The need for a Data Protection Law in light of the effects of the pandemic and the European Data Protection Regulation

Back to All Thought Leadership

Written by:

Christian Betancourt

According to IBM, in 2019 humanity produced 2.5 trillion bytes of data every day (for perspective, a trillion is a 1 followed by 18 zeros). According to Forbes, in the same year 16 million text messages were sent, as well as 156 million emails, every minute worldwide. These are impressive and steadily rising figures, to which the European Parliament and the Council of the European Union heeded.

The General Data Protection Regulation [1] , also known as GPDR (General Data Protection Regulation), is a response with extraterritorial scope to the complex uses that are being given to personal data. Going into effect on May 25, 2018, the regulations introduce more sophisticated protection of personal information. We can identify at least five characteristics about the robustness of the GDPR:

  1. It gives the user more power and control of their data, and companies must request authorization and express consent for their use, understood as any manifestation of free, specific, informed and unequivocal will by which the interested party accepts, either through a declaration. or a clear affirmative action, the processing of personal data that concerns you.
  2. Companies assume a higher level of responsibility for the dangers of information processing, both internal and third-party, which leads to assessing the possibilities of risk of leakage, and devise an action plan in case of leakage.
  3. It has an extraterritorial scope, so companies located outside the European Union that do business with people or companies from member countries or that carry out data processing of European citizens or residents could also be subject to compliance with the GDPR.

Article 3 of the GDPR highlights that “ this Regulation applies to the processing of personal data in the context of the activities of an establishment of the controller or processor in the Union, regardless of whether the processing takes place in the Union or not.

This Regulation applies to the processing of personal data of interested parties residing in the Union by a controller or manager not established in the Union when the processing activities are related to a) the offer of goods or services to said interested parties in the Union, regardless of whether they are required to pay, or b) the control of their behavior, insofar as it takes place in the Union.

This Regulation applies to the processing of personal data by a controller who is not established in the Union but in a place where the law of the Member States is applicable under public international law ”.

  1. Higher fines for non-compliance. Those who are in violation of the provisions may receive fines of up to 4 percent of the annual global turnover or 20 million euros (whichever is greater). Fines and other sanctions are an intrinsic part of the GDPR design, being imposed even in minor infractions. In any case, they are intended to be effective, proportionate and dissuasive.
  2. The nature of “privacy by design” must be included within the services from the beginning, mediating an explicit consent and greater clarity about the use of the data. The GDPR requires the adoption of appropriate technical and organizational measures in order to ensure compliance with regulations. It is worth mentioning that the implications of the regulation are not only for the relationships between a company and its customers or external suppliers, but also internally for employee data.

The aforementioned regulation, for this purpose, introduces the new figure of Data Protection Delegate. This position is necessary in public authorities and organizations, entities that have among their main activities the processing operations that require regular and systematic observation of large-scale stakeholders, as well as in entities that have large-scale processing among their main activities. sensitive data.

In Latin America, where there is a considerable presence of European companies, several countries have already adapted their internal regulation to the GDPR, or have presented new bills or reforms, keeping in mind the extraterritorial application of the European regulation. Among the countries that have taken into account the principles and provisions of the GDPR are Argentina, Peru, Chile, Brazil, Colombia and Mexico.

In Honduras, the regulations on the subject are scarce, being found primarily in the Law of Transparency and Access to Public Information, which entered into force in 2006. Regarding the protection of personal data, this law is almost limited only to defining them. , as well as to define what is understood as confidential information. The content of its article 24, on the requirement of a judicial decree to access personal data that is not voluntarily supplied, is also rescued. In 2018, a draft of the Personal Data Protection Law was presented in the National Congress, but as it was presented, it does not seem to conform to international standards and it may even erroneously mix some concepts.

We must take special care on this issue, taking into account the effects of the pandemic caused by SARS-CoV-2, the coronavirus that causes the COVID-19 disease. The consulting firm McKinsey and Company calculated in July 2020 that the volume of electronic commerce in the United States grew to the level it was projected to be in the next 10 years, in just a couple of months. According to what we have seen in Honduras, this adoption must have accelerated even more in the country. Companies have the opportunity to analyze their internal compliance and risk reduction programs in the face of this new reality.

In addition to what happens in the private sector, attention must be paid to the use that the government is giving to our data, provided during the interactions that have developed with different state entities throughout the health emergency. The magnitude of the amount of data that a platform such as the one proposed in the recent Regulation on Electronic Government could capture, for example, without adequate legal protection regarding the use of our data, is worrying. On this point, it is important to remember the guarantee of Habeas Data, contained in the Constitutional Justice Law and in the 2013 reform of article 182 of the Constitution of the Republic. This tool states that “Every person has the right of access to information about himself or his property in an expeditious and non-onerous way, whether it is contained in databases, public or private registries and, if necessary, update, rectify and / or or suppress it ”, in accordance with the international conventions on human rights ratified by Honduras.

Thinking about the design of a suitable Data Protection Law, it will be appropriate to take into account the learning that has occurred with the regulations applicable to the financial system, a sector that has advanced to issue its own standards in accordance with the principles observed by the Basel Committee. There are a series of resolutions issued by the National Commission of Banks and Insurance that present similar lessons, mainly based on the so-called NOPATIC, the Norms to Regulate the Administration of Information and Communication Technologies in the Institutions of the Financial System, found in the Circular CNBS No. 119/2005.

The rapid adoption of new technologies, the emergence of increasingly refined algorithms and the effect of the pandemic on the acceleration of electronic commerce presents us with the obligation to rethink the legal environment necessary for the adequate protection of our data. Fortunately, we have important references on different experiences that could be analyzed in order to achieve a beneficial result for the current habits of society.

[1] General Data Protection Regulation (hereinafter “GDPR”) April 27, 2016 – European Parliament and the Council of the European Union (EU). https://www.boe.es/doue/2016/119/L00001-00088.pdf

Sign In

[login_form] Lost Password