The following article was first published on the Latin American Corporate Counsel Association’s website on 6 July 2018. In it, lawyers from across Latin America outline steps organisations should follow when dealing with a breach of data privacy from an international employment law perspective as well as the key legislative developments impacting companies globally.
By: Alvaro Gonzalez-Schiaffino, Germán Capoulat, José Carlos Wahle, Fábio Barboza Pereira
Firms: Funes de Rioja & Asociados; Basham, Ringe y Correa; Veirano Advogados
It has been argued by security analysts that a breach of data privacy will undoubtedly transpire within every organisation at some point or another; indeed, it is not a question of if, but only a matter of when. Following the spate of high-profile data breaches that have occurred over the past year, including major breaches at the world’s biggest social network, and more recently, the biggest Australian bank, it has become clear that no company is safe and all businesses must be prepared for the inevitability of a data breach.
A look at legislation around the region
Mexico’s Federal Law on the Protection of Data Held by Private Parties (the Data Privacy Law) is the statute that sets forth all legal requirements and principles to be complied with in respect of the handling of personal data, as well as outlining employers’ obligations, such as issuing privacy notices to all employees.
Employers in Mexico should be aware that employees can exercise their rights to access, rectify, cancel, or suppress the information their employer has collected from them at any time.
Sanctions that the regulator — the National Institute of Transparency, Access to Information and the Protection of Personal Data (INAI) — may impose on companies that breach legal requirements are mostly monetary fines. The highest the regulator may impose is about USD 1.5 million for each infringement. This, however, may be doubled if the breach relates to sensitive personal information. In such cases, the fine could be as much as USD 3 million.
Aside from fines, companies in Mexico may be subject to civil liability. In some circumstances, infringements may lead to criminal liability; however, malicious intent is a condition to criminal liability in most cases.
There is no specific regulation in Brazil covering the storage and transfer of employee data. Companies must follow internal regulations established according to international practices or principles found in other laws, including the country’s Consumer Code, the Banking Secrecy Law, the Internet Act and the Civil Code.
Accordingly, companies must take all reasonable measures to secure their employee data. Those that fail to implement appropriate security measures may be liable for damages according to the rule of civil liability determined by negligence. Provisions from the country’s Internet Act contain important security benchmarks, such as strict control over access to personal data, the definition of responsibilities of the personnel who have access to the stored data, authentication mechanisms that must be used to allow access to stored personal data (e.g. two-step verification should be used to ensure the identification of the employee with access to the stored personal data), detailed data inventories that must be created to record access to personal data (e.g. date, time and duration of access, identity of the employee responsible for access and a record of the accessed files), and use of IT solutions that ensure the inviolability of data (e.g. encryption or equivalent protective measures).
It is worth noting that, on 29 May 2018, the plenary of the Chamber of Deputies approved Bill No. 4,060/12, which regulates the processing of personal data by individuals, private entities and public authorities. Soon after the GDPR became effective, the proposal was given urgent status for the consideration of the plenary, and its final text reproduces a number of central points of the European Regulation. The principle of extraterritoriality is one of them, that is, the application of the law to foreign companies which process data collected in the national territory or with activities and services offered to individuals in Brazil. The principle of free, informed and unequivocal consent from data subjects is another important requirement inspired by the GDPR.
The aforementioned Bill, once passed, is expected to cause a significant change in the way in which companies treat personal data and its approval is expected to provide legal certainty for conducting a series of business transactions. The Data Protection Authority (DPA) will be responsible for issuing guidelines containing applicable measures in case of data breaches.
Argentina’s Personal Data Protection Law (25,326), regulatory Decree 1558/2001 and provisions issued by the National Directorate for Personal Data Protection constitute the country’s legal framework for data security and privacy. While “personal data” is defined as any identifying information of a living individual or a company according to Law 25,326, “sensitive personal data” is defined as data containing information about an individual’s racial or ethnic origins, political opinions, religious, philosophical or moral beliefs, trade union membership, health and sexuality.
The processing or storage of personal data is only legal when carried out with the data subject’s prior and informed consent. Any company handling personal data should follow general principles of the law, which include stipulations that personal data must only be used for the purposes for which it was provided. Further, it should be accurate and updated, adequate, relevant and not excessive, not kept longer than necessary, protected against unauthorised or unlawful processing, protected against accidental loss or damage, and must not be transferred to third parties without previous authorisation.
Under the current legislation there is no legal requirement to notify data subjects or the National Directorate for Personal Data Protection of any personal data security breaches. Nonetheless, Provision 11/2006 of the National Directorate for Personal Data Protection established that owners or users of databases must have a “Data Protection Security Book” where any incident related to personal data security must be recorded.
