Data protection laws and cybersecurity: Challenges for Latin America

News item | 07-06-2017

Data protection laws and policies are closely related with cybersecurity: either through principles of data security, regulatory powers for secure data handling, or the obligation to notify security incidents to authorities and/or the subjects of personal data. This relation is useful both for enhancing privacy protections and improving the understanding of the cybersecurity threats we are facing. With Europe and the United States working on this issue throughout the last decade, Latin American countries should follow this discourse and address the issue with a view to protect their citizens’ rights and improve their cybersecurity capabilities.

Written by: Francisco Vera, Protected Data Foundation, Chile

Nowadays, most of our personal data is stored in a digital platform: our government records, health data, consumer profiles, financial information and our private communications in emails or instant messages can be accessed, altered or copied millions of times, in a matter of milliseconds. The last two years, data breaches like those of Yahoo (>1 billion records), Target (70 million records), ebay (145 million records), Ashley Madison (37 million records) are also possibly happening in Latin America, but this information hardly is not anywhere to be found. This reality poses a big challenge both for privacy and cybersecurity.

There are several areas where data protection laws and policies are related with cybersecurity. Data protection laws can set general principles of data security and regulatory powers for secure data handling, which requires the adoption of technical measures to ensure that data retains its confidentiality, integrity and availability. On the other side, data protection laws may also contain some provisions obligating data handlers to notify security incidents to authorities and/or the subjects of that data.

While security measures are necessary to safeguard the privacy of the people who are in fact the data subjects, the obligation to notify security incidents is also essential to improve the cybersecurity of a State. This dimension of security is achieved by aggregating and understanding the type of threats that are evolving in cyberspace, as well as preventing further malicious actions (sometimes involving the use of stolen data, such as identity thefts), and preventing future incidents in the same company, industry or the whole country.

In sum, the first step to improve the cybersecurity of a given State is to understand its vulnerabilities, identify the risks it is facing and enhance its capability to analyze the threat landscape. Mandatory incident notification is crucial to gather that information and act on it.


The situation in Europe and the U.S.

Data protection regulations not only add necessary technical requirements to the data and systems that contain it, but also the requisite measures for managing data in a safe, reliable and confidential manner. While the European Union is moving towards preparing the implementation of its General Data Protection Regulation (GDPR), the United States have a patchwork of regulations that range from addressing economic sectors in the whole country, to passing data breach laws in most of the States.

The GDPR, adopted in April 2016 and scheduled to enter into force in all EU Member States in May 2018, is an improvement over the Data Protection Directive that dates from 1995 both in terms of substantive provisions and of harmonized implementation. As a Regulation it will be directly applicable to all EU Member States without the need of any implementing national legislation required by Directives. The Regulation establishes responsibilities and duties for those who handle personal data, prescribing the adoption of appropriate technical and organizational measures to securely process the information.

The regulation goes even beyond asking the adoption of “appropriate measures”, but provides suggestions of what those security measures could be – like data encryption, ensuring the confidentiality, integrity, availability and resilience of systems coupled with constant assessing of their own measures’ effectiveness. On top of that, the Regulation contains clear personal data breach notification rules to the data protection authorities and the data subjects, with sanctions that can go up to the 2% of the annual turnover of a company.

In the United States different federal laws – among others the Health Insurance Portability and Accountability Act of 1996 for health information, the Federal Privacy Act for personal data in the Government’s hands, the rules of the Federal Trade Commission with regards to consumers’ privacy and personal information – prescribe different security requisites for their respective sectors, or delegate the right to do so. In addition, at State level most States have implemented laws providing data breach notifications to consumers or authorities.

Challenges for Latin America

Latin American countries while following the European model of having comprehensive data protection regimes, based on principles and rules applicable to all personal data and some special rules for specific types of data, they tend to fall behind European and United States’ standards. The main reason for this shortcoming is that most data protection laws were designed following the norms set by the 1995 European Data Protection Directive which was not tailored to address these relatively new issues.

Some countries, like Brazil, don’t have a comprehensive data protection law, providing little certainty over the necessary measures that data handlers should adopt to protect personal data, and what are their reporting responsibilities for the notification of security incidents. Other countries, like Argentina or Chile, have outdated laws in this regard, addressing data security only in a generic manner and without specific rules prescribing the notification of security incidents. However, these three countries are in the process of updating their legislative frameworks to address these issues.

Some other countries in the region are more advanced in this area. Among the countries that do have laws addressing data security and notification are Colombia, Mexico, Peru and Uruguay, but in some cases the only required notification is to the users and not the authority, thereby creating information gaps that affect the gathering of information regarding security incidents which are crucial for cybersecurity purposes.

In addition, having a national cybersecurity strategy is an effective tool to highlight the relation between data protection and cybersecurity. The need to adopt or update data protection legislative frameworks addressing cybersecurity issues is outlined in the cybersecurity strategies of countries like Chile, Colombia, or Paraguay that were published in the last two years.

As the digital economy expands, it is becoming urgent for countries in Latin America to update their data protection legislation to address cybersecurity issues and adopt the necessary technical measures that can safeguard the privacy of data and incorporate effective incident reporting mechanisms. Compared legislation in both Europe and the United States may serve as examples of implementation. Otherwise, Latin American countries will not be capable to protect their citizens’ data or gather information that nowadays is essential to develop cybersecurity threat assessments.

This article first appeared in the third issue of the Global Cyber Expertise Magazine – May 2017