprised of three rows. Row 1 indicates the source articles from the GDPR for each element, while Row 2 summarizes the highlighted effects of the cited norms. A more detailed introduction to each key element is outlined below. In addition, Table A includes a third row that presents the corresponding questions to pose in relation to each key element when conducting the survey and case studies to follow in Parts II and III, respectively. Once the operational mapping of these normative benchmarks is completed, we can in the next Part move on to the initial survey of data privacy law reform in the Latin American region since the GDPR burst onto the global scene in 2016.

2.1.1 General Provisions

2.1.1.1 Expanded Territorial Scope

GDPR Article 3 defines the territorial scope of the Regulation, introducing not one but two hugely significant changes vis à vis the Directive that we wish to highlight. The first, noted already, is that it applies ‘to any business or organization anywhere in the world that offers good or services to persons within the EU (…),’[30] or monitors their behavior.[31] Not surprisingly, the GDPR’s new extraterritorial ambit has been a crucial factor in extending the Regulation’s influence beyond the borders of the EU.[32] The other innovation to highlight is that, for the first time, European data privacy law expressly covers data processors – suppliers or agents who may be hired by a controller to process personal data on the latter’s behalf – and imposes a series of specific obligations on them.[33]

2.1.2 Rights of the Data Subject

The GDPR recognizes two new data subject rights not expressly covered by the Directive: the right to erasure, and to data portability.

2.1.2.1 Right to Erasure (Right to be Forgotten) (Articles 5 & 17)

GDPR Article 17(1) grants a ‘right to erasure’ to data subjects when their personal data ‘are no longer necessary in relation to the original purposes for which they were collected or otherwise processed,’ or where ‘the data subject withdraws consent on which the processing is based.’[34] In so doing, it gives effect to the principle in Article 5(d) affirming that ‘every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.’[35]

The Right to be Forgotten (RTBF) derives from the 2014 judgment of the Court of Justice of the European Union (CJEU) in Google Spain SL v Costeja, Case C-131/12 (2014).[36] The CJEU found a ‘right to be forgotten’ to be implied by the rights to erasure and blocking of data, provided for in Directive 95/46 Article 12(b), and the right to object, provided for by subparagraph (a) of the first paragraph of Article 14.[37] The European Court of Justice determined that if the information at issue is found ‘to be inadequate, irrelevant or no longer relevant, or excessive in relation to the purposes of the processing at issue carried out by the operator of the search engine, the information and links concerned in the list of results must be erased.’[38] This interpretation has been expressly imported into the GDPR through Article 17.

Article 17(2) adds a robust notification requirement with respect to the erasure of personal data or similar restriction of the processing. It establishes that ‘[t]o strengthen the right to be forgotten in the online environment, the right to erasure should also be extended in such a way that a controller who has made the personal data public should be obliged to inform the controllers which are processing such personal data to erase any links to, or copies or replications of those personal data.’[39]

2.1.2.2 Right to Data Portability (Article 20)

A wholly new right created by the GDPR for data subjects relates to data portability.[40] Article 20 authorizes data subjects to request and receive their personal data from a data controller in a structured, commonly used and machine-readable format, and to transmit it to another data controller without hindrance.[41] Article 20 has two main purposes. From the human rights perspective, it aims to empower data subjects in their relationship with controllers by ‘strengthen[ing] the [subject’s] control over his or her own data.’[42] From a more economic approach, it can work as a tool to support free flow of personal data and foster competition between controllers by lowering switching costs.[43] Finally, it is important to note that the right to data portability only applies to information which was obtained on the basis of consent or as necessary for the performance of a contract, but not for information obtained on other grounds.[44]

2.1.3 Controller and Processor

2.1.3.1 Heightened Standard for Consent (Withdrawal)

Although the basic normative structure for determining the lawfulness of processing remains largely the same from the Directive to the GDPR, the latter has raised the bar with respect to what constitutes valid consent to the collection and processing of personal data.[45] For example, ‘[c]onsent must [now] be fully unbundled from other terms and conditions and will not be valid unless freely given, specific, informed and unambiguous (Articles 4(11) and 6(1)(a)).’[46] Moreover, the effects of valid consent under the Regulation have been further limited through the operation of the new data subjects’ rights just examined, namely, the right to erasure and to data portability.[47] But, for our purposes in this section, the precise element of the GDPR’s reinforced provisions regarding consent to highlight is that relating to its withdrawal.

Under the Regulation’s revised regime, ‘[i]t shall be as easy to withdraw as to give consent.’[48] Article 7 makes clear that the data subject may withdraw his or her consent at any time.[49] Recital 42 clarifies further that ‘[c]onsent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.’[50] For purposes of the operating methodology as reflected in Table A, then, it is this particular principle – that data subjects must be able to withdraw their consent as easily as they provided it – which will serve as the touchstone for purposes of identifying efforts to implement the GDPR’s heightened consent requirements. As a practical matter, this element will function as a representative indicator of whether the jurisdiction under study has considered the importance of protecting consent in line with the GDPR’s new strictures.[51]

2.1.3.2 Notification of Personal Data Breaches

The establishment of duties to notify data breaches to supervisory authorities and affected persons is one ‘of the most profound changes to be introduced by the GDPR.’[52] Articles 33 and 34 refer to the obligations that data controllers have to notify data breaches to supervisory authorities and affected individuals, respectively. The object of these critical new provisions is to mitigate or avoid the ‘physical, material or non-material damage to natural persons’ that can result from data breaches and/or a failure to report them.[53] Said damage can include loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorized reversal of pseudonymization, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned.[54]

With respect to the duties under Article 33, controllers must as a general rule notify the supervising authority promptly of any personal data breach; where feasible, they must do so within 72 hours of becoming aware of it.[55] The controller’s notification must provide information on the nature of the breach, the number of subjects affected, the type of data compromised, the likely consequences of the breach, and the measures taken or proposed to be taken, among other things.[56] When the breach compromises information that may result in high risks to the rights and freedoms of individuals, Article 34 stipulates that the controller must also notify the data subjects affected by the breach ‘without undue delay.’[57] This is ‘in order to allow him or her to take the necessary precautions. The communication should describe the nature of the personal data breach as well as recommendations for the natural person concerned to mitigate potential adverse effects.’[58]

2.1.3.3 Data Protection Impact Assessment

Much of the GDPR’s import flows from the emphasis on demonstrating compliance with its enhanced data protection principles and promoting greater accountability for the failure to do so.[59] A novel mechanism established to this end is the Data Protection Impact Assessment, or DPIA, which applies to ‘new technologies’ and any other type of processing ‘likely to result in a high risk to the rights and freedoms of natural persons.’[60] The DPIA is ‘an assessment of the impact of the envisaged processing operations on the protection of personal data.’[61] It is used ‘to describe the processing, assess its necessity and proportionality and help manage the risks to the rights and freedoms of natural persons resulting from the processing of personal data by assessing them and determining the measures to address them.’[62] Examples of the types of processing covered are those that involve sensitive personal data or automated ‘profiling’ of persons; or are carried out en masse.[63]

DPIAs are thus an important tool for increasing the compliance of data processors and their accountability with respect to the obligations set out in the Regulation. Among other things, overseeing these impact assessments is one of the primary functions of the newly created Data Protection Officers described in the next sub-section.[64] In this way, the information resulting from the DPIAs can lead to better understandings, and more uniform evaluations, between controllers, processors and the corresponding Data Protection Authorities.[65]

2.1.3.4 Designation of the Data Protection Officer

Still another ‘significant new governance’ requirement for organizations covered by the GDPR is to appoint a data protection officer, or DPO.[66] Article 37 establishes the obligation for data controllers and processors to designate a DPO inside their organizations when:

  • the data processing is carried out by a public authority or body, except for courts acting in their judicial capacity;

  • the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale;[67] or

  • the core activities of the controller or the processor consist of processing on a large scale sensitive personal data pursuant to Article 9 (special categories of personal data) or personal data relating to criminal convictions and offences referred to in Article 10.[68]

The DPO must possess an expert level of relevant expertise and be designated on the basis of his or her professional qualities.[69] Recital 97 stipulates that said expertise must be related ‘to the data processing operations carried out and the protection required for the personal data being processed.’[70] Among the key duties of the DPO are monitoring and providing guidance on Data Protection Impact Assessments.[71] The DPO should also be able to carry out his or her duties ‘in an independent manner.’[72] GDPR Articles 38 and 39 expand further on the position and responsibilities of the officer inside the organizations covered. As is the case with the DPIAs, the purpose of this obligation is to promote greater compliance with the provisions of the GDPR and ensure accountability when necessary.[73]

2.1.4 Governance and Accountability

The GDPR’s ratcheting up of governance requirements, several of which have been highlighted in the prior paragraphs, has been accompanied by stricter accountability mechanisms, especially the creation of enhanced remedies for individuals to bring private claims and stiffer penalties for non-compliance.[74] Furthermore, the GDPR heightens the responsibility for data controllers and processors by requiring them to demonstrate their compliance with all the prescribed principles and norms of data processing.[75]

2.1.4.1 Remedies and Liability

Individuals seeking redress from a controller or processor under the GDPR are guaranteed a range of remedial avenues. They can lodge a complaint with the supervisory authority set up under GDPR Article 51 ‘if the data subject considers that the processing of personal data relating to him or her infringes this Regulation.’[76] They are similarly entitled to pursue legal action ‘before the courts of the Member State’ against an offending controller or processor, without prejudice to any other remedies that might be available.[77] Perhaps most significantly, any person who has suffered ‘material or non-material damage’ as a result of a breach of the Regulation is guaranteed the right to compensation for the harm suffered from the controller or processor.[78] ‘The inclusion of ‘non-material’ damage means that individuals will be able to claim compensation for distress and hurt feelings even where they are not able to prove financial loss.’[79]

2.1.4.2 Penalties

The penalties contemplated by the GDPR are of a magnitude not previously seen in European data privacy law. Fines are divided into two categories depending on the characteristics of the breach. The first corresponds to more severe breaches, which include the non-compliance with data subjects’ rights or international transfer restrictions, among others. In these cases, applicable fines rise to 20,000,000 Euros or, in the case of an undertaking, up to 4% of total worldwide turnover of the preceding year, whichever is higher.[80] The second category applies to breaches of obligations set for data controllers and processors, such as those related to security, data breach notifications, certification and monitoring. In these cases, fines go up to 10,000,000 Euros or, in the case of an undertaking, up to 2% of total worldwide turnover of the preceding year, whichever is the higher.[81] With these provisions, the GDPR follows the example of anti-bribery and anti-trust laws that tend to set high fines tied to companies’ global revenues.[82]

3 Panorama of Data Protection Legislation in Latin America

The objective of this second Part is to review the context and status of legislative initiatives on data protection in Latin America through 2021. To do this, we focused our research on relevant legislation across the region that was introduced or enacted since April 2016, the date the GDPR was approved by the European Parliament and the Council of the European Union. This legal framework entered into force in May 2018, of course; however, governments in Europe and abroad took advantage of the two-year window between the Regulation’s adoption and its activation to adapt their domestic regimes and practices to the new rules.[83] For this reason, we will highlight those pertinent legal initiatives starting from the time of the GDPR’s approval in 2016.

But first we must set the stage. In Latin America, data protection is uniquely built upon the concept and tradition of habeas data as a constitutional right.[84] Since the 1980s, countries in the region have protected privacy and personal data vis à vis their governments through a right to habeas data, which mirrors the writ of habeas corpus but for information.[85] Habeas data translates from Latin as ‘bring me the data’ and implies the right of the data subject to access the information that the State possesses about him or herself.[86] As a constitutional right, it applies to government authorities first and foremost, but has been extended to cover non-state actors as well.[87] A writ of habeas data applies to any type of personal data, which the subject is entitled to request and access on demand.[88] It can also include the rights to rectify as well as sometimes erase personal data held by any public or private third party.[89]

Habeas data was first introduced in the region as a constitutional right enshrined by a number of Latin American countries during the eighties and nineties.[90] It was most recently enacted through a constitutional amendment in Chile in 2018.[91] In this way, Latin American constitutional law became the primary means of protecting personal data through the operation of three key mechanisms: the recognition of habeas data as an autonomous fundamental right; the concomitant creation of a specialized constitutional remedy – the writ or action of habeas data; and growing recognition of the broad scope of the right and its enforcement with respect to both public and private actors.[92]

After the approval of the EU’s Personal Data Directive in 1995, Latin American countries moved towards the enactment of specific data protection laws that complemented the aforementioned constitutional protections. Those new laws tended to follow the European approach of enacting comprehensive ‘omnibus’ legislation, thus providing more detailed rights and procedures to increase both legal certainty within domestic jurisdictions and harmonization across countries in the region.[93] Commentators have previously divided those legislative initiatives into ‘two waves.’[94] The first wave of legislation came immediately after the adoption of the Data Protection Directive in 1995 with the enactment of data protection laws in Chile (1999), Argentina (2000), and Paraguay (2000).[95] It is worth noting here that as part of this first wave, the Ibero-American Data Protection Network was founded in 2003; we discuss this influential organization in more detail below.[96] A second wave of reform came in the following years, with the enactment of new laws in Uruguay (2008), México (2010), Costa Rica (2011), Peru (2011), Nicaragua (2012), and Colombia (2012).[97] To these two we can now add a third wave of ongoing data privacy initiatives, with new or additional laws promulgated in Mexico (2017), Uruguay (2018), Brazil (2018), Panama (2019) and Ecuador (2021).[98]

The respective national laws adopted during each of the three historical waves identified share some common characteristics. Latin American countries tend to protect data privacy in comprehensive legislation that expands upon the core right of habeas data in their constitutions.[99] Inspired in turn by EU initiatives like the Directive, and now the GDPR, these evolving legal frameworks govern the collection, use and dissemination of personal data by private as well as public parties.[100] In addition, they generally grant at least some if not all of the individual rights known as ‘ARCO’ rights, for their acronym in Spanish. The ARCO rights of data subjects entitle them to Access, Rectify (correct), Cancel (erase) or Oppose processing personal information that has been collected by government authorities or, more recently, by private companies.[101] If the data is inaccurate, incomplete or outdated, the subject can ask for its rectification; if the data is being processed, he or she can request that it not be.[102] These are all key characteristics of the Latin American approach to protecting personal data.

