Cédric Laurant, Ana Brian Nougrères & Renato Opice Blum, "New Data Protection Laws and Case Law Trends in Central & South America". Presentation made at the
International Association of Privacy Professionals (IAPP)'s Privacy Academy 2011 in Dallas, TX (USA) on September 15, 2011.
Presentation also available at http://cedriclaurant.com/wp-content/uploads/2011/09/110916-new_latam_data_prot_laws_case_law_trendsfv.pdf.zip
2. WWW.OPICEBLUM.COM.BR
Renato Opice Blum
renato@opiceblum.com.br
@opiceblum
Attorney and economist, Digital Law coordinator of GVLaw and of the
MBA on Electronic Law at Escola Paulista de Direito; Invited-
Professor at USP and Mackenzie Presbyterian University; President of
the Council of Information Technology and Communication of the
Commerce Federation of São Paulo/SP and of the Technology Law
Committee of AMCHAM; Advisor of the Committee of High
Technology Crimes of Brazilian Bar Association; International
Lectures: Global Privacy Summit 2010, 73rd Conference of the
International Law Association; ISSA International Conference 2010;
HTCIA International Conference 2010; Inter American Bar
Association: Reunión del Consejo y Seminario 2010, Invited
Participant at The Sedona Conference 2010 and invited lecturer at
the 3rd Annual Sedona Conference 2011; Seton Hall Law – 2011 and
ABA annual meeting 2011; Coordinator and co-author of the book
“Manual of Electronic Law and Internet” and “Electronic Law:
internet and the courts”
2 New Data Protection Laws and Case Law Trends in Central & South America
3. Dra. Ana Brian Nougreres
Legal Consultant at the Uruguayan Parliament,
Senate and Chamber of Representatives and at
the Uruguayan College of Attorneys.
Teacher at School of Law, Legal Informatics Chair,
Universidad de la República Oriental del Uruguay.
Chief Consultant at Estudio Jurídico Briann and
Associates.
E-mail: abrian [at] netgate [dot] com [dot] uy
3 New Data Protection Laws and Case Law Trends in Central & South America
4. Cédric Laurant
rincipal, Cedric Laurant
P
Consulting (Brussels)
ttorney at law (Washington,
A
DC)
E-mail: c [at] cedriclaurant [dot] com
Website: http://cedriclaurant.com
Blogs: http://cedriclaurant.org
http://security-breaches.com
Linkedin: http://www.linkedin.com/in/cedriclaurant
4 New Data Protection Laws and Case Law Trends in Central & South America
5. Outline
Introduction
A. Brazil
B. Uruguay & Argentina
C. Colombia, Peru, Costa Rica
D. Key take aways
Q & A
5 New Data Protection Laws and Case Law Trends in Central & South America
6. Outline
Introduction (Cedric Laurant)
A. Brazil
B. Uruguay & Argentina
C. Colombia, Peru, Costa Rica
D. Key take aways
Q & A
6 New Data Protection Laws and Case Law Trends in Central & South America
7. 7 New Data Protection Laws and Case Law Trends in Central & South America
8. 8 New Data Protection Laws and Case Law Trends in Central & South America
9. Introduction
Most important privacy developments in Brazil, Argentina,
Uruguay, Colombia, Peru and Costa Rica.
Recent regulatory and case law trends that affect how you do
business in Central and South America.
How the most recent Latin American data protection laws are
likely to be implemented.
Q&A
9 New Data Protection Laws and Case Law Trends in Central & South America
10. Outline
Introduction
A. Brazil (Renato Opice Blum)
B. Uruguay & Argentina
C. Colombia, Peru, Costa Rica
D. Key take aways
Q & A
10 New Data Protection Laws and Case Law Trends in Central & South America
11. Brazil
11 New Data Protection Laws and Case Law Trends in Central & South America
12. The children of
darkness are
always faster
than the children
of light.
Lucas chapter 16 verse 8
12 New Data Protection Laws and Case Law Trends in Central & South America
13. BRAZIL – SOME CASES
MEDICAL CLINIC
database copy / unfair competition
M COMPANY
illegal video
BROKER COMPANY
database breach / unfair competition
T COMPANY
database breach
CHEMICAL INDUSTRY COMPANY
database breach
RACE DRIVER
image damage
BEVERAGE COMPANY
483 confidential files
13 New Data Protection Laws and Case Law Trends in Central & South America
14. PERSONAL DATA BILL OF LAW
Article 1. The aim of this project guarantees
and protection, in the area personal
information specially dignity and
fundamental rights of the person, specially
with regard to his/her freedom, equality and
personal privacy in terms of art 5 of Federal
Constitution.
Article 2. Everybody has the right to the
protection of his/her personal data.
14 New Data Protection Laws and Case Law Trends in Central & South America
15. PERSONAL DATA BILL OF LAW
Article 35. The international transfer of personal data is only allowed to countries
that provide a level of data protection comparable to the one of this law, unless
the following exceptions:
I - when the owner has expressed his own free consent, express and informed to
the transfer;
II - when it is necessary for the implementation of obligation under a contract of
which the holder is a party;
III - when it is necessary to guarantee a significant public interest specified by
law;
IV - when it is necessary for international cooperation among government
agencies for intelligence and research, according to international law instruments
to which Brazil is bounded;
V - when it is necessary to defend a right in court, if the data are transferred
solely for this purpose and for the necessary period of time;
VI - when it is necessary to protect the life or physical safety of the owner or
third party, if the holder cannot provide its consent because of physical
impossibility, incapacity to act or understand.
15 New Data Protection Laws and Case Law Trends in Central & South America
16. CONSTITUTION
Section 5.10 – Intimacy, privacy, honor and image of persons – INVIOLABLE.
Section 5.12 – Secrecy of correspondence and Telecom – INVIOLABLE.
CIVIL CODE
Section 20 – Disclosure of writings, the transmission of the word, or
publication, display or use of the image of a person.
Section 21 – Private life of a person – INVIOLABLE.
EXPECTATION OF PRIVACY
SÃO PAULO STATE COURT DECISION
Violation of image rights, privacy, intimacy and honor by being
photographed and filmed (in intimacy) on locations – Spanish beach –
Injunction to terminate the exhibition of movies and photos on web-
sites because of the presumption of lack of consent to the publication.
Filling with a daily penalty payment of $ 250,000.00, to inhibit
infringement of the command to abstain.
