The emerging process of protecting personal data in Latin America

Indela, since its first call in 2019, has accompanied various organizations that work on the personal data protection in Latin America. As part of an external evaluation carried out over these three years of work, a case study was developed on the personal data area in particular, to analyze in depth the strategies and the impact of the processes led by two of the allied organizations; IDEC and TEDIC.

Guarantee personal data protection is guarantee the exercise of other human rights, such as privacy and freedom of expression. Providing tools and mechanisms that guarantee the confidentiality, security and personal data control is a need that is growing by leaps and bounds, especially for groups in situations of vulnerability.

In certain Latin American countries these rights are regulated, in some even with more progressive regulations as in the case of Brazil. However, there are still several countries that do not have specific laws on personal data, such as Paraguay.

In this context, IDEC from Brazil and TEDIC from Paraguay have developed comprehensive strategies with three main lines of action:

  1. Coordinated mobilization to achieve high-impact results in the fight for personal data protection, as a long-term commitment.
  2. Articulation with different actors, that allows collaboration and collective construction of projects with a multisectoral perspective.
  3. Collaboration among the community of consumer protection, and the community of digital rights for the construction of a regional agenda.

Achievements and impact

The projects led by these two organizations have generated impact at the national and regional levels. On the one hand, the multisector articulation for the co-construction of a draft personal data law with a human rights perspective in Paraguay, TEDIC, together with Personal Data Coalition, coordinated a dialogue process with strategic actors for the advancement in the personal data protection that complies with international standards.

In addition, with the support of the Faculty of Law of the National University of Asunción, it leads a process of strengthening the capacities of the new generation of professionals in digital rights issues, through the Legal Clinic on Digital Rights. This type of achievement allows the strengthening of the local ecosystem, through the actions of experiences exchange and learning.

On the other hand, IDEC has managed to weave ties and network work between the digital rights community and the consumer rights community in the region, for regional collective political action. These impacts allow strengthening the incidence capacities of civil society against public and private regulations related to personal data protection.

Personal data protection is a developing process that still needs support. Existing regulations require continuous updating in the face of emerging challenges generated by the digital context. It is essential to articulate collective actions in the face of new opportunities between different sectors and communities, which allow the construction of long-term agendas for the defense and protection of personal data.

Between technology and the pandemic

Paulina Gutiérrez

It is unquestionable that governments need information to respond to the pandemic, particularly to design evidence-based measures to control the contagion and save lives. Likewise, it is undeniable that the use of technology to collect that information has major implications on individuals’ human rights. Any argument otherwise would overlook the requirement for governments to demonstrate that limitations imposed on our rights are legal, necessary and proportionate, especially restrictions on free movement, privacy, protection of personal data and freedom of expression.

But what does that requirement mean and what does it involve? And, more importantly, how do we make sure that during and after the pandemic the restrictions on our rights are limited only to the purpose for which they were adopted? How do we protect ourselves against any abuse and violation of our human rights?

The deployment of technology-based initiatives to address public problems is not new and has been subject of controversy in the past. In the context of the pandemic, the difference lies in the invisibility and lack of knowledge about a virus whose social, economic and health impact demands immediate and focused attention. Although there is a general understanding that technological means must go hand-in-hand with a variety of non-technological measures, the need to make the virus visible and preventable has made technology seem as the only means to control it.

Some of the technological responses range from “chatbots,” informative mobile apps that provide diagnoses based on user-identified symptoms, body temperature readers and symptom monitoring, to mechanisms that control and track movement, contact and isolation through mobile phone services, georeferencing and the use of drones.

Each of the technological measures and tools designed to control and prevent the spread of the virus benefit from different levels of invasion of privacy. They record access, activities, interactions, symptoms and illnesses, whose technological and digital processing requires access of personal information by third parties – personal information generated through the collection, storage, transmission, use, study and management of data. Hence, presumably, it is not difficult to imagine a situation in which the solution to the pandemic’s impact would be the product of information we provide, waiving our privacy and data protection. However, the formula is much more complex, especially if we start by acknowledging that the restrictions are not confined only to the State accessing our information; we must also consider the active participation of the private sector. We are then facing privacy invasions in the name of public health. Although a health emergency can be invoked to impose restrictions on human rights, it will never be a legitimate justification when applied in isolation. In other words, combating the health crisis by accessing and using our individual, personal and collective information imposes an inadmissible surveillance system, unless the measures adopted comply with States’ mandatory observance of a set of conventional and legal protections, specifically those that safeguard the immunity afforded to privacy against arbitrary or abusive invasion by public authorities or non-public entities.

This means that States must strictly comply with the legitimacy test when adopting surveillance practices, especially those with the purpose of tracking and containing the spread of a virus. Any government that decides to opt for technological responses based on information generated by the activities of individuals must ensure that (a) the legally stipulated restriction is clear and precise and that there is a legal framework for protection of the affected rights, as well as effective legal remedies against abuse and violations of rights restricted by public and private parties – legality; (b) the restrictive measure is suitable and effective to achieve the intended purposes, demonstrating that it is the only available method – necessity; and (c) there are no other available measures and methods that would be less detrimental to the right to privacy and other rights, and that there are strict limits on the duration of the invasive measure – proportionality.