The comparative study we develop in this Part is primarily descriptive of domestic legislative activity related to data protection. Our intention is to provide a panoramic ‘snapshot’ of the landscape with respect to data privacy legal reform in Latin America as it stands in 2021, as well as how it is developing at a regional level. Our goal is to gain a comprehensive view of the way Latin American countries have responded to the adoption of the GDPR in 2016. It is worth noting, first, that this research draws heavily from States’ official government websites to provide greater certainty about the status of the laws and bills reviewed; and second, that it focuses on the 20 sovereign States geographically located in Central and South America. Thus, territories and dependencies like French Guiana in South America are excluded from our purview, as are all the Caribbean nations, for the most part.[103]

Our preliminary findings are summarized in Table B, entitled ‘Review of Data Privacy Regulation in Latin America in 2021.’ In the first column on the vertical axis, the Table lists all 20 independent countries in Central and South America we surveyed; it then arrays the topics reviewed for each along the top row of the horizontal axis. Those topics are as follows. The second column of Table B reflects whether the particular country studied has a comprehensive data protection law or not. If it does, the Table gives the law’s reference number or code along with the date it was enacted; a link is provided to the official version of the law whenever possible. Where such a law exists, its full title translated into English is reproduced in the third column. The fourth column registers whether the country has established a national data protection authority – the ‘supervisory authority’ originally required by EU Directive 95/46, and subsequently reinforced by the GDPR.[104] The fifth identifies whether the countries have proposed changes to their basic data protection law or some other legislative initiative on data privacy after April 2016, while the sixth column registers whether those proposals have to date been successful or not, ie enacted into law. These ‘changes’ can flow from either a bill intended to modify the basic data privacy regime identified in the second and third columns, or an entirely new stand-alone law (as in the case of Brazil).

It is worth highlighting here that our set of surveyed nations covers all of the Latin American countries that are part of the Ibero-American Data Protection Network (Red Iberoamericana de Protección de Datos Personales),[105] as well as those that are not. As noted, this Network was created in 2003; it was established with the aim of promoting cooperation and policy development among governments with respect to the regulation of data privacy.[106] Today, it has the participation of 10 countries in Latin America and Europe,[107] and has accredited 19 other countries or entities as observers as well, including the Council of Europe’s Consultative Committee for the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108).[108]

Not surprisingly, the Ibero-American Network has actively contributed to the expansion of the European model of data privacy in Latin America, due in large part to Spain’s prominent role in the organization.[109] For example, the Network’s agenda for 2015–2018 expressly included the promotion of the European data privacy model in Latin American countries, among others, because of ‘the benefits that such adoption would bring to Spanish companies that desire to transfer an increasing volume of personal data with such countries.’[110] By joining the Ibero-American Network, countries in Latin America have shown a prior interest in, if not commitment to, the European framework and its principles.[111] Almost all of the Latin American participants in the Network, for instance, have an established Data Protection Authority (DPA), which was one of the pillars of the Directive 95/46/EC (Article 28).[112]

In short, the vertical axis of Table B is populated by the 20 Latin American countries in Central and South America, while the top row on the horizontal axis is comprised of the specific topics we reviewed for each of the states surveyed. The final column of Table B is for comments dedicated primarily to highlighting notable aspects of the selected country’s data privacy regime. We note, for example, if a country has a data protection law, as well as any new legislation since 2016 that has referenced the GDPR and/or reflected any of the key elements of that Regulation in a manner attesting to a connection between the two. If no such law exists, we offer a brief commentary on the status of a country’s efforts to enact data privacy regulation where pertinent. Finally, we indicate in the Table which countries have obtained an ‘adequacy’ determination from the European Commission, as well as those that have ratified Convention 108 and its protocols. The summaries captured in that final column read as follows:

  • In 2018, Argentina proposed a comprehensive draft law to update the omnibus law approved in 2000, with a view to maintaining the ‘adequacy’ of protections recognized by the European Union. The 2018 draft bill made express reference to the GDPR as the ‘international standard’ to emulate, and includes almost all the key elements from Table A. Despite this bill losing parliamentary status in 2020,[113] a new proposed law was introduced in March of 2020.[114] Two additional bills were presented in November[115] and December[116] of 2020 and remain in parliamentary debate. These three pending bills have the same general purpose of maintaining the ‘adequacy’ with the EU and seek to follow the GDPR standards. Argentina ratified Convention 108 in 2018 and signed (but has not ratified) the 2018 Protocol updating the convention to 108+.[117] For details, see the Argentina case study, infra, 4.1.

  • Belize lacks a formal data privacy law. Privacy is recognized as a right in the Constitution, and some privacy protections are included in laws which regulate public and private entities that handle personal data.[118]

  • Bolivia is among the countries that currently lack a comprehensive data protection framework. In 2018, legislators presented a bill seeking to enact the ‘Personal Data Protection Law.’[119] It included some GDPR key elements, such as the right to data portability and data breach notification requirements. The law would have created a DPA with the power to impose sanctions. In 2019, a similar draft bill was presented by Foundation Internet Bolivia.org.[120] Neither was enacted, but modified versions of the proposed laws may be considered if re-submitted and endorsed by the new legislature.[121]

  • Brazil enacted a comprehensive data protection law in 2018, Lei Geral de Proteção de Dados Pessoais (LGPD), for the first time; it was amended in 2019 to establish the DPA as part of the Executive Branch.[122] The law resembles the GDPR in many important respects, inter alia, by having extraterritorial application, promoting stronger data subject rights, and adding a duty for notification of data breaches. However, it differs from European standards on other fronts. The LGPD went into effect in September 2020 due to the pandemic,[123] while enforcement was slated to begin in August 2021.[124] For more information, see the Brazil case study, infra, in 4.1.

  • In 2017 Chile’s Congress began consideration of a bill to update the 1999 personal data law and, inter alia, create a data protection authority. The proposed law contains some provisions that advance GDPR protections, such as the rights to erasure and data portability, as well as the duty to notify breaches. It ignores several others. The bill remains in parliamentary debate; in January 2021, President Sebastián Piñera submitted an urgent request to expedite the process.[125] Notably, in 2018 Chile adopted Act No 21.096 to amend the Constitution to add data protection as a fundamental right with constitutional status.[126] For more information, see the Chile case study, infra, in 4.2.

  • Since 2016, in Colombia, the Congress has discussed various legislative proposals to modify the omnibus Data Protection Law of 2012, though none has yet succeeded. In their introductions, the bills referenced the GDPR as a source of guidance, which is not surprising given that Colombian data protection law is largely based on Europe’s.[127] The proposed reforms would have expanded the territorial scope and increased data processors’ responsibility by introducing duties to realize privacy by design, to prepare impact assessment reports, and to establish DPOs.[128] The Colombian DPA is actively enforcing its law against companies that do not comply, like WhatsApp.[129]

  • In July 2016, the Costa Rican DPA promulgated Executive Decree Nº 40008 to update the country’s Data Protection Law by introducing several of the GDPR’s key elements into the legal regime, such as the right to be forgotten and an extended liability regime for both controllers and processors. In January 2021, draft law N° 22.388 was introduced to provide a complete reform of the 2011 law,[130] and is currently being debated by the Legislative Assembly.[131] The bill expressly cites the GDPR as its guide to filling the gaps left by the 2011 Law.[132] Among other things, the proposed law would modernize the country’s regime of data subject rights and establish the Costa Rican DPA as an independent institution.[133]

  • In Ecuador, data protection is a fundamental constitutional right.[134] In May 2021 Ecuador’s National Assembly enacted its first DP law, which specifically recognizes the GDPR’s impact.[135] It contains several of the Regulation’s key elements. For example, it enshrines the right to data portability,[136] mandates DPIAs[137] and the designation of DPOs,[138] as well as the duty to report data breaches.[139] It also regulates processors’ liability for data breaches with enhanced penalties for serious offenses.[140] The original draft included the right to be forgotten but it was eliminated in the approved bill.

  • Although El Salvador’s Legislative Assembly approved a Data Protection Law in April of 2021,[141] it was immediately vetoed by President Nayib Bukele.[142] A ‘National Digital Authority’ was also enacted by legislative decree to oversee implementation of the new legislation,[143] and vetoed as well.[144] Thus, El Salvador remains without a comprehensive data protection law.

  • Guatemala recognizes a right to privacy for personal communications in its Constitution, which has been developed through rulings of the Constitutional Court.[145] To date, however, there is no data privacy legal regime in place. Although several legislative initiatives promoting data protection and actively supported by civil society have been presented to the Parliament, none have yet been approved.[146]

  • Guyana has no privacy or data protection law, although it has legislation specific to the financial sector.[147] However, Prime Minister Mark Phillips announced an impending data protection law[148] and a request for draft proposals was published in November 2020.[149]

  • Honduras protects the right to intimacy and confidentiality of communications in its Constitution.[150] Despite the absence of a specific law on data protection, the country does have a National Commissioner for Human Rights with authority to protect personal data.[151] Furthermore, Honduras in 2015 added the writ of habeas data to its constitutional protections.[152] That same year, a bill on personal data protection was introduced in the Honduran Senate that focused on the protection of ARCO Rights and a sanctions regime.[153] Since 2018, Honduras has been debating legal reforms to enact a data privacy law in line with European standards under pressure from civil society actors to do so.[154]

  • In 2017, Mexico enacted the General Law on the Protection of Personal Data in the Possession of Obligated Subjects, which imposed data privacy duties on public authorities and entities that were not covered by the private actor-focused Federal Data Protection Law of 2010.[155] The new law incorporates several GDPR key elements, including data portability, DPOs and DPIAs.[156] In 2021, the Government approved a controversial legal reform to create a central government database of the sensitive personal data of mobile telephone users.[157] The Mexican Supreme Court is hearing numerous challenges to this initiative, not least for violating the Data Protection Law.[158] In the meantime, the Court decided to suspend the collection of data due to the legal challenges filed.[159] In 2018, Mexico acceded to Convention 108 as well as the 2001 Additional Protocol on supervising authorities and transborder data flows.[160] For more information, see the Mexico case study, infra 4.3.

  • Nicaragua protects the right to personal data and the habeas data action in its Constitution and Law on Protection of Personal Data (Act No 787) of 2012.[161] No legislative proposals for updating the Law have been found.[162] In January 2021, the telecommunication regulatory body (TELECOR) issued an administrative decree on cybercrime which may run counter to its Data Protection Law by granting police or the Public Ministry, subject to judicial approval, the authority to prompt disclosures of personal data within information systems.[163]

  • Panama adopted its first data protection law in March 2019 soon after the GDPR came into force. The law came into effect in March 2021.[164] However, it acknowledges few of the GDPR’s innovations (the right to data portability being one) while omitting most of them. Instead, the new Panamanian data protection regime follows a more sectorial approach like the one prevalent in the United States.[165]

  • In May 2021, in Paraguay, a comprehensive bill was proposed in Congress to update the country’s Data Protection Law across the board[166] and bring it more into line with international standards.[167] It seeks to build on the progress made by a similar 2019 legal reform of personal data protections that was restricted to the specific context of financial and credit information.[168] The recent proposed legislation is also modelled on the GDPR and seeks to create a single independent DPA[169] as well as create a right to data portability.[170]

  • In Peru, the Regulatory Decree that implements the country’s Protection of Personal Data Law (2011) was modified in 2017 to strengthen the regime by giving more independence to the DPA and increasing the severity of sanctions.[171] In December 2020, the Ministry of Justice and Human Rights approved an additional resolution adopting a method of calculating sanctions for violations of the Data Protection Law.[172]

  • In Suriname, the right of privacy has constitutional status despite the lack of a comprehensive data protection law.[173] In May 2018, legislators proposed the Privacy and Data Protection Law, which does not refer explicitly to the GDPR.[174] It does, however, recognize the need to harmonize with international standards, including several of the Regulation’s key elements, such as extraterritorial application, the right of erasure, data portability, and the duty to notify breaches, among others.[175] It is uncertain whether the bill will be enacted.[176]

  • In 2018, Uruguay approved changes to its 2008 Law to introduce GDPR key elements.[177] Among these are the notification of data breaches, the duty to carry out impact assessments, and the designation of data protection officers under certain circumstances.[178] The legislature opted not to include other key elements such as the right to be forgotten, the right to data portability or a tougher sanctions regime.[179] In February 2020, however, the Executive issued Decree 64/020 regulating certain aspects of the law relating to data protection officers and impact assessments. This decree further reinforced the liability of entities that treat personal data.[180] It is worth noting that in 2013, Uruguay became the first country outside of Europe to adhere to Convention 108; in 2021, Uruguay became the first Latin American country to fully ratify the 2018 Protocol ‘modernizing’ the convention.[181] For more information, see the Uruguay case study, infra, in 4.4.

  • The Venezuelan Constitution contains various provisions protecting privacy, which can be enforced directly through the courts.[182] However, Venezuela lacks a data protection law and a data protection authority,[183] with early efforts to create a data protection law ceasing after 2005.[184]

This panoramic view of the region’s data privacy regimes allows us to formulate several initial observations, which are the subject of the next sub-section.

3.1 General Findings Regarding the Latin American Panorama

Through the panorama portrayed in Table B, we gain a broad perspective on the status of data privacy regulation in Latin America in 2021, with a focus on the changes introduced since the GDPR’s adoption in April 2016. In South America, eight of 12 countries had data protection laws in place at the end of 2021, which is nearly 70% of the continent; in Central America, however, only three of seven countries did, or about 40%. Overall, 12 of the 20 countries we examined in Latin America, which encompasses both South and Central America, had a personal data protection regime, or 60%. Those 12 countries are Argentina (2000), Brazil (2019), Chile (1999), Colombia (2012), Costa Rica (2011), Ecuador (2021), México (2010 & 2017), Nicaragua (2012), Panamá (2019), Paraguay (2000), Perú (2011) and Uruguay (2008 & 2018).