The paparazzi are known for aggressively working with the capture of
images, which characterizes the illegality of their activities
[voyeurism]. Denying injunctive relief would reward the work of these
professionals that do not require authorization for their photos and,
especially, to legalize the sensationalism and scandal propagated by
the media, without permission of those involved.
16 New Data Protection Laws and Case Law Trends in Central & South America
17. NEWS ON THE INTERNET CAUSES HARM TO CITIZEN’S
HONOR. HE WAS NOT GUILTY, BUT THERE WAS NO NEWS
ABOUT THAT, ONLY ABOUT THE ONGOING LAWSUIT.
JUDGE ORDERS
GOOGLE TO SET UP A
FILTER TO RANDOMIZE
RESULTS WITH THE
PLAINTIFF’S NAME,
ENABLING VARIETY OF
NEWS
PARANA STATE COURT 1819/2008
17 New Data Protection Laws and Case Law Trends in Central & South America
18. Brazilian authority postpones to 2012 legislation
that obliges tracking devices in new cars.
The Brazilian National Transit Counsel has postponed to 2012
the obligation to install anti-theft devices in all the cars.
According to the department, the change was made due to the
complexity of the telecommunications infrastructure that may
be needed to develop the Integrated System of Monitoring e
Automatic Registry of Vehicles (SINRAV, in Portuguese).
The installation of the tracking device is mandatory.
The obligation to install this device has been postponed since
2009. The main reason is that this law is seen as harmful to the
citizens’ liberty, since anyone can be monitored without
consentiment and have their private life invaded.
18 New Data Protection Laws and Case Law Trends in Central & South America
19. CONSUMER DEFENSE CODE
Section 43 – Database access.
Section 72 – Block access. Penalty – detention from six
months to one year or a fine.
PRIVACY
SANTA CATARINA STATE
COURT DECISION
Consumer Defense
Association causes
damages to consumers
disclosing its database to
third parties. Association
must include a warning
about the disclosure and
ask for permission.
19 New Data Protection Laws and Case Law Trends in Central & South America
20. WIRETAPPING – ACT 9296/1996
Section 1 – Interception of telephone communications – flow of
communication.
Section 10 – Intercept communication or break secret of Justice, without
judicial authorization – confinement from two to four years and fine.
PRIVACY
SÃO PAULO STATE COURT DECISION
Breach of confidentiality of correspondence, telegraphic,
data and telephone communications - Nonoccurrence -
Seizure of emails in possession and knowledge of the
recipient by a court order - strong suspicions that the
material might enlighten the criminal infraction –
interpretation of art. 5, XII of the Constitution.
T H E R E I S N O V I O L AT I O N O F T H E S E C R E C Y O F
CORRESPONDENCE.
20 New Data Protection Laws and Case Law Trends in Central & South America
21. APPEAL TO THE SUPERIOR COURT OF JUSTICE
BRAZIL Nº 1.193.764 - SP (2010/0084512-0)
APPELLANT : I P DA S B
APELLEE : GOOGLE BRASIL INTERNET LTDA
SUMMARY
CIVIL AND CONSUMER LAW. INTERNET. CUSTOMER RELATION. CDC
(BRAZILIAN CONSUMER DEFENSE CODE). FREE SERVICE.
INDIFFERENCE. CONTENT PROVIDER. PREVIOUS FISCALIZATION ON
THE CONTENT OF THE USER POSTED INFORMATIONS ON THE
WEBSITE. UNNECESSARY. MESSAGE WITH OFFENSIVE CONTENT.
MORAL DAMAGE. INHERENT RISK TO BUSSINESS. INEXISTENCE.
ACKNOWLEDGMENT OF THE FORBIDDEN CONTENT. IMMEDIATE
REMOVAL OF THE CONTENT. DUTY. PROVIDE MEANS FOR THE
IDENTIFICATION OF EACH USER. DUTY. REGISTER THE IP NUMBER.
SUFFICIENT.
21 New Data Protection Laws and Case Law Trends in Central & South America
22. SUPERIOR LABOR COURT –
CORPORATE EMAIL AND
RECORDINGS AS VALID PROOF FOR
DISMISSION
“(…) As a subscriber of the internet service
provider, the company is responsible for its intern
use, in accordance to laws. 8. Thus, if the
employee eventually use the corporate email for
personal reasons, he should be aware that the
access to the content of the messages by the
employer do not represent major violation of its
mails, nor violation of privacy or intimacy, because
we are talking about equipment and technology
provided by the employer for usage to work and
reach the goals of the company. 9. This way, we do
not understand that it sets up no defense to the
usage of evidence embodied in access to e-mail
box, provided by the employer to his employees.
Interlocutory appeal devoided.”
22 New Data Protection Laws and Case Law Trends in Central & South America
23. SUPERIOR LABOR COURT –
CORPORATE EMAIL AND
RECORDINGS AS VALID PROOF
FOR DISMISSION
INTERLOCUTORY APPEAL IN A REVIEW APPEAL. PAIN AND
SUFFERING. GOOD CAUSE.
The sentence from the lower level court registred that it
does not hurt constitutional standard of financial
disclosure and corporate email, especially when the
employer, in advance, warn its employees about the rules
for using the system and the possibility of tracking and
monitoring their email. Interlocutory appeal devoided.
23 New Data Protection Laws and Case Law Trends in Central & South America
24. SECURITY
Law enforcement agencies use social networks in
search of incriminating data users
24 New Data Protection Laws and Case Law Trends in Central & South America
25. GPS - Monitoring
25 New Data Protection Laws and Case Law Trends in Central & South America
26. 3rd FEDERAL COURT – LETTERS ROGATORY?
26 New Data Protection Laws and Case Law Trends in Central & South America
27. Greetings
Ambassador Roberto Campos: "Those who
remain in this house have before them wonderful
agenda. I wish them, as in the words of
theologist Reinhold Niehbuhr:
"May God give the serenity to accept the things
they cannot change, courage to change the
things they can change and the wisdom to know
the difference."
27 New Data Protection Laws and Case Law Trends in Central & South America
28. Recommendations and Practices for the Safe Use of
Internet to Entire Family
Link: http://www.opiceblum.com.br/download/OABMack_Safety.pdf
28 New Data Protection Laws and Case Law Trends in Central & South America
29. Outline
Introduction
A. Brazil
B. Uruguay & Argentina (Ana Brian
Nougreres)
C. Colombia, Peru, Costa Rica
D. Key take aways
Q & A
29 New Data Protection Laws and Case Law Trends in Central & South America
30. Argentina 2003
Decision 2003/490/CE
November 21, 2003
Declaration of Adequation to the levels of data
protection of Directive 95/46/EC of the European
Parliament and the Council.
