Data-Privacy

Data protection is going global, with stronger laws and enforcement strategies in Latin America, Africa and Asia-Pacific. And for compliance, one size doesn't fit all.

Last May, in-house eyes were on the European Union, as companies prepared for the General Data Protection Regulation. The EU's sweeping data privacy law enhanced residents' rights over their personal data, implementing new policies on the right to be forgotten, explicit, informed consent and processor accountability, with fines up to 20 million euros, or 4 percent of global turnover.

The rule's hefty price tag and strong enforcement has, in part, kept in-house focus on Europe. But ignoring data privacy changes outside of Europe, or assuming GDPR policies will comply anywhere, may lead to fines or diminished consumer trust in other regions, lawyers said. Camila Tobón, a Colorado-based data privacy lawyer at Shook, Hardy & Bacon, said many countries in the Latin America follow a consent-based model, which doesn't allow for the legitimate interest data collection case presented under GDPR. She said many Latin American countries with data privacy laws used Spain's consent-based version of the 1995 Data Protection Directive to shape their regulations.

"When Spain incorporated the directive into their law, one noticeable change [from other EU countries] was the lack of legitimate interest for a basis for processing personal data," Tobón said. "When most Latin American countries were starting to implement their laws in 1999, 2000, 2001, they used the Spanish law as a model, which didn't include legitimate interest. So what you ended up seeing in Latin America was a consent-based model."

Big changes in Brazil

That's no longer the case for all countries in the region. Brazil's General Data Protection Law, which passed in 2018, includes the case for legitimate interest collection. The regulation closely aligns the country's laws with Europe's. In-house counsel in Brazil said it's a massive change, especially for non-multinational companies.

Lyn Nicholson, General Counsel of Holding Redlich, in Sydney, Australia.

Álvaro Felipe Rizzi Rodrigues, a legal director at Itaú Unibanco in São Paulo, said the introduction of legitimate interest led his in-house team to review the whys and hows of all their data collection, a process that's still ongoing. He said it's taken a fast-moving, large, multi-department team to review and adapt his company's data collection practices to meet new compliance standards.

"You have to review all your processes and check if you indeed need all the data. And you not only need to have a purpose to hold and to use the data of the clients, but you have to tell the clients [the purpose of] the data use," Rodrigues said.

Valéria Camacho Martins Schmitke, the Latin American regional general counsel for Zurich Minas Brasil Seguro in São Paulo, said Brazilian in-house counsel are also concerned with ensuring third-party data processors and distributors are secure. Additionally, many companies use "non structured data," which she said can complicate deleting information and complying with the right to be forgotten.

There's also a chance that the law could change, depending on regulators, Rodrigues said. "We have this deadline of August next year, but we do not know all the rules that we will need to comply [with]," Rodrigues said. "This is also a concern. At a certain point, I hope this year, we will face additional rules related to the law. And we'll have to, if necessary, start again this review process to be in compliance with these specific rules."

Latin America gets new regulations, stricter enforcement

Brazil's not the only country seeing change. Schmitke's eyes are on Chile, which recently voted to create a national data protection authority. Panama's National Assembly approved a national data protection regulation last year that currently awaits the president's signature. An updated Argentine bill is also in the works, with a draft standing in front of Congress. Argentina's proposed changes would bring the country's data protection regulations closer to Europe's with a legitimate interest model and data protection officer requirement, said Diego Fernández, a privacy lawyer at Marval, O'Farrell & Mairal in Argentina. The draft also states minors need an adult guardian's sign-off to consent to data collection.

Fernández said the chances of Argentina passing the bill will be clearer after the country's election in October. But there is pressure for stricter regulation as Argentina strives to maintain its status as an "adequate" data transfer country from the EU.

"We still are adequate because that decision has not been reversed, but the truth is we have not been analyzed under the GDPR. So if that was to happen, we might lose the adequacy," Fernández said. "So that's why we are pushing the law as fast as we can."

The GDPR-adequate non-EU countries are, as of February: Andorra, Argentina, Canada (organizations subject to the Personal Information Protection and Electronic Documents Act, only), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, Uruguay and the U.S. (processors in the EU-U.S. Privacy Shield).

Other countries in Latin America haven't changed their laws but have kept enforcement strong. Rosa Maria Franco Velázquez, the managing director of the International Association of Privacy Professionals in Latin America, and head of  privacy and data protection practice of Axkati Legal in Mexico City, said Mexico's data privacy law isn't set to see change in the very near future.

But the country's data protection regulators have remained active, issuing fines and, she said, "working hard to enforce the law" and increase awareness around privacy concerns. Mexico's law requires controllers issue a privacy notice and obtain consent.

Colombia's Superintendency of Industry and Commerce cracked down on data privacy violations in February, when it ordered Facebook to strengthen its data security measures over the next four months, or risk government investigation in the country.