But if you add in the number of countries in Latin America that are currently in the process of debating and/or enacting new data protection laws, that 60% figure for the region improves significantly. Currently, there are legislative initiatives to this end underway in three South American countries that do not have a data protection law – Bolivia, Guyana and Suriname – and in three similarly situated Central American countries: El Salvador, Guatemala and Honduras. This means that 90% of Latin America is either covered by data protection laws or may soon be. Only Venezuela in South America and Belize in Central America have neither data protection laws nor a process to legislate one.

A close examination of Table B points up other interesting insights. If we focus for a moment on the nine countries that already had a general data protection regime prior to 2016, we discover that nearly 80% of them have since updated, or sought to update, their data privacy legislation (Argentina, Chile, Colombia, Costa Rica, Mexico, Paraguay and Uruguay). Specifically, three countries in this latter group have modernized their data protection laws with new GDPR-inspired provisions (Costa Rica, Mexico, and Uruguay), while another four plus Costa Rica have considered or are studying draft laws to amend their existing regime (Argentina, Colombia, Chile, and Paraguay).[185] Two countries – Peru and Nicaragua – have pre-existing data protection laws but have not made major legislative moves to update them, although Peru has made regulatory tweaks to its regime.[186]

In addition, some of the aforementioned governments are reforming their data protection laws with a view to retaining or seeking an adequacy determination under the GDPR. In the region only Argentina and Uruguay have an adequacy determination in place from the European Commission under Directive 95/46.[187] To this end, both countries have been actively revising (Uruguay) or seeking to revise (Argentina) their already ‘adequate’ data privacy regimes, even as updated adequacy determinations by the European Commission under the GDPR are pending.[188] For instance, Argentina ratified Convention 108 and its additional 2001 Protocol in 2018 and 2019, respectively;[189] in 2018 it signed the Amending Protocol for Convention 108+ as well.[190] Uruguay went further, becoming in April 2021 the first Latin American country to ratify the 2018 Amending Protocol to Convention 108, to which it had already acceded in 2013.[191] There is reason to believe that ratification of the Council of Europe’s Convention 108 and its protocols is a stepping stone towards obtaining a positive adequacy determination,[192] which may explain Mexico’s decision in 2018 to ratify Convention 108 and the 2001 Additional Protocol.[193] Other countries such as Brazil, Colombia and Costa Rica are studying the possibility of following suit.[194]

Looking now at the other end of the data protection spectrum, our study also shows that over a third of the countries in Latin America do not yet have a general data protection regime (8 out of 20). In four of them – Bolivia, El Salvador, Guyana, and Suriname – the respective legislatures have at least debated proposed laws since 2016, though without success. In two others – Guatemala and Honduras – civil society groups have been pushing for legislative initiatives that would lead to the adoption of legal frameworks for data privacy that encompass the GDPR’s key elements, also without success.[195] (Belize and Venezuela, as noted, have shown little movement on this front.) This suggests that there is still some distance to go in the regional development of data privacy protections generally, and in measuring the GDPR’s impact, more specifically.

Finally, it is worth observing that Table B offers qualitative as well as quantitative insights. In particular, it allows us to analyze the types of legislative changes that have taken place between 2016 and 2021. In those five years, for instance, countries undergoing reforms have moved at different paces. Three countries have enacted new laws and/or regulatory reforms to update their pre-existing data protection regime (Costa Rica, Mexico, and Uruguay), while three have enacted entirely new laws (Brazil, Ecuador and Panama) to establish such regimes for the first time. In parallel, seven countries have considered or are studying either the adoption of a new data protection law (Bolivia, El Salvador, Guyana and Suriname), or the reform of their existing data privacy frameworks (Argentina, Chile, Colombia, Costa Rica and Paraguay). Table B provides information on the nature of those legislative initiatives; for example, it distinguishes between efforts that would implement the GDPR’s key elements almost in their totality (Argentina) and those that seem to ignore most of the Regulation’s innovative features (Panama, El Salvador), as well as everything in-between.

In sum, Table B provides a good overview of the current state of data privacy law in Latin America. We can see that by 2021 most countries in the region – 90% (18 of 20) by our count – have a general data protection law or are trying to enact one. Since 2016, a sweeping ‘third wave’ of legal reform has spread data protection regimes inspired by the GDPR to several new countries, as well as led several others to update their pre-existing legal frameworks in line with the Regulation’s transnational standards. Even so, questions remain about how these Latin American countries embarking on the modernization of their data privacy regimes navigate that course, and the extent to which they choose to follow the example of the GDPR – the acknowledged leader in this field – or not. To address these questions, we deploy case studies in Part III that delve into the details of data privacy reform in four Latin American countries.

4 Country Case Studies

In this Part we move into a detailed exploration of four strategic jurisdictions in Latin America identified as ‘first movers’ in terms of European norm adoption: Brazil, Chile, México, and Uruguay. Each represents a particular approach to data privacy regulation in the region at present. One objective of this third Part is thus to examine more closely the different types of legislative reforms and updates to Latin American data protection regimes that have been considered and/or approved since 2016 when the GDPR was approved. A second objective, building on the first, is to use the four case studies as inputs for the comparative analysis that underpins Part IV to better understand the influence that the GDPR is having in the region more broadly. We believe that a closer look at each will allow us to appreciate more fully the nature and extent of the legal reforms in the countries studied. By reviewing the respective experiences since 2016, then, we can better understand not just the legislative initiatives themselves, but also the context and motivations that drive them.

The four case studies – Brazil, Chile, Mexico and Uruguay – were chosen in part because of the respective governments’ express efforts to modify their countries’ data privacy regimes to respond or adapt to the GDPR. In this regard, they reflect to various degrees the progress taking place regionally in relation to the legal reforms we previewed in 3. Geographically, Mexico is in Central America, while the remaining three countries are in South America. Brazil and Mexico adopted entirely new ‘omnibus’ legislation, while Uruguay pursued piecemeal reform. Chile represents those countries still in the process of debating legal reform to pre-existing data protection laws. The cohort thus exemplifies to a great extent the range of domestic experiences prevalent in the region, as reflected in Table B. That said, we would be remiss not to recognize a prominent omission from our roster of case studies: Argentina. We chose not to include Argentina due to the fact that its legislative activity at the time of this writing is greatly in flux. Given the importance of discussing the country in relation to the subject matter, however, we have included below a brief overview of data privacy protections and reform in Argentina as part of this introduction to the more in-depth case studies.

A word about methodology. With respect to the case studies for Brazil, Chile, Mexico and Uruguay, we will be tracking in each country’s respective legislation the GDPR’s key elements as set out in Part I and summarized in Table A. This will allow us to measure the extent to which, objectively, the pertinent norms incorporate the unique GDPR elements identified, or not; the strategic sample provided by the key elements is broad enough to support at least a preliminary analysis of the degree of assimilation present from a technical point of view. But the inquiry does not end there. We have also mined primary and secondary sources for complementary information on the context of the legislative changes proposed or enacted; these sources shed light on the motivations and objectives of the law and policymakers involved. Our overarching goal as noted already is to provide qualitative insights into the political and social processes behind the legislative initiatives to modernize data protection in these countries.

The results of this initial exercise are captured in Table C, entitled ‘GDPR Key Elements as Indicators of Influence.’ For each of the four case studies, this Table captures the degree to which the EU Regulation’s innovative elements identified in Part I are present in the selected country’s proposed or adopted legislation.[196] To achieve this, the horizontal axis of Table C imports verbatim the final row of ‘Basic Indicator Queries’ for each of the nine key elements identified from Table A. Those then became the questions that guide the process of filling in Table C, because the answer to the indicator query determines whether the referenced GDPR key element is present or not. On the vertical axis of Table C are listed the four countries, along with the pertinent legislation’s identification number and hyperlink to the original source. When cross-referenced, the two axes of Table C present a more detailed image of the extent to which the proposed or enacted legislation for these countries incorporates the GDPR’s unique features as distilled by the key elements.

The presence of several GDPR key elements in these first mover countries can give rise, at the very least, to the impression of influence by the former on the latter. It is necessary to acknowledge, however, that such correlation does not necessarily signify causation. We know that presumptions of influence are, of course, rebuttable by further investigation producing evidence to the contrary.[197] Graham Greenleaf points out that the question of causation regarding whether the European data protection rules have influenced the adoption of similar provisions by third countries can only be answered by detailed studies that bear down on the particularities of each country’s legal history, as well as the myriad of reasons that go into the adoption of particular legislation.[198] With this important caveat in mind, we developed the case study methodology described above which we believe moves us in the right direction.

We call the GDPR’s ‘key’ elements ‘indicators of influence’ because the more these elements are present in the legislative acts studied, the stronger one can assume the GDPR’s influence to be. That is, the more correlation there is between a country’s legislation and the key elements identified, ‘the more it is suggestive of a conscious influence of the [European model] in [that] particular country.’[199] Fortunately, in most cases, we do not have to speculate solely on the basis of this technical analysis; legislative history and contemporary press accounts of the legal processes examined will expressly attest to the role of the GDPR in the legislative processes examined. Interpreting both sets of inputs together – textual analysis alongside contemporary accounts – we can fashion a more informed and accurate idea of the nature of the GDPR’s influence in that country to date. Before turning to the case studies themselves, however, we should take a look at the evolving panorama in Argentina, which, though not a case study country for the reasons alluded to earlier, has nonetheless been a data protection trailblazer in the region.

4.1 Data Privacy in Argentina

Argentina has long been in the forefront of data protection in Latin America. Like many countries in the region, Argentina built its personal data protection regime on the constitutionally protected right of habeas data. Specifically, the 1994 Argentinean Constitution incorporated the right to habeas data as part of the section on ‘amparo’ actions, which are constitutional writs to protect fundamental rights.[200] In 2000, the Argentine Congress approved Law No 25.326 on Personal Data Protection,[201] making it one of the first Latin American countries to adopt omnibus legislation that closely tracked EU Directive 95/46.[202] Along with Chile and Paraguay, it was thus part of the ‘first wave’ of data privacy legislation that came about in the wake of the Directive’s approval.[203]

After approval of the Data Protection Law in 2000, Argentina broadened its alignment with the European approach.[204] In 2003, it became the first country in Latin America to be recognized by the European Commission as having an ‘adequate’ level of protection under Directive 95/46, allowing for the free flow of data with Europe.[205] More recently, in 2019, the Argentine Congress ratified the Council of Europe’s 1981 Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data and signed the Additional Protocol regarding supervisory authorities and transborder data flows.[206] As such, it is one of the few non-European countries, along with Mexico and Uruguay, to have ratified Convention 108.[207] In September 2019, Argentina signed the Amending Protocol establishing Convention 108+, becoming only the second Latin American country after Uruguay to do so.[208] In 2020, the data protection authorities of Argentina and Uruguay introduced a joint Guide for Impact Assessment for Data Protection aimed at providing a common framework for controllers to follow in both countries.[209] This guide, which expressly cites the GDPR as a source of inspiration, includes a matrix for conducting risk assessments.[210]

Although reforms to the 2000 Data Protection Law are under consideration by the Argentine Congress, the legislative panorama is not nearly as clear or concrete as that in the case study countries selected. In September 2018, then President Mauricio Macri submitted a comprehensive draft law to Congress with the express aim of further modernizing the country’s data protection regime and adapting it to ‘regulatory changes that have occurred in comparative law in recent years,’ especially the GDPR.[211] The Macri bill, however, was allowed to lapse during the COVID-19 pandemic[212] and lost parliamentary status in 2020.[213] Nevertheless, towards the end of 2020, Argentine legislators introduced two new bills that substantially reproduce the purpose, focus and content of the Macri bill.[214] These developments, though inchoate, are significant because our analysis of the Macri bill found that it contained nearly all of the GDPR’s key elements,[215] as apparently do the subsequent bills that are still pending.[216] All this suggests that the adoption in Argentina of a revised data protection law substantially aligned with the GDPR is merely a question of time.

4.2 Brazil

Brazil offers another sample in regional data privacy regulation that, like Argentina, took place in response to the adoption of the GDPR in Europe; it is notable, however, for another reason: even though Brazil was the first country in Latin America to introduce habeas data protection into its Constitution in 1988,[217] it had no general data protection law at all until 2018.[218] It was in August of that year that Brazil approved the General Personal Data Protection Act (Lei Geral de Proteção de Dados Pessoais or LGPD), which was originally scheduled to go into effect in August of 2020.[219] Although the government of Jair Bolsonaro tried to delay by a year the LGPD’s entry into force due to the pandemic,[220] the Law ultimately took effect on September 18th, 2020.[221] Enforcement of the sanctions regime it established, however, did not become active until August 2021.[222]

The Brazilian General Personal Data Protection Act follows the GDPR not just in name, but in substance as well. Although it did not come with an official message expressly referencing its European inspiration and counterpart, the Brazilian statute was overtly intended not just to establish a data protection regime for the first time, but to do so in line with the prevailing international standards set by Europe.[223] As the discussion below will show, almost all of the GDPR’s key elements appear in the LGPD, which consciously follows in the EU Regulation’s footsteps in terms of format, logic and structure.[224] That said, even though the LGPD tracks the GDPR closely, it is not identical in every respect.[225] One example of this variance is the establishment of a data protection agency, the Autoridade Nacional de Proteção de Dados (ANPD), as part of the Executive, rather than as the fully independent authority mandated by article 51 of the GDPR.[226]

In any case, Brazil checks nearly every box in Table C’s accounting of GDPR key elements. Beginning with the General Provisions, the LGPD adopts a broad baseline scope with both extraterritorial reach and application to data processors (operadores) that seeks to protect Brazilian residents’ personal data regardless of where its processing is carried out.[227] The extra-territorial provisions activate when one of two conditions is met: where the processed data belongs to persons residing in Brazilian territory, or where the purpose served by the processing is to offer such persons goods or services online.[228] Moreover, data processors must comply with all the duties and responsibilities that data controllers have.[229]

In addition to enacting a scope of application similar to the GDPR’s, the Brazilian law likewise adopts a panoply of data subject rights that includes those to erasure and to data portability. So, on the one hand, the LGPD grants individuals the right to ask for erasure of personal data when it is inaccurate or out of date.[230] The legislators chose not to use the exact term ‘right to be forgotten’ because of the challenges noted surrounding the term in the Latin American context, as well as the related clashes with freedom of expression.[231] Although some Brazilian commentators include it in the long list of substantive similarities between the LGPD and the GDPR,[232] it is at best unclear what the operative effect would be.