The National Directorate for Personal Data Protection may apply sanctions for any violations of the country’s Data Protection Regulations. Sanctions could include anything from warnings, the suspension of operations, fines ranging from ARS 1,000 to ARS 100,000 (USD 35 to USD 3500) and the closure or cancellation of the file, register or database in question. Section 156 of the Criminal Code states that employees at companies may also face penalties of between ARS 1,500 and ARS 90,000 (USD 52 to USD 3105), plus a suspension of between six months and three years, if found to have gained access to confidential information and disclosed it without authorisation or legal or justified cause. Similarly, section 117 of the Criminal Code provides that any person who knowingly supplies a third party with false information contained in any given personal data record will be imprisoned for a period ranging from six months to three years. The sentence may be increased to half the minimum sentence and half the maximum sentence if any person suffers damage as a result.
Finally, section 157 of the Criminal Code provides the same jail sentence for employees who unlawfully provide or disclose information registered in a personal database to third parties.
Penalties imposed by sections 117 and 157 of the Criminal Code will be increased if the perpetrator is a public officer.
The impact of the GDPR on Latin American companies
The EU’s General Data Protection Regulation (GDPR) was approved by the European Parliament on 14 April 2016 and came into effect on 25 May 2018.
The GDPR applies to all companies processing and holding personal data of data subjects residing in the EU, regardless of the company’s location. It defines personal data as any information relating to an identifiable person who can be directly or indirectly identified by reference to an identifier. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.
Organisations in breach of the GDPR can be fined up to 4% of their annual global turnover or up to EUR 20 million (whichever is greater). This is the maximum fine that can be imposed for the most serious infringements. There is also a tiered approach to fines. For example, a company can be fined 2% for not having their records in order, not notifying the supervising authority and data subject about a breach or not conducting an impact assessment. These rules apply to both controllers and processors of data.
Conditions for consent have been strengthened under the GDPR and companies will no longer be able to use long illegible terms and conditions full of legalese. Instead, the request for consent must be given in an intelligible and easily accessible form, using clear and plain language, with the purpose for data processing attached to that consent. Consent must be clear and distinguishable from other matters. It must be as easy to withdraw consent as it is to provide it.
Breach notification will become mandatory in all member states where a breach is likely to “result in a risk for the rights and freedoms of individuals”. This must be done within 72 hours of first having become aware of the breach. Data processors will also be required to notify their customers, the controllers, “without undue delay” after first becoming aware of a breach.
Data protection authorities (DPA)
Currently, controllers are required to notify their data processing activities to local DPAs. Under the GDPR, there will be internal record-keeping requirements, and the appointment of a data protection officer (DPO) will be mandatory only for those controllers and processors whose core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale or of special categories of data as well as data relating to criminal convictions and offences.
Steps organisations should follow when a data breach occurs
In Mexico, there is no guidance concerning the handling of personal data in the workplace as there have not been particularly relevant or groundbreaking cases on the matter. Nevertheless, any breaches occurring at any stage during the processing of personal data that may materially affect the property or moral rights of the data subject must be promptly reported to the in-house data controller so that he or she can take the appropriate action.
Between 2011 and 2017, the INAI conducted 137 audits of local companies including insurance companies, financial services providers, hospitals and medical clinics, home appliance stores, restaurants, hotels and supermarkets.
Audits were triggered by complaints filed with the INAI, which led to investigations into whether the complaints had merit. Ultimately, the investigation will lead to fines should the authority identify that there has been any violation of the provisions of the Data Protection Law. In most cases, audits result in fines for unauthorised data processing, failure to provide access, rectification, cancellation or right to oppose the use of personal data and failure to provide a Privacy Notice.
Even though Mexico’s current data protection legislation is based on European law (prior to the GDPR), subsidiaries of a European parent company in Mexico will have to adapt internal policies in accordance with new GDPR obligations. However, the fact that documents, policies or processes comply with the GDPR does not necessarily mean that they will conform to Mexican legislation, which means that legal departments must ensure policies are reviewed for compliance with both the GDPR and current privacy laws in Mexico.
If a Mexican individual or legal entity has activities in Europe (or if it offers goods or services in the EU), the collection and processing of personal data must comply with the GDPR.
It is important to assess whether any website or application is made available in Europe that may use tracking technologies. If this is the case, the applicability of GDPR will be triggered even if the company is incorporated under Mexican law.
In Brazil, it is advised that companies experiencing a breach of employee data privacy take a practical approach towards remedying the breach and preventing further damage, including the improvement of security mechanisms, understanding which features caused or permitted the breach and correcting them, and reporting the situation to employees in a transparent and reassuring manner.
The nature of the information hacked will determine if further action is necessary. Of particular concern is the proprietary data held by companies in relation to employee benefits and mandatory employment routines, including passwords. Accordingly, the company may need to reset the configuration of its systems.
Only regulated sectors are obliged to report situations where there has been a breach of data privacy. However, business standards make it advisable to report any breaches to mitigate the company’s liability. Depending on the circumstances, reporting may prevent further damage and might make the individuals aware of the risk of unauthorised use of their personal data, thus helping to enable a prompt reaction to any incident.
