The Colombian lawyer Heidy Balanta, specialist in IT Law and New Technologies and manager of derechoinformatico.co, shares some reflections on data protection and the best way of knowing and exercising our rights, and complying with the data protection laws in Latin America.
The vast quantities of data that circulate between people and companies every day pose the colossal challenge of how to protect that information without interfering in its legitimate use by its recipients.
What's the general tone of the legislation on personal data in Latin America?
The spirit of the legislation in regard to personal data is that the owner of the information has control over data that is their, but which for commercial, contractual or civic reasons are processed by third parties –either a company or a state institution.
For this reason, most legislation limits the collection of data by third parties unless they have the free, prior and express authorization of the owner to process their personal information. That is, a third party cannot hold someone's personal data unless they have prior authorization to process them. This aspect lies at the heart of the data protection system.
What are the main differences between the data protection laws in Latin America compared to Europe or the United States?
There are two models of regulation in regard to data protection. The key differentiating feature of the European and US models lies in the conception of data protection. Whereas the European model conceives data protection as a fundamental right, the US model sees it as a consumer right.
Another difference between the two models is that the US prioritizes self-regulation, so is regulated by the sector. Meanwhile, the European model has a general regulation that establishes obligations for those responsible for and entrusted with the management of personal data, sanctions for organizations that fail to comply with the law, and the delimitation of the rights of the owners of the information. In thecase of Colombia, for example, there is a hybrid model, because there are both general regulations and sector regulations.
Many Internet services –social networks, search engines and apps– are free and capture several types of personal data. What type of information do these services inevitably need to take from the users, and what use do they give it?
The services we access free via the Internet are not actually free –the currency being traded is our data. We surrender our data in exchange for these services, because if we refuse to provide it we are unable to access the services being offered. Personal data have an economic value, as it is a factor for exchange on Internet.
Data are used by these services for the purposes of advertising, marketing, generating profiles and tracking consumer habits. So Internet users must exercise responsible behavior and take into account who is delivering the data and whether there are sufficient levels of security. We regularly see news of computer delinquents who steal passwords to well-known sites and sell them on the Internet black market.
What options do users have to find out more about the services they use?
The problem with Internet users is that most of them don't read the terms and conditions of the websites they access, and that's where they clearly state what's done with their data, the processing policies, and the general policies of the website.
In theory, users can request the elimination of the personal information contained on these pages from the administrator of this website.However, this is sometimes pointless, as there are widespread data-sharing practices whereby the personal data collected are passed on to other partners, which can no longer be controlled by the owner of the data. This highlights the importance of entering your personal data exclusively on reliable sites.
What are the greatest challenges facing the authorities when regulating the way users' data are captured and used?
One of the main challenges is the ability of Latin American countries to investigate and sanction leading social networks such as Facebook, due to the fact that Internet has no geographical limits. Countries such as Colombia and Mexico are currently seeking to implement a regulation that allows them to investigate these social networks; however, this is proving to be fruitless in practical terms.
The transfer of personal information between countries is another of the important challenges in regard to data protection as many do not have adequate levels of security.
A safe harbor agreement was signed for this reason between Europe and the United States, but was subsequently rendered invalid. Today there is a new “Privacy Shield” agreement“ whose purpose is to provide guarantees for European citizens regarding non-interference in their privacy by US government agencies, and US companies will therefore be required to make appropriate and legitimate use of personal data.
What mechanisms do users have to exercise their right to data protection?
Owners have the mechanism of consultations and complaint. Through these tools they can request to see, update and correct their data, and the revocation and suppression of access to any third parties who may possess them. If the third party does not respond, or if the response is negative, the owner may petition the supervisory body to conduct the respective investigation and take a decision.