On the other hand, the LGPD similarly recognizes the right to data portability.[233] Although Brazilian legislation previously only contemplated the right to portability with respect to personal data held by telecommunications companies, the new provision in the LGPD is a general right applicable to any kind of data controller.[234] The Law requires a controller to send personal data to another service or product provider upon request ‘in accordance with the regulations of the national authority, subject to commercial and industrial secrets.’[235] In this regard, the new law does not provide details on how it is to be implemented. But it does seem to be in tension with GDPR art. 20’s dictate that the transfer of personal data between controllers upon request by the data subject must be ‘without hindrance.’[236]

Having constructed its data protection regime upon the same principles as the GDPR, it is no surprise to find that the LGPD followed the European model of enshrining consent as the main basis for legitimate processing.[237] Of note is that Article 8 of the Brazilian Law establishes that consent may be revoked at any time upon the express manifestation of the holder, through a free and facilitated procedure.[238] However, there are some differences in the concept of consent when compared with the GDPR; for example, the LGPD goes further in requiring ‘specific and highlighted consent’ from the data subject for international transfers of their personal data.[239] Another variance from the European norm of relevance to this discussion is the lack of express language to the effect that consent must be ‘as easy to withdraw as to give.’[240] For this reason, we do not register the LGPD as meeting that key element with respect to consent in Table C.

With respect to the GDPR’s other key elements of personal data breach notification, impact assessments and protection officers, the LGPD is largely, but not perfectly, in harmony with its European counterpart. For instance, the Brazilian Law mandates that data controllers report data breaches to both national authorities and affected data subjects only when those breaches may cause related risks or damage to the latter.[241] Another variance in this regard is that the Law does not impose a time restriction for breach notifications, only requiring that notice be given ‘within a reasonable period, as defined by the national [data protection] authority.’[242] The GDPR, of course, requires that the supervisory authority be notified of any breach of personal data within 72 h, regardless of whether it poses a ‘high risk’ of harm to data subjects.[243]

There are likewise significant divergences around data protection impact assessments (DPIAs) and the designation of data protection officers (DPOs). With respect to the former, the LGPD defines the DPIA as a ‘report (…) of the controller that contains the description of the processes for processing personal data that may generate risks to [users’] civil liberties and fundamental rights (…).’[244] However, it does not make them mandatory for controllers as does the GDPR where said risks are ‘high’;[245] instead, the Brazilian Law authorizes the ANPD, the new national data protection authority, to request that controllers (public or private) conduct DPIAs under certain circumstances.[246] For instance, the circumstances that may lead the ANPD to exercise its discretion in this regard include data processing that takes place because it is ‘necessary to serve the legitimate interests of the controller,’ except where the prevailing fundamental rights and freedoms of the data subjects require the protection of their personal data.[247] In that case, the ANPD may, but is not required to, commission a DPIA from the controller.[248]

As concerns the designation of data protection officers, the LGPD obligates only controllers to comply with this duty, although it is defined more broadly than in the GDPR.[249] The European Regulation goes further in requiring that both controllers and processors name a DPO if they are a public authority, are processing sensitive personal data, or engage in the ‘regular and systematic monitoring of data subjects on a large scale.’[250] But, on the other hand, the Brazilian Law requires all controllers to name a ‘person in charge’ of the data processing whose duties are similar to those of the European DPOs.[251] Those duties include accepting complaints from and communicating with data subjects, facilitating communications with the DPA, providing guidance to the controllers’ employees and contractors about the practices to be taken in relation to personal data, and performing other attributions determined by the controller or the ANPD.[252] In this sense, the Brazilian Data Protection Authority can calibrate different levels of compliance according to the nature and size of the entity or the volume of data processing operations.[253]

Finally, regarding accountability, there is again a partial following of the European model. On the one hand, just as the GDPR mandates, the ANPD will have the authority to impose administrative sanctions on ‘data processing agents,’ ie both controllers and processors.[254] Those sanctions can take the form of fines that can scale up to 2% of revenues generated in Brazil, with a maximum possible of 50 million reais (approximately USD 9,200,000).[255] There is no differentiation between serious and other breaches of the LGPD; the ANPD is given broad leeway to calculate the fines and other sanctions.[256] This means that while Brazilian legislators followed the criteria embraced by the GDPR of setting hefty fines on the basis of an organization’s revenues, they made no express distinction for grave breaches and chose to limit their revenue baseline to domestic production only, ie those of the ‘private company, group or conglomerate in Brazil in its last year.’[257] So, while still imposing significant sanctions, the LGPD declined to make them as potentially onerous as those enabled under the European Regulation, which (in)famously based its fines on an offending enterprise’s global revenue stream.[258]

Since the LGPD entered into force, the Brazilian authorities have taken significant steps to further develop the new data protection regime. In August 2020, President Jair Bolsonaro issued executive Decree No 10,474 establishing the regulatory structure of the new data protection authority, the ANPD; this decree also ‘provides details on the appointment of members of the ANPD, as well as administrative and internal procedures for [the agency’s] functioning.’[259] The ANPD in turn has actively engaged with its mission, not least by publishing in January 2021 its operating strategy for 2021–2023.[260] In July 2021, in anticipation of the entry into effect of its enforcement powers a month later, the ANPD issued regulations governing the imposition of sanctions under the LGPD after conducting public hearings.[261]

There have also been challenges to the new data privacy regime established by the LGPD, primarily emanating from the Executive. Most notably, President Bolsonaro in October 2019 issued an executive decree creating a Citizen Database (Cadastro Base do Cidadão) to ‘consolidate and improve the information inside government about each citizen.’[262] Enacted seemingly without regard for the newly-minted LGPD, this decree has been heavily criticized as a threat to citizens’ privacy.[263] Unsurprisingly, numerous Brazilian civil society actors have challenged its constitutionality before the Supreme Court of Brazil, including the Federal Counsel of the Brazilian Bar Association.[264] A similar measure which obliged telecom operators to share the personal data of more than 140 million mobile service users with the Brazilian Institute for Geography and Statistics was declared unconstitutional by the Brazilian Supreme Court in May 2020 on a number of grounds, including privacy and due process.[265]

Challenges notwithstanding, the LGPD is undisputedly landmark legislation that alters the landscape of data protection in Latin America. It was clearly inspired by the GDPR, which it generally emulates in key respects. At the same time, numerous variations – on the duties of processors, for instance, as well as around the notification of breaches, the conduct of DPIAs, and the establishment of a supervising authority housed in the Executive – significantly alter the tenor of the law, giving it a distinctly more restrictive ‘Brazilian flavor’.[266] While it shares a basic structure and guiding principles with its European counterpart, the LGPD leaves many of the regulatory details to the ANPD, which raises concerns about future implementation of key elements such as those relating to data portability and DPOs.[267] Although the ANPD recently has taken positive steps towards implementing the LGPD, challenges to the new regime remain.

4.3 Chile

Chile was among the first countries to enact a data protection regime in Latin America when the National Congress passed the Law for the Protection of Private Life in 1999.[268] Traditionally in Chile, the right to privacy was derived exclusively from Article 19(4) of the Constitution, which guarantees ‘the respect and protection of private life and the honor of the person and his family’.[269] The mechanism for guaranteeing the exercise of Article 19(4) was the constitutional writ to protect all fundamental rights authorized by Art 20 of the Constitution.[270] This approach was modified significantly in 2018, however, when the Constitution was amended to expressly add personal data protection in Article 19(4) as a constitutional right.[271]

The first attempt to codify data protection per se came in 1993 when Chilean legislators considered a draft law for the ‘protection of data of a personal character.’[272] At the time, they looked for inspiration to the laws of various European countries, including Spain, France, and England.[273] After six years of congressional debate, the current data protection law (Act No 19.628) was promulgated in August of 1999; it was, however, almost immediately considered ‘insufficient’ because it failed to adequately regulate third party (private) processing of personal data.[274] In particular, the 1999 Law did not create a data protection authority, regulate cross-border data transfer flows, or sufficiently protect consent; nor did it provide for remedies or effective sanctions for violations.[275]

Efforts from 1999 forward to modernize the Protection of Private Life (Data Protection) Law made little progress until 2017, when the government of President Michelle Bachelet sent a comprehensive reform bill to the Senate entitled ‘Regulation of the protection and processing of personal data and creation of the Personal Data Protection Agency.’[276] Up to that point, the 1999 Law had been amended piecemeal, primarily to protect persons from discriminatory treatment by private companies, for example, in the employment, financial and commercial sectors.[277] In 2014, Bachelet’s government conducted public consultations on a draft statute intended to help harmonize Chilean law with international standards on data protection, including EU Data Protection Directive 95/46 and the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, among other comparative law sources.[278] The government’s online description of its draft law adds that ‘the text of the European Union Regulation [then] under study was also taken into account,’ meaning the GDPR.[279] For reasons that are unclear, this ambitious initiative never progressed past the consultation phase and was ultimately unsuccessful.[280]

What is certain is that the draft law President Bachelet presented to Congress in March 2017 reflected a different approach to reforming Chile’s data privacy regime than its defunct predecessor of 2014.[281] According to the President’s introductory message in the bill, one objective of the reform proposed is to establish a ‘modern and flexible’ legal framework in line with ‘international norms and standards’ on the subject of the protection and processing of personal data.[282] Pointedly, however, the drafters of that message left out of their lengthy exposition any reference to the law of the European Union, preferring to anchor the reform’s normative model primarily in the standards and recommendations of the OECD, a transatlantic club of countries dedicated in large part to economic development, of which Chile is a member.[283] It should also be highlighted that this legislation is configured as a series of amendments to the Protection of Private Life (Data Protection) Law of 1999, not a stand-alone omnibus law like the ones proposed in Argentina and enacted in Brazil. From December 2020 to May 2021, the Government sent no fewer than seven messages to the Chilean Congress urging approval of the pending proposed law.[284] However, as of July 2021, the Bachelet bill was still under consideration in the Senate.[285]

The absence of any express reference to the GDPR in the proposed legislative reform’s introductory section is made all the more curious by the inclusion in the text of several of the Regulation’s key elements. For example, Table C reflects how the draft law would create new rights for the data subject, including the rights to erasure and data portability. One can also see how it would similarly mandate data controllers and processors to report data breaches while strengthening sanctions in case of violations. That said, it is just as important to observe which of the GDPR’s key elements the Chilean Executive chose not to include in its proposal: for instance, Table C reveals how the bill would retain the underlying data protection law’s more limited territorial scope and would forego impact assessments altogether. Let us now take a look at the treatment of the key elements in a bit more detail.

Though never mentioned expressly as a model or source of inspiration, the GDPR infuses several of the most important updates to be enacted through the legal reform process. While the drafters of the bill preferred not to give the current data protection law extraterritorial reach,[286] they did expand the scope of its provisions to cover all public or private persons or organizations ‘responsible for data,’ a new term defined to cover both controllers and processors.[287] Likewise, with respect to the rights of data subjects, the President’s introduction to the bill confirms that the inclusion of the new right to data portability in Section 4 is in keeping with ‘the latest regulatory trends,’[288] which surely encompass the GDPR. Like its counterpart in the EU Regulation, the new provision in the Chilean bill would ensure that data subjects can ask either for a copy of their personal data in a structured format or request the transfer of their personal data to another controller.[289]

In this same vein, Section 4 of the reform bill further sets out the rights to ‘rectification, cancellation and opposition.’[290] Its drafters explain how the new right to ‘cancellation,’ which mandates the suppression of personal data under certain circumstances, should in particular operate to guarantee ‘the so-called ‘right to be forgotten’ in relation to data produced as a consequence of any criminal, civil, administrative and disciplinary offenses.’[291] In other words, the inclusion of the article authorizing cancellation, which does not expressly mention the ‘right to be forgotten’, was nonetheless intended to emulate the corresponding provision of the GDPR in form and function.[292] Like in Europe, this approach was deemed necessary for Chile to balance the rights of individuals to reduce public access to damaging information with the right to access information in the public interest.[293]

Similarly, in keeping with the European model, the Chilean reform would reinforce the data protection law’s reliance on consent as the primary ground for lawful processing. The bill’s proposed Article 12 sets out the rules for what should constitute valid consent and how to withdraw it.[294] According to this provision, the subject can revoke his or her consent at any time without cause ‘using similar or equivalent means to those employed for granting it.’[295] This phrasing, we believe, substantially meets the key element listed in Table C for withdrawing consent, even though it does not track the precise language of GDPR Art 7(3).