30 New Data Protection Laws and Case Law Trends in Central & South America
31. Argentina 2011
Transfers to other countries only permitted if the country
of destination ensures an adequate level of protection.
Exceptions to this principle only in special cases: explicit
and unambiguous consent, execution of certain
contracts, safeguard of public interests or
individual vital interests, information of public
registers.
31 New Data Protection Laws and Case Law Trends in Central & South America
32. Articles 25 and 26,
Directive 95/46/CE
European Economic Space
DATA TRANSFERS AEPD March 31, 2011
32 New Data Protection Laws and Case Law Trends in Central & South America
33. INTERNATIONAL DATA TRANSFERS
WITH COUNTRIES WITH NO ADEQUATION
AEPD March 31, 2011
33 New Data Protection Laws and Case Law Trends in Central & South America
34. AEPD March 31, 2011
34 New Data Protection Laws and Case Law Trends in Central & South America
35. AEPD March 31, 2011
35 New Data Protection Laws and Case Law Trends in Central & South America
36. Uruguay - Dispositions
Law 18331 - August 18, 2008
Decree 664/2008
Decree 437/2009
Decree 414/2009
Law 18719 - December 27, 2010
Law 18778 – July 15, 2011
36 New Data Protection Laws and Case Law Trends in Central & South America
37. Uruguayan Data Protection System
Scope of application of the legislation
Data protection principles
Rights of the data holders
Liability
Enforcement mechanisms
Control
Sanctions
37 New Data Protection Laws and Case Law Trends in Central & South America
38. Scope
The regime is applied to all personal data recorded in
any kind of medium that makes them likely to be
processed, and any kind of subsequent use of these
data within public or private domains.
38 New Data Protection Laws and Case Law Trends in Central & South America
39. Principles
Purpose limitation principle
Data quality and proportionality principle
Principle of transparency
Security principle
39 New Data Protection Laws and Case Law Trends in Central & South America
40. Rights of the data holders
Access
Rectification
Opposition
40 New Data Protection Laws and Case Law Trends in Central & South America
41. International data transfers restricted:
Countries that provide adequate levels of protection.
Transfers authorized by the control authority
in cases that offer contractual clauses
regarding privacy, rights, freedoms of individuals
and the exercise of their rights.
Consent, contract, public interest, individual’s
vital interest, public registry.
41 New Data Protection Laws and Case Law Trends in Central & South America
42. Sensitive data
(9% of the data universe in Uruguay)
Definition as personal data revealing racial or ethnic origin,
political preferences, religious or moral beliefs, trade union
membership or information concerning health or sex life.
Explicit consent required for data processing.
Nobody can be compelled to provide sensitive data.
42 New Data Protection Laws and Case Law Trends in Central & South America
43. Direct marketing
The data used for this purpose are home addresses,
distribution of documents, advertising, sale or similar
activities.
In case this data is suitable for promotional profiling,
commercial or advertising purposes, it should appear in
documents accessible to the public or must have been
supplied or consented by the affected individual.
Right to access, remove and block data can be
applied at any times.
43 New Data Protection Laws and Case Law Trends in Central & South America
44. Automatic individual decision
Decisions based on the processing of data should not
affect people or their performance (employment,
credit, reliability, behavior, etc.).
The affected person has the right to obtain
information from the controller, both regarding
the assessment criteria and the program
used for the processing.
44 New Data Protection Laws and Case Law Trends in Central & South America
45. Supervisory Data Protection Authority
URCDP : autonomous entity with technical autonomy
Management: Executive Council of three members
(Executive Director of AGESIC and the other two appointed
by the Executive Power).
Assistance: Advisory Council of five members
(Members appointed by Legislative and Judicial
Power, Public Ministry, academy and private
sector).
45 New Data Protection Laws and Case Law Trends in Central & South America
46. Procedural and enforcement
mechanisms
URCDP provides assistance, advice, regulations, registries of
databases, monitors compliance with regulations, guarantees
security and confidentiality of data provided, issues opinions.
Investigation,
Inspection and
Sanctions are in charge of the URCDP
Habeas data action, legal quick action.
46 New Data Protection Laws and Case Law Trends in Central & South America
47. Sanctions
Warning (83 %)
Fines (17 %)
Suspension of database.
47 New Data Protection Laws and Case Law Trends in Central & South America
48. Opinion 6/2010 of the WP29 on the
level of personal data protection in
Uruguay, adopted October 12, 2010.
CONCLUDES that Uruguay ensures an adequate
Level of protection within the meaning of
Article 25 (6) of Directive 95/46/CE.
48 New Data Protection Laws and Case Law Trends in Central & South America
49. Why data protection systems work
as a win-win process
For the consumers, because they can control their
own data and the information disseminated about
them.
For the enterprises, because then can prevent risks of
vulnerability of the information they manage from
their clients.
For the countries, because then can attract
investors, improve their positions and compliment
international standards.
49 New Data Protection Laws and Case Law Trends in Central & South America
50. Outline
Introduction
A. Brazil
B. Uruguay & Argentina
C. Colombia, Peru, Costa Rica
(Cedric Laurant)
D. Key take aways
Q & A
50 New Data Protection Laws and Case Law Trends in Central & South America
51. Colombia, Peru & Costa Rica:
Outline
1. Colombia: case studies,
problem-solving in real world
situations
2. Peru: overview of the data
protection law
3. Costa Rica: overview of the data
protection law
See references at end of slide deck
51 New Data Protection Laws and Case Law Trends in Central & South America
52. Colombia
7 real cases:
How they might be solved with the upcoming
data protection law.
Why are those cases relevant to you and for
your job?
Cases range from private to public and
governmental aspects of data protection,
not only for private businesses but also
for public/government authorities.
52 New Data Protection Laws and Case Law Trends in Central & South America
53. Trust
53 New Data Protection Laws and Case Law Trends in Central & South America
54. Trust
Case study: why do books always come wrapped in
Colombian bookstores? Lack of trust towards customers?
High price? Attitude towards books as sacred objects? Piracy?
Problem: lack of trust by businesses towards consumers.
Significance: lack of trust by businesses breeds lack of trust
by consumers towards businesses.
Business context: B2C transactions between foreign
companies and Colombian consumers.
