[Read more session reports and live updates from the 12th Internet Governance Forum]
The session, moderated by Ms Carolina Aguerre, University of San Andres, and Mr Luiz Fernando Castro, CGI.br, featured discussions on the challenges for the regulation of personal data protection in Latin America and identifying solutions and innovations developed in the different countries in an exercise that can feed back into ongoing regulatory discussions in the region.
The session started with a keynote speech by Mr Danilo Doneda, State University of Rio de Janeiro (UERJ), that gave a brief overview of the potential legislation in Latin America, the situation, and the developments. He began by noting that personal data may be protected because it is fundamental to the development of personalities, to the granting of individual rights, and for so many other reasons in the Information Society. Doneda said that every country in Latin America has read data protection according to its own experiences. From his point of view, the future of data protection in Latin America will be strongly based on building a constitutional and legal tradition. Latin American countries have to keep in mind that they are now one of the major frontiers of data protection.
After the keynote speech, the first round of interventions moderated by Aguerre began with an orienting question about the situation of data protection in selected countries of the region.
Mr Marcel Leonardi, Senior Counsel, Public Policy at Google Brazil, said that the European tradition and the European legal system have an influence across Latin America in bills about data protection. He talked about the latest draft of the data protection bill in Brazil, expressing his worries about that the public sector wants to process data without constant agreement. According to Leonardi, it is important that all countries in the region adopt a flexible approach to data processing, because technology is always changing and it is not easy to predict what is coming behind. He said how there is some confusion regarding data protection and privacy of the individual . It is common to see people mixing these things up in the sense of how exactly individuals should be protected by what they publish online and exactly what people are saying about themselves.
Mr Martin Borgioli, Project Director at Hiperderecho, said that the Peruvian constitution recognised that every citizen has a right to privacy and data protection. Since 2011, the right to data protection has been recognised in data protection law, which grants individuals the rights of access, reconciliation, consolation, and the protection of personal data. In Peru, there is a data protection authority that is an administrative office, but not so independent within the Ministry of Justice. He said that earlier this year, the data protection law was updated to include among other things, the protection of data for persons. Borgioli mentioned a case in which a survey related to the LGBTI community was made by the government using a very insecure web platform that allowed any malicious user to download every entry of the service containing sensitive personal data such as sexual orientation.
In the second round of the session, Castro asked participants of the roundtable who did not present comments to present specific cases from their countries.
Ms Amalia Toledo, Fundación Karisma, noted that despite the existence of a data protection law in Colombia since 2015 and the recognition of the privacy right in the constitution, there was a very emblematic case in the country. A woman got a call from a laboratory offering her some stem cell preservation services after she received her pregnancy results. The Colombian data protection authority punished the provider for unauthorised collection and use of sensitive data related to the woman's pregnancy status in order to provide commercial services. Toledo said that the government is working on a new regulation to create an electronic health and clinic record information exchange system between healthcare providers that can be problematic because of the tendency of the Colombian government to rely on a non public intermediary to operate the databases and systems.
Ms Romina Garrido, Datos Protegidos, affirmed that Chile was the first country to have a data protection law in Latin America, dating from 1990. Despite this, the Chilean data protection law does not cover the Internet. It means that the law only regulates the database and the right to access consulate modification, and refers to the processing of data, but does not create a data protection authority. According to Garrido, the people who have to exercise their right have to go to tribunals or common courts, which is a very expensive process. She talked about some bills at the Chilean Congress on how data protection can recognise some new rights for people, like portability and the right to dispute an automatic decision.
The session ended with some considerations from the audience about the role of education and legislation in data protection.