In similar fashion, the bill imposes greater duties for compliance on those organizations deemed to be ‘responsible for data,’ which, as noted, means both controllers and processors.[296] Like GDPR Art 33 and 34, proposed Article 14 would require, on the one hand, that those ‘responsible’ give notice ‘in the most expeditious way possible and without undue delay’ to the Personal Data Protection Agency to be created when a data breach happens;[297] on the other, where the breach concerns ‘sensitive data’ or that pertaining to ‘economic, financial, banking or commercial obligations,’ it would also require the party responsible for the data to notify all affected persons in this same way.[298] Unlike the GDPR, however, the reformed law would not fix a deadline for making the required notifications (72 h), leaving it to the regulator to determine what is reasonable under the stated standard.[299]

Not all key elements in the Chilean reform bill match those of the GDPR as closely as the foregoing. One example is the naming of data protection officers (DPOs). While the designation of a DPO is recognized as an important option for controllers and processors to have at their disposal as part of a suite of preventative measures, it is not mandatory.[300] This means that the decision to appoint an internal data privacy expert responsible for promoting and monitoring compliance with the law is left to the sole discretion of the controller or processor in charge of the database.[301]

Sanctions is another area in which certain aspects of the key element are incorporated but others are not. Unique to all the regimes we studied, the reform would introduce a novel three tier system – lesser, grave and very grave offenses – for imposing penalties on data controllers and processors that breach its provisions.[302] In this regard, it takes the GDPR’s dual tier approach even further.[303] According to proposed Article 39, the tier-three fines for the most serious offenses can reach a maximum of five thousand ‘monthly tax units,’ (unidades tributarias mensuales or UTM) which equals approximately USD $336,000.[304] This means that although drafters significantly increased the types and amounts of sanctions relative to the prior framework, they preferred to tie fines to monthly tax units and not to a company’s revenues as the GDPR does, thus lessening the potential onus on larger multinational companies.[305]

In conclusion, the Chilean Executive’s initiative to reform the Protection of Private Life (Data Protection) Law draws heavily from the innovations of the GDPR without ever referencing it directly. In this respect, the pending bill would add a series of novel articles to the existing law to expand coverage to processors, create new data subject rights, require notification of data breaches, and impose heavier sanctions on offenders following a tiered scale of breaches. However, several of the GDPR’s key elements – mandatory DPOs and impact assessments, as well as extraterritorial scope, to name a few – are largely ignored or substantially modified.

4.4 Mexico

Mexico’s approach to data privacy is unique in that it has adopted separate laws to govern private and public actors, respectively. The rules and regulations governing private enterprise are anchored in a law enacted in 2010 to this end,[306] while public authorities engaged in data processing at all levels of government are the subject of more recent legislation from 2017.[307] ‘This differentiation is explained by the introduction into the [Mexican] legal system of [data protection] under the umbrella of the right to access public information, whose application referred to the public sector exclusively.’[308] This approach created a bifurcated framework for data privacy that introduces a level of complexity to the analysis not present in the other case studies. For instance, most overviews of Mexican data protection law for consumption outside the country focus on the former set of rules – those regulating private parties – which, it is worth noting, were ‘clearly influenced’ by EU Directive 95/46.[309]

In this study, however, we will focus on the data protection regime established by the later law directed at public authorities and entities because it was promulgated after the GDPR-centered reference date of 2016. This perspective will provide us with insight into the extent to which the more recent Mexican legislation incorporates the key elements of EU Regulation 2016/679. We will, where relevant, comment as well on the corresponding norms from the parallel regime under the 2010 law and its regulations. In addition, we will highlight a recent challenge to the country’s constitutional and legislative data protection regime as it pertains to public entities.

Regardless of which data protection framework we are discussing, its foundation is the Mexican Constitution. Indeed, the country’s singular approach to the topic can be understood as the outcome of a series of constitutional reforms. In 2007, Article 6 was amended to declare that ‘information related to a person’s private life and personal data shall be protected in the terms and with the exceptions provided by law,’[310] which at the time still only applied to the public sector. In 2009, a fundamental normative shift occurred when Mexican legislators amended Article 16 of the Constitution to recognize ‘every person’s right to protection of their personal data, to access, rectify, and cancel [said data], as well as to manifest their opposition’ to its processing (the ARCO rights).[311] In so doing, they elevated the concept of data protection to the status of a constitutional norm to be protected in the private as well as the public sphere.[312] A third wave of relevant constitutional reform took place in 2014 dedicated to increasing transparency in government; this process was driven in large part by the ‘need to establish uniform standards for data protection’ throughout the country and create the authorities and procedures required to enforce those standards.[313]

The progressive constitutional reform just described ushered in a series of correlative congressional initiatives to modernize data privacy rights in Mexico. The first legislative brick laid in the wall of Mexican data protection law after 2009 was the Federal Law for the Protection of Personal Data in the Possession of Private Parties (Ley Federal de Protección de Datos Personales en Posesión de los Particulares).[314] Promulgated in 2010, the Private Sector Law, as we will call it for short, looked to protect users’ privacy vis à vis private companies in line with international standards and EU Directive 95/46; it excluded public authorities from its scope because those were already regulated under the pre-existing regime of access to public information.[315] Notably, the 2010 Law set up the National Institute for Transparency, Access to Information and Personal Data Protection (INAI) to be the country’s data protection authority.[316] The administration of then President Felipe Calderón subsequently issued in 2011 a detailed Regulation to implement the 2010 Law and reinforce its protections for personal data in the hands of the private sector.[317]

In the wake of the seminal constitutional reforms of 2009 and 2014, Mexican authorities took active measures to revise their data protection regime even further. Consequently, Congress approved in 2016 the General Law on Protection of Personal Data in Possession of Mandated Subjects (Ley General de Protección de Datos Personales en Posesión de Sujetos Obligados), which came into force in 2017.[318] ‘The mandated subjects to which the Public Sector Law applies at the federal, state, and municipal levels are any authority, entity, body and agency of the executive, legislative and judicial branches, autonomous [government] bodies, political parties, [public] trusts and public funds.’[319] Subsequently, Mexico acceded in 2018 to the Council of Europe’s Convention 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data as well as the 2001 Additional Protocol regarding supervisory authorities and transborder data flows.[320] It is clear from the foregoing that Mexico, in its own unique way, ‘has followed, along with other Latin American countries, the international trend of ensuring the protection of personal data.’[321]

Be that all as it may, our goal here is not to map the entire panorama of Mexican data privacy law to date; rather, it is to trace the extent to which the main post-2016 legislative initiative – the Public Sector Law – embraced the key elements of the GDPR. We know that this Law grew out of the constitutional reform process just described, and that it was subject to ‘clear influence of the elevated standards of protection adopted by the European Union, which strengthens the very foundations of [the Law’s] construction and incorporates important innovations that invigorate the legitimate and proper processing of personal data.’[322] It remains to be seen which of those innovations translated into concrete changes in the data protection regime and what the impact of those changes has been.

This is because the 2017 Public Sector Law, while recognizing the GDPR’s importance, is distinct in a number of important ways. For one, it reflects Mexico’s dual track approach to regulating data privacy, which, for the reasons discussed already, is unique in the region: it differs from the comprehensive (omnibus) legal regimes traditionally deployed not only in Europe, but in Latin America as well.[323] This makes comparison with the GDPR challenging because, by definition, the Public Sector Law governs only the conduct of ‘mandated subjects,’ that is, Mexican public authorities and entities.[324] Restricting our analysis to one sector reduces its impact somewhat. Thus, for example, our inquiry into whether or not the Law’s territorial scope has been expanded to reach actors or activities beyond the country’s borders is, for better or for worse, not applicable in this case given the nature of the ‘mandated subjects.’

Imperfect as the exercise may be, it is still worth highlighting the other aspects of the Public Sector Law that do lend themselves to comparison with the GDPR. One can observe, for instance, that the Law applies to processors (encargados) as well as controllers (responsables), and imposes significant duties on the former.[325] Regarding the rights of data subjects, the Law introduces the right to data portability for the first time.[326] Article 57 grants data subjects the right to obtain a copy of their personal data in a structured and commonly used electronic format for their own use or for ‘transfer (…) to another system.’[327] As was the case in other countries – Chile, for example – this norm was lifted directly from the text of what became the GDPR.[328]

In contrast, the other of the Regulation’s innovations (and key element) in terms of data subject rights, the right to be forgotten [erasure], has not been as widely or wholly embraced. ‘In [Mexico], the right to be forgotten only achieved implicit recognition in the regulation of the right to object to the processing of personal data by the [Public Sector Law].’[329] We saw similar approaches in Chile and Brazil.[330] An authoritative commentary to the Law stresses the substantial differences in legal, social and political context between Europe, on the one hand, and Latin America and especially Mexico, on the other, to explain why the ‘misnamed right to be forgotten’ has not taken root per se in the country.[331] To illustrate, consider the case from 2016 in which a Mexican court found that the national regulator, the INAI, had erroneously enforced a ‘non-existent right to be forgotten’ against Google Mexico,[332] which the regulator had argued was premised on the constitutional rights to cancel the holding and use of one’s personal data by controllers, as well as to object to its processing.[333] While those rights contemplate a degree of control by the data subject over their personal information in terms of erasure, said rights will under certain circumstances be outweighed by countervailing values that require preserving access to information and freedom of expression in the public interest.[334]

The remaining key elements reflected in the 2017 Public Sector Law are likewise a hodge-podge of norms that nonetheless follow the GDPR model to a significant extent. So, for instance, while consent is affirmed to be a central pillar for lawful data processing in Articles 16 and 21, no express provision or procedure for withdrawing it other than those envisioned by the ARCO rights is included.[335] Significant as well is the fact that the Law allows for ‘tacit’ consent, which is ‘when the privacy notice [explaining the data processing to occur] has been put at the disposal of the data subject [and] he or she does not express any disagreement with it.’[336] Tacit consent is expressly prohibited by the GDPR.[337] In other respects, the Law tracks the GDPR more closely. Thus, controllers are obliged to inform data subjects and the INAI ‘without undue delay’ of any breaches that ‘significantly’ affect the affected subjects’ rights in terms similar to those fixed by the Regulation;[338] processors are in turn bound to report data breaches to the controllers.[339]

The correlation between the two sets of norms extends to the obligation to conduct data protection impact assessments and, with a Mexican twist, the designation of data protection officials, at least with respect to controllers. With respect to the first, the Public Sector Law adopts criteria substantially similar to those in the GDPR for triggering DPIAs: such assessments are required whenever controller processing involves sensitive or special data, the transfers of personal data, or otherwise poses a risk to the rights and freedoms of the persons affected due to the nature of the data.[340] As regards the second, the Law follows the GDPR in function, if not form, with respect to a duty on controllers to designate a DPO. It obligates the public sector controllers to create an internal ‘Transparency Committee’ that is to operate as ‘the maximum authority with respect to the protection of personal data.’[341] This Committee’s primary function is internal and centered on directing the controller’s efforts to implement and comply with the Law.[342] At the same time, the controllers are obligated to establish a public-facing ‘Transparency Unit’, whose primary role is to ‘support and guide the data subject who requires it in relation to the exercise of their right to personal data protection’.[343] Together, these two mandated entities carry out the equivalent functions of the GDPR’s data protection officers, whose designation is mandatory for public bodies.[344]

Confusingly, however, the Mexican Law allows for, but does not require, the naming of an actual ‘data protection official’ within the Transparency Unit whose job would be to operate as a ‘special adviser on personal data for the management of data processing, the adoption of security measures, the handling of ARCO rights, etc’.[345] This means that although DPOs as a formal matter are optional under the Law, their functional equivalents – the Transparency Committee and Unit – are not. For that reason, we register it as meeting the corresponding key element as well.

Finally, the accountability regime set up by the Public Sector Law, though not fully comparable to that of the GDPR due to the variance in focus discussed, does, in our opinion, meet the criteria corresponding to the key elements of processor liability and enhanced sanctions. First, the Law establishes shared liability between the ‘mandated subjects’ (the controllers) and those put in charge of personal data processing (processors).[346] The latter can be held directly responsible for failures to comply with the obligations imposed by the Law and the controllers.[347] Second, the Law creates an entirely new system of sanctions that ‘are independent of those civil, criminal or any other legal order that might derive from the same facts’.[348] Like that of the GDPR, it operates on two tiers: ordinary infractions, and those offenses ‘considered grave for purposes of their administrative sanction’.[349] Included among the grave offenses are any acts undermining the exercise of ARCO rights by data subjects.[350] Failure to comply with the orders of the INAI or other supervisory body can result in enforcement measures directed at the offending officials in their personal capacity; these officials can be required to pay fines determined according to a variable unit of measure.[351] In any event, said fines would not exceed $7000 USD. Inclusion of these measures is considered at once ‘novel [and] of extreme transcendence’ for the Mexican data protection regime.[352]

In April 2021, Mexico enacted new legislation that challenges the foundations of the Public Sector Law.[353] Intended as an anti-crime measure, the new law amending the Federal Telecommunications and Broadcasting Law mandates the creation of a centralized government database for all mobile telephone users, commonly referred to by its Spanish acronym, PANAUT (Padrón Nacional de Usuarios de Telefonía Móvil).[354] The database would compile the personal information of users, including not just their name, nationality, and national ID number, but also biometric data.[355] The PANAUT would be managed by the Federal Institute for Telecommunications (Instituto Federal de Telecomunicaciones), the IFT, a government agency.[356] Given that it seems to fly in the face of the Public Sector Law in several respects, this new legislation has been the object of multiple constitutional and legal challenges, not least by the INAI, Mexico’s data protection authority, and the IFT itself.[357] Interestingly, in its complaint to the Supreme Court, the INAI drew comparisons between Mexico and the European Union where a similar law came into effect and was likewise challenged.[358] In June 2021, the Supreme Court suspended the implementation of the controversial new law at the request of the IFT for fiscal and constitutional reasons.[359]

In conclusion, Mexico’s bifurcated data privacy regime presents unique challenges to understanding how the GDPR has influenced data protection law and practice in that country. But our review of the Public Sector Law confirms the notion that the Law’s drafters were ‘clearly influenced’ by the GDPR (among other international standards in the field).[360] Nearly all of the Regulation’s key elements are reflected, one way or another, in the multiple innovations embodied in the Law: the right to data portability; the duties to notify breaches, conduct DPIAs, and implement a robust internal data protection mechanism to function like a data protection officer on steroids; and the ‘transcendent’ new sanctions regime. These features all testify to that influence. And at least two of the missing key elements – territorial scope, revocation of consent – can be explained as casualties of the sectorial focus of the Public Sector Law.[361] The recent creation of the PANAUT and the serious challenge it poses to the integrity of this Law remain an ongoing – and as yet unresolved – legal saga. We now proceed to the final case study country, Uruguay, before turning our attention to the comparative analyses and concluding observations contained in 5.