Relevance for US/EU companies: foreign companies must
be aware of, and understand, this essential feature of the
commercial context in which personal information is
being processed in Colombia.
54 New Data Protection Laws and Case Law Trends in Central & South America
55. Trust
Resolution:
Should bookstores unwrap all books to make better
sales? Will it demonstrate more trust by the shopkeeper
towards its customers? Will it have a positive or negative
impact on sales?
How is trust related to complying with new data
protection legal requirements? Does it mean that for a
company to be successful, it should be more transparent
about how it processes its customers’ personal data?
How would the upcoming Colombian data protection law
apply? What would have to change in current data
management practices? (Take local commercial traditions
and way of doing business into account.)
How could this have an impact on the level of
enforcement of the new law?
Take away
55 New Data Protection Laws and Case Law Trends in Central & South America
56. Trust
56 New Data Protection Laws and Case Law Trends in Central & South America
58. Credit reporting system
Case study: Colombian real estate franchise of a US
company (“Century 21 Luque Medina”).
Problem: illustrates the current serious problem with the
credit reporting system in Colombia: abusive use is
detrimental to consumers, tenants and sureties; does not
encourage accountability and business ethics by real estate
companies.
Significance: lack of trust by Colombian tenants, landlords
and sureties towards Colombian subsidiaries or franchises of
foreign businesses.
Business context: B2C/B2B transactions between, on the
one hand, foreign companies or Colombian subsidiaries or
franchises of foreign companies, and, on the other hand,
Colombian consumers.
Relevance for US/EU companies: negative impact on US/
EU companies’ reputation.
58 New Data Protection Laws and Case Law Trends in Central & South America
59. Law No. 1266 of 2008
The Colombian “FCRA”.
Applies in addition to the upcoming data protection law by
focussing only on the protection of credit reports and the
processing of financial personal information.
Lacks teeth to address international data transfer issues: scope
too limited to provide enough protections for information
processed by European companies’ subsidiary call centers
based in Colombia.
No “adequate protection”. European Commission’s opinion:
adequate to regulate the financial sector, but not medical,
religious, ethnic, and other type of personal data.
Enforcement has started by supervisory authorities.
59 New Data Protection Laws and Case Law Trends in Central & South America
60. Credit reporting system
Resolution:
How does the Law No. 1266 of 2008 apply to this case?
Was it violated? No but did in fact unfairly treat the data
subject.
What would have to change in current data management
practices?
How has that law applied so far? Enforcement case by the
Superintendencia de Industria y Comercio.
How will the upcoming data protection law have any
impact? Purpose specification principle.
Take away:
Doing business in a fair way will give the advantage to
foreign companies.
Go beyond strict compliance of the letter of the law in
implementing it.
60 New Data Protection Laws and Case Law Trends in Central & South America
61. Authentication for private
transactions
61 New Data Protection Laws and Case Law Trends in Central & South America
62. Authentication for private
transactions
Case study: fingerprints required as means of authentication
for all sorts of contracts between individuals and businesses
(rental agreements, online password releases for online
banking accounts, exchange of currencies, “pospago”
contracts with mobile phone providers, shipment of packages
abroad,…
Problem: need for a reliable way to authenticate individuals;
signature not sufficient for authentication purposes. Main
reason: high level of fraud.
Significance: processing of sensitive personal information
(biometrics) by businesses.
Business context: B2C/B2B transactions between foreign
companies and Colombian customers/clients or companies.
62 New Data Protection Laws and Case Law Trends in Central & South America
63. Authentication for private
transactions
Relevance for US/EU companies: authentication
procedures may prove very burdensome, bureaucratic and
onerous; on the other hand, motivated by good reasons: to
prevent fraud (cfr fraud statistics in Colombia) and money
laundering.
Questions/Resolution:
How will the upcoming Colombian data protection law
apply? (transparency, right of access, adequate security
measures, …)
How will the new law impact those authentication
practices? (proportionality and security measures)
How will current data management practices have to
change? (more transparency, subject access and
security)
Take away
63 New Data Protection Laws and Case Law Trends in Central & South America
64. Collection of biometrics for
security purposes
64 New Data Protection Laws and Case Law Trends in Central & South America
65. Collection of biometrics for
security purposes
Case study: digital biometric fingerprint scanner used as a
security measure at the entrance of office buildings; required
from everyone to get access to the premises.
Significance: higher risk of data breaches because of
databases storing very sensitive personal information
(biometrics) and higher risk for data subjects concerned.
Business context: B2C transactions between foreign
companies and data subjects (Colombians or foreigners,
individuals or clients).
Relevance for US/EU companies: higher risk for hacking
and data breaches exists as sensitive personal information is
being stored.
Problem: use of biometrics and other authentication and
identification measures by private actors in a wide range of
situations where collection, use and secondary use of
personal information is not necessarily legitimate,
transparent or proportionate (e.g., building access).
65 New Data Protection Laws and Case Law Trends in Central & South America
66. Collection of biometrics for
security purposes
Questions:
Why is a digital fingerprint required as opposed to a less
intrusive and less risky means of access security measure? Is
it proportionate?
What happens with this data? With whom is it shared?
Where is there any type of privacy policy explaining what
happens with the information collected?
What happens if I am being denied access to the building?
Where can I complain? (transparency issue)
Resolution:
How does the upcoming Colombian data protection law
apply?
Proportionality; prior and express consent;
transparency;…
What would have to change in current data management
practices to make this processing compliant with the law?
What are the exemptions for law enforcement authorities?
Take away
66 New Data Protection Laws and Case Law Trends in Central & South America
67. Phone no. and ID for every
purchase
67 New Data Protection Laws and Case Law Trends in Central & South America
68. Phone no. and ID for every
purchase
Case study: Phone no. and ID no. are requested for every
purchase made with an electronic means of payment. No
explanation of reason why or what the information is
ultimately used for; no privacy policy.
Significance: possibility to match all purchases made by
individuals with their ID no. Link it with governmental
databases? Relationships between those purchases and the
stores’ discount grocery shopping cards?
Business context: B2C transactions between, on the one
hand, foreign companies or their Colombian subsidiaries or
franchises of foreign companies and, on the other, Colombian
consumers.
Relevance for US/EU companies: Do US/EU businesses’
subsidiaries in Colombia using such information collect it
legitimately and for valid reasons?