In Latin America, the legitimacy test for limitations over the right to privacy has never been more relevant, primarily due to the existing technological capacity prior to the pandemic and its abuse through targeted and mass surveillance practices, extensively documented in the last six years.
Argentina, Bolivia, ChileColombiaEcuadorGuatemalaMexicoParaguay, and Peru are some of the countries in which governments have decided to adopt surveillance technology measures and collection methods to respond to the health crisis. There is still no evidence supporting the effectiveness of these measures, hence, public scrutiny alongside legal and judicial controls are critical to contain arbitrariness and abuses from governments and non-public entities.

Existing data protection frameworks in the region seem to be insufficient for the challenges posed by the pandemic. However, if we regard them as improvable, they will be invaluable for imposing controls over both governments and private entities. Aware of the fact that their development and implementation in Latin America is asymmetrical and inconsistent – and in some cases non-existent, special regulations may provide legal avenues to demand justification of the limits imposed on individuals’ power to know what information third parties have about them, to limit the duration and purpose of processing their information, and to decide whether to provide their most sensitive data – that is information that may reveal information about their health, race, sexual preference, among others.

Although these legal frameworks include exceptions on the basis of public health, the principles of temporality, necessity and legality remain applicable. Above all, they are essential for knowing the destination, purpose and use of the information collected and processed, as well as preventing practices from becoming permanent once the pandemic is under major control.

Therefore, we must be clearly informed on whether the use of technological tools and measures contributes to effectively contain the virus, whether these tools request or access more information than they claim to need to control the spread of the virus, and what legal framework or remedy we can resort to if our data is shared with government bodies or non-public entities not involved in containing the pandemic, just to name a few practical scenarios.

In Latin America and in other regions of the world, the legitimacy test and data protection legal frameworks have already prevented the invasive, unnecessary and disproportionate use of technology to control the health crisis:

  • In Brazil, Provisional Measure (Medida Provisória – MP) 954/2020 was suspended by the Federal Supreme Court on May 7, 2020, to prevent irreparable harm to the privacy of individuals. Measure 954/2020 was issued by the Executive Branch to order telecommunications companies to provide information from mobile users to the Brazilian Institute of Geography and Statistics (Instituto Brasileño de Geografía y Estadística – IBGE), which would prepare statistics on the pandemic. Under necessity, suitability and proportionality analysis, a judge from the Supreme Court ruled that, without underestimating the severity of the health crisis and the need to develop public policies based on certain data, the constitutional rights of individuals must not be violated and, therefore, it was necessary to suspend the measure as it did not provide nor existed suitable mechanisms to protect individuals’ data against unauthorized access or undue use of their information.
  • In Chile, a short-term or special temporary law was proposed to safeguard the data of individuals whose state of health is exposed and subject to processing by a variety of parties during the pandemic. The Transparency Council proposed this initiative in April, recognizing that health related data are not only constitutionally protected but also have a special protection due to the information they reveal. Something similar happened in the United Kingdom, where the Parliamentary Joint Committee on Human Rights proposed special legislation focused on precisely regulating the purpose and limits for obtaining and processing information collected through a contact monitoring app, requiring the government to delete the information collected after the end of the health crisis, and imposing measures against abuses by the government and third parties.
  • In India, the Kerala High Court admitted three petitions against mandatory use of a contact monitoring app and the imposition of criminal sanctions for not using it. In addition, on April 24, 2020, the Kerala High Court issued an order instructing the to safeguard the confidentiality of data of patients at risk of coronavirus, collected by a digital system operated by the government of Kerala and Sprinklr Inc. It also prohibited this company from committing any act that compromises the confidentiality of the data.
  • In Slovakia, the Constitutional Court suspended the special legislation that allowed authorities to access user data collected by telecommunications companies to monitor individuals infected with coronavirus. On May 13, 2020, the Court determined that the legislation was ambiguous and the purposes of the processing were not sufficiently clear; the legislation would allow processing of personal data without clear intentions and lacked the necessary safeguards against abuse of the information collected and processed.

The challenge is not simple but the obligations of governments are very clear: our rights to privacy and protection of personal data remain applicable during the health crisis. The burden to demonstrate that our rights may be subject to limitation must not be driven by technology-centered approaches, whose benefits enable the exercise of our human rights. Rather, States must observe their human rights obligations in terms of transparency and accountability, as well as its duty to prove the legitimacy of the measures; allowing their abuse make them arbitrary.

Privacy Settings
We use cookies to enhance your experience while using our website. If you are using our Services via a browser you can restrict, block or remove cookies through your web browser settings. We also use content and scripts from third parties that may use tracking technologies. You can selectively provide your consent below to allow such third party embeds. For complete information about the cookies we use, data we collect and how we process them, please check our Privacy Policy
Youtube
Consent to display content from Youtube
Vimeo
Consent to display content from Vimeo
Google Maps
Consent to display content from Google