4.5 Uruguay

Uruguay has forged a functional approach to data protection that takes European standards as its starting point. It is one of the few countries in the region that does not have a habeas data provision in its Constitution.[362] Despite this, the 1966 Constitution protects the right to privacy and intimacy in articles 7, 10 and 72.[363] It was not until 2008, however, that data protection and habeas data were first introduced to the Uruguayan legal framework with the approval of Personal Data Protection Law Nº 18.331 (‘PDPL’), a comprehensive (omnibus) piece of legislation that regulates data processing in both the ‘public and private spheres’.[364]

Uruguay deliberately followed the prevailing European framework as it sought to harmonize its regime with the EU’s to the greatest extent possible.[365] The PDPL was modeled on EU Directive 95/46 and expressly motivated by the prospect of an adequacy determination, which became reality in 2012.[366] The 2008 Law established the Unit for the Regulation and Control of Personal Data (Unidad Reguladora y de Control de Datos Personales, also known as URCDP) and invested it with full supervisory powers over the data privacy regime.[367] The URCDP is set up as an autonomous part of the Executive Branch.[368] It is worth recalling that in 2013, Uruguay became the first country outside Europe to adhere to Convention 108 and the Additional Protocol regarding supervisory bodies and transborder data flows.[369] Just as notable is the fact that in April 2021, the country ratified the 2018 Amending Protocol as well, becoming the first (and only) Latin American State party to Convention 108+.[370]

Uruguay holds the distinction of being the first Latin American country to reform its data protection laws expressly to make them conform to the newly enacted GDPR. In so doing, the Uruguayan authorities chose not to replace the PDPL with new legislation, but to amend it through a series of legislative acts. Thus, five months after the GDPR came into force in Europe, the Uruguayan Parliament approved Budget Act Nº 19.670 (15th October 2018), which included a number of specific amendments to the PDPL.[371] Deliberations in the chambers of Parliament left no doubt that these changes were being pursued expeditiously in order to integrate the ‘good’ parts of the GDPR while adapting them to local ‘realities.’[372] In addition, Regulations decreed in 2020 to implement the PDPL as amended by the Budget Law likewise recognize that the latter’s reform took into account ‘the most recent provisions and doctrines,’ expressly referencing the GDPR among other European standards.[373] As it stands, these three legislative acts working together comprise Uruguay’s data protection regime.

Not surprisingly, this legal regime accounts for many – though not all – of the GDPR key elements, including a new extraterritorial scope and increased duties on both controllers and processors. The reforms expanded the territorial scope of the Personal Data Protection Law in the same direction as the GDPR.[374] Before the reform, the PDPL applied exclusively to processing carried out inside the country’s borders. Since 2018, Uruguayan law encompasses processing activities regardless of where they are conducted so long as the controllers are offering goods and services to the inhabitants of the country.[375] Regarding processors, Uruguay was ahead of the curve in subjecting them to regulation: the original PDPL of 2008 distinguished between those entities ‘[r]esponsible for the data and its processing’ (Responsable de la base de datos o del tratamiento) and those ‘[i]n charge of processing’ (Encargado del tratamiento),[376] and imposed duties on both.[377] And, just to underscore this fact, the 2018 amendments to the PDPL expressly affirmed that liability for breaches of its provisions extends to processors as well.[378]

In this same manner, most of the GDPR’s key elements on the responsibilities of data controllers and processors have been updated in Uruguayan law to better align them with the European Regulation. The amendments broadened the responsibility of both controllers and processors by enacting additional proactive protection measures.[379] One of these measures is a new requirement that they conduct data protection impact assessments (DPIAs) under certain circumstances.[380] These arise whenever controllers or processors work with sensitive or specially protected data, and whenever they engage in personal profiling, target vulnerable groups, carry out big data processing or send the data to a non-adequate country.[381] Interestingly, the GDPR mandates DPIAs when processing ‘is likely to result in a high risk to the rights and freedoms of natural persons,’ taking into account the nature, scope, context and purposes of that processing.[382] In contrast, the Uruguayan regulation fixes a set of broad criteria that could effectively lower the bar for when DPIAs will be required.[383] In this sense, Uruguay sets its own standards and differentiates somewhat from the GDPR.

Furthermore, in its reform of the PDPL, Uruguay codified for the first time the duty to notify data breaches to the URCDP as well as the individuals affected.[384] While the 2018 Budget Law only set the obligation to notify data breaches ‘immediately,’ the 2020 Regulation went further by adopting the GDPR’s 72 h maximum time frame for effectuating notification.[385] Some Uruguayan commentators consider this to be the most significant change among the many introduced through the amendment process.[386] In the same vein, the reforms also imported the duty of all public entities and some private organizations to designate data protection officers, a mechanism that did not exist under the original PDPL regime.[387] According to the URCDP, DPOs under the new provision must have knowledge in human rights with a focus on data protection, as well as the controller or processor’s core business.[388] The private entities subject to the duty to designate a DPO are those that have as their core business the treatment of sensitive personal information (health, sexual, political) or the management of large volumes of data.[389]

The foregoing testifies to the positive impact of the GDPR on Uruguay’s reform of its data protection law. But equally relevant is what was not changed. The amended legal regime does not track the GDPR’s key elements in three important respects. The first is that, despite the preeminence of consent as a pillar of personal data processing in the 2008 PDPL, the Uruguayan authorities did not see the need to add any language on how and when consent could be withdrawn.[390] Accordingly, it is not clear what mechanisms would be necessary or valid for a data subject to withdraw or cancel his or her consent to have their personal data processed by a controller.[391] Second, the post-2018 reform process did not modify any of the key elements concerning the rights of the data subject, most importantly with respect to data portability. For reasons not entirely clear, this hallmark GDPR innovation recognized by every other case study country was not part of the normative harmonization process in Uruguay. One can speculate about how in a small country like Uruguay, where State agencies are the main controllers and processors of personal data, portability of said data may not be high on the list of priorities.[392] But it does seem nevertheless to be a curious omission in light of the context described.

Third, and more in line with regional practice, is the absence of express reference to the right to be forgotten. As is the case in the other countries studied, the Uruguayan authorities did not feel the need to expand on the existing data subject rights already guaranteed under the local ARCO regime.[393] Thus, for example, the URCDP issued an opinion in 2016 affirming that the ‘right to be forgotten can be considered as the projection of other rights, among others, (…) the right to deletion [supresión].’[394] This is defined as applying only where there is ‘an error, falsehood or exclusion’ in the personal data of the subject requesting it, which suggests that it would not reach as far as the European understanding of the right to be forgotten.[395]

Last but not least, there is the sanctions regime. On the one hand, as we saw already, processors have been liable for breaches of their duties since 2008 under the original Data Protection Law.[396] On the other hand, legislators made no other changes to the accountability provisions of that law, which established a tiered approach to sanctions based on degree of ‘gravity, repetition, or recidivism’ with respect to the offenses committed.[397] Among other penalties, potential fines were set at up to 500,000 ‘Indexed Units,’ which in Uruguay refers to a unit of measure adjusted daily by inflation.[398] Under prevailing levels, this translates into a maximum fine of USD 57,220.[399] So, while penalties were not ‘enhanced’ as part of the data protection law reform, and thus we do not check that element’s box in Table C, it must be recognized that an advanced accountability mechanism was already in place at the time of that reform and continues to this day.

In conclusion, Uruguayan data protection law tracks its European counterpart deliberately in many respects – extraterritorial scope, data breach notification, processor liability, to name a few – but not all. Some elements, notably data portability, were omitted; others, like those for DPIAs and DPOs, were modified to lower their respective thresholds. These differences can be attributed to modifications to the norms enacted by legislators to make them mesh better with local ‘realities.’ At the same time, we would be remiss if we did not point out that there are several other innovative GDPR elements not captured by our methodology that Uruguay has adopted, such as making privacy by design and by default obligatory.[400] Overall, the country – one of only two in the region with a recognized adequacy determination from the European Commission – continues to embrace European data protection standards, in particular the GDPR, even as it adapts them to its particular circumstances. Whether it does so sufficiently to warrant a new adequacy decision remains to be seen.

5 Observations and Conclusions

We began this Article by posing three overarching questions. The first asked what the panorama of data privacy legislation across Latin America looked like since the 2016 adoption of the GDPR. The second question explored how those countries in the region that moved first to reform or enact data privacy legislation in light of the GDPR have done so. And the third inquired as to the lessons to be learned from the Latin American experience based on our responses to the first two questions. By addressing each of these queries in turn, it has been our goal to shed light on the debate referenced in the Introduction surrounding the nature of the de jure dimension of the most recent ‘Brussels Effect’ in the region. The results of the quantitative and qualitative studies of data privacy legislation across Latin America in Parts II and III confirm that Europe’s normative influence in the region has not only continued but deepened as well. Insofar as data protection is concerned, a substantial number of countries, including all of the most developed ones in economic terms,[401] have indeed chosen to ‘follow the leader;’ that is, they have elected to emulate many key aspects of the EU’s revamped regime under the GDPR by incorporating them into domestic law.

Indeed, the results of our panoramic survey of the region in Part II suggest that a ‘third wave’ of EU standards-driven legislative reform is still underway.[402] By the end of 2021, most countries in the region – 90% (18 of 20) by our count – had a general data protection law or were trying to enact one.[403] And of those jurisdictions possessing data protection laws prior to 2016, nearly 80% have since either approved or proposed substantive reforms to their legislation.[404] Three successfully updated their pre-existing legal regimes with new GDPR-inspired provisions (Costa Rica, Mexico, and Uruguay), while four others have considered or are still studying similarly inspired draft laws (Argentina, Colombia, Chile, and Paraguay).[405] In addition to updates it made in 2016, Costa Rica is currently in the process of debating a new draft law, which looks certain to be approved,[406] checking both boxes simultaneously. In addition, since 2016, Brazil, Ecuador and Panama have promulgated entirely new data protection laws for the first time; Brazil and Ecuador in particular provide clear examples within the ‘third wave’ cohort of the GDPR’s de jure impact on domestic jurisdictions in Latin America.[407] That said, it is important to note that not all ‘third wave’ initiatives have taken the form of ‘omnibus’ laws, as the aforementioned three countries did, and as was primarily the case for the first two waves of reform that took place in the wake of Directive 95/46.[408] Uruguay and Chile, for example, have opted to enact or propose amendments to their original laws already in place.[409]

The panorama painted in Part II heralds the advent of a ‘third wave’ of reform after the approval of the GDPR in 2016; prior to 2016, it was EU Directive 95/46 that set the data privacy standards to follow in Latin America and the world.[410] Since 2016, with the GDPR firmly in place on the regulatory horizon, 16 of the 20 countries surveyed adopted or debated new standards for data protection within their existing domestic legal framework, and in several cases enacted an entirely new law to that same end.[411] In the majority of those ‘third wave’ countries, the GDPR’s influence is palpable, if not express, with few exceptions (eg Panama and El Salvador).[412] This wave can be further differentiated from the previous ones in at least one other respect. Several countries that already possessed a data protection law sought amendments or reforms to that law rather than enacting entirely new ‘omnibus’ legislation, which continued to be the preferred route for countries enacting data privacy legislation for the first time. Uruguay, Chile and Colombia are examples of the former group, while Brazil, Ecuador and Panama exemplify the latter. For the reasons we go into below, these trends are likely to continue and strengthen in the region.

The initiatives by most countries described in Parts II and III to align their law with the GDPR are part and parcel of a broader context of interrelationship between Europe and Latin America. The post-2016 trend of following the GDPR has been accompanied by Argentina and Mexico’s adherence in parallel to Convention 108 and the Additional Protocol regarding supervisory authorities and transborder data flows.[413] Consequently, there are now three countries in the region – the other is Uruguay – that are parties to the first and only data protection treaty in effect and its additional protocol. In addition, Argentina has signed the Amending Protocol updating the treaty as Convention 108+, while Uruguay has ratified it; other countries look to follow suit.[414] All this testifies to the broad attraction that European approaches to data privacy regulation have on Latin American lawmakers. Another example of this connection is Chile’s strong affinity for the OECD’s data protection framework, which it chooses to emphasize as its primary reference in the ongoing reform process.[415]

Conversely, not all aspects of the GDPR or Europe’s approach to data protection are equally popular in the region. This is especially true in relation to the mechanism for granting adequacy status to non-EU countries, which was initiated under the EU Directive and continues under the GDPR.[416] Since 1995, only Argentina and Uruguay have received an adequacy determination from the European Commission, and maintaining that status has been a source of inspiration for the legislative reform efforts since 2016 in both countries.[417] But, as far as we know, no other Latin American country has applied to obtain adequacy status, despite widespread admiration for European standards and the fact that two other countries – Japan and the United Kingdom – have recently achieved that recognition under the Regulation.[418] More and broader research into this issue is required. Our preliminary exploration of these topics, however, seems to support the novel proposition that Europe’s adequacy mechanism may not be the incentive for governments that some might think it is, at least in Latin America.[419] This is true even where most countries in the region are actively seeking to update their national data protection regimes in light of the GDPR.

The foregoing observations respond to the first question regarding what the panoramic overview of regional practice since 2016 shows us. To answer the other two queries – what have first-mover States done and what lessons can we derive overall from the research – we have to parse the particular practice of the four countries profiled in Part III’s case studies. In this respect, a number of sub-queries suggest themselves: What key elements of the GDPR are most commonly reproduced? Which are not? What might explain the difference? What legislative strategies have they followed to enact or promote such changes? And are there any other patterns, trends or other observations worth highlighting out of a comparative evaluation of the case studies? Keeping in mind that we are describing ‘a moving target,’[420] our initial set of observations in response to these queries is drawn largely from Table C, which summarizes the ‘score’ for each country studied in terms of GDPR key elements present in the legislation analyzed. At the same time, there are other important characteristics of the referenced laws or draft laws not reflected in Table C, including legislative history and context, that we draw upon from the case studies.