68 New Data Protection Laws and Case Law Trends in Central & South America
69. Phone no. and ID for every
purchase
Problem: low level of trust in customer-business
relationships, very low level of consumer protection and
customer service; presumption of bad faith.
Questions/Resolution:
How will the upcoming Colombian data protection law
apply?
What would have to change in current data management
practices?
Take away: more transparency required from businesses
towards their customers with respect to the processing of
their personal information. Consumer protection mechanisms
must be established that much better ensure a higher level of
consumer protection and consumer privacy.
69 New Data Protection Laws and Case Law Trends in Central & South America
71. RFID transportation card
Case study: Medellin metro card is delivered upon
identification and tracks all itineraries of travelers. Lack of
information about availability of an anonymous card and its
benefits (only drawbacks are mentioned to encourage
adoption of individualized card).
Significance: use of customers’ personal location
information by public and private entitie; is covered by the
upcoming data protection law.
Business context: procurement contracts between
Colombian government authorities and foreign companies.
Relevance for US/EU companies: Potential sale of data
processing services to local governmental entities. Interest
for foreign companies to understand how the upcoming data
protection law applies to geo-location location personal
information.
71 New Data Protection Laws and Case Law Trends in Central & South America
72. RFID transportation card
Problem: Data protection issues: transparency, access
rights, potential secondary uses of travelers’ personal
information. Concerns: no privacy policy; no information
about the type of information being collected by the
system; about the uses of the itinerary information now and
later in time; about the current or considered secondary
uses; and about the possibility to ask for an anonymous
card. Use of data by private and public actors.
Questions: How will the upcoming Colombian data
protection law apply? What would have to change in current
data management practices?
Resolution: comply in advance and better than local
companies.
72 New Data Protection Laws and Case Law Trends in Central & South America
73. RFID transportation card
(comparison with Uruguayan case)
73 New Data Protection Laws and Case Law Trends in Central & South America
74. Privacy in e-government services
General obligation of all government
entities that use electronic resources to
manage the information of citizens in a
manner respectful to their privacy.
Decree No. 1151 of 2008 establishes
general principles to follow in how online
services are provided by the government.
Protection of privacy is further regulated
by the Ministry of Communications’ “e-
Government Policy Manual,” applicable
throughout all governmental entities.
74 New Data Protection Laws and Case Law Trends in Central & South America
75. Colombia: take aways
1. Get an edge over your competitors: be
transparent, explain, clarify how your company/
affiliate will use individuals/customers’ personal
information.
2. Don’t wait for the Colombian companies to
comply with the law: being seen as an early
adopter will be good for business and reputation.
3. Trust your consumers; trust will breed
reciprocal trust in your products, services,
reputation and brand.
75 New Data Protection Laws and Case Law Trends in Central & South America
76. Colombia: take aways
4. Follow all consumer protection regulations, and
go beyond strict compliance. Do better than
Colombian companies. Mandate your franchisees to
be consumer protection-friendly, like in the United
States, not like in Colombia.
5. Develop a reputation for being fully reliable for
your customers.
6. Get advice both from a local counsel (to conceive
the most adequate data protection solution to fit in
the cultural context) and from a global data
protection counsel. Both professionals will be
necessary to design how your company will comply
with the local data protection rules.
76 New Data Protection Laws and Case Law Trends in Central & South America
77. CENTRAL AMERICA
COSTA RICA
EL SALVADOR
GUATEMALA
HONDURAS
NICARAGUA
PANAMA
77 New Data Protection Laws and Case Law Trends in Central & South America
78. CENTRAL AMERICA
PROTECTION AT THE CONSTITUTIONAL LEVEL
- No Central American country has an express recognition for the right to
data protection.
- However, most countries provide constitutional protection for the “right
to privacy”, except Panama and Guatemala.
- Countries do not have “habeas data” at the constitutional level, but
some of them have a general constitutional remedy.
PROTECTION IN THE LAW
- No Central American country has a comprehensive personal data
protection law.
- Most countries have legal provisions that protect personal data
in their laws on access to information and public transparency
(Panama, 2002; Honduras, 2006; Nicaragua, 2007; and
Guatemala, 2008).
- There are telecommunication laws and credit reporting laws.
78 New Data Protection Laws and Case Law Trends in Central & South America
79. CENTRAL AMERICA
INTERNATIONAL INSTRUMENTS
- Political Dialogue and Cooperation Agreement between the
EU and Central America (2003): parties agreed to cooperate
on the protection in the processing of personal data.
BILLS ON PERSONAL DATA PROTECTION
- At least two Central American countries have
had legislative discussion on bills that would
regulate data protection: Costa Rica and
Nicaragua. Costa Rica has a new data protection
law since Sept. 7, 2011.
79 New Data Protection Laws and Case Law Trends in Central & South America
80. Costa Rica
Sept. 7, 2011: new Personal Data
Protection Law No. 8968 enters into
force.
Regulates the processing of personal data
carried out by public and private entities:
all databases distributing or selling
information. (Personal or corporate
databases not covered by the law.)
Law modeled after the EU Data
Protection Directive. Regulates almost all
processing of all types of personal data.
Requires express written consent for
many data processing activities.
80 New Data Protection Laws and Case Law Trends in Central & South America
81. Costa Rica
4 main categories of personal data:
1. sensitive data: include socioeconomic
level, and medical and genetic conditions.
2. restricted access data: data included in
a public database but with restricted access
because only concerns person or public
entity involved. Individual must give written
consent for his personal data to be
disclosed.
3. special restricted access data: data
contained in public databases created by
law.
4. credit records: data that allows financial
institutions to evaluate an individual’s
creditworthiness based on the general
principles laid out in the new data
protection law.
81 New Data Protection Laws and Case Law Trends in Central & South America
82. Costa Rica
New data protection authority
created within the Ministry of Justice
(“Prodhab”) to implement the
legislation, inspect registered
databases and issue sanctions for legal
violations.
Commercial databases must be
registered before Prodhab and will be
subject to an annual fee for their
administration.
Data controller must pay a fee
(“canon”) to Prodhab for sales made
using commercial databases. Fee based
on no. of data sold or contract value.
Regulation to be implemented.
82 New Data Protection Laws and Case Law Trends in Central & South America
83. Peru
July 2011: Peru has its first data
protection law (“Ley N° 29733 de
Protección de Datos Personales”).
Data protection authority will be
part of the Ministry of Justice
(independence?) and in charge of a
National Registry of Personal Data; may
levy fines for violations of the law.
Decree must now be drafted.