Danilo Romero Raad, a Bogotá-based Holland & Knight partner who focuses on data and privacy, said the action against Facebook signals a stronger emphasis on preventing data privacy issues in Colombia.

"That's good. It's not because they have a penalty against Facebook," Raad said. "It's an important message to the market that data protection is important and [regulators are] taking care of that."

Representatives from Argentina and Brazil attended a November hearing in London where nine countries' leaders pressed Facebook's vice president of public policy for Europe, the Middle East and Africa, Richard Allan, on the platforms' efforts to boost data privacy and curb election interference, with some representatives calling for stricter regulation.

While regulations vary by stage, severity and model in each Latin American country, lawyers said much of the region is headed to a new era of data privacy.

"This is definitely 'the' matter in Latin America in terms of regulation," Schmitke said in an email.

Africa moves toward stronger regulation

Laws aren't just changing in Latin America. Inside and outside counsel in Africa are also watching debates on data privacy. The Corporate Counsel Association of South Africa's chief executive officer Alison Lee said she expects to see the country implement the Protection of Personal Information Act this year.

Unlike GDPR, POPIA asserts companies also have "personal data" that requires protection. South Africa currently doesn't require explicit consent to collect data or legitimate interest, but it does require some form of consent.

"Every year we've been expecting it to come in and it hasn't. But I think because the regulations have now been finalized and they have established the regulators office, I do believe the act will come in the next six months," Lee said. "The advice is [in-house counsel] should start looking at data impact assessments because it does take some time. It's not something you can do overnight."

Livia Dyer, a partner and co-head of technology, media and telecommunication at Bowmans Law in Johannesburg, said that in South Africa GDPR compliance is a good place to start preparing for POPIA's implementation.

Diego Fernández, with Marval, O'Farrell & Mairal in Buenos Aires, Argentina.

Nigeria could also see data protection changes. Iheanyi Samuel Nwankwo, a research assistant at the Institute of Legal Informatics of the Leibniz University of Hannover at the Law School of the University of Hannover who has focused on Nigerian privacy law, said Nigeria has long attempted to pass a specific data protection bill. That effort has been complicated by Nigeria's presidential elections in February, as the bill needs sign-off from the country's president.

Regardless, Nigeria's constitution protects citizens' right to privacy, and companies violating that right or one of the country's data-related laws can face fines. Mali, Côte d'Ivoire and some other West African countries have already established data privacy and protection laws.

 

APAC is changing but keeps focus on consent

Since GDPR's implementation, Scott Thiel, a Hong Kong-based DLA Piper partner, said he's increasingly asked questions about data protection in Asia.

"Everyone is sort of finally taking a breath and going, 'OK, we got through GDPR, we're somewhere near compliance and that's great. I assume that works everywhere, does it?' And the short answer is no, it doesn't," Thiel said. "A lot of the approaches to data compliance that work in Europe don't work in the Asian markets."

He said many companies have tried applying their GDPR policies to China and other Asian countries and it "just doesn't" work.

Like Latin America, much of East Asia relies on a consent-based model rather than legitimate interest, Thiel said. That means companies relying solely on GDPR methods to comply in every country may forego asking the consent required, instead assuming they can cite legitimate interest.

"[GDPR] has done away with consent as the fundamental basis for compliance. And that's great…but the problem is in Asia we haven't moved away from consent," Thiel said. "Consent is still the most common basis for getting yourself compliant in local markets, and China is the one that is perhaps most relevant to a lot of U.S. corporate counsel. In Europe, it's about avoiding asking for consent and trying to establish a legitimate interest."

Cybersecurity laws are also changing in APAC. Singapore created a cybersecurity regulator, implementing its Cybersecurity Act 2018. In January 2018, the Standardization Administration of China published the full text of the Information Security Technology – Personal Information Security Specification, a set of best practices to ensure compliance with the country's cybersecurity law.

The specification calls on companies to get consent before collecting data, but Xiaoyan Zhang, counsel in Reed Smith's IP, Tech & Data Group's San Francisco office, noted in February 2018 it is not clear how explicit that consent must be.

Lyn Nicholson, a Sydney-based general counsel at Holding Redlich, said Australia's mandatory data breach reporting rules and controversial encryption law stirred data privacy discussions in the country last year. Still, she said, many international companies in-house counsel were focused on Europe and GDPR.

While that makes sense, she said, given the high fines and compliance complications of the EU's law, Nicholson has seen companies attempt to apply GDPR-like standards to their Australian privacy policies. Australian and EU privacy policies have similar requirements, she said, but not identical—and regulators can tell when in-house counsel haven't read the country's law closely. "You can't just say, 'I comply with GDPR, therefore I comply with Australian law,'" Nicholson said. "Because the Australian regulator will want to see that you've looked at all of our particular rules. And they are framed differently. … It's similar, but it's not identical."

Caroline covers the intersection of tech and law for Corporate Counsel. She's based in San Francisco. Find her on Twitter @CarolineSpiezio.