We have seen how the history and context of the countries studied allow us to frame the correlation between their respective legislative reforms and the GDPR’s key elements in terms of influence.[421] By influence we mean the extent to which any correlation in key elements between the Regulation and the national legislation contrasted can be said to be due to the effect of the former on the latter. The case studies confirm how in every jurisdiction legislators were aware of the GDPR and its role as ‘standards bearer;’ in nearly all – Brazil, Mexico, and Uruguay – its role in shaping the national legislation reviewed was explicit or manifest.[422] In Chile, the EU Regulation’s role was minimized: the introductory chapter of the Chilean draft law submitted by the Executive pointedly omits any direct reference to EU standards, much less the GDPR itself.[423] Yet even in that case, the GDPR’s fingerprints appear repeatedly, as when Chile seeks to codify data portability, a hallmark innovation of the GDPR.[424]

Turning now to the review of the GDPR’s key elements in Table C, there are a few that stand out due to their (near) ubiquity across the countries studied: data portability, data breach notification, the application of the data protection law to processors as well as controllers, and enhanced sanctions. Although assigned different labels by different regimes (eg operadores vs encargados), processors have been or would be made regulated subjects of the respective data protection laws in all the jurisdictions studied, most for the first time, and all have or would be held liable for failure to comply with the law. The duties imposed on processors, however, tend to vary from place to place; for instance, in Uruguay and Mexico, they are required to appoint DPOs, but not in Brazil or Chile.[425] One thing that is nearly uniform across the region is increased sanctions, although in no case do they rise to the level of those contemplated by the GDPR.[426] With the exception of Uruguay, which already had a strong sanctions regime in place, the other countries enacted or would enact a stricter penalties framework vis à vis its predecessor, though in some cases even those have been criticized for not going far enough.[427]

The two elements that most strongly correlate across jurisdictions are the right to data portability and the duty on controllers to report data breaches. The former in particular is a hallmark innovation of the GDPR regime; as such, it is a strong indicator of influence.[428] The consistent acceptance of data portability as a new right of users in every case study regime but one speaks to the transferability of the idea behind it (the exception, oddly enough, is Uruguay). The duty to notify breaches is similarly illustrative, even as it is rapidly becoming the global standard: witness its introduction into conventional international law in the modernizing of Convention 108.[429] The laws examined in Brazil, Chile, Mexico and Uruguay all establish or would require the communication of personal data breaches to both the data protection authority and the affected users; those laws similarly establish or would dictate the minimal content of the reports to be notified (eg nature of incident, type of data compromised, and security measures taken).[430] Uruguay, which enjoys an adequacy decision from the European Commission, took the additional step of imitating the GDPR model even more closely by establishing a time limit of 72 h for reporting a breach.[431]

Another element that correlates strongly, though not always in the positive sense, is the right to erasure and ‘the right to be forgotten.’ On the one hand, the Latin American legal tradition reflected in the figure of habeas data, and the ARCO rights derived therefrom, provide fertile ground for the integration of these rights – in particular the right to erasure [cancelar] – across legal systems.[432] All of the laws studied purport to do so – either in the pre-existing regime or as part of the updates after 2016.[433] On the other hand, no State was willing to adopt explicitly the more expansive European concept of the ‘right to be forgotten,’ which was read into the rights to erasure and to object to processing by the European Court of Justice.[434] While the two concepts – erasure and RTBF – are closely related they are not exactly the same. The right to be forgotten is not so much a right in itself as an extension of the right to erasure that transforms it, in the view of Latin American critics, into a ‘mechanism for censorship.’[435] All the countries studied enacted or proposed provisions codifying the right to erasure; at the same time, however, when addressing the RTBF dimension, legislators and commentators alike emphasized the importance of the countervailing rights to access information and freedom of expression ‘in both its individual and social dimensions.’[436]

As noted already, this regional reluctance to import the full meaning of the right to erasure from the GDPR can be explained by the fact that there are aspects of Latin American law and culture that diverge from Europe’s, specifically in terms of what is understood by the term ‘right to be forgotten.’[437] The region has a long tradition of protecting freedom of expression and the right of access to information that collides with the broad application of the ‘right to be forgotten’ as defined in European law.[438] For example, the Special Rapporteur for Freedom of Expression of the Organization of American States (OAS) has categorically affirmed that Inter-American human rights law does not protect or recognize the so-called ‘right to be forgotten’ in the terms outlined by the CJEU in the Costeja case.[439] The Rapporteur has emphatically stated that ‘[p]eople [in Latin America] want to remember and not to forget’.[440] This is because, more so than in Europe, the Latin American political and legal context, shaped by its history, favors the right to truth and access to information in furtherance of the public interest as essential components of freedom of expression.[441]

Even when a key element is not universally shared – extraterritorial scope, say – much can be learned from examining how the States that implement it do so. Thus, for instance, the two countries that include an expansive jurisdiction over data protection activities (Brazil and Uruguay) tie it to the purpose of offering or providing goods or services to persons residing in their respective territories.[442] In this sense, the countries added the ‘targeting criterion’ which is one of the key provisions introduced by the GDPR to expand its territorial scope.[443] Another example is the designation of data protection officers. All the countries examined introduced the designation of DPOs into their domestic legal regimes in some form; most made it a requirement.[444] Even so, there are variances: Brazil requires it only for controllers, but not processors; Chile makes it optional for both, and Mexico reconfigured the concept by requiring ‘Transparency Units’ that would function in much the same way as a DPO in other contexts.[445]

These are the preliminary observations we have been able to identify on the basis of the studies conducted in 3 and 4. But there are other, methodological questions we have had to grapple with that are worth surfacing here because they explain in more detail how the aforementioned observations were formulated. For example, with respect to the Brussels Effect itself, how do you go about measuring de jure influence generally, and of the GDPR in particular? How do you determine the extent of such impact where the parts of the legislative acts contrasted – much less the whole – do not always match up exactly? In the terms established by our methodology, the question posed would be this: how many key elements need to be ‘present’ in a law to support an affirmation of de jure effect? What form must those key elements take to find a match or correlation?

In our methodology, we took a functional approach. It rapidly became clear to us that whenever countries adopted key elements from the GDPR, they did not do so verbatim. Rather, national legislators consistently chose to adapt the language of the source provisions to their particular context, often leaving out details or adding new ones. So, on the one hand, a sanctions regime featuring revenues-based fines, one of the main enforcement innovations of the GDPR, is followed only partially by Brazil’s law, despite the range of reforms establishing or reinforcing penalties in other jurisdictions.[446] The same goes for data breach notification: although imported into all case study jurisdictions, only Argentina and Uruguay copied the 72 h timeframe into their law.[447] Others like Chile have left the meaning of giving notice ‘without undue delay’ to the regulatory process.[448] In other words, in these and many other instances, the substance or ‘spirit’ of the referenced GDPR provisions was followed, if not the ‘letter’ or text of the Regulation’s provisions per se. We thus gave full credit to countries in such scenarios, emphasizing function over form in the application of our methodology to the legislative acts reviewed.

On the other hand, some States – most notably Chile and Mexico – chose different models when regulating data protection in their jurisdiction, which made it even more challenging to compare and contrast with the GDPR. Chile’s comprehensive overhaul of its deficient data protection law through a series of detailed amendments referenced OECD standards rather than those of the GDPR.[449] Mexico built upon its bifurcated data privacy regime by adopting a detailed law focused exclusively on public sector data processing, which led to specialized frameworks, for example, for remedies. Regardless, in both cases, what we saw were extreme examples of the principle that countries in the region have tended to adapt rather than copy key elements of the GDPR, shaping them to fit national realities and regulatory capacities. Depending on the country context and approach taken, this could result in higher-level norms with fewer details in some circumstances, as in Brazil, or more distinctive and extensive normative frameworks in others, like in Mexico. Here, again, we credited the substance and function of the norms, rather than the form they took.

Methodological challenges notwithstanding, we are confident in our finding of a post-2016 ‘active influence’ on Latin American data protection law emanating from the GDPR.[450] We can, of course, point to express references to the GDPR as a primary source of inspiration or model made by legislators in Argentina, Colombia, Uruguay and Mexico.[451] In the case of Argentina and Brazil, the parallels in form as well as function between their respective legislation and the GDPR speak volumes: imitation is, after all, the greatest form of flattery. But it is one thing to highlight an obvious connection between two sets of norms, and quite another to try to map the degree of influence one has had on producing the other, if by influence we mean how one source contributed to or caused the second. We understand that our work in this respect only scratches the surface of understanding the evolution of data protection law in Latin America, not least because the legislative processes at issue are notoriously complex, and each country is a universe unto itself.

It is for these reasons that we developed the comparative law methodology employed in this Article to allow us to at least begin to address the challenges identified with some degree of rigor, logic and consistency. The case studies in Part III have, among other things, provided us with a lens into the practice of the States selected that complements the more quantitatively focused research analyzed in 3. By combining the two we are able to formulate the foregoing observations, such as they are, about the de jure influence of the GDPR in the region. Which leaves just the question of why: if, as we saw, achieving adequacy status does not seem to be the ultimate goal for most of the countries in the region, why then do their governments maintain the tradition of implementing or adapting European data protection standards like those in the GDPR? Even accepting we can trace an ‘active’ de jure influence in the way we purport to, this only begs the question of why it continues to transpire in the first place.

We think the answer to the question of why the GDPR has been as influential as it has includes at least the following dimensions, the least of which is related to market forces. First, most Latin American countries are animated by constitutions that through habeas data and other provisions enshrine access to data, privacy and more recently, data protection, as fundamental rights.[452] Though it emanates from different sources and legal traditions, this perspective – indeed, philosophy – nonetheless dovetails seamlessly with Europe’s tradition of treating data privacy protection in terms of human rights.[453] Uruguay’s Data Protection Law most clearly reflects this synchronicity when it affirms unequivocally in Article 1, entitled ‘Human Right,’ that ‘the right to the protection of personal data is inherent in the human person.’[454] Similarly, Mexico’s constitution was amended in 2009 to recognize ‘every person’s right to protection of their personal data.’[455] This reality cannot come as a complete surprise given the historical ties between the two regions, and the fact that most Latin American legal systems were founded on European models.[456]

Second, Europe’s regulatory innovations in the 1995 Directive and now the GDPR appeal to Latin American legislators precisely because they represent a rights-based approach to ensuring the effective protection of personal data in a globalized and highly interconnected world.[457] In other words, several features of the European model, if not the entire model itself, are widely considered the best formulation of data protection regulations currently available; these are truly ‘concepts that have proved successful in [the] global marketplace of ideas.’[458] Data breach notification; data portability; processor liability; robust preventive measures such as DPIAs and DPOs; these are the GDPR innovations that sell it – individually and collectively – as a legal paradigm. They further represent a roster of normative innovations that other countries can pick and choose from as they adopt and adapt the European standards to their domestic legal regimes.

And, of course, there are market forces at play, but these are less dispositive relatively speaking than in other regions of the world. Such forces are often assumed to be the reason most countries follow the GDPR, and they certainly do have a role to play, even in Latin America, where the primary trading partners of the countries we studied tended to be each other, the United States, and only occasionally, a European country.[459] It is certainly no coincidence that the largest economies in Latin America – Brazil, Argentina, and Mexico in particular – are active implementers of GDPR key elements. Argentina for the time being continues to enjoy its adequacy determination,[460] while Mexico and Brazil are thinking of pursuing their own.[461] But in terms of trade in goods and services, Europe figures barely at all among the top trade partners for each of these countries.[462] Although economic integration is referenced in general terms, the primary reason cited by most Latin American legislators and commentators for Europe’s influence has been that its standards are the most modern and protective of personal data.[463] This perspective tends to confirm that history, tradition and sector-leading innovations are what most draw Latin American legislators to the GDPR when it comes time to update or reform their data protection laws.


Corresponding author: Arturo J Carrillo, The George Washington University Law School, Washington, DC, USA

Annex

Table A:

Select ‘key’ elements introduced by GDPR.

| Category | Key element | GDPR | Highlighted focus of selected elements | Base indicator queries |
|---|---|---|---|---|
| General provisions | Scope of territorial application | 1. Art 3 (1) & (2); 2. Art 28 | Extraterritorial application to businesses and organizations operating in EU. Applies to processors of data as well as controllers. | 1. Does country’s data privacy (DP) law apply extraterritorially? 2. Does it apply to processors as well as controllers? |
| Rights of the data subject | Right to erasure (‘right to be forgotten’) | 1. Art 5(1)(d); 2. Art 17; 3. Art 19 | Right to accuracy and erasure as data principles. Controllers must erase inaccurate, unnecessary, & unconsented to data without undue delay when requested by data subject (‘right to be forgotten’). | 1. Is the ‘right to be forgotten’ per se protected in the DP law? 2. How is it defined? |
| Rights of the data subject | Right to data portability | 1. Art 20 | Right to receive data in ‘structured, commonly used and machine-readable format,’ and to transmit it to another data controller ‘without hindrance’. | 1. Is the right to data portability protected in the DP law? 2. How is it defined? |
| Rights of the data subject | Heightened standard for processing with consent | 1. Arts 7(3) | Data subjects must be able to withdraw consent as easily as they give it. | 1. Is a rule that withdrawal of consent must be as easy as giving it, recognized in the DP law? |
| Controller and processor | Notification of a personal data breach | 1. Art 33; 2. Art 34 | Data controllers must notify data breaches to the supervisory authorities and, in certain cases, the affected individuals, ‘without undue delay,’ and where feasible, not later than 72 h after becoming aware of the breach. | 1. Does DP law require controllers to report data breaches? 2. If so, when and to whom? |
| Controller and processor | Data Protection Impact Assessment (DPIA) | 1. Art 35 | Controllers must carry out DPIAs anytime their data processing is likely to result in ‘high risk to rights and freedoms of persons.’ DPOs must at least ‘monitor’ the performance of any DPIA. | 1. Does the law require DPIAs to be conducted for high-risk data processing? 2. If so, how? |
| Controller and processor | Designation of the Data Protection Officer (DPO) | 1. Art 37 | Controllers and processors must designate DPOs when processing personal data ‘on a large scale,’ especially if they are public authorities and/or processing sensitive data. | 1. Does the DP law require controllers & processors to appoint a DPO? 2. If so, under what circumstances? |
| Governance and accountability | Remedies & liability | 1. Art 82 | Individuals are guaranteed a range of administrative and legal remedies for ‘material or non-material damage’ suffered at the hands of data processors. | 1. Are processors liable for breaches of the DP law? |
| Governance and accountability | Penalties | 1. Art 58; 2. Art 83 | Heavy fines are imposed for serious breaches of either data subject rights, among others, or of the duties of controllers and processors. | 1. Does the DP law impose enhanced penalties for serious breaches? |

