Introduction: Survey of Privacy Laws in Central and South America

The right to privacy -- most broadly, the “freedom from intrusion” -- is becoming more difficult to honor and protect. This is especially so given the extraordinary expansion of digital technologies that can access, monitor and study everyday activities. The increasing use of electronic payment methods, cellular phones, facial recognition software and a myriad of devices and instruments gathering data and information has created an urgent need to develop adequate regulatory and governance tools for protecting personal information. This urgency is perhaps greatest when it comes to health information.

Personal health information can be stored in records that may belong to hospitals, clinics and other healthcare and research institutions; they are therefore subject to regulations that impede or attempt to frustrate the inappropriate use of that information. But many commercial entities are not governed by such regulation and security safeguards, and so, for instance, genetic information collected from thousands of individuals becomes a commodity that can be used for purposes different from those that motivated individuals to provide their genomic and other information in the first place.

Furthermore, the globalization of information systems has blurred national legislation boundaries, creating additional challenges regarding data sharing, ownership and accountability.

Latin American countries were for many years behind Europe and the United States in terms of legislation safeguarding personal data. However, the decreasing cost of technology and the explosion of digital health and commerce in Latin America have motivated legislators, governments and civil organizations to create new tools for the protection of personal data.

Most Latin American constitutions recognize personal data protection rights.[1] In the European Union, neighboring and historically connected countries share a single data-protection law, the GDPR; in Latin America, by contrast, health data and information remain governed by a patchwork of country-specific laws and regulations. This should be regarded as an obstacle to health data sharing for research, public health and epidemiologic science.[2] There remains a need to know more about these laws.

This report is a survey of personal data, health data and electronic health record laws in Central and South America. The countries included are all of the Spanish-speaking countries in the region, and Brazil. The country-specific tables list and annotate the personal data laws of each country. Separate rows identify the health data law, if it exists, and any electronic health record (EHR) law or the status of EHRs in the country. These tables are meant to capture information outlined in each law; they do not provide analyses of the laws. Generally, national health data laws are congruent with national data protection laws.

Europe’s GDPR came into effect in May 2018. It applies to all EU citizens whether they reside in the EU or not. The GDPR focuses on individuals and garnering active consent from patients before storing any personal information.[3] Data controllers or data protection officers must be appointed by all institutions that collect or use health data.

By way of comparison, the United States’ Health Insurance Portability and Accountability Act of 1996 (HIPAA)[4] governs protection of health data. HIPAA emphasizes the concept of “minimal use,” i.e., the idea that stewards of health data should not share or disclose any more than is necessary for a particular purpose. HIPAA requires that patients have easy access to their own information. A controller or privacy officer is responsible for keeping data secure, and healthcare organizations can use a “limited data set” for research, marketing and other purposes. HIPAA also provides exceptions for public health and law enforcement.

South American laws tend to parallel the GDPR more than HIPAA.

In the tables here, data protection laws are divided into six categories: data transfer, data sharing, data retention, governance, enforcement and breach notification. Because most South American countries do not have laws that explicitly address health or medical data, one must infer the applicability of general data protection laws. “Data transfer” refers to the transfer of personal (and sensitive) data internationally and within the country. Three common trends were noted: consent is necessary for data transfer; databanks are held to a standard in order to maintain the security of the information; and data can only be transferred for the original purpose of collection. “Data sharing” applies to those who may access data, including the titular (the data subject, i.e., the individual whose data is being or has been collected).

Generally, sensitive data can be shared for medical or public health purposes, which means that it can be used for statistics, historical purposes, etc. The third category, “data retention,” applies to individuals’ rights regarding their data. Individuals have the right to delete or modify their personal data if it is incorrect, but this is a general principle and does not apply to personal medical information. Every personal data law includes a version of these provisions. “Governance” generally applies to those responsible for the database. The laws identify who oversees the data, their responsibilities and the responsibilities of the entity that owns the database. “Governance” also pertains to information security and maintaining the rights of the titular. The “enforcement” category refers to the government agency in charge of enforcing the laws and imposing penalties or sanctions if these laws are not followed. Lastly, “breach notification” identifies the consequences – usually fines – if information is inadvertently or inappropriately disclosed.

Each country is represented by a separate table. As of June 2020, we could not identify personal data protection laws in Guatemala or Venezuela.

Discussions triggered by the GDPR are being reflected in some initiatives in the Latin American region. In February 2019, Argentina modified its legislation by adding genetic and biometric data to the legal considerations for protecting personal information, and established a requirement to appoint a “personal data protecting officer” in governmental agencies with access to personal health information. Also: Brazil is considering the creation of a national authority for personal health information; Chile has identified biometric data as sensitive information; and Colombia and Mexico are developing new legislation.[5]

[1] Silva, AJC. Protección de datos personales y prestación de servicios en línea en América Latina. In Bertoni EA, ed., Hacia una Internet Libre de Censura: Propuestas para América Latina. Buenos Aires: Universidad de Palermo, 2012. Available at http://infojustice.org/wp-content/uploads/2012/01/internet_libre_de_censura_libro.pdf, accessed June 1, 2020.

[2] Rodriguez Pereda, K. Análisis comparado de las leyes y prácticas de vigilancia en Latinoamérica. Electronic Frontier Foundation, 2016. https://necessaryandproportionate.org/files/2016/10/07/comparative_report_october2016_es_0.pdf, accessed June 1, 2020.

[3] European Commission. Data protection: Rules for the protection of personal data inside and outside the EU, 2019. https://ec.europa.eu/info/law/law-topic/data-protection, accessed June 1, 2020.

[4] US Department of Health & Human Services. The HIPAA Privacy Rule. https://www.hhs.gov/hipaa/for-professionals/privacy/index.html, accessed June 1, 2020.

[5] Bojalil, P. Abierto al Público. Despuntan las Reformas en Materia de Protección de Datos en América Latina. Inter-American Development Bank, 2019. https://blogs.iadb.org/conocimiento-abierto/es/proteccion-de-datos-gdpr-america-latina/, accessed June 1, 2020.