In Short

The Situation: Latin American governments, business leaders, and legal advisors continue to address privacy and cybersecurity concerns.

The Result: The development and implementation of privacy-focused regulations is a priority throughout the region.

Looking Ahead: Latin America appears to be on track for the implementation of EU-influenced comprehensive data protection regimes. 

As is the case in most of the world's industrialized regions, Latin America's policymakers, industry leaders, and legal practitioners are giving significant attention to privacy, data breach, and cybersecurity matters. The ever-increasing acceleration in the introduction of new technologies, and the potential problems and liability related to compromised information, have raised these concerns to an even greater level. This Jones Day Commentary outlines recent developments in Latin America's privacy and cybersecurity landscape.

Danger Ahead?

Industry players see dangers in the unrestricted use of data and in possible cybersecurity breaches related to new technologies. Cybersecurity and related technologies, along with technological developments in areas like blockchain and digital currencies, artificial intelligence, autonomous vehicles, robotics, and the cloud, are under careful analysis by regulators and companies in the region, and they are expected to drive the legal industry in the coming years.

Cyberattacks Remain a Serious Concern

Banco de Mexico issued a statement that three banks experienced "incidents" with the Interbank Electronic Payment System known as SPEI, requiring them to connect under contingency schemes. The incidents caused significant interruption and delays in banking transfers, although the system infrastructure and client deposits apparently were not affected.

Although the cyberattack was not successful, it came just a few months after hackers attempted to steal funds from Bancomex, the export-import bank of the Mexican government. In addition, the Colombian Industrial Cybersecurity Center recently published a study detailing the increase of data breach incidents. All this came as a reminder that these issues are very real in the region, and they indicate that many individual companies, and the financial services industry, remain unprepared.

New Fintech Law

Mexico and Brazil lead the development of financial technology institutions ("Fintech") in the region. 

Mexico's new Fintech law illustrates the importance new technologies are acquiring in the region and is likely to become a model precedent for neighboring countries cognizant of technological changes and their applications. According to the Comisión Nacional Bancaria y de Valores ("CNBV"), Mexico's banking and securities regulator, this is the first law of this kind in the Americas and is based on, among other things, the principles of financial inclusion and innovation.

Brazil maintains a strong, innovation-driven Fintech sector. The new regulation on Cybersecurity Policies and Requirements for Data Processing and Storage issued by Brazil's National Monetary Council will bring more certainty, but also heavy obligations, to financial institutions.  

Harmonizing with the European Union

Latin American countries appear to be developing privacy and data protection regulations in concert with European Union directives, as evidenced by:

  • Argentina, Costa Rica, and Chile recently adhering to the Budapest Convention on cybercrime, and additional countries, such as Mexico, Colombia, and Paraguay, considering observance.
  • The publication of the Standards for Data Protection for the Ibero-American States by the Red Iberoamericana in June 2017, which used the European Union's General Data Protection Regulation ("GDPR") as a guideline.
  • The enforcement of laws based on EU Directive 95/46/CE, and the use of EU mandates in developing Latin America's cybersecurity regulations. 

Leaning Toward a "Notification to Authority" Model 

Latin American countries appear to lean toward a data incident "notification to the authority" model, following the already established obligations in the United States and the European Union.

Some Latin American countries, such as Mexico and Peru, have laws requiring notification to the data subjects, but not to the authority. However, Mexico recently issued a proposal where notification to the authority would also be required. Other countries, including Colombia, already have authority notification requirements.