Table B:

Review of data privacy regulation in Latin America in 2021.

| Country | DP law identification & date of approval | Title of the DP law | DPA | Draft law or decree proposed after May 2016 (Y/N) | Approved changes to DP legal regime after May 2016 (Y/N) | Comments on GDPR influence |
|---|---|---|---|---|---|---|
| Argentina [a] | Act No 25.326; 10.4.2000 | Personal Data Protection Act | Y | Y; March (2020), November (2020), December (2020) | N | In 2018, Argentina proposed a comprehensive draft law to update the omnibus law approved in 2000, with a view to maintaining the ‘adequacy’ of protections recognized by the European Union. The 2018 draft bill made express reference to the GDPR as the ‘international standard’ to emulate, and includes almost all the key elements from Table A. Despite this bill losing parliamentary status in 2020, a new proposed law was introduced in March of 2020. Two additional bills were presented in November and December of 2020 and remain in parliamentary debate. These three pending bills have the same general purpose of maintaining the ‘adequacy’ with the EU and seek to follow the GDPR standards. |
| Belize | N/A | N/A | N | N | N | Belize lacks a formal data privacy law. Privacy is recognized as a right in the Constitution, and some privacy protections are included in laws which regulate public and private entities that handle personal data. |
| Bolivia | N/A | N/A | N | Y; November 2019 [b], May 2019 [b] | N | Bolivia is among the countries that currently lack a comprehensive data protection framework. In 2018, legislators presented a bill seeking to enact the ‘Personal Data Protection Law.’ It included some GDPR key elements, such as the right to data portability and data breach notification requirements. The law would have created a DPA with the power to impose sanctions. In 2019, a similar draft bill was presented by Foundation Internet Bolivia.org. Neither was enacted but modified versions of the proposed laws may be considered if re-submitted and endorsed by the new legislature. |
| Brazil | Act No 13.709; 14.8.2018 | General Data Privacy Law | Y | Y | Y | In 2018 Brazil adopted a comprehensive data protection law, the Lei Geral de Proteção de Dados Pessoais (LGPD), for the first time; it was subsequently amended in 2019 to establish the DPA as part of the Executive Branch. The law resembles the GDPR in many important respects, inter alia, by having extraterritorial application, promoting stronger data subject rights, and adding a duty for notification of data breaches. However, it differs from European standards on other fronts. The LGPD went into effect in September 2020 due to the pandemic, while enforcement was slated to begin in August 2021. |
| Chile | Act No 19.628; 8.28.1999 | Privacy Law | N | Y | N | In 2017 Chile’s Congress began consideration of a bill to update the 1999 personal data law and, inter alia, create a data protection authority. The proposed law contains some provisions that advance GDPR protections, such as the rights to erasure and data portability, as well as the duty to notify breaches. It ignores several others. The bill remains in parliamentary debate; in January 2021, President Sebastián Piñera submitted an urgent request to expedite the process. Notably, in 2018 Chile adopted Act No 21.096 to amend the Constitution to add data protection as a fundamental right with constitutional status. |
| Colombia | Act No (1581); 10.17.2012 | Data Protection Law | Y | Y | N | Since 2016 the Colombian Congress has discussed various legislative proposals to modify the omnibus Data Protection Law of 2012, though none has yet succeeded. In their introductions, the bills referenced the GDPR as a source of guidance, which is not surprising given that Colombian data protection law is largely based on Europe’s. The proposed reforms would have expanded the territorial scope and increased data processors’ responsibility by introducing duties to realize privacy by design, to prepare impact assessment reports, and establish DPOs. The Colombian DPA is actively enforcing its law against companies that do not comply, like WhatsApp. |
| Costa Rica | Act No (8968); 06.27.2011 | Protection of Persons Subject to Personal Data Processing | Y | Y | Y | In July 2016, the Costa Rican DPA promulgated Executive Decree No 40008 to update the country’s Data Protection Law by introducing several of the GDPR’s key elements into the legal regime, such as the right to be forgotten and an extended liability regime for both controllers and processors. In January 2021, draft law N22.388 was introduced to provide a complete reform of the 2011 law, and is currently being debated by the Legislative Assembly. The bill expressly cites the GDPR as its guide to filling the gaps left by the 2011 Law. Among other things, the proposed law would modernize the country’s regime of data subject rights and establish the Costa Rican DPA as an independent institution. |
| Ecuador | Official Register N.459; 05.10.2021 | Organic Law of Personal Data Protection | Y | N/A | N/A | In Ecuador, data protection is a fundamental constitutional right. In May 2021 Ecuador’s National Assembly enacted its first DP law which specifically recognizes the GDPR’s impact. It contains several of the Regulation’s key elements. For example, it enshrines the right to data portability, mandates DPIAs and the designation of DPOs, as well as the duty to report data breaches. It also regulates processors’ liability for data breaches with enhanced penalties for serious offenses. The original draft included the right to be forgotten but it was eliminated in the approved bill. |
| El Salvador | N/A | N/A | N | Y [c] | N | Although El Salvador’s Legislative Assembly approved a Data Protection Law in April of 2021, it was immediately vetoed by President Nayib Bukele. A ‘National Digital authority’ was also enacted by legislative decree to oversee implementation of the new law, and vetoed as well. Thus, El Salvador remains without a comprehensive data protection law. |
| Guatemala | N/A | N/A | N | N | N | Guatemala recognizes a right to privacy for personal communications in its Constitution, which has been developed through rulings of the Constitutional Court. To date, however, there is no data privacy legal regime in place. Although several legislative projects for data protection have been presented to the Parliament, none of them have been approved. |
| Guyana | N/A | N/A | N | N/A | N | Guyana has no privacy or data protection law, although it has legislation specific to the financial sector. However, Prime Minister Mark Philips announced an impending data protection law and a request for draft proposals was published in November 2020. |
| Honduras | N/A | N/A | N | N | N | Honduras protects the right to intimacy and confidentiality of communications in its Constitution. Despite the absence of a specific law on data protection, the country does have a National Commissioner for Human Rights with authority to protect personal data. Furthermore, Honduras in 2015 added the writ of habeas data to its constitutional protections. That same year, a bill on personal data protection was introduced in the Honduran Senate that focused on the protection of ARCO Rights and a sanctions regime. Since 2018, Honduras has been debating legal reforms to enact a data privacy law in line with European standards. |
| Mexico | LFPDPPP, 07.5.2010; LGPDPPSO, 01.26.2017 | Federal Law for Protection of Personal Data in Possession of Individuals | Y | Y | Y | In 2017, Mexico enacted the General Law on the Protection of Personal Data in the Possession of Obligated Subjects, which imposed data privacy duties on public authorities and entities that were not covered by the private actor-focused Federal Data Protection Law of 2010. The new law incorporates a number of GDPR key elements, including data portability, DPOs and DPIAs. In 2021, the Senate approved a controversial legal reform to create a central government database for mobile telephone users (PANAUT) of sensitive personal data. The Mexican Supreme Court is hearing numerous challenges to this initiative, not least for violating the Data Protection Law. The Court has suspended the collection of data under the new law due to the legal challenges filed against the initiative. |
| Nicaragua | Act No 787; 03.21.2012 | Protection of Personal Data Law | Y | N | N | Nicaragua protects the right to personal data and the habeas data action in its Constitution and Law on Protection of Personal Data (Act No 787) of 2012. No legislative proposals for updating the Law have been found. In January 2021, the telecommunication regulatory body (TELECOR) issued an administrative decree on cybercrime which may run counter to its Data Protection Law by granting police or the Public Ministry, subject to judicial approval, the authority to prompt disclosures of personal data within information systems. |
| Panama | Act No 81; 03.26.2019 | Protection of Personal Data Law | Y | Y | Y | Panama adopted its first data protection law in March 2019 soon after the GDPR came into force. The law came into effect in March 2021. However, it acknowledges few of the GDPR’s innovations (the right to data portability being one) while omitting most of them. Instead, the new Panamanian data protection regime follows a more sectorial approach like the one prevalent in the United States. |
| Paraguay | Act No (1682); 12.28.2000 | Law on Information of a Private Nature | N | Y | N | In May 2021, a comprehensive bill was proposed in the Paraguayan Congress to update the country’s Data Protection Law across the board and bring it more into line with international standards. It seeks to build on the progress made by a similar 2019 legal reform of personal data protections that was restricted to the specific context of financial and credit information. The recent proposed legislation is also modelled on the GDPR and seeks to create a single independent DPA, as well as create a right to data portability. |
| Peru | Act No 29.733; 07.3.2011 | Protection of Personal Data Law | Y | N | N | The Regulatory Decree that implements Peru’s 2011 Protection of Personal Data Law was modified in 2017 to strengthen the regime by giving more independence to the DPA and increasing the severity of sanctions. In December 2020, the DPA approved an additional resolution adopting a method of calculating sanctions for violations of the Data Protection Law. |
| Suriname | N/A | N/A | N | Y | N | The right of privacy has constitutional status in Suriname despite the lack of a comprehensive data protection law. In May 2018, legislators proposed the Privacy and Data Protection Law, which would fit the bill. The proposed legislation does not refer explicitly to the GDPR, but it does recognize the need to harmonize with international standards and includes several of the Regulation’s key elements, such as extraterritorial application, the right of erasure, data portability, and the duty to notify breaches, among others. It is uncertain whether the bill will be enacted. |
| Uruguay [a] | Act No 18.331, 09.11.2008; Act No 19.670, 10.15.2018 | Law on the Protection of Personal Data and the Right to Habeas Data | Y | Y | Y | In 2018, Uruguay approved changes to its 2008 Law to introduce GDPR key elements. Among these are the notification of data breaches, the duty to carry out impact assessments, and the designation of data protection officers under certain circumstances. The legislature opted not to include other key elements such as the right to be forgotten, the right to data portability or a tougher sanctions regime. In February 2020, however, the Executive enacted Decree 64/020 regulating certain aspects of the law relating to data protection officers and impact assessments; it further reinforced the liability of entities that treat personal data. |
| Venezuela | N/A | N/A | N | N | N | The Venezuelan Constitution contains various provisions protecting privacy, which can be enforced directly through the courts. However, Venezuela lacks a data protection law and a data protection authority, with early efforts to create a data protection law ceasing after 2005. |

[a] Recognized by the European Commission to have ‘adequate protection’ with regard to automated processing of personal data under EU Directive 95/46.
[b] On file with Authors.
[c] The approved law (later vetoed) was never published; the only draft available is the 2019 Draft Law.

Table C:

GDPR key elements as indicators of influence in Latin America 2021.

| Category | Indicator query | Brazil (Act No 13.709/19) | Chile (Proyecto de Ley PTDP) | Mexico (LGPDPPSO) | Uruguay (Act No 18.331) |
|---|---|---|---|---|---|
| General provisions | Does country’s data privacy (DP) law or proposed law apply extraterritorially? | Yes, Art 3. | No | N/A | Yes, Art 37 of Act No 19.670. |
| General provisions | Does or would it apply to processors as well as controllers? | Yes, arts 5 (VI & VII) & 37. | Yes, Section (2)(b). | Yes, Art 3 (XV & XXVIII); title IV. | Yes, arts 4 & 12. |
| Rights of the data subject | Is the right to be forgotten protected in the DP law or proposed law? | Unlikely, arts 16 & 18 (VI). | Unlikely, Section 4; President’s Introductory Message. | Unlikely, Art 46. | Unlikely, although DPA affirms it falls within right to deletion. |
| Rights of the data subject | Is the right to data portability protected in the DP law or proposed law? | Yes, Art 18 (V & IX Section 7). | Yes, Section 4. | Yes, Art 57. | No |
| Rights of the data subject | Is a rule that withdrawal of consent must be as easy as giving it, recognized in the DP law or proposed law? | No | Substantially yes, Section 5. | No | Unlikely, art 13 E. |
| Controller & processor | Does DP law or proposed law require controllers to report data breaches? | Partially, Art 48 (only in cases of risk or harm to users). | Yes, Section 5. | Yes, Art 40. | Yes, Art 38 of Act No 19.670. |
| Controller & processor | Does the current or proposed law require DPIAs to be conducted for high-risk data processing? | No, arts 4 (IV Section 3) & 32 (national authority may request DPIAs). | No | Yes, arts 74 to 79. | Yes, Art 12. |
| Controller & processor | Does the current or proposed law require that controllers and processors appoint a DPO? | Partially, Art 41 (controllers only). | No (Section 10 makes DPOs optional for controllers and processors). | Partially, arts 83–85 (public controllers only). | Yes, Art 40 of Act No 19.670. |
| Governance & accountability | Are processors liable under the relevant norms for breaches of the DP law? | Yes, arts 52. | Yes, Section 10. | Yes, Art 60. | Yes, Art 12. |
| Governance & accountability | Does the DP law or proposed law impose enhanced penalties for serious breaches? | Partially, Art 52 (one category of breach; fines based on domestic revenues). | Yes, Section 10 (three categories of breach, fines increased). | Yes, arts 163–165 (two tiers, fines introduced). | No enhanced penalties. |

Published Online: 2022-05-26

© 2021 Arturo J Carrillo and Matías Jackson, published by De Gruyter, Berlin/Boston

This work is licensed under the Creative Commons Attribution 4.0 International License.