Problem with the regulation of credit-
reporting databases: eludes crucial
issue.
83 New Data Protection Laws and Case Law Trends in Central & South America
84. Peru
National Register of Personal Data
Protection can record:
1) publicly or privately administered
personal databases;
2) authorizations issued pursuant to the
law;
3) sanctions imposed by the National
Authority; and
4) codes of conduct of the entities
representing the privately administered
personal database controllers or
processors.
84 New Data Protection Laws and Case Law Trends in Central & South America
85. Peru
Political willingness:
Free trade agreements: Peru signed
them in Nov. 2008 with the US and
Canada. Bilateral negociations under
way with the EU, South Korea and
China.
Call centers.
Transborder data flows:
Destination country must have a
sufficient level of protection for the
personal data to be processed, or at
least comparable to that provided by
the law.
85 New Data Protection Laws and Case Law Trends in Central & South America
86. General references
1.- Agencia Española de Protección de Datos, cuatro gráficas aportadas a la fecha
31032011. Anales del Seminario “El impacto de las transferencias internacionales de datos
en América Latina. Las políticas preventivas y la autorregulación en la implantación de la
normativa de protección de datos”, Cartagena de Indias, Colombia. Junio de 2011 <http://
www.redipd.org/reuniones/seminario_2011_Cartagena/common/Ponencias/
JesusRubiNavarreteMartes.pdf>.
2.- José Luis Piñar Mañas. Protección de datos de carácter personal en Iberoamérica, Red
Iberoamericana de Protección de Datos, Agencia Española de Protección de Datos, Ed.
Tirant Lo Blanch Libros, Valencia, España. 2005.
3.- José Luis Piñar Mañas, La Red Iberoamericana de Protección de Datos, Declaraciones y
documentos. Ed. Tirant Lo Blanch. Valencia, 2006.
4.- Oscar Puccinelli, El habeas data en Indoiberoamerica. Ed. Temis, Bogota, Colombia.
1999.
5.- Ana Brian Nougreres. De la protección de datos personales y la cooperación
internacional. Anuario de Derecho Informático, Instituto de Derecho Informático, Facultad
de Derecho, Universidad de la República. FCU. 2005.
86 New Data Protection Laws and Case Law Trends in Central & South America
87. General references
6.- Cédric Laurant, “Emerging Data Protection Laws in Latin America and Doing Business in
the EU”, Cedric’s Privacy Blog, Sept. 15, 2011 <http://blog.cedriclaurant.org/2011/09/15/
emerging_data_protection_laws_in_latin_america_doing_business_in_eu/>.
7.- Alberto Cerda, Cédric Laurant & Renato Opice Blum, “Recent Privacy and Data
Protection Developments in Latin America and Their Impact on North American and
European Multinational Companies”, IAPP Global Privacy Summit (Washington, DC – April
21, 2010) <http://www.slideshare.net/cedriclaurant/quotrecent-privacy-and-data-
protection-developments-in-latin-america-and-their-impact-on-north-american-and-
european-multinational-companiesquot>.
8.- Marcos Normativos en materia de Protección de Datos Personales. Actas del Seminario.
Antigua, Guatemala, 2003.
87 New Data Protection Laws and Case Law Trends in Central & South America
88. References (Argentina)
1.- Declaration regarding Argentina’s Adequation to the levels of data protection
of the Directive 95/46/EC of the European Parliament and the Council,
November 21, 2003 <http://ec.europa.eu/justice/policies/privacy/docs/
adequacy/decision-c2003-1731/decision-argentine_en.pdf>.
2.- Carlos E. Delpiazzo, Protección de datos en Uruguay y el Mercosur,
Fundación de Cultura Universitaria. Montevideo, Uruguay, 2005.
3.- “Argentina” country report in Privacy & Human Rights 2006, Electronic
Privacy Information Center & Privacy International, December 18, 2007
<https://www.privacyinternational.org/article/phr2006-argentine-republic>.
88 New Data Protection Laws and Case Law Trends in Central & South America
89. References (Brazil)
1.- Brazilian Constitution, Title 2, Chapter 1, Article 5, X.
http://www.planalto.gov.br/ccivil_03/constituicao/constitui%C3%A7ao.htm
2.- Brazilian Constitution, Title 2, Chapter 1, Article 5, XI.
http://www.planalto.gov.br/ccivil_03/constituicao/constitui%C3%A7ao.htm
3.- Brazilian Constitution, Title 2, Chapter 1, Article 5, XII.
http://www.planalto.gov.br/ccivil_03/constituicao/constitui%C3%A7ao.htm
4.- Brazilian Constitution, Title 2, Chapter 1, Article 5, XIV.
http://www.planalto.gov.br/ccivil_03/constituicao/constitui%C3%A7ao.htm
5.- Brazilian Constitution, Title 2, Chapter 1, Article 5, LXXII.
http://www.planalto.gov.br/ccivil_03/constituicao/constitui%C3%A7ao.htm
6.- Federal Law No. 9.507/1997 (Habeas Data).
http://www.planalto.gov.br/ccivil_03/leis/l9507.htm
7.- Federal Law No. 9.507/1997, Article 4 § 1.
http://www.planalto.gov.br/ccivil_03/leis/l9507.htm
89 New Data Protection Laws and Case Law Trends in Central & South America
90. References (Brazil)
8.- Federal Law No. 9.507/1997, Article 4 § 2.
http://www.planalto.gov.br/ccivil_03/leis/l9507.htm
9.- Federal Law No. 10.406, January 12, 2002 (Civil Code).
http://www.planalto.gov.br/ccivil_03/leis/2002/L10406.htm
10.- Federal Law No. 7.232, October 29, 1984 (National Computer Policy).
http://www.planalto.gov.br/ccivil_03/leis/L7232.htm
11.- Federal Law No. 9.472, July 16, 1997, Book 1, Art. 3, IX. (Telecommunications Act).
http://www.consumidorbrasil.com.br/consumidorbrasil/textos/legislacao/l9472.htm
12.- Federal Law No. 9.454, April 7, 1997 (National Identity Registration).
http://www.planalto.gov.br/ccivil_03/Leis/L9454.htm
13.- Federal Law No. 8.078, Article 43, September 11, 1990 (Consumer´s Code).
http://www.planalto.gov.br/ccivil_03/leis/L8078.htm
14.- Document nº 05/2002, of the Economic Law Secretariat, Ministry of Justice
(Secretaria de Direito Econômico (SDE) do Ministério da Justiça).