Breach of employees’ data privacy is a twofold problem. It affects the employees and the company itself because it might involve critical information such as compensation policies and salary progression. Labour laws do not address this situation and the company is not subject to any administrative fines. Under the rules of civil liability, it may face individual complaints for damages and litigation by the union or public attorney to demand collective damages.
Argentina recently experienced two notorious data breach cases. In November 2017, Equifax reported a vulnerability in an internal website in Argentina, whereby an online employee tool used locally could be accessed by typing “admin” as both a login and password. Security researchers from Hold Security found that, because they were granted administrative access, they could add, delete or modify employee records and were able to access consumer complaint records on the site. The site also listed each person’s DNI – the Argentine National ID. Unlike social security numbers in the US, DNIs are publicly available in Argentina; however, one UK-based cybersecurity expert agreed the case raised questions about how Equifax protects the data it holds. Similarly, in February 2018, seven employees from AFIP, the Argentine tax agency, were arrested for selling taxpayers’ confidential information since 2010 through the online business information service Reportes Online. These companies would have acted as intermediaries to offer the information to other major companies and even to some banks.
These recent cases further highlight the need for companies to be ready for a data privacy breach and prepare a contingency plan in advance with an appropriate task group. A contingency plan should determine the extent of the data breach. The exact steps to follow will depend on the nature and scope of the breach. If the company was a victim of hackers who stole personal information from the company server (affecting employees’, customers’ and providers’ personal information), there is general agreement that the first step to follow is to fix the vulnerabilities of the company system and isolate the problem, avoiding multiple data breaches or additional losses of data. The company should also have identified a specific team to deal with a breach (from IT specialists, legal advisers, communication officers, operations, HR and management).
Depending on the company’s size and resources, it is also advisable to hire independent forensic analysts to determine the source and extent of the breach, as Australia’s biggest bank, Commonwealth Bank of Australia (CBA), did after losing the financial records of almost 20 million customer accounts when a subcontractor lost two magnetic tape drives containing the data back in 2016. In a statement, CBA said the data included customer names, addresses, account numbers and 16 years of transaction information used to print customer account statements (dating from 2000 to early 2016). CBA said it informed Australia’s Privacy Commissioner when it became aware of the breach in May 2016, but customers were not alerted. The magnetic tapes were lost by subcontractor Fuji Xerox during the process of decommissioning one of CBA’s data centres. When CBA could not confirm the tapes had been destroyed, the bank hired accounting firm KPMG to conduct a forensic investigation.
Buzzfeed News reported that one of the possible scenarios investigated by KPMG was that the tapes fell off the back of a truck when they were being transported to be destroyed. The bank said the data did not include passwords, PINs or other information that could enable account fraud and it was monitoring the 19.8 million customer accounts involved for suspicious activity. The incident represents one of the largest data and privacy breaches in Australian history.
Employee training and investment in IT staff and cybersecurity systems could, therefore, help avoid potential data breach incidents similar to the breach at CBA. As soon as the problem has been identified, measured and fixed, the data subjects potentially affected by the breach (company’s employees, customers or providers) should be notified to avoid further damages.
There is general agreement that companies should have a communications plan that reaches all affected subjects. Depending on the number affected, companies must formally explain in writing what happened, how it happened, what information was involved, what the company is doing and what the subject can do to avoid additional damage (and how the company will contact the affected subject in the future). Offering a free contact number or updating information on the company’s website can also be useful.
Under current legislation in Argentina, there is no legal obligation to notify a data privacy breach to the National Directorate for Personal Data Protection; however, this will change if a proposed new Data Protection Law is passed by the Argentine Congress. The proposed bill defines a security breach of personal data as: “any incident occurred in any phase of the treatment that implies: unauthorised loss or destruction; theft, loss or unauthorised copying; unauthorised use, access or processing of data; or damage, alteration or modification not authorised”.
Such incidents should be reported by the data controller to the National Data Protection Agency “within reasonable time, taking into account the circumstances of the case, the security breaches of personal data that occurred at any stage of the data treatment process that significantly affect the rights of data owners”, as soon as the company confirms that a breach occurred and has taken the necessary measures to initiate a review process and determine the scale of the incident.
The data controller “must also inform the owner of the data about the security breach that occurred, in a clear and simple language”. The notification must contain at least the following information: the nature of the incident, the personal data compromised, the corrective actions taken immediately before becoming aware of the incident, recommendations to the affected data subject about the measures that they can adopt to protect their interests, and the means available to the affected data subject to obtain more information in this regard.
The data controller must document any security breach of personal data that occurred at any stage of processing, identifying the date on which it occurred, the reason for the violation, the facts related to it and its effects, as well as the corrective measures implemented immediately and definitively. These provisions are consistent with what is stipulated by the most advanced laws on data protection at the global level, such as GDPR.
To conclude, the current legal framework in Mexico, Brazil and Argentina does not impose an obligation on data processors or controllers to notify data privacy breaches. However, it is always advisable to notify the affected subjects to avoid further damage and it will now be mandatory in certain circumstances under the GDPR.