Latin American endorsement of EU privacy model bolsters Brussels' leadership claim

South America Data Flow

14 August 2017. By Magnus Franklin.

The EU's claim to global leadership in the development of a gold standard for privacy got a boost this summer, when key Latin American regulators endorsed the European system, promoting legislation that restricts what companies can do with people's data.

In less than a year, the EU's privacy law enters into force, setting a gold standard globally for the protection of data. The bloc has already reached out to key trading partners, including Japan and the US, to make sure they bring their privacy standards to the point where data can flow relatively freely between them.

Now, Latin America's tacit endorsement of the European model will count as another feather in the cap of Brussels officials.

It also serves as a signal of the diminishing weight of Washington in the global privacy debate, when once the clout of the US commercially-driven model for privacy protection was on a par with the EU's fundamental-rights approach.

In June, the Ibero-American Data Protection Network, known as RIPD, signed a paper titled "standards for personal data protection for Ibero-American states" that outlines, in skeleton form, all the essential elements of the EU's privacy framework. These include the permissions needed for companies to process data, principles to limit the amount of personal data collected and stored by companies, and notions such as "portability" of data from one company to another.

The principal aim of RIPD's paper was to "establish a set of common principles and rights for the protection of personal data which could be adopted by the Ibero-American states and develop their national legislation thereon, with the goal of having homogenous rules in the region."

Further, echoing the repeated aims of the EU to improve the functioning of a single market in the bloc, another aim of the Ibero-American paper was to "make the flow of personal data between Ibero-American States and beyond their borders easier."

In effect, the paper is a carbon copy of the EU General Data Protection Regulation, endorsed by RIPD's members, which include Mexico, Argentina, Chile and Colombia.The network's members also include the Spanish and Portuguese data-protection authorities.

Indeed, the standards explicitly refer to the EU law, alongside guidelines developed by the Organization for Economic Cooperation and Development and the privacy framework developed by the Asia-Pacific Economic Cooperation Forum.

Notably, the Ibero-American standard set out in the paper "guarantees an adequate level of protection of personal data in the Ibero-American region, with the aim of establishing no barriers to their free circulation within the Ibero-American states and, consequently, favoring commercial activities between the region, as well as with other economic regions."

Under EU privacy law, that term "adequacy" describes the process by which countries can freely transfer personal data from a third country to the bloc, because they deem each other's data protection "adequate." The Latin American paper suggests that countries should, in principle, easily be able to strike a data-flow accord with the EU if they adopt the standards in their legislation.

With the privacy standards now adopted, it should come as no surprise if Latin American countries' data-protection laws start to look increasingly like Europe's, paving the way for simpler data transfers across the Atlantic.

Privacy report