90 New Data Protection Laws and Case Law Trends in Central & South America
91. References (Brazil)
15.- Personal Data Bill: regulates the protection of personal data, privacy and
other matters <http://www.cgu.gov.br/acessoainformacao/arquivos/
anteprojeto-lei-protecao-dados-pessoais.pdf>.
16.- Renato Leite Monteiro & Caio César Carvalho Lima, Comentários ao
Anteprojeto de Lei Brasileiro sobre Proteção de Dados Pessoais, Information
Security Breaches & The Law Blog, May 2011 <http://
securitybreaches.files.wordpress.com/2011/05/anteprojeto-de-lei-brasileiro-
sobre-protecao-de-dados-pessoais.pdf>.
17.- Renato Leite Monteiro & Cédric Laurant, “New Brazilian Data Protection Bill
Adopts Data Breach Notification Regime”, Information Security Breaches & The
Law Blog, May 9, 2011 <http://blog.security-breaches.com/2011/05/09/
new_brazilian_data_protection_bill_adopts_data_breach_notification_regime/>.
18. Renato Leite Monteiro , “Comentários ao Anteprojeto de Lei Brasileiro sobre
Proteção de Dados Pessoais”, Information Security Breaches & The Law Blog,
May 1, 2011 <http://blog.security-breaches.com/2011/05/01/comentarios-ao-
anteprojeto-de-lei-brasileiro-sobre-protecao-de-dados-pessoais/>.
91 New Data Protection Laws and Case Law Trends in Central & South America
92. References (Brazil)
19.- “Brazil” country report in Privacy & Human Rights 2006, Electronic Privacy
Information Center & Privacy International, December 18, 2007 <https://
www.privacyinternational.org/article/phr2006-federative-republic-brazil>.
20.- Danilo Doneda, Da privacidade a proteção de dados pessoais, Ed. Renovar.
Rio de Janeiro, Brasil, 2006.
21.- Stefano Rodota. A vida na sociedade da vigilancia, a privacidade hoje, Ed.
Renovar, trad. Maria Celina Bodin de Moraes, Rio de Janeiro, 2008.
22.- Temis Limberger. O direito a intimidade na era da informática. Ed. Livraria
do Avogado, Brasil, 2007.
92 New Data Protection Laws and Case Law Trends in Central & South America
93. References (Colombia)
1.- Informe de conciliación al Proyecto de Ley Número 046 de 2010 Cámara,
184 de 2010 Senado (upcoming Colombian data protection law) <http://
www.habeasdata.org.co/wp-content/uploads/2010/12/Informe-
Conciliación1.pdf>.
2.- Fernando Triana and Carolina Díaz (Triana, Uribe & Michelsen), “Data
Protection: Colombia”, April 1, 2010 <http://ipandit.practicallaw.com/
7-502-5167?source=relatedcontent>.
3.- Observatorio de la protección de datos personales en Colombia <http://
www.habeasdata.org.co/>.
4.- Nelson Remolina-Angarita, “¿Tiene Colombia un nivel adecuado de protección
de datos personales a la luz del estándar europeo?, 16 International Law,
Revista Colombiana de Derecho Internacional, 489-524 (2010) <http://
www.habeasdata.org.co/wp-content/uploads/2010/08/colombia-y-nivel-
adecuado-de-proteccion-de-datos-nelson-remolina-il-julio-de-2010.pdf>.
5.- Nelson Remolina-Angarita, “Propuestas para mejorar y aprobar el proyecto
de ley estatutaria sobre el derecho fundamental del habeas data y la protección
de los datos personales”, Documento GECTI No 11, Noviembre 24 de 2010
<http://www.habeasdata.org.co/wp-content/uploads/2010/12/documento-
gecti-11-de-2010.pdf>.
93 New Data Protection Laws and Case Law Trends in Central & South America
94. References (Colombia)
6.- Cédric Laurant, Summer course of continuing legal education: “Data
Protection & Privacy around the World”, School of Law, Universidad de los
Andes (Bogota, Colombia – June 17 - July 7, 2008).
7.- Spanish Data Protection Agency, “Report on International Data Transfers –
Ex Officio Sectorial Inspection of Spain-Colombia at Call Centres”, July 2007
<http://www.agpd.es/portalwebAGPD/jornadas/
transferencias_internacionales_datos/common/pdfs/
report_Inter_data_transfers_colombia_en.pdf>.
8.- “Colombia” country report in Privacy & Human Rights 2006, Electronic
Privacy Information Center & Privacy International, December 18, 2007
<https://www.privacyinternational.org/article/phr2006-colombia>.
94 New Data Protection Laws and Case Law Trends in Central & South America
95. References (Costa Rica)
1.- Personal Data Protection Law No. 8968 of Sept. 7, 2011 (Ley de
“Protección de la Persona frente al tratamiento de sus datos personales”)
<http://www.pgr.go.cr/scij/Busqueda/Normativa/Normas/nrm_repartidor.asp?
param1=NRTC&nValor1=1&nValor2=70975&nValor3=85989&strTipM=TC>.
2.- “Protection of the Person in the Processing of His Personal Data” (Data
protection bill, “Ley de protección de la persona frente al tratamiento de sus
datos personales”) <http://www.elderechoinformatico.com/index.php?
option=com_content&view=article&id=508:ley-proteccion-de-datos-
personales-costa-rica&catid=1:datos-personales&Itemid=54>.
3.- Roberto Lemaitre, “Proyecto de Ley - Expte. 16.679 “Protección de la
Persona frente al tratamiento de Datos Personales”, 11 de Junio de 2011
<http://www.elderechoinformatico.com/index.php?
option=com_content&view=article&id=583:proyecto-de-ley-
expediente-16679-proteccion-de-la-persona-frente-al-tratamiento-datos-
personales&catid=118:elderechoinformatico-costa-rica&Itemid=122>.
4.- Costa Rica country report in Privacy & Human Rights 2006, Electronic
Privacy Information Center & Privacy International, December 18, 2007
<https://www.privacyinternational.org/article/phr2006-costa-rica>.
95 New Data Protection Laws and Case Law Trends in Central & South America
96. References (Peru)
1.- Ley de Protección de Datos personales, 3 de julio de 2011 <http://
securitybreaches.files.wordpress.com/2011/07/110703-ley_peruana-pdp-
no29733.pdf>.
