Member Article

On January 3^rd, 2024, the Senate approved, with 32 votes in favor, the Report of the Constitutional, Legislative, Judicial and Regulatory Affairs (“the Report”), on the Bill to amend the Data Protection Law and creates the Data Protection Agency (Bulletin No. 11144-07/11092-07), (“the Bill”).

However, despite the approval of the Report concerning amendments and proposals of the Chamber of Deputies, 24 of these were ultimately rejected. As a result, the Bill has completed its third constitutional process and has been referred to a Joint Committee (“The Committee”) to review the articles that caused disagreement between the two Chambers.

The modifications that were rejected relate to the territorial scope of application, definitions and principles, sources of lawfulness of processing, processing and transfer of personal data, the exercise of data subjects’ rights, and associated infractions and sanctions.

The following are the most relevant points:

• Territorial Scope of Application: The regulation proposed by the Chamber of Deputies regarding the territorial application of the Bill, applicable provisions to both data controllers and processors, was rejected.
• Definition of Personal Data and Sensitive Personal Data: Among the various definitions in the Bill, the amendments related to the concepts of “personal data” and “sensitive personal data” were rejected. This includes the rejection of the proposal to exclude from the definition of “personal data” the last phrase “in cases where the identification effort is disproportionate”.
• Purpose Limitation: The proposal from the Chamber to eliminate data from publicly accessible sources as an exception to the principle of purpose was rejected.
• Lawfulness: The Chamber of Deputies proposed excluding data collected from publicly available sources as a source of lawfulness. However, this proposal was rejected, and the admissibility of such data as a legal basis for the processing will be discussed in the Committee.
• Third-Party Data Processing: The Committee will analyze the admissibility of obligations of third-party processors to report security breaches and identify the appropriate entity to report to.
• Processing of Personal Data by Public Bodies: The Chamber of Deputies proposed that public bodies be subject to a special regime contained in the Bill regarding the processing of personal data involving activities for the protection of victims and witnesses. This proposal was rejected and will be discussed later in the Committee.
• Processing of Personal Data by Bodies with Constitutional Autonomy: Concerning the processing of personal data carried out by entities such as the National Congress, Judiciary, General Comptroller, among others, the Chamber of Deputies chose not to subject them to the regulation, oversight, and supervision of the Agency. This proposal was rejected and will be subject to further discussion.
• International Transfer of Personal Data: The Committee will review the enumeration of cases in which such transfer operations would be lawful, as well as the different criteria the Agency will follow to qualify a country as “adequate”.
• Exercise of Data Subject Rights: The Committee will discuss the legitimacy of i) the right to erasure; ii) the right to object to automated personal evaluations; iii) the right to restriction; iv) the obligation of foreign legal entities to appoint a representative, among others.
• Infractions: The Chamber of Deputies proposed the inclusion of i) providing incomplete information during the registration or certification process of the prevention model as a minor infraction, and ii) knowingly providing false, incomplete, or manifestly erroneous information within the same process as a serious infraction. However, both proposals were rejected by the Senate and will be discussed later in the Committee.
• Sanctions: The Report rejects Chamber of Deputies’ proposed modification regarding the range of fines applicable for infractions and the application of a fine equivalent to a percentage of annual income from sales, services, and other activities in the last calendar year if a company commits a serious or very serious infraction.

The post Personal Data Protection Bill moves forward appeared first on Carey Abogados.

 

Link to article