2.- Department of Commerce, English translation of Peru’s Law for Personal Data
Protection (Ley de Protección de Datos Personales) <http://
www.huntonprivacyblog.com/uploads/file/Peru%20Data%20Protection%20Law
%20July%2028_EN%20_2_.pdf>.
3.- Iriarte & Asociados, Handbook IA N° 6 - Protección de Datos Personales-
Entidades Privadas, v. 1.0, julio de 2011 <http://www.iriartelaw.com/apc-aa-
iriartelaw/img_upload/80fbc41a7158c9c9b59314f28f167fb1/
Handbook_IA_N__6_ley_de_Protecci_n_de_Datos_Personales.pdf>.
4.- Carlos Ferreyros Soto, “Los desafios digitales del Ministerio de Justicia: El
Sistema Peruano de Información Judicial, SPIJ y la Ley de Datos Personales”, 30
June 2011, <http://derecho-ntic.blogspot.com/2011/06/los-desafios-digitales-del-
ministerio.html>.
5.- José Miguel Silva, “Ley de protección de datos personales: Todo lo que usted
debe saber”, LaRepublica.pe, 23 June 2011 <http://www.larepublica.pe/
23-06-2011/ley-de-proteccion-de-datos-personales-todo-lo-que-usted-debe-
saber>.
96 New Data Protection Laws and Case Law Trends in Central & South America
97. References (Peru)
6.- Cédric Laurant, “Perspectivas europeas sobre la protección de los
consumidores y usuarios peruanos del Internet. Interpretando el nuevo Código
peruano de Protección y Defensa del Consumidor (Ley No. 29571)” (Conferencia
internacional: “Implicancias del Nuevo Codigo de Proteccion y Defense del
Consumidor: Nuevos Retos”), Asociación Nacional de Defensa del Consumidor,
Universidad Nacional Jorge Basadre Grohmann, Tacna, Peru – December 21,
2010) <http://www.slideshare.net/cedriclaurant/perspectivas-europeas-sobre-la-
proteccin-de-los-consumidores-y-usuarios-peruanos-del-internetinterpretando-el-
nuevo-cdigo-peruano-de-protecciny-defensa-del-consumidor-ley-no-29571>.
7.- “Peru” country report in Privacy & Human Rights 2006, Electronic Privacy
Information Center & Privacy International, December 18, 2007
<https://www.privacyinternational.org/article/phr2006-republic-peru>.
97 New Data Protection Laws and Case Law Trends in Central & South America
98. References (Uruguay)
1.- The Uruguayan laws can be consulted at <http://www.parlamento.gub.uy>.
2.- Text of the Uruguayan decrees can be consulted at <http://
www.presidencia.gub.uy>.
3.- Ana Brian Nougreres, “El sistema legal uruguayo en protección de datos
personales y acceso a la información pública,” Universidad de Los Andes, Bogotá,
Colombia, 2010.
4.- Opinion 6/2010 on the level of protection of personal data in the Eastern
Republic of Uruguay, adopted October 12, 2010, 0475/10/EN WP 117 <http://
ec.europa.eu/justice/policies/privacy/docs/wpdocs/2010/wp177_en.pdf>.
5.- Ana Brian Nougreres. Taller sobre Protección de Datos Personales, Colegio de
Abogados del Uruguay, Montevideo, 2010.
6.- Augusto Duran Martinez, Derecho a la Protección de Datos personales y al
acceso a la información pública, Ed. Amalio Fernández, Montevideo, Uruguay,, 2009.
98 New Data Protection Laws and Case Law Trends in Central & South America
99. References (Uruguay)
7.- Carlos E. Delpiazzo, Protección de datos en Uruguay y el Mercosur, Fundación de
Cultura Universitaria. Montevideo, Uruguay, 2005.
8.- Ana Brian Nougreres, “Integración Iberoamericana en materia de protección de
Datos Personales”, Anuario de Derecho Informático, Montevideo, Uruguay, 2007.
9.- Ana Brian Nougreres. Protección de datos personales en Uruguay. Imp. Teijeiro.
Montevideo, Uruguay, 2009.
10.- “Uruguay” country report in Privacy & Human Rights 2006, Electronic Privacy
Information Center & Privacy International, December 18, 2007 <https://
www.privacyinternational.org/article/phr2006-republic-uruguay>.
12.- Ana Brian Nougreres, “El sistema de transporte metropolitano y la protección
de datos personales de los uruguayos”, Anuario de Derecho Informatico, Instituto de
Derecho Informático, Facultad de Derecho, Universidad de la República, FCU, 2007.
99 New Data Protection Laws and Case Law Trends in Central & South America
100. Outline
Introduction
A. Brazil
B. Uruguay & Argentina
C. Colombia, Peru, Costa Rica
D. Key take aways (Cedric Laurant)
Q & A
100 New Data Protection Laws and Case Law Trends in Central & South America
101. Key take aways
• 1. Get an edge over your competitors:
be transparent, explain, clarify how
your company/affiliate will use
individuals/customers’ personal
information.
• 2. Being seen as an early adopter will
be good for business and reputation.
• 3. Trust your consumers (trust breeds
trust, in your products, services,
reputation, brand).
101 New Data Protection Laws and Case Law Trends in Central & South America
102. Key take aways
• 4. Follow all consumer protection
regulations and go beyond strict
compliance.
• 5. Build your company’s reputation as
being fully reliable for your customers.
• 6. Get advice not only from local
counsel, but also from global ones.
102 New Data Protection Laws and Case Law Trends in Central & South America
103. Outline
Introduction
A. Brazil
B. Uruguay & Argentina
C. Colombia, Peru, Costa Rica
D. Key take aways
Q & A
103 New Data Protection Laws and Case Law Trends in Central & South America
104. Panelists: contact info
Cedric Laurant, Esq., LL.M.
Principal, Cedric Laurant Consulting (Belgium)
http://cedriclaurant.com – Twitter: @cedric_laurant
c [at] cedriclaurant [dot] com
Dra. Ana Brian Nougreres
Law Professor, Universidad de la República
Oriental del Uruguay; Chief Consultant, Estudio
Jurídico Briann & Associates (Uruguay)
abrian [at] netgate [dot] com [dot] uy
Renato Opice Blum
CEO and Partner, Opice Blum Advogados
Associados (Brazil)
http://www.opiceblum.com.br – Twitter: @opiceblum
renato [at] opiceblum [dot] com [dot] br
104 New Data Protection Laws and Case Law Trends in Central & South America